Stop Spam From Yahoo!
Yahoo was one of the first of the commercial "good guys" on the
web. Probably in a desperate attempt to defend their still huge market
cap and to bring down their still astronomical P/E, they have slithered further
and further off their pedestal. They have instituted a few "opt-out"
tactics that allow them to spam you and to spy on you as you get spammed.
Opt-out tactics assume that you want to be spammed and spied on,
and it's up to you to tell them otherwise.
This is a new low. It's sad to see this happen!
It's easy to fix these problems,
but you have to know that you have to!
Yahoo Spam
Yahoo has a "feature" in Yahoo accounts called "marketing
preferences".
They have set all your preferences to yes, as if you have
voluntarily asked for more spam! You have to explicitly opt out
(see below) to avoid the spam.
To make matters worse, they have taken information like
address and phone number, previously given in confidence to Yahoo Shopping,
and sold it to their partner spammers.
Who Is Affected
I believe anybody is affected who has a Yahoo id, for example a
Yahoo mailbox, a portfolio on quote.yahoo.com, a page on My Yahoo,
is a member of a Yahoo Group, or has done online shopping with
Yahoo Shopping.
If you have many Yahoo ids, you have to fix them all.
It's possible to join a Yahoo group by email address
without getting a Yahoo id.
I'm not sure if those email addresses will
get spammed by Yahoo, so I don't know whether to recommend
that those people sign up for a Yahoo id just to explicitly
turn off the spam, or whether they should leave well enough
alone. I also don't know if Yahoo harvests email addresses
in other ways, e.g. messages that are sent to or from
Yahoo mail accounts.
- Find an Account Info link on any Yahoo page that requires that
you sign in. For example, you can go to My Yahoo; once you are signed in you'll
see the link.
- Click on the Account Info link.
- Verify your password if it asks you to.
- Your Yahoo "ID card" should come up.
Click on Edit your marketing preferences somewhere near
the middle of that page.
- You'll probably see all the Yes buttons selected!
Before you go any further, you should probably go down to
Edit your Yahoo! Delivers preferences. This appears to be
yet another spam factory, and if you click all the No
buttons before this step, they'll be reset after you're done with
"Yahoo Delivers". (Under "Yahoo Delivers", there are a number
of ways to say no; I chose them all!) After you're done with
this, click Finished.
- Now you should be back at Edit Marketing Preferences.
Select all the No buttons. Make sure you go all
the way to the end so you don't get spammed by phone or postal mail
either. (I tried, just for fun, to set it to deliver spam to abuse@yahoo.com but it was clever
enough to reject the address!)
- Click "Save Changes".
- You're done!
Yahoo Spying: "Web Beacons", a.k.a. One-Pixel GIFs or Web Bugs
To add insult to injury, Yahoo is now also using "web beacons",
or one-pixel GIFs, to spy on you as you browse the web and
read your spam. The idea of these is simple. For the most part,
when your browser or mail reader reads an HTML page
(HTML is the language
in which web pages, as well as some email messages, are written)
it reads the page with your explicit consent. For example,
you decide when to point your browser at a particular web page,
or when to open an email message. But there's one exception
to this. An HTML page may contain
image tags to allow browsers to load graphics along with the page.
The image tag contains
a link to the file containing the image.
The net result is that, if you open a web page or an email
message that contains an image tag, your browser or
mail reader makes another request over the network to read
the image, without your explicit consent.
Mostly, these image tags are harmless, and, while overused, they do
serve a sometimes useful function.
For example, the image to the right of this text comes to you
via an image tag.
But there are a number of ways image tags can reveal more
about you than you care to share:
- The image does not have to be visible. A one-pixel
transparent GIF is invisible. So unless you know where to
look, you won't even know that your browser or mail
reader requested, and was sent, an image from somewhere on the web.
- The link to the image can point anywhere on the web,
not just the server serving the original page.
So the image tag forces you to be a visitor to that other site without
your consent. For example, a site containing
information about a medical condition might contain
image tags pointing at huckster sites that may be interested
in spamming you, or even insurance companies that may be
interested in denying you coverage.
- The image server can send you cookies, and your browser will
normally send the image server any such cookies next time you "visit",
even if your "visit" is inadvertent via an image tag. This is how
Doubleclick gets cookies on your computer even though you've
never knowingly visited Doubleclick's site.
- The image server can find out your IP address.
- While the typical image tag just contains a web address
of the image file, the originating page can hide any other
information it wants in the tag, as long as the server can
interpret it. This is particularly painful in email messages,
which can hide your email address right in the image tag.
This way a spammer such as Yahoo, or worse, can find out
if, when, and from where you read their spam. Obviously
an email address of someone who actually reads their spam
is more valuable to spammers, and makes you more likely to
get spammed in the future.
To make use of any of the above techniques, the
author of the original page or email must explicitly
cooperate with the server of the graphic file.
Yahoo should be above such shenanigans, but apparently it's not.
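To see these traits in an actual page or HTML email, here is an added example (not part of the original page) that scans the HTML for image tags that are invisible, come from another server, or carry the reader's address in the link. The names BeaconFinder, find_beacons and SAMPLE, and the example.com/example.net hosts and address, are made up for illustration; only a plain, percent-encoded or standard-base64 address is recognized.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class BeaconFinder(HTMLParser):
    """Flag <img> tags showing the traits listed above (hypothetical helper)."""
    def __init__(self, page_host, reader_email):
        super().__init__()
        self.page_host = page_host.lower()
        self.email = reader_email.lower()
        # The same address as base64, a common way to hide it in a URL.
        self.b64 = base64.b64encode(self.email.encode()).decode().rstrip("=")
        self.findings = []  # (src, [reasons]) for each suspicious image

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: v or "" for k, v in attrs}
        src = unquote(a.get("src", ""))  # undo %40 and similar escapes
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width") in ("0", "1") and a.get("height") in ("0", "1")) \
                or "display:none" in style:
            reasons.append("invisible")
        host = (urlsplit(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("other server")  # it sees your IP and cookies
        if self.email in src.lower() or self.b64 in src:
            reasons.append("address in URL")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def find_beacons(html, page_host, reader_email):
    finder = BeaconFinder(page_host, reader_email)
    finder.feed(html)
    return finder.findings

# Constructed sample: a page served from www.example.com, read by reader@example.org.
SAMPLE = """<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="http://tracker.example.net/b.gif?u=reader%40example.org" width="1" height="1">
<img src="http://cdn.example.net/x.gif?id=cmVhZGVyQGV4YW1wbGUub3Jn" style="display: none">
<img src="http://www.example.com/photo.jpg" width="300" height="200">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_beacons(SAMPLE, "www.example.com", "reader@example.org"):
        print(src, "->", ", ".join(reasons))
```

For an email message, pass the sender's own web host as page_host; any image flagged "other server" is fetched from somewhere else when the message is opened.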
How To Fix It
Luckily there are a few things you can do to minimize
the effect of these GIFs:
- Never open email messages if they appear to be spam,
even just to peek.
- Use web browsers and
mail readers that have features to foil this exploit. A mail
reader should allow you to prevent it from loading remote
images in email messages. A web browser should allow you to
prevent it from loading images from a different server than the
one the page is on. Both of these features are available in
the excellent, free, open-source browser/email reader
Mozilla.
- To put recipients of your emails at ease, configure
your mail program to produce plain text messages,
not HTML messages. Not all mail readers can read HTML
messages anyway.
- For each browser on each machine that you use, you can
visit this page
to tell Yahoo that you want to opt-out of web beacons.
Of course, this technique at best solves the
problem for Yahoo and its crony sites, but not the rest of the web.
Yahoo has published a little
note on this unpleasant subject.
Talk Back?
If you want, tell Yahoo how you feel about all this snooping
using their privacy feedback form.
I can't imagine, though, that this will do any good.
Jon Dreyer
Last modified: 2003-01-14