There are enormous quantities of spam being distributed through the Internet, tying up the system resources and time of unwilling recipients. This usurpation of resources represents a significant drain on productivity, so subscribers expect their mailing list to be a spam-free zone. Unfortunately, this is more of a goal than a reality.

Some spammers make a really nasty habit of using other people's computers to spawn email messages without the consent of the computer owner. This is accomplished by planting a trojan (i.e., program) on the computer. The trojan transforms the computer into a "spam drone" that generates spam whenever the computer is online. The program is set to run invisibly, so the user isn't likely to know their computer is being used as a spam drone until they are contacted by their ISP, mailing list administrator or other annoyed spam recipient who has traced the email back to them.

When a mailing list receives spam from a trusted source, such as a subscriber, it is possible that the sender's computer is being used as a spam drone. If this is a first-time offense, it's wise to give the sender the benefit of the doubt and provide any help you can to help them secure their computer. Most of the current anti-virus software is packaged with anti-spyware software, and there are also free, downloadable versions of anti-spyware and home firewall software available on the Internet.

The tie-in between spam and malware isn't limited to hijacking computers for use as spam drones. Spam does have more sinister uses. Phishing scams, a relatively new internet phenomenon, can be initiated via spam masquerading as email from a trusted source, such as your organization. These messages are usually designed to mislead the recipient into believing that it is necessary to update personal and account information. The message contains a link to an official-looking page where forms capture privileged information such as passwords, credit card numbers, etc. This is just another reason why your organization will want to take advantage of all practical precautions to guard against spam being posted to its mailing lists.

Guarding against spam presents a greater technical challenge than guarding against malware, such as viruses. First, only certain types of files can transmit malware capable of executing itself. Plain text files, such as those commonly used for email, won't contain malware but they can certainly contain spam. Secondly, programming code must be properly structured if it is going to work, so files containing executable malware have identifiable patterns that can be detected by virus filters. On the other hand, spammers can and do deliberately obscure the keywords for which spam filters search. For instance, anti-spam software may search incoming messages for the terms 'pharmaceutical' or 'viagra'. Spammers can use obfuscated but human-readable versions of these terms such as 'phar$ma/ceu*tical' or 'v/ia^gra'. This foils the ability of the software to detect the terms, since it can only find exact matches to known patterns. It's impossible to completely identify and filter out all spam without human intervention (i.e., using moderators to review all messages before posting them to the list).

Spammers obtain email addresses by purchasing them from companies who are willing to sell their customer's addresses or by harvesting addresses from webpages. They use software called spiders or scrapers to glean email addresses from mailing list archives, rosters, directories and any other source they can find. Spammers sell these lists to each other and to customers, and there are rumored to be lists containing millions of email addresses in circulation, although a high percentage of the addresses on these lists are likely to be stale and invalid.

Spammers often use software to run "dictionary attacks"—similar to those that attempt to crack weak passwords—to test for common usernames. For instance, if the domain name is 'example.tld', this software might check for common names and nicknames like 'kim@example.tld' and 'brownie@example.tld'.

Many alias names are based on widely used standards, so spammers routinely send mail to common system aliases such as support@example.org. Mailing lists were the original spam-distribution vector and are still a favorite target. If a spammer manages to learn or guess a list alias and distribute spam through a list, a single successful guess may forward the spam message to thousands of list subscribers.

Spam can't be eliminated, but it can be minimized, and the single greatest defense against spam is to have moderators vet messages before they are posted to the list. Even if all messages are moderated, spam will occasionally slip through, usually because a moderator is out of the office and an autoresponder replies in a way that approves posts in their absence.

If you want your list to be moderated, select a moderated list type. See Default List Types for information on moderated list types. To learn more about moderation, see Moderation.

Kavi® Mailing List Manager offers several different access control mechanisms that can be implemented through list configuration option settings at the list and list type levels. Options can be set to limit the ability to post and to subscribe. Since the ability to post can be based on whether an individual is a subscriber or not, restricting the ability to subscribe indirectly controls the ability to post for many types of lists. Lists that aren't completely moderated often allow subscribers to post directly while sending posts from the public (i.e., posts from unknown addresses) to moderation or rejecting them outright.

This is explained in more depth in Access Control and List Types.

Spam filters work in conjunction with automated access control options and human moderation to protect your list. They screen incoming email at the firewall before it even enters the Web site. Email that meets the filter's rather broad criteria is immediately deleted and fails silently. Occasionally a legitimate message that closely resembles spam will be deleted (usually because it has an empty 'Subject:' field) and occasionally spam that doesn't meet the filters criteria will pass the filter. Depending on list configuration, the message may still be kept from the list by being automatically rejected or sent for moderation because the address of the sender isn't on a list with direct posting privileges.

See the section on Spam Blocking in Virus Scanning and Spam Blocking for more information.

Blocklists are lists of the IP addresses of known spammers that have been collected by global anti-spam organizations. Kavi uses blocklists maintained by Spamhaus, which is probably the foremost of these organizations, and rejects any incoming email if the sender's IP address matches an IP address on the blocklist. Mailing list managers can report repeat spammers to their ISP, Spamhaus and other anti-spam organizations so they can be added to these blocklists. Kavi also maintains a private blocklist to help protect sites it hosts.

Most mailing lists employ a zero-tolerance policy for spammers and the list's Policy and Usage statement includes the information that any subscriber who attempts to post spam will be immediately and permanently unsubscribed. It's wise spell out list policy for the more subtle forms of spam (e.g., job solicitations, cross-posts) and the consequences that may be incurred by senders submitting these forms of spam. For more information, see Writing Policy and Usage Statements and Sample Policy and Usage Statement.

Whether a list's Web archives are public or private, email addresses can be obscured by selecting the 'Protect Archives from Spam' option in the Add a Mailing List or Edit a Mailing List tool. Setting this option to 'Yes' causes the email domain of addresses to be replaced with a series of 'X' marks before being displayed in the Web archives so that address harvesting software will be unable to glean list user's addresses. This is inconvenient to list users who want to contact another list user directly and can't get the other's address from the archives, but those who use address harvesting software are relentless in their attempts to bypass system security—and the lists of addresses they collect are sold to spammers around the world, potentially including unethical people running phishing schemes and other kinds of scams.

As mentioned in the preceding section What is spam?, there are several conditions under which email from your organization might be mistaken for spam by the recipient, particularly if the list doesn't confirm the individual's intent to subscribe or makes it less-than-easy to unsubscribe.