SPAM: Frequently Asked Questions (FAQ)
Answers to frequently asked questions about spam
- What is Spam?
- Suggestions to Reduce the Volume of Spam
- Why Do I Get So Much Spam?
- Why Can't Cal Poly Block Spam?
- Isn't Spam Against the Law?
- How Do I Report Spam?
- Additional Actions to Take in Dealing with Spam
- Actions NOT to Take in Dealing with Spam
Spam is unsolicited, commercial "junk mail" that's delivered to your email account or a newsgroup.
What Can I Do About It?
Spam is unfortunately, a daily occurrence - and annoyance -- in our email correspondence, and there isn't one definitive method for eliminating it. But, hopefully the following suggestions and tips will help reduce the volume of spam you receive:
- Try not to display your email address in public. That includes newsgroup postings, chat rooms, websites or in an online service's membership directory. You may want to opt out of member directories for your online services; spammers may use them to harvest addresses.
NOTE : This is not an option for Cal Poly employees, whose campus email address constitutes a public record, which can only be removed from the directory by legal order or similar exception with proper approvals. Students can protect all or part of their "directory" information, but doing so can restrict other services. For more information, see registrar.calpoly.edu/ferpa_summary.
- Do Not Reply to Spam A lot of the spam that's received includes instructions on how to "remove yourself from our list." It's been well documented that not only does the "remove" command often not work, but also the removal attempt can help verify to the spammer the validity of your email address. However, this may be a viable option for messages sent by legitimate businesses and well-known companies. Use caution before you decide to reply.
- Do Not Respond to Spam Spam often contains advertisements for false claims. No matter how enticing or believable the message is, don't respond to it. Do not buy anything from a spammer. Doing so will encourage more spam.
- Create a secondary email address for personal use. Free secondary email addresses can be created via such web sites as hotmail.com or yahoo.com. A primary email address (email@example.com) can be shared with family, friends and associates and a secondary email address (firstname.lastname@example.org) can be used when visiting chat rooms or message groups. You should also use your secondary email address when filling our forms or buying anything on the Internet for your personal use. When the volume of spam on the secondary email address becomes overwhelming, then the account can be closed and a new one can be created.
NOTE : Your campus email alias (email@example.com) is required for official University communications. Use the Personal Information channel at http://my.calpoly.edu to redirect campus email to your personal email address.
- Choose personal email addresses that combine characters and numbers. Spammers send email using programs that go through thousands of letter permutations. Mixing characters and numbers in an email address makes it more difficult for a spammer's "dictionary attack" to ascertain your email address if it includes numbers.
NOTE : Campus email addresses are determined and assigned by the University and will only be changed in response to a court order or similar exception with proper approvals.
- Web Site Email Address Submission. When browsing the web for personal use, if asked to submit your email address on a web site, uncheck any options that allow the web site to sell your email address. If you must give an email address, use your secondary address if feasible.
NOTE : Cal Poly employees should provide their campus email address for University-related business.
- If you send an email to a group of people, then use BCC as the address field. It is possible for emails with large distribution lists to get in the hands of spammers. You can hide email addresses from a spammer by putting addresses in the BCC address field of your messages.
- Warn the sender to stop sending more mail, and then file suit in court if they do not. This is only effective if you know the sender's actual identity and they have assets in California. Unfortunately, most spammers are able to hide their identity and are difficult to sue, even if you want to do so. Asking to be removed can also verify your address for the spammer and generate more spam.
- Complain to the Internet Service Provider (ISP) used to send the spam. Most ISPs will terminate the sender's account based on their terms of service. Unfortunately, spammers can just as easily obtain another account, but this may slow them down. See "How Do I Report Spam?" for more information.
- Delete the messages as they arrive. This is the recommended method by Cal Poly and other national authorities and law enforcement agencies.
The volume of spam continues to increase. One reason is that email users and Internet Service Providers (ISPs) are doing more to filter and eliminate spam on their systems. Where a spammer used to send hundreds of messages to generate one response, they must now send hundreds of thousands to obtain a single reply. State and Federal legislators are working on legislation to address spam.
Email spam targets individual users with direct mail messages. Email spam lists are often created by scanning Usenet postings, stealing or purchasing mailing lists, or searching the Web for addresses, including those published in public online directories and individual websites.
A variation on email spam is sending spam to mailing lists (public or private email discussion forums). Although many mailing lists limit activity to their subscribers, spammers will often subscribe to as many mailing lists as possible, allowing them to "grab" the lists of addresses. These can also be "harvested" from public web sites and online directories. At Cal Poly, this includes class, committee and other group "aliases" widely used for campus communications.
Cal Poly's email gateway does identify and block emails that can be positively identified as spam. However, people who send spam usually get around blocking attempts by frequently changing their sending addresses or subject headings, so blocking a single address or heading is virtually meaningless. Blocking the originating site will block valid email as well as spam. There is also the issue of freedom of speech. What constitutes junk mail to some may be useful to others. Blocking spam could constitute a violation of a student's First Amendment rights. However, the University will take action if a particular message or sender threatens the reliability and integrity of campus resources and can be pinpointed and stopped. Finally, Cal Poly is exploring tools to help users deal with spam.
Currently, unwanted spam is covered by Federal and State laws.
Under California law, you can sue a spammer if they fail to stop sending after you ask to be removed, but this is only effective if you know the sender's actual identity and they have assets in California. Unfortunately, most spammers are able to hide their identity and are difficult to sue, even if you want to do so.
Asking to be removed can also verify your address for the spammer and generate more spam.
As an alternative, you can complain to "abuse" at the Internet Service Provider (ISP) whose service was used to initiate the spam. The ISP will act based on their terms of service and terminate the sender's account. Unfortunately, spammers can just as easily obtain another account, but this may slow them down. See "How Do I Report Spam?" for more information.
Remember, Cal Poly can only act on spam originating from a campus computer or a valid Cal Poly email address; it cannot act on complaints about spam originating from off-campus. It is not unusual for spammers to forge the "From:" and other message identifiers; the originating ISP can only be determined by checking the full message headers. More information on reading and interpreting full ARPA headers can be found at
Once you have found the full headers, use an online header analysis tool to determine the originating ISP. Paste the headers into the text box and click the "Check Headers" button. The last IP address listed is usually the originating IP address. However, the "X-Originating-IP" header should also contain the IP address of the originating machine. Click the "Who Is" button matching that IP address to identify the ISP and their abuse contact information.
If you use an anti-spam tool, make sure it accurately reads and interprets the message headers to properly report spam abuses. (Some tools respond based on the "From:" line, which is not a reliable indicator of the origin of the message.)
If you determine that the spam originated from Cal Poly, forward the message (and full headers) to firstname.lastname@example.org .
If it originated off-campus, send it the abuse address for that ISP (e.g., email@example.com, firstname.lastname@example.org, etc. Many of the small ISPs, however, do not have an "abuse" address, sending to abuse@isp in that case will generate an error and the message will bounce. If abuse@isp doesn't work, send to postmaster@isp.
We recommend not reporting spam that originates from overseas unless it comes from a well-known ISP. If you have questions regarding these procedures, contact email@example.com.
There is an anti-spam web site ( http://spam.abuse.net/ ) whose goal is to provide the best collection of spam links and resources on the Internet.
The following page ( http://spam.abuse.net/userhelp/ ) includes many links for
- Spam reporting
- Tracing spams
- Hiding addresses from spammers
- Tools to block and filter spam
- Resources links for parents
Above all, in dealing with spam, don't respond to spam in a manner that is criminal, illegal, or that might violate campus policies (see https://security.calpoly.edu/content/policies/index). Such action could result in legal action or a complaint being filed against you!
- Threaten violence or vandalism
- Mailbomb the site or alleged spammer
- Hack into the site
- Try in any way to bring the site down