Making Your Lusers Not Spam

There are many approaches that have been taken.

• Politely inform then that it is Not Nice, and ask them not to.

  Pros:

  • Polite; may deter the occasional naif.

  Cons:

  • Generally useless against the kind of jerks that most spammers are.

  Further notes: This approach can, however, be part of a tutorial on nettiquette. I applaud any attempt to educate the clueless newbies flooding the net each day, even if it won't deter true jerks.

• Limit system functionality so that it is just plain impossible to spam (at least to any large degree). Examples include most systems that you must deal with via custom software, or strictly via a menu interface.

  Pros:

  • Works.

  Cons:

  • May be technically difficult to implement.
  • Also limits legitimate functions.

  Further Notes: Includes almost all BBSes. This, plus "community policing", is one of the big reasons why BBS networks such as Fidonet have nearly zero spam.

• Set up "throttles", so that any message sent to over some number of lusers is either not sent at all, or is sent very slowly, giving you time to take manual action. This can be done both for your own lusers, and for attempts to relay through you.

  Pros:

  • Legitimate mailing lists do get out, albeit slowly.
  • The number of people successfully spammed is limited.

  Cons:

  • Legitimate mailing lists get slowed down.
  • Some people are still successfully spammed.
  • Technically difficult to implement.
  • Doesn't stop your lusers from spamming from elsewhere.

  Further notes: UUNet (known to the spammed as ScrewYouNet) currently uses this approach on its dialup lines. Those of you who know how to decode spam headers know how effective this is. For the rest of you: NOT!

• State in your Terms of Service, Acceptable Usage Policy, or whatever you call it, that spamming will be punished by account termination.

  Pros:

  • Puts a minor hurt on spammers.

  Cons:

  • Puts a minor hurt on spammers.

  Further notes: This seems to be the standard at most ISPs. Many will give one or more warnings first, which I believe to be totally unwarranted -- if they are such clueless newbies that they don't realize what a Bad Thing spam is, they surely don't have so much invested in their current email account that it would be all that huge a loss. Throwaway accounts are a standard tool of the spamming trade. Unless they've dropped hundreds on setting up the account, they don't care if you cancel it!

• State in your ToS/AUP/whatever, that spamming will be punished by a large fine. This is usually some amount per complaint, plus sometimes a larger base fine. Other approaches include making the base a minimum, and fining per address spammed (whether valid or not, and whether they complain or not), per day during which there was spamming activity, and per hour of staff time (spent cleaning it up, dealing with complaints, gathering evidence, etc.).

  Pros:

  • Deters spammers.
  • If they do spam, you make money.

  Cons:

  • Difficult to enforce, without a valid credit card number first.

  Further Notes: Earthlink, formerly one of Internet's worst spamhavens, pioneered this approach. Much to the anti-spam community's surprise, they enforced it (perhaps due to the second Pro). It worked wonderfully, turning them quickly into one of the smallest sources of spam among major ISPs. It worked similar wonders at Netcom, also formerly one of the net's most infamous spamhavens. Other ISPs currently using this approach include tagonline.com, up.net, 9netave.com, and if you know of any more, please tell me.

Now, if one of your lusers should happen to spam, then what?

One so-called sysadmin I recently complained to, forwarded my complaint to the spammer! Luckily, this particular spammer was an apologetic clueless newbie... but he could well have turned out to be the kind of jerk most spammers are, get irate at having his account shut down (which apparently wasn't even done in this case), and wreak assorted kinds of havoc for me. (I will not detail. Use your imagination.) To put it bluntly, don't do this! If you do this to me, I will do whatever I (legally) can, to (ahem) make you see the error of your ways.

But what should you do? Whatever your ToS says you will do! Do it quickly, severely, and without mercy. One admin I complained to said that the spammer was a retired priest, whose business he spammed about was his sole source of income, barely getting by, and whose Internet account was his sole contact with the Outside World. My answer? Tough noogies. Obviously, being a priest doesn't score any points with this Jewboy, but more importantly, if you let yourself get all weepy and sympathetic over some spammer's tale of woe, you will find spammers with tales of woe (mostly pure BS) flocking to your door. This particular sysadmin agreed, and the account was toast in short order.