Thursday, December 28, 2006

how to avoid email spam

typically, the life-cycle of email spam (in the most general sense) goes something like this:
  1. the spammer gets your email address
  2. the spammer sends you spam
  3. you receive and do your best to deal with that spam

most of the anti-spam technology that the average person is aware of works to deal with spam after it's been sent, effectively trying to address stage 3 in the spam life-cycle... you probably know this technology as spam filtering, either a black list where you record all the email addresses (or perhaps domains) from whom you don't want to receive email, a white list where you record all the email addresses from whom you do want to receive email, or some more advanced content-based spam filter such as bayesian filtering... as most average people are at least vaguely familiar with spam filtering (even if only by way of noticing there's a junk mail folder in their webmail) they also know (or if not, should be made aware) that filtering isn't a perfect solution, that some legitimate mail can get flagged as spam and some spam may fool the filter into thinking it's legitimate mail... nothing is perfect, but as spam volume increases the number of spams that sneak through spam filters also increases, and nobody (except the spammers) wants to see the amount of spam in our inboxes increase...

addressing stage 2, trying to stop the spam from getting sent or at least making it more difficult or costly, is something most average folks aren't aware of (or at least don't often think about) because for the most part it's not something they've been a part of... early on there was account termination for those caught spamming, then there were CAPTCHA tests to stop the spammers from creating very large numbers of accounts (which would otherwise make account termination a non-issue) to spam from... after that there was a crackdown on open mail relays and ISPs started trying to block their subscribers from connecting to outside SMTP servers... now spammers use botnets designed for sending spam, effectively moving the burden of stopping spam out of the hands of centralized organizations like ISPs and into the hands of end users whose machines have been compromised and who are least likely to be able to deal with the problem or even be aware of its existence... if you've never heard of this before, now you've got a brand new reason to prevent malware from compromising your computer - to help keep the spam problem in check...

avoiding spam
neither of these qualifies as avoiding spam, however... in order to do that one must address spam at the earliest stage in its life-cycle, one must stop the spammer from getting one's email address in the first place... think of your email address as being like your home phone number - it's confidential information that you don't hand out to every tom, dick, and harry you happen across...

keeping your real email address secret is probably not the most intuitive thing in the world, especially since so many things require you to give them an email address, but there are services and techniques that can help make it easier... there are also limits to how well the secret can be kept, but as an example i've managed to keep a webmail address i use daily completely spam free (there isn't even anything in the spam folder) for over 2 years simply by being careful and not giving out the address except to those i trust... one other caveat is that you can't make an email address secret if it wasn't a secret before... if your current address is receiving spam then the spammers already have your email address, the address has been compromised and there's nothing you can really do about that - you can't put the genie back in the bottle...

what you can do, with a fresh email address, is use disposable email addresses that forward to that real email address... a number of people are already familiar with the idea of a throw-away email address and often use hotmail or some other free webmail provider to make one, but unfortunately that leaves you with no way to know who leaked your address to the spammers, so when you need to change addresses (because the current throw-away address has gotten too spammy) you'll have no way to know which organizations to not give the new address to (never mind the fact that you'll have to give a new address to a bunch of organizations)... this is where true disposable email addresses come in - you need to use a different address for each site you give an address to (whether it's ebay, amazon, or your bank) so you can identify which one leaked the email address simply by looking at which email address got leaked, and so that you only have to turn off that one address when it starts getting spammed rather than changing addresses and updating a potentially long list of sites with your new address... dedicated disposable email address services make creating multiple addresses easier (certainly easier than creating multiple throw-away email addresses where you have to answer a CAPTCHA test for each one) and managing multiple addresses (i.e. turning off the ones that get spammy) easier as well...

different services provide addresses with different properties; some will forward the email sent to the disposable address on to your real address while others might maximize the ease and convenience of creating a new address by allowing you to create one without contacting the disposable email address provider first... beware the combination of these two properties (something spamgourmet.com does), however, because you invariably wind up giving out the information necessary for others to create new addresses that will forward to your real address and you don't want any tom, dick, or harry to be able to do that any more than you want them to be able to email you directly... instead, use the created-on-the-fly addresses in cases where no sensitive information is going to be sent and/or in cases where you're likely only going to need to check for mail once (because most on-the-fly disposable email address services also don't require a login to check the email - mailinator.com and dodgeit.com work this way), and use forwarding addresses (such as those from sneakemail.com or mailnull.com) for everything else so that you get the benefit of picking up the mail in one place that only you (and your real email provider) have access to...
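to make the "one address per site" idea concrete, here is an added example (my own sketch, not code from any of the services named above) of how a per-site forwarding alias scheme can work on a domain you control... it assumes a hypothetical domain `example.org`, a hypothetical real mailbox, and a constructed secret key... it goes one step beyond the text: the alias carries a short keyed (HMAC) tag, so aliases can be minted on the fly without anyone else being able to mint a forwarding address for you, which is exactly the risk described above for on-the-fly addresses that forward...

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field


@dataclass
class AliasRegistry:
    """Per-site forwarding aliases for one real mailbox (constructed example)."""

    real_address: str  # the secret address everything forwards to (assumed)
    domain: str        # domain the aliases live on (assumed to be yours)
    secret: bytes      # key that makes alias tags unguessable (constructed)
    disabled: set = field(default_factory=set)

    def _tag(self, site: str) -> str:
        # keyed tag: without the secret nobody can mint a valid alias
        return hmac.new(self.secret, site.encode(), hashlib.sha256).hexdigest()[:8]

    def alias_for(self, site: str) -> str:
        """Address to hand to one website, e.g. amazon.<8 hex chars>@example.org."""
        site = site.lower()
        return f"{site}.{self._tag(site)}@{self.domain}"

    def site_of(self, address: str):
        """Recover which site an address was given to (this is the 'who leaked
        it' step), or None if it is not a genuine alias: forged, guessed or typo."""
        pattern = r"([a-z0-9-]+)\.([0-9a-f]{8})@" + re.escape(self.domain.lower())
        m = re.fullmatch(pattern, address.strip().lower())
        if not m:
            return None
        site, tag = m.groups()
        if not hmac.compare_digest(tag, self._tag(site)):
            return None
        return site

    def disable(self, site: str) -> None:
        """Turn off one alias once it starts receiving spam; every other
        alias (and the real address) keeps working untouched."""
        self.disabled.add(site.lower())

    def route(self, rcpt: str):
        """Decide what to do with mail addressed to rcpt:
        ('forward', site) for a live alias, ('drop', site) for a disabled
        one, ('reject', None) for anything that is not a valid alias."""
        site = self.site_of(rcpt)
        if site is None:
            return ("reject", None)
        if site in self.disabled:
            return ("drop", site)
        return ("forward", site)


if __name__ == "__main__":
    reg = AliasRegistry("me@mailbox.example", "example.org", b"constructed-secret")
    shop_alias = reg.alias_for("amazon")
    print("give this to the shop:", shop_alias)
    # a spam arrives addressed to shop_alias: the local part tells you who leaked it
    print("leaked by:", reg.site_of(shop_alias))
    reg.disable("amazon")
    print("after disabling:", reg.route(shop_alias))
```

the `route` function is the piece a forwarding service runs for each incoming message; a real deployment would hook it into the mail server's recipient lookup, and only the secret (never a list of aliases) has to be kept anywhere...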

website feedback
now that takes care of sites that ask you for your email address, but what if you have a website or even a blog like this one? you want to be able to receive feedback from people without being deluged by spam, but if you put an email address on the page then software that searches for email addresses on the web will find that address pretty quickly and it will soon be filled with spam... using disposable email addresses on their own doesn't solve this problem...

one thing people like to try is email address obfuscation - where the email address is manipulated in such a way that software that searches for email addresses can't easily recognize it as one... unfortunately this runs into competing requirements - in order to truly prevent software from collecting your email address for the spammer the email address has to not be machine readable, however people expect to be able to click on something and start typing their feedback and that functionality requires that the email address is machine readable... no email address obfuscation method can achieve both requirements so you generally either have to break expected functionality or accept that the email address isn't truly hidden...

a better solution is to use a contact form, specifically one that doesn't contain your email address in its code... mailnull.com happens to offer this facility; it's what i'm currently using for this site at the time of writing, and you can see what it looks like by clicking here... the only major drawback to using a web-based contact form is that people can't send you attachments, but considering how troublesome attachments can be from a security standpoint, not providing a way for first time contacts to send them to you doesn't seem like all that big a deal... if you do encounter a scenario where it is a problem, the first time contact could use a file storage solution like dropload.com with their own disposable email address in the To: field and then paste the resulting URL into the web contact form...

additionally, if you not only have your own website but your own domain, you may want to turn off the default/catch-all email functionality (where email sent to any non-existent address on that domain is 'caught' and collected for review and possible redirection to relevant parties)... so long as you are providing people with a clear way to directly contact the right individuals within your domain there should be no reason for anyone to send email to non-existent addresses on your domain or to fire emails blindly at arbitrary addresses on your domain...

friends and family
as i mentioned before, there are limits to the extent to which you can keep your email address secret and a potentially very big hole in the strategy involves your trusted contacts (be they friends, family, or business contacts)... these are people you can't reasonably be expected to keep your email address a secret from and so may wind up being a source of email address leakage... what can you do?

pretty much what you can do boils down to treating their email addresses with the same care you would treat your own and teaching them to do the same for you (maybe even pointing them here)... that means that you shouldn't give their addresses to websites no matter how cool those websites might happen to be or how interesting you think your friends/family/contacts will find the site (even those greeting card websites that are so popular around the holidays) - instead you should give those sites one of your own disposable email addresses and then forward the resulting email to the person you wanted to share the site with, thus giving them exactly the same information you would have given them if you'd exposed their email address to the website but without actually exposing their email address to the website...

additionally, don't share people's email addresses with other people they don't know... if you're emailing people that don't know each other, put your own email address in the To: field and put the other email addresses in the Bcc: field so that they can't see each other's addresses... if you're forwarding something to people, make sure not to include any of the email addresses that it was previously sent to or from, as forwarded emails otherwise tend to build up large numbers of email addresses on a large number of strangers' machines - any one of which might get compromised by a piece of malware that harvests email addresses for spammers and other email miscreants, and that's something you want to minimize where possible...
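as an added example (my own, not from the original post) of the two habits above, here is how the Bcc: rule and the forwarding rule look when done programmatically with python's standard `email` library... the addresses in it are constructed, and the scrubber's regex is a deliberately simple approximation of what an email address looks like, not a full RFC 5322 parser...

```python
import re
from email.message import EmailMessage

# rough shape of an email address; good enough to find the ones mail clients
# paste into "From: ... / To: ..." blocks when forwarding (constructed example)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def build_group_message(sender, recipients, subject, body):
    """Compose a message for people who don't know each other.

    The To: header carries only the sender's own address and no Bcc: header
    is written at all; the real recipients are returned separately as the
    SMTP envelope list, so nothing in the message reveals them to each other.
    Returns (message, envelope_recipients).
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, [sender] + list(recipients)


def scrub_forward_body(text, keep=()):
    """Strip email addresses out of a body you are about to forward.

    Every address found is replaced by a placeholder unless it is listed in
    keep (e.g. your own disposable address), so the forwarded copy does not
    carry the previous senders' and recipients' addresses onto strangers'
    machines.
    """
    keep = {a.lower() for a in keep}

    def replace(m):
        return m.group(0) if m.group(0).lower() in keep else "[address removed]"

    return EMAIL_RE.sub(replace, text)


if __name__ == "__main__":
    msg, envelope = build_group_message(
        "me@mailbox.example",
        ["alice@example.com", "bob@example.net"],
        "holiday plans",
        "hi both, see the forwarded note below",
    )
    print(msg.as_string())
    print("envelope recipients (never in the headers):", envelope)

    # constructed sample of what a mail client pastes in when forwarding
    forwarded = (
        "---------- Forwarded message ----------\n"
        "From: Carol <carol@example.org>\n"
        "To: dave@example.com, erin@example.net\n\n"
        "the party is on saturday"
    )
    print(scrub_forward_body(forwarded))
```

to actually send, pass the envelope list to `smtplib.SMTP.send_message(msg, to_addrs=envelope)`; the recipients then travel only in the SMTP envelope, which is what a mail client's Bcc: field does for you behind the scenes...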

anti-spam safe hex
all these things effectively form a set of spam-related safe hex rules... summarized, they are:
  1. treat your email address like a secret
  2. use a different disposable email address for each website you give an address to (so that if you do get spam you can tell who to blame)
  3. use contact forms instead of email addresses on your website
  4. turn off the catch-all email functionality for any domain you might have
  5. don't give your friends'/family's/contacts' email addresses to websites
  6. don't give your friends'/family's/contacts' email addresses to people they don't know
  7. try to teach your friends/family/contacts to show your email address the same care that you show theirs

2 comments:

kontaktlinser said...

That's a really great article. It's very nice and useful info. Many thanks for sharing.

markjack said...

very nice information...
thanks for sharing