Editors’ Note: Nowadays, spam is a problem for everyone with e-mail. Furthermore, it is a problem that threatens to change the landscape for organizations, such as nonprofits, that depend on the immediacy and low cost of e-mail to reach fragmented and diverse constituencies. These attributes, which have been a key to rapid adoption of e-mail by nonprofits, are being eroded as organizations are increasingly inundated with spam and viruses. We must learn to manage incoming spam in order to keep our organizations from “crashing.” We must also learn to navigate the new spam-filled environment, while maintaining a vital communications channel and avoiding the spam label, ourselves.

In the time it takes you to read this sentence, thirteen separate pieces of spam will have been reported to Spam Cop, a Web site dedicated to helping users report unwanted and unsolicited e-mail. In one 24-hour period, 1,198,166 messages were reported as spam, and in the month of February, 2004, more than 47 million messages were submitted to their site.1
Estimates vary on the percentage of spam messages in relation to all e-mail. Spam Filter Review, a site that identifies and tracks spam filter products, estimates that 40 percent of all e-mail sent is spam.2 Brightmail, a company that makes a spam filter product, reports that 62 percent of all e-mails sent in February, 2004 were spam.3

All of this begs the question: What is spam? There is no hard-and-fast definition; and increasingly the lines are being blurred between spam, viruses, and legitimate messages, which promises to make this issue more complex and costly. According to GetNetWise, spam is “unsolicited ‘junk’ e-mail sent to large numbers of people to promote products or services. Sexually explicit unsolicited e-mail is called ‘porn spam’.” Both terms may be used to refer to inappropriate promotional or commercial postings to discussion groups or bulletin boards.4

Spam has become much more than just an annoyance. It can clog our inboxes and gunk-up all of our Internet communications mechanisms. And, beyond our own inboxes, it can hit message boards, comment areas on Web sites, and listservs, causing our systems to shut down and others to reject our messages. In June 2003, according to a BBC report, MessageLabs, a spam filtering company, identified an example of a virus being sent by spam. The virus didn’t just send out messages to individuals in the infected computer’s e-mail address book; it opened a back door that enabled the spammers to use the infected machine to send out unsolicited mail.5

Viruses and spam often intersect in a way that allows spam messages to display third-party e-mail addresses. These addresses may be harvested from an infected computer’s address book. The address may be taken when a machine is hijacked and used to send spam messages. In either case, it can be made to appear that your organization is sending unsolicited e-mails on a variety of subjects.

This article does not cover all of the complexities faced by nonprofits regarding spam, but there are two main concerns that nonprofits face: their ability to protect their systems and their employees’ time from spam, and their ability to get messages out to new constituencies who are battling spam problems of their own.

Are You a Spammer?

Nonprofits must view their e-mail communication strategies within the context of a spam-filled environment. Not only must your messages be compelling enough to be opened, they must also avoid falling victim to filters and blacklists. Being labeled as a spammer can prevent your organization from getting its message to its audience. Worse, removing your name from blacklists, renegotiating a relationship with an Internet service provider (ISP), or rebuilding goodwill with a constituency that felt you e-mailed them without their explicit permission, can be costly and sometimes impossible to do.

Bill Pease, Chief Technology Officer at GetActive Software, talks about the need for nonprofits to attend to their practices of both list building and message deliverability as key factors in maximizing their ability to get their message out without acting as, or being labeled as, spammers.

“It is often tempting to cut corners in building e-mail lists,” says Pease. However, doing so can negatively impact the ability of your organization to send legitimate e-mail messages to your constituency. While many people think of e-mail lists like direct-mail lists, they are vastly different. You don’t need permission to send people direct mail, but in the e-mail arena, you do need permission if you don’t want to be labeled a spammer.

According to Pease, you can choose from a spectrum of options for building your list. The spectrum ranges from using strict procedures to ensure you have permission to email subscribers, to building lists without acquiring explicit consent from recipients. From the perspective of Internet service providers and anti-spam activists, the “gold standard” mechanism for building your list is known as double opt-in. This method asks users to sign up, and then asks them to confirm their sign-up in a second action. This method is often avoided because many organizations are concerned that people will drop off between the first and second confirmation. However, with this method you can be assured that those responding really wanted to join in the first place.

In the middle of the spectrum are list-building techniques that involve obtaining some level of permission from recipients, but exactly what has been consented to is often ambiguous. One example would be the common practice of acquiring names via co-registering. For example, when users sign up on a Web site, they may indicate that they are willing to receive messages from a third party. Typically, people are given an option to select third parties within their interest area; however, they are not given the names of the organizations that will be contacting them. For example, a user may indicate a willingness to receive messages from environmental organizations. Later, however, when they actually do receive e-mails from a specific environmental advocacy group, they may not connect it to the permission they gave earlier. As a result, they may complain that the group who contacted them is a spammer. It is critical to be constantly aware of the potential complaint rate your messages are likely to generate. Even relatively few complaints can result in new spam controls that prevent messages from getting to the intended recipients.

Such mechanisms for indirectly acquiring permission, according to Pease, “…really don’t stand up under scrutiny, and these days are more and more risky. These days it doesn’t take as much to start generating enough complaints to get you temporarily blacklisted. There’s a lot at stake in ensuring that you have permission [to send messages].”

In a presentation at the 2003 San Francisco Regional Conference of the Nonprofit Technology Enterprise Network (N-TEN),6

Pease offered the following advice for list building:

• Request explicit permission whenever you collect an e-mail address.
• Link brand or publication name to every opt-in request.
• Document all opt-ins, especially those collected off-line.
• Use double opt-in for online recruitment.

“The other thing,” says Pease, “that is very obvious these days for nonprofits…is that email messaging has become an extremely technical, rapidly changing field. There’s a wish that it was still the early days of the Internet when there was no spam, and e-mail was a great way of communicating. Nonprofits are used to thinking this is a cheap and free and easy way to get into everyone’s inboxes. That isn’t true any more.” Pease points out that while e-mail itself may be free, deliverability is not.

In fact, deliverability services—assistance in ensuring that the message gets to the recipient—is a service for which e-mail service providers are charging. Organizations often use bulk e-mail practices that trigger spam prevention software, and navigating these “requires a lot of technical and relationship expertise,” according to Pease. Examples of these types of practices include the following: sending e-mail to large numbers of Bcc (blind carbon copy) addresses, sending bulk e-mail via a dial-up connection, and sending bulk e-mail via free services such as Yahoo! or Hotmail. An e-mail service provider can help you avoid these types of pitfalls.

In addition, it is becoming more and more important to ensure that you maintain good list hygiene if you want major ISPs to accept your email messages. Proper management of bouncing email, for example, is now critical to maintaining good relationships with ISPs. If you do not cease messaging to addresses that are bounced because of an invalid e-mail address, and quickly address spam complaints from an ISP’s subscribers, you risk having all of your messages blocked.

The Monday morning routine is simple: start the computer, download your e-mail, sip your coffee, hit the delete key for roughly half of the e-mails you received since Friday, and then groan with the realization that you’ve hit the delete key one too many times. If you’re lucky it is simply annoying; but if you’re unlucky, virus-carrying spam messages can open up your system to use by a spammer. Consequently, you can be targeted—and blocked—as a sender of unsolicited e-mail. Both of these scenarios interfere with your staff’s ability to do mission-based work.

Many companies are debating the best ways to filter spam before you see it.7 These discussions, while interesting, will probably not impact you or your organization for several years.8 In the meantime, you can concentrate on two basic ways to protect your resources: organizational best practices and software solutions.

The first step in managing spam is to engage your staff in a discussion about spam. Ask them to talk about how and why it is a problem or challenge in their work, and then share with them a list of your own ideas. Be mindful of your organization’s purpose. Consider the best interests of your organization in terms of eliminating spam as well as in terms of your own privacy policy and communications. It is essential to balance the need to protect your staff time and your system resources with your need to be available to the outside world.

Although there is still no standard approach to e-mail privacy, encourage staff members to protect their information. A first-line defense would be to ensure that you and your staff don’t unwittingly give information to those who would misuse it.
A particularly harmful trend that is gaining in popularity is identify theft. The practice of gathering names, passwords, credit card numbers and other private information, sometimes referred to as “Phishing,” can be costly and dangerous. Spammers create messages that appear to be from a legimate source (PayPal and Earthlink are two recent examples). They ask users to enter personal information, threatening that their accounts can be closed or limited if the information is not supplied immediately. Once obtained, spammers can do great harm; and often the person who provided the information is unaware until after serious damage has been done.9

Beware of responding to any unknown e-mails, including those offering to allow you to “unsubscribe.” Many unsolicited e-mail messages include a helpful line that says something like: “Do you want to be removed from our e-mail list? Click here.” While some e-mail messages do carry legitimate unsubscribe buttons, the majority do not. By clicking, you have confirmed that you have an active e-mail address that is being read and acted upon. The safest approach is to simply delete
the message.

Many spammers utilize programs that harvest e-mail addresses off public Web sites. If your organization has many e-mails listed, you may want to highlight them and then examine ways to reduce the number of addresses you make available on the Internet. These e-mail addresses can include the contact e-mails on your organization’s Web site, public archives of listserv messages, or lists of conference attendees.

Alternate approaches to minimizing the number of e-mails that could be harvested include establishing a single alternate contact such as [email protected] and removing all of the staff addresses. (You can find out more about hiding addresses from spammers at http://spam.abuse.net/userhelp/#hide). Some organizations also assign their staff two e-mail accounts: one to use privately—shared on business cards and with regular and known correspondents—and another for use in more generic public places: on listservs, when registering for conferences, and when signing up as a user on various Web sites.

Organizational best practices are designed to allow legitimate e-mail to reach you and, at the same time, to minimize your potential to be a target of spam. The downside of many best practices is that they can’t keep up with spammers’ ever-evolving ability to get at your inbox; they may limit the ability of people to contact you; and they may require an additional level of technical savvy on the part of your staff.

Spam filtering software provides an automatic mechanism for separating the e-mail that has the characteristics of spam from the e-mail that has the characteristics of legitimate e-mail. While spam filtering software can provide a very good shield for an organization, it is not a panacea. It has two main problems: false negatives and false positives.

False negatives are often seen as the lesser problem. These are simply spam messages that are not tagged as such, and so get through to the users inbox. False positives can be more problematic. These are messages that should not have been labeled as spam—they may have been sent to a large Bcc list or have come from an unknown sender—and they are filtered out of the inbox.

When implementing a software-based solution, it is best to include a trial period. During this period, e-mail should not be deleted before the user can view it. E-mail may be tagged (a phrase added to the subject line, for example) so that users can set up filters in their e-mail clients. Potential spam also may be collected in a central place so that users can review it before it is deleted.

During the trial period, ask your staff to comment on the effectiveness of the software. Many filtering solutions
offer an option to adjust the controls; they may be made more or less permissive. For a summary of how such
filters work, as well as their pros and cons, see the PowerPoint presentation by Eytan Urbas of MailShell at http://www.nten.org/conferences-2003-sf-fightspam.

Not all methods are appropriate for all organizations, so before selecting a software solution ask questions about how it works and whether it is an appropriate approach for your nonprofit. Most organizations will use a combination of methods—rules-based software that has the capacity to develop both black and white lists. This may also be used in conjunction with collaborative networks in which all users report back on identified spam so that, with critical mass, certain senders can be added to black lists, or rules can be tweaked to better identify spam. In all cases, the best software solutions update their spam rules on a regular basis. Many of these updates require little or no effort on the part of the user. These updated rules help to catch spammers who continually find ways around existing rules by doing things like altering spellings, spoofing known e-mail addresses, or mimicking the rules for legitimate e-mails.

In addition, you should be sure that the spam software you decide upon gives you an opportunity to adjust specific rules to meet your needs. An organization dedicated to providing information about sexually transmitted diseases, for example, may receive a significant amount of e-mail with the word “sex” in the subject line. These organizations may wish to remove a rule that identifies those e-mails as likely spam.

You can find lists of spam filtering software at http://directory.google.com/ Top/Computers/Internet/Abuse/Spam/

Legislative solutions involve efforts to make the sending of unsolicited spam illegal. Various states have several efforts underway. You can track these efforts on Web sites such as Spam Laws at http://www.spamlaws.com/index.html and SpamCon Foundation at http://law.spamcon.org/.

None of these mechanisms will ensure that spam does not interfere with your organization’s ability to act on its mission. Thinking about these issues as you set up systems, however, will ensure that you and your staff can mitigate that effect in a thoughtful and engaged manner.

1. Spamcop.net: Statistics on Spam Trends, http://www.spamcop.net/ spamstats.shtml
2. SpamFilter Review: Spam
Statistics 2004, http://www.spamfilterreview.com/spam-statistics.html
3. Brightmail: Spam Percentages
and Spam Categories, http://www.brightmail.com/spamstats.html
4. GetNetWise: Guide to Internet
Terms: A Glossary, http://www.getnetwise.org/glossary.php#S
5. BBC News: Technology: “Spam virus ‘hijacks’ computers,” http://news.bbc.co.uk/2/hi/technology/ 2987558.stm
6. http://www.nten.org/conferences-2003-sf-spamham
7. BBC News: Technology:
“Row over how to junk spam,” http://news.bbc.co.uk/2/hi/technology/3492354.stm
8. Security Pipeline: News: “Gartner: Microsoft’s Anti-Spam Plans Will Take Years,” http://informationweek.
9. New York Times, March 24, 2004, “Online Swindlers, Called ‘Phishers’; Lure Unwary,” by Saul Hansell.

About the Author

Marnie Webb has been working on technology issues with nonprofits and schools for the last twenty years. She is currently the Director of Consulting Services for CompuMentor, the home of TechSoup.