Spam exists because it is profitable, but emailers have defenses they can use.

There are many profiteers in the lucrative spam industry: Email address list builders scavenge and sell lists of email addresses. Software makers and marketers build and sell cheap programs that facilitate numerous illegal spam activities: look for vulnerable, hackable email servers, disguise sender identities, generate random lists of possible email addresses, harvest email addresses from the public Web, to name some. Mailers launch spam attacks against millions of inboxes. Shady Web site hosts provide a buffer or safe haven for questionable Web sites. Marketers sell bogus products and services. Scammers try of all sorts employ fraudulent schemes to trap unwitting emailers. There are certain weak links in this spam chain where Internet users can apply defensive measures.

Emailers use simple measures to avoid spam.

In this survey, we found that users were employing the simplest methods to avoid attracting spam: 73% said simply that they avoid giving out their email addresses. Also, 69% avoid posting their email addresses on the Web, where they risk being “scraped” off by harvesters. About 14% tried to use obscure screennames, so they might be less subject to getting emails generated by computers that spit out logical combinations of names and numbers (e.g. joesmith@isp.com or bettyjane1@isp.com). One creative emailer wrote in the TRAC survey about his attempt to create a screenname that no spammer could find: “I finally took the moniker FlatulentFreddy which finally has stopped the spam from coming my way. Most of it.” And 23% of email users have created separate email addresses for the times they think they might attract spam, not stemming the flow of spam, but at least diverting and isolating it.

Such judicious use of an email address seems worthwhile. The Center for Democracy and Technology (CDT), in a 2003 study9 to investigate the reasons people get spam, found that the surest way to attract spam is to post a standard, unobscured email address on a public Web site. Over 97% of the 10,000 incoming spams the CDT collected came to email addresses that had been posted on the Web. In an earlier study, the FTC reported that 86% of email addressed posted to newsgroups or public Web pages received spam.10 The CDT reported that more popular Web sites seemed to attract more spam and also offered a morsel of good news: once email addresses were removed from the Web, the volume of incoming spam dropped significantly.

However, many an email user who has never posted his email address anywhere on the Web has been surprised to find it there. As an exercise, if you type your screenname, complete with the domain after the @ sign, into a Google search box, you, too may be surprised at where you see your name pop up on the Web.

Filtering helps deflect spam.

While filtering does not eliminate spam, it makes spam more manageable for the user. Use and effectiveness of filters vary a lot between personal and work email. And none of these filtering systems come free; they require time, expertise, and money to install and maintain.

Sixty-two percent of workers say their employers use filters to block spam from their email accounts. These workers get less spam than those whose employers do not use filters. Nearly twice as many workers with employer filters get no spam at all (50% v. 28%) Only 5% of those with filters say that more than 60% of their inbox is spam, compared to 19% of those with no filters.

Workers whose employers use filters have more time to work: Half of those with filters say they spend no time at all on spam, compared to 28% of those without filters who reported spending no time at all dealing with spam. About 8% of those with filters say they spend half an hour a day or more on spam, compared to 12% of those without filters who spend that much time dealing with spam. In addition, of those who receive spam at work, 29% of those whose employers use filters say spam sometimes prevents them from getting to the messages they want to read, compared to 37% of those without filters.

While it is easy to conclude employers should use filters on their employees’ email accounts, comments from those in the trenches demonstrate how costly that can be. One correspondent in the TRAC survey wrote: “I am an enterprise systems consultant who is being engaged more and more frequently to provide measures to protect against spam…For my most recent customer, spam accounts for more than 50% of all the email flowing into their systems. A tremendous amount of money is spent both in paying for my services, as well as equipment costs. Considering that the design and implementation of such a system is likely to be a minimum of four weeks of work (~$5000/wk), and require two moderate powerful servers (~$4000/ea), that is a cost of $28,000.”

Some 37% of those who have a personal email account apply their own filters to their email system. Of those who filter, 21% receive less than 10% spam, compared to 18% of those without filters. Fully 49% of those with filters receive at least 60% spam in their accounts, compared with 50% of those without filters.

This picture of quite equal volumes of incoming spam, regardless of filter use, could mean two things: Either personal filters are not doing much good or filters are effective and those who do employ filters would have received much more spam without them. Those who are able to view bounced spam in their junk folders can look to see if their filters are keeping out spam.

For a number of emailers described in the TRAC survey, assessing what it takes them to avoid and deal with spam leads them wonder if it is all worth it.

  • “I have finally managed spam to a point with which I can deal…. First, I always create a new email alias when communicating with an online service…. Secondly, I run a program on my mail server which filters out just about all the spam. And, finally, I report spam to uce@ftc.gov and smapcop.org. The down side to this is that it takes too much time for what gets accomplished. I spend time no matter what – either deleting spam, or building and maintaining a defensive system.”
  • “The email program that I use allows me to set up email filters and prevent junk/adult email from even coming into my email inbox. But, what I have come to notice is that real emails that I need are being sent to my junk email box so I have to sort through it regardless. I found messages from clients and potential clients, my husband, and friends in the junk email.”

Tech workers are among the most annoyed. One writes:

  • “In my inbox, I receive on average 5 – 10 spams any given hour. I am a Unix administrator, with long ties on the Internet. No existing solution allows me to filter the spam effectively. I use inbox routing tools to get the mail that I expect to come in, but I am still forced to wade through the remnants, to the tune of 100 or more emails per day.”

We heard about one emailer’s clever solution that is a variation on a “white list,” where the user accepts incoming email only from those expressly designated:

  • “I dread being away from my computer where I read my personal email…when I return I have hundreds of worthless spam…I have given up trying to filter out the spam, and chose to instead filter out all the ‘expected’ or known email sources into folders and leave my inbox to the spam.”

Once spam arrives, most emailers try to counteract it.

What are people doing with the spam they receive? Most of the emailers in this study, 86%, report that usually they “immediately click to delete” their incoming spam. As this is a neutral behavior, something else must be going on to support the growing, lucrative business of spam.

Two-thirds of users have at some point clicked to be removed from a mailing list. This tactic exemplifies some of the confusion surrounding spam that can leave users perplexed about what to do. It is generally acknowledged that responsible senders will remove you from a list if you so request. The CDT, in its study about behaviors that attract spam, found that most commercial sites respected their wishes to “opt out” of further commercial email. But the FTC reports that 63% of “remove me” requests were ignored. Others suspect that sending a “remove me” message to a spammer only serves the purpose of confirming to him that he has found a responsive email address, which then earns the responder more spam. The ePrivacy Group, an anti-spam and trusted email technology company, and the Ponemon Institute, an ethics and privacy research institute, conducted a 2003 study about spam, and found that among the 37% of Internet users who never opt out, 40% choose that route because they do not believe the company will honor their request, 38% have found that opting out did not work before, and 9% fear it just confirms their email to spammers.

Email users often worry that clicking to “remove me” from future mailings will only attract more spam.

One emailer described in the TRAC survey his nightmare after trying to remove himself from future mailings:

  • “It started off slowly then exploded into a major mess. I began clicking on the options to ‘be removed’ from a list or ‘Stop’ receiving emails. Soon the emails went from a few a day to about 25, then 50…my Internet service provider told me the worst thing I could do was to click on those “remove” buttons. But now it is too late, because I currently receive at least 120 spam emails a day.”

And another found similar behavior initiated an even more offensive chain reaction:

  • “One day I received an email advertising pornographic materials & Websites. There were all of these ‘legal’ clauses at the bottom along with a link to remove my name from their list. I clicked on the link only to be inundated with these emails in the following weeks.”

And yet another respondent wrote:

  • “About a year ago, I checked out a Web site that sounded fun and was clean and family friendly. I read all their rules and ‘privacy policy’ and decided to join thinking that I could be a part of it without having my email address sold to anyone. But not a week later I started to get around 50 spam emails. Two weeks later I began to receive double emails in the same day from all the spammers…A month later I counted 357 emails a day that were spam…So I investigated and discovered that in their privacy policy that they had a mirror site that did not have the privacy rules and was allowed to sell my address.”

And one emailer lives in his own personal hell:

  • “I made the mistake of responding to one particularly voluminous and obnoxious series of spam mails, to demand that I be removed from their mailing list. Because they substituted their header information with mine, I am now forever in an endless loop, receiving the same exact “returned mail” every 30 minutes, 24hours a day, 7 days per week (with the message: “config error: mail loops back to me.)”

Some emailers pursue offers from unsolicited email.

Some emailers are more responsive to spam than others. One-third of emailers have pursued an offer in an unsolicited email by clicking on a link to find further information. If the recipient is expecting satisfaction, the results are usually disappointing: In one anecdotal experiment, an enterprising reporter replied to 75 spam messages by requesting further information. She found over half of the requests were never answered, leading to the suspicion that this was just another way of email address list-building. Some 16% were obvious scams, 11% received bounced backs of “account closed” because of ISP complaints, and 17% appeared to be legitimate products or services for sale. All the porn delivered what it promised.11

Further, 7% of emailers report that they have ordered a product or service that was offered in an unsolicited email. Herein lies the problem: While some have suggested that if people simply stopped responding the spam industry would dry up, some bulk emailers claim that even 0.001% positive response rate is a break-even point.12]

In future work, we would like to further explore the 7% conversion rate, for both the kinds of products or services that respondents ordered and the characteristics of the positive responders. This survey didn’t probe the first issue, and with such a low positive response rate (7%), we lacked the sufficient numbers to reliably describe the positive responders.

However, we can make a few comments. First, we are guessing that a good portion of orders were for legitimate products or services, like software or beauty items. This points to the softness in the collective definition of spam, that while “unsolicited” is a commonly accepted factor in the definition of spam, both the relationship with the sender and the nature of the product being promoted affect users’ tolerance for the message. People may be ordering products or services from unsolicited emails, but they are not necessarily considering those messages to be spam. Second, it is likely that some of these 7% of positive responders ordered a product or service quite a while ago, before the issues of spam, scams, Internet marketing, and security and privacy issues were in the limelight as they are in today. And lastly, given the continuing onslaught of spam for bogus health products, for pornography subscriptions, and even for infamous financial scams, we’re quite sure that there remains a viable market that makes it worthwhile for spammers to persist.

Behavior with spam

It is worth noting, too, that 12% of email users say they have responded to an email offer, only to find out later that it was phony or fraudulent.

In the TRAC survey, there were several stories about fraud:

  • “I was hoping to acquire another major credit card, in spite of poor credit, so when I got a spam that said, ‘You have been approved for a major credit card.’ I checked into it…An online form said that the fee (one time $49.95 processing fee) had to be taken from my account right then. So I gave the routing number and account number expecting to open a credit card account. But once they got the money there was no credit card nor was there any refund. It was a 100% scam.”
  • “My husband saw an offer for a free trial for a Web site and took it. They said they needed a checking account to verify his age. He gave them my routing number and account number…Since the free trial, which he ‘opted out’ of immediately after accepting the trial, they have taken one hundred and eighty dollars out of my account…I had to close my checking account and hope I get a little of my money back.”

Some emailers take more aggressive action against spam: A fifth of emailers have reported unwanted email to their service providers. Another 7% — equaling the number of emailers who have purchased as a result of unsolicited email — have taken lengths to report spam to a consumer or government agency. The FTC reports that spam reports to the agency have grown to at least 130,000 a day.