Spam – How much is too much?

Every now and then, clients voice their concerns about getting too much spam. The problem is twofold. First, spam isn’t going to disappear and there’s only so much to be done without hurting the medium of email. Secondly, people have extremes in opinion as to how much spam is “a lot”.

On one hand, before I adjusted SpamAssassin on the server to delete bad email instead of just tagging it, I received as many as 6000 spam emails per week through multiple addresses. When I weeded out unused addresses, it decreased to just under 3000 per week. Outlook filtered some of it — sometimes a little over half and sometimes more than 90%, leaving me with only one or two every time I turned around. So it’s hard for me to feel sorry for people who complain of finger cramps from hitting the delete key a dozen times a day.

On the other hand, any spam is annoying if you aren’t used to it. It’s offensive, obtrusive, and uncalled for.

And some addresses get more than others. That hardly seems fair, but the truth is that some addresses haven’t been found by spammers yet, or not passed around that much — yet. But eventually they find you and the war begins.

The main way spammers get your address is by having their systems search the web to “harvest” addresses found on web pages. Kentropolis currently uses “Spam Spoiler” code to ‘hide’ the address from bots while keeping it usable by human visitors. The problem is that we have no way to test its effectiveness, except for a testimonial a while back that it never failed to work. But spammers may have ‘cracked the code’ since then.

This is why addresses used for business tend to get more spam than personal ones, unless you post a personal one on a blog or elsewhere on the Net.
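One way to check what address hiding leaves visible to a harvester that reads the served HTML without running scripts. This is an added example, not Kentropolis or Spam Spoiler code; the sample page, the addresses and the three encodings shown are constructed assumptions, since how Spam Spoiler encodes addresses is not described here.

```python
import html
import re
from urllib.parse import unquote

# Deliberately simple pattern: roughly what a bulk scraper would match.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def exposed_addresses(served_html):
    """Map each statically recoverable address to the cheapest decoding
    step that reveals it. No JavaScript is executed."""
    entity_decoded = html.unescape(served_html)
    views = [
        ("plain text", served_html),
        ("HTML entities decoded", entity_decoded),
        ("entities and URL escapes decoded", unquote(entity_decoded)),
    ]
    found = {}
    for label, text in views:
        for addr in ADDRESS_RE.findall(text):
            found.setdefault(addr.lower(), label)  # keep the cheapest step
    return found

def audit(served_html, published):
    """For each address the site publishes, report how it leaks, or None
    if it cannot be recovered from the markup alone."""
    found = exposed_addresses(served_html)
    return {addr: found.get(addr.lower()) for addr in published}

# Constructed sample page using four common ways of publishing an address.
SAMPLE_PAGE = """
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: &#115;&#117;&#112;&#112;&#111;&#114;&#116;&#64;example.com</p>
<p>Billing: <a href="mailto:billing%40example.com">email billing</a></p>
<p>Owner: <script>document.write("owner" + String.fromCharCode(64) + "example.com")</script></p>
"""
PUBLISHED = ["sales@example.com", "support@example.com",
             "billing@example.com", "owner@example.com"]

if __name__ == "__main__":
    for addr, how in audit(SAMPLE_PAGE, PUBLISHED).items():
        print(f"{addr}: {how or 'not recoverable without running scripts'}")
```

A result of `None` only means the address survives a static scan; a harvester that executes scripts would still see whatever the browser renders.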

Other ways include giving out your address yourself, such as when subscribing or registering online, or even offline for a contest or mailing list. These addresses may be sold without your knowledge or blessing.

Worst of all, when you click the “unsubscribe” link, you are screwed. You just let the spammer know your address is valid and therefore worth more money to sell to the next guy … and the next … and the next.

And if you actually BUY anything from unsolicited email, then congratulations — you are part of the ultimate factor in making spam worthwhile for the bad guys. Please don’t ever admit in my presence you have ever done such a thing.

Lastly, you can get spam by luck — or rather a “dictionary attack” — where a spammer sends messages to randomly or bulk-sequence generated email addresses, hoping to hit a real address.

So we go back to the question “How much is too much?” The answer depends on the person and situation, but here’s a general rule:

You have too much spam if you are spending more than 1% of your time deleting unwanted messages to get to good ones. That’s about 5 minutes of an average work day — about 60 to 300 emails.

When it reaches near that point, you are so popular (and cursed) that you have to explore hard-core options, such as installing paid software on the mail server in-house. Kentropolis offers SpamAssassin for free as a configurable option, and it is all most people would need, but if you need anything more, spending big bucks becomes a serious and worthwhile consideration.

But if you only get a few here and there, take a deep breath and say a prayer of thanks to the deity of your choice. Complaining would be like being dissatisfied about the color of the wine with your fettuccine Alfredo, while sitting in the middle of a starving third-world village.

We can only hope things will change in the war against spam — where American corporations spend tens of billions of dollars a year on software, personnel and lost productivity — but we can expect it to sometimes be better, sometimes be worse, for at least the foreseeable future.