Spam slayer: Be wary of opting in

SAN FRANCISCO (02/02/2004) - Tip of the month

Viruses love spam. If you can read this, it means the spamlike Mydoom virus didn't crash the Internet. To keep your system running virus-free, it's vital to stay informed of the latest threats. The Computer Emergency Response Team won't patch your system, but it will alert you the second it identifies an Internet threat. To sign up for e-mail alerts, go to the CERT Web site. For mobile access to alerts, visit on your WAP-enabled phone.

"Opting in" to receive commercial e-mail that might interest you seems harmless enough. But it can turn the trickle of spam in your in-box into a torrent. A huge volume of spam, regardless of new antispam laws, still plagues e-mail users. Sharon Lewis is one example.

"I spend about an hour every day deleting spam," Lewis says.

I found Lewis and others like her through opt-in e-mail lists, which are sold through a perfectly legal network of e-mail address brokers. I obtained a list that contained Lewis's e-mail address, full name, postal address, phone number, IP address, credit rating, the estimated value of her house, how many times she was late paying her mortgage, and whether she was approved for a loan she requested.

Lewis was painfully aware that her e-mail address was being circulated online. But she didn't realize the level of personal detail being bought and sold as part of these lists. "This doesn't sit right with me," she says.

The hazards of opting in

The massive amount of unwanted e-mail peddling everything from get-rich-quick schemes to herbal Viagra are usually associated with underhanded scammers. But spam, which is simply the popular name for unsolicited commercial e-mail, also comes from legitimate sources. This sort of spam arrives in your in-box because at one point you agreed, or opted in, to receive e-mail of some sort. It may have been at only one site. But if it was the wrong site, that one indiscretion could quickly balloon into hundreds of spam messages daily.

That's what happened to Lewis. She admits she has only herself to blame for her spam. She traces her fatal mistake to an online application for a loan last October. She doesn't remember reading any fine print or agreeing to let the service share loan information with marketing partners, but it's likely the opt-in agreement required just that.

But with some sites, failing to opt out leaves you fair game for future e-mail. It is perfectly legal for a Web site that accepts loan applications to do whatever it wants with your personal information, say the Federal Trade Commission and even the privacy-watchers at the Electronic Privacy Information Center.

Lewis and other people I contacted from the list now count spam messages in their in-box by the hundreds. No one I spoke with could say for certain that the spam explosion correlates to the loan application that each of them filed, but their stories sounded the same.

Watch for fine print

Lewis says she doesn't feel that she gave informed consent, a view shared by others. But marketers that make a business out of gathering e-mail addresses have no incentive to make "opt out" provisions obvious. If a Web site states -- however covertly -- that your e-mail address and other information you share is up for grabs, you have only yourself to blame.

The business of e-mail list marketing is worth millions to the spammers who rent, sell, and swap e-mail addresses for advertisers. They're compiling them from loan applications, contest entries, or people who accept a free Web service.

The lists are large and the information cheap when purchased in bulk. In the detailed list I obtained, the personal and financial information about Lewis cost about US$0.20.

Under CAN-SPAM laws now taking effect, permissions-based e-mail is legal. As a result, opt-in e-mail lists are more important than ever to spammers. That's because CAN-SPAM outlaws use of software programs that scour the Internet to harvest millions of likely e-mail addresses from Web postings. That puts more pressure on gathering e-mail addresses through opt-in means.

Anyone who has ever made the mistake of entering an online sweepstakes or applied for anything online at the wrong Web site knows just how dicey protecting your e-mail address can be.

Address-gathering techniques

When Web surfing, try to be sure you've really found the resource you think you have. For example, when I ran a Google search seeking information about the Fair Credit Act, a site called Fair Credit Act sounded like a good source of information about whether spammers can trade financial data. In fact, the site does provide some resources. However, when I visited the site, it asked for my e-mail address in exchange for access. A small "privacy policy" link reveals a 1088-word privacy policy that states my personal information can be sold to a third party.

In fact, this site is not run by the government, although it might appear at first glance. The U.S. Federal Trade Commission runs a site with similar consumer information--and doesn't put you on a spam list to get it. More detailed consumer resources are available from the Federal Citizen Information Center, run by the U.S. General Services Administration. It offers e-mail newsletters, but does not require that you sign up for them.

The legacy of the dot-com bust is another source of e-mail addresses. When dot-com companies went belly up, some sold their e-mail lists to pay debts regardless of privacy policies that had promised customers their information would be kept private.

These are only a few of the creative data-gathering tactics that keep the spam coming. Perhaps this is why Roswell, New Mexico resident Peggy Jackson says she has more faith in the existence of space aliens rumored to lurk in her hometown than the effectiveness of antispam laws. Jackson is one the Web-surfing wounded. Her name, home address, phone number, credit history, and e-mail address is an Internet advertising commodity and she has loads of spam to prove it.

"The weirdest stuff I see nowadays is in my in-box," Jackson says.


Q. Spam filters are generating lots of questions -- especially when spammers figure out ways to wiggle through. Many readers asked how to curb spam when a filter isn't enough.

A. Fake out the spammers by using multiple e-mail addresses. Many online e-mail services, such as Yahoo AddressGuard, let you set up secondary e-mail addresses that are managed from a primary e-mail account. This lets you create e-mail aliases you can use when you sign up for free online services that later spam you. If you start receiving too much spam, ditch the address. Another option is offered by Incamail, which recently launched a free Web-based e-mail alternative to Yahoo's Mail Plus package (which costs US$30 per year and includes Yahoo AddressGuard).