What Makes You "High Risk" For SPAM?

sexykitty writes "What exactly is it that we do to invite unsolicited email to our inboxes? CNET contributor Matt Lake opened 12 free email accounts online in an experiment aimed at determining just that, and here are the results. See the risks involved in disclosing your email address through various methods. " Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

I have a confession.

For years, i have been using bob@bob.com as a junk mail address to enter. I recently found out, there is a bob@bob.com. (It used to be owned by someone at microsoft i believe.) So im sorry bob.

My own Final Solution (tm) to spam

[Xeger]

My own spam problem started in the dark and forlorn days of 1995. It all started because of a name.

Due to an unfortunate accident of ancestry, my initials happen to be ADS. When I got my first dialup shell account, I chose to use my initials for my login name in the style of one of my then-heroes, Robert Tappan Morris (of RTM Worm fame). Thus did I become ads@netcom.com.

You can imagine the sort of traffic this generated for me, from day one! Every yokel with a half-brained scheme and a university mail account decided that this miraculous 'ads' address must be a special mailing list for thousands of Netcom customers who sat with baited breath, waiting to learn how they could lose weight fast, get rich quick or get rid of debt.

I fought this torrent of spam for almost 5 years before I finally had the technical proficiency and computing resources to come up with a solution. The solution I finally found is elegant and simple. It keeps the spam down to three or four messages per day. More importantly, it lets me know who is distributing my name to whom, and when.

I have a host alias tracker.xeger.net. Mail sent to any address @tracker.xeger.net is subjected to extra-bitchy filters, and mail that makes the cut is forwarded to one of my normal mail accounts, address intact.

Whenever I go to a new web site, or give my email address out to anyone, I give them an address of the form 'domain_dom@tracker.xeger.net'. CNN gets 'cnn_com@tracker.xeger.net'; Amazon gets 'amazon_com@tracker.xeger.net' and so forth. When the spam comes rolling in, I know from whence it came. I know how they got my mail address. And I know who to hunt down and disembowel.

To this date, I have been solely responsible for more than 200 cancelled accounts and at least two blacklistings. The count goes up daily.

Re:My own Final Solution (tm) to spam

[Xeger]

Duly noted. I knew something was fishy about that paragraph.

Re:My own Final Solution (tm) to spam

[Webmonger]

One variant is to use plus addressing: Sendmail always ignores plus signs in the username when delivering mail. So you can use spamcheck+aol@mydomain.com and spamcheck+marigolds@mydomain.com and they'll be delivered to spamcheck@mydomain.com, but you can see they're addressed to spamcheck+aol...

Re:My own Final Solution (tm) to spam

[3-State+Bit]

The problem with this is that a spammer can spam whatever@tracker.xeger.net
A better way to do this is to give amazon.com "xeger232524272" instead of amazon_com, and then associate xeger232524272 with amazon.com on your end of the line. You can have a simple script give you another number every time you need a name. Do you need to register something with "Marigolds Inc?" simply execute this at your bash prompt:
#redirectoradd
Short nick: Marigolds Inc
Reason/description: signed up for their "infrequent" newsletter -- once per month they said.
xeger65134556132

In other words, xeger65134556132@tracker.xeger.net is now an active mailbox, and you can cut and paste it over to the web form. Associated with this new mailbox is a date and time (which the "redirectoradd" script adds), a description, the knowledge that it couldn't just be "guessed" (since an 11 digit number is not simply guessable).
Any spam tracker.xeger.net gets that's not associated with an active number is bounced, except for "xeger@tracker.xeger.net", which autoresponds so:
Subject: I haven't seen your email!
Body:
Hi, sorry for the inconvenience, but for security reasons this isn't actually my real email address. To get a real email address, you need to reply to this email with "get real address" as your subject and the body a description of who you are and why you need my email address.

I repeat, your email has NOT been delivered. For your convenience, it is attached in this reply, and any text portion is included below. It will also be included with the email notifying you of my real address, where you can simply forward it.
You wrote:
>Hi Xeger!
> How would you like to get in on this ONCE
> IN A LIFETIME opportunity??? Yes, that's
> right...[etc]

That way, if you need to give out your email address when you're not at your computer, you can still do so. You can have various levels of this, where mail to xeger1 never gets looked at, but xeger2, which you put on your resume, actually does let you look at the mail that you receive there, even while you wait for your prospective employer to establish a "formal" address. If this doesn't strike you like a good idea, you can create a few "spare" addresses with no descriptions associated with them, so that when you give it out to somebody on the spot you can cross that one off of your list and the person can email you directly, while that address is still only associated with one person and you can know if it's ever given out. for instance:
#redirectorblanklist 5
xeger6513455512123
xeger4351234214985
xeger1215437214963
xeger9467248121546
Which you can then print on a few cards and give them out whenever somebody needs an email address. You can carry around a bunch of preprinted addresses this way, and write down a description every time you give one out, even if it's just at a credit card promotion at the mall. You can write a description next to the name and put it into your database when you get home. Sure it's a LITTLE more involved than giving out billbrady@redirector.xeger.net, but then billbrady can't submit the name "asdfasdf@redirector.xeger.net" to sign you up for the Daffodils Promotion Program at daffodils.com, which mysteriously gets you a lot of spam from a bunch of people you don't know. Moreover, if everyone started doing what you do currently, then spammers could just guess email addresses and always have them delivered (if they sneak by the spam filter). Not a good idea.


What do you think?

--

Re:And people wonder why we despam our emails...

[PigleT]

`Despam'? YM `munge', that's the traditional term.

Anyway. I have to say I find Usenet is the greatest cause of spam around. Bots regularly trawl both From: and Reply-To: headers, so I get most of my spam that way.

I've found the best bet is to have complete ownership over your own (sub)domain; you can easily enough choose one or two real usernames at that subdomain to use for yourself, and then when you sign up for given services online, invent a single word (egg@, asserta@, slash@, aol@, chat@, whatever) on a per-site basis. That way you can track exactly where a given spam got your email address if you want.

I'm not convinced of the timing in the guy's article; I started getting spams to usenet@ my domain only a couple of weeks from starting using it; it wasn't even that long that the throw-away account started getting these things from /. as well.

The moral is simple: beware of what things you publish. Not only will advertising an email address bring you spam, but sticking your box in DNS as `www' will bring you loads of packets, and appearing in an NNTP-Posting-Host: header will bring you *loads* of news-port scans as well.
~Tim
--
.|` Clouds cross the black moonlight,

What Makes You "High Risk" For SPAM?

[egon]

I'd guess "Posting on Slashdot".

Awww shit....

--
Give a man a match, you keep him warm for an evening.

Alpha spammers...

[ktakki]

Recently, I opened a Hotmail account. Within minutes, I had my first spam arrive (toner cartridges). Minutes. On an address that has never been given out, used, or posted anywhere.

A friend of mine has an login name that's both short and is made up of the first five letters of the alphabet. She gets upwards of 100 pieces of spam each day.

J. Random Spammer, like an orangutang with an assault rifle, could care less if spam arrives at a valid e-mail address. As long as the client can be billed for "1,000,000 direct marketing messages sent". That's all that matters.

The real problem is all of the brain dead system administrators that leave port 25 open for anyone who wants to drop trou and take a huge dump in everyones' In Box. Korea, Ireland, Brazil, China...and the good ol' USA. Idiots.

Fetch my LART gun, boy.

k.
--
"In spite of everything, I still believe that people
are really good at heart." - Anne Frank

Email address harvesting from your own server!

[Matt_Bennett]

I run my own email server, and I admit, every once in a while, I get pretty obsessive about looking at the mail logs. For a few weeks earlier this year, I had someone from a [big national ISP] dialup pounding my server with requests that came up with 'unknown user' bounces. The usernames were common first names, and names like "marketing", just trying to get a hit. My best guess is someone was using a dictionary type attack to find valid usernames to spam. I sent email to [big national ISP] giving them the logs and the specific IP address that these were originating from. No response, attack continued. I finally denied that IP range with the sendmail 'access' file.

How can you fight this type of harvesting? I can't figure out how... having some sort of feedback when an legitimate email has a mistyped username is useful, so I don't want to accept and route to /dev/null all the 'unknown user' emails.

Should I post anon?

[Cplus]

Nah.

Every time I fill out any kind of registration for crap that I don't want to get actual email about I put in hemos@slashdot.org. I don't even remember why, I think Hemos pissed me off at some point about something mundane and it just stuck in my mind. I'm thinking that dave@dave.com gets a lot because of me too.

Don't use generic e-mail names

[martin-k]

After reading the article (yes, I really did that!), I am wondering why they left out the one sure-fire recipe for getting tons of spams:

Get an e-mail address like [a-z][a-z][{insert generic family name}]@[hotmail|yahoo|bigfoot|whoever].com and you won't be able to stop the deluge.

I did that once at Hotmail and I had to stop reading the account. Now I am using it only for cases where I have to register with an e-mail address.

-Martin

You should still never opt out.

[BillGodfrey]

Remove me addresses, put remove in the subject, global opt out lists, etc.

Go to http://mail-abuse.org/rbl/reporting.html instead.

Why run your own domain?

[alanjstr]

I use Sneak Email to direct my mail. Any time I need to enter my e-mail address, I create a new one. Worried about Amazon.com going bankrupt and selling your e-mail address? Worry no more. You can adjust the filters to block domains, all mail, or just delete the address from existence. Why bother configuring your own host to filter when you can use SneakEmail for free.

Of course it helps to spamproof your address when posting to message boards (see mine above).

Filling in a needless registration form? I started putting 'abuse@theirdomain.com' instead. If Real.com wants to spam me, they'll just spam themselves.

BAD web forms

[The+Pim]

in case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you.

Be careful! Your example demonstrates every mistake it possibly could. One, it requires putting your email address in the HTML, where a spammer could find it. Two, it does not appear to restrict the recipient, meaning it is effectively an open relay. Three, there is no indication that it performs effective logging, meaning it is effectively an anonymous open relay.

Not to mention that any programmer so thoughtless probably didn't think much about security, so you may be creating a new vulnerability without solving the old one.

Webforms too.

[www.sorehands.com]

I switched to using webforms on my site instead of mailto. Then I rewrote the code to hide the email address from the public since most of the form codes gets the email address from the webpage.

customize your email address

[kchayer]

If I have to use my email address to register some software, I started using a little trick to track where my mail comes from. It's simple: you can add name+extension@example.com to your address.

That way, when I get mail to me+realplayer@example.com, I know that I gave that address out when I downloaded realplayer. If email to that address starts getting out of hand, it's simple to just block to that specific address.

YMMV, as I don't know if all mailing software supports it, but for our Sendmail+Cyrus setup it works fine.

"I say consider this day seized!" -Hobbes

Re:More comprehensive

[11223]

Maybe it's because you don't list your email addy on your account?

MMF Spammers; their wares & methods.

[Darth+RadaR]

Of course the best way to prevent some spammer from getting your email address off of a webpage is to just make an image of your email address instead of putting a "mailto:you@there.com" which is one of the many ways spammers do their harvesting.

Here's some of the nefarious companies and their creations...know your enemy :)
This company has an "Atomic Harvester" that fishes for email addressen and if that's not annoying enough, they also have a program that automatically spams newsgroups. And for the spammer that's too lazy or too cheap to pay for the software, then This company will harvest email addressen for a fee.

To thwart the above methods, check here for ways of protecting against those harvesters.

Annoying Forwards

[leabre]

I've had an email address for about a year that was not once used for any reason at all. Never received, never sent. One day, I sent an email to a relative who had just got their email account and was excited to be on the web.

A month later, I got forwarded one of those "send this to x people and Bill Gates will send you $3,014 for each 3rd person... no really, it's true, just the other day I recevied my $10 million dollar check from ..."

I replied and told her never to do that again or she will be blocked and I'll never email her. I explained to her why she shouldn't do that. It's because someone somewhere along the line will get the 30 times forwarded message and will glean the 100's of emails that are a part of the message body from all the forwards and put you on a list.

Now, everyday I get 1 or 2 Univerity Diplomas emails, they just don't stop sending them, Every day Janna wants to know what I was doing last night, King Kong keeps wanting me to buy some Herbal Viagra alternatives, FBI snooper detection prevention software, and a chance to win a free 3 carot dimand after I send $2,000 to sponser some foundation... yeah... uh huh...

I'll tell you, those funnies you send and recieve everyday is a really good way.

The other way is to reply to a spam to be removed from a mailing list. In the same mail account, I replied to a few to be removed from the list and shortly after the volume of messages recived almost doubled. Now it's a useless email account that receives over 600 emails per week. It's sad because I've only sent and recieved less than 10 legitimate messages from that account in the past 5 years and this is what I get in return for it.

Bottom line:

* Warn your friends and family not to send
you forwarded email. Explain to them
that most of those messages are hoaxes,
anyway. Companies don't pay to you to blast
the Internet with messages.

* Second, don't reply to spams when you do
receive them or it will just confirm an
active account. I used to spoof returned
mail notices but those don't help any,
they also make it worse.

* Third, if you do recieve a mass-forward,
you're already at odds.

* Each time you sign up to a new web-site, read
the privacy statement. Usually, you're info
will be shared with a partner. Check that
partners privacy, because usually that partner
will share your info with a partner and so on.

Your email address is usually not kept secret
anymore. They make too much money by selling
to people. If they are European based, then
it might be more secure because of privacy
laws.

* Opt-out of those "important updates from the
company and their partners". This will just
generate more unwanted messages than you'll
care about. I've opted-in to some in the past
that were supposed to be monthy tech news
updates on important issues. Well, one day it
became daily. They changed their policy with
out notifying me.

* Most sites reserve the right to change their
privacy policies at-will and with no obligation
to notify you. They expect you to keep up
on this yourself. The best advice is to do
so. I've cancelled membership to some sites
because of this. My data is not theirs to
profit from while I profit nothing from it.

* Obvious names, such as "kitty@domain.com,
bmwlover@domain.com, studmuff@domain.com, etc"
are likely culprits. Sometimes they perform
dictionary based attacks on many domains and
it may just be your lucky number. What's
worse, is that they CC so all emails are there
and other spammers gather those emails and then
you are placed on another list.

* Anything else not mentioned. Keep in mind,
these are only spam "reduction" techniques. I
think it's very difficult and next to
impossible to not be spammed. Being aware of
certain actions that will trigger a result and
preventing those actions, will help greatly.

* If they leave a return address, sometimes you
can complain and have their account revoked.
This won't stop them, they'll open another
account and continue.

* Push for a law that allows the sponsor of the
spam to be sued for damages and inconveniences
rather than the sender. For example, I've
recived over 200 unvirsity diplomas messages
which all have the same phone number, but each
message is from a different sender. If we can
sue the owner of the phone number, than that
would go a great distance because it would
make people afraid to market in that mannor.

Well, hope this helps,
Leabre

My Mother's Practice Would Be High Risk :-)

[Lethyos]

My mother complains to me (her IS dept) that she keeps receiving spam and pr0n ads. However, her behavior is one not mentioned as one of the high risk activities on that report. She constantly mass mails her friends chain letters and email jokes (and unfortunately for them does not use blind carbon copy). Most people do not remove that big list of addresses from chain letters and the like before sending them on to the next person (or typically, group of people). As a result, those big long lists of email addresses will eventually get harvested by some agency looking to make money on lists of valid addresses. Even worse for my mother, those agencies do not even have to work any further to verify some of the addresses. They can be guarenteed that the sender(s) addresses are valid. Makes it quicker and easier for them to get your email address sold and sent to spammers.

So, meanwhile, my mother and I'm sure countless other novice computer users will continue to complain about spam, but those chain letters will keep getting sent. I wish this report would have gone into more depth about this practice - I think it's one of the quickest ways to get spam.