Do not respond to spammers

The spam messages often contain instructions how to get removed from the mailing list. According to the spammers you usually need to send a remove request to a given email address or you must visit a web page.

Anti-spammers usually advice people not to complain directly to the spammers and not to try to "remove" yourself from the mailing list. Usually the spammers do not care of these removal request. In the worst case the remove requests serve only to verify that your email address is active, resulting to more spam sent to it. I made an experiment that verified the soundness of this advice.

Experiment on replying to spammers

I created a new email address with a Finnish Internet service provider. The user portion of the email address consisted of two randomly selected letters and six randomly selected digits. By choosing the email address like this I tried to avoid that anyone could guess the address in random. I did not publish this email address anywhere. I used the email address only for one purpose: I asked spammers to remove the address from their mailing lists obeying instructions given in spam messages (naturally the address was not - at least originally - in any spammer's list).

I sent between the period of 28 July 2000 and 3 December 2000 a total of 82 such remove requests, 74 by email and 8 using various web forms. 22 of the emailed remove requests didn't get through because the remove address given in the spam message did not work. Similarily two of the web forms did not work. Therefore, at most 58 remove requests were received by the spammers.

I have received to the address (that I have used only to send remove requests) 235 spam messages in the period between 20 November 2000 and 31 May 2003 (spam messages in gzipped mbox format, published 31 May 2003).

The address received 2 spams in 2000, 6 spams in 2001, 44 spams in 2002 and 183 spams during the five first months of 2003. The amount of spam has increased rapidly. This is probably because the email address has ended up as a merchandise to CDs used by spammers and/or to the mailing lists of some active spammers.

As a comparison, I have "normal" email accounts with the same service provider. I have not published them anywhere and I receive practically no spam to these other addresses. Therefore the spammers have most likely obtained the test address originally from the remove requests, after which the address has probably been disseminated for example in Compact Discs containing email addresses. In principle the address may also have been subsequently revealed from other sources, such as from the header fields (To and Cc) of some spam messages having several recipients, if any of these spam messages have been made public (Google web and group search found no instance of this address). The increase in the overall amount of spam may also have been a contributing factor: according to Brightmail in the end of year 2002 41 % of all email was spam, while only 14 months earlier the ratio was 8 %.

Summary

This experiment verifies the common impression that addresses obtained from the remove requests are used to send spam (even Financial Times is guilty of this).

It is also worth noting that almost a third of the remove addresses given in the spam messages did not work in the first place.

As a summary: Never respond directly to the spammer. Instead, complain to his Internet service provider! The sfnet.viestinta.roskapostit FAQ advises how to deal with spam [in Finnish]. [For instructions in English see e.g. news.admin.net-abuse.email FAQ or SPAM-L FAQ.]

Spam 'Remove' Lists (The Spamhaus Project)
Keep Your Email Address Unlisted: There Is No "National Do Not Email Registry" (Federal Trade Commission)