I received a rather lengthy question that mentioned a specific service that claims to turn the tables on spammers either by spamming them back or by somehow using the content of their spam messages in an attempt to harm them in some way… or at least annoy the heck out of them.
Now, as much as spam angers us, vigilante justice just isn’t the answer, and it’s ultimately ineffective besides.
Spamming the spammers
One common idea is to take incoming spam email and reply to it with thousands of messages in return.
There are so many problems with this idea that it’s hard to know where to begin. The biggest one is simply that the spammers don’t pay attention to the email that gets returned. Either the “From” address is forged and you’re actually spamming an innocent bystander, or the “From” address is completely fake, in which case you might just find yourself the recipient of thousands upon thousands of bounce messages.
In either case, what’s happened here is that you have become a spammer, or perhaps the third-party service you used has.
The fact is spam is spam, whether it comes from a spammer, from you, or from a service. You are causing thousands of unsolicited email messages to be sent, which makes you a spammer.
Depending on how things are set up, you actually run the risk of losing your email account, or your email provider being placed on blacklists, and your legitimate email not being able to make it out. You even run the risk of running afoul of the law since what you would be doing is, as I understand it, quite illegal.
So it’s illegal, it’s ineffective, and the only person potentially impacted by your actions is you.
Don’t do it.
Using the spam’s content to spam or annoy someone
The other approach, of course, is to take the link in the spam email and somehow spam it.
Well, first of all, you can’t send email to a link. A link goes to a page on a website which is quite different than an email address. In a spam message the two actually can be completely unrelated and often are. Even though you might know the domain that the link goes to (the “whatever.com”), you simply can’t know the email address at that domain at which to target your attack.
But it gets much worse. Once again, the link in the spam is rarely the actual website of the spammer. These links actually fall into two buckets:
- hidden pages on websites that have been hacked
- and temporary websites on temporary domains
The first one is little understood and actually so very common that it’s worth explaining.
The spam emails then contain a link to that page on the hacked site. So, if it were on AskLeo.com for example, it might be something very random like AskLeo.com/wp-content/uploads/something-or-other. Ideally (for the spammer) something that I as the site owner might never even notice, or at least not notice for a long time.
Since it’s a link going to a legitimate site, the email is not flagged by spam filters. When you click on that link, the malicious code that has been placed there by a hacker does something to redirect you to some other site that then has the real content, or perhaps even some other intermediary site, to further obscure the final destination.
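To see why neither the “From” address nor the link identifies the spammer, here is an added example (not code from the original article) that inspects a message’s headers and links. The sample message, its domains, and the function names are constructed for illustration; the alignment check is a simplified exact-match version of what DMARC does.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, not real spam; every domain is a reserved example name.
SAMPLE = """\
Return-Path: <bounce-7731@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Customer Care" <support@bystander.example.com>
To: you@example.org
Subject: Your order is waiting

Claim it here: http://hacked-site.example/wp-content/uploads/something-or-other
"""

def domain_of(header_value):
    """Lowercased domain of the address in a header value, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_field(auth_results, name):
    """Value of one 'name=value' item in an Authentication-Results header, or ''."""
    m = re.search(r"\b" + re.escape(name) + r"=([\w.-]+)", auth_results)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Summarise who a single-part text message claims to be from and where it links."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    bounce_dom = domain_of(msg["Return-Path"])
    # Assumption: this header was added by your own receiving server, not the sender.
    auth = msg.get("Authentication-Results", "")
    # Simplified DMARC-style alignment: exact domain match only (an assumption).
    spf_ok = auth_field(auth, "spf") == "pass" and bounce_dom == from_dom
    dkim_ok = auth_field(auth, "dkim") == "pass" and auth_field(auth, "header.d") == from_dom
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    hosts = sorted({urlparse(u).hostname for u in urls} - {None})
    return {
        "from_domain": from_dom,
        "return_path_domain": bounce_dom,
        "from_verified": bool(from_dom) and (spf_ok or dkim_ok),
        "link_hosts": hosts,
        "links_unrelated_to_from": [h for h in hosts if h != from_dom and not h.endswith("." + from_dom)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the sample, the “From” domain is unverified and the link host matches neither it nor the bounce address, so a reply or a flood of requests would land on a bystander or a hacked site.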
If you can’t spam ’em, then maybe DDoS ’em?
Now, while you can’t send email to those kinds of links, you could, I suppose, try to mount a denial-of-service attack on them. Basically, instead of sending thousands of emails, you would attempt to make thousands and thousands of requests of that URL with the intent of crippling the spammer’s server, or just annoying the heck out of them.
The problem is that as I’ve explained, it’s not the spammer’s server at all! If you succeed, you’ve only succeeded in taking down some innocent third party whose site happened to get hacked.
Oh, and once again, I’m pretty sure you’ve broken the law.
Fighting spam the right way
Fighting spam just isn’t that simple. Yes, authorities often do follow the complex trail of obfuscated and hacked email addresses and links, and they often do manage to stop spammers and their networks. Or they at least slow them down. But it’s not nearly as simple as some kind of individual “fighting back” service would make it out to be.
The best thing you can do to avoid spam is to use the “this is spam” button in your email program appropriately. Only flag true spam – unsolicited commercial email – as spam. Use the “not spam” button on any email you find that was mistakenly placed into your spam folder.
And never, ever, buy anything that comes to you as spam. It’s the fact that just enough people do this that makes spam the industry that it is.