Slashdot Mirror


Spam Research Six Month Report

Zoomer writes "Every day, millions of people receive dozens of unsolicited commercial e-mails (UCE), known popularly as 'spam.' Some users see spam as a minor annoyance, while others are so overwhelmed with spam that they are forced to switch e-mail addresses. This has led many Internet users to wonder: How did these people get my e-mail address? In the summer of 2002, CDT embarked on a project to attempt to determine the source of spam. To do so, we set up hundreds of different e-mail addresses, used them for a single purpose, and then waited six months to see what kind of mail those addresses were receiving. The results offer Internet users insights about what online behavior results in the most spam. The results also debunk some of the myths about spam." Update: 04/12 15:47 GMT by CN : About a minute after this went live, I found that michael posted this earlier. Mea culpa.

21 of 193 comments

  1. Hotmail by obotics · · Score: 2, Interesting
    I think if the government or something was to just do a raid on Hotmail servers and shut them all down, this would cause a heavy reduction on the amount of spam. It is amazing how much my Hotmail account receives. If I don't check the account for a whole day, the account will reach the storage limit and bounce incoming e-mail.

    PS if anybody needs some good spam to help Mozilla Bayesian Junk Mail filters learn, just set up a Hotmail account and copy those e-mails into Mozilla :)

  2. WHOIS by SamMichaels · · Score: 5, Interesting

    They mentioned that no spam was received from emails listed in the WHOIS database...

    I'd be interested in seeing a study for companies that harvest snail mail addresses from the database.

    I've received junk snail mail from every shady company on the face of the planet when I register a new domain or when it's up for renewal...plus I've even received phone calls (back when I used a real phone) about "we're ready to setup your web hosting and web design. Call us back immediately!" Persistent bugger, too...he kept calling back.

    1. Re:WHOIS by juuri · · Score: 2, Interesting

      I get a bit of spam related to domains registered through netsolutions, this is around 25 domains. At last count it was about 10 emails a week, far higher than the single email received during this study.

      Domains registered with other registrars have yet to generate spam. Weird.

      --
      --- I do not moderate.
  3. Really good report by dtolton · · Score: 5, Interesting

    It's interesting to see those results. While I knew that spammers
    harvested e-mail addresses from Web Sites, I didn't realize the
    magnitude of it.

    Of the 10,000 spam messages they received over the six month period,
    8,609 of them were from simply posting it publicly to a web site. I
    always opt out of the subscription services where I can, and most of
    the time I avoid posting any of my e-mail addresses publicly, now I
    will redouble that effort.

    They had some really useful suggestions also, my favorite was using
    multiple "disposable" e-mail addresses and forwarding them to a main
    e-mail address that you keep private. When you sign up for a site,
    create a new disposable e-mail address and use that. If you start
    getting spam from it, just shut off that disposable e-mail. That is
    incredibly good advice.

    I like the idea of disguising or masking your e-mail address,
    although I think using HTML characters or a "Human readable"
    equivalent is something that spammers will easily be able to
    circumvent if the practice becomes widespread. They don't bother now
    because not many people do it.

    What I would like to see is a standard practice of generating your
    posted e-mail address into an image. This would make it
    *significantly* more difficult to harvest e-mail addresses in mass,
    while remaining easy for a single use of sending someone an e-mail message.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:Really good report by wass · · Score: 2, Interesting
      People have long been putting the NOSPAM identifier in their address to be displayed publicly, but I'm pretty sure spammers' robots are by now regex'ing these attempts out.

      What I have done in the past is to disguise the @ and . chars with other characters and include instructions how to fix it. For example, sign your posts like : email address me at "johndoexfakeyemailycom" and change the x to @ and the y to .

      That technique might eventually fail if a large database of domains is built up such that it's easy to figure out where the x and y are. At that point, you can add longer words like 'xyzzy' instead of just 'x' for the @ substitution, etc.

      Another good technique I've seen is putting an email like "johnappledoe@fake.orange.email.banana.com" and then saying "remove all fruits to email me".

      Although, whenever possible, I think embedding a picture of an email address is a great idea. I'll start doing that on my own webpages.

      --

      make world, not war

  4. Fight SPAM. by termos · · Score: 2, Interesting

    I recently registered a new e-mail address, two days later I already had spam in my inbox. I noticed that I had been releasing my e-mail on a few web-pages, and came to think of something. The spammers "scan" webpages for e-mail addresses, and automatically send commercial mail to them.
    If you are sick of this - as I am - add your e-mail address with NOSPAM in the middle of it like name@NOSPAMhost.com, or write it like this; name at host dot com. I have started doing that, and as I can see spam has actually increased a little bit.

    --
    Note to self: get smarter troll to guard door.
  5. Shouldn't this have been posted by CmdrTaco? by MondoMor · · Score: 3, Interesting

    "Spam" ought to be CmdrTaco's category to update all by himself. It appears to be some weird obsession with him, since most people in his position just use one of the many freely-available tools and live with it.

    Spam, the religion of CmdrTaco, who will soon declare SpamJihad on the troll community here, unleashing his SpamFedaykin-Slashbots! SPAM!

  6. Mailshell.com by blackmonday · · Score: 3, Interesting

    Mailshell.com tells me who spams me. You can assign yourself a "new" email address anytime, just by making it up when you give it to someone. The fake email is forwarded to your real address. So I have addresses like amazon@me.mailshell.com, etc. You can also direct any email that comes from a particular address to the trash, and never see it. I like it, I don't think it's too expensive. When I signed on it was still free.

  7. AI... by Anonymous Coward · · Score: 2, Interesting

    This still doesn't tell us WHERE spam comes from... i.e. what kind of losers are distributing it. Haven't they realised that spam is now an ineffective advertising method? If someone wants pr0n, they damn well know where to get it. They're not just going to one day say "Oh, I think I will 'try' pr0n just because I got an email about it" as someone would try a car if they saw an ad on TV...

    OR perhaps spam doesn't come from any one person - perhaps it's the beginning of a dormant AI within the internet that nobody sees, it creates these messages on its own free will, and will some day break out of the internet.... okay, maybe I HAVE been watching the Matrix Trailer too much..

  8. What I want to know.... by invenustus · · Score: 3, Interesting

    .... is the profile of the average spammer. Most of my spam is poorly spelled and frequently points to sites that don't have anything to sell. My suspicion, and I have no way of verifying it, is that most of these messages are sent by people who get suckered into a "Make Money From Home!" offer, send a few messages to a giant list of addresses, and then give up when they're not living in MC Hammer's mansion by the end of the week.

    Does anyone know who the average spammer is?

    Another cool piece of spam research I've never seen mentioned on Slashdot is the Bot Trap, which I learned about from this Little Green Footballs entry. If you're the admin for any web server, I strongly recommend setting this up. You probably don't make a huge dent in spam, but you get the satisfaction of seeing the list of IPs you thwarted.

    --
    grep -ri 'should work' /usr/src/linux | wc -l
  9. Your email on a WebSite by GregBildson · · Score: 3, Interesting

    We found that posting our contact email addresses on a well known website was definitely the worst thing to do. There are some very aggressive email harvesters out there that just eat up website content and easily parse out the email addresses. Using some simple javascript tricks to assemble and display your email address piece by piece will defeat the current generation of harvesters.

    Some of our old email accounts are now firmly planted in the email lists that these companies sell to each other and will "be in play" forever. Having received numerous offers to assemble and sell email lists (which we will never do), I know a little about these companies. Once your email is known by one of the big players, it will be sold to others in units of thousands for as little as pennies but sometimes up to a buck per thousand.

  10. Government Increased My Spam by dragons_flight · · Score: 3, Interesting

    I operate a domain, so it is easy to substitute a unique email address when I register for some suspect activity.

    To my shock, one of the single greatest sources of spam that I have gotten is from an email address placed on a CA voter registration form. I've never actually used that address or given it out for anything before or since, and yet a year later I am still getting 3 or so emails a day showing up in my spam filter from that address.

    To my knowledge not one of these spams actually came from the CA government, but I can only infer that either they sold it, or there is some big public list of voter registration emails that spammers know about.

  11. morpheus generated spam by roalt · · Score: 2, Interesting
    I have my own domain, so when I give away my email address I just put the name of that website before the @ (at) sign. All mail is forwarded to my real e-mail address.

    I noticed some time ago I received a lot of spam from musiccity@, an e-mail address I provided for the once-popular peer-to-peer network morpheus.

    The funny thing is, I just redirected this e-mail address mail towards sales@musiccity.com. It helped!
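
The per-site address scheme several commenters describe (a unique address per registration, forwarded to a private mailbox and shut off once it attracts spam), as an added example that is not part of the thread. The domain `example.org`, the secret and all function names are assumptions, and the keyed tag goes beyond what the commenters describe so that valid aliases cannot be guessed.

```javascript
// Added example (not from the thread): per-registration aliases on your own domain.
const crypto = require("crypto");

const DOMAIN = "example.org";             // assumption: a catch-all domain you operate
const SECRET = "constructed-demo-secret"; // assumption: a real secret lives outside the source

// Short keyed tag, so an outsider cannot mint a valid alias by guessing "shop@domain".
function tagFor(label) {
  return crypto.createHmac("sha256", SECRET).update(label).digest("hex").slice(0, 8);
}

// Alias to hand out when registering somewhere; `label` names that place.
function makeAlias(label) {
  const clean = label.toLowerCase().replace(/[^a-z0-9]/g, "");
  if (!clean) throw new Error("label must contain a letter or digit");
  return `${clean}.${tagFor(clean)}@${DOMAIN}`;
}

// Decide what to do with mail addressed to `rcpt`.
// `revoked` is a Set of labels whose alias has been shut off.
function classify(rcpt, revoked) {
  const m = /^([a-z0-9]+)\.([0-9a-f]{8})@(.+)$/.exec(rcpt.trim().toLowerCase());
  if (!m || m[3] !== DOMAIN) return { action: "reject", reason: "not an alias" };
  const [, label, tag] = m;
  // Both buffers are 8 bytes long (the regex guarantees it), as timingSafeEqual requires.
  if (!crypto.timingSafeEqual(Buffer.from(tagFor(label)), Buffer.from(tag))) {
    return { action: "reject", reason: "forged tag" };
  }
  if (revoked.has(label)) return { action: "reject", reason: "revoked", source: label };
  return { action: "forward", source: label };
}

// Count spam-flagged deliveries per label to see which registration leaked the address.
function leakReport(spamRecipients) {
  const counts = {};
  for (const rcpt of spamRecipients) {
    const verdict = classify(rcpt, new Set());
    if (verdict.source) counts[verdict.source] = (counts[verdict.source] || 0) + 1;
  }
  return counts;
}

// Constructed sample: recipients of messages a spam filter flagged.
const voter = makeAlias("voterform");
const shop = makeAlias("shop");
const flagged = [voter, voter, shop, "shop.00000000@example.org", voter];
console.log(leakReport(flagged));
console.log(classify(voter, new Set(["voterform"])));
```

Revoking a label only stops delivery; the report still attributes later spam to the registration that leaked it.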

  12. Avoid Spam Bots by ManyLostPackets · · Score: 1, Interesting

    There are like a zillion ways to thwart spam bots from harvesting e-mail. Less cryptic ones like this one work well enough.

    shows up as name@domain.com

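    <SCRIPT LANGUAGE="JavaScript">
    <!-- NoSpam
    // The address is split so it never appears whole in the page source.
    var user = "name";
    var site = "domain.com";

    // Assemble the mailto link when the page renders.
    document.write('<a href="mailto:' + user + '@' + site + '">');
    document.write(user + '@' + site + '</a>');
    // End -->
    </SCRIPT>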

  13. I hate spam too, but... by rmdyer · · Score: 2, Interesting

    ...I just don't understand how some people are having so much trouble with it.

    I've had the same email address since Sept 1992. We don't use any filtering on the mail server. I only get about 5 or 6 spam messages a day. On a bad day I might...might get up to 10. Granted, I have seen a marked increase in spam in the last year. True, it's probably going to get worse. I sometimes get more telemarketer calls a day than email spam tho...that says something.

    I can only surmise that some people don't know how to browse the internet securely.

    First rule of the internet, create a hotmail account for anything non-professional like general browsing and usenet. For professional sites, always uncheck the boxes that request news and updates. This is no-brainer stuff.

    If you really want to eliminate spam, get rid of drop-box mail solutions like SMTP. Require the sender to request a token for email transfer.

    Just my 2 cents.

  14. Easy by iamacat · · Score: 4, Interesting

    DMCA regulates something that is strictly my own business, like do I watch my DVD under Windows or under Linux? If you send spam, you are making it a million people's business.

    I tend to talk to people I know on the phone and just check my e-mail once per week to see if anyone sent a message about my programs. Even if you are right, I have to sit for 14 minutes doing nothing except deciding which messages with "Hi, Oleg" subject to open. And I deleted quite a few legitimate messages because I didn't recognize the address.

    By the same token, if I went to sleep at 4am I won't want to have a chat with a telemarketer at 9. So I end up turning off my phone until I wake up and possibly missing calls from friends. And I don't want my physical mailbox to overflow just because I went on a one week trip during the holiday season. But spam is definitely the worst.

    Communication between people is good. I should be able to publish my postal address, my phone number and my e-mail on the web and invite people to contact me if they looked at my stuff and want to chat. Remember when shareware came with a README file with all kinds of contact information to send $15? I actually got a few nice snail mail letters with checks.

    Spam has destroyed our ability for this kind of casual communication. People sending it or selling the products advertised make very little money compared to the value of our time or forced changes in our behaviour. It's time to stop them using technological, political or cultural methods, whatever works best.

  15. Re:Dupe (mod) by mbogosian · · Score: 2, Interesting

    I use hotmail, I never get spam (except from MSN, but it is THEIR damned webspace I'm using). Now, I am worried that I will get spam blasts from having my address on my website, but it hasn't happened yet. Hopefully it never will.

    It would be interesting if the authors of the study published the names of the companies which refused to honor the opt-in/opt-out preferences or who sold e-mail addresses inappropriately. I'm not sure how "ethical" this is, but I'd really like to know....

  16. yup by lysium · · Score: 2, Interesting
    I think spammers are the same kind of people that get stuck working for one of those quasi-pyramid sales companies. Those "Make Money from Home" ads usually require the purchase of the spamming software (reliable revenue stream of suckers), and I would suspect that most people do not make back the money they spend on it.

    I doubt these folks' internet connections stay valid for very long once they start spewing email through their accounts, so that might have something to do with it....

    -----------

    --
    Together, we will drive the rats from the tundra.
  17. Not all means taken into "account" by Kaz+Riprock · · Score: 3, Interesting


    Just having an account can get you spam these days. Even at a university...especially at a university. Like any good system, my school's mail/student server is organized by year and/or alphabetized.

    If any user changes up a directory...does an ls -1p > spamlist.txt and then mails said spamlist.txt to their friendly neighborhood spammer who pays them 20$...then all of those users just got added to somebody's hit parade, even if they never submitted their address to a public or private outlet.

    I know this, because my email address is a bit ambiguous. One could email me at fake@university.edu or fake@xxx.university.edu and it would arrive in my mailbox. I have *NEVER* used this email address in any forum other than work-related issues and have *NEVER* used the "xxx" portion of the email when I have submitted it (in interest of brevity).

    I currently procmail filter about a dozen different spammers (each sending different revisionary mails of each of their products) and invariably the address used is fake@xxx.university.edu (NOT the one I have ever used). Clearly someone determined what my account was named and then determined the mail server to be xxx.university.edu and put the two together. It's easy enough if you have an account on the server to simply list the home directories into a file and submit.

    fake@xxx.university.edu is not listed on any google-indexed site or usenet article which furthers my belief that this came from within. Also, some spammers send the mails to about 15-20 university accounts at a time (they don't always hide the headers correctly and I get a cc list of about a dozen other users on my university's student server...ALL using xxx.university.edu).

    These inside jobs are easy, do not negatively affect the committed party (unless the school is logging every ls command), and probably earn you enough money to buy a six-pack. A few beers for the inconvenience of your fellow students...great job, jerky.

    --
    Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
  18. They didn't test forwards or viruses.... by davburns · · Score: 2, Interesting

    I have suspected for some time that lots of spam gets sent to people who send (or receive) lots of forwards. This is the only explanation I can think of for some of the spam I've seen to some "private" (given only to friends) addresses. This implies, I suppose, that some friends, or friends of friends, or their friends are giving my address to spammers.

    They also didn't test viruses as a method of address-harvesting. (Viruses like Klez that send mail to random people with forged From: addresses.) I have no clue how much spam comes from this, but it would be very interesting to know.

    I note also that this study didn't include any control to compare results to "real" addresses that get used for lots of things, so maybe there is some other method that spammers use, that also wasn't tracked. Six months might be too short of a time. I know I get mail to new@walt (walt is a machine that had a usenet server on it during the mid-nineties), so old email addresses, once harvested, get on CDROMS and keep getting hit forever.

  19. Back in my time... by Pseudonymus+Bosch · · Score: 3, Interesting

    For the love of God, NEVER put it in unadulterated form (i.e. user@domain.com) in a Usenet posting or in a publicly-accessible HTML page

    I still remember when guides for newbies told that not providing a usable return address was a breach of netiquette.

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu