MIT Information Services and Technology




Frequently asked questions on spam answered:

What's the latest?
What is spam?
How did they get my e-mail address?
How did they get a mailing list address?
Why do I get e-mail that isn't addressed to me?
Can I deal with this by filtering?
Should I "reply to remove?" It didn't work!
But the foreign language spam?
Can't we track these evildoers down, and do something?
How can I figure out where it came from?
This mail is from MIT, now what...?
Oh, this mail is from outside, now what...?
Who's responsible for all this at MIT?
Why is MIT the only place that has this problem?
Does MIT sell its directory to marketers?
What is MIT doing to stop this?
Additional Resources


 

The Answers:
What's the latest?


Users of MIT e-mail (i.e., those receiving their e-mail on po9, po10, po11, po12, or po14) have the option of screening incoming messages for spam. MIT Spam Screening performs a series of tests on an incoming e-mail message, scores it according to a set of criteria, and can optionally filter any message that qualifies as spam. More about setting up Spam Screening can be found at http://web.mit.edu/ist/services/email/nospam/.


What is spam?


Unsolicited bulk e-mail is often referred to as spam, an unfortunate use of the Hormel Corporation's luncheon meat of the same name. The key word here is unsolicited: spam, like junk mail, is not something that you asked for. It appears in your inbox (often multiple times), taking your attention away from relevant work-related and personal e-mail. Spam costs millions of dollars a year in lost time, due to slower bandwidth, attempts to filter, and frustration.

You may have noticed a lot more pointless e-mail in your inbox lately. These messages tout schemes to get rich quick, or pills to look younger, or deals on toner cartridges -- or offers that are even less savory. Who are these people and how did they get your address? For the unscrupulous senders of these messages, e-mail is a form of cheap advertising, a venue for scamming people, or a way to shock or annoy.

This type of e-mail, sometimes called spam or unsolicited commercial (UCE) or bulk (UBE) e-mail, is becoming more common, and more annoying. While the recent state of affairs with regard to spam has not been bright, there are legitimate organizations working to combat it through proposed legislation, spam reporting, and better filtering options.

MIT now offers spam screening on its mail servers (po9,10,11,12,14).

How did they get my e-mail address?


Unfortunately, spammers are getting cleverer. They get your address in a variety of ways. Many harvest addresses from Usenet postings and web pages, by viewing mailing list archives, or by buying them from companies that claim to have the address owner's permission. Once spammers have a collection of addresses, sending the mail is easy.


How did they get a mailing list address?


Mailing lists are obtained through a number of fairly simple methods: 1) some list names are easy to guess, for example, FINANCE@SOMEDOMAIN.COM might work, as many companies have a Finance Department; 2) some list names are included, for customer convenience, on web sites that advertise products and services -- unfortunately, spammers find these web sites convenient as well; 3) some list names are provided by disgruntled employees or students to the evil site operators as a way of harassing a group or organization. This is a violation of the MITnet Rules of Use, and may result in disciplinary action up to and including expulsion.

Why do I get e-mail that isn't addressed to me?


When you get mail that doesn't explicitly include your individual username, or the name of a mailing list, in the To: or Cc: headers, you can be sure that the spammer put the addressing information into a Blind Cc: header. This is just another tactic used to try and fool anti-spam filters and tools.

Can I deal with this by filtering?


All e-mail that is currently received in your MIT account (ending in @mit.edu) is given a spam ranking score. Those messages that have a certain score or higher are considered spam and are given the following header:

X-Spam-Flag: YES

You can filter messages, based on this header, with your e-mail program. Instructions for doing this can be found at the MIT Spam Screening page.


Should I "reply to remove?" It didn't work!


We strongly urge you to not reply to any spam messages. Doing this simply confirms that your e-mail address is valid. What happens then is that the spammer that received your confirmation will do two things:

  1. Send you more spam.
  2. Sell your confirmed working e-mail addresses on the spam black market to other spammers, leading to even greater amounts of spam to your address.

It is also unwise to open any e-mail attachment that you are not expecting, even if it appears to have been sent from someone you know. Many viruses are transmitted through e-mail attachments by sending them to addresses found on infected machines.

But the foreign language spam?


Well, yes, there is something you can do if you absolutely, positively don't want to receive mail that's written in Korean, or whatever. Here's what you do:
The e-mail header that you need to look at for doing this is Content-type, specifically the "charset" variable. For most mail between folks here at MIT, it will look something like this:

Content-type: text/plain; charset=us-ascii
but sometimes it will look like this:

Content-Type: text/html; charset="ks_c_5601-1987"
This example is of a message written in the Korean character set. To filter out all such mails, set up a filter in your mail software to segregate those messages into a separate folder. After you see that you're not throwing away any important messages, you can change the filter rule to simply put them in the Trash box.

For other character sets, refer to the IETF standards documents.
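The two header-based rules described above (the X-Spam-Flag header and the Content-Type charset), combined in one filter as an added example that is not part of the original page. The folder names, the sample messages and the `choose_folder` function are assumptions made for illustration.

```python
from email import message_from_string

# Character sets the user has decided to segregate (assumption: user-maintained).
UNWANTED_CHARSETS = {"ks_c_5601-1987"}

# Constructed sample messages, not real mail.
FLAGGED = "From: a@example.com\nSubject: deal\nx-spam-flag: yes \n\nbody\n"
KOREAN = ('From: b@example.com\n'
          'Content-Type: text/html; charset="ks_c_5601-1987"\n\n<p>x</p>\n')
PLAIN = ("From: c@example.edu\n"
         "Content-type: text/plain; charset=us-ascii\n\nhello\n")


def choose_folder(raw_message, unwanted=UNWANTED_CHARSETS, trial_run=True):
    """Return the folder name a message should be filed in.

    trial_run=True files charset matches in a review folder, matching the
    page's advice to watch for false positives before sending to Trash.
    """
    msg = message_from_string(raw_message)

    # Header names are case-insensitive; normalise the value before comparing.
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return "Spam"

    # Multipart mail declares a charset per part, so check every part.
    for part in msg.walk():
        charset = part.get_content_charset()  # lower-cased, quotes removed
        if charset and charset in unwanted:
            return "Charset-Review" if trial_run else "Trash"

    return "Inbox"


if __name__ == "__main__":
    for name, raw in (("flagged", FLAGGED), ("korean", KOREAN), ("plain", PLAIN)):
        print(name, "->", choose_folder(raw))
```

Switch `trial_run` to `False` only after the review folder has stayed free of wanted mail for a while.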

Can't we track these evildoers down, and do something?


Spammers rarely give an accurate return address. If the address is valid, it's likely that of some unlucky third party. This has created some interesting battles that rarely include the person who actually sent the message. While Information Services and Technology still encourages people to use the filtering mechanisms in their e-mail programs, it's not likely to wipe out spam completely.

How can I figure out where it came from?


When you get spam, check to see where it came from by viewing the full headers*. To do this in Eudora, click the BLAH BLAH BLAH button. Examine the Received from: field to see where the message originated, since the From: field can be easily forged.

* More complete instructions for displaying full headers in more e-mail programs.
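Reading the Received headers can also be scripted; the following is an added example, not part of the original page. It assumes the common "from NAME (RDNS [IP]) by SERVER" layout (real servers vary), and the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. Each server prepends its own Received line,
# so the newest hop is at the top and the oldest at the bottom.
SAMPLE = (
    "Received: from relay.example.net (relay.example.net [192.0.2.25])\n"
    "\tby mx.example.edu with ESMTP id abc123; Tue, 4 Mar 2003 10:02:11 -0500\n"
    "Received: from mail.bank.example (unknown [203.0.113.77])\n"
    "\tby relay.example.net with SMTP id xyz789; Tue, 4 Mar 2003 10:02:05 -0500\n"
    'From: "Your Bank" <service@bank.example>\n'
    "Subject: Account notice\n\nbody\n"
)

HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)"
)


def received_hops(raw_message):
    """Return the relay hops oldest-first as a list of dicts."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        m = HOP.search(value)
        if m:  # lines in another layout are skipped, not guessed at
            hops.append({"claimed": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return hops


def handoff_to(raw_message, trusted_suffix):
    """Return the first hop recorded by a server under trusted_suffix.

    Only lines written by servers you trust are reliable; anything older
    was supplied by the sending side and can be forged like From:.
    """
    for hop in received_hops(raw_message):
        if hop["by"].endswith(trusted_suffix):
            return hop
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print("entered our mail system from:", handoff_to(SAMPLE, ".example.edu")["ip"])
```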

This mail is from MIT, now what...?


If the mail came from within MIT, ask "Is this spam, or did the person simply make a misstep in terms of the list's purpose?" If the message has been sent from within MIT to a list that you're on, you may want to check with your list administrator to see if the message violates posting rules of the list.
You can reach list administrators by sending e-mail to <owner-listname@mit.edu>, where listname is the name of your list. If the message was sent to the list in error, the sender should be sent a reminder of the list posting rules. Mass mailing or blind carbon copying many unrelated lists at MIT is a form of spam and should be reported to <stopit@mit.edu>.

Oh, this mail is from outside, now what...?


If the mail originated outside of MIT, there is less that MIT can do. MIT does not attempt to filter its mail both for privacy reasons and because it is usually ineffective. Deleting the message is your best course of action. Turning off e-mail previewing also lets you delete offensive messages without having to view the content. IS&T does not recommend responding to the message, visiting the web site, or calling the phone number provided to be removed from the distribution list. Doing so only confirms that your e-mail address is accurate and may subject you to unsightly web sites, long distance phone charges, or more spam.

Who's responsible for all this at MIT?


Strictly speaking, the MIT Postmaster is responsible for all traffic that moves through the MIT e-mail system. The MIT Postmaster is one function within the MITnet Operations Group, which also handles the physical infrastructure, as well as the services normally associated with MITnet.

Why is MIT the only place that has this problem?


Au contraire! According to a recent article in the Washington Times,
"US consumers received more than 140 billion spam messages in 2001, according to a report last week by Jupiter Research. Spam accounted for 46 percent of the 261 billion e-mail messages sent last year. An estimated 645 billion spam e-mail messages will be delivered by 2007, Jupiter said in its report.
Subscribers to Microsoft Corp.'s Hotmail e-mail service are among the hardest hit. Hotmail subscribers receive more than 1 billion junk e-mail messages annually, despite Hotmail's use of filters."

Isn't this illegal?


No, it isn't, not in the USA, and only somewhat in some states. You may get spam that says it "complies with federal requirements". However, there is no federal legislation either supporting or prohibiting the sending of unsolicited e-mail messages. You may have noticed references to a Federal Law, no doubt pointing to the Murkowski Bill, which died in conference committee and never passed the House. Therefore, it never became law.


Yes, some 26 states have laws that refer in one way or another to spam, but they haven't been very effective yet, largely due to the difficulty of finding the actual source of the spam.

The latest state to enact such an anti-spam measure is Maryland. Massachusetts does not have such a law.

Does MIT sell its directory to marketers?


No, never! The online directory is protected technically from being compromised, and is considered confidential and proprietary to MIT. Violations of MIT's rights would be grounds for litigation, if the spammer were discovered.


The paper versions of directories -- faculty and staff, student -- are more difficult to control. While they are under the same controls as shown above, if a copy of a directory were to slip into the wrong hands, it could result in the discovery of many e-mail addresses. Investigating claims of this sort would be extremely hard, time-consuming, and likely fruitless. However, in sufficiently egregious circumstances, the MIT Police would be able to pursue such a case.

What is MIT doing to stop this?

Users of MIT e-mail (i.e., those receiving their e-mail on po9, po10, po11, po12, or po14) have the option of screening incoming messages for spam. MIT Spam Screening performs a series of tests on an incoming e-mail message, scores it according to a set of criteria, and can optionally filter any message that qualifies as spam. More about setting up Spam Screening can be found at http://web.mit.edu/ist/services/email/nospam/.

Spam has become a bit of an epidemic, and the content is getting more and more seamy. Unsubscribe attempts are really counterproductive for anything but the most legitimate spam (an oxymoron, I suspect). The spammers and their henchmen actually use the unsubscribe messages as a way to gather valid addresses, not to do what you have asked them to do. Spammers operate on the fringe of society, with a business model that wouldn't allow any legit business to remain viable, but the Internet model is perfect for them (at least so far). Average SUCCESSFUL spam operations yield 35-50 responses per ONE MILLION messages sent. As users have become more wary, and are deleting spam without reading it, spammers have made their mail more and more obnoxious to get a reaction from more people. So far, the spammers are winning, and the content will continue to get worse.


Additional Resources

(note: there is a wealth of information about spam on the Internet, this is not intended to be an exhaustive list)
