Slashdot Mirror


What Makes You "High Risk" For SPAM?

sexykitty writes "What exactly is it that we do to invite unsolicited email to our inboxes? CNET contributor Matt Lake opened 12 free email accounts online in an experiment aimed at determining just that, and here are the results. See the risks involved in disclosing your email address through various methods." Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

37 of 259 comments

  1. I have a confession. by Anonymous Coward · · Score: 5

    For years, I have been using bob@bob.com as a junk mail address to enter. I recently found out, there is a bob@bob.com. (It used to be owned by someone at Microsoft, I believe.) So I'm sorry bob.

  2. Re:What's your experience for archived mailing lis by mosch · · Score: 3
    I used to use dedicated e-mail addresses as my slashdot return address. A few greps of my mailbox archives tells me that in the year 2000 I got 589 messages to this dedicated slashdot address. If memory serves me correctly, I've received, at max, six actual messages from slashdot users posting private followups.

    This is why I changed my address to abuse@att.com... I figure why not let the spammers report themselves?

    --

  3. Re:Actually by Masem · · Score: 3
    Anything from Matt's Script Archive is about as secure as a wet paper bag.

    It's not that the concepts behind the code are bad, but numerous perl experts have pointed out weaknesses and lack of checks in those codes that could easily break a system. Sure, others have improved the security of those codes as well, but most people take blind faith that because they're at Matt's Script Archive, the code is 'secure'.

    And saying that thousands of sites use formmail.pl is like saying that thousands of sites use an unpatched IIS.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  4. And people wonder why we despam our emails... by Mr.+Flibble · · Score: 3

    It's a common theme on slashdot to obfuscate your email address, most of us here do it.

    The account I have above (which is a junk account), I have had for the last 3 years. I have had it on slashdot for over two years.

    Up until the last 6 months, I had not received a single spam message in my inbox at hotmail. My address appeared on the newsgroups, and on slashdot, but it was de-spammed to confuse the spambots. (I still love the .sig of one guy on ./ who uses a perl algorithm to hide his...)

    Then I decided to register for a few online services with this email account.

    Bad move.

    I got hit with about 20 spam mails per day.

    I don't know which one it was, but as the article says, the "we take your privacy seriously" statements often are pure B.S.

    --
    Try to hack my 31337 firewall!
    1. Re:And people wonder why we despam our emails... by PigleT · · Score: 5

      `Despam'? YM `munge', that's the traditional term.

      Anyway. I have to say I find Usenet is the greatest cause of spam around. Bots regularly trawl both From: and Reply-To: headers, so I get most of my spam that way.

      I've found the best bet is to have complete ownership over your own (sub)domain; you can easily enough choose one or two real usernames at that subdomain to use for yourself, and then when you sign up for given services online, invent a single word (egg@, asserta@, slash@, aol@, chat@, whatever) on a per-site basis. That way you can track exactly where a given spam got your email address if you want.

      I'm not convinced of the timing in the guy's article; I started getting spams to usenet@ my domain only a couple of weeks from starting using it; it wasn't even that long that the throw-away account started getting these things from /. as well.

      The moral is simple: beware of what things you publish. Not only will advertising an email address bring you spam, but sticking your box in DNS as `www' will bring you loads of packets, and appearing in an NNTP-Posting-Host: header will bring you *loads* of news-port scans as well.
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  5. My own Final Solution (tm) to spam by Xeger · · Score: 5

    My own spam problem started in the dark and forlorn days of 1995. It all started because of a name.

    Due to an unfortunate accident of ancestry, my initials happen to be ADS. When I got my first dialup shell account, I chose to use my initials for my login name in the style of one of my then-heroes, Robert Tappan Morris (of RTM Worm fame). Thus did I become ads@netcom.com.

    You can imagine the sort of traffic this generated for me, from day one! Every yokel with a half-brained scheme and a university mail account decided that this miraculous 'ads' address must be a special mailing list for thousands of Netcom customers who sat with bated breath, waiting to learn how they could lose weight fast, get rich quick or get rid of debt.

    I fought this torrent of spam for almost 5 years before I finally had the technical proficiency and computing resources to come up with a solution. The solution I finally found is elegant and simple. It keeps the spam down to three or four messages per day. More importantly, it lets me know who is distributing my name to whom, and when.

    I have a host alias tracker.xeger.net. Mail sent to any address @tracker.xeger.net is subjected to extra-bitchy filters, and mail that makes the cut is forwarded to one of my normal mail accounts, address intact.

    Whenever I go to a new web site, or give my email address out to anyone, I give them an address of the form 'domain_dom@tracker.xeger.net'. CNN gets 'cnn_com@tracker.xeger.net'; Amazon gets 'amazon_com@tracker.xeger.net' and so forth. When the spam comes rolling in, I know from whence it came. I know how they got my mail address. And I know who to hunt down and disembowel.

    To this date, I have been solely responsible for more than 200 cancelled accounts and at least two blacklistings. The count goes up daily.

    1. Re:My own Final Solution (tm) to spam by Xeger · · Score: 5

      Duly noted. I knew something was fishy about that paragraph.

    2. Re:My own Final Solution (tm) to spam by Webmonger · · Score: 5

      One variant is to use plus addressing: Sendmail always ignores plus signs in the username when delivering mail. So you can use spamcheck+aol@mydomain.com and spamcheck+marigolds@mydomain.com and they'll be delivered to spamcheck@mydomain.com, but you can see they're addressed to spamcheck+aol...

    3. Re:My own Final Solution (tm) to spam by 3-State+Bit · · Score: 5

      The problem with this is that a spammer can spam whatever@tracker.xeger.net
      A better way to do this is to give amazon.com "xeger232524272" instead of amazon_com, and then associate xeger232524272 with amazon.com on your end of the line. You can have a simple script give you another number every time you need a name. Do you need to register something with "Marigolds Inc?" simply execute this at your bash prompt:
      #redirectoradd
      Short nick: Marigolds Inc
      Reason/description: signed up for their "infrequent" newsletter -- once per month they said.
      xeger65134556132

      In other words, xeger65134556132@tracker.xeger.net is now an active mailbox, and you can cut and paste it over to the web form. Associated with this new mailbox is a date and time (which the "redirectoradd" script adds), a description, the knowledge that it couldn't just be "guessed" (since an 11 digit number is not simply guessable).
      Any spam tracker.xeger.net gets that's not associated with an active number is bounced, except for "xeger@tracker.xeger.net", which autoresponds so:
      Subject: I haven't seen your email!
      Body:
      Hi, sorry for the inconvenience, but for security reasons this isn't actually my real email address. To get a real email address, you need to reply to this email with "get real address" as your subject and the body a description of who you are and why you need my email address.

      I repeat, your email has NOT been delivered. For your convenience, it is attached in this reply, and any text portion is included below. It will also be included with the email notifying you of my real address, where you can simply forward it.
      You wrote:
      >Hi Xeger!
      > How would you like to get in on this ONCE
      > IN A LIFETIME opportunity??? Yes, that's
      > right...[etc]

      That way, if you need to give out your email address when you're not at your computer, you can still do so. You can have various levels of this, where mail to xeger1 never gets looked at, but xeger2, which you put on your resume, actually does let you look at the mail that you receive there, even while you wait for your prospective employer to establish a "formal" address. If this doesn't strike you like a good idea, you can create a few "spare" addresses with no descriptions associated with them, so that when you give it out to somebody on the spot you can cross that one off of your list and the person can email you directly, while that address is still only associated with one person and you can know if it's ever given out. For instance:
      #redirectorblanklist 5
      xeger6513455512123
      xeger4351234214985
      xeger1215437214963
      xeger9467248121546
      Which you can then print on a few cards and give them out whenever somebody needs an email address. You can carry around a bunch of preprinted addresses this way, and write down a description every time you give one out, even if it's just at a credit card promotion at the mall. You can write a description next to the name and put it into your database when you get home. Sure it's a LITTLE more involved than giving out billbrady@redirector.xeger.net, but then billbrady can't submit the name "asdfasdf@redirector.xeger.net" to sign you up for the Daffodils Promotion Program at daffodils.com, which mysteriously gets you a lot of spam from a bunch of people you don't know. Moreover, if everyone started doing what you do currently, then spammers could just guess email addresses and always have them delivered (if they sneak by the spam filter). Not a good idea.


      What do you think?

      --
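The alias scheme discussed in the comments above (per-recipient tracking addresses, made unguessable as the reply proposes) can be sketched as follows. This is an added example, not code posted in the thread: the class, its method names, the host `tracker.example.net` and the 13-digit alias length are assumptions chosen for illustration.

```python
import secrets
import time

DOMAIN = "tracker.example.net"  # assumption: placeholder for the tracking host
PREFIX = "xeger"                # local-part prefix, as in the comment above


class AliasRegistry:
    """Issues unguessable per-recipient aliases and routes inbound mail."""

    def __init__(self, digits=13):
        self.digits = digits
        self.records = {}  # local part -> nick, reason, created, active

    def _issue(self, nick, reason):
        # secrets draws from the OS CSPRNG, so one leaked alias says nothing
        # about the others (unlike a counter, a timestamp or "site_com").
        while True:
            number = secrets.randbelow(10 ** self.digits)
            local = f"{PREFIX}{number:0{self.digits}d}"
            if local not in self.records:
                break
        self.records[local] = {"nick": nick, "reason": reason,
                               "created": time.time(), "active": True}
        return f"{local}@{DOMAIN}"

    @staticmethod
    def _local(address):
        # Return the lower-cased local part, or None for a foreign domain.
        local, _, domain = address.strip().lower().rpartition("@")
        return local if domain == DOMAIN else None

    def add(self, nick, reason):
        """Equivalent of the 'redirectoradd' prompt: one alias per party."""
        return self._issue(nick, reason)

    def blank_list(self, count):
        """Spare aliases to print on cards; described later with describe()."""
        return [self._issue(None, None) for _ in range(count)]

    def describe(self, address, nick, reason):
        self.records[self._local(address)].update(nick=nick, reason=reason)

    def revoke(self, address):
        # Once an alias starts attracting spam, turn it off and note who leaked.
        self.records[self._local(address)]["active"] = False

    def classify(self, rcpt):
        """Return (action, nick) for an inbound recipient address."""
        local = self._local(rcpt)
        if local is None:
            return ("bounce", None)
        if local == PREFIX:
            # The bare, easy-to-say address only triggers the autoresponse.
            return ("challenge", None)
        record = self.records.get(local)
        if record and record["active"]:
            return ("deliver", record["nick"])
        # Guessed or revoked aliases are never delivered.
        return ("bounce", None)


if __name__ == "__main__":
    reg = AliasRegistry()
    addr = reg.add("Marigolds Inc", "monthly newsletter")
    print(addr, reg.classify(addr))
    print(reg.classify("amazon_com@" + DOMAIN))
```

The nick returned by `classify` is what identifies the party that passed the address on when spam arrives at it.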

  6. Important factor: your email address by bmac526 · · Score: 3

    In my limited experience, I've found that the more "common" your email address, the more likely it is that you will get spam. My wife had a hotmail account nmcdonald29@hotmail.com. Obviously, a good way for a spammer to operate is to send mail to obvious names like that, i.e. send mail to nmcdonald1@hotmail.com, nmcdonald2@hotmail.com, etc.
    Once she changed to a yahoo account, with the address nancy94376@yahoo.com, the flow of spam has almost stopped. Of course, perhaps yahoo does a better job of filtering than hotmail.
    It might be a good experiment to open up several accounts at the same service with names of varying "commonness", and see which ones get the most email, e.g.
    fjkflfjk78@yahoo.com
    nancy74384738@yahoo.com
    nancy1@yahoo.com

    All email addresses have been changed to protect the innocent.

  7. "Rumplestiltskin" Attacks by Jeff+Ballard · · Score: 3
    Actually, as the email admin for a fairly large group (over 5k+ users), one of the biggest methods for getting spam: Your user name.

    That's right, if you happen to be jeff@somewhere.com or sally@somewhereelse.com or bill@ or steve@ or smith@ or jones@ you're gonna get a lot of spam. They try every username they have ever seen on anybody's server -- on your server.

    A big problem is that a lot of people leave EXPN (expand) on their sendmail servers turned on. That means joe spammer can go to your server and try expanding every common username on his list and quickly he can get every user on the system to spam. Even if that is turned off, during the normal SMTP process, sendmail will generate an error code if the username is invalid... which means they can cancel that email and try the next name.

    This and a lot more spam-avoidance stuff can be found in Brett Glass's paper Stopping Spam and Trojan Horses with BSD, which contains a lot of good information, even if you are not using BSD.
    --
    Good Fast Cheap. Pick any two.
  8. What Makes You "High Risk" For SPAM? by egon · · Score: 5

    I'd guess "Posting on Slashdot".

    Awww shit....

    --
    Give a man a match, you keep him warm for an evening.
    Light him on fire, he's warm for the rest of his life
  9. How to stop most crawlers by macdaddy · · Score: 3
    I have to point everyone to a paper written by Brett Glass for this one. In the paper Stopping Spam and Trojan Horses with BSD Brett discusses many SPAM filtering options, from an administrator viewpoint. He also has some excellent ideas for mailto's on webpages. In this section he suggests replacing various pieces of the email address with their ASCII code. For example he replaced the "m" in mailto, the colon, the @ symbol, the period before com, and the "c" in com with their ASCII codes. This method would work just fine since most web crawlers look at the HTML code rather than the page that would be displayed to the user (generated by the browser). What the user sees and interacts with shouldn't break. I've tried it and have had great luck. My $.02.

    --

  10. Alpha spammers... by ktakki · · Score: 4

    Recently, I opened a Hotmail account. Within minutes, I had my first spam arrive (toner cartridges). Minutes. On an address that has never been given out, used, or posted anywhere.

    A friend of mine has an login name that's both short and is made up of the first five letters of the alphabet. She gets upwards of 100 pieces of spam each day.

    J. Random Spammer, like an orangutan with an assault rifle, could care less if spam arrives at a valid e-mail address. As long as the client can be billed for "1,000,000 direct marketing messages sent". That's all that matters.

    The real problem is all of the brain dead system administrators that leave port 25 open for anyone who wants to drop trou and take a huge dump in everyone's In Box. Korea, Ireland, Brazil, China...and the good ol' USA. Idiots.

    Fetch my LART gun, boy.

    k.
    --
    "In spite of everything, I still believe that people
    are really good at heart." - Anne Frank

  11. Don't get put in a user directory by DeadSea · · Score: 3
    At one point I opened about 30 free webmail accounts. I used various ones for different things, but almost all of them sat empty.

    There were two of them that I never used, but which included me in their user directory. These boxes quickly filled up with spam.

    So in some cases, just opening a free email account can get you spammed.

  12. Email address harvesting from your own server! by Matt_Bennett · · Score: 5

    I run my own email server, and I admit, every once in a while, I get pretty obsessive about looking at the mail logs. For a few weeks earlier this year, I had someone from a [big national ISP] dialup pounding my server with requests that came up with 'unknown user' bounces. The usernames were common first names, and names like "marketing", just trying to get a hit. My best guess is someone was using a dictionary type attack to find valid usernames to spam. I sent email to [big national ISP] giving them the logs and the specific IP address that these were originating from. No response, attack continued. I finally denied that IP range with the sendmail 'access' file.

    How can you fight this type of harvesting? I can't figure out how... having some sort of feedback when a legitimate email has a mistyped username is useful, so I don't want to accept and route to /dev/null all the 'unknown user' emails.
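One way to spot the dictionary-style probing described in comments 7 and 12 from the mail log, while leaving ordinary "unknown user" bounces for mistyped names alone, is to count distinct unknown recipients per source address within a short window. This is an added example, not something posted in the thread: the log format, the sample lines and the thresholds are constructed for illustration, and the output is only a list of candidate lines for the sendmail access file mentioned above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified, made-up format (not real sendmail output).
SAMPLE_LOG = """\
2001-03-04T02:10:01 relay=[192.0.2.44] to=<mary@example.org> stat=User unknown
2001-03-04T02:10:03 relay=[192.0.2.44] to=<john@example.org> stat=User unknown
2001-03-04T02:10:04 relay=[198.51.100.7] to=<mat@example.org> stat=User unknown
2001-03-04T02:10:06 relay=[192.0.2.44] to=<marketing@example.org> stat=User unknown
2001-03-04T02:10:09 relay=[192.0.2.44] to=<sales@example.org> stat=User unknown
2001-03-04T02:10:30 relay=[198.51.100.7] to=<matt@example.org> stat=Sent
2001-03-04T02:11:12 relay=[192.0.2.44] to=<bill@example.org> stat=User unknown
2001-03-04T02:11:15 relay=[192.0.2.44] to=<steve@example.org> stat=User unknown
2001-03-04T03:00:00 relay=[203.0.113.9] to=<a@example.org> stat=User unknown
2001-03-04T05:00:00 relay=[203.0.113.9] to=<b@example.org> stat=User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=\[(?P<ip>[0-9.]+)\] "
    r"to=<(?P<rcpt>[^>]+)> stat=(?P<stat>.+)$"
)


def find_harvesters(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak count of distinct unknown recipients in one window}.

    A person who mistypes a name produces one or two rejections; a
    dictionary run produces many different names from one source quickly.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, recipient)
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match or match["stat"] != "User unknown":
            continue
        ts = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        queue = recent[ip]
        queue.append((ts, match["rcpt"].lower()))
        # Drop rejections that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        distinct = {rcpt for _, rcpt in queue}
        if len(distinct) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def access_entries(flagged):
    """Candidate access-file lines (key, tab, REJECT) for an admin to review."""
    return [f"{ip}\tREJECT" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_harvesters(SAMPLE_LOG)
    for ip, count in hits.items():
        print(f"{ip}: {count} distinct unknown recipients within 10 minutes")
    print("\n".join(access_entries(hits)))
```

Legitimate senders still get their "unknown user" feedback; only sources that cross the threshold are proposed for blocking.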

  13. Should I post anon? by Cplus · · Score: 5

    Nah.

    Every time I fill out any kind of registration for crap that I don't want to get actual email about I put in hemos@slashdot.org. I don't even remember why, I think Hemos pissed me off at some point about something mundane and it just stuck in my mind. I'm thinking that dave@dave.com gets a lot because of me too.

    --
    "Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
  14. Don't use generic e-mail names by martin-k · · Score: 4
    After reading the article (yes, I really did that!), I am wondering why they left out the one sure-fire recipe for getting tons of spams:

    Get an e-mail address like [a-z][a-z][{insert generic family name}]@[hotmail|yahoo|bigfoot|whoever].com and you won't be able to stop the deluge.

    I did that once at Hotmail and I had to stop reading the account. Now I am using it only for cases where I have to register with an e-mail address.

    -Martin

  15. AOL SUCKS! by Galvatron · · Score: 3
    I wonder how much of those AOL chatroom spams were because of being in a chatroom, and how much was just because he's an AOL member. My old AOL address (which only still exists because it's the master (undeletable) account on the AOL subscription my parents use) gets an ungodly number of spams, even though I stopped using it perhaps 4 years ago, sometime in high school. Most of the spam comes from other AOL addresses.

    My Yahoo address, in comparison, gets maybe 1/10th as many spams, nearly all from identifiable sources (e-tailers I've used before, for example). So, making a "chat only" address probably won't help much with AOL spam.

    The only "intuitive" interface is the nipple. After that, it's all learned.

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  16. Unscrupulous message board? by BillGodfrey · · Score: 3
    The culprit: an unscrupulous message board

    I opened an e-mail account with Hotmail in December of 1999 and used it in a single message at what was then Deja.com's Usenet Discussion Service (now part of Google).

    It should be pointed out that it's not Deja/Google that spam, but spammers. Email addresses get attached to articles, in a similar way to slashdot articles. Those addresses get harvested and mailed.

    Bill, no spam I.

  17. You should still never opt out. by BillGodfrey · · Score: 4

    Remove me addresses, put remove in the subject, global opt out lists, etc.

    Go to http://mail-abuse.org/rbl/reporting.html instead.

  18. Why run your own domain? by alanjstr · · Score: 5

    I use Sneak Email to direct my mail. Any time I need to enter my e-mail address, I create a new one. Worried about Amazon.com going bankrupt and selling your e-mail address? Worry no more. You can adjust the filters to block domains, all mail, or just delete the address from existence. Why bother configuring your own host to filter when you can use SneakEmail for free.

    Of course it helps to spamproof your address when posting to message boards (see mine above).

    Filling in a needless registration form? I started putting 'abuse@theirdomain.com' instead. If Real.com wants to spam me, they'll just spam themselves.

  19. BAD web forms by The+Pim · · Score: 5
    in case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you.

    Be careful! Your example demonstrates every mistake it possibly could. One, it requires putting your email address in the HTML, where a spammer could find it. Two, it does not appear to restrict the recipient, meaning it is effectively an open relay. Three, there is no indication that it performs effective logging, meaning it is effectively an anonymous open relay.

    Not to mention that any programmer so thoughtless probably didn't think much about security, so you may be creating a new vulnerability without solving the old one.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
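The three mistakes listed in comment 19 (address in the HTML, unrestricted recipient, no logging) each have a direct counterpart in a form handler. The following is an added example, not the form from the thread: the recipient table, field names, addresses and the `build_message` function are assumptions made for illustration, and the message is built but not sent.

```python
import logging
import re
from email.message import EmailMessage

log = logging.getLogger("contactform")

# Recipients live only on the server; the page carries an opaque key.
RECIPIENTS = {"webmaster": "owner@example.org", "sales": "sales@example.org"}

# Constructed form markup: note that no mailbox address appears in it.
CONTACT_FORM_HTML = """\
<form method="post" action="/contact">
  <input type="hidden" name="to" value="webmaster">
  <input name="email"> <input name="subject">
  <textarea name="body"></textarea>
</form>
"""

ADDRESS_RE = re.compile(r"^[^@\s<>,;]+@[^@\s<>,;]+$")


class FormRejected(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_message(form, remote_addr):
    """Validate one submission and return the EmailMessage to hand to the MTA."""
    key = form.get("to", "")
    recipient = RECIPIENTS.get(key)
    if recipient is None:
        # Recipient is looked up, never taken from the request: no open relay.
        log.warning("rejected form from %s: unknown recipient key %r",
                    remote_addr, key)
        raise FormRejected("unknown recipient key")

    sender = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    if not ADDRESS_RE.match(sender):
        log.warning("rejected form from %s: bad sender %r", remote_addr, sender)
        raise FormRejected("invalid sender address")
    if "\r" in subject or "\n" in subject:
        # A line break here would let the client add headers such as Bcc.
        log.warning("rejected form from %s: line break in subject", remote_addr)
        raise FormRejected("line break in header field")

    msg = EmailMessage()
    msg["To"] = recipient
    msg["From"] = "webform@example.org"   # fixed envelope identity
    msg["Reply-To"] = sender
    msg["Subject"] = subject
    msg["X-Originating-IP"] = remote_addr  # keeps submissions attributable
    msg.set_content(form.get("body", ""))
    log.info("form from %s for key %r accepted", remote_addr, key)
    return msg


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    demo = {"to": "webmaster", "email": "visitor@example.com",
            "subject": "hello", "body": "Nice site."}
    print(build_message(demo, "203.0.113.5"))
```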
  20. Webforms too. by www.sorehands.com · · Score: 5
    I switched to using webforms on my site instead of mailto. Then I rewrote the code to hide the email address from the public since most of the form codes get the email address from the webpage.

  21. Here's a couple more by kchayer · · Score: 3
    In my experience, spam could be delved out a few other ways as well.

    First, I have a hotmail account. When I get mail in my box that is addressed to every variant before and after my name, alphabetically, I figure that's just a buckshot approach to hitting a few addresses that might work. 'Course, I have no scientific way to demonstrate this except the suspiciousness of such CC: headers.

    Second, what about email forwards? My mother-in-law is big on forwarding cutesy stories and inspirational things, as well as those fake virus warnings (when some guy was first telling me about Melissa, before he said he saw it on TV, I thought that was another one of those) and "email tracking for money/candy/cure for cancer/etc" messages. We all know someone who constantly sends stuff like that, likely. While some people even consider that borderline spam, I think the larger problem is the long list of headers, containing addresses, that end up in nefarious hands at some point or another. Again, I have no proof, but I'd bet that this kind of thing is a good way for spammers to get email addresses, when my name has been included in a long string of names on somebody's chain letter.

    The problem with the second method could be greatly alleviated if people would a) clean up messages they forward; b) learn not to forward the obvious junk (a nice story or good joke occasionally is ok); and c) use BCC: instead.

    --
    "I say consider this day seized!" -Hobbes
    "Tomorrow we'll seize the day and throttle it!" -Calvin
  22. customize your email address by kchayer · · Score: 5
    If I have to use my email address to register some software, I started using a little trick to track where my mail comes from. It's simple: you can add name+extension@example.com to your address.

    That way, when I get mail to me+realplayer@example.com, I know that I gave that address out when I downloaded realplayer. If email to that address starts getting out of hand, it's simple to just block to that specific address.

    YMMV, as I don't know if all mailing software supports it, but for our Sendmail+Cyrus setup it works fine.

    --
    "I say consider this day seized!" -Hobbes
    "Tomorrow we'll seize the day and throttle it!" -Calvin
  23. Re:More comprehensive by 11223 · · Score: 5

    Maybe it's because you don't list your email addy on your account?

  24. Replying to spam by Cardhore · · Score: 3

    It doesn't matter if you reply to spam or not. The spammer still knows that your account is real, because if it weren't, the server would reject his message. However, he doesn't know if anyone actually reads the account.

  25. MMF Spammers; their wares & methods. by Darth+RadaR · · Score: 4
    Of course the best way to prevent some spammer from getting your email address off of a webpage is to just make an image of your email address instead of putting a "mailto:you@there.com" which is one of the many ways spammers do their harvesting.

    Here's some of the nefarious companies and their creations...know your enemy :)
    This company has an "Atomic Harvester" that fishes for email addressen and if that's not annoying enough, they also have a program that automatically spams newsgroups. And for the spammer that's too lazy or too cheap to pay for the software, then This company will harvest email addressen for a fee.

    To thwart the above methods, check here for ways of protecting against those harvesters.

    --
    /*drunk.. fix later*/
  26. Spammimic.com by Ronnie+Coote · · Score: 3

    Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

    Dear Friend ; We know you are interested in receiving cutting-edge news . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 1916 , Title 7 , Section 302 ! Do NOT confuse us with Internet scam artists . Why work for somebody else when you can become rich within 20 months . Have you ever noticed nearly every commercial on television has a .com on in it and people love convenience . Well, now is your chance to capitalize on this . We will help you turn your business into an E-BUSINESS plus decrease perceived waiting time by 180% ! The best thing about our system is that it is absolutely risk free for you ! But don't believe us . Mrs Jones of New York tried us and says "My only problem now is where to park all my cars" . We are licensed to operate in all states . So make yourself rich now by ordering immediately ! Sign up a friend and you'll get a discount of 90% . Best regards . Dear Cybercitizen , You made the right decision when you signed up for our club ! If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail ! This mail is being sent in compliance with Senate bill 1916 ; Title 6 , Section 307 ! This is not multi-level marketing . Why work for somebody else when you can become rich in 96 weeks ! Have you ever noticed how long the line-ups are at bank machines and most everyone has a cellphone . Well, now is your chance to capitalize on this . WE will help YOU decrease perceived waiting time by 150% and deliver goods right to the customer's doorstep ! The best thing about our system is that it is absolutely risk free for you . But don't believe us . Prof Jones who resides in Ohio tried us and says "My only problem now is where to park all my cars" . This offer is 100% legal ! We BESEECH you - act now . Sign up a friend and your friend will be rich too . 
Best regards ! Dear Salaryman ; We know you are interested in receiving cutting-edge intelligence . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our database ! This mail is being sent in compliance with Senate bill 1619 , Title 4 ; Section 309 . This is a ligitimate business proposal ! Why work for somebody else when you can become rich in 23 WEEKS . Have you ever noticed society seems to be moving faster and faster and people love convenience . Well, now is your chance to capitalize on this . WE will help YOU process your orders within seconds and SELL MORE . You can begin at absolutely no cost to you ! But don't believe us . Ms Anderson of Georgia tried us and says "Now I'm rich many more things are possible" ! We are licensed to operate in all states ! We IMPLORE you - act now ! Sign up a friend and your friend will be rich too . Thanks .

    --
    Candygram for Mongo!
  27. Other ways it can happen ... by morcego · · Score: 3

    I wasn't able to read the article yet (/. effect?), so maybe it's covered there, even tho I don't think so.
    I have recently (about 2 months ago) opened an account on another ISP (this one for Cable). I chose an e-mail address like r[some-other-letter]@terra.com.br (just to put a finger on the culprit). Once I have lots of addresses, I simply chose not to use this one. Well, one would suppose that I would never get a spam on this address, right? Wrong.
    Only 3 days after, I received my first spam on this account. Of course I thought "these darn bastards are selling e-mail addresses", and complained like hell to them. They went on swearing they did not sell addresses and so on and on. Well, what settled the matter was a spam I received which stated the name of the target:

    Dear Roberto

    Well, my name is not Roberto (even tho it starts with "R"). What caused the spam? They were recycling (reissuing?) e-mail addresses. Someone in the past had that same username on terra.com.br, did some dumb things, and his address got in some spam lists. He was the target, not me. But once this address now belongs to me, I receive his spam. :-( But, once I did not intend to use that address for anything else, it goes straight to /dev/null, after going through some filters to separate official communication from Terra.

    I don't know if this recycling of usernames is a common practice elsewhere, but this is surely a good way to have your mailbox filled with spam :-(

    ---

    --
    morcego
  28. Annoying Forwards by leabre · · Score: 4

    I've had an email address for about a year that was not once used for any reason at all. Never received, never sent. One day, I sent an email to a relative who had just got their email account and was excited to be on the web.

    A month later, I got forwarded one of those "send this to x people and Bill Gates will send you $3,014 for each 3rd person... no really, it's true, just the other day I received my $10 million dollar check from ..."

    I replied and told her never to do that again or she will be blocked and I'll never email her. I explained to her why she shouldn't do that. It's because someone somewhere along the line will get the 30 times forwarded message and will glean the 100's of emails that are a part of the message body from all the forwards and put you on a list.

    Now, everyday I get 1 or 2 University Diplomas emails, they just don't stop sending them, Every day Janna wants to know what I was doing last night, King Kong keeps wanting me to buy some Herbal Viagra alternatives, FBI snooper detection prevention software, and a chance to win a free 3 carat diamond after I send $2,000 to sponsor some foundation... yeah... uh huh...

    I'll tell you, those funnies you send and receive everyday is a really good way.

    The other way is to reply to a spam to be removed from a mailing list. In the same mail account, I replied to a few to be removed from the list and shortly after the volume of messages received almost doubled. Now it's a useless email account that receives over 600 emails per week. It's sad because I've only sent and received less than 10 legitimate messages from that account in the past 5 years and this is what I get in return for it.

    Bottom line:

    * Warn your friends and family not to send
    you forwarded email. Explain to them
    that most of those messages are hoaxes,
    anyway. Companies don't pay you to blast
    the Internet with messages.

    * Second, don't reply to spams when you do
    receive them or it will just confirm an
    active account. I used to spoof returned
    mail notices but those don't help any,
    they also make it worse.

    * Third, if you do receive a mass-forward,
    you're already at odds.

    * Each time you sign up to a new web-site, read
    the privacy statement. Usually, your info
    will be shared with a partner. Check that
    partner's privacy, because usually that partner
    will share your info with a partner and so on.

    Your email address is usually not kept secret
    anymore. They make too much money by selling
    to people. If they are European based, then
    it might be more secure because of privacy
    laws.

    * Opt-out of those "important updates from the
    company and their partners". This will just
    generate more unwanted messages than you'll
    care about. I've opted-in to some in the past
    that were supposed to be monthly tech news
    updates on important issues. Well, one day it
    became daily. They changed their policy
    without notifying me.

    * Most sites reserve the right to change their
    privacy policies at-will and with no obligation
    to notify you. They expect you to keep up
    on this yourself. The best advice is to do
    so. I've cancelled membership to some sites
    because of this. My data is not theirs to
    profit from while I profit nothing from it.

    * Obvious names, such as "kitty@domain.com,
    bmwlover@domain.com, studmuff@domain.com, etc"
    are likely culprits. Sometimes they perform
    dictionary based attacks on many domains and
    it may just be your lucky number. What's
    worse, is that they CC so all emails are there
    and other spammers gather those emails and then
    you are placed on another list.

    * Anything else not mentioned. Keep in mind,
    these are only spam "reduction" techniques. I
    think it's very difficult and next to
    impossible to not be spammed. Being aware of
    certain actions that will trigger a result and
    preventing those actions, will help greatly.

    * If they leave a return address, sometimes you
    can complain and have their account revoked.
    This won't stop them, they'll open another
    account and continue.

    * Push for a law that allows the sponsor of the
    spam to be sued for damages and inconveniences
    rather than the sender. For example, I've
    received over 200 university diplomas messages
    which all have the same phone number, but each
    message is from a different sender. If we can
    sue the owner of the phone number, then that
    would go a great distance because it would
    make people afraid to market in that manner.

    Well, hope this helps,
    Leabre

  29. web forms by *xpenguin* · · Score: 3

    In case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you. They don't reveal your email address, but let your users email you.

    I switched to these way too late though, so I still get lots of spam.

    Here's an example of a web mail form:
    http://www.topfloor.com/pr/examples/cgimail.htm

    --

  30. My Mother's Practice Would Be High Risk :-) by Lethyos · · Score: 5

    My mother complains to me (her IS dept) that she keeps receiving spam and pr0n ads. However, her behavior is one not mentioned as one of the high risk activities on that report. She constantly mass mails her friends chain letters and email jokes (and unfortunately for them does not use blind carbon copy). Most people do not remove that big list of addresses from chain letters and the like before sending them on to the next person (or typically, group of people). As a result, those big long lists of email addresses will eventually get harvested by some agency looking to make money on lists of valid addresses. Even worse for my mother, those agencies do not even have to work any further to verify some of the addresses. They can be guaranteed that the sender(s) addresses are valid. Makes it quicker and easier for them to get your email address sold and sent to spammers.

    So, meanwhile, my mother and I'm sure countless other novice computer users will continue to complain about spam, but those chain letters will keep getting sent. I wish this report would have gone into more depth about this practice - I think it's one of the quickest ways to get spam.

    --
    Why bother.
  31. This has to be the funniest spam.... by andres32a · · Score: 3

    Date: Fri, 27 Jul 2001 12:09:49 -0500
    From: root
    To: andres32a@yahoo.com
    Subject: Was that you?

    Make money fast by selling viagra to the Nigerian government while helping them funnel the money they skim from the operation out of the country to give to naked coeds so they can buy tiny miniture webcams from a company that you must buy stock in now. THIS IS NOT SPAM

  32. Spam-proofing by Omnivorous+Cowbird · · Score: 3

    It seems that a lot of the spam-bots try to filter out certain forms of spam-proofing and remove the word spam from email addresses. After switching to an email account with the word "spam" actually as part of the username, my spam count has plummeted. Of course, time spent explaining to people that that actually is an email address and not spam-proofing is required, but you only need to tell someone once for all of the times they'd write, while you would have to delete spam every time it came in.
    ______________________________________

    --
    ______________________________________
    Ever notice how fast Windows runs? Neither did I...
  33. More comprehensive by statusquo83 · · Score: 3

    I actually tested this more comprehensively by sending all the email I got at my domain to one inbox, and using nameofdomain@mydomain.com to figure out where the spam was coming from. I was surprised that I didn't get any from my Slashdot account despite people's paranoia about it here. The biggest culprit was a single newsgroup posting that I made, netting me over 140 spam messages.

    --
    import sig.my.*;
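
The per-source tagging described in the comment above, as an added example that is not part of the original post: it attributes each message in a catch-all inbox to the tagged address it was sent to. The domain `mydomain.example`, the tags, the `Delivered-To`/`X-Original-To` headers being stamped by the receiving mail server, and the sample messages are all assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumption: a domain whose catch-all delivers every address to one inbox.
MY_DOMAIN = "mydomain.example"

# Constructed sample messages; only the headers matter here.
SAMPLE = [
    # Bcc'd spam: the tag appears only in the header added at delivery.
    "Delivered-To: usenet@mydomain.example\nFrom: a@bulk.example\n"
    "To: undisclosed-recipients:;\nSubject: Diploma\n\nbody\n",
    # Tag visible in To, with a display name and mixed case.
    'From: b@bulk.example\nTo: "Friend" <Usenet@MyDomain.Example>\n'
    "Subject: Hi\n\nbody\n",
    # Tag visible only in Cc, among other harvested addresses.
    "From: c@bulk.example\nTo: x@elsewhere.example\n"
    "Cc: y@elsewhere.example, shopsite@mydomain.example\nSubject: Win\n\nbody\n",
    # Nothing names our domain: cannot be attributed from headers alone.
    "From: d@bulk.example\nTo: other@elsewhere.example\nSubject: Buy\n\nbody\n",
]

def tag_for(raw, domain=MY_DOMAIN):
    """Return the local part (the per-site tag) the message was sent to, or None."""
    msg = message_from_string(raw)
    # Delivery headers first: spam is often Bcc'd, so To/Cc may not name us.
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            local, _, host = addr.rpartition("@")
            if local and host.lower() == domain.lower():
                return local.lower()
    return None

def tally_sources(raw_messages, domain=MY_DOMAIN):
    """Count messages per tag; untraceable ones go under 'unattributed'."""
    counts = Counter()
    for raw in raw_messages:
        counts[tag_for(raw, domain) or "unattributed"] += 1
    return counts

if __name__ == "__main__":
    for tag, n in tally_sources(SAMPLE).most_common():
        print(f"{tag:15s} {n}")
```
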