27. September 2006, 16:47 | by WD Milner

Spammers harvest e-mail addresses wherever they can. They scour the Internet, trick browsers into revealing addresses, and con people with bogus offers, chain letters and surreptitious scripts. Or they simply guess and shotgun thousands (millions) of addresses and drop any that bounce. The lazy ones buy mailing lists from those that have already done the harvesting work.

Perhaps the most common method has become the so-called “spambot”, a program that starts with a Web search, copies or “scrapes” any e-mail addresses on the first page it finds, and then follows links to other pages and sites, collecting addresses as it goes. A simple protection against this is to redirect spiders to a page either devoid of e-mail addresses, or full of invalid e-mail addresses to “poison” the list.

Another favorite harvesting source is chatrooms, profile pages and newsgroups, where the target of choice is the newcomer to the internet who is perhaps less likely to take strict precautions with their e-mail address. Unprotected browsers are another source of information, as a website can trick them into revealing your e-mail address. While many (especially those services which sell privacy solutions) claim that domain name whois pages are a prime source, at least one study has shown e-mail addresses collected from this source to be negligible to non-existent.

Once a spammer has collected their lists of addresses, all that remains is to send thousands to millions of pieces of electronic junk to the unsuspecting public. Spammers often try to hide their identity by using bogus or “spoofed” source addresses, using other people’s mail servers, or finding and using servers that will send mail out from anyone who submits it to the server. Such systems are called open relays, and are often just the result of a lazy administrator who installs software with default settings and makes no further attempt to secure the server. Others install their own server or use a bulk mailing service. Many of these activities are illegal and get shut down by providers as rapidly as they are discovered, in an endless cat and mouse game. Unfortunately there are some providers out there that are spammer friendly.

Tips for the Enterprise

One of the most basic steps in combatting spam is to formulate, publish and make sure employees read the company e-mail policies. This should include detailed instructions on how employees should handle inappropriate e-mail. It should also specify whether employees can sign up for newsletters and mailing lists, as well as web sites, using their business e-mail address. Employees should be taught never to respond to spam, even to removal requests, as they are merely a mechanism to confirm the address is valid. All employees should be required to sign a statement indicating they have read and agree to abide by the rules. Such a document may be part of a larger security policy.

E-mail addresses that need to be published on the company’s public web site should be presented in such a manner that they are not machine readable, along with any special instructions to help people use the addresses provided. This may involve obfuscating addresses, using graphics or other techniques to munge the addresses. As part of these techniques, do not use easily guessed e-mail addresses such as unmodified employee or department names. Add at least one extraneous character, such as a number, to reduce the likelihood of them being guessed.
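A pre-publication check for the advice above, as an added example that is not part of the original article: it reports any address in a page's markup that is still machine readable, including addresses hidden only behind HTML character entities, which a single decoding pass undoes. The sample pages, addresses and file names are constructed for illustration.

```python
import html
import re

# Deliberately simple address pattern, the kind automated tools rely on.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def exposed_addresses(page_source: str) -> set[str]:
    """Return addresses readable from the raw markup or after entity decoding."""
    found = set(ADDRESS_RE.findall(page_source))
    # Entity "obfuscation" (&#64; for @, &#46; for .) disappears once decoded,
    # so it does not make an address non-machine-readable.
    found |= set(ADDRESS_RE.findall(html.unescape(page_source)))
    return {address.lower() for address in found}

def audit_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each page name to the sorted addresses it exposes (clean pages omitted)."""
    report = {}
    for name, source in pages.items():
        hits = exposed_addresses(source)
        if hits:
            report[name] = sorted(hits)
    return report

# Constructed sample pages (not taken from any real site).
SAMPLE_PAGES = {
    "contact.html": '<a href="mailto:sales7@example.com">Contact sales</a>',
    "about.html": "Write to info3&#64;example&#46;com for details.",
    "support.html": 'Write to support4 (at) example (dot) com, or use the '
                    'address shown here: <img src="contact.png" alt="Contact">',
}

if __name__ == "__main__":
    for page, addresses in audit_pages(SAMPLE_PAGES).items():
        print(page, addresses)
```
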

Require that employees take the same precautions of obfuscating their company e-mail address on those newsgroups, mailing lists and chat clients they do use. Additionally, limiting or eliminating personal e-mail, especially such things as e-greeting cards, in the company system can have a great beneficial effect on reducing spam.

Set employee browsers to the appropriate security settings and ensure that the corporate firewall is set to block unrequested traffic. Install anti-virus protection at the gateway, server and desktop level, as viruses and trojans can often wreak havoc on e-mail. By using a different product at each level you can provide some overlap, so that a virus that passes one product may be caught by another.

Last but not least, make sure your mail servers are not acting as open relays. Not only will this reduce the likelihood of you receiving spam, it will help stop spammers from using them to spam others. It will also keep you off any of a number of blacklists of open relays, where such a listing could interfere with your company mail and/or reputation.

Tips for the End User

Don’t give out your personal e-mail address to anyone but those real people you actually intend to correspond with. Resist the impulse to post your e-mail address on web sites, guestbooks, contact lists, newsgroups, chat rooms, etc. where it can be easily harvested. For merchants and other legitimate entities you don’t correspond with on a regular basis, use a free e-mail account from one of the web-based services. You can then simply abandon the address if it gets on a spammer’s mailing list and get a new one. Many such services have some degree of spam filtering built in. A similar technique, especially if you have your own domain name, is to use a disposable address. This is one that redirects to your regular address and which you give out (sometimes only to one entity) in lieu of your real address. If it gets spammed you just discard it. Not only is this convenient, but if you give a custom address out to each forum, mailing list, newsletter, etc., then if you do start to receive spam you know which address, and hence which source, was compromised.
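One way to run per-source disposable addresses on your own domain, as an added example that is not part of the original article: each alias carries a short keyed tag, so an alias cannot be guessed from the source name alone, and spam arriving at an alias names the source that leaked it. The domain, key, alias layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

DOMAIN = "example.org"            # assumption: a domain whose mail you control
SECRET = b"constructed-demo-key"  # assumption: private key, never published

def _tag(source: str) -> str:
    """Six hex characters derived from the source name and the private key."""
    return hmac.new(SECRET, source.encode(), hashlib.sha256).hexdigest()[:6]

def alias_for(source: str) -> str:
    """Disposable address to hand to exactly one source (forum, shop, list)."""
    source = source.lower()
    return f"{source}.{_tag(source)}@{DOMAIN}"

def trace(recipient: str, revoked: frozenset = frozenset()):
    """Return (verdict, source) for the recipient address of an incoming mail."""
    local, _, domain = recipient.lower().partition("@")
    source, _, tag = local.rpartition(".")
    valid = (
        domain == DOMAIN
        and bool(source)
        and hmac.compare_digest(tag.encode(), _tag(source).encode())
    )
    if not valid:
        return ("reject", None)      # guessed or malformed alias
    if source in revoked:
        return ("discard", source)   # abandoned alias: this source leaked it
    return ("deliver", source)

if __name__ == "__main__":
    shop = alias_for("bookshop")
    print(shop, trace(shop))
    print(trace("bookshop@example.org"))                   # plain guess
    print(trace(shop, revoked=frozenset({"bookshop"})))    # after spam arrives
```
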

If you are using a web signup form that asks for an e-mail address but you don’t care to correspond further with the site, or have need of any kind of confirmation or support e-mail, then you can just provide a false address. Please note that if you use this option, try to make the address invalid so someone else somewhere doesn’t inadvertently get spammed. One of the best ways to ensure this is to use an invalid top level domain, for example anonymous@no.spam. If the form validator chokes on this technique, use the domain of the website.

Never respond to a spam e-mail, even if it is to request removal. All you will do is confirm the validity of the e-mail address. In many cases the reply address is a fake anyway. When you do sign up or buy something and you need to give an e-mail address, ensure that you opt out of everything that you are not sure you want to receive, and make sure you read the privacy policy of the site so that you understand what is done with the information you provide. If there is no privacy policy, consider using the free e-mail account or disposable address techniques discussed earlier.

Lastly, use a spam filter if you continue to get high levels of spam in your inbox. There are many commercial and free products available that can help.

- 30 -
