Opt Out

Opt-out is a technique intended to keep legitimate mass postings from becoming spam. It is implemented by including in the post a web link or an e-mail address through which recipients can request that their e-mail address be removed from the posting list.

Unfortunately, this is not a trustworthy method. First, as a matter of principle, the recipient has already received one of these unwanted postings and hence has already been spammed. Second, and foremost, illegitimate spammers use opt-out as camouflage for gathering valid addresses.

The preferable technique is OptIn.

I recently changed e-mail addresses and tried using reasonable-seeming opt-out systems in some of the spam coming in to the old address. The growth of incoming spam was exponential! And this case is an e-mail address that had been publicly on web sites for several years and within the last year had been removed from various locations on the web. -- TomiBgtMantyla

Why not use OptOut? They already have my email address. What difference does it make whether I OptOut or not? They're just going to keep sending spam to that address either way, aren't they?

Please, read the above. It appears that confirmed addresses are appreciated goods and get onto even more lists than unconfirmed ones.

Many spam emails are sent to random addresses - especially if you're at a domain such as hotmail, where <firstname><lastname><number>@hotmail.com is popular. If you respond, you'll get on a "live list" of addresses that are known (at the time) to be good.

Of course, there are other ways for spammers to confirm your email address. One way, if you have your email client (usually MicrosoftOutlook) configured to automatically display HTML, is to embed a small HTML image in it located on a remote site. Encoded in the URL is your email address. If an HTML request for this image is transmitted, then the spammer knows that someone opened the mail.

So what if I get on the "live list" of known-good-addresses? What's the worst they could do - spam me again? How is that any different from what they were going to do anyway? They've already sent me one spam, using an address from some file. The next time they send out a batch of spam advertising some "new" product, why in the world would they limit that to known-good-addresses? Why don't they send it to every address from the original file?

The worst they can do is to bundle all the "known-good" addresses together and sell that list to other spammers. In this way, the original spammer makes money from your opt out action even if you don't buy anything. "A strange game... the only way to win is... not to play." -- WOPR

OK, so this spammer sells all the "known-good" addresses to some other spammer(s). What's to prevent this spammer from selling *every* address in the entire file to that other spammer? Is there honor among thieves?

Retaliation of an unhappy customer. If I were to have a company that sent unsolicited or OptOut advertisement to masses and put money in a list that was guaranteed to be active addresses but turned out not to be, there would be many ways to contact authorities. If my actions were legal, the product would be deficient. If buying/selling the list was illegal, I could tip the seller to the authorities or I could even try to get my money and efforts back in illegal ways.

It is almost effortless to gather active addresses in an OptOut system of trusting recipients. Therefore it is plausible to consider that such lists are gathered and sold/distributed.

Using active lists is more efficient than crawling the web for addresses or trying to guess addresses. However, an active account will soon have their spam filter filter everything from your address, so you either have to change your address and the structure of the message template you use, or you have to exchange active lists with others that also gather them.

Which one would you choose for your spam list? One that has a million addresses that have no guarantees at all of being "live ones" or one that is at least claimed to be "live"? And these opt-out systems are the easiest way to get lists that at least seem real in addition to actually even being such too. It's hard to generate lists artificially so that they would appear working addresses even in the first glance, especially when there are people stuffing their sites with fake addresses.
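
The remote-image confirmation and the address-carrying opt-out link discussed above can be checked for on the receiving side. The following Python code is an added example, not part of the original discussion: it scans an HTML mail body for remote images and links whose URL contains the recipient's address in plain, percent-encoded, hex, MD5, SHA-256 or Base64 form. The sample message, the host names and the function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample message body; hosts and addresses are made up.
SAMPLE_HTML = """<html><body><p>Great offer!</p>
<img src="http://tracker.example/open.gif?u=alice%40example.com" width="1" height="1">
<img src="https://cdn.example/logo.png">
<a href="http://tracker.example/unsubscribe?id=YWxpY2VAZXhhbXBsZS5jb20=">Remove me</a>
<img src="cid:inline-logo">
</body></html>"""


class RemoteRefs(HTMLParser):
    """Collects (tag, url) for remote images and links in an HTML body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"img": "src", "a": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value and urlsplit(value).scheme in ("http", "https"):
                self.refs.append((tag, value))


def find_address_leaks(html_body, recipient):
    """Return (tag, url, encoding) for each remote URL that identifies recipient."""
    addr = recipient.strip().lower()
    raw = addr.encode()
    # Encodings compared case-insensitively.
    folded = {"plain": addr, "hex": raw.hex(),
              "md5": hashlib.md5(raw).hexdigest(),
              "sha256": hashlib.sha256(raw).hexdigest()}
    # Base64 is case-sensitive; padding is stripped so a substring match works.
    exact = {"base64": base64.b64encode(raw).decode().rstrip("="),
             "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("=")}
    parser = RemoteRefs()
    parser.feed(html_body)
    findings = []
    for tag, url in parser.refs:
        decoded = unquote(url)  # undo percent-encoding such as %40 for "@"
        hit = next((k for k, v in folded.items() if v in decoded.lower()), None)
        hit = hit or next((k for k, v in exact.items() if v in decoded), None)
        if hit:
            findings.append((tag, url, hit))
    return findings


if __name__ == "__main__":
    for finding in find_address_leaks(SAMPLE_HTML, "alice@example.com"):
        print(finding)
```

A URL that carries a random per-recipient token instead of an encoding of the address is not caught by this check, so leaving remote content disabled in the mail client remains the stronger control.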

See also: SpamDefenseRoadmap, SpamPerSe, SpamCop

Last edit: January 28, 2009