
Can’t We Just Spam the Spammers to Death?

Oh so tempting... but ultimately ineffective or worse.

Unfortunately, that turns you into, yes... a spammer! There are many, many problems with this idea. I'll explain a few.

I received a rather lengthy question mentioning a specific service claiming to turn the tables on spammers either by spamming them back or by using the content of their messages to harm them in some way... or at least annoy the heck out of them.

However, as much as spam angers us, besides ultimately being ineffective, vigilante justice isn’t the answer. Here's why.


TL;DR:

Spam the spammers?

Retaliating against spammers is both ineffective and illegal. Spammers don't care about incoming emails. Since they frequently use fake or hijacked email addresses, your actions could harm innocent parties, get your own account shut down, or result in legal trouble. The best approach is to use spam filters correctly and never engage with spam otherwise.

Spamming the spammers

One common idea is to take incoming spam email and reply to it with thousands of messages in return.

There are so many problems with this idea that it’s hard to know where to begin. Here are just a few.

  • Spammers don’t pay attention to returned email.
  • The "From" address is often spoofed, so any reply you send will go instead to an innocent bystander.
  • The "From" address is often completely fake, in which case you may find yourself the recipient of thousands of bounce messages.
  • If the spammer does notice your reply, they're likely to respond by sending you more spam, not less.
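To see why a reply lands on a bystander, the following added example (not part of the original article) works out where a reply to a message would be delivered and whether the receiving server authenticated the "From" domain. The sample message, its addresses, and the function names are constructed for illustration, and the Authentication-Results header is assumed to have been added by your own mail provider.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real spam); all domains are reserved example names.
SAMPLE = """\
Return-Path: <bounce-7731@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Account Services" <billing@example.com>
To: you@example.org
Subject: Your invoice is ready

Click the link to view your invoice.
"""

def domain_of(addr):
    """Return the lowercased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_results(msg):
    """Collect method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:  # the first part is the server's own id
            tokens = part.split()
            if tokens and "=" in tokens[0]:
                method, _, result = tokens[0].partition("=")
                results[method.lower()] = result.lower()
    return results

def reply_analysis(raw):
    """Report where a reply would go and whether that address was authenticated."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    auth = auth_results(msg)
    return {
        "reply_goes_to": reply_to or from_addr,  # mail clients prefer Reply-To
        "from_domain": domain_of(from_addr),
        "envelope_domain": domain_of(envelope),
        "from_matches_envelope": domain_of(from_addr) == domain_of(envelope),
        "from_authenticated": auth.get("dmarc") == "pass",
        "auth": auth,
    }

if __name__ == "__main__":
    for key, value in reply_analysis(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, the reply would go to an address at example.com even though the message was handed over by mailer.example.net and failed every authentication check, so the owner of that "From" address had nothing to do with sending it.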

Regardless of the possible consequences, what’s happened here is you have become a spammer.

Spam is spam whether it comes from a spammer, you, or a service fighting spam. You are causing thousands of unsolicited email messages to be sent, which makes you a spammer.

You run the risk of losing your email account, your email provider being placed on blacklists, and your legitimate email not being able to make it out. You even run the risk of running afoul of the law since what you would be doing is -- as I understand it -- quite illegal.

So it's illegal, it's ineffective, and the only people negatively impacted by your actions are you or innocent third parties.

Don’t do it.

Using the spam's content to spam or annoy someone

Another approach people think will retaliate against spammers is to spam the link in the spam email, perhaps overwhelming their server.

You can’t send email to a link. A link goes to a page on a website, which is quite different than an email address. In a spam message, the two are often completely unrelated. Even though you might know the domain that the link goes to (the "whatever.com"), you can’t know the email address at that domain to which to target your attack.

In addition, the link in the spam is rarely the actual website of the spammer. These links fall into two buckets:

  • Hidden pages on websites that have been hacked. Any attempt to retaliate will only impact the websites of innocent bystanders.
  • Temporary websites on temporary domains. Any attempt to retaliate will affect only sites and servers that the hackers care little about, as they just create another site on another server and carry on.

Ultimately, automated retaliation simply doesn't work. Even manually following the link to perhaps make bogus purchases or otherwise cause problems is ultimately ineffective, and runs the very real risk of attracting malware or some form of account compromise.

Maybe DDOS 'em?

While you can’t send email to links, you could, I suppose, try to mount a distributed denial-of-service (DDOS) attack on them. Instead of sending thousands of emails, you would attempt to make thousands and thousands of requests of that URL with the intent of crippling the spammer’s server -- or just annoying the heck out of them.

The problem is, as I've explained, it’s not the spammer’s server at all! If you succeed, you’ve only succeeded in taking down some innocent third party whose site happened to get hacked.

And once again, I’m pretty sure you’ve broken the law.

Do this

Fighting spam just isn’t that simple.

Authorities often follow the complex trail of obfuscated and hacked email addresses and links, and they often manage to stop large-scale spammers and their networks, or at least slow them down. But it’s not nearly as simple as some kind of "fight back against spam" service would make it out to be.

The single best thing you can do to avoid spam is to use the “this is spam” button in your email program appropriately. Only flag true spam -- unsolicited commercial email -- as spam.

And never, ever buy anything that comes to you as spam. The people who do make spam the industry it is.


5 comments on “Can’t We Just Spam the Spammers to Death?”

  1. I send spammers a reply with “thank you for signing up for daily SHIT pictures” Enjoy!
    I then send photos of dog crap.

    Funny as heck

  2. “it’s not the spammer’s server at all! If you succeed, you’ve only succeeded in taking down some innocent third party whose site happened to get hacked.”

    Wouldn’t the link in the spam point to the spammer’s site or more likely the site of someone who is paying the spammers for clicks? If everyone who receives that spam copies and pastes the link into a browser and goes to the site, wouldn’t that amount to a legal DDOS because they would just be responding to an email and it’s not anything organized?

    This is just theoretical as it would never happen, but in theory?

    • Rare. Most links I’ve seen these days redirect a time or two, meaning you’re still hitting the innocent third party hard as the first step of the chain. Another scenario is when the hacked site simply collects data, and then passes it some other way to a home server. Yet another scenario is when it’s a bot, and it’s communicating to a command-and-control server. There are so many ways spammers can isolate themselves from a retaliatory attack, it just isn’t worth trying.
