Home > Computers and the Internet > Email Spam Refresher: How to Avoid Spam

Email Spam Refresher: How to Avoid Spam

August 23rd, 2005
Email spam filters now do a pretty good job of keeping your email account relatively clean, but it is best not to attract any spam in the first place. I've posted on this before, but it was a while ago and I wanted to refresh and expand the advice a little bit. Here is the basic list of dos and don'ts:
  1. Never respond to a spam email for any reason; never click on any link in an email unless you are 500% certain it is not spam

  2. Do not publish your email address on any web page, BBS/Forum, chat, or anywhere public on the web. If you are required to supply an email address, use a fake address or a throwaway account (see explanation of throwaway accounts below)

  3. Do not use your main email address to sign up for anything; use a throwaway account

  4. Whenever you give your email address, even to family and friends, stress that they must never sign you up for anything, or distribute your email address to anyone without your permission, especially to any commercial enterprise

  5. When choosing a hotmail, yahoo, or any free mail account address, don't choose a short name (to avoid dictionary spam)

  6. Do not use the "opt-out" link in any email you receive, and do not sign up for any do-not-email list; they will only result in more spam being sent your way

  7. Turn off HTML graphics in your email--they will notify the spammer that you're viewing their email and probably identify you specifically to the spammer (this is more commonly allowed in email clients like Eudora or Outlook, but check for it in your browser-based email accounts as well)

  8. Use an email program with effective spam filters. If you're worried that a legitimate emailer might get blocked, remember that most email client spam filters will always allow email through if the address of the sender is in your address book for the program

  9. If you use Windows, then be sure to use an effective anti-virus program, making certain that it successfully and automatically updates the virus definition list on a regular and frequent basis. Some viruses are designed by spammers to raid your address book for addresses to be added to spam lists. Try avoiding adware and spyware as well (Ad-Aware and Spybot are popular programs for clearing these pests)

  10. Do not use the "send this story/picture/anything to your friend" feature offered on many web sites, and tell those with your email address never to put your address into one of them. Many services, including some respected periodicals, will give you the option of sending something interesting, like a news story or a cartoon, to your friend--all you have to do is enter their email address and hit "Send." A friend of mine once did that "for" me, sending a story using the BBC's news service. Within hours I was getting spam related to the topic of the story. If you want to inform a friend of something interesting on a web site, copy the address of the web page and paste it into an email you send them directly

  11. Never, ever, ever, ever, EVER buy ANYTHING from a spammer. Ever. If you do, then then anti-spam vigilantes will enter your house in the dead of night and tattoo the word "IDIOT" on your forehead in bright, day-glo colors. Or they would in a more perfect world.

One basic rule of thumb: treat your main, real email account like a top-secret piece of information. Only hand it out to people you know and trust, or people who absolutely need to have it. If you do business with an email address and have to give it out less discriminately, then create a special business-oriented email account, and keep special track of whom you give it to, so if it becomes spam-flooded and you need to change, you can send an email out to all the people you've given it to and notify them you're changing to a new address. In other situations, an important tool is the throwaway account. If you're like me and you have some domain names at your disposal, you will have the ability to easily generate new email accounts to be used and discarded at will. But if you don't have your own domain and/or can't easily generate email accounts for it, then you'll have to rely on Yahoo, Hotmail and GMail. It might be easier to sit down in one session and create half a dozen or so accounts at once, of course writing down each specific address and its username and password. Keep in mind that if these accounts will expire after x amount of time if not accessed by you, but no biggie, just go back and generate a half dozen new ones every three to six months. Why throwaway accounts? What are they good for? Well, nowadays a lot of places require you to give an email address if you want to do what you want to do on the web. If you want to join a forum, enter a restricted area, sign on for a "free" subscription to something, or to make a purchase, it is very likely that you will be asked for an email address. This is usually so they can generate a list of email addresses that they can sell to spammers and make a bit of money on the side, or it is for their own private advertising purposes. Most times they don't even bother to lie to you about the address being so they can contact you if something goes wrong. So why not just give a fake email address? Because most times when they ask you for an email address, they will then send an email to that account with an "activation" code, and you won't be able to do what you wanted to do unless you go to the email account in question, get the code, and enter it into the web site. Many times this is a legitimate way for the web site to make sure you are a human being and not some robot program made by a spammer or hacker, but many times also it is a way for spammers to make sure you gave them a real live email address they can send spam to. So use a throwaway account. So am I being paranoid here? Not at all. I tested some of the traps I mentioned in the list above. For example, I created some special throwaway accounts with very specific names which had never before existed, and I told no one of them. They were squeaky clean, no way for spammers to know they existed. One of them I put on this web page, but I made it invisible to the eye. In a small area with a plain gray background, I typed the email address (not a "mailto" link, just the address in plain text) and made it the exact same gray color as the background. That meant that it would be invisible to any human visitor to the site unless they selected all the text on the page and searched carefully for the email address, which no one would do (don't try now, it's not there anymore). In theory, it should have remained secret. But within a few days, dozens of spams started pouring in (most of them Nigeria or European lottery scam artists, actually, but a lot of it also plain-vanilla spam). So what happened? The spammers (and scammers) use robot programs to scan every web page they can find for anything containing an email address. They usually just look for the @ mark, and a period followed by a domain suffix; both are necessary in any email address. The addresses found are harvested, spammed, and sold to other spammers. That's why you don't want to write your email address on any web page on the Internet. It will be found, and you will get spammed. Another test I did was the opt-out. That's when the spam you receive has a bit (usually at the bottom) where they "allow" you to add your email address to a list of do-not-mail addresses, under the premise that this will actually remove you from anyone's spam list. Most often, it is simply a trap. You see, spammers have huge lists of email addresses, but they face a problem: most of the addresses are fake, expired, or are never used. And they mostly don't know which ones are which. An email address which is certifiably active is valuable to them. An email address belonging to someone who reads spam messages is golden. An email address where the owner is gullible enough to respond to spam is the Holy Goddamned Grail. So the spammers want to know that they succeeded in catching a live one. But they won't know unless you tell them somehow. The "opt-out" is all too often a scam to do just that. They put a line at the bottom of the email claiming that your email address was collected in some completely legal and honest fashion, and if it was a "mistake," then just click on this link, type in your email address, and we'll happily remove you from our lists. What really happens, of course, is that when you visit that page and type in your email address, they know that (a) the email account is real, (b) you read the spam they send to it, and (c) are gullible enough to fall for the scam. Congratulations--you have just signed up to the Holy Grail of Spamming list and are about to get that email address flooded with more spam than ever before. I tested this by going through some recent spam I'd received in a different account and culling a few dozen "opt-out" addresses. I then visited these pages and typed in one of those squeaky-clean throwaway accounts I had generated. If the opt-out promise were honored, that site should never receive spam; if spam came in, I would know for certain that it came from the opt-outs. After seeding the address in the opt-out pages, nothing happened for a few weeks; after all, if they immediately started spamming you, you would likely catch on to what caused it. But after two weeks, the spam started rolling in. After a few months, the account was receiving more than a dozen spams a day. I shut it down before it got out of hand, but had I let it roll, it would probably be getting a few hundred spams a day by now. Worse than this, there are scammers out there who will even charge you to get your name added to a no-spam list. Don't fall for it. And what about that government no-spam list? If someone suggests that they can put you on it, don't fall for it--it doesn't exist. Although the naive and useless CAN-SPAM Act of 2003 allows for such a list to be made, the Federal Trade Commission decided it was unworkable. Why unworkable? Well, 80% of spammers are outside the US and therefore are outside the reach of US law. But they can still read the don't-spam list, and get tons of juicy, active email accounts from it. And even spammers within the US might feel like raiding the list, since US law enforcement can't go after all the spammers out there. And why is the CAN-SPAM Act of 2003 useless, after we've seen a couple of cases of spammers getting arrested? The answer is simple: look at the spam in your email box. Mine hasn't been reduced since 2003, and if yours has, it is probably because your ISP put a better spam filter into place. The CAN-SPAM Act is simply another example of your congresscritter trying to look like they're doing something when there's nothing really that they can do. The New York Times reported in February 2005 that the act had done little or nothing to stop spam, and that spam volume had only increased since the law was passed. So in the end, the best way to stop, or at least stem spam is to do it yourself. Follow the rules listed at the top of this post. Don't make me get out my tattoo needle and day-glo inks.

Categories: Computers and the Internet Tags: by
  1. August 24th, 2005 at 00:52 | #1

    Luis, this is an excellent write up.

    Unfortunately for me, my personal email address (not the one I use here) is the shortest and easiest to remember address that would be impossible to get in this day and age. I’ve had it for almost 12yrs. And nobody would forget it. However, it gets spammed to death and I’ve thought about cancelling it many times but it is just too good to waste. What to do?

  2. BlogD
    August 24th, 2005 at 00:58 | #2

    Roy, I have the same problem. My email address is essentially my name with a suffix, I was lucky enough to get one variation of that. However, I learned all that I wrote above by making just about every single mistake I described in this entry, with that address.

    I’ve just gotten used to it. Eudora helps by filtering out most of it, but I still have to quickly scan the junk box to make sure anyone new who emails (and is not in the address book) doesn’t get sent there by accident.

    Like I said, I’m used to it. It’s just a routine now. But you may feel differently. Not much you can do except to make a break and a fresh start, unfortunately….

  3. Brad
    August 24th, 2005 at 12:09 | #3

    Not much you can do except to make a break and a fresh start, unfortunately….

    Yeah, but that’s so hard to do, isn’t it?! My personal e-mail address also has my surname as the suffix; created back in 1997 or so when I – and the internet – were innocent of the evil that is spam. Every now and then I consider going to a completely anonymous name, but I demur every time … too much hassle. Still, the spam filters seem to be doing a good job.

  4. Tcia11
    August 27th, 2005 at 00:57 | #4

    And, says Auntie Pat, never, ever answer Nigerian email scams!

    “LA record producer killed by Nigerian scam ring?”

    via boingboing.net:

    http://www.latimes.com/news/local/la-me-topanga25aug25,1,2555949.story

    http://tinyurl.com/c7uk5

  5. miva
    October 14th, 2006 at 05:18 | #5

    hi,

    I don’t have a choice but to add my email address on my website. Is there anyway I can add email address without triggering spammers?

  6. Luis
    October 14th, 2006 at 11:47 | #6

    Miva:

    A lot depends on how that is handled. For example, do you have to display the email address, or do you just have to give people a way to contact you? I made a website for my father, which contains a “contact” page. That page contains a form, where an applicant fills in their name, email address, and message, then they click “send.” An automatic email is generated and sent to my father. Now, his email address would appear within the form’s HTML code, but I used a little trick: I put a junk email address in the form, and then forwarded that email to my father’s real account. Whenever spammers find the junk email address in the form and start spamming it, I just change to another junk email address, and forward that one to my father’s account like before. By rotating the form address and always forwarding to my father’s account, his real account stays secret.

    However, that trick requires (a) your own domain, (b) the ability to write forms in HTML, and (c) knowledge of FTP. You might not have that. Furthermore, you might not have a choice but to display your actual email address, right there on the page. If so, then there may be no way to protect against spammers.

    Ah! I just got an idea–really, I did just now. And I love it, because it’s an old spammer’s trick! I don’t know if it will work, but it’s worth a try.

    In order to avoid spam filters which catch certain words, spammers may break up the word in HTML. Let me explain.

    In HTML–the coding that makes web pages–anything within angled brackets (shift-comma and shift-period on your keyboard) is invisible to the viewer. For example, if I put this on a web page:

    He<!– red –>llo th<!– blue –>ere!

    It would appear as “Hello there!” to the viewer. The “<!– ooo –>” part is simply a comment in HTML, which does not render on the actual page. But as you can see, I broke up the words “hello” and “there” in the HTML.

    Why is this important? Because spammers do not collect email addresses by having humans look at the pages; they use automated programs which look at the HTML! Right now, on this blog’s main page, I put an email address in the HTML, one which is invisible to the human eye–but spammers caught on to it quickly and the address now draws about 5 spam messages per day and growing.

    You can reverse that, by adding the HTML comments I showed you. In the web page code, put <!– ooo –> within the email address several times, adding a random word where the “ooo” is. For example, here’s a dummy address with the breakups:

    m<!– red –>yma<!– car –>il<!– toy –>@<!– cat –>bl<!– blue –>og.c<!– night –>om

    To a human viewer, that would appear on the page as “mymail@blog.com,” but to a spammer’s HTML-reading program, it would have all that junk interspersed.

    Now, I haven’t tried that yet–I will very soon! So I can’t guarantee it just yet. After all, it is a spammer’s trick, so maybe they guard against it. On the other hand, I have to think that most people don’t do this, maybe nobody does it yet, so maybe the spammers don’t bother guarding against it. I don’t know, is the point–it might work and it might not.

    But that’s the only thing I can think of. Keep in mind that I am far from an expert, just an experienced amateur; there may be other ways I don’t know about.

  7. Brian
    October 20th, 2006 at 03:22 | #7

    Great advice, I’ll try to adhere to as I’ve only been on the net since January. So if I stuff up, just show me where the day-glo colours are and I’ll apply the word “novice” on my forehead, then if I do it again I’ll use the word “idiot”, but only in extenuating circumstances. I stumbled on your column by accident looking for a list of countries related to the web suffixes. Where do I find such a list? Or could you provide a link or an address, please?
    Keep writing the good advice. You are now on my Favourites list.
    Brian

  8. Luis
    October 20th, 2006 at 04:30 | #8

    Brian, I think you’re looking for this:

    http://en.wikipedia.org/wiki/Country_code_top-level_domain

    When in doubt, always go for Wikipedia.

Comments are closed.