Slashdot Mirror


What Makes You "High Risk" For SPAM?

sexykitty writes "What exactly is it that we do to invite unsolicited email to our inboxes? CNET contributor Matt Lake opened 12 free email accounts online in an experiment aimed at determining just that, and here are the results. See the risks involved in disclosing your email address through various methods." Yeah, running a relatively well known website with your e-mail address all over doesn't exactly help out in the spam avoidance department either.

15 of 259 comments

  1. I have a confession. by Anonymous Coward · · Score: 5

    For years, I have been using bob@bob.com as a junk mail address to enter. I recently found out, there is a bob@bob.com. (It used to be owned by someone at Microsoft, I believe.) So I'm sorry, Bob.

  2. My own Final Solution (tm) to spam by Xeger · · Score: 5

    My own spam problem started in the dark and forlorn days of 1995. It all started because of a name.

    Due to an unfortunate accident of ancestry, my initials happen to be ADS. When I got my first dialup shell account, I chose to use my initials for my login name in the style of one of my then-heroes, Robert Tappan Morris (of RTM Worm fame). Thus did I become ads@netcom.com.

    You can imagine the sort of traffic this generated for me, from day one! Every yokel with a half-brained scheme and a university mail account decided that this miraculous 'ads' address must be a special mailing list for thousands of Netcom customers who sat with bated breath, waiting to learn how they could lose weight fast, get rich quick or get rid of debt.

    I fought this torrent of spam for almost 5 years before I finally had the technical proficiency and computing resources to come up with a solution. The solution I finally found is elegant and simple. It keeps the spam down to three or four messages per day. More importantly, it lets me know who is distributing my name to whom, and when.

    I have a host alias tracker.xeger.net. Mail sent to any address @tracker.xeger.net is subjected to extra-bitchy filters, and mail that makes the cut is forwarded to one of my normal mail accounts, address intact.

    Whenever I go to a new web site, or give my email address out to anyone, I give them an address of the form 'domain_dom@tracker.xeger.net'. CNN gets 'cnn_com@tracker.xeger.net'; Amazon gets 'amazon_com@tracker.xeger.net' and so forth. When the spam comes rolling in, I know from whence it came. I know how they got my mail address. And I know who to hunt down and disembowel.

    To this date, I have been solely responsible for more than 200 cancelled accounts and at least two blacklistings. The count goes up daily.

    1. Re:My own Final Solution (tm) to spam by Xeger · · Score: 5

      Duly noted. I knew something was fishy about that paragraph.

    2. Re:My own Final Solution (tm) to spam by Webmonger · · Score: 5

      One variant is to use plus addressing: Sendmail always ignores plus signs in the username when delivering mail. So you can use spamcheck+aol@mydomain.com and spamcheck+marigolds@mydomain.com and they'll be delivered to spamcheck@mydomain.com, but you can see they're addressed to spamcheck+aol...

    3. Re:My own Final Solution (tm) to spam by 3-State+Bit · · Score: 5

      The problem with this is that a spammer can spam whatever@tracker.xeger.net.
      A better way to do this is to give amazon.com "xeger232524272" instead of amazon_com, and then associate xeger232524272 with amazon.com on your end of the line. You can have a simple script give you another number every time you need a name. Do you need to register something with "Marigolds Inc"? Simply execute this at your bash prompt:
      #redirectoradd
      Short nick: Marigolds Inc
      Reason/description: signed up for their "infrequent" newsletter -- once per month they said.
      xeger65134556132

      In other words, xeger65134556132@tracker.xeger.net is now an active mailbox, and you can cut and paste it over to the web form. Associated with this new mailbox is a date and time (which the "redirectoradd" script adds), a description, and the knowledge that it couldn't just be "guessed" (since an 11-digit number is not simply guessable).
      Any spam tracker.xeger.net gets that's not associated with an active number is bounced, except for "xeger@tracker.xeger.net", which autoresponds so:
      Subject: I haven't seen your email!
      Body:
      Hi, sorry for the inconvenience, but for security reasons this isn't actually my real email address. To get a real email address, you need to reply to this email with "get real address" as your subject and the body a description of who you are and why you need my email address.

      I repeat, your email has NOT been delivered. For your convenience, it is attached in this reply, and any text portion is included below. It will also be included with the email notifying you of my real address, where you can simply forward it.
      You wrote:
      >Hi Xeger!
      > How would you like to get in on this ONCE
      > IN A LIFETIME opportunity??? Yes, that's
      > right...[etc]

      That way, if you need to give out your email address when you're not at your computer, you can still do so. You can have various levels of this, where mail to xeger1 never gets looked at, but xeger2, which you put on your resume, actually does let you look at the mail that you receive there, even while you wait for your prospective employer to establish a "formal" address. If this doesn't strike you as a good idea, you can create a few "spare" addresses with no descriptions associated with them, so that when you give it out to somebody on the spot you can cross that one off of your list and the person can email you directly, while that address is still only associated with one person and you can know if it's ever given out. For instance:
      #redirectorblanklist 5
      xeger6513455512123
      xeger4351234214985
      xeger1215437214963
      xeger9467248121546
      Which you can then print on a few cards and give them out whenever somebody needs an email address. You can carry around a bunch of preprinted addresses this way, and write down a description every time you give one out, even if it's just at a credit card promotion at the mall. You can write a description next to the name and put it into your database when you get home. Sure it's a LITTLE more involved than giving out billbrady@redirector.xeger.net, but then billbrady can't submit the name "asdfasdf@redirector.xeger.net" to sign you up for the Daffodils Promotion Program at daffodils.com, which mysteriously gets you a lot of spam from a bunch of people you don't know. Moreover, if everyone started doing what you do currently, then spammers could just guess email addresses and always have them delivered (if they sneak by the spam filter). Not a good idea.


      What do you think?

      --
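The alias scheme 3-State+Bit describes, as an added example that is not part of the original post or any script its author wrote: random 11-digit aliases with a recorded description, a guessable base address that only autoresponds, and a bounce for everything else. The class name, the placeholder domain `tracker.example.net` and the in-memory dictionary are assumptions.

```python
import secrets
from datetime import datetime, timezone

DOMAIN = "tracker.example.net"  # placeholder domain (assumption)
BASE = "xeger"                  # guessable public address: autoresponds, never delivers


class AliasRegistry:
    """Hypothetical stand-in for the 'redirectoradd' script and its database."""

    def __init__(self):
        self.aliases = {}  # local part -> nick, reason, created, active

    def add(self, nick="", reason=""):
        """Mint a random alias; leave nick/reason blank for a spare 'card' address."""
        while True:
            local = f"{BASE}{secrets.randbelow(10**11):011d}"  # 11 random digits
            if local not in self.aliases:
                break
        self.aliases[local] = {
            "nick": nick, "reason": reason,
            "created": datetime.now(timezone.utc), "active": True,
        }
        return f"{local}@{DOMAIN}"

    def describe(self, address, nick, reason):
        """Fill in a spare alias once you know who it was handed to."""
        self.aliases[address.split("@")[0]].update(nick=nick, reason=reason)

    def revoke(self, address):
        """Stop delivering to an alias that has leaked to spammers."""
        self.aliases[address.split("@")[0]]["active"] = False

    def route(self, rcpt):
        """Return (action, source) for an incoming RCPT address."""
        local, _, domain = rcpt.lower().partition("@")
        if domain != DOMAIN:
            return ("reject", None)
        if local == BASE:
            return ("autorespond", None)
        entry = self.aliases.get(local)
        if entry and entry["active"]:
            return ("deliver", entry["nick"] or "(spare, not yet described)")
        return ("bounce", None)
```

The source returned by `route` is what tells you who leaked an address; `secrets` is used instead of `random` so the digits cannot be predicted from earlier aliases.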

  3. Re:And people wonder why we despam our emails... by PigleT · · Score: 5

    `Despam'? YM `munge', that's the traditional term.

    Anyway. I have to say I find Usenet is the greatest cause of spam around. Bots regularly trawl both From: and Reply-To: headers, so I get most of my spam that way.

    I've found the best bet is to have complete ownership over your own (sub)domain; you can easily enough choose one or two real usernames at that subdomain to use for yourself, and then when you sign up for given services online, invent a single word (egg@, asserta@, slash@, aol@, chat@, whatever) on a per-site basis. That way you can track exactly where a given spam got your email address if you want.

    I'm not convinced of the timing in the guy's article; I started getting spams to usenet@ my domain only a couple of weeks from starting using it; it wasn't even that long that the throw-away account started getting these things from /. as well.

    The moral is simple: beware of what things you publish. Not only will advertising an email address bring you spam, but sticking your box in DNS as `www' will bring you loads of packets, and appearing in an NNTP-Posting-Host: header will bring you *loads* of news-port scans as well.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  4. What Makes You "High Risk" For SPAM? by egon · · Score: 5

    I'd guess "Posting on Slashdot".

    Awww shit....

    --
    Give a man a match, you keep him warm for an evening.
    Light him on fire, he's warm for the rest of his life
  5. Email address harvesting from your own server! by Matt_Bennett · · Score: 5

    I run my own email server, and I admit, every once in a while, I get pretty obsessive about looking at the mail logs. For a few weeks earlier this year, I had someone from a [big national ISP] dialup pounding my server with requests that came up with 'unknown user' bounces. The usernames were common first names, and names like "marketing", just trying to get a hit. My best guess is someone was using a dictionary type attack to find valid usernames to spam. I sent email to [big national ISP] giving them the logs and the specific IP address that these were originating from. No response, attack continued. I finally denied that IP range with the sendmail 'access' file.

    How can you fight this type of harvesting? I can't figure out how... having some sort of feedback when a legitimate email has a mistyped username is useful, so I don't want to accept and route to /dev/null all the 'unknown user' emails.
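One way to spot the dictionary run Matt_Bennett describes without giving up 'unknown user' bounces, as an added example that is not part of the original post: count distinct unknown recipients per relay IP and flag only sources that guess many names. The log lines are constructed, their layout imitates a sendmail `check_rcpt` reject entry as an assumption, and the threshold of 5 is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample log. The layout imitates a sendmail check_rcpt reject
# entry (an assumption); adjust REJECT to match what your MTA really writes.
LINE = ("Mar  3 02:11:{s:02d} mail sendmail[811]: ruleset=check_rcpt, "
        "arg1=<{u}@example.org>, relay={h} [{ip}], "
        "reject=550 5.1.1 <{u}@example.org>... User unknown")
GUESSES = ["john", "mary", "dave", "marketing", "sales", "info"]
SAMPLE_LOG = "\n".join(
    [LINE.format(s=i, u=u, h="dial17.isp.example", ip="192.0.2.17")
     for i, u in enumerate(GUESSES)]
    # one honest typo from an unrelated host
    + [LINE.format(s=40, u="mat", h="mx.friend.example", ip="198.51.100.4")]
)

REJECT = re.compile(
    r"arg1=<(?P<rcpt>[^>]+)>, relay=.*?\[(?P<ip>[0-9.]+)\], "
    r"reject=550 .*User unknown")


def unknown_by_source(log_text):
    """Map each relay IP to the set of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            seen[m["ip"]].add(m["rcpt"].lower())
    return seen


def harvesters(log_text, min_distinct=5):
    """Relays that probed at least min_distinct different unknown users."""
    return {ip: sorted(rcpts)
            for ip, rcpts in unknown_by_source(log_text).items()
            if len(rcpts) >= min_distinct}
```

A sender with a single mistyped name stays under the threshold and still gets a bounce; the flagged IPs are candidates for the sendmail 'access' file the post mentions.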

  6. Should I post anon? by Cplus · · Score: 5

    Nah.

    Every time I fill out any kind of registration for crap that I don't want to get actual email about I put in hemos@slashdot.org. I don't even remember why, I think Hemos pissed me off at some point about something mundane and it just stuck in my mind. I'm thinking that dave@dave.com gets a lot because of me too.

    --
    "Share your knowledge. It's a way to achieve immortality." -- Dalai Lama
  7. Why run your own domain? by alanjstr · · Score: 5

    I use Sneak Email to direct my mail. Any time I need to enter my e-mail address, I create a new one. Worried about Amazon.com going bankrupt and selling your e-mail address? Worry no more. You can adjust the filters to block domains, all mail, or just delete the address from existence. Why bother configuring your own host to filter when you can use SneakEmail for free?

    Of course it helps to spamproof your address when posting to message boards (see mine above).

    Filling in a needless registration form? I started putting 'abuse@theirdomain.com' instead. If Real.com wants to spam me, they'll just spam themselves.

  8. BAD web forms by The+Pim · · Score: 5
    in case your email has never been revealed anywhere on the net, you can use cgi or php scripts that email you.

    Be careful! Your example demonstrates every mistake it possibly could. One, it requires putting your email address in the HTML, where a spammer could find it. Two, it does not appear to restrict the recipient, meaning it is effectively an open relay. Three, there is no indication that it performs effective logging, meaning it is effectively an anonymous open relay.

    Not to mention that any programmer so thoughtless probably didn't think much about security, so you may be creating a new vulnerability without solving the old one.

    --

    The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
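A form-to-mail handler that avoids the three mistakes The Pim lists, as an added example that is not part of the original post: the recipient lives only in server-side code, header-bound input is refused if it carries line breaks, and every submission is logged with the client IP. The function name, field names and addresses are assumptions; actual sending is left out so the sketch runs offline.

```python
import logging
from email.message import EmailMessage

RECIPIENT = "owner@example.org"  # assumption: server-side only, never in HTML or the request
SENDER = "webform@example.org"   # assumption: fixed sender for all form mail
log = logging.getLogger("contactform")


class Rejected(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_message(form, remote_ip):
    """Build the one message this form may send; form is the parsed POST dict."""
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    body = form.get("body", "")
    # Single-line fields only: CR/LF in a header value is how extra
    # To:/Bcc: lines get smuggled into the outgoing mail.
    for field, value in (("name", name), ("email", email), ("subject", subject)):
        if "\r" in value or "\n" in value or len(value) > 200:
            log.warning("form post from %s rejected: bad %s", remote_ip, field)
            raise Rejected(field)
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT  # any 'to' or 'recipient' key in the form is ignored
    msg["Subject"] = "[webform] " + subject
    # Visitor-supplied identity goes in the body, not in headers.
    msg.set_content(f"From: {name} <{email}>\nClient IP: {remote_ip}\n\n{body}")
    log.info("form post from %s accepted, %d body chars", remote_ip, len(body))
    return msg
```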
  9. Webforms too. by www.sorehands.com · · Score: 5
    I switched to using webforms on my site instead of mailto. Then I rewrote the code to hide the email address from the public, since most form code gets the email address from the webpage.

  10. customize your email address by kchayer · · Score: 5
    If I have to use my email address to register some software, I started using a little trick to track where my mail comes from. It's simple: you can add name+extension@example.com to your address.

    That way, when I get mail to me+realplayer@example.com, I know that I gave that address out when I downloaded realplayer. If email to that address starts getting out of hand, it's simple to just block to that specific address.

    YMMV, as I don't know if all mailing software supports it, but for our Sendmail+Cyrus setup it works fine.

    --

    "I say consider this day seized!" -Hobbes
    "Tomorrow we'll seize the day and throttle it!" -Calvin
  11. Re:More comprehensive by 11223 · · Score: 5

    Maybe it's because you don't list your email addy on your account?

  12. My Mother's Practice Would Be High Risk :-) by Lethyos · · Score: 5

    My mother complains to me (her IS dept) that she keeps receiving spam and pr0n ads. However, her behavior is one not mentioned as one of the high risk activities on that report. She constantly mass mails her friends chain letters and email jokes (and unfortunately for them does not use blind carbon copy). Most people do not remove that big list of addresses from chain letters and the like before sending them on to the next person (or typically, group of people). As a result, those big long lists of email addresses will eventually get harvested by some agency looking to make money on lists of valid addresses. Even worse for my mother, those agencies do not even have to work any further to verify some of the addresses. They can be guaranteed that the sender(s) addresses are valid. Makes it quicker and easier for them to get your email address sold and sent to spammers.

    So, meanwhile, my mother and I'm sure countless other novice computer users will continue to complain about spam, but those chain letters will keep getting sent. I wish this report would have gone into more depth about this practice - I think it's one of the quickest ways to get spam.

    --
    Why bother.