What Makes You "High Risk" For SPAM?

sexykitty writes "What exactly is it that we do to invite unsolicited email to our inboxes? CNET contributor Matt Lake opened 12 free email accounts online in an experiment aimed at determining just that, and here are the results. See the risks involved in disclosing your email address through various methods. " Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

What about provider differences?

I wonder what the results would be if the editor simply created the accounts and did NOTHING with those accounts...? Then you would be able to see the differences between the free e-mail providers, their privacy practices, or simply how much of a target for spam a provider has become.

I say this because I have a hotmail account which I have never used to send mail or to register for anything. That's a big, fat, "never." (I use it to POP mail if/when Yahoo! Mail is down) Yet, when I check my hotmail account, I find that I have anywhere from 2-5 pieces of spam a day.

In turn, I have a Yahoo! account which I use to sign up for newsletters, visit chat rooms, register a domain, communicate on my web page, etc, etc... yet I only get 1-2 pieces of spam a day.

There's obviously something going on that I am not aware of. Just some food for thought... Your provider may dictate your spam ratio more than your activity...

Re:What about provider differences?

[Zico]

Actually, the only way that your provider dictates it in your case is that 1) Hotmail's the most popular free email service, and 2) the name you chose must've been an easily guessable one by the spammers. Because of (1), spammers just go through and guess Hotmail usernames. Because of (2), they were able to guess yours. There's a lot of anecdotal evidence from people who use fairly unique Hotmail addresses (remember: underscores_are_your_friend) that have never received a single piece of spam.

Cheers,

Re:What about provider differences?

[irksome]

Underscores may be your friend, but they don't stop you from recieving spam. I have had a hotmail account with an underscore for about 4 years, and I get roughly 300 spams per week. (Although, I probably disqualify myself, having used this particular address as the contact address for multiple domain registrations.)

It's pretty obvious that a lot of spammers use the part of the address before the @ as the "name" and have some way of customizing the subject of their spams ... I have gotten several "M_hockey, you have been preapproved for a credit card" or "M_hockey, get a free sample of viagra"

-

Re:customize your email address

This particular form of tagging works only, if the mailserver processing your email is running sendmail. Other MTAs use different tagging methods or none at all.

how i stop spam ....

bob@hotmail.com, if you are out there, I'm sorry but you have been getting alot of SPAM thanks to me.

Re:how i stop spam ....

[roie_m]

I had a friend that used not@liberty.2.say whenever asked his email address...

Re:My own Final Solution (tm) to spam

Sendmail always ignores plus signs in the username

I actually LEARNED something form /. today. Better check that hell froze over.

Some web-forms declare the + to be illegal and won't let you sign up with the + however. (just keep that in mind if you otherwise like the idea)

The Coward Asks...

"The dead hand of Asimov's mass psychology wins every time."

I've seen this a good many times now.
I've yet to see the source of it?
Is there an explanation short of ploughing through 3 or 300 books I don't have time to read?

Thanks.
--
The Coward

Quick summary

High-risk: Actually using the net to communicate.

Low-risk: Being a good little consumer.

Re:This one ain't hard...

"This one ain't hard..."
you've been looking at the wrong sort of porn then.

Re:Have to disagree about Ebay.

I'm on my 5th ebay email address. The first time they sold my address or allowed it to be harvested or whatever, i tried writing to their abuse desk to complain. I got back a note telling me they wouldn't help me because I had to send mail from the address in question (it's just an alias folks... but they are too clueless to understand that.) So, I solved the problem by making it their problem: every time my ebay only alias gets a spam, that alias is changed and the old one is pointed straight to their abuse@ebay.com address. now it's their problem, and they can track it down or not without bothering me in the least. They have four of those spam attractors now. heh heh

I have a confession.

For years, i have been using bob@bob.com as a junk mail address to enter. I recently found out, there is a bob@bob.com. (It used to be owned by someone at microsoft i believe.) So im sorry bob.

Re:I have a confession.

[Genom]

My personal fave is no.way@is.this.my.real.address.spammer.go.away.bzz zzzzzzzzzzzzt.org

Any human reading that will immediately know it's not real.

Any spambot reading it will try to send email to that address, and it will bounce since NOONE in their right mind has a machine name that long.

Admittedly, the bounce will cause traffic...but I'd much rather it be a bounce than my real address.

opt-out?

[Nick]

The remedy How can you avoid precisely targeted unwanted mail? Reply to it. Put remove or unsubscribe in the subject header, or follow any instructions within the actual messages. Most real business e-mail provides a functioning remove link. If the message comes via paper mail or phone, contact the company with a request to stop. Any business that's savvy enough to cross-reference records with a domain registry is smart enough to stop if it's about to lose a customer (we hope).

Most places if you follow the link to opt-out it'll just let them know you that you are active and you'll be added to more lists.

Re:What's your experience for archived mailing lis

[mosch]

I used to use dedicated e-mail addresses as my slashdot return address. A few greps of my mailbox archives tells me that in the year 2000 I got 589 messages to this dedicated slashdot address. If memory serves me correctly, I've received, at max, six actual messages from slashdot users posting private followups.

this is why i changed my address to abuse@att.com... i figure why not let the spammers report themselves?

--

Re:the big guys?

[Scott+Wunsch]

Well, I'm not sure about Slashdot, but I've noticed that the linux.com folks seem to have come up with a clever idea.

If you take a look at the source for the main linux.com page, you'll find a comment that contains the address spampoison@linux.com, both bare, and in the form of an HTML link. It is accompanied by a warning not to send mail to that address.

I suspect that what they're doing is collecting spam at that address, and then if a similar message arrives at one of their other addresses, it can be recognised and refused/blackholed immediately.

Re:My Mother's Practice Would Be High Risk :-)

[jandrese]

Your mom needs to tell her friends to stop forwarding those big header filled posts on to spammers. Honestly, I don't think those chain letters are as bad as a problem as you think they are. A spammer would have to be forwarded the letter directly from someone (who doesn't trim forwarding info), and most people don't want to send their address to spammers. The biggest danger is that a friend of a friend of a friend will forward that onto someone who posts it somewhere with the headers intact, but that's a pretty rare occurance in my experiance.

Re:Actually

[Masem]

Anything from Matt's Script Archive is about as secure as a wet paper bag.

It's not that the concepts behind the code is bad, but numerous perl experts have pointed out weaknesses and lack of checks in those codes that could easily break a system. Sure, others have improved the security of those codes as well, but most people take blind faith that because they're at Matt's Script Archive, the code is 'secure'.

And saying that thousands of sites use formmail.pl is like saying that thousands of sites use an unpatched IIS.

Hotmail Experience?

[Samus]

Maybe I'm just "lucky" but my experience with Hotmail is nothing like what the author of the article has had. I signed up so with Hotmail so that I could use it to retrieve mail from my other pop accounts at work. The amount of spam is awful. The thing that gets me is I have never used it online any place except to get a passport acct (we're an M$ shop :-(). I've sent a few emails back to friends but thats it. I'm curious to know if in general its a good service

Re:Hotmail Experience?

[Weh]

I haven't gotten one single piece of spam in my hotmail account so far.... I chose a pretty unconventional id though, so maybe that's why. I set some girl up with a Hotmail account a while back and she chose an id that's quite conventional, she got spam within days.

Re:If you think you might get Spam...

[Genom]

Problem being that it gets your real email address out there into someone else's hands -- someone who you can't control. Someone could grab the last year's worth of logs of forwarding addresses (most of which are probably legit, considering the purpose of the tool) and compile it into a list. BLAMMO! You've been spammed.

I don't give out addresses @ my domain to any company that I buy/order/sign up for something from -- they get my hotmail address.

Sonce noone who I *really* want to hear from ever emails me at the hotmail account - I can be reasonably sure the email there came from:

- MS's Spam Farm (IE: the master Hotmail list that quite obviously gets sold every couple of months to a lucky set of spammers -- despite what the article says, I open a new hotmail account every few months, and generally within a couple weeks of not doing anything with it (no mail sent, no address given out to anyone) there's about 5-10 a day - the longest this has ever taken was 2 months.)
- Companies I've signed up for stuff with
- Spammers
Thus, it's easy to contain, and about 5 minutes every month or two, I skim over the email there to make sure nothing legit came in (it never does).

My real email address gets obfuscated everywhere but on my webpage -- which is low-traffic anyway. All mail coming into me gets passed through a filter which weeds anything NOT directly addressed to me into a "suspect" mailbox.

My main mbox gets MAYBE one spam a month. The "suspect" mbox gets about one a day, two a day on Sundays (don't know why, but that's how it goes). My hotmail account gets at LEAST 40-50 a day, about half of which are generally caught by the filters there. MAYBE one legit message comes into my hotmail address every two or three months.

Have to disagree about Ebay.

[bill_mcgonigle]

I made a new address that I used only for Ebay's mailing service, where you put in a filter and they send you mail when a listed item matches. This is a non-public site (others can't see that you're on it). I often use unique addresses as it makes filtering easier. Well, I got spam to that address a couple months later, meaning either they sold it, they were hacked, or spammers setup network monitors along the route for harvesting. I sent mails to abuse@ebay.com and they went unread, returning the form letter about harvesters on auctions (which this clearly wasn't). Further letters were ignored completely (poor form for any abuse admin). I procmail that address straight to /dev/null at my ISP now.

-----
My God, it's full of source!

Re:Have to disagree about Ebay.

[guinsu]

I've found the best way to get in touch with an unresponsive company is to e-mail the address in their DNS records. If that doesn't work, call them up on the phone number in who is.

Re:And people wonder why we despam our emails...

[Tack]

If your mail server uses qmail, you can create user aliases. So suppose you want to download some 3com drivers but they require registration. Just create a file in your home directory called .qmail-3com and inside it put the email address you want forwarded to. If your username is fred, then email sent to fred-3com@domain.com will get forwarded to the address you place in the file.

It's a painless and effective way to create new email addresses when you want to register with a new service. Then, when you get email sent to one of those addresses from an unknown party, you know precisely who to blame. I have been following this practice for over a year now, and -- knock on wood -- I haven't had a single address leaked, and I've registered with some pretty obscure places. I have about 50 aliases setup. Jason.

Re:SPAM vs. spam

[craw]

From www.spam.com, the official SPAM website, is this piece of info

We do not object to use of this slang term to describe UCE (unsolicted commercial e-mail), although we do object to the use of our product image in association with that term. Also, if the term is to be used, it should be used in all lower-case letters to distinguish it from our trademark SPAM, which should be used with all uppercase letters.

Re:My Mother's Practice Would Be High Risk :-)

[FFFish]

One of these days I'm going to snap and end up subscribing every email address listed in one of those fookin' chainletter hoaxes to some nasty porn.

I will then make sure to let everyone know that the sole reason they're receiving the porn is because some dumb twat passed on a chainletter with their address. And I'll be revealing exactly who that dumb twat was...

It'll be my one small contribution to ridding the world of another moron. Said dumb twat, if not killed outright by his now-hostile "friends" will certainly never repeat his mistake...

--

Ask Slashdot

[waldoj]

See my recent Ask Slashdot ("SPAM - Stopping Rumpelstiltskin Attacks?") for more information on this topic.

-Waldo

Re:More comprehensive

[mrplow]

I do the same, though got already two nasty calls,
basically telling me to "Stop abusing our company
name, or else...!". It was pretty hard to convince
them, that no, I'm not trying to deceive people by
putting their company name into my email and thus
pretending to be them. Since then, I just mangle
their names slightly ("apple" becomes "apl" etc.)

Re:What Makes You "High Risk" For SPAM?

[edhall]

Strangely enough, I've had one of my email addresses in the clear (yes, that's it, right up there) for over three years on Slashdot, and I've posted at least a couple hundred times during that period. I get relatively little spam to that address. (Well, a piece or two a day, which is "little" compared to the dozen or two a day I get to the address listed as my domain contact.)

The way I figure, so many folks obscure their addresses or are aggressively anti-spam that few spammers even bother harvesting here. On the other hand, I usually get a series of script kiddies knocking at my door every time I post. Kind of goes with the neighborhood...

-Ed

What's your experience for archived mailing lists?

[ToastyKen]

I'm actually curious about this.. I'm on a couple of obscure mailing lists that are archived online, so that's basically the same as having your email address in cleartext on Slashdot, except that Slashdot is more heavily trafficked.

I currently get maybe a few spams a week, whereas I used to hardly get any at all before when I was more careful about having my address on the web anywhere.

What are other people's experiences with subscribing to obscure web-archived mailing lists, or, for that matter, with posting your email address in cleartext on Slashdot?

Linux Journal

[Brant]

Interestingly enough, one of the worst culprits for spam for me has been the Linux Journal. I'm talking about real paper, snail-mail spam here. I have been consistently getting 2-3 pieces of mail a month that are obviously linked to my magazine subscription. In my opinion, snail-mail spam is much worse than e-mail spam. It wastes paper and I actually have to walk somewhere to put it in the recycling bin. Has anyone else been getting this from LJ?

Brant

Re:Actually

[dallen]

Matt Wright's Formmail uses the following code to open a pipe to the mail program:

open(MAIL,"|$mailprog -t");

No error checks. This is the sort of thing that people have been complaining about (since 1996, nach). If there is any problem with the system's mail program, the form will be silently discarded. If your site uses Matt Wright's formmail script, it might be a good idea to go and change that line to say:

open(MAIL, "|$mailprog -t") || die "Can't open sendmail: $!\n";

___
-DA
> perl -MPOSIX -le '$ENV{TZ}="EST";print ctime(1000000000)'

And people wonder why we despam our emails...

[Mr.+Flibble]

Its a common theme on slashdot to obsfucate your email address, most of us here do it.

The account I have above (which is a junk account), I have had for the last 3 years. I have had it on slashdot for over two years.

Up until the last 6 months, I had not recieved a single spam message in my inbox at hotmail. My address appeared on the newsgroups, and on slashdot, but it was de-spammed to confuse the spambots. (I still love the .sig of one guy on ./ who uses a perl algorithm to hide his...)

Then I decided to register for a few online services with this email account.

Bad move.

I got hit with about 20 spam mails per day.

I don't know which one it was, but as the article says take the "we take your privacy seriously" statements, often are pure B.S.

Re:And people wonder why we despam our emails...

[PigleT]

Yes; qmail has its ways, FWIW so do the other MTAs as well. In short, you're looking for a way to host virtual domains, and to create mappings so that within one particular domain, certain users get handled separately (if any), and (optionally) all the other user-parts get diverted to one user.

I do the latter; all mail for two of my domains goes to me and I filter based on apparent destination.
~Tim
--
.|` Clouds cross the black moonlight,

Re:And people wonder why we despam our emails...

[PigleT]

`Despam'? YM `munge', that's the traditional term.

Anyway. I have to say I find Usenet is the greatest cause of spam around. Bots regularly trawl both From: and Reply-To: headers, so I get most of my spam that way.

I've found the best bet is to have complete ownership over your own (sub)domain; you can easily enough choose one or two real usernames at that subdomain to use for yourself, and then when you sign up for given services online, invent a single word (egg@, asserta@, slash@, aol@, chat@, whatever) on a per-site basis. That way you can track exactly where a given spam got your email address if you want.

I'm not convinced of the timing in the guy's article; I started getting spams to usenet@ my domain only a couple of weeks from starting using it; it wasn't even that long that the throw-away account started getting these things from /. as well.

The moral is simple: beware of what things you publish. Not only will advertising an email address bring you spam, but sticking your box in DNS as `www' will bring you loads of packets, and appearing in an NNTP-Posting-Host: header will bring you *loads* of news-port scans as well.
~Tim
--
.|` Clouds cross the black moonlight,

Re:And people wonder why we despam our emails...

[BillGodfrey]

Anyway. I have to say I find Usenet is the greatest cause of spam around.

Usenet does not cause spam, spammers, and only spammers, cause spam.

Re:And people wonder why we despam our emails...

[Foggy+Tristan]

One of the funniest ways to despam I've seen was an email address like

judyl@BRAyahoo.com

with the sig

to email me, remove my bra

Re:My Mother's Practice Would Be High Risk :-)

[sammy+baby]

You might want to gently suggest that those pr0n ads she keeps getting are her karmic comeuppance for passing on all those awful chain mails. Spammers and chain-email senders: truly, two groups of people who deserve each other.

Risky Subnets

[sharkey]

We just moved our MX from a CoreComm affliate's IP block (Class C) to AT&T (Class A). Big jump in spam, from 5-10 week to 10+ a day spread out amongst 60+ email addys.

--

Actually

[CaptainSuperBoy]

That script is formmail.pl, which comes from Matt's Script Archive, one of the first repositories for CGI scripts on the net (I remember visiting that site as early as 1996). Formmail.pl is old, and I'm sure there are better scripts for form to mail gateways, but I can assure you it's secure.

Thousands of sites are using formmail.pl - if there was some vulnerability there, it would have been abused by now. I have seen this script abused as an open relay, but I think you can restrict the recipient in a configuration file or in the code..

--

Re:Important factor: your email address

[shri]

Check out Spammotel.com they have some cool software which allows you to identify where the spam is comming from.

They generate a unique email address for any / every different situation that you need an address for.

Re:Why run your own domain?

[wirefarm]

OK, then, let's see how it works when you spammify the address...

xcizjev55jf55t001@NOSPAM.sneakemail.com

That address agan:

xcizjev55jf55t001@NOSPAM.sneakemail.com

I always wonder how much crap you get from posting slasdot with a spammified address....
Cheers,
Jim in Tokyo


Have no clue about firewalls?

My own Final Solution (tm) to spam

[Xeger]

My own spam problem started in the dark and forlorn days of 1995. It all started because of a name.

Due to an unfortunate accident of ancestry, my initials happen to be ADS. When I got my first dialup shell account, I chose to use my initials for my login name in the style of one of my then-heroes, Robert Tappan Morris (of RTM Worm fame). Thus did I become ads@netcom.com.

You can imagine the sort of traffic this generated for me, from day one! Every yokel with a half-brained scheme and a university mail account decided that this miraculous 'ads' address must be a special mailing list for thousands of Netcom customers who sat with baited breath, waiting to learn how they could lose weight fast, get rich quick or get rid of debt.

I fought this torrent of spam for almost 5 years before I finally had the technical proficiency and computing resources to come up with a solution. The solution I finally found is elegant and simple. It keeps the spam down to three or four messages per day. More importantly, it lets me know who is distributing my name to whom, and when.

I have a host alias tracker.xeger.net. Mail sent to any address @tracker.xeger.net is subjected to extra-bitchy filters, and mail that makes the cut is forwarded to one of my normal mail accounts, address intact.

Whenever I go to a new web site, or give my email address out to anyone, I give them an address of the form 'domain_dom@tracker.xeger.net'. CNN gets 'cnn_com@tracker.xeger.net'; Amazon gets 'amazon_com@tracker.xeger.net' and so forth. When the spam comes rolling in, I know from whence it came. I know how they got my mail address. And I know who to hunt down and disembowel.

To this date, I have been solely responsible for more than 200 cancelled accounts and at least two blacklistings. The count goes up daily.

Re:My own Final Solution (tm) to spam

[Xeger]

Duly noted. I knew something was fishy about that paragraph.

Re:My own Final Solution (tm) to spam

[meldroc]

I'm surprised noone has mentioned SpamCop yet. For those who don't know about SpamCop, they are a service that offers spam-filtered email accounts, and a free spam reporting service. Forward your spam to them, all headers included, and they will automagically look up the ISP that is responsible and send a complaint to their abuse hotline. I've lost track of how many spam accounts I've helped to cancel using SpamCop. Probably not 200 though, but every TOS termination helps.

Re:My own Final Solution (tm) to spam

[Webmonger]

One variant is to use plus addressing: Sendmail always ignores plus signs in the username when delivering mail. So you can use spamcheck+aol@mydomain.com and spamcheck+marigolds@mydomain.com and they'll be delivered to spamcheck@mydomain.com, but you can see they're addressed to spamcheck+aol...

Re:My own Final Solution (tm) to spam

[kubrick]

...waiting to learn how they could lose weight fast,

Quit eating fast food all the time.

get rich quick

Put the money that you would have spent eating fast food into the bank

or get rid of debt

Take the money out of that bank and use it to pay off your credit cards and other debts.

Those solutions will never work. People always want something for nothing -- it's the fundamental basis of capitalism. You can't tell these people that TANSTAAFL -- they won't believe you.

Re:My own Final Solution (tm) to spam

[YoungHack]

I have also found the mail forwarding from pobox.com to work very well. My wife used to get about 5-10 spam per day. She forwarded her old account through pobox.com and she only gets about 1 per week after the spam cleaning.

Re:My own Final Solution (tm) to spam

[Cruciform]

Having it generate an auto-reply to notify or mock the spammer is well and good, but then it also contributes to the bouncing, and flooding of crap on email servers as spammers tend to spoof their email addy.

Re:My own Final Solution (tm) to spam

[Reziac]

I just tried myusername+test@earthlink.net, and it works here -- I got the mail, addressed as advertised.

Oddly enough, it lost the carbon to my real address. ELN does *NOT* lose mail (*none* that I know of in almost 5 years, and I run a continuous crosscheck by way of most of my mail being duped to another account). Maybe hit a bug??

Re:My own Final Solution (tm) to spam

[Glint]

Sounds like the same solution http://www.sneakemail.com/ uses to spam-proof people. Someone mentioned that the last time /. had a spam discussion, and I tried it out, and it's abosolutely wonderful. Adam recommends.

- Adam

Re:My own Final Solution (tm) to spam

[pete-classic]

Wow, that is a great trick.

Then, once the spam starts pouring in you can procmail that address (real+bogus@domain.tld) to /dev/null, and your real@domain.tld mail still comes through!

-Peter

Re:My own Final Solution (tm) to spam

[spasm]

..and for those without the time / technical expertise (or the time & expertise to set up all of one's friends and relatives) there's always sneakemail: http://sneakemail.com

Lets you set up as many unique addresses as you want & forwards the mail sent to them to your regular account. If you get spammed, a) you know exactly where it came from, and b) you can shut down the forwarding. Very easy to use, very good for grandma Jones who doesn't have a clue about "all this technology" but who is already sick of spam..

Re:My own Final Solution (tm) to spam

[The+Wing+Lover]

...waiting to learn how they could lose weight fast,

Quit eating fast food all the time.

get rich quick

Put the money that you would have spent eating fast food into the bank

or get rid of debt

Take the money out of that bank and use it to pay off your credit cards and other debts.

Re:My own Final Solution (tm) to spam

[Fred+Ferrigno]

I use a similar system to the one mentioned above, and I've never gotten any spam to an alias other than one I've given out. Spammers don't expect you to have an unlimited ammount of addresses, and automated email catchers would have a hard time distinguishing it from normal addresses.

I've never had a "Bill Brady" sign me up for anything at any email address other than the one he was given. And if he did, it'd be easier just to block those out once then spending my time preparing just in case he might. Hell, he could spam every conceivable alias, and all I'd have to to do is tack on some extension (like 941) to new addresses and filter anything without that extension.

--

Re:My own Final Solution (tm) to spam

[Fred+Ferrigno]

default suggestion: slashdot@check.bizlnad.com (in this case of course the default suggestion is wrong. I misspelled the domain name for your benefit, it's not part of my illustration.)

I've fooled your script from the get-go. The word "spam" in my email address is actually a part of it, and not an attempt at munging. I think you give spammers too much credit. I've never gotten any spam to my slashdot at spamcheck.bizland.com account, even with minimal munging.

In the sad event that spammers grow wise to my scheme, I am fully able to fix it after the fact, and, if necessary, change to your(?) system with minimal disruption to any real email. I would rather spend a few minutes wading through spam dissecting how it got in than follow the aforementioned system every time I gave out an address.

Yes, my system does rely on obscurity, and it is prone to faults. However, this is just spam. The consequences of a fault are not too severe, and IMO the ease of use seriously outweighs the extra margin of security provided by the alternative. The issue of scalability seems a distant and unprobable threat; and should it rear its ugly head, it can be dealt with at that time. In the meantime, I'm happy using a system I can control in my head.

--

Re:My own Final Solution (tm) to spam

[fobbman]

thousands of Netcom customers who sat with baited breath...

Unless Netcom supplies services to some of the aquatic talent at Sea World, I'm betting you meant to use the term "bated breath".

Re:My own Final Solution (tm) to spam

[Andrewkov]

This isn't reliable... I just tried emailing myself and adding a +test to the end of my name .. I got a delivery failure message. I guess @home (who use excite for mail) doesn't use sendmail.

---

Re:My own Final Solution (tm) to spam

[gamorck]

That is easily one of the coolest things I have EVER heard. Somebody mod this man up! (Hmmm.. you are already at 5)

Somebody change the maximum number of points! Quick!

Gam

Re:My own Final Solution (tm) to spam

[Chundra]

Sounds cool. What did you use to set this up? Just sendmail?
--

Re:My own Final Solution (tm) to spam

[3-State+Bit]

The problem with this is that a spammer can spam whatever@tracker.xeger.net
A better way to do this is to give amazon.com "xeger232524272" instead of amazon_com, and then associate xeger232524272 with amazon.com on your end of the line. You can have a simple script give you another number every time you need a name. Do you need to register something with "Marigolds Inc?" simply execute this at your bash prompt:
#redirectoradd
Short nick: Marigolds Inc
Reason/description: signed up for their "infrequent" newsletter -- once per month they said.
xeger65134556132

In other words, xeger65134556132@tracker.xeger.net is now an active mailbox, and you can cut and paste it over to the web form. Associated with this new mailbox is a date and time (which the "redirectoradd" script adds), a description, the knowledge that it couldn't just be "guessed" (since an 11 digit number is not simply guessable).
Any spam tracker.xeger.net gets that's not associated with an active number is bounced, except for "xeger@tracker.xeger.net", which autoresponds so:
Subject: I haven't seen your email!
Body:
Hi, sorry for the inconvenience, but for security reasons this isn't actually my real email address. To get a real email address, you need to reply to this email with "get real address" as your subject and the body a description of who you are and why you need my email address.

I repeat, your email has NOT been delivered. For your convenience, it is attached in this reply, and any text portion is included below. It will also be included with the email notifying you of my real address, where you can simply forward it.
You wrote:
>Hi Xeger!
> How would you like to get in on this ONCE
> IN A LIFETIME opportunity??? Yes, that's
> right...[etc]

That way, if you need to give out your email address when you're not at your computer, you can still do so. You can have various levels of this, where mail to xeger1 never gets looked at, but xeger2, which you put on your resume, actually does let you look at the mail that you receive there, even while you wait for your prospective employer to establish a "formal" address. If this doesn't strike you like a good idea, you can create a few "spare" addresses with no descriptions associated with them, so that when you give it out to somebody on the spot you can cross that one off of your list and the person can email you directly, while that address is still only associated with one person and you can know if it's ever given out. for instance:
#redirectorblanklist 5
xeger6513455512123
xeger4351234214985
xeger1215437214963
xeger9467248121546
Which you can then print on a few cards and give them out whenever somebody needs an email address. You can carry around a bunch of preprinted addresses this way, and write down a description every time you give one out, even if it's just at a credit card promotion at the mall. You can write a description next to the name and put it into your database when you get home. Sure it's a LITTLE more involved than giving out billbrady@redirector.xeger.net, but then billbrady can't submit the name "asdfasdf@redirector.xeger.net" to sign you up for the Daffodils Promotion Program at daffodils.com, which mysteriously gets you a lot of spam from a bunch of people you don't know. Moreover, if everyone started doing what you do currently, then spammers could just guess email addresses and always have them delivered (if they sneak by the spam filter). Not a good idea.


What do you think?

--

Re:My own Final Solution (tm) to spam

[Wolf+Eyelash]

This reminds me of when I had the address will@austin.ibm.com. I soon realized the problem with this address when I fired up my mail reader and found 200+ emails each addressed to: This@austin.ibm.com, is@austin.ibm.com, a@austin.ibm.com, error@austin.ibm.com, message.@austin.ibm.com, There@austin.ibm.com, will@austin.ibm.com, problem be@austin.ibm.com, another@austin.ibm.com, message@austin.ibm.com, generated@austin.ibm.com, if@austin.ibm.com, the@austin.ibm.com, error@austin.ibm.com, persists.@austin.ibm.com I called the person who owned the system generating these messages and I recall him saying he wasn't able to do anything about them so I created a procmail rule to copy these messages to him and guess what, the mail bombing stopped shortly after. I also miss the days when spammers used valid e-mail addresses. I had a system for dealing with a new spammer where I would spoof an e-mail that appeared to be from the spammers address and send it to each known spammer in a list for this purpose and also send a e-mail from each of the known spammers to the new spammer stating they where interested in whatever it was they were selling. It made me giggle every time I sent a new spammer into my spambulator.

Re:My own Final Solution (tm) to spam

[jcochran]

I like this idea! I think it's time to look at my email configuration.

my own spam experiences

[double_h]

No big surprises in the article, although it was nice to see somebody do a little semi-formal research to quantify where the most spam comes from.

I have a personal email address that I do not publish on the net at large, and have been remarkably successful at keeping it spam-free. I have another email address I don't publish, which came free with my dial-up account at home, that gets between 10-20 pieces of spam per day. I guess some ISPs (even good ones) sell their customer lists. I also have a couple of yahoo/geocities emails that have been getting spammed since day one, and I don't care. Work email gets about 3-5 pieces of spam a week, almost all semi-work related (notices of developers conferences, seminars, etc.)

One thing I *do* try to do is not publish my email directly on web message boards like slashdot. I've done so in the past and noticed a definite increase in spam as a result. Instead, I'll link to my web page and list my email there -- this makes it a little harder for automated email harvesting programs. Of course, I also post on usenet, so I'm not that fanatic about stopping every last piece of spam. As long as I have one email address I can maintain as a "clear channel", I don't mind as much if the others get a little clogged with junk.

The SIZE of spam also is a factor as to how much it annoys me. I'm much less likely to get bothered by 3 lines of "Make Money Fast" than I am by a 30K HTML monstrosity that looks like crap in mutt or pine. I've recently been getting spammed by some club/rave promoter in the UK (presumably because I run an electronic music site) with large HTML emails, several times a week. I don't even live in the UK, so this is particularly stupid and annoying.

Re:my own spam experiences

[i0lanthe]

Work email gets about 3-5 pieces of spam a week, almost all semi-work related (notices of developers conferences, seminars, etc.)

I get very little spam at my 'real' address too... there are a few people who've mined official web pages or other locations where one does not get to choose whether one's address appears, though. I get some of that on two or three work-related mailing lists (sent to the list address itself), and the rest from the canonical Evil Toner-Supplies Freak (being single-minded, he is at least not real hard to filter; and since I can't think of anything else "nice" to say about this person I had better say nothing at all).

Important factor: your email address

[bmac526]

In my limited experience, I've found that the more "common" your email address, the more likely it is that you will get spam. My wife had a hotmail account nmcdonald29@hotmail.com Obviously, a good way for a spammer to operate is to send mail to obvious names like that, i.e. send mail to nmcdonald1@hotmail.com, nmcdonald2@hotmail.com, etc.
Once she changed to a yahoo account, with the address nancy94376@yahoo.com, the flow of spam has almost stopped. Of course, perhaps yahoo does a better job of filtering than hotmail.
It might be a good experiment to open up several accounts at the same service with names of varying "commonness", and see which ones get the most email, e.g.
fjkflfjk78@yahoo.com
nancy74384738@yahoo.com
nancy1@yahoo.com

All email addresses have been changed to protect the innocent.

Re:Important factor: your email address

[martin-k]

However, spammers tend to prune 'abuse' from their lists....

Hey, that's a great idea. I'm tempted to start posting on Usenet as abuse@softmaker.co^H^Hinvalid ...

-Martin

Re:Important factor: your email address

[jcochran]

Another factor is owning your own domain name (which then gives you control over the userid). Email sent to me will reach me. However, spammers tend to prune 'abuse' from their lists....

Re:Important factor: your email address

[el_$corpio]

Man Nancy1@hotmail.com is going to be pissed with you.

What makes me high risk for SPAM

[trongey]

I think it has to be the flavor. That stuff makes the most incredible sandwiches. Of course it's always been a bit too salty (which I loved as a kid), but they have the less salt variety available now for my more mature tastes.

Just make up an e-mail address

[The+Very+Evil+Doctor]

When in doubt, just make up an email addess and let them try.

I pity the poor sucker that's got whatever@fuckoff.net. He's been getting my spam for years.

"Rumplestiltskin" Attacks

[Jeff+Ballard]

Actually as the email admin for a fairly large group (over 5k+ users). One of the biggest methods for getting spam: Your user name.

Thats right, if you happen to be jeff@somewhere.com or sally@somewhereelse.com or bill@ or steve@ or smith@ or jones@ your gonna get a lot of spam. They try every username they have ever seen on anybody's server -- on your server.

A big problem is that a lot of people leave EXPN (expand) on their sendmail servers turned on. That means joe spammer can go to your server and try expanding every common username on his list and quickly he can get every user on the system to spam. Even if that is turned off, during the normal SMTP process, sendmail will generate an error code if the username is invalid... which means they can cancel that email and try the next name.

This and a lot more spam-avoidance stuff can be found in Brett Glass's paper Stopping Spam and Trojan Horses with BSD, which contains a lot of good information, even if you are not using BSD.
--

Hotmail

[Rupert]

My experience with hotmail differs from his. I signed up for a homtail account before taking an extended overseas trip. The first time I checked my account I had 6 pornographic spams waiting for me.

--

Re:Hotmail

[Tridus]

I agree. I opened a hotmail account and was recieving spam within 10 minutes.

I've had it for a week and now have over 100 pieces of spam (a lot of it caught by the spam filters mind you). I haven't used it for anything at all.

Re:Hotmail

[waterbiscuit]

I set up a hotmail account about 3 years ago, and used it on practically everything. It was myrealname@hotmail.com, and after 2 years of postings just about everywhere with no attempts so protect it, I still didn't recieve a single bit of spam- I really genuinely couldnt see what the fuss about spam actually was. After my first year or so of using this hotmail address I decided I really did not like using my real name everywhere, and subsequently I have a number of email addresses for personal use, and one for things such as /. headlines etc. I rarely used my hotmail account on usenet posts etc as I had dedicated addresses for posting-related emails etc. And then this January completely out of the blue it started- I get a minimum of 6 spam emails a day into my hotmail now. I suppose I was just lucky to keep a clean account for so long posting the address so widely.

Good Spam Filter

[Preylude]

I've recently set up a filter system in Eudora that tends to filter out about 95% of spam. It also has the welcome effect of filtering out other things that aren't totally spam, but just as annoying (like mailouts from companies you've bought stuff from).

Do simply this: Send all mail not directly addressed to one of your email addresses to a Junk folder. (not directly to your trash since no filter is perfect) You'd be surprised how much spam is caught this way (most is BCC'd to many people at once).

The only bad thing about this is it will Junk legitimate mails that you are BCC'd on. However, I've found so far that most of these mails tend to be somewhat junky anyways :)

I run a medium-popularity website that has my email address all over it so I know about spam. (5-25/day) This method seems to really help.

What Makes You "High Risk" For SPAM?

[egon]

I'd guess "Posting on Slashdot".

Awww shit....

--
Give a man a match, you keep him warm for an evening.

Re:What Makes You "High Risk" For SPAM?

[damiam]

That's why everyone munges their email address on /.

Not allways

[WyldOne]

My mom once sent for s cookbook(?) from Pillsberry. To date I have tried the 'remove' option for her 6 times. each time they say it will be removed. Then a bit later here it comes again. This e-mail has even followed her when the ISP went non-profit (change in domain names - NYX.NET. The e-mail account she has does have a limit. She has even wrote to the company directly and this has not stopped. I'm gonna set up procmail for her, but this is just the tip of the iceburg.

Another method they get you

[WyldOne]

I have one account that I keep very private. well I am now getting spam in it. I figure that they got it from my web browser. I usually put in a bogus e-mail, or my alternate (spammed) account. I had changed once and forgot to change back until a week later. By that time it was too late.

Am I the only one ???

[Mr.+Ayo]

I like spam. After years of getting only an email or two a week, I was quite pleased when I started getting spam. Any time I get a new email account, the first thing I do is post to the newsgroups. Within days I can feel 'special' because of all the email I receive!

/me

Yes, I have no life.

Being a boyscout?

[hardaker]

At least that's the time in my life where I ate the most spam...

Left off the worst one

[Snowfox]

By far, the biggest spam magnet is an eBay account.

There must be hundreds of harvesters running, collecting e-mail addresses there. Users are required to have a valid e-mail address to keep their eBay account, and by being there, you're showing a willingness to trust strangers in net commerce to some extent. This makes eBay address collections golden.

I created a rather obscure new address at my personal domain, intending to use it for eBay only. Within a few weeks, I was up to a dozen spam messages a day.

How to stop most crawlers

[macdaddy]

I have to point everyone to an paper written by Brett Glass for this one. In the paper Stopping Spam and Trojan Horses with BSD Brett discusses many SPAM filtering options, from an administrator viewpoint. He also has some excellent ideas for mailto's on webpages. In this section he suggests replacing various pieces of the email address with their ASCII code. For example he replaced the "m" in mailto, the colon, the @ symbol, the period before com, and the "c" in com with their ACSII codes. This method would work just fine since most web crawlers look at the HTML code rather than the page that would be displayed to the user (generated by the browser). What the user sees and interacts with shouldn't break. I've tried it and have had great luck. My $.02.

--

Friends

[CAIMLAS]

I'll take, "Having abusive friendships and many ex's for 1000's, Jim."

I mean really. Probably the worst way to get spam is to have a 'friend' submit your email address in those 'free porn-a-day' spam collection thingies. That, and those horrible email forwards that get your email address in them.

-------
Caimlas

Re:More comprehensive

[sirinek]

I JUST, not 10 minutes ago, got that stupid virus email from the email account I use for Slashdot, so dont think for a second you are safe at this site. Thankfully I read my mail using mutt on FreeBSD. ;)

siri

Funny, but...

[wiredog]

It is funny. It is also a good way to get sued for harassment. Hope your friend is being careful about using an anonymizer so he can't be tracked.

Re:Funny, but...

[Genoaschild]

Actually, it is not direct harassment. Your e-mail address belongs to you so if a person directly spams them for 2.5 years, it is harassment. Your e-mail address is also public so your allowed to give it away or have other people give it away. It's like your mailing address, if other people know it, they can give it to other people who give it to other people, etc. Give it to spammers. Since you are giving away something that is not private and you are not spamming them yourself, it is not true harassment. Mailing lists are legal to sell and to give away. This would most likely fall under this category.
----

Re:mp3.com not as "nice" as he claims

[Reziac]

I once tried to buy a friend's CD from MP3.com.

I received 6 spams (all junk advertising, NONE related to my registration or pending purchase) DIRECTLY FROM MP3.com before I even got the purchase finalized.

Needless to say, I bailed on the purchase. I got several dozen more spams DIRECTLY FROM MP3.COM over the next few days, at which point apparently my vociferous complaints had an effect, and the spams stopped.

The other effect is that it was over a year before I went back to MP3.com for ANY reason, and when I did have to re-register to download something, I gave them my junk Hotmail address. Ironically, this reg'n has so far produced no spam. Maybe they learned their lesson.

Re:This one ain't hard...

[huh_]

I see a lot of people are doing this. What steps do I have to take to register my own domain and get email from it? I just have DSL access, would I have to run my own mail server? And what about these DNS servers or something? Sorry, I'm not that clever, but It would be of help if I could get some more information. Thanks.

ah ha!

[NetJunkie]

So you're the guy buying all the Viagra and sending $5 to everyone's name on the list! :)

Re:I wonder how much spam will /. generate....

[cetan]

you're just asking for it when you do that.

use a dedicated spam catcher for posting on any forum anywhere on the web.

Re:Email address harvesting from your own server!

[Felix+Rodriguez]

I wonder if you could legally have an escape from this. I mean, this is a form of mini DOS attack really... And given that [big national ISP] was given a warning and they did nothing - probably makes them liable.

Hmmm.. I wish I was a lawyer. Anyone out there know if this is a possible solution?

Félix

Alpha spammers...

[ktakki]

Recently, I opened a Hotmail account. Within minutes, I had my first spam arrive (toner cartridges). Minutes. On an address that has never been given out, used, or posted anywhere.

A friend of mine has an login name that's both short and is made up of the first five letters of the alphabet. She gets upwards of 100 pieces of spam each day.

J. Random Spammer, like an orangutang with an assault rifle, could care less if spam arrives at a valid e-mail address. As long as the client can be billed for "1,000,000 direct marketing messages sent". That's all that matters.

The real problem is all of the brain dead system administrators that leave port 25 open for anyone who wants to drop trou and take a huge dump in everyones' In Box. Korea, Ireland, Brazil, China...and the good ol' USA. Idiots.

Fetch my LART gun, boy.

k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank

Re:Alpha spammers...

[plone]

Have you ever thought that maybe spammers create lists of common names and email address (eg johnsmith@*, Jilltang@*, smiles4life@* etc) , and then proceed to bombard them. If they dont get a bounced e-mail, it means that the username is active and they will carry on e-mailing it. I have a hotmail account which also gets over a 100 spams a day. I never gave out the address, but it is a fairly simple address (just my name with 2 intitals). I also have another hotmail account with a much more complex name, and i get practically no spam, apart from the services that i signed up for using that e-mail.

Re:Alpha spammers...

[gowen]

Well, the port 25 must be opened if you want to receive mail. You must add anti spam rules to your MTA then.

He means opened for relaying mail. The spam I get (10 pieces a week maybe, nearly all to my usenet@mydomain ID), is nearly all originating from the US, but routed through poorly set up machines, often in China and Korea .

Re:Alpha spammers...

[frankie_guasch]

The real problem is all of the brain dead system administrators that leave port 25 open for anyone who wants to drop trou and take a huge dump in everyones' In Box. Korea,

Well, the port 25 must be opened if you want to receive mail. You must add anti spam rules to your MTA then.

I've been using postfix for a long time. I found it is a perfect replacement for sendmail. Easy to configure and it's not an open relay by default.

Re:Alpha spammers...

[billanderson71]

With hotmail, it seems you get spam when you open an account with a name that is short, or that has a common name, i.e., JohnSmith103. The spammer just keeps incrementing the number, not caring whether the name is valid or not.

I opened a hotmail account 3 months ago with an obscure name. I haven't used it anywhere, and have received no spam.

Re:Alpha spammers...

[unicaller]

My hotmail account gets ~150-200 spam mails a day. Some times I like to empty it just to see how much spam I get in a day.

Re:Alpha spammers...

[jrp2]

Recently, I opened a Hotmail account. Within minutes, I had my first spam arrive (toner cartridges). Minutes. On an address that has never been given out, used, or posted anywhere.

The most likely cause for that is the address may have been assigned before, was abandoned, and made available again. That happened to me when I signed up for DSL, got an email account along with it, and the spam was rolling in within minutes. It became clear that a fair percentage of the spam, some music newletters, and some legitimate personal mail (from his sister, and a cousin) were addressed to the same specific name, and he shares my initials.

Bottom line, super-popular services like Hotmail, and large ISPs like Mindspring, will re-use abandoned addresses. If the previous owner was careless, or, as many of us do, used the Hotmail account as a spam box, you could very well be the unlucky recipient of a lot of spam.

blame ISPs as well

[treebeard77]

I have an email address at my dialup ISP, galaxy ( gis.net ), medium size outfit here in the northeast. I have never used this address anywhere. I have never sent email using it. I only check it to see if the ISP has sent me anything. I receive 1 - 5 pieces of SPAM ( some xxx-rated ) a day there. I can only assume the ISP or someone working there has "sold" that edress.

Don't get put in a user directory

[DeadSea]

At one point I opened about 30 free webmail accounts. I used various ones for different things, but almost all of them sat empty.

There were two of them that I never used, but which included me in their user directory. These boxes quickly filled up with spam.

So in some cases, just opening a free email account can get you spammed.

Re:Don't get put in a user directory

[TOTKChief]

If you'll read the article, you'll note that the guy said, and I'm paraphrasing, "If you opt out of the user directory upon signup, you're not going to get spammed like a madman."

Re:Email address on webpages as a graphic

[pnb2001]

But, if the spambot actually scans the html code, rather than what's represented on the screen, then it will pick up the email address in the mailto: tag right?

Re:Don't use generic e-mail names

[DavidAtkinson]

Quite. I've had this hotmail address since it's early days. I used to be carefull about munging it but these days there's just no point. I don't know how many junk messages I get in a day, but when I look at the first page of 100 messages, they all, always, are dated 'today'. Needless to say it's not a very usefull account anymore - my spam filter consists of me only looking at it when I'm expecting something.

Email address harvesting from your own server!

[Matt_Bennett]

I run my own email server, and I admit, every once in a while, I get pretty obsessive about looking at the mail logs. For a few weeks earlier this year, I had someone from a [big national ISP] dialup pounding my server with requests that came up with 'unknown user' bounces. The usernames were common first names, and names like "marketing", just trying to get a hit. My best guess is someone was using a dictionary type attack to find valid usernames to spam. I sent email to [big national ISP] giving them the logs and the specific IP address that these were originating from. No response, attack continued. I finally denied that IP range with the sendmail 'access' file.

How can you fight this type of harvesting? I can't figure out how... having some sort of feedback when an legitimate email has a mistyped username is useful, so I don't want to accept and route to /dev/null all the 'unknown user' emails.

Should I post anon?

[Cplus]

Nah.

Every time I fill out any kind of registration for crap that I don't want to get actual email about I put in hemos@slashdot.org. I don't even remember why, I think Hemos pissed me off at some point about something mundane and it just stuck in my mind. I'm thinking that dave@dave.com gets a lot because of me too.

Re:Should I post anon?

[sideshow]

I wonder how much mail lasdfj@asfk.com and the like get everyday from people typing random crap on their keyboards when told to enter an address?

Re:Should I post anon?

[fonetik]

If you are going to leave something like that, at least make it worth a damn. I always put abuse@verizon.com or postmaster@sprintpcs.com and sign them up for all those silly newsletters.

What about mail hoaxes

[spectro]

He didn't mention mail hoaxes. There is one of the best ways to harvest "live" email addresses. I wonder why the mail hoax sites don't emphasize this fact.

---

Re:AOL SUCKS!

[DebtAngel]

He had a third AOL control account sitting unused, which recived no e-mail during the coarse of his experiment.

So, yeah, not being on chat *does* seem to help.

Here's a reason

[Hollins]

I use a different email address for each place i have to give an email address to. It's very useful for filtering and sorting incoming email.

For instance, I have amazon@mydomain.com, timezone@mydomain.com, ebay@mydomain.com, nlug@mydomain.com, etc.

This way, if an address goes rogue and gets inundated with spam, I set my filter to bounce it, which clears things up within a month or two. It's also a good way to check to see if someone is violating their privacy policy by selling my email address when they promise not to.

Re:Here's a reason

[alanjstr]

Yes, but why do the filtering yourself? Sneakemail will do it for you. You can even give things longer names with spaces in them.

Re:Webforms too.

[kimihia]

Web forms are a great idea. They actually encourage people to write to you.

The only problem is when the person writing types their address in wrong.

I think usual rates for the increase in the amount of feedback you get when changing from a mailto: link to a form are something like 10x the amount.

Another thing is the feedback forms I've added to my web site. In the past I might get one comment every two months. Now I get several a day.

Still there are some old skool people who want your email address, or in case you break your form and don't notice - then how do they contact you?

Inaccessibility

[kimihia]

I'm using a text-only browser (because this computer doesn't support anything but an 80x25 text display) and I'm afraid I can't read your email address.

Might I also point out that your web site violates several of the Web Accessibility Initiatives's guidelines.

I understand that on my personal web site and have included an image with a detailed ALT tag that even blind users will be able to use. It doesn't help cognitive impaired people unfortunately, but there is a form they can use.

P.S., see also the UID on my GPG key.

Not supported by all MUAs

[kimihia]

Handy dandy, but I've recently found that + and - characters aren't supported by all mail user agents.

One case in point, I had published an email address in the form 'bla - fodge @ domain . summink', and I received an email to 'fodge @ domain . summink'. The MUA had ommitted the 'bla - ' part of the address that was being used to filter out spam.

Another poster many posts ago said that the BEST way was to use a subdomain, and then eventually drop that subdomain. With no MX and no A for the subdomain, the spammer won't know where to send the mail - which is better than post facto filters and post-connection fatal errors from your SMTP daemon. They will already have used your resources by that time, even if you never get to see the email.

You stole my secret!

[kimihia]

How the hang did you figure that out?

My copy of RealPlayer is registered to abuse@real.com. My copy of Quicktime is registered to abuse@apple.com.

Ditto for a lot of my other mail.

I also notice that funcards.com (or similiar) has a thing where it says:

To view this page and sign up for our newsletter click here: link

(To view this page, click here: link)

Most people hit the first link and get opted in to their mailing list without realising it. I've opted-in some addresses at their domain. :-) Dose of their own medicine.

Luck

[barnaclebarnes]

It seems like a lot of it has got to do with luck, especially if you take a middle of the road approach to posting your email address. I have had a hotmail account for about 3 years and it gets spammed about once a day, however another account of mine gets spammed alot more than that and I have been accessing the same sorts of sites with both accounts (Shopping, discussion, news sites, etc). Somewhere along the line one of the sites must have 'leaked' my details...

Of course my third hotmail account was used for 'special websites' which generates 10 spams a day...

Re:customize your email address

[billh]

I take it one step further, and have one of my domains setup to take any address, and forward it to my real address. I used to use a +, but ran into occasional problems when filling out some forms.

Amazing how much of my spam comes from network solutions.

A great way to get more spam

[sg3000]

How about getting your email address stuck on a forwarded joke or chain letter?

I used to get tons of jokes or chain letters forwarded to me (which I never read), but then I noticed I started getting spam in my private email account (I have a public account I use for emailing people I don't know, and a private one for people that I know). then I figured it out. If someone sends you a chain letter or joke forwarded to a bunch of people, and anyone on that list forwards it to someone else, before long you'll have a great source of email addresses. and good luck suggesting that they list addresses using BCC, instead of To. If you can't get them to stop sending you "fwd:fwd:funny joke", how are you going to get them to use BCC?

So not only are chain letters annoying and stupid, but they'll breed spam to boot.

Re:This one ain't hard...

[exodus2]

http://mricon.com/sm/guide/ I saw this in someones sig yesterday. It has lots of geat info. Ofcourse you could just read the how-to's on mail

Watch yourself online.

[Sax+Maniac]

I've gotten almost no spam since I bought my own domain. Here's some tricks that can help:

1) Use Google to search for your own email address every couple of months. This makes sure that you or no one else has intentionally or accidentally posting your address too publicly. Contact the webmasters to encourage them to take them down or munge the address. If they refuse or ignore, the only way to start fresh is to get a new address.

The biggest culprit that I've found? Private mailing lists! You'd be surprised how many mailing lists are archived on the web with unmunged adresses. Sure, the list doesn't spam you, but if they archive everything in plain text, you will be eventually.

2) Plead with your family to only the use your private email address only for personal correspondance. Personal correspondence means email that you send yourself. The intent is to keep them from typing your name into those stupid webpages like shakin-baby-butts.com. Tell them to use your alternate spamtrap email (e.g., Yahoo with filters on) if they must type your name into anything EXCEPT the mailer's "To:" field.

3) Zap any mailto links in personal webpages. Someone suggested using a picture of the address, but I've found a nicer solution. Use HTML entities to screw up your name. For example, from my homepage, the HTML source is this:

s<!-- die spammers -->co&#0116t
<!-- die spammers --> <!-- die spammers --> @
<!-- die spammers --> <!-- die spammers --> &#116;&<!-- die spammers
-->r&#00105;ng&#97;li.or<!-- die spammers -->g

This allows visitors to cut and paste the mail address. The only bot that seems to be able to parse this is Google.

that URL really IS a valid one...

[seigniory]

The URL mentioned in the article (or at least ones that look like it)

i.e. http://3519285059/remove.html

is in fact a working URL. Perhaps the nature of it leads people to believe that it is not, but visit http://packetstormsecurity.org/papers/general/obsc ure.htm to find out exactly how this works. Keep in mind that this method is blocked by many proxy servers, so it probably won't work for you from an office - try your cable modem or dial-up at home.

Re:web forms

[frankie]

I went to xpenguin.com, clicked on the email link, and viewed source.

Having your email address on a web site in any way (mailto link, body text, form element, or even just a comment tag) is an open invitation to spam harvesting.

Consider that the lowly Sircam worm will read through web page caches to find email addresses -- spambots are at least that smart.

hotmail = automatic spam

[Roadmaster]

well I dunno, but I opened a hotmail account just so that I could use msn messenger (altough with an alternative client, everybuddy). I didn't give my hotmail address to anyone. And still, it gets an average of 80 spams a week. Now, that's what I call privacy. Luckily, since I don't get anything important on that account, I can just delete everything every week. heh.

imagine if...

[tourettes]

...asdf@adsf.com was an actual email address, i have used this email too many times to keep track of, but after looking at asdf.com i started using jklsemicolon@asdf.com just to be a prick, sorry guys!

Re:Just to be a dink...

[goldfndr]

Why unleash on real.com?

Try mpaa.org or riaa.org. Might as well get some use out of them.

Re:Finally I know who you are ..

[Steeltoe]

YOUR lawyers makes the cost go up, yes?

Send him a bill! ;-)

- Steeltoe

CNet still dont have a clue about what Usenet is

[dingbat_hp]

The culprit: an unscrupulous message board

[...] used it in a single message at what was then Deja.com's Usenet Discussion Service (now part of Google).

For your information, Usenet isn't a "message board", neither is if "part of Google". Idiot comments like this perhaps explain some of the naive "Hi Guys, welcome to my chatroom" Usenet postings that keep coming from CNet.

Don't use generic e-mail names

[martin-k]

After reading the article (yes, I really did that!), I am wondering why they left out the one sure-fire recipe for getting tons of spams:

Get an e-mail address like [a-z][a-z][{insert generic family name}]@[hotmail|yahoo|bigfoot|whoever].com and you won't be able to stop the deluge.

I did that once at Hotmail and I had to stop reading the account. Now I am using it only for cases where I have to register with an e-mail address.

-Martin

Re:Don't use generic e-mail names

[homer_ca]

It's called a Rumplestilksen attack (named after the fairy tale where the troll makes the girl guess his name). I made a hotmail account with [a-z][a-z][four digit number]@hotmail.com (basically my initials + 4 digit no.) and I was receiving spam within days and without giving out that address to anybody. One of the first spams I got was addressed to xx1001, xx1002, xx1003, etc. It must have been a probe to find working addresses.

Re:Don't use generic e-mail names

[tb3]

Hee, hee. My friend thought he was really clever when he grabbed smith@ .com. I wonder if he regrets it now?

Re:Don't use generic e-mail names

[maddjn]

I did that on hotmail and had to abandon this account. The funny part is my brother and my friends on hotmail were never as spammed as me. maybe its only god hating me... maddjn

Re:MMF Spammers; their wares & methods.

[Fluid+Truth]

Another method of fighting web crawlers looking for addresses to spam is http://www.monkeys.com/wpoison/. This uses a combination of things to help prevent web based harvesting.

First, you put the e-mail addresses on their own page. You then modify (or create) a robots.txt file to tell the legitimate crawlers not to look at that page. Then, you put a "hidden" link on that page that links to the wpoison page. If anyone is rude enough to go there, it basically creates a randomish link (that actually goes back to itself) and a randomish e-mail address. The web crawler thinks that it has hit the motherlode and harvests away.

They get tons of e-mail addresses that don't go anywhere, plus they wasted a ton of time/resources.

Re:My Mother's Practice Would Be High Risk :-)

[cburley]

Feel free to point people to my web page on chain email. I have a small, but encouraging, amount of anecdotal evidence that it has managed to encourage a few people to break the habit.

My Experience With /.

[cburley]

IIRC, when I first registered with /., I used my "real" email address ("craig@mydomain"). But for most of my time here, I've used "craig-sd@mydomain".

Not only do I get plenty of spam to "craig-sd", but plenty to "sd" as well.

I don't think I ever used "sd@mydomain" here myself, so perhaps some harvester munged addresses gathered over the web and it got committed to CD-ROMs sold worldwide, 'cause I've been getting spams (to both addresses) for a long time now.

(Of course, once they get tedious enough, I can filter them here or, better yet, upstream at my ISP.)

Huh, while I'm thinking about it, might as well change my email address here to a new (munged) one.

Re:More comprehensive

[irksome]

I find support@domain cuts down on my spam a lot. For example, if I'm registering realplayer, I will use support@real.com. Or if you don't want to piss off their support people, you could always use support@microsoft.com

-

Did you notice

[whovian]

the irony? You can sign up for CNET newsletters in the right hand column by just giving your e-mail address. Sign *ME* up!

AOL SUCKS!

[Galvatron]

I wonder how much of those AOL chatroom spams were because of being in a chatroom, and how much was just because he's an AOL member. My old AOL address (which only still exists becase it's the master (undeletable) account on the AOL subscription my parents use) gets an ungodly number of spams, even though I stopped using it perhaps 4 years ago, sometime in high school. Most of the spam comes from other AOL addresses.

My Yahoo address, in comparison, gets maybe 1/10th as many spams, nearly all from identifiable sources (e-tailers I've used before, for example). So, making a "chat only" address probably won't help much with AOL spam.

The only "intuitive" interface is the nipple. After that, it's all learned.

My confession

[dman123]

I've always used a@a.com and felt sorry for that poor soul. After years of never remembering to follow up, your post inspired me...

www.a.com

Administrative Contact:
Internet Assigned Numbers Authority (IANA)
(IANA) Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA 92092
US
Phone: 310-823-9358
Fax..: 310-823-8649
Email: res-dom@iana.org

Oh, nevermind. Cancel the guilt trip. It's ICANN. I don't feel so bad now.

--
dman123 forever!

A vital distinction

[jpallas]

I think this is good research, but I have a complaint with the way the results are presented. There are two kinds of spam: mail from people you have some business with, and mail from strangers. The article downplays this difference, but it should not.

It's no surprise that people you do business with (even if it's just a free service) don't want to piss you off. They want your business (cash or eyeballs) and they won't get it if they send crap you don't want. They are seeking quality over quantity.

That's completely different from the true spammers, the people who buy and sell lists, use fake return addresses, open one-time ISP accounts for flooding, and almost often tell you that their mail complies with a years-dead US "law" on unsolicited email that never got out of committee.

I get "spam" from Amazon recommending CDs, DVDs and books I might want to buy based on my past purchases. I don't think of it as spam because I know that Amazon will stop sending it if I ask them to. Because it's infrequent and because I know that I can stop it if I want to, I don't mind it. That's the real difference between the two kinds of spam.

Consider the source

[R.Caley]

This guy thinks Usenet is `unscrupulous message board' , a Deja (now google) service and part of the Web.

Maybe the spammers were trying to email him some clues.
_O_

WTF?

[BillGodfrey]

Responsible marketers who use unsolicited mass e-mail

Show me one...

Re:WTF?

[Nihilanth]

im with you on this one. Unsolicited mass e-mail should be considered a punishable abuse of the internet in general

Unscrupulous message board?

[BillGodfrey]

The culprit: an unscrupulous message board

I opened an e-mail account with Hotmail in December of 1999 and used it in a single message at what was then Deja.com's Usenet Discussion Service (now part of Google).

It should be pointed out that it's not Deja/Google that spam, but spammers. Email addresses get attached to articles, in a similar way to slashdot articles. Those addresses get harvested and mailed.

Bill, no spam I.

You should still never opt out.

[BillGodfrey]

Remove me addresses, put remove in the subject, global opt out lists, etc.

Go to http://mail-abuse.org/rbl/reporting.html instead.

Why run your own domain?

[alanjstr]

I use Sneak Email to direct my mail. Any time I need to enter my e-mail address, I create a new one. Worried about Amazon.com going bankrupt and selling your e-mail address? Worry no more. You can adjust the filters to block domains, all mail, or just delete the address from existence. Why bother configuring your own host to filter when you can use SneakEmail for free.

Of course it helps to spamproof your address when posting to message boards (see mine above).

Filling in a needless registration form? I started putting 'abuse@theirdomain.com' instead. If Real.com wants to spam me, they'll just spam themselves.

Other things that make you "High Risk" for spam...

[fobbman]

1) You think that the sullen-looking netadmin at work would really appreciate it if you forward to them all those cute little jokes or thoughts for the day that you get from your other friends.

2) The pizzas that you ordered for the company meeting are called "Mushroom Medley", "Tofu Trio", or "Leafy Shit with Goat Cheese".

3) You expect that your friend's relative will spend 3 hours weeding out the problems in your AOL browser for $5 and warm soda.

There are others, but you get the drift.

If you think you might get Spam...

[fobbman]

...for registering for something somewhere get a free temporary email address at Spamh0le.

You can set up your account to forward email to your real address for as long as you want, and from then on it gets forwarded to their /dev/null. Handy, to say the least.

Hotmail has a new spam filter

[Rushuru]

In the article they say that Hotmail's spam filter (called inbox protector) filters about 2/3 of the received spam. I got approx. the same figures with my own hotmail account.

However, since last week end hotmail not only has a new design, but also a new spam filter. It is disabled by default, but you can enable it in the 'Options' section by setting the inbox protector filter to "High"

And it works very well so far (ok only 5 days is a bit short for an experiment). My 10-spams-a-day trash hotmail account that I only used to register on sites where you need to is now usable!

Well, it is until the spammers find a new way to circumvent it :/ Unfortunately, I don't think circumventing a spam filter is in the scope of the DMCA

Responsible marketers?

[Mastoid]

Quoth the article: Responsible marketers who use unsolicited mass e-mail as their medium of choice always provide a way out, usually in the form of a Web link or a valid reply address.

How is this unsolicited mass email, in any way shape or form, responsible?

It's this line of thinking, that anybody is fair game for a deluge of unwanted ads until they tell each and every individual sender to cut it out, that brings us the ridiculuous opt-in vs. opt-out argument. This shouldn't even be a debate. The answer is obvious, and I'll use small words for marketeers who don't get it and are currently lobbying our elected representatives:

• We don't want your ads.
• Your ads are spam, not a valid advertising.
• You can bluster to the government all you want about revenue and promotion, but in the end, you're building a business model that depends on tactics extremely unfriendly to the consumer.

Re:mp3.com not as "nice" as he claims

[Rimbo]

I've been on MP3.com for several years, and I've used a large number of its features, and I haven't experienced anything like what you're describing here. I have an artist's page, I manage several stations, I use it to buy CDs and look for (and then download) new music, I use the my.mp3.com feature to keep my favorites in order, and I get -maybe- two e-mails a month from them, which are all easily filtered because they come from "@mp3.com"!!!

Of course, if you use a fake e-mail address, you can still listen and download as much as you like without using all the extra features!

BAD web forms

[The+Pim]

in case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you.

Be careful! Your example demonstrates every mistake it possibly could. One, it requires putting your email address in the HTML, where a spammer could find it. Two, it does not appear to restrict the recipient, meaning it is effectively an open relay. Three, there is no indication that it performs effective logging, meaning it is effectively an anonymous open relay.

Not to mention that any programmer so thoughtless probably didn't think much about security, so you may be creating a new vulnerability without solving the old one.

Re:BAD web forms

[Mynn]

Be careful! Your example demonstrates every mistake it possibly could. One, it requires putting your email address in the HTML, where a spammer could find it. Two, it does not appear to restrict the recipient, meaning it is effectively an open relay. Three, there is no indication that it performs effective logging, meaning it is effectively an anonymous open relay. Not to mention that any programmer so thoughtless probably didn't think much about security, so you may be creating a new vulnerability without solving the old one.

Or you could simply do what has been working for me; I set up an AOL account that is not allowed to recieve any email. The mail is directed there, and then it bounces back to me on my root hosting account as a "failure". I get the email, no account names are revealed.

-Mynn the Museless

my experience with Hotmail was worse

[fetta]

My experience with Hotmail was very different. I opened up an account so that I could use MS Instant Messenger, and opted out of all of the marketing checkboxes on the sign in. I have plenty of other addresses, so I have never used this address anywhere. I still get 10-15 spam messages a week, even with the junk mail filter turned on.

Having said that, this was a well written and interesting article.

"Conventional wisdom has it that merely opening a free e-mail account--especially a Hotmail account--generates spam. . . . Meanwhile, my opened-and-completely unused accounts with Hotmail, Yahoo, Netaddress, and Mail.com didn't get a single pitch in six weeks."

Re:web forms

[www.sorehands.com]

The instructions you provide do distribute your email! You can read the email address from the html. What you have to do, is modify the cgi to use an address within the cgi, not passed by the form!

Re:Java script is better

[www.sorehands.com]

Good point. But Javascript does not always work.

Webforms too.

[www.sorehands.com]

I switched to using webforms on my site instead of mailto. Then I rewrote the code to hide the email address from the public since most of the form codes gets the email address from the webpage.

Re:Java script is better

[stevie-boy]

If you want to spam proof your email addy with JavaScript for on your site, I have a bit of JS on my site that will split your addy up into several document.write() statements so that the harvester bots can't see it.

Email address hider

Re:This one ain't hard...

[beebware]

Every mail I send or subscribe to a service, I use a unique email address so I can track where they got my email address.
To me, the main sources seem to be USENET (I'm still getting spam sent to an email address I used _once_ over 4 years ago), website greppers and the Network Solutions Domain Registration Database (search for a random domain, grep the WHOIS entry for email and violia!).
Richy C.

What gives?

[gimple]

Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

Why do you guys think you have to make some sort of gratuitous self-important comment after EVERY article posted? Your own self-importance is beginning to wear mighty thin.

Michael: Mod this down, censor.

Re:Here's a couple more

[Matthaeus]

My dad had a friend who had the nasty habit of forwarding anything he received. After about a hundred messages or so, I hacked out a quick perl script to find all the unique e-mail addresses in the headers. I came up with 30,000 addresses. Don't know what Dad did after that, but the forwards stopped coming.

Re:SPAM vs. spam

[Matthaeus]

http://slashdot.org/articles/01/05/29/0117200.shtm l

Caution helps, but the Inbox host is key

[Stultsinator]

When I got my DSL line installed and my machines configured properly, I thought, just for kicks, I'd check the POP box they setup for me. Ready for this? Over SIX HUNDRED spam messages were waiting for me :)

Here's a couple more

[kchayer]

In my experience, spam could be delved out a few other ways as well.

First, I have a hotmail account. When I get mail in my box that is addressed to every variant before and after my name, alphabetically, I figure that's just a buckshot approach to hitting a few addresses that might work. 'Course, I have no scientific way to demonstrate this except the suspiciousness of such CC: headers.

Second, what about email forwards? My mother-in-law is big on forwarding cutesy stories and inspirational things, as well as those fake virus warnings (when some guy was first telling me about Melissa, before he said he saw it on TV, I thought that was another one of those) and "email tracking for money/candy/cure for cancer/etc" messages. We all know someone who constantly sends stuff like that, likely. While some people even consider that borderline spam, I think the larger problem is the long list of headers, containing addresses, that end up in nefarious hands at some point or another. Again, I have no proof, but I'd bet that this kind of thing is a good way for spammers to get email addresses, when my name has been included in a long string of names on somebody's chain letter.

The problem with the second method could be greatly alleviated if people would a) clean up messages they forward; b) learn not to forward the obvious junk (a nice story or good joke occasionally is ok); and c) use BCC: instead.

"I say consider this day seized!" -Hobbes

Re:Here's a couple more

[sfe_software]

You make a good point. Outlook by default adds everyone you reply to to your Address book, which means if you "reply with REMOVE in the subject", you've added the spammer to your address book.

So Aunt Dawn now forwards the message about the virus that will blow your PC speakers and melt your CDROM to her entire address book, complete with your address and the spammers in the CC line...

Of course generally SPAM reply addresses don't go anywhere, but I'm sure some go to a bot that verifies that you have a valid address.

- Jman

Re:Here's a couple more

[hyped]

Those suggestions a), b) and c) are right on.. I was going to suggest that to my fwd-happy friend.
But here's the really ironic part:

If you do the right thing and puts multiple recipients in a BCC field, then Hotmail blocks it as SPAM!!

Yeah I know.. Friends don't let friends use Hotmail.

customize your email address

[kchayer]

If I have to use my email address to register some software, I started using a little trick to track where my mail comes from. It's simple: you can add name+extension@example.com to your address.

That way, when I get mail to me+realplayer@example.com, I know that I gave that address out when I downloaded realplayer. If email to that address starts getting out of hand, it's simple to just block to that specific address.

YMMV, as I don't know if all mailing software supports it, but for our Sendmail+Cyrus setup it works fine.

"I say consider this day seized!" -Hobbes

Don't use 1, 2, or 3-character email names

[John+Jorsett]

I get lots of spam and it's because I have a 3-character ID for my account at a large ISP. Spammers will shotgun their crap at all combinations of 1-, 2-, or 3-character IDs at larger ISPs, on the theory that many folks will be using their initials or single-character names for convenience.

Re:i have a hotmail account...

[sqlrob]

Oh great. I heard this message in my head with that horrible accent. Thanks.

I propose a new TLD - .con

[mttlg]

I wonder if congress, once it's done with .kids, would consider forcing ICANN to add a .con TLD. I already use this domain all the time for free software registration (Real player, anything Microsoft, etc.). That way, they are guaranteed to not get a working address (there's always a chance that someone will actually have this.is@fake.com).

Now, if we expand this to spammers, we could sort of get a little alliance going. Spammers are going to always spam someone, right? What we can do is give all the spammers .con addresses and filter that domain, but not tell the AOL/WebTV/etc. crowd about it. If the spammers organized and sent some money to the right people (agreeing to keep the message size and volume minimal), they could make sure that ISPs wouldn't do any filtering, leaving it to the end user. Since .con looks so much like .com, a lot of people would never even notice (unlike stuff like .ru, .kr, .jp, etc.). The spammers get some idiots without changing internet accounts every 5 minutes, ISPs get money, and the rest of us have no more spam. Everybody wins.

Spam

[blueg3]

I'm surprised this guy managed to only get one e-mail a day, on average (at the worst). Of course, I use a hotmail address to throw at places that I know will send me mail.

The overall outcome of the article? Don't give your e-mail address to advertisers. As if that shouldn't be obvious.

What makes you high-risk?

[GungaDan]

Screennames like "sexkitty" don't help.

Re:web forms

[Jantastic]

I agree - the method used:
<input type="hidden" name="recipient" value="yourname@your.org">
hides it from being presented on screen (or in voice, braille, etc.), but some b0t searching for @ddresses in HTML won't have any trouble finding it.

I'd rather put in a HTML-generating script somewhere... PHP, CGI, Perl.
If you're into seperating content, style and presentation; data like this (email address) is probably stored in a database anyway...

Re:This one ain't hard...

[guinsu]

Yeah, I started doing the unique address thing, but nothing had come of it, until ezBoard.com sold me out. And once they sold my name there was no way to opt-out. So if anyone is planning on signing up for ezBoard, don't.

Three words to filter out

[Ando[evilmedic]]

These three words do the trick for me to filter out spam:

Viagra, Unsubscribe, and Remove.

If it hits any of those words, or as substrings, it moves the message to a seperate folder.

Gets 18/20 guaranteed.

- Ando
You are the weakest link, goodbye.

Re:More comprehensive

[11223]

Maybe it's because you don't list your email addy on your account?

the big guys?

[benshutman]

im curios as to how much spam the /. guys get - considering their address is around so much. what do they do to block them?

if anyone care, mod this up so they see it. if not, i will party down here with the +1'ers


NEWS: cloning, genome, privacy, surveillance, and more!

Not necessarily...

[Burning1]

Not necessarily. Spammers will usually use other people's poorly configured relays, as well as random, and often invalid sender address to both evade black hole rules, and the costs associated with sending mass quantities of spam.

In these cases, they will NOT recieve bounce messages, and an unsubscribe very well may both mark your account as valid, and as active.

According to the article, unsubscribing seems to do more good than harm, however... So... *shrug*

Correct Link:MMF Spammers; their wares & methods.

[friday2k]

The correct link is http://www.attainwealth.com/harvest.htm

Maybe this . . .?

[Nostrada]

I guess when you make it onto one of these lists you are on the risky side of things:
http://www.alexdemos.com/humor/2.htm
Mary Ellen Dickinson ---> dickinme@iup.edu
and so on....

Re:localhost

[PixelJuice]

I've come across filters like that, that seemed to only filter out "localhost" and "127.0.0.1", not realizing that the entire 127/8 is loopback. I hope abuse@127.32.64.128 liked any resulting spam... :-)

CNET not too knowledgeable

[Gannoc]

The culprit: an unscrupulous message board

They thought that all of _Usenet_ was an "unscrupulous message board." run by Deja (now Google)

Re:It wonder how much spam will /. generate....

[sedman]

I setup a yahoo account years ago and only used it to send a test message to myself. Recently I started monitoring that account. It now gets easily 60 spam messages a week.

Unorthodox, Yet Logical Solution

[Webz]

It has been with my experience that the only way to truly avoid spam is to (aside from not having an e-mail account at all) never electronically express your real e-mail addy and keep a junk e-mail account handy. For example, if some form of registration asks me for my e-mail, I immediately give it my junk e-mail address (like the /. one above). You could always give a fake one too, like foo@bar.com, a favorite of mine, to just bypass it all togther. If one of my friends wants my e-mail, I'll give my real one to him in person and it writing probably. I know, It's a not-too-convenient practice, but hey, it's worked so far.

good filter = no risky behavior

[jqh1]

Of course, using a good filtration service like spamgourmet immunizes you from all the activities. Besides being free, ad-free, (and spam free, for that matter), spamgourmet is pretty darned easy to use.

Re:More comprehensive

[m2t]

That's sort of what I do.. I have one account for everyone I know, and then when I sign up somewhere for something (say, on apple's website) they get apple@domain.com, or ms gets ms@domain.com, then I just have my mail program kick anything that doesn't have myname@domain.com in the to field, into a seperate folder for later sorting! :) -matt

Finally I know who you are ..

[RedLaggedTeut]

contact me immediately, every day my lawyers search for you the cost goes up ..

Usenet is not DejaNews Discussion Service

[RedLaggedTeut]

I read the article. I am not sure that my reception of your words is correct, but USENET IS NOT DEJANEWS' DISCUSSION SERVICE.

It is a separate network of servers that probably existed before dejanews (and probably before you where born, too.)

SPAM vs. spam

[BlowCat]

Please don't write spam in all capitals. It is not an acronym when it means unsolicited e-mail.

Re:SPAM vs. spam

[BlowCat]

I fixed drag-and-drop from Mozilla to GMC (Gnome file manager) five minutes ago. Expect this feature in mc-4.5.55 which will be released in August 2001.

How about you?

Re:SPAM vs. spam

[Sarcasmooo!]

I'm surprised the people at SPAM haven't threatened Slashdot directly. Not for the word, but the use of the can image.

Replying to spam

[Cardhore]

It doesn't matter if you reply to spam or not. The spammer still knows that your account is real, because if it weren't, the server would rejet his message. However, he doesn't know if anyone actually reads the account.

Wow!

[update()]

Go C|Net! That was an excellent example of how to frame a question and attack it in a way where you can believe your findings. Matt Lake must have really paid attention in chem lab or stat class or something.

(How not to frame a question: go to national video game competitions, use the contestants as subjects in your study and trumpet your findings as proof that "gamers are comparable to top athletes". Also not to do: have Jon Katz post a long article on it days after Slashdot has already covered it, lift lengthy paragraphs from a newspaper article without using quotes or proper attribution and then add his own, even more overblown, conclusions.)

The most interesting thing, I thought, was how responding to "Remove" addresses didn't seem to be the disaster everyone says it is.

Unsettling MOTD at my ISP.

Hope They Do A Follow-Up

[Foggy+Tristan]

I'd be interested to see how the results hold up after 6-9 months, as some of the media sites mentioned may only disseminate e-mails on a periodic basis.

On a separate note, perhaps we could use a site where people report experiements with different sites in regards to e-mail abuse (I registered with this email and got this spam, i.e.)...or does such a site already exist and I'm too lazy to find it?

Re:MMF Spammers; their wares & methods.

[Darth+RadaR]

I do mung up my alt tags. I figure that if someone's checking out a webpage with Lynx, they should be clued enough to figure that youKEINE@SPAMMENthere.com or spam_you@spam_there.com would == you@there.com. If not, then I don't want email from them. :)

MMF Spammers; their wares & methods.

[Darth+RadaR]

Of course the best way to prevent some spammer from getting your email address off of a webpage is to just make an image of your email address instead of putting a "mailto:you@there.com" which is one of the many ways spammers do their harvesting.

Here's some of the nefarious companies and their creations...know your enemy :)
This company has an "Atomic Harvester" that fishes for email addressen and if that's not annoying enough, they also have a program that automatically spams newsgroups. And for the spammer that's too lazy or too cheap to pay for the software, then This company will harvest email addressen for a fee.

To thwart the above methods, check here for ways of protecting against those harvesters.

good way to track it

[gol64738]

anyone with their own mail server and domain should do what i do: everytime i sign up for something (e.g. yahoo), i make an address just for that company. so, i register with an email address of yahoo@mydomain.com. using this method, i can monitor who has sold me out and who hasn't.

i haven't found any real blatant offenders, except for a couple of sweepstakes sites. it's good to know that if you do receive spam, you know who sold your address.

Despite NEVER using my 'real' Email account

[SCHecklerX]

...It is CONSTANTLY filled with spam. This could be that the idiot admins have every user's name available for browsing by being oh-so-nice and providing web space, even if you didn't ask for it.

I'm more inclined to think they sell their lists. Not to mention the security at the ISP is attrocious.

I check my 'real' account about twice a week. There are always at *LEAST* 50 messages in the inbox. All spam.

The account I actually use, however, is on my *OWN* mail server. I use dyndns.org for my domain name and to provide the MX record that points to my own mail server.

The account on my own mail server gets 1, maybe 2 spam mails a month.

In summary...I think it's the fscking ISP's lack of security and selling of it's userlists that leads to spam.

btw...I post DAILY to the usenet, using the real email address that is hosted on my own mail server. The fact that I don't get spam leads me to believe that this is no longer a problem. Then again, I only post to a single alt.* group that seems to not be a target of the spambots.

Amusing - but it only afirms what we already knew

[hillct]

Ok, so it's entertaining that this guy spent the time to do such detailed - although not vary scientific - tests to gather his information, but is there anything here we don't already know?

Don't lurk in AOL chat rooms
Don't play online lotteries

Fascinating. I would have never figured this out on my own...

Perhaps it's targeted to a less knowlegable audience (given that it's on C|Net) but still, this is the sort of article that serves no real purpose other than to get the author a few bucks and some publicity.

It is amusing though to think that someone actually spent 5 months evaluating this...

--CTH

Filters

[snakecoder]

At the risk of educating spammers, I filter any mail with the following words in the subject header to a folder called potential junk. I then scan once a week to see if I have an legit e-mails (order by e-mail address). My hotmail account gets roughly 20 spams a day. The combination of my filter and hotmail's junk filter usually reduces my inbox to one junkmail a day.

Credit
Money
Income
Debt
free
casino
invest
adult
win
join
xxx
earn
sex
golf
naughty
girls
hot
cock
penis
cost
Enhance
$
!

You might be high risk if...

[geekplus]

You have more than 4 cars up on cinder blocks in your front yard...

A Couple Missing Variables

[bedouin]

Firstly, he didn't specify whether or not he was using common E-Mail addresses, or ones with slight imagination. Lucky for me, my name isn't a Western one, so spammers never guess it. The second thing that should have been taken into account is that commerical mail providers are naturally at high risk for spam. I've had a university account since 1994 and only recieve a few spam messages a month.

One of the policies that my university has is that for students, there is no, for example "jsmith@...edu". Our E-Mail addresses are actually our social security numbers somehow made into a four letter code; sure spammers could guess combinations, but most won't put in the effort.

I can testify that registering two domains was the beginning of spam on my university accounts; for months I would literally go spam free until getting put into the whois database. Contrary to what some people here have found, Hotmail and Yahoo have produced no spam for me, except their own... I think what protected me was having a unique name that wasn't easily gussed by spammers.

Usenet produced *some* spam for me, but nowhere near the amount this guy is reporting. It probably has *a lot* to do with what groups you're posting to, and whether you're crossposting.

He could have mentioned more solid ways of getting off of spam lists, like checking headers to see where spam is originating from. 50% of the spam I've seen comes from someone with a dial-up account and a mail server. Once E-Mailing abuse@, and postmaster@ these people generally go away, either because they don't want to deal with someone like me (a hostile 'customer'), or because their ISP's pull the plug.

If you have a box of your own it's fun sometimes to create a bunch of E-Mail accounts, and see which ones get spammed from who.

Just to be a dink...

[Mark4ST]

You can add name+extension@example.com to your address. That way, when I get mail to me+realplayer@example.com, I know that I gave that address out when I downloaded realplayer.

What I like to do, if the people I need to give my email address don't need to mail me back. I choose a blatantly fake address like admin@real.com.

And then I opt in to every stupid thing they offer. Just to be a dink.

Re:More comprehensive

[daniel_isaacs]

I find jo@yourmama.com to be sufficient for Apple.

Spammimic.com

[Ronnie+Coote]

Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

Dear Friend ; We know you are interested in receiving cutting-edge news . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 1916 , Title 7 , Section 302 ! Do NOT confuse us with Internet scam artists . Why work for somebody else when you can become rich within 20 months . Have you ever noticed nearly every commercial on television has a .com on in it and people love convenience . Well, now is your chance to capitalize on this . We will help you turn your business into an E-BUSINESS plus decrease perceived waiting time by 180% ! The best thing about our system is that it is absolutely risk free for you ! But don't believe us . Mrs Jones of New York tried us and says "My only problem now is where to park all my cars" . We are licensed to operate in all states . So make yourself rich now by ordering immediately ! Sign up a friend and you'll get a discount of 90% . Best regards . Dear Cybercitizen , You made the right decision when you signed up for our club ! If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail ! This mail is being sent in compliance with Senate bill 1916 ; Title 6 , Section 307 ! This is not multi-level marketing . Why work for somebody else when you can become rich in 96 weeks ! Have you ever noticed how long the line-ups are at bank machines and most everyone has a cellphone . Well, now is your chance to capitalize on this . WE will help YOU decrease perceived waiting time by 150% and deliver goods right to the customer's doorstep ! The best thing about our system is that it is absolutely risk free for you . But don't believe us . Prof Jones who resides in Ohio tried us and says "My only problem now is where to park all my cars" . This offer is 100% legal ! We BESEECH you - act now . Sign up a friend and your friend will be rich too . Best regards ! Dear Salaryman ; We know you are interested in receiving cutting-edge intelligence . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our database ! This mail is being sent in compliance with Senate bill 1619 , Title 4 ; Section 309 . This is a ligitimate business proposal ! Why work for somebody else when you can become rich in 23 WEEKS . Have you ever noticed society seems to be moving faster and faster and people love convenience . Well, now is your chance to capitalize on this . WE will help YOU process your orders within seconds and SELL MORE . You can begin at absolutely no cost to you ! But don't believe us . Ms Anderson of Georgia tried us and says "Now I'm rich many more things are possible" ! We are licensed to operate in all states ! We IMPLORE you - act now ! Sign up a friend and your friend will be rich too . Thanks .

Suspected SPAMMER found MURDERED!!

[erroneus]

Meanwhile, my opened-and-completely unused accounts with Hotmail, Yahoo, Netaddress, and Mail.com didn't get a single pitch in six weeks.

It never occured to me that merely openning a hotmail account would generate spam without having used it for correspondance. I have to disagree with the author of the article. Openning my hotmail account resulted in what was obviously some sort of "brute force" email. (I say brute force to remind you of the method of password cracking.) While it's probably the most clumbsy and resource consuming method of collecting email addresses, it's one possible explanation...

I have, however, used the address for merely registering a couple of domains so that sorta-kinda disqualifies me from that test. But as I looked at the emails that came through, it seems pretty obvious.

I wonder how long it will be before some murder is splashed all over the news media where the apparent motive was that he was a spammer and just wouldn't STOP!! I must admit I have had a secret wish that these bastards would die... anyone else have the same wish? :) I wonder if it would be illegal to post a bounty for the heads of spammers? I suppose it would be... and I'm not rich enough to pay for it anyway... but I can dream can't I?

Oh yeah, and another thing -- the Hotmail's anti-spam measures don't always work! Sometimes the spam gets through anyway and that's a mystery to me how unless their filter software gets crushed by the load or something.

Anyway, I'm rambling... DEATH TO SPAMMERS! DEATH TO SPAMMERS!!!

Other ways it can happen ...

[morcego]

I wan't able to read the article yet (/. effect ?), so maybe it's covered there, even tho I don't think so.
I have recently (about 2 months ago) opened an account on another ISP (this one for Cable). I chose and e-mail address like r[some-other-letter]@terra.com.br (just to put a finger on the culprid). Once I have lots of addresses, I simply chose not to use this one. Well, one would support that I would never get a spam on this addres, right ? wrong.
Only 3 days after, I received my first spam on this account. Of course I though "this darn bastards are selling e-mail addresses", and complained like hell to them. They went on swearing they did not sell addresses and so on and on. Well, that settled the matter was a spam I received which stated the name of the target

Dear Roberto

Well, my name is not Roberto (even tho it starts with "R"). What caused the spam ? They were recycling (reissuing?) e-mail addresses. Someone in the past had that same username on terra.com.br, did some dump things, and his address got in some spam lists. He was the target, not me. But once this address now belongs to me, I receive his spam. :-( But, once I did not indend fo use that address for anything else, it does straigh to /dev/null, after going through some filters to separed official communication from Terra.

I don't know if this recycling of usernames is a common practice elsewhere, but this is surely a good way to have you mailbox filled with spam :-(

---

Here's what gets you embarassing spam...

[somethingwicked]

If you treat an employee like crap and then fire them unjustly, you may get tons of spam!

A friend goes to every embarassing website he can think and enters the email address for his wife's ex-boss. Pron sites, embarassing drugs, on and on.

It has been 2.5 years and he still does it!

Telephone spam

[cheesebot]

i actually was a victim of TELEPHONE spam not too long ago. i took an ad out in a local newspaper to try to sell a car and when the week was over i got a telephone call from a competing classifieds paper to take an ad out with them if my car didn't sell.

Annoying Forwards

[leabre]

I've had an email address for about a year that was not once used for any reason at all. Never received, never sent. One day, I sent an email to a relative who had just got their email account and was excited to be on the web.

A month later, I got forwarded one of those "send this to x people and Bill Gates will send you $3,014 for each 3rd person... no really, it's true, just the other day I recevied my $10 million dollar check from ..."

I replied and told her never to do that again or she will be blocked and I'll never email her. I explained to her why she shouldn't do that. It's because someone somewhere along the line will get the 30 times forwarded message and will glean the 100's of emails that are a part of the message body from all the forwards and put you on a list.

Now, everyday I get 1 or 2 Univerity Diplomas emails, they just don't stop sending them, Every day Janna wants to know what I was doing last night, King Kong keeps wanting me to buy some Herbal Viagra alternatives, FBI snooper detection prevention software, and a chance to win a free 3 carot dimand after I send $2,000 to sponser some foundation... yeah... uh huh...

I'll tell you, those funnies you send and recieve everyday is a really good way.

The other way is to reply to a spam to be removed from a mailing list. In the same mail account, I replied to a few to be removed from the list and shortly after the volume of messages recived almost doubled. Now it's a useless email account that receives over 600 emails per week. It's sad because I've only sent and recieved less than 10 legitimate messages from that account in the past 5 years and this is what I get in return for it.

Bottom line:

* Warn your friends and family not to send
you forwarded email. Explain to them
that most of those messages are hoaxes,
anyway. Companies don't pay to you to blast
the Internet with messages.

* Second, don't reply to spams when you do
receive them or it will just confirm an
active account. I used to spoof returned
mail notices but those don't help any,
they also make it worse.

* Third, if you do recieve a mass-forward,
you're already at odds.

* Each time you sign up to a new web-site, read
the privacy statement. Usually, you're info
will be shared with a partner. Check that
partners privacy, because usually that partner
will share your info with a partner and so on.

Your email address is usually not kept secret
anymore. They make too much money by selling
to people. If they are European based, then
it might be more secure because of privacy
laws.

* Opt-out of those "important updates from the
company and their partners". This will just
generate more unwanted messages than you'll
care about. I've opted-in to some in the past
that were supposed to be monthy tech news
updates on important issues. Well, one day it
became daily. They changed their policy with
out notifying me.

* Most sites reserve the right to change their
privacy policies at-will and with no obligation
to notify you. They expect you to keep up
on this yourself. The best advice is to do
so. I've cancelled membership to some sites
because of this. My data is not theirs to
profit from while I profit nothing from it.

* Obvious names, such as "kitty@domain.com,
bmwlover@domain.com, studmuff@domain.com, etc"
are likely culprits. Sometimes they perform
dictionary based attacks on many domains and
it may just be your lucky number. What's
worse, is that they CC so all emails are there
and other spammers gather those emails and then
you are placed on another list.

* Anything else not mentioned. Keep in mind,
these are only spam "reduction" techniques. I
think it's very difficult and next to
impossible to not be spammed. Being aware of
certain actions that will trigger a result and
preventing those actions, will help greatly.

* If they leave a return address, sometimes you
can complain and have their account revoked.
This won't stop them, they'll open another
account and continue.

* Push for a law that allows the sponsor of the
spam to be sued for damages and inconveniences
rather than the sender. For example, I've
recived over 200 unvirsity diplomas messages
which all have the same phone number, but each
message is from a different sender. If we can
sue the owner of the phone number, than that
would go a great distance because it would
make people afraid to market in that mannor.

Well, hope this helps,
Leabre

Java email applet

[rpbird]

One could always use a Java email applet configured so as not to reveal the address.

But maybe I shouldn't mention Java, since MS has decided, once again, to kill this poor, defenseless, programming language.

Myth about unused accounts is TRUE!!!!

[Myrv]

Perhaps the writer didn't get any spam to dorment accounts but I surely did.

After signing up with Bell Sympatico they assigned me a new e-mail account which I never used. In fact, I ignored it so well that they ended up suspending my account because my credit card had expired and they only sent notification to my sympatico account. After getting my account reactivated, (why the bill didn't carry over to my new card I will never understand) I decided to check the account. Over the first three months of it's existence it had gathered over 60 emails, 50 of which were pure spam (the others were notices from Bell).

Remember I had never used this account. In fact I had to dig through my files just to find out what the bloody address was (b1miok73@sympatico.ca not exactly an easy to guess name--and I don't own it anymore so spam away :) ). So yes, just having an email account can indeed generate spam

web forms

[*xpenguin*]

in case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you. They don't reveal your email address, but let's your users email you.

I switched to these way too late though, so I still get lots of spam.

Here's an example of a web mail form:
http://www.topfloor.com/pr/examples/cgimail.htm

--

Re:web forms

[beanerspace]

Consider this, if I'm going to create a program, let's say using PERL and a library like LWP. Then I really don't care if your e-mail address is a hidden variable or up there as a mailto ... if I build my regular expression correctly ... you're mine.

Second, while your approach may have cut it back in 1996 when Matt Wright gave it away, it doesn't address many of the security issues that have crept up, some of which are listed in an article Lincoln Stein wrote for the W3C.

Third, if unedited, versions of FormMail as exampled by your site, can become a major spam producer. In large part FormMail uses that HTTP variable for your e-mail address we talked about earlier. This allows Spammers to easily abuse your form to distribute their messages. Moreover, unless you capture and forward their IP, you give then the anonymity.

Finally, why write so much stinking (and unsecure code) ? By using CGI.pm, you can address some other security issues. You can avoid having to put your 'hidden' arguments in your HTML. With the addition of a few other libraries, you can address a variety of other security issues while significantly reducing your effort.

IN other words, work SMART and HARD !

Re:web forms

[haruharaharu]

that still won't help; if you're on a large mail domain like earthlink or att, spammers will do a blind shotgun at your server. They basically send spam to every plausible mail address they can think of.

Re:Amusing - but it only afirms what we already kn

[Rogerborg]

I'll synopsise it further: don't use AOL.

Further still: don't be the sort of induhvidual who uses AOL.

And the best way to get spam in your e-mail box...

[Chuu]

A little story. A couple of years ago I was playing a farily popular MUD, and went over to hotmail.com and grabbed an account with a popular NPC's name as the user name. Well, someone else wanted this account too, and e-mailed me offering to trade something for it. I said no, and he said if I didn't give it up, he'd make sure I wasn't able to use it. I just deleted the message. A couple days later, the spam started to POUR in. And it kept getting worse. It went from 5 letters a day to 10 to 20 to well over 50 before I stopped keeping track. What I figured he did is pick out some of those harveting sites (lottery sites are infamous for this, as the article notes) and stuck my e-mail on every one. The end result, one week later the box was completly unusable. What can stop this sort of attack?

Insight on the 'spam at unused account' myth/fact?

[BillX]

A quick poll for those who have unpublished mail accounts at mega-domains (Hotmail, Yahoo, etc.)...

How long is your username?

I'm willing to bet spam intake rises exponentially with shorter usernames, and here's why. Spammers to known mega-email-domains with literally millions of users will send a spam-bomb to every conceivable address of a given length (aaaa@hotmail.com ~ zzzz@hotmail.com) I like to call sonar mailing. Others use a dictionary or wordlist similar to brute-force password crackes to spam likely-to-exist usernames in sequence. (I've heard this referred to as firehosing or guessing & cleaning, I guess terminology varies depending on who you talk to). Mails that bounce back with "invalid username" get marked off the spammer's list, and the rest...well, you know what happens to the rest :)

I unfortunately selected a 4-letter Hotmail address long ago, and get a sonar mail every couple months--typically followed by a sharp increase in spam from various places, which falls back toward nominal as their accounts get nuked (at least until the next sonar ping...)

--

Oops, should have mentioned:

[BillX]

Some of the mythical proportions of unused-account-spam may come from people who don't carefully watch for a "List me in online member directory" box and untick it. Some freemail sites (includes Hotmail) have a member directory listing the email address of everyone who consents to be listed.

If you are listed on the member directory, you are pretty much *guaranteed* to have the pink stuff coming out of your ears within a week. Read the signup carefully, untick those boxes!

--

god knows where it comes from on hotmail

[fatgraham]

i signed up to a hotmail account the other day(and suprisingly fatgraham@hotmail hadnt been taken) to get a "passport" for the wince source, and the first piece of spam i got was from, fatgraham@msn.com... (i didnt make the effort to fnind the headers, but you get my point)

considering i hadnt used it yet (to put in forms/pasted on a site etc) i was kinda suprised (or maybe i wasnt) that it came from me. albeit at msn.com

although that spam was probably funding hotmail :]

DirectTVDSL.

[AX.25]

Formerly Telocity.

They seem to harvest from their clients email accounts. I run my own server (not on their network) and found I was getting the same spam to both my personal accounts and my this is for spam account all because I accidently sent an email from one to the other.

Bad, bad, bad.

Re:It wonder how much spam will /. generate....

[Nurgster]

I occasionally get spam to slashdot@thisisnurgle.org.uk, and I recently got one at mark (at) gamedev (dot) net, and that account hasn't been used for years.

My Yahoo! mail accound has never got a piece of spam in the 2 years I've had it, and I've never recieved spam to my main mail address (which was posted on my website, which had quite a few links to it at one point).

One thing which did happen once was curious is that my ISP assigned me an address, which I never use (but I do check). I've only ever got one piece of email to that account, which was spam.

Turns out someone at my ISP was selling addresses (he got fired very quickly).

Re:Amusing - but it only afirms what we already kn

[Regolith]

Yes, it may be obvious, but it is at least slightly interesting to see a numerical breakdown to confirm that you are in fact correct. Kinda like the Honeynet article yesterday. It is common sense not to enable services you don't need and not give your email to strange companies, but that doesn't mean that someone saying so is completely useless (unless its JonKatz).

-----

Everything

[Uttles]

Doing pretty much anything on the internet opens you up for SPAM, especially signing up for internet email accounts. All I say is "that's why they made the delete button." Just delete it and move on, and don't go doing anything stupid like signing up for special offers from MSN.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Very nice paper...

[Lethyos]

I sent that one to my parental unit in question, and she understood it. Maybe she'll think about it a little more before she sends her next deluge. ;)

Here's another...

[Lethyos]

asdf@asdf.com - I can only imagine what they get.

My Mother's Practice Would Be High Risk :-)

[Lethyos]

My mother complains to me (her IS dept) that she keeps receiving spam and pr0n ads. However, her behavior is one not mentioned as one of the high risk activities on that report. She constantly mass mails her friends chain letters and email jokes (and unfortunately for them does not use blind carbon copy). Most people do not remove that big list of addresses from chain letters and the like before sending them on to the next person (or typically, group of people). As a result, those big long lists of email addresses will eventually get harvested by some agency looking to make money on lists of valid addresses. Even worse for my mother, those agencies do not even have to work any further to verify some of the addresses. They can be guarenteed that the sender(s) addresses are valid. Makes it quicker and easier for them to get your email address sold and sent to spammers.

So, meanwhile, my mother and I'm sure countless other novice computer users will continue to complain about spam, but those chain letters will keep getting sent. I wish this report would have gone into more depth about this practice - I think it's one of the quickest ways to get spam.

Use a URL instead of an email!

[NewtonsLaw]

In my experience, anyone who uses their email address in the header or body of a usenet posting is putting up a virtual "Spam Me" sign -- it is (or was) the primary source of email addresses for spammers.

Second in line is the "mailto:" tags that so many people (especially business sites) are stupid enough to put on their webpages.

My servers get about 8-10 spambot trawls a day from bots looking for mailto: tags and their associated email addresses.

Then there are those who really are dumb enough to believe a spammer whem they say "click to unsubscribe" -- oh yeah, for sure!

There are effective ways to avoid spam -- check out Memo.to.

mp3.com not as "nice" as he claims

[CKW]

In that report he claims that mp3.com is "low spam", since they have an opt out system.

HOWEVER, if you do ANYTHING FURTHER at mp3.com, they force you to re-confirm your registered information, which again signs you up for more spam (it's right there, in the fine print).

So in effect, it is impossible to use mp3.com over the long haul without putting up with their spam, without using a fake e-mail address. So if you want to do something that requires a valid e-mail address, like maintain a "station" (list of favorite songs for others to browse, highly useful, one the best way of finding good music on mp3.com these days), or send feedback/e-mail to an artist using the mp3.com feedback box (the only way for some artists, who don't want to publicly announce their e-mail addresses), you're screwed.

This has been one of the main things keeping me from wanting to buy artist's discs and giving artists money on mp3.com, because I know that every time I do I'll be forced to take more mp3.com spam and "unsubscribe" all over again.

Re:.MIL & .GOV [Slightly OT, but curious]

[guuyuk]

It really depends on what you are doing. Normally, posting on Usenet is not part of someone's official duties. However, .mil and .gov users do get on spam mailing lists occasionally. Most of the time, the offending ISP is sent a cease-and-desist letter/email (just like any company would). Every so often, other things may happen (depending on who does it). :-)

what about a slashdot account?

[nilstar]

So, the article fails to tell you how much of a 'risk' having a slashdot account is. :-)

Earthlink = Spam, er, I mean Sprint!

[gschwim]

Yup. Had 'em for quite some time, and I *swear* that they sell distribution lists of their users to spammers. It only got worse when Sprint bought them. In fact, I was once a Speedchoice customer, and once Sprint bought them (!) I started getting barraged with spam. Bad Sprint!

Email Address Encoder

[superflippy]

This nifty web page will convert your email address into Character Entities so you can display it on your site and not get harvested by spammers: Email Address Encoder

Will this fit in my /. user profile? &#119;&#101;&#098;&#109;&#097; &#115;&#116;&#101;&#114;&#064; &#115;&#117;&#112;&#101;&#114; &#102;&#108;&#105;&#112;&#112; &#121;&#046;&#110;&#101;&#116;

localhost

[beanerspace]

I've gotten some satisfaction from abuse@[127.0.0.1] or postmaster@localhost or some variant.

While I'm sure most harversters avoid such addresses, I have seen it catch the stupid spammer who thinks they're hot stuff using LWP::UserAgent.

Easy answer

[iamklerck]

I would say you're at pretty high risk right now if your alias is sexykitty and you put your real email address in the slashdot news submission form!

26^3

[6EQUJ5]

My email name happens to be one of the 17,576 that are possible using 3 characters from the english alphabet. Almost daily I'll get 1 or 2 (out of 20+ total) spams that cover my name, along with the alphabetically ordered names that are close to mine, all listed in the "To:" field.

This one ain't hard...

[kypper]

What Makes You "High Risk" For SPAM?

Giving my e-mail to pr0n pic-mailers, of course.

That was easy.

Screw 3...

HTML mail & "Web bugs"

[Cardinal+Ximinez]

And then there are always the HTML emails with embedded images that track when the email is viewed:

http://www.privacyfoundation.org/resources/webbu g. asp

You don't even need to reply, just viewing the email with an open Internet connection will do it.

CX

Re:I wonder how much spam will /. generate....

[andres32a]

Boy this is scary... ten minutes and already 13 emails!!!!

It wonder how much spam will /. generate....

[andres32a]

Well... nice article. But one thing is missing... How much spam will posting my email at /. generate???
Lets make the test. My email is andres32a@yahoo.com. DONT SPAM ME!!!

This has to be the funniest spam....

[andres32a]

Date: Fri, 27 Jul 2001 12:09:49 -0500 From: root | Block Address | Add to Address Book To: andres32a@yahoo.com Subject: Was that you? Make money fast by selling viagra to the Nigerian government while helping them funnel the money they skim from the operation out of the country to give to naked coeds so they can buy tiny miniture webcams from a company that you must buy stock in now. THIS IS NOT SPAM

Spam?

[boiscout]

I've been using my High School e-mail adrress as my primary address for over ten years now. When ever I sign up for some new service, they get that e-mail, when ever I don't want a service to get my real e-mail, they get that one. But yet. After 10 years of signing up for tons of things, from MTV.com to AIM to Who knows what else. I still don't recieve that much spam. I've always been careful to watch for those little boxes that say, "Don't give my info out to other people" and it seems most companies follow that. In 2000, I recieved only 3046 spam messages, and they were all from places that I agreed I had wanted thier mailing, so that's not really spam then.

Re:THAT'S MY POST!!!

[Genoaschild]

I went to your website. Wow, we are the exact opposite of each other in our beliefs but we both love slashdot. Hmm. Weird.
----

Amazon

[SilentChris]

One point is a little offbase in the article. I happen to love Amazon, but I get unsolicited mail from them all the time, much of which I have to manually opt-out of. It began about a year ago and has been a steady stream since.

Sorry, but if I don't ask for movie showtimes, and I rarely every buy any DVD's, why are you telling me about them?

Couple of my favorite ways to reduce spam...

[klapton]

When registering software from companies that I don't want to receive spam from, I usually enter something like webmaster@company.com. If I'm registering Real Player, I'd enter webmaster@real.com. Unfortunately, Adobe has become wise of this and their online registration won't allow you to use webmaster@adobe.com. I wonder why, hehe. Another favorite is to make up a name like harrybalzac@company.com.

A good solution is to use a 2nd address at yahoo

[sjonke]

I use to get swamped with spam. When I got a new email address, I then went to mail.yahoo.com and made an account there as well. I use the yahoo account for anything that results in strangers getting my address. That includes posting to usenet, online purchases, product registrations, mailing lists from untrusted sources, etc. That address gets swamped with spam, varying from, oh, lets say 10 to 40 messages per DAY (a significant portion of which gets filtered into yahoo's bulk mail folder.) I get virtually no spam at my main address. I think the little I do get there is due to a few slipups here and there, but we are talking one to two every several months or less. I would take this article's list of things that aren't high-risk with a grain of salt - when you give you email address to someone or some company you don't know/trust, that is high-risk for spam no matter what the situation, especially in this day and age of hacking.

Spam-proofing

[Omnivorous+Cowbird]

It seems that a lot of the spam-bots try to filter out certain forms of spam-proofing and remove the word spam from email addresses. After switching to an email account with the word "spam" actually as part of the username, my spam count has plummeted. Of course, time spent explaining to people that that actually is an email address and not spam-proofing is required, but you only need to tell someone once for all of the times they'd write, while you would have to delete spam every time it came in.
______________________________________

Re:Java script is better

[WoofLu]

Yeah, but those little things may follow the link ... So ..

The best thing is to use an email like @.* and if you get spammed: just redirect it somewhere, or trash it to /dev/null.

Re:Java script is better

[WoofLu]

Wups, the email screwed:

<yourSpamSite>@<yourDomain>.*

That's it :)

you're pretty lucky then...

[_avs_007]

I use a different email as well when I do things. Like when I look at houses and such, and when I have to fill out forms when ordering things, etc etc. I must get at least 10-20 spams a day. I just filter emails for that account to go straight to the trash.

I am the Real John@Hotmail.com...

[slashdotbanana]

and thank you all very much for giving out MY email address whenever you need to give a fake one!
I now get around 4.2 TeraBytes of junk email per day!

Use custom addresses

[p_trinli]

If you use an alternate address, it's not a problem. For example, I use "evol-psych@aaronshaver.com" for an evolutionary psychology mailing list to which I subscribe. If you own a domain with a decent webhost, you can make up new addresses for everything. I used "psy204@aaronshaver.com" as a temporary address for a class I attended last term.

--
Aaron J. Shaver
http://aaronshaver.com/

7 years.

[telbij]

I've had the same address for 7 years, and my spam has increased very slowly. I get 5-10 spams a day now, but my co-worker who's email is less than a year old gets 15+ spams a day.

This validates the articles premise that just having your email on a website doesn't generate too much spam (because mailto: URLs are mostly where my email is available).

I have been considering moving to a new email address and keeping it top secret, but so many people only have that one contact for me, so I'd have to keep checking it anyway.

Isn't there an email client that can filter out mail from open relays? All the solutions I've seen are for mail servers, but I don't have access to my mail server.

Spambouncer..

[JerryKnight]

just a quick plug for a great spam blocker.

it's linux/procmail. It blocks *almost* all spam, and *almost* never misfires.

More comprehensive

[statusquo83]

I actually tested this more comprehensively by sending all the email I got at my domain to one inbox, and using nameofdomain@mydomain.com to figure out where the spam was coming from. I was surprised that I didn't get any from my Slashdot account despit people's paranoia about it here. The biggest culprit was a single newsgroup posting that I made, netting me over 140 spam messages.

yummmm spam

[DEFFENDER]

if the new AOL OS pop-up problem hasn't been brought up then it should be. stupid people with alot of money, to much time, and a hunger for cookies will altimately always be the reasons for spam. if they get you at a homeshopping website or your local gaming site it makes no difference either you have to outlaw spam or COPE!!! if you have to stop writing drivers for your flat bed scanner for a minute and set up a spam blocker then DO IT!!

i have a hotmail account...

[emoeric]

for account signups, and the only spam i continue to get is from good old stalwart, MISS CLEO! Apparently i went to the webpage at some point and put that email addy in somewhere. Needless to say, i wasn't sober when i did that. Eh, it was fun, and now i get advance notice of special rates on FREE READIN's!! "CALL ME NOW!"

|---------------|

mindspring and earth link customers you are gettin

[gumbysworld]

talk about spam mindspring and earth link customers you are getting screwed, you have recieved a message to change you dial up number or soon will. ask your friends who have msn, they are telling us to use msn dial up numbers, and next month our bill goes up too 21.95 the same price as msn. how much u wanna bet they are selling us to msn and taking that 200 dollar credit for ech of us. needless to say the msn numbers suck. i changed to att.net nice and fast.