TypewriterFrom The Urbach Letter – June 2007

Return to Archive

Oh No Icon

The Spam Fighter's Handbook
(Updated from the November 2004
Urbach Letter)

If you're online, you're getting spammed. It's only a question of how much. Today, over two thirds of all email is spam, and a good deal of it is deceptive, offensive, even dangerous. There's good news though: smart strategies you can start using today to dramatically reduce the amount of spam clogging your inbox. I last wrote about this topic nearly two and a half years ago... so this update is long overdue. I have new tips to share and can recommend new spam-fighting resources I've "battle tested" over the past 32 months. I don't want to jinx my luck by saying this, but I can tell you that I now live a relatively spam-free life. You can too.

You may be wondering just who's sending spam. Some spammers are just small-time "entrepreneurs" who've received bad advice about how to promote their businesses. However, the majority are evil people who are exploiting and destroying one of the greatest communication tools ever invented. Humorist Dave Barry of the Miami Herald calls spammers, "The mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class mail industry."

Here are seven smart things you can do to shield yourself from the continuing onslaught of spam:

Strategy #1: Protect your work email address
If you've been assigned a work email address like "[email protected]" it belongs on your business card and very few other places. Since that corporate email address usually follows some standard format based on your name ([email protected], [email protected], etc.) you're going to have a hard time changing it later on to escape from spam. Never use your work email address in "public" on the web – in an online discussion forum, on a "registration" form, etc. There are automated harvesting programs ("bots") that scour the web sucking up random email addresses and adding them to spam lists. For this reason, if your work email address is listed on your company web site, talk to your web administrator to have it "coded" so it's readable/clickable by a human being but not by a scourbot. Any competent webmaster should be able to do this for you. Here's a link to a nifty javascript encoder in case you want to roll your own "invisible" web-based email addresses.

Please know that the #1 source of spam is machine readable email addresses on web pages. A comprehensive study from the Center for Democracy & Technology, using "baited" email addresses reported that 97% of spam received was from was from web posting. The more popular the web page, the more unsolicited mail received. Now that blogging is becoming more popular, be sure that your email doesn't appear in somebody's web blog. Google your own email address to be sure. Also, if your ISP maintains a "member" directory, opt out of it.

Strategy #2: Have more than one email address
Even if spam didn't exist, it would still make very good sense to have – at a minimum – a separate personal email address for yourself. You can get a web-based email account you can access anywhere from Gmail, Yahoo, Mail.com, Hotmail, and others. [Added motivation: remember that the work email account provided to you by your employer belongs to that employer – and your company has the full legal right to not only read your email messages but also take action against you based on what they see.] One very good spam-related reason for using multiple email addresses is to have "throw-aways." Keep at least your work email and one personal email address very clean (by limiting its distribution to your "inner circle") and use others for buying things online, "registering" for web services and publications, and for posting to online forums.

I recommend against using most webmail services, even their paid versions. Because no payment is required, Yahoo and Hotmail attract people who want to remain anonymous, and are therefore sometimes used to pull scams or make fraudulent purchases. Web merchants are starting to refuse sales to people with yahoo.com or hotmail.com or other no-charge webmail addresses. You're better off paying the nominal fees (about $20 per year or less) most paid services charge. Consider registering your own name as a domain. Once you own jones.com, you can make up email addresses based on it: [email protected], [email protected], etc. You may need some techie help getting this set up, but it's worth it. If you don't want to bother getting your own domain, a paid email service (with good blocking technology), worth checking out is AT&T Lab's ZoEmail.

Strategy #3: Use an email forwarding service
Even better than having multiple personal email accounts is using a free "mail forwarding" service. There are about half a dozen no-charge forwarding services available, including one called Spam Motel (spam checks in… it doesn't check out). Here's how it works (text from the Spam Motel documentation): Whenever you are online and about to give out your e-mail address – STOP! Do you really want to do this?  Spam Motel has a better way. Simply type a short reminder memo to yourself, including why and to whom the e-mail address is being given. Spam Motel records this memo, and the date and time, and quickly sends you a special "disposable" address to use instead of your real one. The new address is automatically placed into the "clipboard" memory of Windows, where it can be pasted into any online form that you are filling out. E-mails sent to this special address are forwarded to your regular e-mail account, along with your reminder memo, which appears at the top of the e-mail message. From now on, you'll know exactly when and where the sender or spammer got your e-mail address. But just knowing this information is not enough. So we give you the power to stop spam sent to any of these special addresses. This is done through the Log Page – your online control and information page – where you can delete any of the addresses you've given out. You can also suspend and resume forwarding for each address at any time. Your real e-mail address is never given out, just the special ones you create using Spam Motel. Other forwarding services similar to Spam Motel are Spamex, Sneakemail, and Despammed. Take your pick. They're all good. My personal preference is Spamex, even though it's a paid service ($20/year).

Strategy #4: Use an "odd" email address
If you make up a new email address with some non-alpha characters like "xyz#[email protected]" you'll get less random spam. That's because of a new insidious spammer tactic called "dictionary spamming." Since it costs next to nothing for these lowlifes to blitz out tens of millions of messages overnight, they just make up addresses with the hope that one in a thousand will be "real" and get through. They'll often try first name initials plus last names (e.g. [email protected]). They'll also mix-n-match different popular domains (a domain is the part of your email address after the "@"). If you had an old account like "[email protected]" but cancelled it because it was overrun by unsolicited email (AOL users especially get a lot of spam), and opened a new account at Earthlink: "[email protected]" you'll probably get spammed even if you never give out that new address. It therefore makes sense to start completely fresh as "[email protected]" – you're going to have to notify everybody about your new email address anyway. Also, the longer the address you choose, the less dictionary spam you'll get. They start with single letters, then two letter/number combinations, then three, etc. Most spammers get shut down at some point before their full blast is delivered during these "brute force" alphabet attacks, so zzz's get less mail server spam than aaa's.

Strategy #5: Use adjustable spam filters
Many Internet service providers (ISP's) offer different levels of filtering for your inbound email. However, don't expect miracles. At their more liberal settings, most spam will still leak through. At their tightest, most of your legitimate emails will get caught, mixed in with the spam, and possibly lost. You sure don't want to throw the baby out with the bathwater – so experiment a little and see which middle setting works best for you. For many people, an alternative approach that works well is to autosort incoming email into different inbox folders based on a "whitelist" (a list of friendly email senders whom you wish to continue communicating with). Microsoft Outlook, Outlook Express, and most other email programs make this easy to do. A whitelist approach is also better than a personal blacklist. It rarely pays to add people to a "junk senders list." The "from" address in most spam emails is forged so you'll rarely get spam from the same "sender" twice.

<Rant mode on> Unfortunately, server-level blocking and filtering has gotten out of hand. Much of it is done without your consent or knowledge. Many company IT departments have tightened down the screws so tightly that virtually no HTML mail can get through; not even the newsletters and bulletins you've requested. As you can imagine, legitimate publishers like me are having an increasingly hard time getting our HTML mail delivered to subscribers. Even my own mail host, Verio (now my ex-host) blocked me from getting my own copy of the Urbach Letter. Sheesh. No alert that the trapped mail was being discarded. No option to change it. When I complained, they said there was nothing they could do. But there *was* something *I* could do: find a new mail host... who understands that I want to maintain control over which messages I receive or not. Hasta la vista Verio. I won't be back. Since I'm still on the rant, you should know that after I'm done writing each issue, I still have to spend an hour or more running it through "Spam Assassin" test filters and editing out "bad" words. I can't even tell you what those words are. Listing them here would ensure you'd never get this issue. <Rant mode off>

Strategy #6: Napsterize your email.
I started off this article by bragging about how little spam I get. That's largely because of a program called MailFrontier (now part of Zone Labs's Zone Alarm Security Suite), based on "peer-to-peer" technology like the original Napster. When you get a spam message, you highlight it and click a button. The message is instantly analyzed and added to a centralized database. Meanwhile, all your incoming messages are scanned to see if they match the profile of spam caught by somebody else on the MailFrontier peer-to-peer network. If it matches, it's filtered out and placed in a spam folder in your inbox. Very cool. By the way, I used to use a competitive program, Cloudmark's SpamNet, but found it had some minor operational problems. But both MainFrontier and SpamNet are very effective weapons in the war against spam. Millions of strangers cooperating anonymously to eliminate spam from their lives. Got to love that concept.

A word about Challenge/Response. MailFrontier has an additional spam-fighting option I recommend you ignore... unless you're totally overrun by spam and are willing to inconvenience all the friends and businesspeople who send you emails. You can set the program to send out a "challenge" message to everyone not already in your address book or on your whitelist. They'll have to respond to your challenge in order to have their original message delivered. Can you see why I'm recommending against this, other than as a last resort? Many people just won't be bothered to play the challenge/response game with you. Life is short enough as it is. Oh, the technology is clever. It requires a real, live human being to confirm the messages, either by presenting a graphic: "How many puppies are in this picture?" or by the more business-like option of showing a scrambled letter/number image and asking the recipient to type it in a box. In theory, people should only have to jump through this hoop once, and then their emails will get recognized from then on.

Besides the anti-spam programs I've mentioned so far, there are others that have received good reviews and are worth considering (although I can't endorse them myself). I've heard that the latest versions of McAfee Internet Security Suite ($40) and Symantec Norton 360 ($60) are quite good -- and provide the all-in-one solution many folks seek (antispam + antivirus + firewall).

Strategy #7 Fight back!
Topping the "dangerous spam" list are phishing scams. From an FTC Consumer Alert: "Internet scammers casting about for people's financial information have a new way to lure unsuspecting victims: They go 'phishing.' Phishing is a high-tech scam that uses spam or pop-up messages to deceive you into disclosing your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. According to the Federal Trade Commission (FTC), phishers send an email or pop-up message that claims to be from a business or organization that you deal with – for example, your Internet service provider (ISP), bank, online payment service, or even a government agency. The message usually says that you need to "update" or "validate" your account information. It might threaten some dire consequence if you don't respond. The message directs you to a Web site that looks just like a legitimate organization's site, but it isn't. The purpose of the bogus site? To trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name."

The bulletin goes on to list some tips to avoid getting hooked by a phishing scam. Think you're too smart to fall for this? Think again. Why don't you take this Phishing IQ Test? It's a quick 10-question quiz to see how well you recognize bogus messages. Not so easy, is it? There's another reason I like MailFrontier. Part of its peer-to-peer analysis tracks phishing scams, and provides and optional taskbar icon that operates similarly to WeatherBug. But instead of a tornado warning, you'll get immediate notification of a fast-spreading phishing or fraud outbreak. By the way, if you do receive a questionable email, forward it on to [email protected].

Avoid signing up for freebies or online contests. These often exist solely to collect and resell email addresses. Besides, your chances of wining anything worthwhile are infinitesimal.

A note on spyware and virus spam
Right now, 4 out of 5 computers are infested with spyware. One is five has a virus infection. That's according to the National Cyber Security Alliance in a recent study. While most spyware comes from installing file-sharing programs and "ad sponsored" utilities, and from visiting dodgy web sites, address book spam is responsible for most virus infections. The NCSA study showed that most people (85%) have a virus scanner installed, but only a small number keep their virus definitions up to date. Hopefully, you're smarter than that.

Final words...
Everything in this letter has been a suggestion, except this last thing, which is an ORDER: Never, Never, Never buy anything from a spam message, no matter how attractive it seems. These tapeworm spammers work on very small numbers – if only one person out of several thousand responds, they consider it a big success – so you're actually doing a lot of damage to others if you buy something (plus you're probably going to get ripped off). Don't even click on any links in the spam – especially not on the "remove me from your list" link or button. All that does is confirm that your email address is connected to a live human being, ensuring that you'll be spammed even more in the future.

By the way, you may have noticed I haven't said a word about CAN-SPAM, the U.S. law supposedly regulating spam that's been in place since January 1, 2004. Have you noticed any reduction in the amount of spam you receive because of this law? Me neither. So far, all it's done is make life a little more difficult for legitimate publishers. However, it does open the door for prosecution of black hat spammers, and that's happened to a limited extent.

Return to Archive

(c) Copyright 2002-2010 Victor Urbach
This article
may be reprinted with permission and attribution