Fighting Spam: I …

Fighting Spam: I have written about the problem of spam in the past, most notably about how some Web sites and content management systems do not do an adequate job of protecting their users’ email addresses from spam harvesting robots (spambots). There are also people out there who just want to cause trouble by using your email address as the return address for thousands of pieces of spam, as Dave Winer has recently found out. If you allow your email address to be publicly available, it will eventually be collected by the spammers. Short of filtering spam (typically using procmail) before downloading your email to your inbox, there is little you can do except to go to great lengths to keep your email address off of Web sites. Here are some things you can do:

  • Search Google for your email address (this is now a semi-dead account I check periodically) to see what Web pages it exists on. Then contact the webmaster of each of those pages and politely ask for them to manually remove your email address, and explain to them why.
  • Check to see if any of the mailing lists you are subscribed to have Web-based archives. If they do, check to see if your email address is stored in the archived posts. Some mailing list management systems like Yahoo Groups do a very good job of obscuring their users’ email addresses. Others like LSoft’s ListServ do not. In fact, I have been told by a LSoft customer service representative (via a list admin for CHI-WEB) that this feature is not available. Here’s their response: “Development’s position is generally that anonymization belongs outside the list server (for instance subscribers could use a free, anonymous email service like Hotmail or Yahoo to subscribe to the mailing list).”
  • Change your mailing list subscriptions to use an email address that you don’t consider valuable. Configure your email client to be able to send email from multiple email addresses, and be very careful about which email address you send mail from, but also where you send email to.
  • For Web sites you don’t trust, use an email account or address that you can eventually throw away if it starts receiving too much spam. I use both Yahoo and Hotmail and only check them when I am expecting email to those accounts. Both services also have an optional Bulk Email filter setting that works fairly well (Yahoo’s is better, IMHO).
  • Never reply to a piece of spam requesting to be removed. By doing this, you have just verified to the spammers that your email address is valid and they will move it to an email address database they can sell for more money. You are just helping them out when you email them from your account.
  • Subscribe to a spam-reporting service like Spamcop, and report as much spam as you can. By aggregating and then blocking spammer’s resources, Spamcop is becoming a great service that ISP’s and other people who run mail servers can use to filter their email against to strip out spam before delivering email to their users’ inboxes.
  • Never take any piece of spam seriously. Never buy anything from a spammer. This only encourages people who think spam is a money-making enterprise to continue to do so. Assume that if you do any kind of commerce transaction with a spammer or a client of a spammer, that you are going to get screwed. Spammers have shady reputations for a reason.
  • Educate your friends and family. Teach them that spam is bad and should not even be read. Show them how to delete spam. Believe it or not, my mother reads every piece of email, including spam, that she receives. I’ve had to explain to her several times that spam is bad and that no matter how good the offer may seem that she should ignore it.
  • Avoid entering online contests and sweepstakes that require an email address. If you do enter them, use a throwaway account from Yahoo or Hotmail. It’s a safe bet that this data is being aggregated and sold to marketing companies, who then may sell it to spammers.
  • If you run a Web site, hide your email address behind a CGI script or some sort of server-side process that prevents harvesting spambots from scraping it (since it requires a form submit interaction and not just a page-read).

Here is what I know and suspect regarding the following sites allowing spammers to scrape their user data for email addresses:

  • eBay. Because I have a separate email address I was using for eBay auctions that I only used for eBay auctions. I get loads of spam at this address.
  • Hotmail. I believe, but cannot prove, that Microsoft sells their user data to marketing companies. I’ve been told by others that within days (sometimes less than 24 hours) that a brand new Hotmail account starts to receive spam. The only other thing I can think of is that somehow the spammers have found a hole into Microsoft’s profile storage computers (not unlikely) and are scraping the addresses from there.
  • Yahoo. I also get a lot of spam at my main Yahoo account (I have several), but I think it’s because I use it for so many ecommerce transactions: Amazon, 800.com, Buy.com, Travelocity, and a bunch of others. So, the source of this spam is much harder to diagnose. To Yahoo’s credit, their Bulk Email filter catches about 90% of the spam, whereas Hotmail’s only catches about 50%.
  • Network Solutions. Because I get a crapload of spam regarding new domain registration, domain registrar transferring, and other things regarding domain names. I am pretty sure that a lot of the newer, smaller registrars have scraped the WHOIS database and are using traditional spammer resources (unsecure mail servers in China, for instance) to spam these email addresses (or hiring spammers to distribute their spam for them).

The last thing I can recommend is that you change your perception of the value of an email address. Treat it as a piece of your personal identity. Only give it out to people and entities that you trust. Treat it like you treat your home address, your phone number, and your social security number.

Posted by Cameron Barrett at December 16, 2001 12:22 PM

Leave a Reply

Your email address will not be published. Required fields are marked *