Spam

The term spam refers to unwanted, mass-mailed email messages and newsgroup articles. In detail, a distinction is made between

  • UBE (unsolicited bulk email): not expressly ordered, shipped-in-bulk email
  • UCE (unsolicited commercial email): not expressly ordered, commercial advertising by email
  • ECPR (excessive crosspost): articles published in inappropriate numbers of newsgroups (“posted”)
  • EMP (excessive multipost): an inappropriate number of posted, identical articles in one or more newsgroups.

Unfortunately, no general criteria can be derived from this classification which could be used to unambiguously identify spam. The approach of characterising spam as mass email has the flaw that it is not based on the perceptions of those affected: The recipient simply receives email that does not interest them; the fact that thousands of others are bombarded with the same message does not matter to the recipient. From a recipient’s point of view - and this must be central to any discussion of countermeasures - the typical feature of spam is that it is “unwanted”. However, this is a subjective criterion, not accessible to electronic data processing. That is why trying to define spam via its content is doomed to failure: Messages that are undesirable to some recipients may be useful and welcome to others. Advertising material, product information or price lists, for example, are often requested quite deliberately from business partners and are to be transmitted regularly at the request of the recipient.

This is the Achilles heel of all anti-spam measures: Even when using the most advanced artificial or even human intelligence (who wants his email to be read before delivery anyway?), it is not possible to judge beyond doubt whether a message is wanted or not. Therefore, there is still no consensus on a precise and at the same time meaningful definition of spam: Ultimately, only the recipient can decide.

There are several answers to the question of how spammers get the email addresses of the people who are “lucky” enough to receive their emails:

  • From articles posted in newsgroups and publicly available mailing lists.
  • From websites that contain contact addresses or even entire email directories (e.g. of the entire institute). In particular, email addresses that can be found using search engines such as Google are also available to spammers.
  • Registration of the email address for online sweepstakes, freemailers, etc.: There are constantly reports about spam being sent to addresses that were only used on such occasions.
  • Directory services with LDAP, Whois databases, etc. are also considered address sources for spammers.
  • Although no such case has been documented so far, it is only a matter of time until email worms are programmed that not only spread, but also send a copy of the address book of the affected computer to spammers.
  • By embedding framesets and images (web bugs), HTML messages can cause the email client to access the spammer’s web server to display a message. Increasingly, numbered URLs are used so that spammers can determine who opened their spam in the email client. Clearly, the information that a specific email address is actually active is worth a lot of cash for the spammer.
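The web-bug mechanism in the last item can be checked for on the receiving side. The following is an added example, not part of the original page: it lists the remote resources an HTML message would make the mail client fetch and flags those whose URL carries a number. The sample message, its host names, and the rule that a run of five or more digits counts as a "numbered URL" are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample message (not real spam); hosts and numbers are made up.
SAMPLE = """\
From: offers@bulk.example
To: alice@example.org
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://img.bulk.example/logo.gif">
<img src="http://track.bulk.example/open/4711093.gif" width="1" height="1">
<iframe src="http://track.bulk.example/f?id=880231"></iframe>
<img src="cid:inline-logo">
</body></html>
"""

class RemoteLoads(HTMLParser):
    """Collect URLs a mail client would fetch on its own when rendering."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag in ("img", "frame", "iframe"):
            src = dict(attrs).get("src") or ""
            # cid: and data: sources stay inside the message; only http(s) calls out.
            if urlsplit(src).scheme in ("http", "https"):
                self.urls.append(src)

def find_web_bugs(raw_message):
    """Return (all remote loads, those whose URL carries a number)."""
    msg = message_from_string(raw_message, policy=default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:          # no HTML part: nothing is fetched automatically
        return [], []
    parser = RemoteLoads()
    parser.feed(body.get_content())
    numbered = []
    for url in parser.urls:
        parts = urlsplit(url)
        values = [parts.path] + [v for _, v in parse_qsl(parts.query)]
        # Assumption: a run of 5+ digits in path or query is a per-recipient number.
        if any(re.search(r"\d{5,}", v) for v in values):
            numbered.append(url)
    return parser.urls, numbered
```

Every URL in the first list reveals that the message was opened; the second list marks the ones that could also reveal by whom, which is why mail clients offer to block remote content.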

Spam is banned in many countries - including Austria. Section 107 of the Austrian Telecommunications Act reads:

 (...) The sending of an electronic mail as a mass mailing or for advertising purposes requires prior consent of the recipient - revocable at any time.

In addition, Denmark, Germany, Finland, Greece, Italy and Norway ban the sending of unsolicited commercial email (UCE).

In some countries, spam is allowed until the recipient objects. This so-called opt-out procedure testifies to the fact that relevant legislators recognised the reality of the situation: How do you ban the sending of advertisements by someone you do not know of in advance and who usually cannot be found in retrospect (more on that later)? Besides, it is not about one or ten senders, but about thousands. This type of regulation is therefore completely ineffective.

Some countries are still considering and advising, but EU Directive 2002/58/EC of 31 July 2002 gives cause for hope:

Article 13
Unsolicited communications
1. The use of automatic call systems without human intervention (automatic call machines), fax machines or electronic mail for the purpose of direct mailing may be permitted only with the prior consent of the participants.

There is no uniform regulation in the USA; however, many states have taken action (see http://www.spamlaws.com/):

  • In California, UCE must include instructions for opt-out and, under certain conditions, the label ADV: or ADV:ADLT in the subject. (g) In the case of email that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, the subject line of each and every message shall include “ADV:” as the first four characters. If these messages contain information that consists of unsolicited advertising material for the lease, sale, rental, gift offer, or other disposition of any realty, goods, services, or extension of credit, that may only be viewed, purchased, rented, leased, or held in possession by an individual 18 years of age and older, the subject line of each and every message shall include “ADV:ADLT” as the first eight characters.
  • Florida has no specific rules on spam; however, lawyers soliciting via unsolicited mail must write “legal advertisement” in the subject.
  • Louisiana’s legislators were particularly creative: It is forbidden to send unsolicited commercial email to more than 1000 recipients if the message contains fake routing information (Received: header) or if it is sent in violation of the terms of use of the respective provider (penalty: 5000 USD).
  • In Washington, commercial emails may be sent unless they use third-party domain names without permission, contain fake routing information, or have a false or misleading subject.
  • In Japan, there is a rule according to which email advertising must be declared as such and must include opt-out instructions.

Conclusion: Spamming is not allowed or banned in more than just banana republics.

We are accustomed to punishing misconduct that harms society and offends good manners, and it annoys us when the villain gets away with impunity. Why doesn’t someone put the spammers out of business?

One of the reasons was described above: In order to be able to prosecute a spammer, their actions have to first be banned. But globalisation is especially significant here with the Internet: Even if we vehemently wave around our § 107 TKG, it will not concern a sender in China (the principle that the law of the recipient country is to be applied holds only within the EU). Even the favourable case that spam is also banned in the country of the sender does not mean that it can be dealt with at reasonable effort: The prosecutor (or whatever authority may be in charge) of another country will hardly allow themselves to be forced into taking action by another prosecutor. A subjective right of the recipient to punishment of the offender cannot be deduced from the ban on spamming; therefore, it is also not possible to carry out such proceedings. The same applies if the spam sender violated the terms of use of their provider: The recipient does not derive any rights from this - because this person is not a contracting party.

What is the situation in your own country? There is general agreement that spam from Austria is extremely rare. In relevant newsgroups, however, it is reported repeatedly that the authority responsible for the spam problem, the telecommunications office, does not appear to carry out any recognisable activity. The question of whether § 107 TKG is not as dead in Austria as the ban on honking a car horn unfortunately remains open due to lack of published statistics.

In addition to (administrative) criminal law, of course, there is civil law:

  • One variant is to pursue an injunction against further sendings. For the spam victim, however, this means immense effort and not inconsiderable financial risk. This is of relatively small benefit even in case of success, since it is only in exceptional cases that one receives spam several times from the same sender (at least one that is recognisable and demonstrable as such). Unfortunately this does not lead to a general preventive effect - in the sense that the spammer or even other spammers would be deterred from further such activities.
  • The situation is different when a competitor sends spam: You can proceed with the cudgel of unfair competition.
  • Claims for damages are also possible in principle and have already been successfully asserted. As with the injunction, here too, the potential financial risk is only rewarded with small amounts in damages. Large companies/institutions that have received a large amount of spam from the same sender could charge the costs incurred for server load and possibly maintenance as well as lost working time. However, prosecution will usually not occur especially in such cases: The legal departments of large organizations often have neither the capacity nor the ambition to combat spam.

In the context of the Internet - the allegedly only functioning anarchy - the slogan “self-regulation” is often bandied about. Internet providers can actually do a lot to prevent their customers from sending spam. Although there are enough providers who have no reservations about well-paying spammers in their clientele, the majority prohibits misconduct more or less explicitly (e.g. by reference to netiquette) in a corresponding passage of their General Terms and Conditions. Unfortunately, violations often have no consequences: The attractive possibility of levying penalties is not something that is often considered - most providers only reserve the right to block access by the culprit in the event of abuse. However, in relevant mailing lists one constantly reads that in the face of a potential claim for damages by the access owner, providers often shy away from implementing their stated consequences.

So, legally speaking, not much support can be expected in the fight against spam - and this does not even take into account that the actual sender of a spam message can only rarely be determined.

1. Avoid email addresses whose alias only consists of 3 or 4 letters (example: xy@tuwien.ac.at)
For example, advertising emails are regularly sent via address generators to all 2-, 3- and 4-letter variations at known domains (for example Yahoo, Hotmail, GMX or web.de). Email addresses whose alias consists of common first names or terms are also often emailed by spammers. It's better to use full names like firstname.surname@tuwien.ac.at

2. Use two email addresses: A public and a private address.
The more liberal you are with your email address, the greater your risk of spam. It therefore makes sense to create one main address for electronic correspondence and another for all other purposes.

3. Only use your main address if you really want to communicate with someone.
You should never use your main address for any of the following purposes: Participation in sweepstakes, registration for free services or product registrations, email address lists, mailing lists, newsletter subscriptions, guestbook entries, discussion forums or Usenet, domain registrations, e-card sending, online shopping.

4. Never respond to a spam email.
Advertising emails often contain the message that the recipient can prevent them from being sent again by replying with a specific subject or by clicking on a link. However, by doing this you achieve the exact opposite: The sender now knows your email address is valid and that you use your account, and that knowledge makes your address even more valuable to spammers.

5. Never click on a link in a spam email.
Links contained in spam emails often lead to the installation of a so-called “dialer”, i.e. a dial-in program that dials into the Internet via an expensive 0190 number. (This is not such a big danger at the Vienna University of Technology as no modems are used for the internet connection at the workstations!)

6. Do not forward chain letters or virus warnings.
At least not without first checking their veracity. Chain letters and false reports, which often circulate for years (such as alleged virus warnings or email signature lists), increase the amount of email rubbish considerably. Many of these hoaxes have been “unmasked” for a long time, but continue to be spread. You can find excellent and up-to-date information on this topic at, for example, http://hoax-info.tubit.tu-berlin.de/

7. Use distribution lists or the BCC field when sending an email to multiple recipients. 
On the one hand, this is to protect the privacy of your correspondents, who should be left to decide for themselves whom they would like their email address to be seen by. At the same time you prevent the uncontrolled retransmission of these addresses.

8. Avoid public address directories
Do you like to use online services like instant messenger or chat? These providers often have a publicly accessible membership directory. You should refrain from listing in these directories or provide your secondary address. Of course, the same applies to pure address directories, which might allow lost acquaintances to find your email address.

9. Own homepage? Disguise your email address.
Spammers comb through the Internet looking for email addresses using fully automated search tools. Therefore, do not enter your email address in clear text on your homepage. A contact form or a text graphic are better solutions.

10. Use our central spam marking service.

11. Use a SpamBlocker such as Mailshield from the campus software, which filters emails directly on the mail server, or a freeware product, e.g. SpamPal.
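For tip 9, you can check your own homepage for addresses that are still machine-readable. The following is an added example, not part of the original page: it parses a page the way an HTML parser does and reports every address found in visible text or in attributes such as `mailto:` links. The sample page and its addresses are constructed placeholders, and the address pattern is a simplified assumption.

```python
import re
from html.parser import HTMLParser

# Simplified address pattern (assumption; not a full RFC 5322 matcher).
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample homepage; all addresses are placeholders.
PAGE = """
<html><body>
<p>Contact: firstname.surname@example.org</p>
<a href="mailto:office@example.org?subject=Hi">Write to us</a>
<p>Encoded: secretary&#64;example.org</p>
<p>Or use the <a href="/contact-form">contact form</a>.</p>
<img src="/img/address.png" alt="email address as image">
</body></html>
"""

class AddressAudit(HTMLParser):
    """Collect addresses readable from text nodes and attribute values."""
    def __init__(self):
        # convert_charrefs=True (the default) decodes entities such as &#64;,
        # so an entity-encoded "@" is still clear text to any parser.
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        for _name, value in attrs:
            if value:
                self.found.update(ADDRESS.findall(value))

    def handle_data(self, data):
        self.found.update(ADDRESS.findall(data))

def exposed_addresses(html):
    """Return the sorted list of addresses a parser can read from the page."""
    audit = AddressAudit()
    audit.feed(html)
    audit.close()
    return sorted(audit.found)
```

On the sample page this reports the plain address, the `mailto:` target and the entity-encoded address, while the contact form and the text graphic expose nothing.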

© TU Wien