I was not 100% sure where to put this; on the one hand it seems like a pretty General Question. On the other hand, the topic can be a little controversial. Counting on the general maturity of the folks here, I decided to put it here.
Basically, I don’t have a clear idea of how Spam works, and why it is so hard to stop. I will outline the general notions that I have and be glad to have them expanded upon/corrected.
- It is my understanding that Spammers are tough to track down because they fake headers on their email, making it hard to find who is actually doing it. I can buy this, except for one thing. Is not the point of Spam to make money? If so, is not the ability to contact the folks behind this integral to this?
- It is also my understanding that Spammers use other people’s servers to make these mail drops, and that this is part of why they are so hated. How is this possible?
To answer your second point, yes, spammers can “spoof” other people’s mail server but I’m certainly not going to explain how to do that.
SPAM works because it is almost free to send millions of emails to unsuspecting recipients in hopes that 1/10th of 1 percent fall for whatever the scam is. They usually get your name by buying it from unscrupulous dealers and keep trying to get you to respond.
Why can’t you track them down? Who says you can’t? It just takes a lot of time and effort. Think how many SPAM emails you get on an average week? Are you willing to track these people down? Plus, once you track them down what are you going to do? They can just set up shop with a new domain name and off they go again.
One problem with SPAM is that sometimes people sign up for email and forget they did later. They receive an opt-in piece of email and start to complain about it. In this case it’s not SPAM since they did opt-in at one point. To avoid getting SPAM simply never put your email address in any web form.
The fake headers make it harder to complain to those who run the servers distributing the spam. If the headers couldn’t be forged, then any system used to send spam would draw millions of complaints in response. With forged headers, the owners of a system being used to spew spam mail might never know it’s happening (and so the spammers can continue to take advantage of that system.)
Spam is legal in most USA states, so having the contact info for the spammer doesn’t help anyone shut them down. (Jeeze, if ISPs just charged huge fines for spamming, the problem would be far smaller than it is.)
Spammers take advantage of systems which have poor security. The Internet was born out of Unix systems in academia which tended to adopt a philosophy of trust, so spammer-prevention was not built in. How often does someone set up a new mail server yet doesn’t have the knowledge to make it spammer-proof? From the looks of typical headers, China and eastern Europe are hotbeds of “open relay” servers. A bunch of unofficial blacklists have arisen which try to identify offenders so ISPs can block all mail. Unfortunately even the biggest ISPs don’t care about spam, so they get on these lists (USWEST for example.) This makes blacklists useless, since a provider’s customers won’t let them block mail from major sources.
Here are excellent sites for tracking down the source of spam:
Point 1: many spammers fake headers, but many do not. In the case where headers are forged, the body of the email usually contains a non-Internet contact method like a toll-free phone number which can be called to order the product or service advertised. In many cases, the spam is advertising a website and the headers are forged simply to prevent replies to the email from swamping the source server and they know most people are too lazy or ignorant to do anything but click the reply button.
Point 2: When you set up an email server, you can set it up as an “open relay”. This means it will accept mail from anyone and send it on its way. This was often done in the old days as a convenience, so I could carry my laptop around the country and still send mail through my home server (note that this applies to SMTP outgoing mail, not checking your POP account which always connects to the server the account is on). Open relays are a very bad thing because they allow anyone (e.g. spammers) to send mail through your server, stealing your bandwidth and making the legitimate email headers look like the email originated from your site. Any properly configured email server will authenticate connections, only accept connections from inside a privileged domain, and/or only accept outside connections with mail for internal addresses. However, open relays persist because people are too lazy to configure properly or don’t even understand the issue.
Note that many spammers do neither. They use ISP accounts to send their mail and keep the number of emails sent through any one account low enough to stay unnoticed by the ISP. This doesn’t make them any less reprehensible, but it allows them to claim some false air of legitimacy. Interesting article on this topic today. http://online.wsj.com/article_email/0,,SB1037138679220447148,00.html
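The three relay restrictions listed in the post above (authenticated senders, an inside network, or mail addressed to internal users), next to the open-relay setting, as an added example that is not part of any poster's message. The `RelayPolicy` class, the function names, the `example.org`/`example.net` domains and the documentation-range IP addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset           # domains this server hosts mailboxes for
    trusted_networks: tuple = ()       # "inside" networks allowed to relay
    allow_authenticated: bool = True   # logged-in users may relay from anywhere
    open_relay: bool = False           # the misconfiguration: relay for anyone

def rcpt_domain(address):
    """Lower-cased domain of an RCPT TO address, or '' if it is malformed."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    return domain.rstrip(".").lower() if sep and local and domain else ""

def decide(policy, client_ip, authenticated, rcpt):
    """Return (accepted, reason) for one recipient of one SMTP session."""
    domain = rcpt_domain(rcpt)
    if not domain:
        return False, "malformed recipient"
    if domain in policy.local_domains:
        return True, "local delivery"
    if authenticated and policy.allow_authenticated:
        return True, "relayed for authenticated user"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.trusted_networks):
        return True, "relayed for trusted network"
    if policy.open_relay:
        return True, "relayed for anyone"
    return False, "relay denied"

# Constructed sessions: (client IP, authenticated?, RCPT TO address).
SAMPLE = [
    ("203.0.113.7", False, "<bob@example.org>"),    # outsider -> internal address
    ("10.1.2.3",    False, "<carol@example.net>"),  # inside network -> outside
    ("203.0.113.7", True,  "<carol@example.net>"),  # travelling user, logged in
    ("203.0.113.7", False, "<carol@example.net>"),  # outsider -> outside address
    ("203.0.113.7", False, "<dave@EXAMPLE.ORG.>"),  # case / trailing dot
    ("203.0.113.7", False, "nobody"),               # no domain at all
]
NETS = (ipaddress.ip_network("10.0.0.0/8"),)
RESTRICTED = RelayPolicy(frozenset({"example.org"}), NETS)
OPEN = RelayPolicy(frozenset({"example.org"}), NETS, open_relay=True)

def relayed_for_outsiders(policy):
    """Sessions where an unauthenticated outside client got mail relayed onward."""
    return [s for s in SAMPLE if decide(policy, *s) == (True, "relayed for anyone")]
```

Only the fourth session differs between the two policies: the restricted server refuses it, while the open relay forwards it and ends up in the headers as the apparent origin.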
As has been hinted, many unwanted emails are not selling any product or service. They’re trying to provoke a reaction that will confirm there’s a real human being monitoring that email account. Once a spammer knows that, the address can be sold on to other spammers (some of whom will be selling products).