Spam Wars

Spam, spam, spam, spam. As the Monty Python sketch goes (and from which the term 'spam' originates), spam is everywhere. It's flooding our email inboxes in epidemic proportions. It's out of control. You're missing, maybe even deleting vital emails because you've been 'blinded' by another 30 unsolicited emails clogging up your inbox. It's taken you time (and money) to download, much of it is offensive, plus you have to spend time deleting it. And what's more, YOU DIDN'T ASK FOR IT IN THE FIRST PLACE!

Yes, spam really is an Internet menace. It costs businesses a lot of money to deal with, cloggs up servers and hogs bandwidth. Spammers cover their tracks by forging the headers in their emails so that it's almost impossible to discover the sender's address. They use every trick in the book, and as people become savvy to their tricks, they devise new ones, such as altering the subject lines to read 'About last week's meeting', 'Your order has been processed' or, more devious yet, 'Recipient unrecognised at this server...' or some such nonsense.

What's more, sending spam is a profitable business. Look at it this way. Spammers can purchase lists of several hundred thousand 'active' email addresses for around £60. They're then able to send out thousands, if not millions of emails to people on these lists (whose details were 'harvested' without their owners' knowledge or consent) for a few pence. Even if they only receive a few responses to their offers of 'Enlarge your penis', 'Buy genetic viagra' or 'Please help my Nigerian friend' they've covered their costs, maybe even made a profit. And all for next-to-no outlay.

Before the advent of the Internet commercial organisations could only spam you by sending expensive paper mailings through the post (aka snail mail). Now all a spammer has to do is purchase a mailing list - or compile his/her own - send out bulk mailings and sit back. Or rather, keep mailing. The spammer has no scruples, couldn't care less who you are, or whether you're interested in the deals he's sending; in fact, he almost certainly knows you couldn't care less (or worse still, that you'd love to get hold of him for a serious 'head-to-head', hint hint). He's aware that he cannot be easily traced, so he keeps emailing with impunity. It doesn't matter if he targets an audience interested in what he (or the company he's representing) is selling. All that matters is that he receives enough responses to generate a profit. And at a few pence per several thousand emails sent, that's not exactly going to be difficult.

Like just about everyone in possession of an email address, I've been plagued by spam over the years, such that I've had to change email addresses to escape their clutches. But along the way I've learned a few valuable lessons I'd like to pass on. This is not an exhaustive article detailing every possible way of detecting and avoiding spam. There are numerous articles on the Internet on this subject, some of a very technical nature. Instead I'd like to give you a few hints of my own, especially some of the practices I've adopted which I haven't necessarily seen used by others and which seem to be working ... so far...

So, why do we receive spam in the first place? 'I'm careful with my email address, rarely give it out to people, ensure that I always tick "Do not pass on my details to carefully selected partners" when purchasing from commercial sites, and I don't visit "dodgy" sites and leave my email address for all to see,' you cry. Ah, but the spammers are ever devious!

The methods by which your email address is collected and sold on to other spammers are manifold. The most common practice is for spammers to use software ('robots') which skilfully scan web pages for email addresses. In particular they will search out @ symbols and 'mailto:' html (mailto: is the html - the code use to create web pages - command that allows you to click on email address links and send someone an email) source code, and there are probably millions of those scattered across hyperspace. Spamming software will also:

• Scan Usenet/message board postings
• Search chat rooms
• Gather addresses from mailing lists
• Visit MSN and AOL public profile pages, heaven for a spammer if you've entered your personal details for all the world to see

If you've left your email address in any of these places, expect spam sooner rather than later. Remember: spammers expend minimum effort locating your address. Just leaving their computer running all day with numerous scouting robots scouring the Internet for new email addresses requires no effort and costs nothing. Starting to see the advantages of spamming?

So how do I avoid getting spammed?

Easier said than done. If you're already receiving a lot of spam, it's probably next to impossible to get yourself removed from spammers' lists. Although it can involve a lot of hassle and inconvenience, almost certainly the best solution is to change your email address.

But be careful. Even before you create a new address, think about naming conventions. Spammers don't necessarily cull email by searching for an Internet presence; their very clever software can also 'guess' addresses. So, for example, you choose mary.jones@whatever.com. How easy is it for spamming software to guess that one? Why not make it harder for the spammer. Choose mj.mymail@whatever.com instead. Or use an uncommon letter like y or x somewhere in the address. Spam software is much more likely to pick up mary.jones22@whatever.com because it takes only microseconds for this derivative to be generated by the software. Once tested and found to be live, the spam begins. Why not use initials instead? Spam lists will often grind to a halt before they go past the first half of the alphabet and may never reach the more uncommon letters like v, z, or q. However, don't make it so difficult that you or your friends can't remember the address; and don't automatically accept whatever the ISP suggests for you, e.g. mary.jones101@whatever.com. A good, difficult-to-guess email address will make all the difference later on, so expend a little thought at the sign-up stage.

If you've purchased your own domain name, consider opting out of the 'catchall' option. For example, say I purchase the domain email address (assuming I already own the domain name) @ihatespam.co.uk. Most accounts will automatically assume that you want to receive anything before the @ symbol. Using this option a person could send me an email by putting anything before the @ (e.g. matt@ihatespam.co.uk, mail@ihatespam.co.uk, info@ihatespam.co.uk) -- it woud all reach me. While it may be convenient for the webmaster to receive email using the catchall function, it also makes it easier for spammers to hit you with junk mail. Assume you have a site with the address www.ihatespam.co.uk, all the spammer has to do to start bombarding you with mail is to put anything before @ihatespam.co.uk and hope it'll reach you. If the catchall function is in place, be assured that it will. Instead, why not limit your options by saying no to the catchall option and instead specifying specific addresses - such as info@ihatespam.co.uk or mail@ithatespam.co.uk (though be advised these 2 suggestions may be easily guessed). You could also institute a form in the place of a contact email address which forwards email to the address(es) you've set up in the domain control panel - and which brings me to my next point...

Contact forms. A really good idea. Never, but never display your email address on a webpage. If you have your own site(s) and you want people to be able to contact you via email, use a form (which will shield your address) in place of an email address. If you can't create a form, don't want to, or insist on displaying your email address, at least take precautions. Ensure that you don't use a mailto: command. Furthermore, don't use text for the email address (which can be cut & pasted). Instead display the address as an image. This may not completely deter the spammer, but it certainly can't harm.

Only give out your current email address to close, trusted friends. And while you're about it, instruct them never to give your address to someone else. Ask them not to include your address in mailings sent to others; and if they do, ensure that they/you use the BCC (blind carbon copy) function which hides your email address from other users.

Create a second email address and don't give it to anyone. Most ISP's, particularly the ones you pay to use, offer 5+ email addresses. Use them. Set up a second address to reply to emails you're unsure about. (Outlook Express, for example, allows you to send email using different email addresses as the reply address, so long as they're set up within the Accounts section - under 'Tools'). If you then start to receive spam, you'll know who sold on your address and can easily delete the account and create another with minimum effort.

Here's one trick I came up with which I haven't heard others use yet. Use a hotmail address, but configure it so that you don't receive spam when buying or registering online! Sounds easy, right? It is, but I rarely see people use it in the same way.

OK, so you're registered on 30-odd sites, whether they be DVD, book, computer hardware, domain name, music, or travel related. How do you avoid your email address being passed to spammers by any of these sites? You opt out of the 'Please pass on my name to carefully selected companies' option, right? Wrong! While many companies will honour this agreement and respect your wishes, many couldn't care less. Even some of the best known and respected have reportedly sold on email addresses to the highest bidder. The simple rule is: trust no one (forget The X-Files: spammers pose a much more real threat).

So, you've altered your email address to something hard to guess. You're ready to start changing your email details on each of the 30 or so sites so that they're able to contact you about that CD order, or to send you the latest computer newsletter to which you've subscribed. Before you go any further, sign up for a hotmail address. Hotmail is free webmail (mail that you can collect via the Internet wherever you are in the world), supplied by Microsoft. There are numerous webmail providers, some of the more common of which include Yahoo!, Lycos and Altavista. However, Hotmail has advantages which many of the others do not have, namely the spam filter option and the ability to collect hotmail in Outlook Express, meaning you do not have to go online to check your mail.

So, how can you avoid receiving spam from companies? Well, you'll have to put aside at least 3 hours to configure your hotmail account, but in terms of the hassle it'll save you later, believe me, it's time well spent.

OK, you've got a new hotmail address (it doesn't matter what) and have included it in Outlook Express email program. First, enter the hotmail site, log in to your account and click on the Mail tab (to the right of the 'Today' tab). Click on options (right-hand part of the screen, next to Help). Click on Junk Email Protection. Click on Junk Email Filter. Put a dot in the 'Exclusive' option and click OK. Go back to the Junk Email Protection section and select 'Safe List'. Keep this page open and load another browser page (Internet Explorer, Netscape, whatever). Now, visit each commercial site in turn, and copy & paste the domain name of each site (e.g. amazon.com, ebay.co.uk, maplins.co.uk) into the 'Type an address or domain' box at the top of the Safe List page. Hit Add. Each time you add to the Safe List, update your email address in the site (e.g. amazon) to your new hotmail one. Move from site to site and repeat the procedure. Ensure that you include all derivations of the domain when adding to the Safe List, e.g. if you live in the UK, for ebay include ebay.com and ebay.co.uk.

Yes, this will take a while - and you'll have to remember to repeat the procedure every time you sign up to or buy from a new site in the future - but you've already messed up the spammers' agenda. Now if any of these companies sell on your email address, or if you accidentally hit yes to 'Please pass on my name to carefully selected companies', you won't receive any spam. The only emails you will receive to your hotmail address will be from those companies you've allowed to email you. Nothing else will get through. Furthermore, you'll never again have to update your email address on sites, even if your main email address changes. Cool or what!?

What else can I do to avoid being spammed?

• Never click on links within spam emails that promise to remove you from their mailing list. These are usually a means of alerting a spammer that your email address is active. Should you accidentally do this, expect a flood of spam within hours.
• Never buy from sites advertised via unsolicited email. Not only are the products being sold likely to be illegal, dodgy or possibly even dangerous, it also encourages the growth of spam. Would you give out your phone number or postal address to someone you knew nothing about? Of course not. Accord your email address with the same degree of privacy.
• Download and use Mailwasher, an excellent piece of freeware which allows you to view all email received to your various accounts at the server level. This means that you can easily view any email you've received without having to waste time downloading it first. If you've received some spam it's simple to delete or bounce (the email is bounced back to the sender, making it appear as though it never reached you) it with the click of a button. Mailwasher also gives you the option of deleting large attachments from the server without having to waste time downloading them, especially if didn't ask for them in the first place -- you know, that image that so-and-so thought was so cool but which is 3 Mb in size and isn't half as funny as he or she thinks it is.
• Don't assume that because you've changed your email address, spammers won't find you. If your old email address is still active but no longer displayed on your site, you can still be spammed. All Internet search engines cache web pages, meaning that pages containing your old address will show up if someone decides to click on the cache link of a search results page.
• Don't respond to spammers or attempt to send them mass mailing as a 'revenge' tactic. Spammers are very careful to conceal their identities. You're very unlikely to reach the spammer directly, and even if you do, it will confirm your email address is active which may even encourage them to send more.
• Do consider disguising your email address. One common practice is to add words such as 'no spam' to the address, e.g. matt@nospamwhatever.com with instructions to remove the 'no spam' bit when someone replies to your mail. Bound to mess up the spam bot's agenda!
• Do invest in a firewall, whether you use dial-up or broadband. A spammer only has to slip a trojan through one of your Internet ports and it will start scouring your hard disk for email addresses, which will then be reported back to the spammer.
• Do report spam to the necessary authorities. Many ISPs and companies have addresses specifically set up to enable you to report incidents of spam, especially if the sender has illegally used another person or organisation in the body of the mail.
• Be careful to whom you respond via email. Even a genuine sounding query, say, a complimentary email about a piece you published on your personal web pages, may well be a ploy to confirm whether your email address is working. If you must respond, only use an address specifically set up for this purpose, which can be easily deleted if the spamming begins. Better still, if you don't require a reply, include your hotmail address as the return address - that way, any replies sent, especially spam, will never reach you. This works especially well if, for instance, you've sold an item on ebay. Assuming you've included your hotmail address as your contact address for all online auctions, the highest bidder will only be able to contact you via ebay (whose domain name is on your hotmail Safe List) and not by emailing your directly. Furthermore, if you need to email that buyer you should use your hotmail address and include a few lines explaining that he/she will not be able to directly respond to your hotmail address but can only contact you through ebay (or via your contact form - supply the link). Sure, most buyers are genuine, but when it comes down to it, you know nothing about an individual and want them to know as little as possible about you. Would you go into a shop and start handing out your contact details to the shop assistant? 'Nuff said.

If this all sounds a little paranoid and extreme, you're right: it is. Spam is crushing the Internet with the weight of junk, clogging hyperspace highways and causing daily misery to corporations, organisations and individual users alike. Remember: spammers don't give a damn about you personally. Nor do they care that they're causing system slow down, hogging internet bandwidth and causing genuine companies to lose money, even go out of business. Email has made it incredibly easy for individual users to send huge quantities of email easily, quickly and moreover, cheaply. Ironically, the ease of use of this particular communication medium may well spell its eventual doom.

As far as many are concerned -- and I include myself in this category -- nothing short of declaring outright war on the spammers will have any effect on the tide of useless crap with which we're daily deluged. But it's not hopeless. You can fight back. It requires a little extra effort, increased diligence -- thinking before acting -- but you can throw a stone in the giant's eye and blind him, even if momentarily.

Time to take up arms and fight our faceless enemy on its own terms. See you on the battlefield!