Below I detail a viable and proven plan to reduce spam. This is a plan that we, normal everyday people with e-mail inboxes, can do while we wait for our various governments to finish dragging their feet. This plan works. I’ve been doing it for years. If more people employ this plan, I sincerely believe we will force a major reduction in spam for everyone.
Please, read the plan. Tell others. Pass it around (preferrably as a link as I’d like to keep a live dialog going on this topic). Emply the plan and save us all some inbox space.
Spammers—or, as they like to be called, “e-mail marketeers”—get e-mail addresses in three distinct ways:
Method One: E-Mail Harvesters
First, they routinely crawl websites and the sites to which they link using automated, search-engine-like bots called “e-mail harvesters” or “spambots”.
Harvesters just crawl around the Web (and other Internet services like Usenet Newsgroups, chat rooms, instant messenger service member directories, etc.) looking for the @ symbol, a required part of any e-mail address. When an @ is found, the harvester captures it and any and all characters to either side of the @, until it encounters a space, punctuation, or an HTML tag. So it would grab the address bob@bob.com from all of the following passages:
“…to contact me, please e-mail me at bob@bob.com any time…”
“Post By: <a href=“javascript:degrease(‘kxkekxkflxv’,9)”>Bob</A>”
“…so I said to bob (<a href=“javascript:degrease(‘kxkekxkflxv’,9)”>e-mailBob</A>) that it wasn’t his…”
You might notice how example number two is a common sight on a blog. That’s from where my e-mail address was compromised: Someone’s blog.
Your e-mail address is not even safe in the following example:
“…to contact me, please e-mail me at bob@NOSPAMbob.com any time…”
It isn’t safe because this is such a common trick. Inserting a harvester-fouling phrase like “NOSPAM” or “N0-SPAM” (note zero in the second example) doesn’t really foul harvesters any more. This trick is several years old, and harvesters and “spam-bots” are pre-programmed to strip out such common trickery.
Want proof of any of this? Set up a dummy Yahoo! or Hotmail account and use it only to post to blogs or newsgroups, even with some kind of spam-bot-fouling trickery. Keep the account up for a few months and watch it gradually accumulate more and more spam.
For the record, Yahoo! accounts not added to the member directory are reportedly pretty safe from “spontaneous” spam. If you don’t use it anywhere, it shouldn’t accumulate spam.
Method Two: Chain Letters
This second method is much smaller, though still very successful. The third method, below, is the most wide-spread and is responsible for the largest portion of spam in your inbox.
The second method employed to collect e-mail addresses for spam is Chain letters.
“Send this to seven people (after you make a wish). Make sure it is sent as soon as you read it or your wish won’t come true.” This is an actual quote from a message I received recently. I get these from time to time, like most everyone else. The message usually contains a joke or an offer for money or a plea to help some non-existent stricken child or blah blah. They’re scams, folks. The purpose behind chain letters is to harvest e-mail addresses.
Look at the last chain letter you received. What’s in there? The main body, sure. What else? Yes. That. The address of the person who sent you the chain letter, and the addresses of everyone else to whom she sent it. Look further, below all the “>”. There are more e-mail addresses, the addresses of those who received the message at the same time as the person who sent it to you… And all the people before them, and before them, and before them, and…
There is often a list of several dozen (or more) e-mail addresses, nearly all of which are guaranteed as good and functioning because they were specifically and innocently chosen by the well-meaning sender. The original sender was not well-meaning, however. The original sender is counting on the law of averages (one person sends it to seven, each of whom sends it to seven others, each of whom sends it to seven others, and so on) to eventually get the message back to him or to someone he knows. When he does get it back, he’ll have a fresh list of hundreds of validated e-mail addresses ripe for his latest XXX advertisement.
If you feel you simply must pass along a chain letter, please, for the piece of mind of those with whom you like enough to share the message, use this very, very simple trick: It’s called the BCC field. Blind Carbon Copy.
- Put your address in the To field.
- Enter the addresses of your recipients in the BCC field.
- Please also be kind enough to protect those not savvy enough to protect themselves by stripping out the e-mail addresses of previous senders.
- To be extra safe and protect yourself, add these very instructions to the bottom of the message, right next to where it says “send this to seven people” so that your recipients will also learn to protect themselves and their friends (you among them).
Addresses in the BCC field will not be shown in the message. Thus you will be protecting your friends while sharing with them.
Method Three: Buying Lists
The third and most successful way spammers obtain e-mail addresses is by buying them as part of lists. You put yourself on these lists. Or, more accurately, you give your e-mail address to apparently trustworthy sites that turn around sell your address.
Often sites like IffySite.com will supplement their primary income by selling the e-mail addresses of members/customers/whatever. This is a pretty lucrative practice, believe it or not, and extremely prevalent despite the proliferation of claims of privacy. Most privacy policies state that sites, their owners, and “affiliates” are allowed to send you mail they think will interest you. This is the clause that allows them to legally sell your address to spammers.
Since I own several domains, with the ability to create an unlimited number of e-mail addresses, I have the luxury of doing a little more in terms of identifying from whence spam originates. Any site on which I don’t feel safe providing my e-mail address, but am required to for some reason, I “key” the address to the site. For example I might enter the e-mail address of iffysite.com@myrealdomain.com (where @myrealdomain.com is actually my real domain name) when filling out a form on the fictitious IffySite.com. Mail addressed to this new address will automatically deliver to my primary POP3 e-mail account unless I specifically configure my server to do something else with that mail. Later I’ll explain some of the things I do with those addresses… And what you can do to reduce spam.
If/when spam arrives to my new, keyed-address, I know that IffySite.com has compromised my e-mail address somehow. If it was used in some kind of public or semi-public posting—a forum or online profile, for example—then spam is be expected. Anywhere e-mail addresses appear enmasse, harvesters will be pointed. However, if the only place iffysite.com@myrealdomain.com appears is in a single form I’ve filled out on IffySite.com—say, a registration or order form—and it generates spam from sources not obviously affiliated with IffySite.com, I know that IffySite.com is not a trustworthy business entity and sells its member/customer/whatever list.
This method of keying an e-mail address is a much more accurate way of knowing how trustworthy a particular site or business is than trusting in their often meaningless privacy policies—many of which are often simply ripped from another site.
So what do I when I realize that IffySite.com is selling my e-mail address to spammers? I do the same thing you can do.
Depending on the severity of the spam—one piece here and there or suddenly dozen—I will take one or more of the following actions:
- Add the address iffysite.com@myrealdomain.com to an Outlook rule I’ve created that kills all messages sent to a range of addresses;
- Configure my mail server to automatically destroy all messages to iffysite.com@myrealdomain.com before Outlook downloads them;
- Configure my mail server to deliver all messages addressed to iffysite.com@myrealdomain.com to a special mailbox I keep on the server simply to collect spam, which I often later followup with a complaint to anti-spam groups and lists, or;
- Create an auto-forwarder address on my mail server that sends all messages addressed to iffysite.com@myrealdomain.com to the e-mail address of the registered Owner or Administrative, Billing, or Technical Contact for the domain name IffySite.com.
The last option I use sparingly, but I feel perfectly justified in it.
The last option is the crux of the plan to reduce spam for everyone.
The Plan To Reduce Spam
If my address was sold to a spammer, then it was a human being who made the decision to sell my address. It was a human being who profited from my frustration. Let him deal with the spam he intended for me. Let him feel the frustration I would have felt by all this unwanted mail. Let him pay for the lost productive time and connection charges. Let him change his e-mail address to avoid that flow of spam. Remember: The terms of domain ownership stipulate that the e-mail address on file for a contact must be current at all times, so changing that e-mail address requires some effort and is usually a great inconvenience to the owner… Just as it would be if I had to change my e-mail address, as IffySite.com’s representative should well realize.
What’s more, by forwarding spam intended for me back to either the person directly responsible for it or at least to the person responsible for setting, maintaining, and changing the policies of the company that caused my address to be sold to spammers, I hope to influence, in my small way, the move away from profiting from selling trusting customers’/users’/registrants’ e-mail addresses.
Keep in mind that once one’s working e-mail address is on a spam list it will be sold and resold and propogated. The flow of spam will grow exponentially from even a single initial appearance on a single list. Once you begin receiving spam at an address it will not stop until long after that address is proven to be inactive and no longer accepting mail. Let the person who made the decision to sell your address suffer the consequences of his own actions.
I encourage everyone with the ability to do this type of keying and forwarding back to do it. If only a few thousand of the Internet’s several million users sent their spam back to the person or organization that sold it, far, far fewer companies would consider it profitable to sell customers’/users’/registrants’ e-mail addresses.
Don’t try to send it back to the spammer. Don’t mail bomb the spammer with a thousand messages. That won’t work. The spammer will not see it. They use bogus From addresses (yes, unlike much of the practice of spamming, forging a return address is illegal in the United States, but they do it anyway). Often they use the address of the next recipient on the list as the sender’s address to avoid bounced mail, thus you’ll be mail bombing the next poor shmuck who, just like you, was unlucky enough to trust a company or individual who sold his e-mail address. Instead, send all your spam back to the originating site by keying your e-mail address.
I have absolutely no guilt about sending spam intended for me back to the person who is responsible for it. I’m most satisfied by the fact that I’ll never see it. I don’t let Outlook do that kind of forwarding work; I do it all on my mail server(s) before it gets to my inbox. It’s just a simple matter of setting up a Mail Forwarder. Your hosting company can help you do it in 30 seconds or less.
By keying the address and sending that mail back to the originating site’s contact, I have reduced my spam over the years. This is a viable, proven plan to reduce spam. Nearly everyone with a virtual or dedicated server nowadays can do this.
If you do it too, you’ll frustrate a few more people who profit from your frustration. If several hundred do it we’ll cause some businesses to stop the practice of selling e-mail addresses. If several thousand of us do it, then many businesses will cease the practice of selling our e-mail adresses, and we will force a reduction in spam for everyone.
Dialogue: Questions? Comments?
By the way, though e-mail addresses are required on my blog to reduce the interference of spammers, it will be protected programmically by special coding in the page. Moreover, I categorically do not sell or redistribute e-mail addresses.
[ FYI, ‘employ’ is spelled with an ‘o’. ]
Your plan is naïve. Obviously you haven’t done due diligence before posting it to your blog by first asking for discussion in:
news:news.admin.net-abuse.email
Firstly, the registered contact for a web site is not who *sold* your name.
Second, email to the registered contact addresses to my sites are already 99% spam themselves, thus easy to clear out.
Third, even if you stuff the mailbox, all that will happen is further complaints will bounce, and it is still the valid [required] contact address.
Should they need to use their contact address, they can simply clear out the mailbox first.
Fourth, you haven’t said anything about an URL to a site on an ISP, such as AOL. Oops, won’t help there.
It is good you are using Javascript to construct mail URLs at runtime. Most harvesters don’t run a rendering engine. But they could if the practice of using Javascript became widespread.
Great, I gotta reply to myself…
I read a little closer about what you meant when you said the web site sold your name. Okay, they sold your name. Ticketmaster, BTW, is guaranteed to do that:
http://politechbot.com/p-05001.html
Unfortunately, the vast majority of people are not going to be able to configure their mail server, or even have their own mail server, to do what you suggest.
What I do is slightly different: I instantiate (using my ISPs webform for my domain) a new name for purchases, such as paypal-dot-com@. Should I get spam, which hasn’t happened yet from a purchase, I would simply delete the forward to my real mailbox.
Not that regular lusers would be able to handle that either.
If you did make a purchase via a webform on say an AOL site, and it didn’t have a privacy policy stating they wouldn’t sell your name, complaining to AOL won’t get you far.
A webbug is another way of getting on a spam list. You get an email, sometimes they just generate lots of names and try them. Should you make the mistake of reading your email with image loading turned on, congratulations: you’ve just confirmed your address as valid. All the spammer need do is work a unique number into any image URL that they can then match up with your email address.
Your subscription process doesn’t involve a confirmation. I take it you’ve never been listbombed. That’s when someone subscribes you to dozens and dozens of lists that don’t have the now-usual confirmation step of a reply before adding the email address to the list. Take the time to do that with your list. Freeware called ezmlm will automatically handle this for you.
Thanks for the well thought out feedback, George.
I think something basic may have gotten lost in the translation of my plan. I do not propose a plan to eliminate spam, merely one to reduce it.
You’re right, the vast majority of the Internet users out here neither possess the needed technology to take advantage of the plan (beyond the safety steps I’ve given regarding protecting their own e-mail addresses, sending mail to lists via BCC, etc), nor are they technologically savvy enough to make use of mail forwarders on a configurable mail server if they had access to one. I’m not saying that everyone can or even should follow my plan of keying addresses and sending back to the originating site any spam received to those addresses. My plan is geared toward people like you and me that do have access to that technology and the skill to use it. There are quite a few of us out here who fit that profile.
It may be a bit naïve, but think about it: Retaliation against the spam senders has been proven time and again as ineffectual and a waste of one’s time. Attacking the advertisers who use spam as a means of promotion is only slightly more effective since the majority of them are small, home-based businesses running Pyramid or Ponzi scams, not larger companies who have a vested interest in promoting a good brand image.
Equally useless is any plan to go after the ISPs and service providers who enable spam because, by and large, professional spammers maintain their own servers or use disposable accounts.
So, we’ve eliminated three of the five entities in the spam process. The fourth is, of course, the recipient. The fifth is the company or individual who collects the e-mail addresses.
As you noted, I use Javascript to reduce (again, not eliminate) the instances of a listable hit upon my site. I also employ [it was a typo earlier, thank you] other systems through the blog and other places to protect the addresses of my visitors.
What I am talking about is those sites that require us to provide an e-mail address before granting us access to something we desire. Maybe it’s a small software publisher’s site who sends an activation key to one via e-mail after purchase. Maybe it’s a members-only news site like ConsumerReports.com or TheNYTimes.com. It could be anything. More and more lately, even for free content, registration is the norm. It helps sites show a provable user base for promotion, setting advertising rates, securing financing, arranging partnerships, and so on. I fully support registration… As long as the registrant’s information is kept confidential.
When it isn’t, the company with whom one has registered becomes the fifth entity in the spam chain: The pimp, if you will.
If enough of us with the ability and resources sent our spam back to the pimp who sold us out to it, that pimp will have to re-evaluate his profit versus aggravation ratio. Eventually he will ask himself: Is it worth it to make a few hundred bucks here and there when I have to keep filtering out several hundred copies of each of several hundred spam messages just to read my e-mail? How often is it worth it to me change e-mail addresses just to keep selling lists?
You stated:
Sure, they can clear out their boxes. But, just like the rest of us, if that box may contain any desired mail, they’ll need to sift through it. Automated filters, as I’m sure you’ve learned first hand, have a limited lifespan. Spammers are constantly devising new tricks to defeat our filters (my favorite is inserting random characters between letters of a common keyword, and those characters being set by HTML or CSS to not show in the rendered page). So, the pimps then have to sift through their mail, just like the rest of us–thus the frustration factor transferred from us, the intended recipient, to them, the instrument of our would-be frustration.
Further, those addresses that are required domain contacts are typically used for something important: Communication with the registrar. Many people aren’t savvy enough to mark on their calendars when a domain is up for renewal, so, lest the domain go down, the site owner will want a means of receiving reminders if nothing else.
Why delete the forward? What I suggest is, instead of deleting the forwarding address, redirect it to the individual or company responsible for the spam. By deleting the forwarder you’re acting defensively, which is what we all have been doing for years. We act in defense of our inboxes, inviting the spam industry to continue on the offensive, the easier side, working to defeat our defenses without ever taking the defense themselves.
I want to change that. The best defense is a good offense. Turn your forwarder back on the source. Make them defend against their own defense-defeating mail. As you know, it’s a simple matter to do. Once you’ve done a whois on the domain, drop a contact’s e-mail address into your forwarder, and be done with it. Such a small effort, done by a few hundred of us who can do that, would make a big effort. It would put those who would victimize us into the position of being the victims of their own actions.
There is nothing exploitative about sending spam back to these people. Mail bombing them is bad, but by sending back spam they caused to be sent, they are reaping only their own seeds. Should they somehow cause the sold address to no longer receive spam, they will no longer receive spam from it. However, should the sold address generate a dozen unsolicited messages per day as a result of the pimp’s actions, then the pimp will receive that mail. The pimp receives only what s/he causes to be sent. Nothing more, nothing less.
Right. A large company like that and you’re out of luck, with this plan, anyway. That doesn’t mean you shouldn’t fight the not-so-giant companies.
I was unaware of the workings of a webbug, though I had a pretty good idea that something of that sort was going on. Thanks for informing me.
Listbombed, yes, I have, too many times. Same thing: Spam the mail back to the site on which one has used the keyed address being listbombed.
Actually, I use NotifyList.com for my Saturday Slant list. For the subscriptions to this blog, I’ll look into ezmlm. Thanks.
Again, thanks for responding. I really hope you and the 823 unique visitors this page has logged since I put it up will join me in this plan to send the frustration of spam back to some of the sources.
I hope I am not monopolizing replies, and thanks for not getting upset at my brisk attitude. I’m used to rougher forums, i.e. Usenet.
I have seen almost no spam from registrations. They all seem to have an opt-out (or even better: opt-in) checkboxes. How much spam and from where are you getting hit??? Inquiring minds wanna know.
Anyone using Ticketmaster had better be ready to revoke the email address once the transaction is complete.
I’m already using unique addresses that I can revoke when I order stuff.
Where do I get spammed from? My
InterNIC registrations, mailing lists,
and Usenet.
I don’t see any global way of eliminating or even noticeably reducing spam without going to an everyone-gets-registered-to-access the Internet scheme, which of course would be horrible. They’ve got that in China.
What might I try locally?
For mailing lists, a unique address which I’ll change if I start getting spam. Unsubscribe, resubscribe.
For Usenet, I’ve found you can put an URL within the comment field where your name goes. I’ll make a web page with a form on it to send me email, protecting the email address either by turning off read permissions and leaving execute permissions, else turning off all non-owner permissions and using cgiwrap.
The address portion will be needed to do a signup with a Usenet service,
but thereafter I can just forward it to
cypher@punk.net, which is a /dev/null sinkhole everyone has permission to use. Also, there are addresses at http://www.privacy.net/email that can be used for a “go away” autoreply.
Anyone who would want to reply to me would be able to figure out to pull up the URL and enter the message in the webform.
Should it catch on (someone offer it as a service), then spammers would write client-side http scripts, but one could add random letter pictures that must be hand entered, as hotmail.com now uses to prevent automated registrations.
Same thing for web site registrations (InterNIC): use a form. It might require using a real address, then editing it to the http form address. It might need changing the colon and slashes to something obvious like dashes to pass syntax checks.
httpColonSlashSlashPath.com
If necessary, use the trick described for Usenet to put the whole URL in the name/comment portion of the address within double quotes.
“first last http://blah.com”
You might need to get a reply there, at least initially. Maybe only allow emails from your registrar and the
ISP that hosts your site, forwarding
the rest into the bit bucket.
The good thing is you can always decide to forward it back to your real email address for a while, in case, say, you need to complain about being forged. You can’t complain if you don’t own the visible email address and can receive email there.
Another option for site registration is to use the $50/year ones at Tonga, which is really in a consulate in the US somewhere.
http://homepage.to/dnsrgstr.htm
# Unlike any other registrar, nobody can query your domain name and find out who owns that name, what servers or hosting provider you are using in what country or any other information about your domain name registration. They will only tell people whether or not a specific domain name has been registered.
—-
I think I read somewhere that you are in Portland, OR. Condolences. ;-)
Also, that you have Mac OS X.
I got that OS upgrade from 9 several weeks ago, and I am planning on moving all my operations onto it. It’s fabulous.
Have you tried training its junkmail spotter? Some sort of heuristics are involved. Take your main mail address, send it to two real POP boxes, read one using Mail under Mac OS X and see how intelligent it becomes. In training mode you can click to change the status from not-junk to Junk and the udder way.
I’m splitting (forwarding) my email into three pop boxes for now. One for my regular machine, one for the iMac, and one for reading it while at work.
OS X Mail has a full filtering capability under Preferences->Rules.
A good idea!