Seems like you volunteered to receive spam?

You are right if you feel like spam is getting out of hand!

It did. And it is.

The well-known consultancy firm Gartner projects that SPAM (unsolicited commercial email) will increase by one thousand percent per year - and almost 70% of all email received on the internet is now spam!  This means that unless we do something, the spam problem is going to get even worse.

In this article we discuss how you got targeted by spammers and what you can do about it.

Contents

Topics covered in this article:

  • Don't help the spammers
  • Where spammers got your email address
  • Be careful when you give your email address away
  • How your address is stolen
  • Your friends may be helping spammers make your inbox miserable
  • Why ISPs find it difficult to block spam
  • Use disposable email addresses
  • Fighting back

Don't help the spammers

Spammers sends billions of email messages in the hope that a fraction of a percent of recipients will visit their site or buy their product.  Once people stop responding to these messages, there will be no point in using spam.

Of course this is an idealist point of view ("common sense is not at all that common", to quote Winston Churchill), and there will always be gullible and naive people to fund spammers and other online crooks.  This does not mean we should give up.  By educating people and helping our friends and colleagues understand spam and how it works, we hit the spammers where it really hurts - in their bank accounts. 

If you help a spammers to confirm that your email address is active, you incentivize them to send you more spam.  Spammers can track your email address (validate that it is real) when you:

  • Open an HTML spam message while online
    The message includes links to the spam web site enabling the bad guys to track the fact that you opened their message.  Now the spammer knows that your email address is valid and you will keep on receiving "offers" until you scream.
  • Unsubscribe using the link provided
    Sometimes a particular spammer might actually honor your unsubscribe request, but most will simply sell your now validated email address on tens or hundreds of other spam mail lists.  In the end you are worst off because more spammers now have your email address.
  • Reply to the spam
    When you reply in any way - even to complain, they know you are there.
  • When you buy from them
    Of course, when you buy a product advertised with spam or visit the website in the spam message you pay the spammer's salary AND his Porche.  All they need is a few hundred people per million to buy their product / visit the web site.

Bottom line: Don't read, respond to (or open) any spam message.

Where spammers got your email address

Spammers use software programs (called robots or spiders) to "read" web sites to harvest email addresses published on the web.  Once you publish your email address on any web site or discussion forum, robots may pick it up and add it to their spam list....and you will get spammed for as long as that email address stays active.

The number one golden rule is therefore to never, ever publish your email address on any web site - including your own!  (Use a contact-us form instead). 

If you don't have access to server based forms, or for some reason you need to display your email address, at least try to hide the "@" sign in your address.  Unsophisticated spam robot software look for the @ sign to harvest your email addresses.

A simple and mostly effective technique to fool the robots is by making your email address human readable, but difficult for software to understand.  For instance: instead of publishing your email address as neverspam@goaway.com publish the address like this: neverspam[at] goaway.com. 

This is not as foolproof as server side-forms and it might confuse some of your less astute visitors - but that's a small price to pay for spam-free email!

Other sources abused by spammers to harvest email addresses are:

  • Online directories
    Sites with online lists of telephone numbers, email addresses and contact information - including telephone directories and some specialist search engines.
  • Chain letters
    When you forward chain letters you expose your own email address and those of all the other people who got duped into perpetuating the junk mail because they are either superstitious or stupid, or both.
  • Online guest books
    When you sign an online guest book on a web site, be aware that spammers might be scanning that site for email addresses too
  • Online chat rooms
    This is a favorite hang-out for spam bots. 
  • Classified adds, online discussion forums and newsgroups
    Golden rule: if your email address is available anywhere on the web, the spammer bots will find it.
  • Contact details for domain registration
    Contact info for domain registrants must be published publicly where spammer bots can get your email address.
  • Blogs
    Do not disclose your email address when you leave comments on blogs.

Be careful when you give your email address away

Many legitimate web sites ask for your email address in order to send you information or in exchange for a free newsletter or software. 

This is not necessarily a bad thing, because most web sites are legitimate businesses willing and able to supply you with information and advice.  The thing is that there are bad apples too, and therefore:

Before you supply your email address, make sure that:

  • You read their terms of use and privacy statement
  • The site is indeed reputable and can be trusted
  • You understand exactly why your email address is needed

Even after you verified the above, it's still better to give them one of your disposable email addresses rather than your primary address.  (more about disposable email addresses later)

Watch out for covert address collection

Beware of dirty-tricks-department schemes:

  • The mailto: link
    When you click on a mailto: link (your email client opens a new mail message like this) not only will you be sending email, but you will also reveal your own email address.  Unless this is a web site you can trust, be aware that you might be volunteering to receive spam.
  • Ftp links:
    Some sites offer free downloads of software via an anonymous ftp server.  Unless your Internet browser software is setup correctly, your email address will be revealed to the ftp server. 

Gifts from friends you can do without

One big problem remains - your friends and business contacts: unless all the contacts and people with access to your email address are educated, they are almost certainly going to blow your cover and unwittingly subscribe you to the spam-list-from-hell.

Sure fire ways for your friends and contacts to unknowingly "betray" you are:

  • E-cards
    Have you ever received an e-card for your birthday or a special holiday?  Chances are that's how you landed up on a spam list to begin with.  While there are many reputable e-card companies that is in no way connected to spammers, your friends just need to send one card from a website that is not reputable - and voila - you're in spam hell!
  • Promotions and gifts
    Friends or contacts may send you "special free gifts" of information they found somewhere on the web. 
  • Chain letters
    Yup, the famous forward this to 10 of your friends caper.  Eventually every single address on that chain letter will land up on a spammer's list.

So, how do you overcome this threat?

  • Educate them
    First and foremost make sure that your family, friends and contacts understand about the dangers of giving their own or other people's email addresses away.  (As a start, send them this article)
  • Use disposable email addresses
    Sooner or later someone is going to do one of the things we warn about in this article and your email address will land up on a spam list.  It might take a year, two years or just a few months.  Make peace with the fact and don't grow too attached to your email address - you might have to dispose of it later.
  • Tell your friends to use your public email address when 3rd parties are involved
    Ask your friends to always use your "public" email address when they feel an uncontrollable urge to send a e-card or other information via a 3rd party to you.  (More about disposable email addresses later)

Why is it so difficult for ISPs to block spam?

Spammers deliberately use techniques to make it difficult (almost impossible) for ISPs to block email.  Their favorite tricks include:

  • False sender address
  • Constantly changing subject lines
  • Random words in the message to confuse scanners
  • Relaying (sending) email via security holes in legitimate but unsecured email servers
  • Rapidly changing web sites for the product they "advertise"
  • Random words and snippets in the spam message to make pattern matching very difficult
  • Weird spelling taht is hmuan raedbale, but nonsnese to comupetrs

What we at Ovation are doing to block spam:

  • We delete all known viruses and worms as they arrive on the server
  • We do reverse lookups on the servers sending email and reject email from servers using false registration records
  • We try to contact the alleged sender domain to check whether the sending server is authorized
  • We check against several separate and independent blacklists to refuse email from hundreds of thousands of KNOWN spam servers

Even with all these hi-tech defenses in place, there is no way an ISP can effectively block ALL spam (yet). 

A recent CNN article reported that AOL (large ISP in the USA) is blocking up to 2.3 billion spam messages a DAY - and still their members are being flooded with spam!

The only way to stay completely spam free is to keep your email address off the spam lists!

Spam list hell

Spammers invest in software to harvest email addresses online.  They buy address lists from less reputable web sites and newsletters. They also buy and sell email address lists from each other.  

These email address lists are sold on CD and other forms.  (You can buy a few million email addresses for a fraction of a cent per email address!)

So let's say you managed to stop the the infamous Viagra spammer from sending you junk.  Think your problems are over?  Think again, because your name is on a list that was sold to ten other spammers all falling over their feet to send you junk ranging from anatomy enlargement herbs to pornography.

Once your email address is compromised to even a single spammer, you will never get rid of spam on that email address again.

Disposable email addresses

How do you get your inbox (and sanity) back once you are on that spam list or your address is on a CD of email addresses sold to spammers?

You have to delete the compromised email address and start using a new one.

For most people changing their email address is a traumatic and counter productive.  So much so that they would much rather live with the spam than deal with the pain of changing email addresses.

Unless...

Imagine the compromised email address is only one of a few you use and it only affects a small portion of your email volume.  Imagine you can notify senders to the deactivated email address automatically of your new email address - so that you don't loose any email.

These are called "disposable" email addresses: At the outset you know that your email address will be compromised sooner or later and you plan accordingly:

This will significantly reduce the "trauma" of  disposing of a spammed email address.  (For instance, tell your friends to use your first name email address for personal communication, eg: joe@nospam.com, but, for e-cards or any other communication where a 3rd party is involved, use your formal address with your full name, eg: joesmith@nospam.com)

As soon as you start receiving spam on your joesmith@nospam.com address, simply dispose of it and tell your friends to use joesmith2003@nospam.com (2003 = current year) for communication via a 3rd party instead; in other words:

When an address is compromised, you simply set up an auto responder to handle incoming mail, and delete the address. The auto responder will tell the sender that you now have a new email address and that they should update their records.  If a human read the message (as opposed to a spammer's software) the person will update their records.

To set up disposable addresses:

  • Use different email addresses for different tasks
    Use one or more email address for your friends, an email address you only give to your clients, etc, etc.
  • Use a free web service for disposable email addresses
    Use free, disposable web mail services like Gmaill or Hotmail for non-essential or casual email (newsletters you subscribe to).

Now ask your ISP to set up an auto responder for the "disposed" email address so that anyone sending email to a disposed address will receive an automatic response notifying them of your new email address. (Spammers routinely forge reply addresses so they will almost never get your auto reply)

A tip for creating a disposable address: Try to pick an email address late in the alphabet because many spammers process their lists alphabetically and will often be shut down before they get to zzzJoeSmith@nospam.com.
(Conversely aaaMarySmith@nospam.com may be one of the first to be processed.)

If you are currently receiving a lot of spam on your existing email address - consider disposing of it right now and adopting the advice in this article. 

If you think that's too painful - consider the prospect of receiving 1000% more spam every year for the rest of the lifetime of that email address!

Fighting back

If you want to fight the spammers directly (we all should), here are some resources that will help in the good fight:

In closing...

Spam is a fact of internet life  - it most assuredly will not go away.  Only by educating internet users (our clients, friends and contacts) and by using all the technology at our disposal can we hope to turn the tide.

We are all in this fight together - lets start claiming our inboxes back!