Kavi Mailing List Manager Help

Chapter 18. What You Need to Know About Spam

The Ascent of Spam

Once upon a time there was no Internet and SPAM was a tasty treat, especially when baked with pineapple. Then the Internet became available to anyone with a computer. Soon everyone and their grandmother were exchanging baby photos via email and a new class of entrepreneur arose to exploit the opportunity to distribute a huge number of advertisements at an irresistibly low cost. The age of spam was born.

Ironically, spamvertisements have become so universally loathed that advertising via spam is now a good way for businesses to go broke...except for those that get paid to broadcast spam on behalf of gullible newbies who can't imagine that a million spam messages could possibly fail to generate a single sale. The only other people making money on spam seem to be selling questionable goods or running con games disguised as get-rich-quick schemes and those heroes of the spam wars, vendors of spam-filtering software.

Back to top

What Is Spam?

Whether distributed via mailing lists or sent directly to individual addresses, spam is the electronic equivalent of junk mail. The popular conception of what constitutes spam has broadened beyond advertisements distributed via email, but all the different forms of spam share several distinguishing features.

Qualities that distinguish spam:

  • It has a broadcasted, rather than targeted, message

  • It suits the purposes of the sender rather than the receiver

  • Most important, the message is distributed without the explicit permission of the recipients

Many messages that constitute spam in the minds of list users might not be intended as spam by the sender, but spam is in the mind's eye of the receiver.

Spam in its more subtle forms:

Employment solicitations

These belong on the organization's job board rather than to the mailing list. To minimize this, the Policy and Usage statement on the Mailing List Home page should include instructions on posting to the job board.

Excessive cross-posts

Spam originated on Usenet newsgroups where spam was defined as excessive cross-posting. Judicious cross-posting can facilitate the flow of information between different groups within a technical standards organization, but newcomers should be advised to err on the side of caution.

Messages from lists that don't confirm subscriptions

Closed-loop, confirmed opt-in is the "gold standard" for mailing list subscriptions. It is used to acquire explicit permission from the owner of an email address before subscribing the address. Lists that don't use subscription confirmation are more likely to add subscribers who don't realize they have been automatically subscribed, who changed their minds after subscribing or, if the list accepts subscribe requests via email, have been subscribed maliciously by someone.

Messages that don't include unsubscribe instructions

Just as it is important to have individuals confirm their desire to opt-in when subscribing, it's important to allow them to opt-out whenever they want by making it easy to unsubscribe. Plain-text messages can be configured to include instructions on unsubscribing. Messages that don't include these instructions may be viewed as spam by unwilling recipients.

Unexpected list messages

Legitimate messages from mailing lists can be perceived as spam if the recipient isn't expecting to receive list mailings, or at least, not so many of them. Individuals are not always aware of being automatically subscribed to a list when they became a member or of being subscribed by an administrator when they become a company representative. Sometimes the recipient is confused because a subscriber forwarded the message to them or they believe they have unsubscribed.

Of course, spam messages that get posted to the list will be distributed to subscribers and when this happens, the list IS actually spamming subscribers. The only near-foolproof method of eliminating spam from a mailing list is to moderate the list.

Back to top

Why Spam Is Evil

Resource Misappropriation

There are enormous quantities of spam being distributed through the Internet, tying up the system resources and time of unwilling recipients. This usurpation of resources represents a significant drain on productivity, so subscribers expect their mailing list to be a spam-free zone. Unfortunately, this is more of a goal than a reality.

The Malware Connection

Some spammers make a really nasty habit of using other people's computers to spawn email messages without the consent of the computer owner. This is accomplished by planting a trojan (i.e., program) on the computer. The trojan transforms the computer into a "spam drone" that generates spam whenever the computer is online. The program is set to run invisibly, so the user isn't likely to know their computer is being used as a spam drone until they are contacted by their ISP, mailing list administrator or other annoyed spam recipient who has traced the email back to them.

When a mailing list receives spam from a trusted source, such as a subscriber, it is possible that the sender's computer is being used as a spam drone. If this is a first-time offense, it's wise to give the sender the benefit of the doubt and provide any help you can to help them secure their computer. Most of the current anti-virus software is packaged with anti-spyware software, and there are also free, downloadable versions of anti-spyware and home firewall software available on the Internet.

The tie-in between spam and malware isn't limited to hijacking computers for use as spam drones. Spam does have more sinister uses. Phishing scams, a relatively new internet phenomenon, can be initiated via spam masquerading as email from a trusted source, such as your organization. These messages are usually designed to mislead the recipient into believing that it is necessary to update personal and account information. The message contains a link to an official-looking page where forms capture privileged information such as passwords, credit card numbers, etc. This is just another reason why your organization will want to take advantage of all practical precautions to guard against spam being posted to its mailing lists.

Difficult to Defend Against

Guarding against spam presents a greater technical challenge than guarding against malware, such as viruses. First, only certain types of files can transmit malware capable of executing itself. Plain text files, such as those commonly used for email, won't contain malware but they can certainly contain spam. Secondly, programming code must be properly structured if it is going to work, so files containing executable malware have identifiable patterns that can be detected by virus filters. On the other hand, spammers can and do deliberately obscure the keywords for which spam filters search. For instance, anti-spam software may search incoming messages for the terms 'pharmaceutical' or 'viagra'. Spammers can use obfuscated but human-readable versions of these terms such as 'phar$ma/ceu*tical' or 'v/ia^gra'. This foils the ability of the software to detect the terms, since it can only find exact matches to known patterns. It's impossible to completely identify and filter out all spam without human intervention (i.e., using moderators to review all messages before posting them to the list).

Back to top

How Spam Is Distributed

Like junk mail, spam can be sent to known addresses that the spammer has somehow acquired or to recipients whose addresses are not known in advance.

Acquired Addresses

Spammers obtain email addresses by purchasing them from companies who are willing to sell their customer's addresses or by harvesting addresses from webpages. They use software called spiders or scrapers to glean email addresses from mailing list archives, rosters, directories and any other source they can find. Spammers sell these lists to each other and to customers, and there are rumored to be lists containing millions of email addresses in circulation, although a high percentage of the addresses on these lists are likely to be stale and invalid.

Guessed Addresses

Spammers often use software to run "dictionary attacks"—similar to those that attempt to crack weak passwords—to test for common usernames. For instance, if the domain name is 'example.tld', this software might check for common names and nicknames like 'kim@example.tld' and 'brownie@example.tld'.


Many alias names are based on widely used standards, so spammers routinely send mail to common system aliases such as support@example.org. Mailing lists were the original spam-distribution vector and are still a favorite target. If a spammer manages to learn or guess a list alias and distribute spam through a list, a single successful guess may forward the spam message to thousands of list subscribers.

Back to top

Fighting Spam

Because mailing lists are the original and still favorite target of spammers, mailing list managers must maintain a vigilant defense against spam. Ironically, mailing lists are sometimes perceived as

Use Moderation

Spam can't be eliminated, but it can be minimized, and the single greatest defense against spam is to have moderators vet messages before they are posted to the list. Even if all messages are moderated, spam will occasionally slip through, usually because a moderator is out of the office and an autoresponder replies in a way that approves posts in their absence.

If you want your list to be moderated, select a moderated list type. See Default List Types for information on moderated list types. To learn more about moderation, see Moderation.

Other Access Control Options

Kavi® Mailing List Manager offers several different access control mechanisms that can be implemented through list configuration option settings at the list and list type levels. Options can be set to limit the ability to post and to subscribe. Since the ability to post can be based on whether an individual is a subscriber or not, restricting the ability to subscribe indirectly controls the ability to post for many types of lists. Lists that aren't completely moderated often allow subscribers to post directly while sending posts from the public (i.e., posts from unknown addresses) to moderation or rejecting them outright.

This is explained in more depth in Access Control and List Types.

Spam Filters

Spam filters work in conjunction with automated access control options and human moderation to protect your list. They screen incoming email at the firewall before it even enters the Web site. Email that meets the filter's rather broad criteria is immediately deleted and fails silently. Occasionally a legitimate message that closely resembles spam will be deleted (usually because it has an empty 'Subject:' field) and occasionally spam that doesn't meet the filters criteria will pass the filter. Depending on list configuration, the message may still be kept from the list by being automatically rejected or sent for moderation because the address of the sender isn't on a list with direct posting privileges.

See the section on Spam Blocking in Virus Scanning and Spam Blocking for more information.


Blocklists are lists of the IP addresses of known spammers that have been collected by global anti-spam organizations. Kavi uses blocklists maintained by Spamhaus, which is probably the foremost of these organizations, and rejects any incoming email if the sender's IP address matches an IP address on the blocklist. Mailing list managers can report repeat spammers to their ISP, Spamhaus and other anti-spam organizations so they can be added to these blocklists. Kavi also maintains a private blocklist to help protect sites it hosts.

Zero-Tolerance Policy

Most mailing lists employ a zero-tolerance policy for spammers and the list's Policy and Usage statement includes the information that any subscriber who attempts to post spam will be immediately and permanently unsubscribed. It's wise spell out list policy for the more subtle forms of spam (e.g., job solicitations, cross-posts) and the consequences that may be incurred by senders submitting these forms of spam. For more information, see Writing Policy and Usage Statements and Sample Policy and Usage Statement.

Archive Security

Whether a list's Web archives are public or private, email addresses can be obscured by selecting the 'Protect Archives from Spam' option in the Add a Mailing List or Edit a Mailing List tool. Setting this option to 'Yes' causes the email domain of addresses to be replaced with a series of 'X' marks before being displayed in the Web archives so that address harvesting software will be unable to glean list user's addresses. This is inconvenient to list users who want to contact another list user directly and can't get the other's address from the archives, but those who use address harvesting software are relentless in their attempts to bypass system security—and the lists of addresses they collect are sold to spammers around the world, potentially including unethical people running phishing schemes and other kinds of scams.

Subscription Confirmation and Easy Opt-Out

As mentioned in the preceding section What is spam?, there are several conditions under which email from your organization might be mistaken for spam by the recipient, particularly if the list doesn't confirm the individual's intent to subscribe or makes it less-than-easy to unsubscribe.

All mailing lists should:

Use the closed-loop, opt-in subscription process

Confirm subscription requests by sending a confirmation email to an address before subscribing it.

Be sure to provide individuals who are automatically subscribed with a way to opt out unless the list is used to distribute announcements that the subscriber must receive according to organizational rules or legal obligations.

Make it easy to unsubscribe

Provide unsubscribe instructions in trailer text appended to list messages.


Failure to confirm subscribe requests or offer an easy way to unsubscribe may inconvenience the receiver and cause your messages to be perceived as spam. It could even get your organization blocklisted as a spammer if the recipient files a complaint with an anti-spam organization and they agree that you failed to adhere to best anti-spam practices. Getting your organization's IP address off a blocklist tends to be problematic and time consuming.

Back to top