
Email Spam Refresher: How to Avoid Spam

August 23rd, 2005

Email spam filters now do a pretty good job of keeping your email account relatively clean, but it is best not to attract any spam in the first place. I’ve posted on this before, but it was a while ago and I wanted to refresh and expand the advice a little bit. Here is the basic list of dos and don’ts:

  1. Never respond to a spam email for any reason; never click on any link in an email unless you are 500% certain it is not spam
  2. Do not publish your email address on any web page, BBS/Forum, chat, or anywhere public on the web. If you are required to supply an email address, use a fake address or a throwaway account (see explanation of throwaway accounts below)
  3. Do not use your main email address to sign up for anything; use a throwaway account
  4. Whenever you give your email address, even to family and friends, stress that they must never sign you up for anything, or distribute your email address to anyone without your permission, especially to any commercial enterprise
  5. When choosing a hotmail, yahoo, or any free mail account address, don’t choose a short name (to avoid dictionary spam)
  6. Do not use the “opt-out” link in any email you receive, and do not sign up for any do-not-email list; they will only result in more spam being sent your way
  7. Turn off HTML graphics in your email–they will notify the spammer that you’re viewing their email and probably identify you specifically to the spammer (this is more commonly allowed in email clients like Eudora or Outlook, but check for it in your browser-based email accounts as well)
  8. Use an email program with effective spam filters. If you’re worried that a legitimate emailer might get blocked, remember that most email client spam filters will always allow email through if the address of the sender is in your address book for the program
  9. If you use Windows, then be sure to use an effective anti-virus program, making certain that it successfully and automatically updates the virus definition list on a regular and frequent basis. Some viruses are designed by spammers to raid your address book for addresses to be added to spam lists. Try avoiding adware and spyware as well (Ad-Aware and Spybot are popular programs for clearing these pests)
  10. Do not use the “send this story/picture/anything to your friend” feature offered on many web sites, and tell those with your email address never to put your address into one of them. Many services, including some respected periodicals, will give you the option of sending something interesting, like a news story or a cartoon, to your friend–all you have to do is enter their email address and hit “Send.” A friend of mine once did that “for” me, sending a story using the BBC’s news service. Within hours I was getting spam related to the topic of the story. If you want to inform a friend of something interesting on a web site, copy the address of the web page and paste it into an email you send them directly
  11. Never, ever, ever, ever, EVER buy ANYTHING from a spammer. Ever. If you do, then anti-spam vigilantes will enter your house in the dead of night and tattoo the word “IDIOT” on your forehead in bright, day-glo colors. Or they would in a more perfect world.

One basic rule of thumb: treat your main, real email account like a top-secret piece of information. Only hand it out to people you know and trust, or people who absolutely need to have it. If you do business with an email address and have to give it out less discriminately, then create a special business-oriented email account, and keep special track of whom you give it to, so if it becomes spam-flooded and you need to change, you can send an email out to all the people you’ve given it to and notify them you’re changing to a new address.

In other situations, an important tool is the throwaway account. If you’re like me and you have some domain names at your disposal, you will have the ability to easily generate new email accounts to be used and discarded at will. But if you don’t have your own domain and/or can’t easily generate email accounts for it, then you’ll have to rely on Yahoo, Hotmail and GMail. It might be easier to sit down in one session and create half a dozen or so accounts at once, of course writing down each specific address and its username and password. Keep in mind that these accounts will expire after a certain amount of time if you don’t access them, but no biggie, just go back and generate a half dozen new ones every three to six months.

Why throwaway accounts? What are they good for? Well, nowadays a lot of places require you to give an email address if you want to do what you want to do on the web. If you want to join a forum, enter a restricted area, sign on for a “free” subscription to something, or to make a purchase, it is very likely that you will be asked for an email address. This is usually so they can generate a list of email addresses that they can sell to spammers and make a bit of money on the side, or it is for their own private advertising purposes. Most times they don’t even bother to lie to you about the address being so they can contact you if something goes wrong.

So why not just give a fake email address? Because most times when they ask you for an email address, they will then send an email to that account with an “activation” code, and you won’t be able to do what you wanted to do unless you go to the email account in question, get the code, and enter it into the web site. Many times this is a legitimate way for the web site to make sure you are a human being and not some robot program made by a spammer or hacker, but many times also it is a way for spammers to make sure you gave them a real live email address they can send spam to. So use a throwaway account.

So am I being paranoid here? Not at all. I tested some of the traps I mentioned in the list above. For example, I created some special throwaway accounts with very specific names which had never before existed, and I told no one of them. They were squeaky clean, no way for spammers to know they existed.

One of them I put on this web page, but I made it invisible to the eye. In a small area with a plain gray background, I typed the email address (not a “mailto” link, just the address in plain text) and made it the exact same gray color as the background. That meant that it would be invisible to any human visitor to the site unless they selected all the text on the page and searched carefully for the email address, which no one would do (don’t try now, it’s not there anymore). In theory, it should have remained secret. But within a few days, dozens of spams started pouring in (most of them Nigeria or European lottery scam artists, actually, but a lot of it also plain-vanilla spam).

So what happened? The spammers (and scammers) use robot programs to scan every web page they can find for anything containing an email address. They usually just look for the @ mark, and a period followed by a domain suffix; both are necessary in any email address. The addresses found are harvested, spammed, and sold to other spammers.

That’s why you don’t want to write your email address on any web page on the Internet. It will be found, and you will get spammed.

Another test I did was the opt-out. That’s when the spam you receive has a bit (usually at the bottom) where they “allow” you to add your email address to a list of do-not-mail addresses, under the premise that this will actually remove you from anyone’s spam list. Most often, it is simply a trap.

You see, spammers have huge lists of email addresses, but they face a problem: most of the addresses are fake, expired, or are never used. And they mostly don’t know which ones are which. An email address which is certifiably active is valuable to them. An email address belonging to someone who reads spam messages is golden. An email address where the owner is gullible enough to respond to spam is the Holy Goddamned Grail.

So the spammers want to know that they succeeded in catching a live one. But they won’t know unless you tell them somehow. The “opt-out” is all too often a scam to do just that. They put a line at the bottom of the email claiming that your email address was collected in some completely legal and honest fashion, and if it was a “mistake,” then just click on this link, type in your email address, and we’ll happily remove you from our lists.

What really happens, of course, is that when you visit that page and type in your email address, they know that (a) the email account is real, (b) you read the spam they send to it, and (c) are gullible enough to fall for the scam. Congratulations–you have just signed up to the Holy Grail of Spamming list and are about to get that email address flooded with more spam than ever before.

I tested this by going through some recent spam I’d received in a different account and culling a few dozen “opt-out” addresses. I then visited these pages and typed in one of those squeaky-clean throwaway accounts I had generated. If the opt-out promise were honored, that account should never receive spam; if spam came in, I would know for certain that it came from the opt-outs.

After seeding the address in the opt-out pages, nothing happened for a few weeks; after all, if they immediately started spamming you, you would likely catch on to what caused it. But after two weeks, the spam started rolling in. After a few months, the account was receiving more than a dozen spams a day. I shut it down before it got out of hand, but had I let it roll, it would probably be getting a few hundred spams a day by now.

Worse than this, there are scammers out there who will even charge you to get your name added to a no-spam list. Don’t fall for it. And what about that government no-spam list? If someone suggests that they can put you on it, don’t fall for it–it doesn’t exist. Although the naive and useless CAN-SPAM Act of 2003 allows for such a list to be made, the Federal Trade Commission decided it was unworkable. Why unworkable? Well, 80% of spammers are outside the US and therefore are outside the reach of US law. But they can still read the don’t-spam list, and get tons of juicy, active email accounts from it. And even spammers within the US might feel like raiding the list, since US law enforcement can’t go after all the spammers out there.

And why is the CAN-SPAM Act of 2003 useless, after we’ve seen a couple of cases of spammers getting arrested? The answer is simple: look at the spam in your email box. Mine hasn’t been reduced since 2003, and if yours has, it is probably because your ISP put a better spam filter into place. The CAN-SPAM Act is simply another example of your congresscritter trying to look like they’re doing something when there’s nothing really that they can do. The New York Times reported in February 2005 that the act had done little or nothing to stop spam, and that spam volume had only increased since the law was passed.

So in the end, the best way to stop, or at least stem spam is to do it yourself. Follow the rules listed at the top of this post. Don’t make me get out my tattoo needle and day-glo inks.

  1. August 24th, 2005 at 00:52 | #1

    Luis, this is an excellent write up.

    Unfortunately for me, my personal email address (not the one I use here) is the shortest and easiest to remember address that would be impossible to get in this day and age. I’ve had it for almost 12yrs. And nobody would forget it. However, it gets spammed to death and I’ve thought about cancelling it many times but it is just too good to waste. What to do?

  2. BlogD
    August 24th, 2005 at 00:58 | #2

    Roy, I have the same problem. My email address is essentially my name with a suffix, I was lucky enough to get one variation of that. However, I learned all that I wrote above by making just about every single mistake I described in this entry, with that address.

    I’ve just gotten used to it. Eudora helps by filtering out most of it, but I still have to quickly scan the junk box to make sure anyone new who emails (and is not in the address book) doesn’t get sent there by accident.

    Like I said, I’m used to it. It’s just a routine now. But you may feel differently. Not much you can do except to make a break and a fresh start, unfortunately….

  3. Brad
    August 24th, 2005 at 12:09 | #3

    Not much you can do except to make a break and a fresh start, unfortunately….

    Yeah, but that’s so hard to do, isn’t it?! My personal e-mail address also has my surname as the suffix; created back in 1997 or so when I – and the internet – were innocent of the evil that is spam. Every now and then I consider going to a completely anonymous name, but I demur every time … too much hassle. Still, the spam filters seem to be doing a good job.

  4. Tcia11
    August 27th, 2005 at 00:57 | #4

    And, says Auntie Pat, never, ever answer Nigerian email scams!

    “LA record producer killed by Nigerian scam ring?”

    via boingboing.net:

    http://www.latimes.com/news/local/la-me-topanga25aug25,1,2555949.story

    http://tinyurl.com/c7uk5

  5. miva
    October 14th, 2006 at 05:18 | #5

    hi,

    I don’t have a choice but to add my email address on my website. Is there any way I can add an email address without triggering spammers?

  6. Luis
    October 14th, 2006 at 11:47 | #6

    Miva:

    A lot depends on how that is handled. For example, do you have to display the email address, or do you just have to give people a way to contact you? I made a website for my father, which contains a “contact” page. That page contains a form, where an applicant fills in their name, email address, and message, then they click “send.” An automatic email is generated and sent to my father. Now, his email address would appear within the form’s HTML code, but I used a little trick: I put a junk email address in the form, and then forwarded that email to my father’s real account. Whenever spammers find the junk email address in the form and start spamming it, I just change to another junk email address, and forward that one to my father’s account like before. By rotating the form address and always forwarding to my father’s account, his real account stays secret.

    However, that trick requires (a) your own domain, (b) the ability to write forms in HTML, and (c) knowledge of FTP. You might not have that. Furthermore, you might not have a choice but to display your actual email address, right there on the page. If so, then there may be no way to protect against spammers.

    Ah! I just got an idea–really, I did just now. And I love it, because it’s an old spammer’s trick! I don’t know if it will work, but it’s worth a try.

    In order to avoid spam filters which catch certain words, spammers may break up the word in HTML. Let me explain.

    In HTML–the coding that makes web pages–anything within angled brackets (shift-comma and shift-period on your keyboard) is invisible to the viewer. For example, if I put this on a web page:

    He<!-- red -->llo th<!-- blue -->ere!

    It would appear as “Hello there!” to the viewer. The “<!-- ooo -->” part is simply a comment in HTML, which does not render on the actual page. But as you can see, I broke up the words “hello” and “there” in the HTML.

    Why is this important? Because spammers do not collect email addresses by having humans look at the pages; they use automated programs which look at the HTML! Right now, on this blog’s main page, I put an email address in the HTML, one which is invisible to the human eye–but spammers caught on to it quickly and the address now draws about 5 spam messages per day and growing.

    You can reverse that, by adding the HTML comments I showed you. In the web page code, put <!-- ooo --> within the email address several times, adding a random word where the “ooo” is. For example, here’s a dummy address with the breakups:

    m<!-- red -->yma<!-- car -->il<!-- toy -->@<!-- cat -->bl<!-- blue -->og.c<!-- night -->om

    To a human viewer, that would appear on the page as “mymail@blog.com,” but to a spammer’s HTML-reading program, it would have all that junk interspersed.

    Now, I haven’t tried that yet–I will very soon! So I can’t guarantee it just yet. After all, it is a spammer’s trick, so maybe they guard against it. On the other hand, I have to think that most people don’t do this, maybe nobody does it yet, so maybe the spammers don’t bother guarding against it. I don’t know, is the point–it might work and it might not.

    But that’s the only thing I can think of. Keep in mind that I am far from an expert, just an experienced amateur; there may be other ways I don’t know about.
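
The post describes harvesters as programs that scan page source for an “@” and a dot followed by a domain suffix, and the comment above proposes splitting the address with HTML comments so that pattern no longer lines up in the markup. The following is an added example (not code from the post or its author) that a site owner can run against their own page to see both views: what a scan of the raw markup finds, and what a scan of the rendered text (comments dropped, as a browser shows it) finds. The address and markup are constructed placeholders, and the naive pattern is an assumption modelled on the post’s description.

```python
import re
from html.parser import HTMLParser

# Constructed sample markup, modelled on the comment-splitting trick in the thread.
# "mymail@blog.com" is a placeholder, not a real mailbox.
OBFUSCATED = ("m<!-- red -->yma<!-- car -->il<!-- toy -->@<!-- cat -->"
              "bl<!-- blue -->og.c<!-- night -->om")
PLAIN = "Contact: mymail@blog.com"

# The naive pattern the post describes: a local part, an @, and a dot
# followed by a domain suffix. (Assumed; harvesters vary.)
NAIVE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class VisibleText(HTMLParser):
    """Collect only the text a browser would render: tags and comments are dropped."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

    def handle_comment(self, data):
        pass  # an HTML comment never reaches the reader


def rendered_text(html):
    """Return the page text as a human visitor sees it."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def addresses_in_raw_markup(html):
    """What a harvester that scans the page source finds."""
    return NAIVE_ADDRESS.findall(html)


def addresses_in_rendered_text(html):
    """What a harvester that renders (or strips comments) first finds."""
    return NAIVE_ADDRESS.findall(rendered_text(html))


def exposure_report(html):
    """Summarise whether an address is exposed to each kind of scan."""
    return {
        "raw_markup_scan": addresses_in_raw_markup(html),
        "rendered_text_scan": addresses_in_rendered_text(html),
    }


if __name__ == "__main__":
    for label, page in (("plain", PLAIN), ("comment-split", OBFUSCATED)):
        print(label, exposure_report(page))
```

Running it shows the split address is missed by the raw-markup scan but recovered by the rendered-text scan, which is the case the comment’s “maybe they guard against it” refers to.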

  7. Brian
    October 20th, 2006 at 03:22 | #7

    Great advice, I’ll try to adhere to it as I’ve only been on the net since January. So if I stuff up, just show me where the day-glo colours are and I’ll apply the word “novice” on my forehead, then if I do it again I’ll use the word “idiot”, but only in extenuating circumstances. I stumbled on your column by accident looking for a list of countries related to the web suffixes. Where do I find such a list? Or could you provide a link or an address, please?
    Keep writing the good advice. You are now on my Favourites list.
    Brian

  8. Luis
    October 20th, 2006 at 04:30 | #8

    Brian, I think you’re looking for this:

    http://en.wikipedia.org/wiki/Country_code_top-level_domain

    When in doubt, always go for Wikipedia.
