I'll address these together. Without a doubt, spammers harvest email addresses from USENET postings. I've tested this by creating accounts, issuing a single message to a newsgroup, and waiting to receive the spam, which usually begins showing up within a month. In our book, we discuss a few different ways to keep your address out of the hands of spammers harvesting from USENET.

One approach is to have a second account that you use only for USENET posting - a second AOL screen name, or a Hotmail or Juno account that can be used to post through DejaNews. This lets you keep your "real" email address out of the public eye. Anonymous remailers offer another way to do this.

Another commonly used approach is to disguise or "munge" your address. This is indeed effective, as people come up with a much larger and more imaginative set of ways to disguise addresses than spammers can automatically unmask (although some spammers do reportedly employ real people to unmunge addresses!) In the book, we explain how to munge effectively.

But consider what we've been forced to do by spammers. USENET was once a haven of useful information, important announcements, and lively discussion in which participants could easily contact one another privately by email as well. Now many people are worrying about how to conceal their addresses, and it's getting harder and harder to reply to posts by email. That's sad.

One rumor I've heard says that some spammers who offer "mail to this address with REMOVE in the subject" actually use that technique to verify authenticity of your address. Is this true?

It has been true in a number of cases. Certainly, back in the day when I used to try to "opt out" like this, I sometimes received much more spam from the same organization. And spammers buy and trade lists, so you might be giving a verifiable address to a host of spammers.

Do you suggest that recipients of spam send e-mail to the spammer's ISP asking them to stop the spam?

We consider this a matter of personal preference, but generally favor it. Sometimes you can tell that the spammer is just a naïve novice who doesn't know that spamming chain letters is a bad idea, and a word to the spammer suffices. On the other hand, most spammers are breaking the law by violating their contract with their ISP, and very few ISPs are willing to stand for this. ISPs have the most powerful position with regard to spammers -- if their acceptable use policies are well-written, they can not only terminate spamming accounts, but collect "clean-up" damages.

What do you think about anti-spam campaigns, such as organized mail bombing?

Anti-spammers should take the high ground, and abide by the same principles of law and netiquette that they expect of spammers. Nearly all do. We come out strongly against mail bombing or threats or other illegal actions against spammers. Mail bombing isn't necessary anyway -- 100 outraged people sending a single email message to an ISP is far more effective in the long run than one person crashing their server with a mail bomb. And there are some technologies, like the Realtime Blackhole List (http://maps.vix.com/rbl) or USENET Death Penalties, that allow the Internet community to effectively shun rogue ISPs who don't take action against spammers.

More...