Privacy Rights Clearinghouse
- How do spammers get your e-mail address?
- What's in it for spammers?
- What is being done?
- Is there a national “do not e-mail” registry?
- What can you do?
- Other anti-spam resources.
Like any technology, e-mail can enhance your daily life, but it can also invite intruders into your personal space. Today, e-mail is a major form of communication, rapidly replacing written correspondence and telephone calls as a way of keeping up with family and business matters. Just like you, legitimate marketers along with many fraudsters have discovered the beauty of communication that eliminates the constraints of time zones and answering machines. Above all, soliciting via e-mail can reach millions of people without the costs involved in telemarketing or direct mail.
Spam is loosely defined as unsolicited, unwanted e-mail messages from a sender you don’t know. Spam e-mail is usually sent in bulk with messages having substantially identical content. Spam messages, by the millions, flood computer mailboxes each year.
Spam breaks down further into sub-categories:
(1) nuisance e-mails, such as solicitations to buy products or services; and
(2) malicious e-mails, which often seek to trick you into revealing personal information that then can be used to defraud or damage you and your computer.
While the nuisance spam is the most numerous and annoying, it’s the malicious e-mail that is potentially the most serious and which appears to be increasing disproportionately.
Other anonymous senders seem only intent on shock value, transmitting messages or images that repulse the average person. Such messages are particularly troubling when family members of all ages share a common computer.
As the public becomes more aware of scams associated with unsolicited e-mail, fraudsters have become more skilled in masking their intent. As such, it is often difficult to distinguish between a message intended to defraud you and one that simply seeks to sell you something or to shock you.
There has been a rapid increase in “phishing” attacks in which consumers receive messages from dishonest sources disguised as e-mail from trusted retailers, financial institutions, or even government agencies. Most “phishing” e-mails include a message of urgency, encouraging you to act quickly to provide the information requested. The message may say, for example, that you may have been the victim of fraud or that your account information must be updated before you can continue doing business.
Much malicious e-mail seeks to obtain the consumer’s personal financial data like personal identification numbers (PINs), Social Security numbers and account numbers. Spammers may also try to trick you into installing destructive files that will cripple or destroy your computer.
Not only does spam clog your inbox and overload your brain with messages — genuine and bogus — but it also raises the risk that you will fail to see e-mail that you really want. It’s easy to get so involved in filtering out or deleting unwanted messages that you will miss the important, meaningful ones.
Spam messages are not limited to personal home computers. Businesses can incur substantial loss in time and productivity as employees spend hours sorting through unwanted messages. An unscrupulous spammer may even cause harm to a company’s reputation by hijacking its server and transmitting messages that appear to have come from the business. The Federal Trade Commission (FTC) offers suggestions for businesses on how to avoid the pitfalls of spam in the workplace. http://business.ftc.gov/documents/bus57-securing-your-server-shut-door-spam 
Other communication methods including instant messaging (IM), social networking, and text messaging are also spam targets. Spam delivered through IM (such as Yahoo Messenger, AIM, ICQ, and Windows Live Messenger) instead of e-mail is often referred to as spim. Social networking spam is directed at users of social networks including Facebook, MySpace, and LinkedIn. Users may receive spam which might include links leading to outside sites. Mobile phone spam (SMS spam) is directed at the text messaging service of a mobile phone. This can be particularly annoying for the recipients because they may be charged a fee for every text message received.
Probably you have given it to them by filling out an online form, attaching your e-mail address to your personal or business Web site, or by posting to Internet discussion groups. Spammers “harvest” these addresses with computer programs that collect and add the addresses to their spam mailing lists. Once these lists are compiled, they’re easily sold or rented to other spammers.
It’s quite simple. Spamming is profitable. Chances are, neither you nor anyone you know would ever respond to a spam e-mail. In fact, like most people, you probably go to great lengths to avoid spam, installing filters and automatically deleting any spam that makes its way through.
However, like fraudsters who once targeted victims through direct mail and unscrupulous telemarketing, spammers know that the key to profits is in sending millions of solicitations. By doing so, even a minuscule response rate translates to profits. The principle is the same whether the spammer aims to steal your personal information through phishing, entices you into a scam investment, or direct you to a fake pharmacy Web site.
A 2008 study conducted by computer scientists from the University of California Berkeley and the University of San Diego examined the profits to be made from spam. A full report of researchers’ methodology and conclusions can be found at: www.cs.ucsd.edu/~savage/papers/CCS08Conversion.pdf .
A 2012 study by The American Economic Association calculated that while the societal cost of spam is $20 billion annually, while the revenue derived by spammers from spam is $200 million. The researchers’ report and conclusions can be found at: http://www.aeaweb.org/atypon.php?return_to=/doi/pdfplus/10.1257/jep.26.3.87 
The federal law, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 USC §§7701-7713, (CAN-SPAM), went into effect in 2004. In passing the CAN-SPAM Act, Congress noted that “[m]ost of these messages are fraudulent or deceptive in one or more respects.”
Still, the law stops far short of prohibiting unsolicited e-mail messages. Instead, Congress adopted the weak opt-out standard as consumers’ first-line defense against unwanted spam. The theory underlying the law seems to be that protecting the commercial rights of a few “legitimate” spammers outweighs the annoyance, cost, and potential harm to consumers and business recipients of spam.
For the text of the CAN-SPAM Act, see http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ187.108.pdf 
In Facebook, Inc. v. MAXBOUNTY, Inc. (March 28, 2011), the U.S. District Court for the Northern District of California held that messages sent by Facebook users to their Facebook friends’ walls, news feeds or home pages are “electronic mail messages” under the CAN-SPAM Act. The court rejected the idea that CAN-SPAM applies only to traditional e-mail. The ruling broadens the kinds of e-mail messages falling under the CAN-SPAM Act. What this means is that unsolicited commercial email messages via Facebook are subject to the same CAN-SPAM requirements as any other commercial e-mail message. In all likelihood, this decision is intended to apply to high volume third-party spammers, rather than individual Facebook users. http://www.hldataprotection.com/2011/04/articles/consumer-privacy/canspam-held-to-apply-to-social-media-messaging/index.html 
The CAN-SPAM Act requires, among other things, that unsolicited commercial e-mail messages be labeled and that the sender provide instructions on how the consumer can opt-out of receiving future messages. The law also requires the sender to provide its physical address and refrain from using deceptive subject lines and false headers on the messages. Messages prompted by a “transaction” or “relationship” with the sender are exempt from the CAN-SPAM Act.
The most egregious violations of CAN-SPAM, such as using a computer without authorization, is subject to criminal prosecution by the U.S. Department of Justice. States also have authority to enforce the federal CAN-SPAM Act.
For a summary of the major provisions of the CAN-SPAM Act, see the FTC’s publication, The CAN-SPAM Act: Requirements for Commercial Emailers, http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business .
The CAN-SPAM Act requires commercial e-mail messages to include the sender's "valid physical postal address." Under the new rules, the FTC says a valid physical address can be either (1) a street address; (2) a Post Office box that has been registered with the United States Postal Service (USPS); or (3) a private mailbox that has been registered with a commercial mail agency under USPS regulations.
The FTC's rules explain how the opt-out process works. First, any legitimate e-mail solicitor should give you a means to opt out of receiving future messages. After receiving the message, you have 30 days to opt out. The person who sent the message has 10 days to honor your opt-out request, that is to stop sending you unwanted e-mail messages. The sender cannot require you to pay a fee to opt out or to provide information other than your e-mail address and your opt out choices.
What's more, a sender cannot require you to do anything to opt out except reply to an e-mail message or visit a single Internet Web page. A sender should not, for example, ask you to write a letter or make a phone call to exercise your opt out choice. Once you opt out, your choice stands indefinitely. The FTC turned down marketers' requests to “scrub" their opt-out lists periodically, requiring consumers to opt out again every few years.
The FTC also has commented on what would constitute a “transaction” or “relationship.” Generally, an e-mail generated by a company you have some business dealings with is not subject to the CAN-SPAM Act. One exception would be if the company tries to sell you some new product or service. E-mail from an employer or its agent is usually also exempt. Messages from a collection agency may also be exempt.
Rather than add significant new protections for consumers against unwanted e-mail, the recent FTC rules seem instead more focused on providing guidance for spammers. While this may be instructive for legitimate e-mail solicitors, a spammer intent on draining your bank account or stealing your identity is unlikely to be swayed by the nuance of federal rules. The more effective road to stronger consumer protection has been and will continue to be aggressive enforcement with hefty penalties imposed by civil and criminal courts.
The FTC requires that all commercial e-mail containing sexually oriented content include the label “SEXUALLY EXPLICIT” in the message’s subject line. E-mails found to be in violation of this rule face lawsuits with civil and criminal penalties including imprisonment and fines of up to $500,000. Read more at www.ftc.gov/opa/2004/05/sexexplicit.shtm  and at www.ftc.gov/opa/2004/04/adultlabel.shtm .
Consumers who receive unsolicited commercial e-mail messages in violation of CAN-SPAM and FTC rules should forward the messages to email@example.com . (www.ftc.gov/opa/2004/07/newspamemail.htm ) A federal court has ruled in Gordon v. Virtumundo (9th Cir., Aug. 6, 2009) that Internet service providers may sue spammers under the CAN-SPAM Act, but that individual spam recipients may not. The court also ruled that the CAN-SPAM Act preempts all state spam laws except those dealing with fraud. (http://www.scribd.com/doc/18215423/For-Publication )
See also the list of Web sites at the end of this Fact Sheet for further resources.
No. If you are on the national do-not-call registry, you have probably seen a reduction is unwanted telemarketing calls.
As part of the CAN-SPAM Act, Congress directed the FTC to study and report on the prospect of adopting a similar registry for unwanted e-mail. In a June 2004 report to Congress the FTC advised against adopting a national registry for e-mail.
The study concluded that such a registry would likely do more harm than good, noting that spammers would most likely use a registry for verifying e-mail addresses. Potential harm to children from dangerous Internet users, like pedophiles, was also noted among other concerns.
To read the FTC’s report to Congress, see www.ftc.gov/reports/dneregistry/report.pdf  .
All spam is a time waster and a resource waster, potentially jamming networks and servers.
Anti-spam filters have improved in recent years, and Internet hosts (like AOL) screen out spam more effectively. Even the best filters, though, are not 100% effective. They either screen out some messages you want to see or they allow too many undesirable messages to evade the filters.
Can you eliminate all spam? Probably not. Some spam always seems to evade the controls. But you can reduce unwanted spam considerably if you follow the recommendations in this Fact Sheet.
- Never open spam messages. Unless you block HTML graphics, it’s possible that the sender will be alerted that you have opened the message. This encourages spammers to send more messages.
Often times the subject line in a message will suggest that it is spam. Promises of a youthful appearance, speedy weight loss, prescription drugs without a doctor’s approval, or some other panacea are all indicators of spam. For a list of the top e-mail scams, see the federal government Web site OnGuard Online. http://onguardonline.gov/articles/0038-spam  .
Opening a spam message may also subject your computer to malicious code. Your personal computer could become part of a robot network, called a “botnet” or “zombie army.” To read more about “botnets,” and what you can do, read the FTC’s publication Botnets and Hackers and Spam (Oh, My!),
- Never click on a URL (link) or Web site address shown in a spam e-mail. This could alert the site to the validity of your e-mail address, potentially resulting in more spam. It could also expose you to malicious code inserted on your computer. Scam e-mail messages often give a URL that includes the name of your bank, government agency or other legitimate source. Clicking on the scammer’s URL will direct you to a counterfeit site that could look surprisingly like the official site.
- Never reply to a spam message or even click on the “unsubscribe” link. That informs the spammer that you exist. Responding to the messages just confirms that your e-mail address is valid and that you received and read their message. It also encourages them to send more messages.
Don’t respond to any “removal instructions” that might be included at the bottom of the message. And, of course, never buy anything as a result of spam you receive.
Be especially alert for phony e-mails that request personal information from you. Cyber-thieves have gotten very good at mimicking legitimate Web sites of merchants, banks, and government agencies — including their logos and “official”-sounding language — and asking for your Social Security number, bank account data, or other private information under the guise of “updating” their records or “clarifying” your status as a customer.
However, legitimate businesses and agencies rarely ask for such information over the Internet. So if you have any doubts — and you should — call the organization instead of responding to the e-mail. Be sure to use a phone number in the phone book, not a telephone number shown in the message or on the possibly phony Web site.
- Set filters in your e-mail program to allow or to block specific senders and/or specific language. Many Internet Service Providers now provide automatic spam filtering. These are filters you may need to set manually. The filters can be set to keep out certain senders, or conversely, to “white list” other correspondents by allowing their specific e-mail address.
In either case, filters work by analyzing your incoming mail and attempting to decide which e-mails are genuine and which are spam. But the process — whether automatic or manual, and whether blocking or permitting — is far from perfect. If you find that either legitimate messages are being captured in your spam filter or that unwanted messages are continuing to slip through to your inbox, you may need to adjust the spam filter settings. Many e-mail accounts offer a separate “bulk mail” or “spam” folder where suspicious messages are held.
- Understand where rejected messages go. If you use filtering software, be sure the rejected messages are sent to a special folder other than your e-mail “trash” basket. That way you can periodically review them to see if a message you truly want was diverted by an over-aggressive spam filter.
- Have a backup e-mail account(s). Use a free Web-based e-mail account when subscribing to magazines, filling out warranties, posting to Internet discussion groups, or in other situations where you are not sure how your email address will be used. Some examples of free e-mail services are Hotmail.com, Yahoo.com, or gmail.com (Google). While this won’t reduce the amount of spam you receive, it will largely keep it out of your primary e-mail account that you use on a daily basis.
- Use a combination of letters and numbers in your e-mail address. Many spammers employ “a dictionary attack” — bombarding the Internet with any plausible combination of letters and hoping some of those match your e-mail address. If you use numbers and/or symbols in your address, you will likely sidestep such efforts.
- Never respond to spam. Responding to the messages just confirms that your e-mail address is valid and that you received and read their message. It also encourages them to send more messages.
Don’t respond to any “removal instructions” that might be included at the bottom of the message. Granted, the CAN-SPAM Act requires spammers to give you an opt-out. Regardless of this, keep in mind what Congress said in adopting CAN-SPAM: “Most of these messages are fraudulent or deceptive in one more respects.” Common sense says a company that uses fraud and deception in its solicitation is unlikely to take your opt-out request seriously.
And, of course, never buy anything as a result of spam you receive.
- Do not rely on spam-blocking services. Many are ineffective and may even cause an increase in the spam you receive. Yahoo recommends the following: Never sign up with sites that promise to remove your name from spam lists. Although some of these sites may be legitimate, more often than not, they are address collectors.
The legitimate sites are ignored (or exploited) by the spammers, and the address-collection sites are owned by spammers. In both cases, your address is recorded and valued more highly because you have just identified that your address is active.
- Consider using disposable online addresses. You can create a unique e-mail address for each e-mail newsletter or forum you subscribe to. Then, when an e-mail address begins getting spam, you can discontinue using it and start using another. This works because the disposable e-mail addresses actually forward to your real e-mail address. For more about disposable e-mail addresses, see http://email.about.com/od/disposableemailservices/tp/disposable.htm  .
You can find out if the company intends to share your information with a third party or affiliate company. Do they require these companies to refrain from marketing to their customers? If not, you can expect to receive spam and even mail or phone solicitations from these companies.
- Remove e-mail addresses from your Web site. If you list or link to your e-mail address, you are likely to be spammed by address-harvesting robots. If you must include your e-mail address on the site, try posting it written out in words (“example at domain dot com”) instead of firstname.lastname@example.org. That way a human user can understand the correct address, but a robot may not recognize it as such.
An FTC study report concluded that altering an e-mail address in this way, a practice known as “masking,” can substantially reduce spam generated through the use of harvesting software. To read this study, go to www.ftc.gov/opa/2005/11/spam3.shtm 
- Consider subscribing to a spam-prevention service. These vary in effectiveness, but some people find them helpful. Many are “challenge-response services,” which means they require people who send you an e-mail to respond by clicking, visiting a Web site, and/or typing in a code that only a human — not a robot — could do correctly. That puts a burden not only on scammers but, unfortunately, also on your friends and legitimate senders who may find the system onerous and rude.
- Report spammers to their domain. Most e-mail accounts have an anti-spam requirement in their terms of service. For example, here is Yahoo’s Anti-Spam Policy: http://docs.yahoo.com/info/guidelines/spam.html 
Many fine web sites contain suggestions on ways to reduce unwanted e-mail solicitations. These, in turn, will lead to many more such sites.
A sampling includes:
|www.cauce.org ||CAUCE (Coalition Against Unsolicited Commercial E-Mail) lobbies for legislative solutions|
|www.scambusters.org ||Reader-friendly site detailing scams, many of which involve spam|
|http://spam.abuse.net ||A collection of spam-abuse links and resources|
|www.spamcop.net ||When spam is reported here, Spamcop then seeks to learn its origins and report it to the Internet Service Providers|
|www.imc.org/imc-spam ||Internet Mail Consortium, an industry group, provides legislative news and links|
|www.JunkEmail.org ||The spam-prevention Web site of www.getnetwise.org |
|www.moralityinmedia.org ||Anti-pornography group gives tips on combating porn spam|
|www.junkbusters.com ||Helps consumers get rid of junk messages of all kinds, including spam|
The basics about spam, phishing, and other e-mail pests
OnGuardOnLine http://www.onguardonline.gov/articles/0003-phishing 
Federal Trade Commission, SPAM Home Page http://www.ftc.gov/bcp/menus/consumer/tech/spam.shtm