The Spam Fighter's Handbook
(Updated from the November 2004
If you're online, you're getting spammed. It's only a question of
how much. Today, over two thirds of all email is spam, and a
good deal of it is deceptive, offensive, even dangerous. There's good news
though: smart strategies you can start using today to dramatically reduce the
amount of spam clogging your inbox. I last wrote about this topic nearly two
and a half years ago... so an
update is long overdue. I have new tips to share and can
recommend new spam-fighting resources I've "battle tested"
over the past 32 months. I don't want to jinx my luck by
saying this, but I can tell you that I now live a relatively
spam-free life. You can too.
You may be wondering just who's sending spam. Some
spammers are just small-time "entrepreneurs" who've received bad advice
about how to promote their businesses. However, the majority are evil
people who are exploiting and destroying one of the greatest communication
tools ever invented. Humorist Dave Barry of the Miami Herald calls
mutant spawn of a bizarre reproductive act involving a
telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class
Here are seven smart things you can do to shield yourself
from the continuing onslaught of spam:
Strategy #1: Protect your work email
If you've been assigned a work email address like "email@example.com"
it belongs on your business card and very few other places.
Since that corporate email address usually follows some standard
format based on your name (firstname.lastname@example.org, email@example.com,
etc.) you're going to have a hard time changing it later on to
escape from spam. Never use your work email address in "public"
on the web in an online discussion forum, on a "registration"
form, etc. There are automated harvesting programs ("bots") that
scour the web sucking up random email addresses and adding them
to spam lists. For this reason, if your work email address is
listed on your company web site, talk to your web administrator
to have it "coded" so it's readable/clickable by a human being
but not by a scourbot. Any competent webmaster should be able to
do this for you. Here's a link to a
"invisible" web-based email addresses.
Please know that the #1 source of spam is
machine readable email addresses on web pages. A
comprehensive study from the
Center for Democracy & Technology, using "baited" email
addresses, reported that 97% of spam received was from
web posting. The more popular the web page, the more unsolicited
mail received. Now that blogging is becoming more popular, be
sure that your email doesn't appear in somebody's web blog. Google
your own email address to be sure. Also, if your ISP
maintains a "member" directory, opt out of it.
Strategy #2: Have more than one email
Even if spam didn't exist, it would still make very good
sense to have at a minimum a separate personal email address
for yourself. You can get a web-based email account
you can access anywhere from
Hotmail, and others.
[Added motivation: remember that the work email account provided
to you by your employer belongs to that employer and your
company has the full legal right to not only read your email
messages but also take action against you based on what they
see.] One very good spam-related reason for using multiple
email addresses is to have "throw-aways." Keep at least your
work email and one personal email address very clean (by
limiting its distribution to your "inner circle") and use others
for buying things online, "registering" for web services and
publications, and for posting to online forums.
I recommend against using most
webmail services, even their paid versions. Because no payment
is required, Yahoo and Hotmail attract people who want to remain
anonymous, and are therefore sometimes used to pull scams or
make fraudulent purchases. Web merchants are starting to refuse
sales to people with yahoo.com or hotmail.com or other no-charge
webmail addresses. You're better off paying the nominal fees (about $20
per year or less) most paid services charge. Consider
registering your own name as a domain. Once you own jones.com,
you can make up email addresses based on it: firstname.lastname@example.org,
email@example.com, etc. You may need some techie help getting this
set up, but it's worth it. If you don't want to bother getting
your own domain, a paid email service (with good blocking
technology), worth checking out is AT&T Lab's
Strategy #3: Use an email forwarding
Even better than having multiple personal email accounts is
using a free "mail forwarding" service. There are about half a
dozen no-charge forwarding services available, including one called
Spam Motel (spam checks in...
it doesn't check out). Here's
how it works (text from the Spam Motel documentation):
Whenever you are online and about to give out your e-mail
address -- STOP! Do you really want to do this? Spam Motel
has a better way. Simply type a short reminder memo to yourself,
including why and to whom the e-mail address is being given.
Spam Motel records this memo, and the date and time, and quickly
sends you a special "disposable" address to use instead of your
real one. The new address is automatically placed into the
"clipboard" memory of Windows, where it can be pasted into any
online form that you are filling out. E-mails sent to this
special address are forwarded to your regular e-mail account,
along with your reminder memo, which appears at the top of the
e-mail message. From now on, you'll know exactly when and where
the sender or spammer got your e-mail address. But just knowing
this information is not enough. So we give you the power to stop
spam sent to any of these special addresses. This is done
through the Log Page -- your online control and information page --
where you can delete any of the addresses you've given out.
You can also suspend and resume forwarding for each address at
any time. Your real e-mail address is never given out, just the
special ones you create using Spam Motel. Other forwarding
services similar to Spam Motel are
Despammed. Take your pick. They're all good. My personal
preference is Spamex, even though it's a paid service
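The forwarding model described above (a memo recorded per address, forwarding with the memo on top, and delete/suspend/resume per address) can be sketched in a few lines. This is an added example, not code from Spam Motel or any other service named here; the `fwd.example` domain, the class names and all addresses are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALIAS_DOMAIN = "fwd.example"  # hypothetical forwarding domain


@dataclass
class Alias:
    memo: str
    created: datetime
    active: bool = True


@dataclass
class Forwarder:
    real_address: str
    aliases: dict = field(default_factory=dict)  # alias address -> Alias

    def create(self, memo):
        """Record the memo and timestamp, return a fresh disposable address."""
        # Random local part, so the alias cannot be guessed from a name list.
        address = f"{secrets.token_hex(6)}@{ALIAS_DOMAIN}"
        self.aliases[address] = Alias(memo, datetime.now(timezone.utc))
        return address

    def suspend(self, address):
        self.aliases[address].active = False

    def resume(self, address):
        self.aliases[address].active = True

    def delete(self, address):
        del self.aliases[address]

    def route(self, rcpt, sender, body):
        """Return (destination, body) to forward, or None to drop the message."""
        alias = self.aliases.get(rcpt.lower())
        if alias is None or not alias.active:
            return None  # deleted, suspended or never issued
        note = (f"[Alias given out {alias.created:%Y-%m-%d %H:%M} UTC: "
                f"{alias.memo}] (sent by {sender})\n")
        return self.real_address, note + body


def demo():
    fwd = Forwarder("me@home.example")  # constructed addresses throughout
    shop = fwd.create("checkout form at shop.example")
    forum = fwd.create("forum signup")
    first = fwd.route(shop, "orders@shop.example", "Your receipt")
    fwd.delete(shop)  # the alias leaked, so retire it
    second = fwd.route(shop, "bulk@unknown.example", "Buy now")
    return first, second, fwd.route(forum, "admin@forum.example", "Welcome")
```

Because each alias carries its own memo, the first piece of spam that arrives on one tells you which recipient leaked or sold the address, and deleting that alias leaves every other correspondent unaffected.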
Strategy #4: Use an "odd" email address
If you make up a new email address with some non-alpha
characters like "firstname.lastname@example.org" you'll get less random
spam. That's because of a new insidious spammer tactic called
"dictionary spamming." Since it costs next to nothing for these
lowlifes to blitz out tens of millions of messages overnight,
they just make up addresses with the hope that one in a thousand
will be "real" and get through. They'll often try first name
initials plus last names (e.g. email@example.com). They'll
also mix-n-match different popular domains (a domain is the part
of your email address after the "@"). If you had an old account
like "firstname.lastname@example.org" but cancelled it because it was
overrun by unsolicited email (AOL users especially get a lot of
spam), and opened a new account at Earthlink: "email@example.com"
you'll probably get spammed even if you never give out that new
address. It therefore makes sense to start completely fresh as
"fredflintstone3000BC@earthlink.net" -- you're going to have to
notify everybody about your new email address anyway. Also, the
longer the address you choose, the less dictionary spam you'll
get. They start with single letters, then two letter/number
combinations, then three, etc. Most spammers get shut down at
some point before their full blast is delivered during these
"brute force" alphabet
attacks, so zzz's get less mail server spam than aaa's.
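Seen from the receiving mail server, a dictionary run looks like one client trying many recipients that do not exist. The following detection sketch is an added example, not part of the original article; the log format, the sample lines, the addresses and both thresholds are constructed for illustration and do not match any particular mail server.

```python
import re
from collections import defaultdict

# Constructed log lines in a made-up format:
# "<time> <client-ip> RCPT <address> <SMTP reply code>"
SAMPLE_LOG = """\
02:14:01 203.0.113.7 RCPT aadams@corp.example 550
02:14:01 203.0.113.7 RCPT abaker@corp.example 550
02:14:02 203.0.113.7 RCPT aclark@corp.example 550
02:14:02 203.0.113.7 RCPT adavis@corp.example 250
02:14:03 203.0.113.7 RCPT aevans@corp.example 550
02:14:03 203.0.113.7 RCPT afrank@corp.example 550
02:15:10 198.51.100.20 RCPT adavis@corp.example 250
02:16:44 198.51.100.20 RCPT j.smith@corp.example 250
02:17:05 192.0.2.33 RCPT jsmiht@corp.example 550
"""

LINE = re.compile(r"^(\S+) (\S+) RCPT (\S+)@(\S+) (\d{3})$")


def dictionary_suspects(log_text, min_unknown=4, min_reject_ratio=0.7):
    """Return {client_ip: stats} for clients that look like dictionary runs.

    A client is flagged when it tried at least `min_unknown` distinct
    recipients that were rejected (reply 550) and most of its attempts failed.
    Both thresholds are illustrative assumptions to be tuned on real traffic.
    """
    unknown = defaultdict(set)   # ip -> distinct rejected local parts
    rejected = defaultdict(int)  # ip -> number of rejected attempts
    attempts = defaultdict(int)  # ip -> total RCPT attempts
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not RCPT records
        _, ip, local, _, code = m.groups()
        attempts[ip] += 1
        if code == "550":
            rejected[ip] += 1
            unknown[ip].add(local.lower())
    suspects = {}
    for ip, guesses in unknown.items():
        ratio = rejected[ip] / attempts[ip]
        if len(guesses) >= min_unknown and ratio >= min_reject_ratio:
            # Sorted guesses make the initial-plus-surname pattern visible.
            suspects[ip] = {"unknown": sorted(guesses),
                            "reject_ratio": round(ratio, 2)}
    return suspects
```

In the sample, the client that mistyped one address is not flagged, because a single rejection falls below `min_unknown`; only the client walking through initial-plus-surname guesses is reported.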
Strategy #5: Use adjustable spam filters
Many Internet service providers (ISPs) offer different
levels of filtering for your inbound email. However, don't expect miracles. At
their more liberal settings, most spam will still leak through.
At their tightest, most of your legitimate emails will get
caught, mixed in with the spam, and possibly lost. You sure
don't want to throw the baby out with the bathwater, so
experiment a little and see which middle setting works best for
you. For many people, an alternative approach that works well is
to autosort incoming email into different inbox folders based on
a "whitelist" (a list of friendly email senders whom you wish to
continue communicating with). Microsoft Outlook, Outlook
Express, and most other email programs make this easy to do. A
whitelist approach is also better than a personal blacklist. It
rarely pays to add people to a "junk senders list." The "from"
address in most spam emails is forged so you'll rarely get spam
from the same "sender" twice.
<Rant mode on> Unfortunately, server-level blocking and
filtering has gotten out of hand. Much of it is done without
your consent or knowledge. Many company IT departments have
tightened down the screws so tightly that
no HTML mail can get
through; not even the newsletters and bulletins you've
requested. As you can imagine, legitimate publishers like me are
having an increasingly hard time getting our HTML mail delivered
to subscribers. Even my own mail host, Verio (now my ex-host)
blocked me from getting my own copy of the Urbach Letter.
Sheesh. No alert that the trapped mail was being discarded. No
option to change it. When
I complained, they said there was nothing they could do. But
there *was* something *I* could do: find a new mail host... who
understands that I want to maintain control over which messages I receive or
not. Hasta la vista Verio. I won't be back. Since I'm still on
the rant, you should know that after I'm done writing each issue, I have
to spend an hour or more running it through "Spam Assassin" test
filters and editing out "bad" words. I can't even tell you what
those words are. Listing them here would ensure you'd never get
this issue. <Rant mode off>
Strategy #6: Napsterize your email.
I started off this article by bragging about how little spam
I get. That's largely because of a program called
MailFrontier (now part of Zone Labs's Zone Alarm Security
based on "peer-to-peer" technology like the original Napster. When you get
a spam message, you highlight it and click a button. The message
is instantly analyzed and added to a centralized database.
Meanwhile, all your incoming messages are scanned to see if they
match the profile of spam caught by somebody else on the MailFrontier
peer-to-peer network. If it matches, it's filtered out and
placed in a spam folder in your inbox. Very cool. By the way, I used to use a
competitive program, Cloudmark's
SpamNet, but found it had some minor operational problems.
But both MailFrontier and SpamNet
are very effective weapons in
the war against spam. Millions of strangers cooperating
anonymously to eliminate spam from their lives. Got to love that.
A word about Challenge/Response.
MailFrontier has an additional spam-fighting option I recommend
you ignore... unless you're totally overrun by spam and are
willing to inconvenience all the friends and businesspeople who
send you emails. You can set the program to send out a
"challenge" message to everyone not already in your address book
or on your whitelist. They'll have to respond to your challenge
in order to have their original message delivered. Can you see
why I'm recommending against this, other than as a last resort?
Many people just won't be bothered to play the
challenge/response game with you. Life is short enough as it is.
Oh, the technology is clever. It requires a real, live human
being to confirm the messages, either by presenting a graphic:
"How many puppies are in this picture?" or by the more
business-like option of showing a scrambled letter/number image
and asking the recipient to type it in a box. In theory, people
should only have to jump through this hoop once, and then their
emails will get recognized from then on.
Besides the anti-spam programs I've
mentioned so far, there are others that have received good
reviews and are worth considering (although I can't endorse them
myself). I've heard that the latest versions of
McAfee Internet Security
Suite ($40) and
Norton 360 ($60) are quite good -- and
provide the all-in-one solution many folks seek (antispam +
antivirus + firewall).
Strategy #7: Fight back!
Topping the "dangerous spam" list are phishing scams. From an
FTC Consumer Alert: "Internet scammers casting about for
people's financial information have a new way to lure
unsuspecting victims: They go 'phishing.' Phishing is a
high-tech scam that uses spam or pop-up messages to deceive you
into disclosing your credit card numbers, bank account
information, Social Security number, passwords, or other
sensitive information. According to the Federal Trade Commission
(FTC), phishers send an email or pop-up message that claims to
be from a business or organization that you deal with -- for
example, your Internet service provider (ISP), bank, online
payment service, or even a government agency. The message
usually says that you need to "update" or "validate" your
account information. It might threaten some dire consequence if
you don't respond. The message directs you to a Web site that
looks just like a legitimate organization's site, but it isn't.
The purpose of the bogus site? To trick you into divulging your
personal information so the operators can steal your identity
and run up bills or commit crimes in your name."
The bulletin goes on to list some tips to
avoid getting hooked by a phishing scam. Think you're too smart
to fall for this? Think again. Why don't you take this
Phishing IQ Test?
It's a quick 10-question quiz to see how well you recognize bogus messages. Not so easy, is it?
There's another reason I like MailFrontier. Part of its
peer-to-peer analysis tracks phishing scams, and provides an
optional taskbar icon that operates similarly to
WeatherBug. But instead
of a tornado warning, you'll get immediate notification of a
fast-spreading phishing or fraud outbreak. By the way, if you do
receive a questionable email, forward it on to
Avoid signing up for freebies or online contests. These often
exist solely to collect and resell email addresses. Besides,
your chances of winning anything worthwhile are infinitesimal.
A note on spyware and virus spam
Right now, 4 out of 5 computers are infested with spyware.
One in five has a virus infection. That's according to the
National Cyber Security Alliance in a recent study. While most spyware comes from installing file-sharing programs and "ad
sponsored" utilities, and from visiting dodgy web sites, address
book spam is responsible for most virus infections. The NCSA
study showed that most people (85%) have a virus scanner installed,
but only a
small number keep their virus definitions up to date.
Hopefully, you're smarter than that.
Everything in this letter has been a suggestion,
except this last thing, which is an ORDER: Never, Never, Never buy anything
from a spam message, no matter how attractive it seems. These
tapeworm spammers work on very small numbers: if only one
person out of several thousand responds, they consider it a big
success, so you're actually doing a lot of damage to others if
you buy something (plus you're probably going to get ripped
off). Don't even click on any links in the spam, especially not
on the "remove me from your list" link or button. All that does
is confirm that your email address is connected to a live human
being, ensuring that you'll be spammed even more in the future.
By the way, you may have noticed I haven't
said a word about CAN-SPAM, the U.S. law supposedly regulating
spam that's been in place since January 1, 2004. Have you
noticed any reduction in the amount of spam you receive because
of this law? Me neither. So far, all it's done is make life a
little more difficult for legitimate publishers. However, it
does open the door for prosecution of black hat spammers, and
that's happened to a limited extent.