By Ferry Boender <f.boender (AT) nihilist (DOT) nl>
Version 0.2, Sat July 12, 2003
Some e-mail addresses are easy to get by just guessing. John@hotmail.com. I'll bet he gets a lot of spam.
There are companies out there who specialize in finding e-mail addresses. And then they sell them to evil corporations. These companies use the same methods in order to get e-mail addresses as the others in this list.
You may have signed up for some free trial, played an online game, sent out a digital greeting card, or gone to an expo and filled in your personal information on a registration card. On all these occasions you probably also entered your e-mail address, didn't you?
Do you have a home page? Did you ever sign a guest book online? Just like search engines, some corporations have bots which crawl the web. Bots are automated web-surfing programs which visit every page on the Internet they can find. Instead of taking their contents and placing it in a database for you to search, they collect every e-mail address they find, put it in a database and then sell the database to people who are spamming you.
Somebody may have submitted your e-mail address to some site. They were trying to be nice by sending you a digital greeting card, but all they really did was give your e-mail address to the spammers.
Sometimes people receive a very very funny image from some other guy or girl, which they think you should absolutely see. So they send it to your e-mail address, and to their 20000 other friends. They don't believe it's spam, but you may not agree. I know I don't.
That's right, two: use two e-mail addresses. At least one of these should be with a free provider, so you can easily shut it down without ever having to check it again. The other one can be your own provider's e-mail address or your work e-mail address. Whenever you have to enter your e-mail address somewhere on the web, you use the free one. When mailing friends or important people, you use the other one. When you start receiving spam on the free account you can either ignore it, or close the account down and get another one. Whenever you need to register at some service and they send a password to the free account, you'll still be able to receive it. Of course, you can also use redirection services or some other 'closable' thing.
I myself use aliases. Since I run my own mail server, I can create as many e-mail addresses as I'd like, and close them down again when I start receiving spam on them. I'm currently using email@example.com, and have already gone through spam@ and spam1@, me@, myself@. Generally I need to close one down every 2 months. (Meaning I receive about 1 spam e-mail every 2 months.)
Tell your friends NOT to supply your 'good' e-mail address anywhere on the web. Make them use the free e-mail address if they want to send you greeting cards and the likes. Tell them about this page, so they will know what they should and shouldn't do with your and their own e-mail addresses.
Tell them not to send you crappy 'funny' images, links to flash movies, etc. Unless, of course, you happen to like that kind of thing.
Never, ever, ever, ever, ever reply to spam! Don't click links in the e-mail you received, not even the unsubscribe link! Why not? Because it won't work. These people, these damned bastards, are spamming you; do you really think they will listen when you tell them to "stop it and unsubscribe me"? Of course not. The fact is, if you click a link, you are letting them know that somebody is reading the address they spammed (the link usually carries an identifier tied to your address, so they know exactly which one). That means they've found a potential customer! Perhaps legislation will make them stop sending you spam themselves, but it will not stop them from selling your e-mail address to others with the message: "Hey, this sucker reads his spam!". This may sound paranoid, but hey, spammers are friggin' weasels and you have to be paranoid in order to stay one step ahead of them.
You should also make sure that your e-mail client (Outlook, for example) never renders remote or inline images in received messages: the image is fetched from the spammer's server, often with a per-recipient identifier in its URL, so loading it tells them just as fast that somebody is reading their spam. Also turn off the automatic read receipt (return receipt) option. Nobody uses it anyway, and besides, it's invading your privacy. Nobody has to know when you read your e-mail so they can get pissed off when you don't reply.
The human brain is much smarter at seeing patterns than any spambot will be for a very very long time. So when you put your e-mail address on your home page (or sign it at some guest book) like this
<a href="mailto:firstname.lastname@example.org">email@example.com</a>, even the most stupid spambot will be able to harvest your e-mail address. Instead, use something like this:
Email me at this address (obfuscated): spam2 (@) nihilist (.) nl , or this:
Email address: (remove all capital 'X's for the real e-mail address): spXam@nXiXhiXliXst.nXl .
I'll admit, it's not that user friendly, but if someone really really wants to e-mail you, they'll take the time to copy/paste the damned thing. Simple spambots will not recognize things like this; at worst they harvest a broken address, and spam sent to it bounces instead of reaching you. Be aware, though, that harvesters have long since been taught the most common substitutions, such as "(at)" and "(dot)", so a less predictable scheme like the capital-X trick holds up better than the obvious ones. Make sure you do not still specify your e-mail address in the mailto: link, because spambots WILL read this; the href is just more text to them. Just make people copy/paste the address.
Another way to obfuscate it is to use an image. Just open up some graphical editor and create a new image. Write the address on the image with the text tool and then place the image on your site. The spambots won't be able to read it, but normal people will.
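To see what a harvester actually gets from each of the forms above, here is a small added example (not code from the original article): a naive spambot that runs one address regex over a page, and a slightly smarter one that first undoes the common "(@)" / "(.)" substitutions. The sample page is constructed for this example and reuses the addresses shown in the text; the real address behind the capital-X form is assumed to be spam@nihilist.nl.

```python
import re
from html import unescape

# Constructed sample page: the naive mailto: form, the two obfuscated forms
# from the article, and an address rendered as an image.
SAMPLE_PAGE = """
<p><a href="mailto:firstname.lastname@example.org">email@example.com</a></p>
<p>Email me at this address (obfuscated): spam2 (@) nihilist (.) nl</p>
<p>Email address (remove all capital 'X's): spXam@nXiXhiXliXst.nXl</p>
<p><img src="address.png" alt="address as an image, unreadable to a bot"></p>
"""

# What a naive spambot does: match anything shaped like user@host.tld,
# in visible text and in href attributes alike.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# The substitutions a smarter bot has been taught: "(@)", "[at]", "(dot)", ...
DEOBFUSCATE = [
    (re.compile(r"\s*[\(\[{]\s*(?:@|at)\s*[\)\]}]\s*", re.I), "@"),
    (re.compile(r"\s*[\(\[{]\s*(?:\.|dot)\s*[\)\]}]\s*", re.I), "."),
]


def naive_harvest(html: str) -> set[str]:
    """Every string the plain regex finds, including inside mailto: links."""
    return set(ADDR_RE.findall(unescape(html)))


def smarter_harvest(html: str) -> set[str]:
    """Undo the well-known '(at)'/'(dot)' tricks first, then match."""
    text = unescape(html)
    for pattern, replacement in DEOBFUSCATE:
        text = pattern.sub(replacement, text)
    return set(ADDR_RE.findall(text))


def leaked(real_address: str, harvested: set[str]) -> bool:
    """True if the bot came away with the *working* address."""
    return real_address in harvested


if __name__ == "__main__":
    for name, bot in (("naive", naive_harvest), ("smarter", smarter_harvest)):
        found = bot(SAMPLE_PAGE)
        print(name, sorted(found))
        for real in ("email@example.com", "spam2@nihilist.nl", "spam@nihilist.nl"):
            print("  ", real, "leaked" if leaked(real, found) else "safe")
```

Both bots pick up the plain address and the one hidden in the mailto: href. Only the smarter bot recovers spam2@nihilist.nl from the "(@) ... (.)" form. Neither recovers spam@nihilist.nl: the capital-X form is harvested as the non-existent spXam@nXiXhiXliXst.nXl, and the image is never read at all.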
You could try using spam filters, but my experience (not first-hand, just skepticism of the techniques used and reports from various people) is that they sometimes delete legitimate e-mail, which isn't spam at all. Don't want that now, do you?
Fact is that spam filters are automated little thingies. Whenever spambots are made more intelligent, so are the spam filters. Since there's a lot of money to be made with spamming, spammers will invest a lot of money into research that makes their spam less 'spammy', so your precious spam filter will not recognize it as spam. Increasing the sensitivity of your spam filter will only make it reject more legitimate mail in order to intercept all spam. Since the knife cuts both ways, not increasing the sensitivity will make it accept more spam. What I'm trying to say here is that a spam filter will always be a trade-off between rejected legitimate e-mail and accepted spam. Also, spam filters, for obvious reasons, will always be one step behind spamming techniques. This in itself proves, for me at least, that spam filters are not the preferred solution.
Of course, this is just my personal opinion. Some people I know claim to have had excellent results with their spam filters. When I ask them 'How do you know that no legitimate e-mail is thrown away?', they reply: 'I've checked all rejected e-mail for X amount of time'. This, to me, does not sound like a solution to the problem.
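The trade-off described above can be made concrete with a toy scoring filter. This is an added example, not the article's own code or any real filter: it assigns hand-picked word weights (assumed, for illustration), runs them over a small constructed and labelled corpus, and sweeps the "mark as spam" threshold, counting legitimate mail rejected (false positives) against spam let through (false negatives). The corpus deliberately contains one spam with no trigger words, the "less spammy" spam the text warns about.

```python
# Hand-picked word weights (an assumption for this example, not a real filter).
# Positive means "spammy", negative means "looks like real mail".
WEIGHTS = {
    "free": 2, "viagra": 4, "click": 2, "unsubscribe": 2, "offer": 2,
    "meeting": -3, "invoice": -2, "patch": -3, "lunch": -2,
}

# Constructed, labelled corpus: (text, is_spam).
CORPUS = [
    ("Click here for your FREE offer!!!", True),
    ("Cheap viagra, click now", True),
    ("Free shipping offer, unsubscribe below", True),
    ("Great deals inside, see attachment", True),      # spam with no trigger words
    ("Lunch meeting tomorrow?", False),
    ("Please review the attached patch", False),
    ("Free lunch at the office Friday", False),         # legitimate, but uses "free"
    ("The invoice is attached, click to approve", False),
    ("Reminder: unsubscribe from the old list before the migration", False),
]


def score(text: str) -> int:
    """Sum of the weights of the words in the message (case-insensitive)."""
    return sum(WEIGHTS.get(w.strip(".,!?").lower(), 0) for w in text.split())


def evaluate(threshold: int, corpus=CORPUS) -> tuple[int, int]:
    """Return (false_positives, false_negatives) when messages scoring at
    least `threshold` are rejected as spam."""
    false_positives = false_negatives = 0
    for text, is_spam in corpus:
        flagged = score(text) >= threshold
        if flagged and not is_spam:
            false_positives += 1       # legitimate mail thrown away
        elif not flagged and is_spam:
            false_negatives += 1       # spam delivered
    return false_positives, false_negatives


def sweep(corpus=CORPUS) -> dict[int, tuple[int, int]]:
    """Evaluate every threshold from below the lowest score to above the highest."""
    scores = [score(text) for text, _ in corpus]
    return {t: evaluate(t, corpus) for t in range(min(scores) - 1, max(scores) + 2)}


def perfect_threshold_exists(corpus=CORPUS) -> bool:
    """Is there any threshold that rejects all spam and no legitimate mail?"""
    return any(fp == 0 and fn == 0 for fp, fn in sweep(corpus).values())


if __name__ == "__main__":
    for t, (fp, fn) in sweep().items():
        print(f"threshold {t:>3}: {fp} legitimate rejected, {fn} spam accepted")
    print("perfect threshold exists:", perfect_threshold_exists())
```

Here "Free lunch at the office Friday" and "Great deals inside, see attachment" both score 0, one legitimate and one spam, so no threshold can separate them: the strictest setting that keeps all legitimate mail still lets one spam through, and the first setting that catches every spam throws away three legitimate messages.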
Another way to avoid spam is white-listing. White-listing involves keeping a list of known persons, e-mail addresses or other means of identification from which e-mail may be received. When someone not on the white-list sends you an e-mail, their message is first queued by an automated process. This process then replies to the sender's address, asking for confirmation. All they have to do is reply. After that, the automated process adds them to the white-list and their original e-mail is delivered to you. This has advantages as well as disadvantages.
The advantage is that spammers need to specify a valid reply address and actually answer the challenge before anything of theirs reaches you. This increases costs for spammers quite dramatically (should they choose to actually use a valid reply address), although perhaps not enough for them to stop their illegal and harassing activities. But if they do use a real address, you at least have something to trace. Keep in mind that most spam carries a forged sender address, so your challenge then lands in the mailbox of an innocent third party rather than the spammer's.
A disadvantage is that other automated e-mail senders (subscription robots, order confirmations, password mails and the like) never answer the challenge, so their mail stays stuck in the queue. This probably proves to be the biggest problem with this technique.
Implementations of this technique already exist, as I have seen them reported on freshmeat (a software repository site), although I forgot the name and now can't find it anymore. A quick googling brought me this result: TMDA, which states: "TMDA's Whitelist-centric Strategy 'Deny everything that is not explicitly allowed'".
If anybody has tried this technique and is willing to share their results with me, please contact me at the (obviously obfuscated) e-mail address at the top of this article.