Slashdot Mirror

SpamGourmet.com

Makes it trivially easy to create a unique forwarding address for any website you care to visit, then set the domain of that site as an exclusive sender for that address.

If a 3rd party starts spamming you at that address, Spam Gourmet just drops it, but continues to deliver relevant mail.

Oh, and it's completely free.

You've just described spamgourmet. http://www.spamgourmet.com/

There's a long-running thread on the bbs for spamgourmet discussing a bunch of events like this -- spamgourmet users generally use a unique email address for each of their accounts, and so can quickly identify a problem (unless it was with spamgourmet itself, of course, but records so far show that hasn't happened). The response of the companies varies from complete denial and reticence to surprising accountability. None of it ever ended up in court, afaik.

"I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,'

Is the trading company called Ameritrade by any chance? They got a leak problem, maybe an insider job. Look at this thread on spamgourmet (an anti-spam site that I help with): http://bbs.spamgourmet.com/viewtopic.php?t=81&star t=60

Why not just use SpamGourmet or some other provider of free disposable email addresses? That way, you get to keep all your email in one place. Nice and tidy, nice and tidy,....

you can use automatically created disposable e-mail addresses.

Dude, spamgourmet.

I don't need to know about This week's hot deals on Electronics & Photo at Amazon.co.uk.

I don't either that is why I use http://www.spamgourmet.com/ and create a new account for every online purchase.

From the FA, "False positives have been a problem with e-mail marketing for a very long time".

I run a small mail server, use SpamAssassin, and I check for false positives periodically, and the only thing close to false positives that I get are marketing mails, and I don't care (nor do my users).

When I look at these mails, they suck. They often use known spam mass mailers. They are very close to spam, and its not a loss in my eye to have them quarantined with the V1agra mails as well.

I also go through my snail mail beside a trashcan and put all of the mass mail marketing junk in the trashcan without opening it.

These guys already have a much lower than 1% success rate with mass snail mail and email. I don't care if their success rate is another 10% lower than it is already.

I am not required to buy stuff from anybody. Also, there is no requirement for a business to make money. Businesses fail every day. So be it.

you never have to give out your address: spamgourmet.com

His solution: #1, spam the user. #2, notification spam. #4, multi level marketing.

I'm assuming your off by one on the multi-level marketing thing.

Well, as I see it, the other forms of "marketing" on the internet are: #4 text or graphical/flash ads, #5 deception or fraud (think mortgage brokers), and #6 annoyance ads (think popup/unders).

Now, lets look at what I tolerate on the internet.

#1, I have spamassassin trained to eliminate over 99.9% of the marketing
#2, I have a http://www.spamgourmet.com/ account for every purchase online that "requires" an email address
#3, I foe every single dipfuck here on slashdot that has multi-level marketing in their "homepage" or signatire
#4, I don't use flash. I use http://culater.net/software/PithHelmet/PithHelmet. php to eliminate banner ads and if it misses one at least the gif animation does not cycle forever
#5, I know better
#6, I haven't seen a popup/under since about 2001 because "popup blockers" are a requirement since then for a suitable browser for me

So, what escapes? Text ads. Yup. And I often click on them when I am searching for a product to help support Google for having such an excellent search engine, but I do not believe that I have ever bought something from an ad on the internet. Even the tasteful text ads on Google are 99% deception and/or fraud, or the companies have nothing over standard, known brick-n-mortar or established internet retailers.

The real problem here is ignorance of the general population. They tolerate and fall for so much of the 6 marketing methods, and actually perpetuate it. Everybody knows that spam would stop if people stopped buying V14gr4! and penis pills from spam, but people will and do reply to them, so it is profitable. The same goes for the others.

So, my only beef with the parent's del.icio.us comments, are that his recommendations are incomplete.

Foe for life!

Try spamgourmet. Same approch but easier.

If you don't want to bother creating/deleting emails in your own domain (or for those without personal domains), I've found these services to be very useful for this sort of thing:

http://www.spamgourmet.com/
http://www.sneakemail.com/
http://www.mailinator.com/

I think my point was pretty clear, proper opt-in etiquette requires an affirmative action to request repeat emails like newsletters, announcements. I will buy off on providing an email address for validation purposes for the service. Any use beyond that SINGLE confirmation email is required to be UNSELECTED by default. The marketing droids like to think of all sorts of clever things to insinuate themselves into your life so they can claim that they are following rules of the "YOU_CAN-SPAM" act and then sell that information to others. Good-luck to them, I use http://spamgourmet.com/ to provide one-off and sender restricted addresses to foil their dastardly plots and relieve me of having to wade through their fine print. I currently have over 60 aliases still getting used of which maybe 4 are actually forwarding mail.

You might want to check out http://www.spamgourmet.com/ instead.

It's kind of the same idea, but instead of holding the email for you in a disposable mailbox, it forwards it to your real address. After a certain number of uses though, the address "shuts down" and all messages sent there are eaten. You can log into the site and control the number of messages left on a particular address, set a dedicated sender, etc.

You go to the site and make an account, which requires a username, password, and real email address. From then on you can give out any address of the form:

someword.username@spamgourmet.com

Where 'someword' can be any word. You can also make ones of form someword.x.username@spamgourmet.com, where x is a number of messages from 1-20 that the address will work for, after which it shuts off.

I've signed up for some mailing lists using spamgourmet names. Initially the address is good for 5 messages. After you get the first one from the mailing list, you log into the system and set the mailing list email as the dedicated sender. Then, you can only get messages from the mailing list to that address. All others are tranparently deleted.

It's also good if you want to put an email in an eBay auction listing. You can set the address for 20 messsages, enough to keep it working through the auction, and then once the auction's over either close it down (by setting remaining msgs =0) or wait for it to run out. I've found by looking on the status page of my account at SpamGourmet, that those addresses have received a TON of spam.

It's also great for figuring out who's selling out your email address.

yeah, yeah, sendmail.

Spamgourmet ( http://www.spamgourmet.com/ ) uses sendmail for the mail server and is handling 1,741,490 disposable email addresses as I write, on tinker toy hardware.

It's a pain in the ass to configure, etc., etc., but it works very well and probably has more flight time than any other choice.

Starting to get the picture? If you haven't yet then please allow me to forward you the 40+ false bounces I get a day where spammers have used an E-mail address I have. I have the strange misfortune of having a last name that's a common english word (but not as common for a name) and I had been in the habit of getting my E-mail addresses to be lastname@domain long before spam became a problem. Thanks to the spammers I've had to move away from my preferred E-mail usernames to avoid both dictionary attack spam and bounces. The account I mentioned is with Comcast and up until a year ago it only got a few spams a month. Nothing changed on my end, I have other accounts I use to sign up for things (actually I just use Spam Gourmet) and only a very few family and friends had that address. About a year ago the level of spam jumped up a bit but what really made the account useless was the sudden influx of bounced spam messages that pretended to be from MY account.

I no longer use that Comcast account but I do download and delete the mail in it periodically. It's up to over 40 false bounces and "my mailbox is protected by _____ and you need to do ____ to prove you're not a spammer" messages. The amount of spam is much lower, about 20 a week and the Baysian filter catches most of it.

An interesting side effect is that I can see that sending bounces for E-mails flagged as spam only makes the problem worse. Most of the bounces are from mail servers saying "sorry your message was flagged as spam and not delivered". Well hell, if you think it's spam then why send a bounce? If it was just the spam it would be manageable but it's all the bounces that have made the account unusable.

In any case spam is much, much different than other form of advertising. Other forms of advertising don't hijack resources and try to do whatever sneaky, scummy things possible to make you see them. Frankly the actions spammers take to send out their spam tell you all you need to know. Do you know of any legit company that uses hijacked zombie PCs, open proxies, etc. to send out their advertising? Spammers do. They know their messages are unwanted, perhaps even illegal but they don't give a shit. Hell they even advertise false and illegal products!

How anyone could think it's "just" another form of advertising is beyond me. Perhaps marketers act like spammers where you are?

Is it just me, or does anybody else think that these attempts might show some promise, but in the long end probably won't work.

This may not work. I don't know.

The thing here is that there are basically 3 types of SPAM.

1) Annoying mails from a legitimate company that you may or may not have explicitly told them they could spam you, or you are just being punished for being their customer. The difference here is that they _DO_ comply with opting out.

2) Annoying mails from a semi-legitimate company that will not unsubscribe you without physical intervention with a baseball bat. Ticketmaster is a prime example of this, and my baseball bat is ready.

3) Annoying mails from a non-legitimate company or other entity, often outside of your country, that will never stop sending you more and more mail until your email address does not work. Even then, they will probably send mail, it just will not be delivered.

Number 2 is very annoying, but hey, maybe I will or some bozo like me might actually want to see Britney Spears someday, and a reminder that she is coming to town from Ticketmaster will bring out my weakness for such a thing. You never know.

Number 1 is tolerable.

Number 3 is not. This is were all of the phishing scams come from, the V_1_@_G_8_A, the black market software sales, rolex watches, pr0n, Nigerian scams, and whatnot. These mails often have either a deceptive subject and/or to or from address. The domain names are registered in bulk and do not have an index page at the top level of the website. The domains often have inaccurate information in the registrar's records. The products are either nonexistent, illegal, quasi-illegal, or simply a front to confirm your address so you will get more.

There are 2 things in common with the Number 3 group that do not exist in the others. A need for anonymity via email and the web as part of their "business model" and a need for that 1 in a million sale to that 1 in a million moron, so a million mails are required for one sale, and X times a million mails for enough sales to make money. In my opinion, if registrars did their job by validating the authenticity of a domain name request, a vast majority of the spam domains would no longer exist.

I don't get hardly any spam in my inbox because of a tuned installation of spamassassin. I've also reduced the amount of incoming spam by using spamgourmet from http://www.spamgourmet.com/. Its an excellent way to easily and dynamically create disposable addresses that will not receive spam after a configurable number of mails have been forwarded to you. It also lets you look to see who has tried to spam you! So far, the leader is the email address I used for an NYTimes registration. About 40 mail a month try to get to that address (I just use one of those random ones now).

I hate spam. I will foe anybody that puts spam in their slashdot sigs like for the "free" stuff like iPods or Minis. I have nothing against you wanting to make money, but if I'm not interested in either your product or helping you make money and I ask you to leave me alone, do it. DO NOT SHOUT LOUDER THINKING I WILL NOW RESPOND. DO NOT KEEP SHOUTING AND SHOUTING LOUDER THINKING I WILL RESPOND.

Too much work. Try this:

http://www.spamgourmet.com/

It's what Spamgourmet is for.

On first blush, this seems like a "look at me!" article. But I think the author does bring up some good points on methodologies used in fighting spam on a large scale. However, one thing that isn't emphasized is how little deliverable email he gets. It looks like it averages 5-10 messages per hour.

So the next question is, how would his techniques scale to a domain that processes 3.5 million emails per day and rejects 0.25-3.0 million spam emails per day. Plus, to reduce the risk of false positives, much of the spam is actually delivered to users. All delivered email has a spam score added to the email headers for the individual user to decide their threshold for filtering.

For those of you out there who are IT for domains that handle millions of emails per day, how do you handle spam? How many servers and how much bandwidth does it require?

If you're curious, I get 100 emails per day delivered and 78.2% of that is spam. Unfortunately, I've found that I can't rely on the spam score added to the headers by the aforementioned domain. My filter (k9, Bayesian) currently has a false negative rate of 0.49% and false positive rate of 0.00%. Yeah, that means I see a single piece of spam every two days on average. In reality, I'll usually get a surge of spam where on a single day I might get two or three pieces of spam, followed by a week of nothing once the filter has adapted.

For protection on the net, especially for usenet and web forms, I use disposable email addresses (ie: spamgourmet, mailinator).

Here's some blatant avertising for a spam protection service I use, http://spamgourmet.com/. You pick out an address to fill in in servicekey.messages_allowed.accountname@spamgourme t.com format, and it forwards messages_allowed messages from the servicekey account, then discards all further ones. I use this for a gmail account I have, and I've never gotten a single spam message to it. Ever.

In practice, regarding emails, I'm not sure how real a threat it is -- Even though someone may "know" my email address, they won't have access to my email? They can send fake email from me, but the don't have my PGP. Aside from be a potential recepient of SPAM, what is the harm to me that someone knows my email address? Leaving unsolicted email out of the equation for a moment, your email address HAS to be known by people -- how else can they send you email? I fully support the idea of disposable by date emails and disposable by # of messages received emails, ala Spamgourmet. I think that sort of email management (whitelists, disposable addresses, etc) is a more fruitful way to deal with things. IMHO, changing your "real" email address should not be quite so casual. I'd rather see people defend/protect their email addresses rather than abandon them. I know some are lost -- but SPAM hasn't become THAT overwhelming yet has it? I have an email address that I've used for 10 years (crap I'm old), and I've been pretty wise about it -- and I'm pleased to say I get VERY little spam to it. I do use it for my login on Amazon, some other merchants I really trust. I've stopped using it on my domain registrations, instead using a 20 email limit filter on those, which I do occasionally refill or change.

You're 1--% right though that this is one of the cons that has to be weighed into the equation. Differrent people are going to need different things, and their weighings will have different results

pros for using email as login:

1. guaranteed unique, though you'd be a fool to not have check.
2. users forget it slightly less
3. you have to send verification/password anyway

1. What if a user has more than one email address?
2. Email addresses make reasonable unique keys, but slow indexes, especially since many are very similar
3. users may use disposable email addresses and suddenly you cannot contact them

After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot, my perl ain't what it should be) to not give the "pick another account name" if a user tries to register and existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertantly spamming.

i have been using spamgourmet, http://spamgourmet.com/

so i can sign up for stuff and give my mail address out to computer forms etc.

you can't believe the spam i get through here from sites i thought were trust worthy

however you can set a limit to how many emails you want to receive from 1 to 20

does not help with the traffic but keeps my box clean.

I don't think of email as "bullet proof" but I do have a *special* email address that sends to my cellphone. For those REALLY critical things. I don't rely on it alone for critical things -- like weather alerts when I'm sailing, but in the absence of any thing else, it's one good way to get notified about stuff. Of course, I use Spamgourmet to protect the address.

Note that this article is not about the Gratis Networks freeipod offer, which was the first and most well-known, but about one of their more sleazy imitators. Here's another article that compares and contrasts a sleazy imitator to the original Gratis Networks.

Gratis Networks just requires you to do one single promotional offer--and get several of your friends to do the same. Unlike the fraudulent con game that most people are referring to when they say "pyramid scheme" (you know, the "send five bucks to everyone on this list and then add your name" type thing) no money changes hands between you, Gratis, or your referrals; the money is paid from the advertisers to Gratis. Click the link in my signature to find more info. It's legit. Granted, you're going to receive a lot of spam to the address you sign up for with, but that's what easily-available GMail addresses or disposable email address services like SpamGourmet are for.

Oh, and FYI, I received my free 20 gig iPod several months ago, and just got my free 27" Sony flatscreen TV last night. And I only need six more completed referrals to get my free Mac Mini...

http://www.spamgourmet.com/

or check out http://spamgourmet.com/, similar method with more functionality and without the need to setup a server

At least some of the complaints are misguided. We run the anti-spam disposable email address spamgourmet.com out of HE. Some enthusiastic sg users regularly report spam that comes to unexpired disposable email addresses, and the reports often wrongly implicate the spamgourmet server (which, of course, sits in HE's IP range) as being involved.

Ironically, one of the most time-consuming tasks involved with running sg is dealing with these false reports.

Engage in "privacy self defense." Don't share any personal information with businesses unless it is absolutely necessary

Or... Give them disposable information that allows you to cease hearing from them, or know when/if they have distributed your information without consent.

To this end, I highly recommend Spam Gourmet which allows the on-the-fly creation of disposable email addresses.

If you walk into McDonalds and really want to sign up for their win a free cheeseburger contest, you give them an email address like cheesy.n.youraccount@spamgourmet.com and you will only ever receive 'n' emails to that address before it dies.

Of course if you then receive emails from Pizza Hut, you know exactly where they got the email from.

If you never want to hear from the person, give them this address: me@privacy.net.

Any emails sent to that address receive a reply to the effect of: "whoever gave you this address didn't want you to have theirs".

Useful stuff!

Not only does it allow you to cut off spam, it gives you traceable addresses that can be used to see who leaked email to spammers. And it's perfect against phishing attempts.

They even have protections in place to keep people from just randomly adding to your accounts. The nice thing is, all the spam just goes away, never delivering to your email box (think of it as /dev/null for spam)

This is the same as not using email at all. Personally I find this technique useless. Don't you?

My domain registrar uses this approach on my WHOIS results, this is just taking it one step further. Use e-mail addresses like 20040901@mydomain.com, rotating each month (or whatever interval you prefer) to sign up for random things. Use a more permanent address (myname@mydomain.com) for trusted communication.

One problem is it might be a pain to update your mailbox every month (or whatever interval you choose), however, I don't really see this as being much differant that just having two e-mail addresses - one for trusted correspondence, and one for junk. I wouldn't call it a useless approach, just perhaps not the most efficient one.

Personally, I think you can kill two birds with one stone by using a service like spamgourmet.com to create throw-away e-mail addresses. It requires no maintenance, it's easy to use, and your mail can be delivered to your primary address if you do not wish to manage a second e-mail address.

I've been using spamgourmet http://spamgourmet.com/ for about a year now. Very nice way to create throwaway email addresses.

You set up and account with them (no charge) and give them your forwarding email address.

Then, when you have to fill in an email on a form somewhere, you give it the format of:

madeupname.n.youraccount@spamgourmet.com

Where

madeupname is something you create on the spot, i.e. amazon, landsend, disney, etc

n is the number of emails you want forwarded before spamgourmet cuts them off.

youraccount is the account you created at spamgourmet.

After the n messages go through, spamgourmet throws everything else into the bitbucket.

it's easy, it's cheap, and it works!

I use Spamgourmet for any site that requires an email address.

When you register (it's free!) with spamgourmet they ask for a username, password, and forwarding email address. Then when you register on a site you specify a spamgourmet email address like so:
[unique_site_id].[max_email_count].[username] @spam gourmet.com

Then all your email gets sent to spamgourmet and they process it based on the rules you set up. If the number of emails you've recieved from unique_site_id is less than max_email_count then it will be forwarded to your real address.

You can change the max_email_count for any unique_site_id after the fact at spamgourmet.com plus get stats on all the addresses you've used. I think the service is perfect.

And best of all the source code is release under the Artistic License so you can use it on your own mail server!

For those less technical, you can create unique and disposable addresses that forward to your real account with some other neat features to give you control of how each address is handled and the ability to send from the disposable. They even have open-source on how to setup the mechanisms for your own server. I have no affiliation with the site, just a satisfied user. http://www.spamgourmet.com/

... but its a DRY heave -- me

You're right. We'd like to disable the email address that the spammers have, but that means giving out a new email address to everyone we know. It also means (as he said) that we cannot post our address publicly because the spammers will quickly find it and we'll have to change it even sooner.

The solution to making this work is SpamGourmet. It's an email forwarding service. Basically, you don't give your real email address to anyone. When asked for an address you make one up for that person/organization and give them that instead. My addresses look like this: slashdotme.jmcclare@spamgourmet.com (jmcclare is my SpamGourmet username). Whenever you get an email from somebody you like, you add them to your whitelist. Spammers will only be able to send a specified number of emails to an address before it expires. You can set a default number, or put the number in the address, ie. slashdotme.[3].jmcclare@spamgourmet.com will accept three emails and then expire.

People on your whitelist can send you as many emails as they want. The only thing you have to do when an address (like a publicly posted one) gets taken in by spammers is post a new one. All of your whitelisted people can keep emailing you normally, new people will just have to get a new address from you or wherever you post your info. The old address will expire on it's own.

It's a little too complicated for the general populous to understand (although you could train a workplace to use this), but for me it's pretty much a cure for spam. Spammers can't reach me anymore. Anyone posting here should be able to use this, so I urge you to. Spam may still rule the internet around you, and your friends may keep losing your emails to their sloppy filters, but at least you won't get any crap in your own inbox.

Clear down the counter every so often at Spam Gourmet or adjust the anti-spam behaviour with a Pobox account.

Or get your ISP do hold the domain on your behalf

If it did I'd use http://www.spamgourmet.com/ to provide a disposable address.

You might want to be interested in services like Spamgourmet and Jetable. Really helpful and even more comfortable than to log into hotmail just for some registration email.

Fine, then everyone can use disposable e-mail addresses.

Or, for those who can't/don't want to have their own domain, just use the Spam Gourmet to do essentially the same thing.

spamgourmet is another similar service.

I've been using both Fastmail.fm and Spamgourmet for over a year. Both services are free and very useful.

Fastmail provides a ad-free web-based and free access to IMAP. Spamgourmet provides a free full-featured email alias system. Using both of those free services, I get essentially no spam. I haven't gotten a single message of spam to my fastmail address ever in fact. I've found the information provided at Infinite Ink provides balanced reviews of free and pay-mail providers. Fastmail, in my opinion, is the most reliable free provider I've ever used along with the best web interface I've ever found.

Reminds me of my proof of concept program I wrote for Slash.
Basically, there's a finite number of address obfuscation, and those are easy to find out - so all the program does (very slowly, to get past the checks) is de-obfuscate the email addresses, and puts them in a database along with UID, username, and info from the bio, etc.
It was quite trivial to do, offers up a highly targeted email list, and works on anything powered by Slash. And for all those k5 fans, I have one that works on scoop too. Next up - post & phpnuke ones and a phpbb/vbulletin suckers. Once I'm done I plan on writing up a little expose about it all - especially when you realize that:
A. People tend to actually post their real email addresses on these sites due to the supposed protections offered and
B. The overwhelming amount of websites that run these CMS - it's over 50%.
Working via proxies and multiple clients it would be very simple to put together lists that are more targetted then anything seen before.

So remember - ALWAYS obfuscate your email yourself, don't trust a website! At the very least, use something like SpamGourmet.Com.

If you give me a invitation I can start sending some French spam on Orkut ;) (just kidding)

orkut.10.freeman@spamgourmet.com

thanks !

...and in case you don't want to get your own domain, you can still do the same thing for free if you get yourself a spamgourmet.com address.

I prefer http://www.spamgourmet.com/ as it is forwards mail and is slightly more configurable than mailinator. Also, it avoids the problem mailinator might have of someone else reading mail to a common disposable address e.g. Slashdot@mailinator... (address syntax might be wrong, I haven't used Mailinator for a while.)

The worst thing is when your so-called friends figure out for themselves that you have a catchall set up, so you start receiving emails to pigfucker@yourdomain, grabass@yourdomain etc... and it's not even spam, it's from your friends!

I now use the free http://www.spamgourmet.com/ for my disposable addresses and highly recommend it.