Why You Get Spam And What You Can Do To Stop It

Spammers operate on the principle that the more emails they send, the more money they make. The numbers do not sound like a good business model — they may need to send millions of emails to trigger a few hundred sales. But since spam is sent by infected PCs (“bots” or “zombies”), and use badly-configured email servers to route it on, the infrastructure and incremental cost is very low if not zero. All a spammer needs to do is infect machines to do the dirty work. They may not even have to spend money writing code — it's all on the 'net, for free. And if you want to be a spammer but don't have the technical expertise, you can hire armies of bots from hackers. (Recently the FBI arrested three “bot-herders”.)

Thus the spammers need to obtain as many email addresses as possible and they have a number of techniques. The primary way is to use automated processes which “crawl” the world wide web to harvest addresses. They can detect addresses both as clickable hyperlinks and plain text, and can also see through some obfuscation schemes. Therefore the worst thing you can do is have your email address on your website. As our Great Spam Experiment shows, it doesn't take long to score a hit, and as the addresses are traded with other spammers the volume only increases.

Some email addresses end up on the web through other means. Vendors, associations and others may publish your email address without your knowledge. There are a vast number of online directories that do this also. So even if you've been careful with your own website, you'll get spam anyway.

Spammers will also send email to fake aliases on domain names. Domain names are in a public database (the world-wide domain name system), so if you create a brand-new domain name it will not be long before you start to receive spam addressed to <random>@<domain>. This is because many hosting providers have a catch-all or stray mail mailbox which delivers the badly-addressed email.

Finally, if someone you know is infected by a virus, trojan, backdoor etc, it may harvest their address book. You may have the most secret email address in the world but you won't be safe if someone you know is careless about their own security.

So, what can be done about it? There are two broad approaches: prevent it in the first place, and manage it when you start getting it.

To Prevent Spam

• Disable the catchall mailbox. Contact your hosting provider or email administrator. To see if you have a catchall mailbox, send a message to a gibberish address on your domain. Where does it end up? (See also Missing Email.)

• Keep your email addresses off your website. To let customers contact you, use a form where they can type their message and click “Submit”, or use a bitmap image (.gif, .jpg) to display the address. For example:

  

• Search for your email address on the web to see if anybody has listed it. Ask for it to be removed.

To Manage Spam

• Spam filtering is sometimes useful. Recent versions of Microsoft Outlook have a terrific spam filter. But filtering is only good at reducing clutter in your Inbox, it doesn't save you the work of checking what is caught in the filter. In any case, you should definitely not use any ISP- or third-party filtering, and it's not worth spending money on a standalone program. (For more discussion, see Do I Need A Spam Filter?)

• If you receive egregious volumes of spam, you will have to change your email address. It's painful, but unavoidable. Filtering will not help you. If you have a domain name, this is quite simple and won't cost anything. Create a new mailbox. Inform all your contacts. After a month or so, delete the old address. Then go back to “To Prevent Spam” above and follow those practices.

  If you don't have a domain, and your address is <username>@<isp>, it's easy to make a new mailbox, because ISPs often provide multiple mailboxes with dial-up and broadband internet accounts. But it's generally impossible to delete the original mailbox. So in this situation you could add an auto-reply message to the original to say the mailbox is being ignored, and then ignore it. Most likely the ISP will remove old emails from this mailbox or reject new messages when it fills up.