SPAM ADDRESS HARVESTING

11. June 2006, 15:28 | by WD Milner


A discussion of SPAM and how addresses get harvested led to the discovery of a forum where a Chinese stock tip spammer has over 200 pages of e-mail addresses listed on the web, and about 20,000 addresses per page. Stop and think about that for a minute. These addresses are there for any harvest bot that comes by. Despite numerous requests they somehow rationalize it as ‘free capitalism’.

This brought to mind an interesting article from a couple of years ago (which was published on my then static site on May 9, 2003) on where e-mail addresses are harvested. Given the above site, and the conclusions of the study, things can only get worse. It also seems to render the practice of anonymizing WHOIS information to prevent harvesting somewhat pointless.

The original article link didn't work, but I managed to track it down and have posted a reprint below (in compliance with the publisher's usage policy for copyrighted materials) as well as the new link to the original.

"Why am I getting all this spam?"

by Grant Gross, IDG News Service
This article appeared on page 10 of the April 4, 2003 issue of ComputerWorld Canada.

It's easy to fool e-mail harvesting software, even though the primary source for spammers' e-mail lists is e-mail addresses listed on public Web sites, according to a six-month experiment from the Center for Democracy and Technology (CDT).

The Center set up about 250 dummy e-mail addresses, and during the six-month test those addresses received a combined 8,842 e-mail messages that Center researchers classified as unsolicited e-mail, which is commonly known as spam. But about 97 per cent of that spam, 8,609 e-mail messages, were received by six e-mail addresses listed at three Web sites: GetNetWise.org, ConsumerPrivacyGuide.org, and CDT.org.

Usenet newsgroup postings were the second-largest source of spam, but e-mail addresses registered at e-commerce sites, posted to online discussions on Web sites, or listed as the contact for domains in the WHOIS database generated little spam, according to the study released Wednesday, titled "Why am I getting all this spam?"

Addresses on those three sites disguised by simply replacing the @ symbol with "at" or coding the addresses in HTML instead of in regular text received no spam at all during the six months. And the spam fell off significantly on three addresses that were removed from public view two weeks into the Center's test. For example, an e-mail address listed on GetNetWise.org for the full six months received 6,035 pieces of spam, but an address removed after two weeks received only 894 pieces of spam during the length of the study.

"The shelf life of an e-mail address when it's pulled off the Web is fairly short," noted Rob Courtney, a policy analyst with CDT.

To test spam from Usenet, CDT used dummy addresses to post to 13 newsgroups, ranging from alt.sex.erotica to alt.kids-talk, and 85 per cent of those addresses received spam. But those addresses only received 110 pieces of spam over six months, and disguised e-mail addresses received no spam.

One piece of good news was that CDT received little spam from 31 top-trafficked e-commerce Web sites, Courtney said. In every case in which CDT registered at a Web site and asked not to receive commercial e-mail, its wishes were respected.

"We certainly found that for the most part, when Web sites did offer privacy policies and choices, that meant something," Courtney said.

CDT also used other dummy addresses to opt in to commercial e-mail and later opt out. At five sites, CDT continued to receive commercial e-mail, a total of 82 pieces, after a two-week grace period it gave Web site operators another two weeks to shut off the e-mail spigot.

Twenty-six of those 82 spam messages came from Priceline.com, but a spokesperson there said the Web site uses a third-party, "off-the-shelf" opt-out solution that several other companies use. "If it happened to us, it'd strike me that a lot of other companies would have the same problem," the spokesman said.

The spokesperson said Priceline.com would examine the CDT study further to understand what happened. "The last thing we want to do is spam people," he said. "Our policy is if somebody wants to opt out, we let them opt out."

CDT received only 15 pieces of spam from posting to discussion forums at 10 Web sites, including Monster.com, eBay.com, and Amazon.com Inc. All 15 came from an e-mail address that posted to InteliHealth.com. CDT received just one piece of spam from e-mail addresses entered in the WHOIS database.

However, separate from the more than 8,800 pieces of spam generated in the study, a "brute force" attack on a CDT server generated more than 8,500 pieces of spam in the middle of the study. In a brute force attack, the attacker tries many different letter combinations to try to guess active e-mail addresses. Short e-mail addresses, such as bob@something.com, were more likely to get spam from brute force attacks than longer addresses, the CDT noted.

"Even a user who's really careful about where they give their address would still get spam from attacks like this," Courtney said. "No matter what precautions the user will take, there's still a chance they will get spam."

- 30 -
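
The two disguises the study credits with receiving no spam (writing "at" for the @ symbol, and coding the address in HTML), shown as an added example that is not part of the reprinted article or of the CDT study: a Python sketch that applies each disguise and then audits the resulting page source for plain-text addresses. The page template, the address and all function names are constructed for illustration.

```python
import html
import re

# Naive plain-text address pattern, used here only to audit our own markup
# for addresses that would be visible to a simple text-matching harvester.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def disguise_with_at(address):
    """Replace the @ symbol with the word 'at'."""
    local, domain = address.rsplit("@", 1)
    return f"{local} at {domain}"


def disguise_with_entities(address):
    """Encode every character as a decimal HTML character reference.

    A browser still renders the address; the raw source contains no '@'.
    """
    return "".join(f"&#{ord(ch)};" for ch in address)


def publish(template, address, disguise=None):
    """Fill the {contact} slot, optionally disguising the address first."""
    shown = disguise(address) if disguise else html.escape(address)
    return template.replace("{contact}", shown)


def exposed_addresses(page_source, decode_entities=False):
    """Return addresses readable as plain text in the page source.

    With decode_entities=True the audit is stricter: it assumes the reader
    of the source resolves HTML character references before matching.
    """
    text = html.unescape(page_source) if decode_entities else page_source
    return sorted(set(PLAIN_ADDRESS.findall(text)))


# Constructed sample input (not taken from the study).
TEMPLATE = "<p>Contact: {contact}</p>"
ADDRESS = "webmaster@example.org"

if __name__ == "__main__":
    for name, fn in [("plain", None), ("at", disguise_with_at),
                     ("entities", disguise_with_entities)]:
        page = publish(TEMPLATE, ADDRESS, fn)
        print(f"{name:9} raw={exposed_addresses(page)} "
              f"decoded={exposed_addresses(page, decode_entities=True)}")
```

The stricter `decode_entities=True` audit shows that HTML coding is a reversible disguise: it hides the address only from a reader that matches on raw source.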

Keywords: spam,harvest,no-spam,report,study
