WHERE DOES SPAM COME FROM?
It is often suggested that if you are going to place your email address on a Web site, you should obscure it by encoding the address as HTML entities, or else your address gets harvested by spambots. It is just as often refuted by those who think about such things. After all, it stands to reason that spambots can easily learn to decode these entities and happily harvest your encoded address.
That all sounds good in theory, but what happens when the theory is tested?
The Center for Democracy & Technology spent six months conducting a controlled study to determine where spammers get email addresses from. Their report, “Why Am I Getting All This Spam?,” details their findings.
Among other things, the report found that encoded email addresses left on a honeypot Web site for six months were never harvested by spambots. Test addresses placed on the site and used nowhere else never received spam. That’s not to say that spambots won’t eventually be taught to decode HTML entities, but for now it appears safe to use them in spam prevention.
This also shows that you must test your theories. Something that sounds perfectly sensible in your mind doesn’t always hold up to reality. It seems obvious that spambots would be taught to recognize encoded email addresses, but in the real world, they haven’t.
WHAT NOT TO DO:
Maybe you can relate to this: As junk mail fills Hypothetical Bob's Inbox, he's gripped by an uncontrollable rage. He feels the urge to do something -- anything! Bob responds to one of the (ahem) more vulgar spam messages and writes something (ahem) equally inappropriate to whoever just spammed him.
Resist the urge. It won't do any good, and it'll waste time -- time you could have used to configure your anti-spam software.
Here are other things you should never do:
- Contact Spammers: Do not reply to spam messages. Do not click unsubscribe links. Do not email the ISP (Internet Service Provider) that supposedly delivered the message. People sending spam forge their IP addresses and use bogus email addresses, which means you can't contact them or trace them. But even if you could email them, you wouldn't want to: Such an action would only verify that your email address is correct -- something that would ensure that you get even more spam!
- Post Your Email Address on the Internet: Do not post your personal email account on a website. Evil spam-bots scour websites for email addresses -- if they find yours, they'll grab it and never let go. People try to get around this by breaking their email addresses up into chunks, like this: matt [at] macinstruct . com. That won't help you evade spam-bots these days! Create a junk Gmail account and post that if you really need to publish an email address on the Internet.
- Be a Cyber Vigilante: Do not spam the spammers. Do not try to retaliate against people spamming you. Legend has it that a systems administrator at the University of New Mexico tracked down an individual who had spammed him and launched a DoS attack against the spammer -- from a UNM production web server. Turned out that was a bad idea. The spammers completely flooded UNM's mail server with junk mail for months after that, rendering the UNM mail server completely useless.
- Buy Spam Stuff: Don't even think about buying anything advertised in a junk mail message. If you want to buy cheap, no-name pharmaceuticals (!), buy them from somebody other than a petty electronic criminal.
- Report Spammers: There are tons of websites and applications that allow you to track and report spammers. The organizations that provide these services claim to be building databases full of the bad guys, and they say that the information they collect can later be used to track down and eliminate the nasties. Don't believe the hype. The spammers can't be tracked or traced, and even if they are busted, they'll just move somewhere else.
TIPS FOR AVOIDING SPAM:
Currently there is no foolproof way to prevent spam. Based on our research, we recommend that Internet users try the following methods to prevent spam:
- Disguise e-mail addresses posted in a public electronic place.
CDT received the most spam just by placing an e-mail address at the bottom of a webpage. Spammers "harvest" these addresses with computer programs that collect and process addresses and add them to spam mailing lists. If a user must post his/her e-mail address in a public place, it is useful to disguise the address through simple means such as replacing "example@domain.com" with "example at domain dot com" or other variations such as the HTML numeric equivalent, in which "example@domain.com" could be written "example&#64;&#100;omain.com."
Opt out of member directories that may place your e-mail address online. If your employer places your e-mail address online, ask the Webmaster to make sure it is disguised in some way.
- Read carefully when filling out online forms requesting your e-mail address, and exercise your choice.
- Use multiple e-mail addresses.
When using an unfamiliar Web site or posting to a newsgroup, establish an e-mail address for that specific purpose. Alternatively, instead of just using one or two e-mail addresses, you can use "disposable e-mail addresses," which consolidate e-mail in a single location but allow you to immediately shut off any address that is attracting spam. By recording which disposable address was used at which web site, one can track what sites are causing spam. Many Web sites are now providing free e-mail accounts. A search in Google Directory for "disposable e-mail addresses" provides a list of e-mail providers designed for one-time use e-mails.
- Use a filter.
Many ISPs and free e-mail services now provide spam filtering. While filters are not perfect, they can tremendously cut down the amount of spam a user receives.
- Short e-mail addresses are easy to guess, and may receive more spam.
At least one spammer tried to guess the e-mail addresses used in this study by sending mail to short and common addresses. E-mail addresses composed of short names and initials like bob@ or tse@, or basic combinations like smithj@ or toms@ will probably receive more spam. E-mail addresses need not be incomprehensible, but a user with a common or short name may want to modify or add to it in some way in his or her e-mail address.
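The HTML numeric encoding discussed in the first section and under "Disguise e-mail addresses" can be produced and checked with a short script. This is an added example, not part of the original article or the CDT report; the function names and the example.org addresses are constructed for illustration. It encodes an address as numeric character references and audits page markup to show which addresses are readable as plain text and which only appear once entities are decoded, as a browser would do.

```python
import html
import re

# Deliberately simple address pattern, the kind a plain-text scan of markup relies on.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def encode_entities(address: str) -> str:
    """Encode every character as an HTML decimal numeric reference (&#NN;)."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def mailto_link(address: str) -> str:
    """Build a clickable link whose markup contains no literal address."""
    encoded = encode_entities(address)
    return f'<a href="mailto:{encoded}">{encoded}</a>'


def audit(page_source: str) -> dict:
    """Split the addresses on a page into plainly exposed and entity-disguised."""
    plain = set(ADDRESS_RE.findall(page_source))
    # html.unescape performs the same decoding a browser applies before display.
    decoded = set(ADDRESS_RE.findall(html.unescape(page_source)))
    return {"plain": sorted(plain), "entity_only": sorted(decoded - plain)}


# Constructed sample page: one plain address, one partially encoded, one fully encoded.
SAMPLE_PAGE = (
    "<p>Sales: sales@example.org</p>\n"
    "<p>Webmaster: webmaster&#64;&#101;xample.org</p>\n"
    "<p>Support: " + mailto_link("support@example.org") + "</p>\n"
)

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE)
    print("readable without decoding:", report["plain"])
    print("visible only after decoding:", report["entity_only"])
```

Anything listed under "plain" is exposed to the simplest harvester; the "entity_only" addresses are protected only for as long as harvesters skip the decoding step.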
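The per-site address idea under "Use multiple e-mail addresses" can also be sketched in code. This is an added example, not from the original article; it assumes a catch-all mailbox on a domain you control (example.org here), and the key, function names and alias layout are hypothetical. Each site gets an alias carrying a keyed tag, so incoming spam can be attributed to the site that leaked the address, and guessed addresses of the kind described under "Short e-mail addresses" are recognized as never issued.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # assumption: a private key known only to the mailbox owner
MAIL_DOMAIN = "example.org"           # assumption: a domain with a catch-all mailbox you control


def tag_for(site: str) -> str:
    """Keyed tag that cannot be computed without SECRET_KEY."""
    digest = hmac.new(SECRET_KEY, site.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:10]


def alias_for(site: str) -> str:
    """Address to hand out to exactly one site, e.g. when filling in its sign-up form."""
    return f"{site.lower()}.{tag_for(site)}@{MAIL_DOMAIN}"


def attribute(recipient: str):
    """Return the site an alias was issued to, or None if it was never issued."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != MAIL_DOMAIN:
        return None
    site, _, tag = local.rpartition(".")
    if not site or not hmac.compare_digest(tag.encode(), tag_for(site).encode()):
        return None  # short, guessed or tampered address
    return site


def leak_report(spam_recipients) -> dict:
    """Count spam per issuing site; unissued addresses are grouped together."""
    counts = {}
    for recipient in spam_recipients:
        source = attribute(recipient) or "guessed-or-unknown"
        counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed recipients of spam: two issued aliases and two guessed addresses.
    seen = [alias_for("forum.example.net"), alias_for("forum.example.net"),
            "bob@example.org", "smithj@example.org"]
    print(leak_report(seen))
```

An alias that starts attracting spam can then be blocked at the mail server without affecting the addresses given to other sites.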