Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Can’t We Just Spam the Spammers to Death?

I received a rather lengthy question that mentioned a specific service that claims to turn the tables on spammers either by spamming them back or by somehow using the content of their spam messages in an attempt to harm them in some way… or at least annoy the heck out of them.

Now as much as spam angers us, besides ultimately being ineffective, vigilante justice just isn’t the answer.

Become a Patron of Ask Leo! and go ad-free!

Spamming the spammers

One common idea is to take incoming spam email and reply to it with thousands of messages in return.

There are so many problems with this idea that it’s hard to know where to begin. The biggest one is simply that the spammers don’t pay attention to the email that gets returned. Either the “From” address is forged and you’re actually spamming an innocent bystander, or the “From” address is completely fake, in which case you might just find yourself the recipient of thousands upon thousands of bounce messages.

In either case, what’s happened here is that you have become a spammer, or perhaps this third party service you used for this has.

The fact is spam is spam, whether or it comes from a spammer, or from you, or from a service. You are causing thousands of unsolicited email messages to be sent, which makes you a spammer.

Depending on how things are set up, you actually run the risk of losing your email account, or your email provider being placed on blacklists, and your legitimate email not being able to make it out. You even run the risk of running afoul of the law since what you would be doing is, as I understand it, quite illegal.

So it’s illegal, it’s ineffective, and the only person potentially impacted by your actions is you.

Don’t do it.

Using the spam’s content to spam or annoy someone

Spammer VooDoo DollThe other approach, of course is to take the link in the spam email and somehow spam it.

Well, first of all, you can’t send email to a link. A link goes to a page on a website which is quite different than an email address. In a spam message the two actually can be completely unrelated and often are. Even though you might know the domain that the link goes to (the “whatever.com”), you simply can’t know the email address at that domain at which to target your attack.

But it gets much worse. Once again, the link in the spam is rarely the actual website of the spammer. These links actually fall into two buckets:

  • hidden pages on websites that have been hacked
  • and temporary websites on temporary domains

The first one is little understood and actually so very common that it’s worth explaining.

What spammers like to do is this: they actually hack a legitimate site. For example, they’d love to hack AskLeo.com. In a folder on the hacked site they then place their own malicious code. Perhaps simple HTML, perhaps JavaScript, perhaps a redirect, perhaps something else entirely.

The spam emails then contain a link to that page on the hacked site. So, if it were on AskLeo.com for example, it might be something very random like AskLeo.com/wp-content/uploads/something-or-other. Ideally (for the spammer) something that I as the site owner might never even notice, or at least not notice for a long time.

Since it’s a link going to a legitimate site, the email is not flagged by spam filters. When you click on that link, the malicious code that has been placed there by a hacker does something to redirect you to some other site that then has the real content, or perhaps even some other intermediary site, to further obscure the final destination.

If you can’t spam ’em, then maybe DDoS em?

Now, while you can’t send email to those kind of links, you could, I suppose, try to mount a denial-of-service attack on them. Basically, instead of sending thousands of emails, you would attempt to make thousands and thousands of requests of that URL with the intent of crippling the spammer’s server, or just annoying the heck out of them.

The problem is that as I’ve explained, it’s not the spammer’s server at all! If you succeed, you’ve only succeeded in taking down some innocent third party whose site happened to get hacked.

Oh, and once again, I’m pretty sure you’ve broken the law.

Fighting spam the right way

Fighting spam just isn’t that simple. Yes, authorities often do follow the complex trail of obfuscated and hacked email addresses and links, and they often do manage to stop spammers and their networks. Or at they at least slow them down. But it’s not nearly as simple as some kind of individual “fighting back” service would make it out to be.

The best thing you can do to avoid spam is to use the “this is spam” button in your email program appropriately. Only flag true spam – unsolicited commercial email – as spam. Use the “not spam” button on any email you find that was mistakenly placed into your spam folder.

And never, ever, buy anything that comes to you as spam. It’s the fact that just enough people do this that makes spam the industry that it is.

8 comments on “Can’t We Just Spam the Spammers to Death?”

  1. This article reminds me of a company called Blue Security which produced a Windows client called Blue Frog in an effort to combat spammers. It was back in ’06 I think. If memory serves, it didn’t go so well.

    As you say, just use that ole “this is spam” button. I’ve been using Gmail for many years and its spam filters work remarkably well.

    Reply
  2. About that last part:

    In my opinion, if someone wished that a company would die off, destroying their product or throwing it in the trash doesn’t help because once that person pays for it, what happens to the product doesn’t matter: the price of manufacturing it has already been more than made up for and the company made a profit from it. This could be said not only of spam products, but also of legitimate companies, as haters are just going to hate.

    Reply
  3. Like the spammers, I have many disposable email addresses. When the spammer asks me to write back with Western Union cash info and things of the type, I bombard them with polite notes asking them to “unsubscribe” my address AND hundreds of news articles, poetry, jokes, and whatever else can be easily forwarded via rss feeds. I also write polite notes asking about the weather and things of that sort.

    As I said, I have many different email addresses of my own. I flood their mailbox with whatever can be easily sent using several different email addresses of my own. The spammers often get the message and go away. Not always, but often.

    Reply
    • So you fight the spammers by stooping to their level and becoming a spammer yourself? This is not recommended. You could lose your legitimate email accounts and your ISP could boot you if it were to generate complaints. ISPs in particular take spamming very seriously.

      Reply
      • Old thread I know but someone else will read this after me. No, most ISPs do not care. Limestone Networks is in business as far as I can tell to service spammers. I now have blocked most every IP address range they own due to the spam from them. I email their abuse department and receive nothing back from them. The server hosting farms do not care as long as they are getting paid.

        Reply
  4. In the case of hacked sites, a nasty thing is to add an alternate stream. Those are created by having something like somefile.html:a secretpage.html
    Under Windows, you can have c:\:nasty\ that can’t be suppressed short of reformating.
    The same can be done under MacOS and Linux/Unix and may look as root:nasty.
    The part after the colon is the alternative stream. What is nasty is that it will NEVER show when you show a folder’s content AND whenever you copy or move the original file, of even whole folder, the alternative stream will tag along.
    The only sure fire way to get rid of those, if you don’t know the exact name to use, is to move the file or folder to a destination that don’t support alternative streams, delete the original, then restore the file/folder. If it’s the root of a volume, you’ll need to reformat it.

    Reply
  5. That artikle made me laugh 😀
    I did just read till the Ddos section. First you mention Ddos (distributed denial or service) and then you just talk about Dos (denial of service)
    Know the difference? Dos doesnt work nowadays since every firewall is able to block a Dos attack.
    Ddos however, is if the attacks come from virtually thousands of different clients. You would need a botnet for that. If you are at that level, you wont have problems with spam anyway 😉

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.