Dealing with Spam and Other Junk Email

An unfortunate "feature" of the modern Internet is junk email of various kinds. This not only includes unsolicited commercial email ("spam"), but also attempts to recruit people into criminal schemes, messages sent by mass-mailing viruses, and messages sent by misconfigured email scanning programs to an innocent person claiming that that innocent person sent a virus or piece of spam. To this can be added plain old harassment, by a person who keeps sending you email you don't want in a way that's hard to filter.

This page offers some things you can do about this sort of email and some things you shouldn't do. But first, some facts about junk email.

Facts about junk email

1. There is no way for IMSS to simply block all of this junk.

You might think "why can't Caltech or IMSS or someone just stop all of this junk from getting to my mailbox"? The answer is that while some mail is obvious junk, there is quite a lot where it is hard to tell. In fact, what is desirable one day can become junk a week later (for example, if you sign up for emailed news updates about some topic which you soon find you don't care about, and can't figure out how to get the senders to stop sending you). No computer program can discriminate between junk email and desirable email with 100% accuracy, and IMSS does not want to throw away legitimate email in the name of stopping junk email, as the consequences could be disastrous (imagine a faculty member not receiving an important email while trying to meet a tight deadline for a multimillion dollar funding proposal, for example).

Caltech also has a dedication to academic freedom and the free exchange of ideas, and it would not be right for a Caltech department to stop academic colleagues of people on campus from communicating with them just because their mail happens to come from locations frequented by junk emailers.

Please believe us that if IMSS could block all of the junk, we would! A significant fraction of our mail servers' performance is wasted due to having to process junk email.

2. There is usually no way to track down the senders of junk email, or to stop them from using forged "From" addresses.

The SMTP protocol that underlies the sending and processing of email was designed for a more trusting Internet. In particular, there is no requirement, when connecting to a mail server, that you prove in any way that you are who you say you are in the "From" address. Fly-by-night operators thus set up accounts with large services like AOL or Hotmail, send out spam for a short time (often with a forged "From" address), then close the account and move on -- by the time anyone decides to complain, the account no longer exists. Sometimes junk mail is sent with a Reply-To email address of a real, innocent person, but really came From another address entirely. Junk emailers are also using "spambots" - programs installed on other people's computers by tricking them, or by exploiting security flaws. In such a case the person who owns the computer which is actually sending the junk email doesn't even know that it's happening.

Some mail servers are beginning to require authentication for outgoing email to hinder spam relaying. The IMSS email servers themselves require authentication of outgoing email if you are trying to send mail using your access.caltech account from a computer which is not connected to the Caltech network. More information is available at our Authenticated Outgoing Email Service webpage.

3. Caltech email accounts are particularly vulnerable to junk email.

Because it is convenient for many reasons, IMSS's mail servers handle all mail meant to go to an "@caltech.edu" address, and all accounts will, by default, accept mail to both "accountname@its.caltech.edu" and "accountname@caltech.edu". The caltech.edu domain is the "root domain" for Caltech - the range of numerical IP addresses allocated to Caltech are registered under the name "caltech.edu" - and the master lists of Internet domains are easily browsed (so people can figure out what domain names can be bought, for example). Thus junk emailers know that "caltech.edu" is a legitimate place to send email, and can connect to the mail servers handling that domain and start trying to send mail (IMSS can't prevent them, because it might be real mail). IMSS believes that the spammers then try sending to many, many short sequences of letters and numbers to see which ones are legitimate addresses. This is why you can get junk email even if you have never given your address to anyone.

4. This problem is not restricted to Caltech.

Junk email is on the rise everywhere on the Internet. Some service providers claim they can stop spam from coming to you, but they can only do that by taking aggressive measures that have a good chance of blocking legitimate email along with the junk mail. The reasons IMSS (and the IT departments of other universities) cannot do that are outlined above.

Things you can do about junk email

1. Use the IMSS spam flagging service.

IMSS runs an automated program that analyzes all email that comes in to our mail servers which looks for various spam-like features and assigns a number of points to each one. If a message is assigned a certain threshold number of points, it is given a special header indicating it is probably spam. It is possible for you to set up filtering on our mail server itself, or in your own computer's local email program, to file away such messages into a "spam" folder so you can check them to be sure they are not real email, and then delete them in bulk. This system is not 100% perfect (especially as spammers learn to evade it), but IMSS is committed to keeping our spam flagging service up-to-date to maximize its effectiveness.

Please see our webpage about the IMSS Spam Flagging Service for more information.

2. Use special-purpose email addresses.

The IMSS mail servers have a feature that allows you to use special-purpose email addresses. You can use these at any time and there's no setup procedure. It works like this: if your email address is "username@caltech.edu" or "username@its.caltech.edu", you can give out your address as "username+word@caltech.edu" or "username+word@its.caltech.edu", where "word" is any word or phrase without spaces that you want. Any mail sent to "username+word" will actually go to "username", and you'll get it. The advantage to this is that if you visit a Web site that requires you to submit an email address, you can use such an address, and when you no longer want to get mail sent there, you can safely throw it away by using server- or client-side filtering. (It's another sad fact of the modern Internet that companies will sell email addresses you give them to junk emailers. This method will let you find out who those companies are, and boycott them.)

For example, you go to www.cheesegraters.com and buy some cheesegraters. You provide them with your email address as "username+cheesegraters@caltech.edu". A few months later, you realize that the manufacturer of a cheesegraters add-on product, potholders, has somehow gotten the address you provided to www.cheesegraters.com. You start getting daily special offers to buy potholders, and attempt to unsubscribe from their mailing list since you have no interest in buying potholders, but you continue to get a message per day from them despite your requests. Since you used a special-purpose email address, you can set up filtering such that any email coming to you with a "To:" address of "username+cheesegraters@caltech.edu" be filtered automatically into your "cheesegraters" folder. Then, once a week, you can skim over that folder and if you don't see any real or interesting email there, instead only seeing junk about potholders, you can bulk delete the messages in that folder.

Things you shouldn't do about junk email

1. Attempt to use an "unsubscribe" web link or email address.

A lot of unsolicited junk email comes with a claim you can unsubscribe, along with a web link to click on or an email address to send to. Think of this as a form of bait, and don't take it! Junk emailers send mail to large numbers of addresses, many of which don't work. If you click on the link or reply to the email, they now know your address works and has someone reading mail sent to it, and they will most likely now never stop mailing you.

Now, this warning doesn't apply to all mail - legitimate email lists do have an unsubscription method. However, this warning is generally valid for emails trying to sell you a product or service from a company you've never dealt with before.

2. Send lots of mail to the sender to punish them.

This tactic is known as "mailbombing" and is both ineffective and unethical. It is ineffective because the listed sender may not actually be the real sender, as described above. It is unethical because it may wind up punishing an innocent person; because it puts a load on the IMSS mail server, hurting everyone else on campus trying to send mail; and it may cause an Internet service provider to start rejecting all mail from Caltech, which again hurts everyone else on campus.

3. Forward junk email to IMSS.

In your frustration you may want to forward some particularly egregious piece of junk mail to IMSS. Please believe us when we say that we know junk email is a problem for everyone on campus and we are taking what limited steps we can to stop it. Please read the facts about junk email above before making any complaints to IMSS, so you know the kind of things we will just be unable to do.

4. Try changing your email address to avoid spam.

As mentioned above, junk emailers use automated harvesting techniques to find new addresses to send mail to. Changing your email address will only provide a temporary respite and will cause a great deal of inconvenience for the people trying to contact you at your old address. IMSS policy is to refuse to change account usernames for the purpose of spam avoidance. (We will do so for cases of harassment, however; please see below.)

A note about harassment

If you find yourself a subject of special email harassment or stalking, where someone or a group of people keep sending you email you don't want from many different addresses (so you can't filter it), IMSS will change your account username and eliminate previous references to your email address. Please contact us at http://help.caltech.edu (request type IMSS-->Email & Calendar-->Other).