Slashdot Mirror


Where Does Spam Come From? No, Really?

jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (i.e., HTML encoding vs. plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read."

86 of 306 comments

  1. Woah by mr.henry · · Score: 5, Funny

    This seems familiar.

    1. Re:Woah by JaredOfEuropa · · Score: 4, Funny

      Slashdot needs a new story topic: Dupes! Suggestions for an icon, anyone?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Woah by heytal · · Score: 2, Funny

      But even after giving three chances, the guys at cdt.org won't learn.. look, their site is slashdotted again!!

    3. Re:Woah by CustomDesigned · · Score: 2, Funny

      That's OK. I gave up Slashdot for Lent, so the timing of the repost was perfect. Now to HTML encode my email on all my web pages . . .

    4. Re:Woah by dtfarmer · · Score: 4, Funny

      After reading through that report for the third time, I think I have an interesting point to make - but I'll wait for slashdot to dupe the story a fourth time before I post it...

    5. Re:Woah by Steve+Christ · · Score: 5, Funny

      Dolly the sheep. :O)

    6. Re:Woah by jpetts · · Score: 2, Funny

      Suggestions for an icon, anyone?

      Only one icon?

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    7. Re:Woah by codezion · · Score: 2, Funny

      And soon to come the famous statement -

      update Oh well, it's a dupe. Whatever, it gives people something to complain about I guess ;)

    8. Re:Woah by NanoGator · · Score: 3, Funny

      "Slashdot needs a new story topic: Dupes! Suggestions for an icon, anyone? "

      Mini Me. It's a perfect clone, but only 1/8th as interesting.

      --
      "Derp de derp."
    9. Re:Woah by Black+Copter+Control · · Score: 2, Funny
      seems familiar. (http://slashdot.org/article.pl?sid=03/04/12/1442206&mode=thread&tid=111&tid=95)

      Oh my god, Slashdot is Spamming us!

      (FYI: the original definition of spamming included (was) multiple (usenet) posting of the same article).

      --
      OS Software is like love: The best way to make it grow is to give it away.
  2. Everyone knows.... by Chris_Stankowitz · · Score: 5, Funny

    that Spam comes from a 'SPIG'. Cousin to the pig, but has to be mechanically separated before being canned and served.

    1. Re:Everyone knows.... by beders · · Score: 3, Funny

      The best way to avoid spam is to get the page with your email address on /.ed

  3. Dupe by blackmonday · · Score: 2, Funny

    Is it April Fool's again? I'm waiting for the story on the evil bit now.

  4. Where Does Spam Come From? by Gossy · · Score: 5, Interesting

    From those damn Spammers I'd guess.

    No wait, better - it comes from those companies who profit from the utilisation of bandwidth. People who sell email servers marketed as coping with massive volumes of email too. Oh, and let's not forget the people spam filters!

    Cynical? Me? :)

    1. Re:Where Does Spam Come From? by sketerpot · · Score: 4, Interesting

      Speaking of the people making spam filters, there is sometimes talk about a conflict of interest since the companies that sell spam filters don't have much incentive to make spam (and hence the need for their filters) go away. Here is where the hole in the argument comes: spam filters are sometimes made by people who don't stand to make money from them, like POPfile (it works excellently for me). And that, my fellow slashdotters, is why you should use open source spam filters.

  5. hrm by Vej · · Score: 3, Interesting

    But what explains the amazing spectrum of sources?

    Even with a black-list implementation, spam has been through the roof lately, almost too much to keep up with submitting even.

  6. 3rd time: charming by rakerman · · Score: 5, Informative

    If Slashdot posts the same report three times, is that slashspam?

  7. Definition: SLAM by kvn299 · · Score: 5, Funny

    SLAM: An unsolicited duplicate Slashdot story.

  8. Duplicate of March 19th article by richard-parker · · Score: 2, Informative

    This article is a duplicate of one posted on March 19 back when the CDT report was released:

    CDT Releases New Report on Origins of Spam

  9. From here by zm · · Score: 2
    --
    Sig ?
  10. Tripe by s20451 · · Score: 4, Funny
    It's not just a dupe. Better yet, it's a tripe.

    tripe n.
    1. Stomach tissue of a ruminant and especially of the ox used as food
    2. Something poor, worthless, or offensive

    --
    Toronto-area transit rider? Rate your ride.
  11. Spam is mainly dupes by SpaghettiPattern · · Score: 2, Funny

    Yes....

    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  12. On a related note, Alyx Sachs, spammer, says... by tbetz · · Score: 5, Informative

    "'These antispammers should get a life[...] Do their fingers hurt too much from pressing the delete key? How much time does that really take from their day?"

    "By contrast, she said, '70 million people have bad credit. Guess what? Now I can't get mail through to them to help them.'"

    The whole story is available at:

    http://www.nytimes.com/2003/04/22/technology/22SPAM.html?pagewanted=print&position=

    Also available at

    http://www.chron.com/cs/CDA/ssistory.mpl/business/1877197

    Is Alyx Sachs the female Alan Ralsky?

    1. Re:On a related note, Alyx Sachs, spammer, says... by gbjbaanb · · Score: 3, Interesting
      at least we get a new spam story from /. - shame it wasn't the one posted by the editor.

      I liked the quote from AOL: America Online says the amount of spam aimed at its 35 million customers has doubled since the year started and now approaches 2 billion messages a day, more than 70 percent of the mail its users receive. I make that 2000 spam messages per user per day! (even if you use the American Billion, and not the British).

      Thank god for ISP filters, I don't quite feel so bad about the 20 or so I get per day now. (not that I use AOL, so I don't know if those spams get through to their users).

    2. Re:On a related note, Alyx Sachs, spammer, says... by JaredOfEuropa · · Score: 4, Insightful

      Nice...

      "The legislation introduced recently in the Senate would try to make many practices used by spammers illegal. It would force commercial e-mail to identify the true sender, have an accurate subject line and offer recipients easy removal from marketing lists. And it would impose fines for violators.

      For her part, e-mail marketer Sachs says that any such move will only end up making it harder to run a legitimate business."


      So Ms. Sachs, tell me, what kind of "legitimate business" necessitates hiding the true sender of those email?

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:On a related note, Alyx Sachs, spammer, says... by Anonymous Coward · · Score: 2, Informative
      Would that be... this Alyx Sachs???

      Alyxsandra Sachs
      112 Catamaran St
      Marina Del Rey, CA 90292-5769
      (310)578-1728

      (Courtesy of Switchboard.com)

    4. Re:On a related note, Alyx Sachs, spammer, says... by shekondar · · Score: 3, Informative
      Y'know, it wouldn't be very nice if, say, somebody posted a link to this scumbag's website...

      Or, their site's WHOIS record...

      Let the /.ing begin!

      --

      No trees were harmed in posting this message. However, a large number of electrons were terribly inconvenienced
    5. Re:On a related note, Alyx Sachs, spammer, says... by SirLanse · · Score: 2, Informative

      Uhh 2 billion divided by 35 million is 57 msgs
      per day, and 70 percent of that is 40 spams
      per day per AOHell user.

      Bad Karma is still Karma

    6. Re:On a related note, Alyx Sachs, spammer, says... by rtechie · · Score: 2, Interesting

      "So Ms. Sachs, tell me, what kind of "legitimate business" necessitates hiding the true sender of those email?"

      To be fair to Ms. Sachs, she's right about this one. This legislation wouldn't affect the policies of ISPs, who uniformly ban ALL spam in their Terms of Service. If she were forced to identify her REAL email address, people would complain to her REAL ISP and get her kicked off even faster. If she was forced to put ADV: in her subject line most end users would never even see the mail because ISPs would block it at the servers, etc.

      Of course, she's making the assumption that any business based on spamming, junk mail, junk faxes, etc. is "legitimate".

  13. All SPAM comes from.... by Znonymous+Coward · · Score: 4, Funny

    Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob). He's always telling us that:

    "Americans are not in Baghdad"

    or

    "Loose wieght in just 2 weeks"

    or

    "Make money fast"

    or

    "Requested information"

    --

    Karma: The shiznight, mostly because I am the Drizzle.

    1. Re:All SPAM comes from.... by jpetts · · Score: 4, Funny

      Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob). He's always telling us that:

      "Loose wieght in just 2 weeks"


      He was misquoted: he actually said "Lose Kuweight in two weeks..."

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
  14. spam report by KingRamsis · · Score: 2, Funny

    the readers of /. are being spammed with reports about spam...
    /. editors come on guys make up and start talking to each other again.

  15. How to signal spam by ChrisNowinski · · Score: 2, Funny

    Spam should clearly have the Evil Bit set to on.

  16. Where do dupes come from? by Anonymous Coward · · Score: 4, Funny

    Where do duplicate slashdot articles come from? No, really?

  17. Blasting Spammers with URLs by BigBlockMopar · · Score: 5, Funny

    I like to have fun with this one. Make sure that you take out any "serial numbers" which might be embedded in the link. Call as many dynamic scripts on the page as you can.

    #!/bin/bash

    COUNT=0
    while [ $COUNT -lt 2000 ]; do
    lynx -dump $1?YOU_FILL_MY_MAILBOX_WITH_UNSOLICITED_CRAP_AND_I _WILL_DO_THE_SAME_TO_YOUR_WEBLOGS
    let COUNT=COUNT+1
    echo $COUNT
    done

    Okay, it's ugly. And who knows if they actually check their weblogs? But it makes me feel better.

    Besides, they were warned on my webpage, which outlines all the policies with regard to sending e-mail to my domain.

    A really neat extension would be to have a script which parses the e-mail for links, de-fluffs them (to remove redirects through Yahoo and obfuscators like that) and automatically hits each and every one of the URLs given... but I haven't gotten around to it yet.

    --
    Fire and Meat. Yummy.
    1. Re:Blasting Spammers with URLs by delcielo · · Score: 4, Interesting

      On a related note:

      I currently am suffering from somebody pulling a joe-job on an account at my company. Somebody is sending out e-mail ads for a penile enlargement scheme and forging one of our addresses as the sender.

      Legally, where would I stand if I started scripting 1000 e-mail complaints a day to the advertiser?

      I wonder...

      --
      Hot Damn! It's the Soggy Bottom Boys!
  18. Slash code addition by BMonger · · Score: 2, Interesting

    Maybe SlashCode should be set up to look through the links for the past X days/months/whatever and see if there are any duplicate links. Then it could bring up a little warning saying that the link has already been posted so somebody can do a quick check. It wouldn't keep all of the dupes out but it'd help. Of course, that's a rough idea and I'm not going to code it... dupes don't bother me all that much...

  19. Mirror, of the conclusions... by Anonymous Coward · · Score: 5, Informative

    Conclusions

    1. E-mail addresses harvested from the public Web are frequently used by spammers. By an overwhelming margin, the greatest amount of spam we received was to addresses posted on the public Web.

    When an address has been posted on the public Web, it can potentially be viewed by hundreds of millions of users. People who develop spam lists exploit this feature by using address-harvesting programs to surf across thousands of web sites, collecting any e-mail addresses that they encounter. Most users have no idea that their addresses have been harvested until they begin receiving spam.

    2. The amount of spam received by an address posted on the public Web is directly related to the amount of traffic that Web site receives. The more visitors a Web site has in a given period of time, the greater the likelihood that an address-harvesting program used to send spam will scour it. As a result, addresses posted on high-traffic Web sites are likely to receive a greater amount of spam than addresses posted on smaller sites -- popular Web sites are more frequently "harvested," and addresses posted on those Web sites are added to a greater number of spam lists.

    3. E-mail addresses harvested from the public Web appear to have a relatively short "shelf life." When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute -- on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.

    4. Addresses posted in the headers of USENET messages can receive significant spam, though less than a posting on the public Web. Like most Web sites, USENET postings are publicly accessible and may be targeted by e-mail address-harvesting programs. When a user includes his or her address in the heading of a USENET message, that address can be harvested and used to send spam. Our preliminary data indicates that some USENET newsgroups are more frequently harvested for e-mail addresses than others.

    5. Obscuring an e-mail address is an effective way to avoid spam from harvesters on the Web or on USENET newsgroups. Even when posted in publicly accessible areas, none of the addresses we obscured -- whether in English ("example at domain dot com") or in HTML -- received a single piece of spam. Users who want to avoid spam should consider obscuring their addresses when possible.

    6. Sites that publish their policies and make choice available to users generally respected those policies. A major element of the CDT project was to submit e-mail addresses to a number of popular businesses and other organizations on the Web. Many of these sites had privacy policies describing how they handle e-mail addresses and other potentially sensitive pieces of information. While the terms of these policies varied, we found that almost all sites followed their policies. In addition, when consumers were offered choices about how their personal information would be handled, those choices were respected.

    7. Domain name registration does not seem to be a major source of spam. Despite the fact that the WHOIS database is publicly accessible, our project received just a single spam message to an address that was in WHOIS for six months. This leads us to believe that, at least for some people registering new domain names, listings in the WHOIS database may not be a major source of spam. However, because our project had a relatively short duration, we were not able to examine whether additional spam would be received as a domain name approached its renewal date.

    8. Even when an e-mail address has not been posted or shared in any way, it is still possible to receive spam through various "attacks" on a mail server. In our study, a "brute force" attack on the mail server generated a t

    1. Re:Mirror, of the conclusions... by Oliver+Defacszio · · Score: 2, Informative
      Domain name registration does not seem to be a major source of spam

      On this one, I call bullshit. My domain registrations are the only public displays of one e-mail address and that account gets between 10 and 30 spam messages daily. Since that happened, I have given that address up for dead and started using it as a catch-all shit account, but it all started with domain regs.

      --

      -
      Inventor of the term 'pardon my French'.
  20. What would have helped... by ajs · · Score: 4, Informative

    This is a consumer document meant to tell folks how to stop getting as much spam.

    Useful insofar as it goes, but what would be much more helpful is an objective take on how spam gets to the end-system. It's very hard to generate this information. You can come up with the list of final-hop relays, but that's not as useful as you might think, since most of the really crappy spam software out there finds open relays dynamically and routes through them.

    Slightly smarter software is now making it out there that performs some simple testing to determine how / if a given relay of choice can reach other sites. So for example, AOL's recent blocking of Comcast customers will help them in the short term, but over time they'll find that spammers simply stop using those relays and start using the ones that can get through. As new relays pop up, they will be used... eventually you would have to simply stop accepting mail in order to correctly prevent spam.

    Like I say, it would have been useful to have the data on where spam is actually originating, but even without it, you can block spam with a very high degree of certainty based on the sender and relays with a much lower false positive (failure) rate than any of the bogus blacklist schemes out there. I'm about to add a module to SA to do just this, so stay tuned....

  21. I'm down to two a week now by AssFace · · Score: 4, Informative

    I was getting 500 spam a day. Hot damn, that is a lot. I have a bunch of URLs and I was promiscuous with my e-mail address(es). I had them up in newsgroups, message boards (even slashdot), I subscribed to crap, I bought things online, I registered at countless sites... and never with a condom. I have a paypal account, and I have registered at a few casinos (not to play, but to look for security holes - but that doesn't mean they don't still spam the hell out of me). And then my friends and I go through periods of signing each other up for things when we are asked to fill out forms - so it is hard to say how much of that has happened.

    The bulk of what I was getting was from the URLs that I have registered - those URLs were set up to forward all mail at that address that didn't have an actual e-mail address to my address. So I disabled that feature to some extent, and it dropped my daily spam count down to a little over 120 or so a day.

    So I then got curious and went through and "unsubscribed" from a bunch of them just to see what happened. My spam went down to about 30 a day. Hot damn, it worked.
    But then it came back up over time - not sure if the unsubscribing just got my name on other lists, or if it just grew over time.

    So I installed spamassassin, at the time 2.5 was in devel, so I used that. Various builds were better than others, and it got me down to about 1 or 2 spam that snuck through every day.

    Since then I have installed 2.6 and haven't kept up with the development builds as often since the changelog wasn't... well, wasn't changing much over the time that I was watching it.

    I run it as the perl script, not the faster c daemon. I am on a shared server and scripts have to time out after 30 seconds of cpu time. So if the perl script is doing a lot of stuff, it gets killed, and the mail gets sent through.
    So that was the bulk of the spam I was getting - not that spamassassin mistagged it - but that it was dying and letting it through that way.

    So I went in and changed my settings. I disabled all of the blacklist checks (score RAZOR_CHECK 0 and score RAZOR2_CHECK 0). I raised the autolearning threshold to be higher so that it would do that less frequently. I have my good contacts on a whitelist. I made the required_hits spam score to be 3.5 instead of the default 5. I went in and made the 90% bayes score 3.5 and the 99% score to 4. I skipped the rbl checks and made the max attempts on anything that would try multiple times if there was any failure to be low (1-2).

    As a result, it rarely kills the process now unless the server is under a lot of load - and now I get about 1 or 2 spam in a week instead of in a day.

    I am a very big fan of spamassassin.

    --

    There are some odd things afoot now, in the Villa Straylight.
  22. What gets me about all these dupes... by juuri · · Score: 4, Insightful

    ... is that slashdot only posts 10-15 stories a day. Some days we see two or three dupes so maybe over time that averages out to a little less than a story a day.

    What I find impossible to believe is that out of all the submissions that enter into the possible queue these are the ones that stick out so well they end up getting posted. That almost 9% of the time we see the same article get put up.

    Think of it this way, if your department at your company, hell if your company, messed up 9% of the time what would happen to you? In the case of slashdot nothing happens because no one is accountable and anytime anything shoddy happens everyone clamors about with "it's rob's personal site!@#!@#!@ he can post whatever he wants!@#". Except that isn't the case anymore and hasn't been for years. This is a FOR-PROFIT site with readers who create the value, yet time and time again we are shown and told (Hi Michael!) how little we are valued or mean to the staff at slashdot. Answer me this Rob, do you care so little about your creation now? Where is your sense of pride?

    Unfortunately just departing is a hard thing to do because of the absolute power in the meme of "/.". It is a lot like CNN, you know the news sucks, you know it is biased, but it is always there so in a moment of weakness you give in.

    --
    --- I do not moderate.
    1. Re:What gets me about all these dupes... by MyHair · · Score: 3, Funny

      This is a FOR-PROFIT site with readers who create the value,

      Yes, but I got them back: I don't read the ads and I only post uninformed CRAP! MUAHAHAHAHHAAAAAA!

  23. Mirror by inoffensif · · Score: 4, Informative
    --
    - you are sofa king weed todd did
    1. Re:Mirror by 1u3hr · · Score: 5, Funny
      Other mirrors:
    2. Re:Mirror by Kaz+Riprock · · Score: 2, Funny

      Mirror of my response to the first dupe.

      BTW, CN even recognized that he duped the article last time! Geez, is Memento running this website or what?

      --
      Mordor...a magical, mythical land where women are more rare than dragons--but where every man would rather find a dragon
  24. A Mummy SPAM and a Daddy SPAM by turgid · · Score: 4, Funny

    You see, there's a mummy spam and a daddy spam. When they love each other very much they, well, sort of, get together, you know, and they make a new spam.

  25. Re:well look what I found! by rhadamanthus · · Score: 3, Informative
    And she's hiring:


    http://www.hcdonline.com/jobs/DisplayJob.asp?ID=32572


    Category: New Media


    Job Title: eMail ad designer


    Job Description: Need a techy or ad person who can jam out killer ads using front page for eMail campaigns. Easy gig for someone who knows how to write and cut and paste. Good op for freelance, college, or veteran Internet or Advertising guru


    Job Location: Los Angeles


    Phone Number: 323-871-2000x11


    Fax Number: 323-871-0625


    Email: yurontv@netglobalmarketing.com


    Enjoy!

    --rhad

    --
    Slashdot needs to interview Natalie Portman.
  26. Re:why not by vidarh · · Score: 4, Informative
    What makes you think that they use valid return addresses on their systems for their messages?

    The more common strategy is to either use a fake return address, or just choose a more or less random return e-mail address either belonging to someone else (an anti spammer, perhaps?) or that has been registered for the purpose at a free e-mail service.

    I used to be involved in running a fairly large free e-mail service, and our main spam problem was people using addresses from our system in the from field, not people spamming our user. When a spammer sends a few million messages to invalid AOL or Hotmail accounts and one of your addresses is in the From field, you sort of notice the bounce traffic....

    Making the spammers crawl invalid e-mail addresses can reduce the amount of spam to real recipients they manage to send, though, which is why there's quite a few spamtrap scripts out there that generate pages containing lots of e-mail addresses and links to other pages generated on the fly by the script.

  27. Re:why not by Phoenix · · Score: 4, Informative

    "Wouldn't that clog it up on their end with bounces? And maybe change the pages every few days with a new list, maybe there's a random email generator thing to come up with fake domains, like a password generator?"

    Yes it would, but therein lies the problem. Say for example you are on someISP.net as your internet provider. Someone else decides to start spamming through someISP.net (either by an open relay, spoofing or even by actually having an account there). Buhzillions of bouncebacks start swarming someISP.net's servers and BAM! You don't get that e-card from your mother on your birthday.

    The other problem is by having all those fake addresses. Let's say that spamboy sends out that proverbial "buhzillion" messages. That's all traffic that the backbones have to route. NOW since those e-mails are fake they have to bounce back...that's a "buhzillion" autogenerated messages that the servers have to route again.

    Congrats, we've just doubled the spamload.
    Phoenix

    --
    -- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
  28. Iraqi Information Minister Mohammed Saeed al-Sahha by phunhippy · · Score: 3, Funny

    Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob). just hired by slashdot

    "THIS STORY IS NOT A DUPE! IT IS NOT A TRIPE! IT IS ORIGINAL AND YOU WILL READ IT YOU FILTHY INFIDELS!!!

    I am still alive!!

  29. Html encoding doesn't solve the problem by Tired_Blood · · Score: 3, Insightful

    This battle for email addresses will 'never' end. In order to use an email address, you need to publicize its existence. There lies the weakness that spammers exploit.

    Even the HTML encoding of addresses can not stand up to this exploitation. When scouring a website for addresses, everyone knows you look for all occurrences of '@' in the source. Encoding it with HTML merely substitutes one search character with the short string '&#064;'.

    Probably the best defense is to randomly insert undisplayed '@'s and '&#064;'s all over the place within a webpage. That way, there would be too many false positives for them to work out. People are lazy and won't bother with such garbage. The irony of this would be that spammers would need to use anti-anti spamming filters. Then we'd need anti-anti-anti filters, etc.

    Like I said, as long as addresses are advertised, this battle will 'never' end.

    --
    This is not my sig.
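An added example (not part of the comment above or of the CDT report): a small Python audit a site owner can run over their own page source to see which published addresses are readable as plain text and which are hidden only by HTML character references, which one standard-library call reverses. The sample page, the example.org addresses and the function names are constructed for illustration.

```python
import html
import re

# Conservative pattern for auditing; deliberately not a full RFC 5322 parser.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# '@' written as a decimal or hexadecimal character reference (&#064; &#64; &#x40;).
AT_REF_RE = re.compile(r"&#(?:0*64|[xX]0*40);")

# Constructed sample page; every address here is made up.
SAMPLE_PAGE = """
<p>Sales: <a href="mailto:alice@example.org">alice@example.org</a></p>
<p>Support: carol&#064;example.org</p>
<p>Press: &#112;&#114;&#101;&#115;&#115;&#x40;example.org</p>
<p>Legal: j&#111;e@example.org</p>
<p>Owner: dave at example dot org</p>
"""


def audit_addresses(page_source):
    """Map each address in the page to how it is exposed.

    "plaintext"      - the address is readable in the raw source.
    "entity-encoded" - it appears only after character references are decoded.
    """
    raw = {a.lower() for a in ADDR_RE.findall(page_source)}
    decoded = {a.lower() for a in ADDR_RE.findall(html.unescape(page_source))}
    # Iterate over the decoded set only: a raw match such as "e@example.org"
    # (the tail of "j&#111;e@example.org") is a fragment, not a real address,
    # and it disappears once the references around it are decoded.
    return {
        addr: ("plaintext" if addr in raw else "entity-encoded")
        for addr in sorted(decoded)
    }


def count_at_markers(page_source):
    """Count the two markers the comment names: literal '@' and its references."""
    return {
        "literal": page_source.count("@"),
        "reference": len(AT_REF_RE.findall(page_source)),
    }


if __name__ == "__main__":
    for address, exposure in audit_addresses(SAMPLE_PAGE).items():
        print(f"{exposure:15} {address}")
    print(count_at_markers(SAMPLE_PAGE))
```

The "dave at example dot org" line is not reported because this check only decodes character references; it makes no attempt to interpret prose-style obscuring.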
    1. Re:Html encoding doesn't solve the problem by Tired_Blood · · Score: 2, Interesting
      do it as an image.

      I noticed that idea on an earlier post. It looks helpful, but I see three 'flaws':
      • It would be useless for text-only browsers.
      • Loss of 'send me email' automation.
      • The address is still being publicized.
      On the first point, one can argue that there are very few people visiting websites that use text-only browsers. That may be the case but, that logic can be extended to advocating HTML that works only for IE and screw the minority browser users - which is a rather unpopular view on /.

      On the second point, people misspell - often. And sometimes accounts are named rather oddly. The loss of automation functionality may be a big loss, depending on who's talking.

      On the last point, using an image still publicizes the address. It may be much harder to extract the embedded text, but easy/moderate image processing is capable of shape recognition. The use of images reminds me of one-way functions such as the one used in RSA encryption: it's way easy to generate a product while it's practically impossible to factor the product. In this case, it's way easy for the user to visually read while it's way hard for the computer to read. This also reminds me, you'd also exclude blind people.

      All this aside, I would like to mention that the use of images in this context is a VERY good idea for general use. If everyone were to create unique images for email addresses, then it would be impossible for spammers to grab addresses in an automated fashion.

      Again, it's a good idea but I'm lazy and, for now, the payoff isn't as great as just using the HTML encoding. Once that technique starts getting noticed, then I would look into the use of images.
      --
      This is not my sig.
  30. Re:why not by testify · · Score: 3, Insightful

    Problem is, the spammer probably isn't getting bounce messages. They fake a reply-to or stick in someone else's address, so all the error messages go to /dev/null or some innocent person's mailbox.

    There are a bunch of scripts out there that will do what you are looking for. To wit:

    Sugarplum: SPAM poison

    Searches for stuff like "spam harvest poison script" should turn up more. There are also honeypots and tarpits designed to mire SPAMmers' attempts to pump out spam by acting like an open relay, but sending back fake success messages with delays to slow down their progress.

    The thing that gets me is that SPAMmers know everyone hates them, and they do all this underhanded harvesting, address spoofing, attempts to get around filtering, etc. If they would simply put "ADV:" at the start of their message header, we could all set up filters and not get so annoyed. I know since my annoyance level has increased I report each and every SPAM I get via SpamCop, and cackle with delight when I see their websites shut down in short order.

  31. Millions of spam by Joe+the+Lesser · · Score: 4, Funny

    Spam comes in a can,
    It was put there by a man,
    In factory downtown.

    And if I had my little way,
    I'd get spammed every day!...

    --
    "I only speak the truth"
    Karma: null(Mostly affected by an unassigned variable)
  32. At my expense... by Kjella · · Score: 4, Insightful

    "By contrast, she said, '70 million people have bad credit. Guess what? Now I can't get mail through to them to help them.'"

    Tough luck. I pay for my Internet connection, you have no right to cost me money. Do telemarketers call collect? Does the postman demand cash for delivering me mail? No. Why the hell should I let you run a business at my expense?

    Kjella

    --
    Live today, because you never know what tomorrow brings
  33. I wondered the same thing by jeroen94704 · · Score: 4, Interesting

    I've been creating one-off email addresses for pretty much anything that requires an email address for almost a year now. At this moment, I have almost a hundred email addresses made specifically for anything ranging from Slashdot to job-sites to mailing lists. So far, the only addresses that generated any spam at all have been the one I used for Google Groups (well, DUH) and one that was published on a website in plain HTML. All the other ones, so far, have not generated a _single_ spam email. All in all, it seems like the companies and websites that require you to give them your email really do keep it confidential.

    --
    He who laughs last, thinks slowest.
  34. Effect of Spam by rodney+dill · · Score: 4, Funny

    Just remember, SPAM doesn't kill people

    People who get spammed, kill people.

    --

    Use your head, can't you, use your head,
    You're on earth, there's no cure for that
    - S. Beckett
  35. Re:harvesting the addresses from the webpage by olip · · Score: 2, Informative
    >>For further information, contact Ari Schwartz
    >>at the Center for Democracy & Technology,
    >>202-637-9800, ari@cdt.org.


    >hmm.. I'll be interested to know how
    >much spam that generates for him/her....

    First note that Ari is probably male... and then...
    RTFA !!
    Ari heavily insists on encoding your email address in crude HTML ASCII codes which robots don't detect yet (matter of weeks I guess - I guess not everybody on slashdot is an angel, as everywhere) but are perfectly human readable. The guy actually used the method, so it looks
    on screen : ari@cdt.orgg
    view source :
    ari@cdt.o&#11 4;g

    please note I forged his address so that robots don't harvest it here on slashdot, which parent post ignorantly forgot to do ;-)

    O.
  36. Re:Obscured email addresses by sudotcsh · · Score: 3, Insightful
    Well, thinking about what you said, or what the article said:


    But none of the addresses that were obscured, whether in "human-readable" or "HTML-obscured" form,
    received a single piece of spam, leading us to conclude that e-mail address "harvesters" are not presently
    capable of collecting such addresses. While this may change as time passes and technology develops, for the
    time being it appears that obscuring an e-mail address is an effective means of avoiding spam.


    It's not that the harvesters can't figure out obscured email addresses. Searching for the @ sign isn't
    that much easier than searching for the HTML equivalent. I think the reason obscured addresses don't get
    spam is this:

    The spammers realize that anyone smart enough to obscure is someone who hates spam really bad.
    Obviously someone like that isn't going to be an easy sell, and may already be filtering for spam. What's
    the point in targeting that demographic? Waste of time.


    That is why you should obscure your addresses.

  37. The Spam Museum, of course. by vasqzr · · Score: 2, Interesting
  38. Pattern recognition by Theaetetus · · Score: 2, Insightful
    It seems to me the reason the obscured email addresses, e.g. normalforcekills at hotmail dot com, haven't been spammed is because a small portion of the internet savvy do this. For it isn't hard to modify a spider to grab these. Given time these spiders will start grabbing these addresses.

    Perhaps, perhaps not... The 'blah at blah dot com' is a real easy one to fix in a spider (at=@, dot=., you're done), but there are quite a few ways to do it that are either human-parseable only, or require a LOT of coding...
    F0r 15stanc3, rand0m numb3r/l3++3r r3p1ac3m3n+ ki115 dic+ionary program5.
    rO, er-ev-sr-e ve-re-y ap-ri fo el-tt-re-s (reverse every pair of letters... include human readable directions, and you're set)
    Some of the set ones we see on slashdot - bob@hotmailBOHR.com remove physicist, etc.

    Computers are great at quick calculations... but even untrained humans can do pattern recognition many millions of times faster and better (hence the reason face-recognition technology is so primitive).

    -T

  39. Iraqi Information Minister on Double Posts by Torgo's+Pizza · · Score: 3, Funny
    "There never has been any double posting of articles on Slashdot!"

    TheInformationMinister.com Slashdot really needs to hire this guy. (Note: Opera seems to have a problem with the way the Flash on the site works, but Netscape or IE seem fine.) Worth seeing at least once.

  40. A tip for to find sellers... by jimius · · Score: 2, Insightful

    To find out which sites actually sell your mail address, fill in the name of the site (or a name that is obvious enough to know on which site you filled it in) in the real name part of the form.
    When you get mail addressed to Mr./Ms. Real Player then you know who is doing what with your e-mail. So far I received quite some e-mail this way; apparently the sites that actually state promises about not selling addresses seem to be doing just the opposite. More so than sites which don't state promises.

  41. Re:Mysterious Future by CerebusUS · · Score: 2, Insightful

    Sometimes I wonder if the novelty has worn off for the admins and they just really don't care anymore. Sad, because some people would give their left foot for a chance to run the show.

    I'm now convinced this is the case. If Rob and crew don't even bother to read the headlines on their site, then maybe they should remove themselves from the day-to-day and focus on the backend. At one point in the distant past, Rob and Neal lent some personal flavor to slashdot, I'm not sure that's the case anymore.

  42. Re:From and Reply-To address forging by Nf1nk · · Score: 2, Interesting

    The problem with this is that sometimes the spammer will say the same thing, like "no I didn't send you the email about my amazing penis enlarging pills, but if you want to buy them click here". It is just another level spammers will shrink to.
    Some of these guys think that saying this will protect them from the lawsuits they so richly deserve.

    Oh and it happened to me too.

    --
    I used to have a cool sig, back when I cared
  43. Short addresses by Mikey-San · · Score: 4, Funny

    * Short e-mail addresses are easy to guess, and may receive more spam.

    For further information, please contact Ari Schwartz at the Center for Democracy & Technology, 202-637-9800, ari@cdt.org.


    Did anyone else find that rather funny?

    --
    Mikey-San
    Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
  44. Let's make spammers spam each other by DocSnyder · · Score: 4, Informative
    The vast majority of the spam we received -- over 97% of it -- was delivered to addresses that had been posted on the public Web.

    So let's beat them with their own weapons. Sugarplum is a WWW spambot poisoner feeding them with lots of email addresses which are faked, spam traps or addresses of known spammers and spamfriendly people - collected from spam emails or experience with spamfriendly ISPs. As a motivation, a lot of spamfriendly institutions don't see the problem "spam" as serious until they get a really high dose of unwanted email per day.

    My Sugarplum installation gets scanned really often. At the moment, the French superspammer Artmarket is coming back almost every day, harvesting my Sugarplum site and dumping about 100 spams each time into my spam trap box. My ratio between spam trap and spammer is 1:50, so each time Artmarket will spam about 5000 spammers.

    Some German dialer operators who had a really big spam problem half a year ago are actually trying to hire people to fight against spam they are getting on their own - no wonder, their domains were about the first to be spambaited massively in Usenet newsgroups and on WWW sites. Some 419 scam gangs who spamvertise their email addresses have to change them about once a month, as they will get flooded with "counterspam", and what is worse, they rely on the availability of their email addresses to get replies from their victims - that's why they spam.

    1. Re:Let's make spammers spam each other by dwsauder · · Score: 2, Interesting
      You don't really need something like sugarplum. Even if you can't run CGI scripts, you can embed email addresses on your web page. Make the mailto: URLs white text on a white background to hide them. That's just one idea. If you want more ideas on how to hide information in HTML text, just look at a few spam messages. You can learn a lot from the techniques spammers use. (White on white is one such technique. Spammers use it to add text in the hopes of fooling spam filters.)

      It's really quite gratifying to know that you can turn spammers' techniques back on them.

  45. Re:Advice for Taco... by user32.ExitWindowsEx · · Score: 2, Funny

    Dangit..."Increase your browser history size" - now that sounds like a piece of spam right there.

    I know I'll probably get modded to heck for this, but what the heck...

    --
    "Evil will always triumph because good is dumb." -- Dark Helmet
  46. Why is evil stronger? by Iowaguy · · Score: 2, Interesting

    Ok, I am not a coder, so don't flame me much. I am just curious about something. People write programs that hunt through the entire web, parse the pages, and find email to record for spam. This does not seem easy to me. So, why are there not effective, aggressive counter measures? It seems to me there is a vast and bright talent pool on slashdot. Why are there not programs that spam the spammers with email addresses or something like that? Take the fight to them. In the old west, there was no law until the people stopped helplessly looking around and saying why me? My two cents, -Iowa

    --
    "He who laughs last, didn't get the joke."-Cap
  47. My Mom's Low-Tech version of this study by Mark_in_Brazil · · Score: 2, Interesting

    Heh...

    Before the days when SPAM was a big problem, my Mom already didn't like getting physical "junk mail" through the USPS. She knew different organizations were selling and trading her address, but she decided to track it to see who was passing what info. She started using false middle initials when she subscribed to magazines, bought things from catalogs, etc.
    So when she subscribed to Cosmopolitan (I know, but it was the 70s and she's a woman. What can you do?), she used the name "June C Cleaver" (well, except that I've replaced my Mom's real name with "June Cleaver" here to protect Mom's privacy). When she subscribed to Games, it was "June G Cleaver," and so on.
    When she would call some magazine or other company to demand to know why they had sold her address to others, their denials were quickly slapped down when she revealed that "C" or "G" or whatever wasn't her real middle initial and she had used the fake initial to determine who was selling or passing her address to whom.
    My Mom rules.

    --Mark

    --
    "It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
  48. Re:Mysterious Future by 1u3hr · · Score: 3, Interesting
    Sometimes I wonder if the novelty has worn off for the admins and they just really don't care anymore.

    Seems to be the case. Here's a reply to an email I sent Malda a few weeks ago:

    Date: Sun, 2 Mar 2003 11:11:32 -0500
    Subject: Re: Tarproxy story is a dupe
    From: Rob Malda

    Yup. Course it's Sunday, and there's not much else to post, so I'm just
    saying whatever ;) CNN can post the same story 3 times. I don't see
    why we can't!

    On Sunday, March 2, 2003, at 11:01 AM, you wrote:

    >Dear Rob,
    >
    >as subject:
    >
    >TarProxy Creates Tar Pit... For Spammers
    >Posted by CmdrTaco on Sunday March 02,
    > http://slashdot.org/article.pl?sid=03/03/02/1415257
    >
    >Using Statistics to Cause Spammers Pain
    >Posted by michael on Saturday March 01,
    > http://developers.slashdot.org/article.pl?sid=03/02/28/2033230
  49. How I solved my spam problem by Luveno · · Score: 5, Informative
    • I registered my own domain.
    • I signed up for ZoneEdit DNS service that has transparent MX records for email (*@mydomain.com forwards to MyRealAddy@MyISP.com).
    • I use a new address for everything I do on the web (amazon@mydomain.com for Amazon.com, paypal@mydomain.com for Paypal, etc). They all get forwarded to me anyway.
    • When I get a spam problem, I make an entry at ZoneEdit to forward the spammed addy to the ether (this@wont.work). As a bonus, I can tell who leaked my addy.

    Works for me, anyhow.
    1. Re:How I solved my spam problem by TeddyR · · Score: 2, Interesting

      The problem with this method is that bulk spammers also send to all possible names@domain.com hoping to get a few through.

      I use a similar method, but without the wildcard address. I specifically add the address(es) to the forward list [yes, zoneedit also lets you do that]... Just be sure to be RFC compliant... {postmaster, abuse, etc to forward to your ISP box as well} :-)

      --

      --
      Time is on my side
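The per-site alias scheme from this comment and its reply, as an added example that is not either poster's setup or ZoneEdit's interface: an explicit forward list with no wildcard, role mailboxes kept deliverable, and retired aliases still attributable to the site they were given to. The class and function names, `example.org`, `me@isp.example` and the sample recipients are all constructed assumptions.

```python
from collections import Counter

# Role mailboxes that stay deliverable (RFC 2142 names postmaster and abuse).
ROLE_LOCAL_PARTS = {"postmaster", "abuse"}


class AliasRouter:
    """Explicit per-site aliases for one domain; no wildcard catch-all."""

    def __init__(self, domain, real_mailbox):
        self.domain = domain.lower()
        self.real_mailbox = real_mailbox
        self.active = {}    # local part -> site the alias was handed to
        self.retired = {}   # local part -> site, kept so leaks stay attributable

    def register(self, site):
        local = site.lower()
        self.active[local] = site
        return "%s@%s" % (local, self.domain)

    def retire(self, site):
        local = site.lower()
        self.retired[local] = self.active.pop(local)

    def route(self, recipient):
        local, _, domain = recipient.lower().rpartition("@")
        if domain != self.domain:
            return ("reject", None)
        if local in ROLE_LOCAL_PARTS or local in self.active:
            return ("forward", self.real_mailbox)
        if local in self.retired:
            return ("discard", self.retired[local])  # leaked alias: drop silently
        return ("reject", None)  # guessed names never reach the real mailbox


def leak_report(router, spam_recipients):
    """Count spam per site whose alias was hit, plus guesses at unknown names."""
    leaks, guesses = Counter(), 0
    for rcpt in spam_recipients:
        local, _, domain = rcpt.lower().rpartition("@")
        if domain != router.domain:
            continue
        site = router.active.get(local) or router.retired.get(local)
        if site:
            leaks[site] += 1
        elif local not in ROLE_LOCAL_PARTS:
            guesses += 1
    return dict(leaks), guesses


def demo():
    router = AliasRouter("example.org", "me@isp.example")
    for site in ("amazon", "paypal", "forum"):
        router.register(site)
    # Constructed recipients of messages already classified as spam.
    spam = ["forum@example.org", "forum@example.org", "john@example.org",
            "sales@example.org", "info@example.org"]
    leaks, guesses = leak_report(router, spam)
    router.retire("forum")  # the alias that leaked
    return (leaks, guesses, router.route("forum@example.org"),
            router.route("john@example.org"), router.route("amazon@example.org"))


if __name__ == "__main__":
    print(demo())
```

With a wildcard, the three guessed names in the sample would all have been forwarded; with the explicit list they are rejected, and only the alias given to one site shows up in the leak count.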
  50. Re:Advice for Taco... by 1u3hr · · Score: 4, Insightful
    Purple linkies = BAD. Blue linkies = GOOD. ;-)

    except that the other articles were posted by Cowboy Neal and Michael, respectively.

    In any case, part of the problem is that in reading the submissions they will undoubtedly see the same story many times, so a link would show as visited if you'd scanned through a bunch of those, published or not. The same goes for just trusting your memory, there must be a serious deja-vu problem. But there's no fucking excuse at all for such unprofessionalism. Just type "spam" into the search box on the Slashdot front page and you see the earlier stories (along with both "AOL sues spammers" of a few days ago). More specifically, typing in "cdt.org" shows all three dupes at the top of the list.

    I can't think of any explanation except serious drug abuse in the workplace.

  51. How do spammers find open relays and open proxies? by minas-beede · · Score: 3, Interesting

    If you are concerned (angry, assigning blame, whatever) about spam through open relays and open proxies you might like to know how they find the systems to abuse. If you are concerned and know how they do it you could do something to make it harder for them.

  52. How is this Interesting? by jea6 · · Score: 3, Funny

    Good grief, moderator. It's not Interesting, it's Funny. RTFC.

    --

    sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
  53. Anyone Have Stats on Spammers Own Email Habits by dsmoses · · Score: 2, Informative

    I think a much better, and more truth revealing, study would be to find out the statistics on the spammer's own email habits.

    Among others, some simple stats:

    * How many email accounts do they own
    * How much spam do they receive per day
    * How much of it do they actually bother to read and not just immediately delete
    * How often do they use bogus email addresses when filling out forms

    But, more importantly:

    * What have they done to opt-out of receiving mail from lists
    * What filters/blocks do they implement and why when it is such a good legitimate business
    * What are their opinions on spammers vs. telemarketers

  54. What spam? by chrisatslashdot · · Score: 3, Informative

    Several years ago I set up a spam account, spamforchris@yahoo.com. Every time that I register for a web site, register software, subscribe to a newsletter, etc, I use the spam account. And when I give a friend or family member my personal email address, I ask that they do not include me in their chain-emails. I have had less than 20 spam messages in any of my real email accounts since college.

    Moral: If you are careless with your email address, expect spam.

    --


    Simple people talk of people, better people talk of events, great people talk of ideas.
  55. Effective anti-spam software by thorrbjorn · · Score: 2, Interesting

    I'm using POPFile at home to filter mail to 4 POP accounts, one of which is flooded with as many as 100 pieces of spam per day (my Hotmail account, of course). It uses Bayesian filtering to learn what spam looks like, neatly handling the various tricks spammers use.

    So far, on more than ten thousand messages it's been better than 99.8% effective.

    Of course, this isn't a solution, since I'm still paying something like $8 a month for the privilege of receiving all this crap in the first place.

  56. Preventing dictionary attacks? by Cee · · Score: 2, Interesting

    Does anybody know of any good filters to block "dictionary" (brute force) attacks on an SMTP server?
    Could be on application level (like Postfix) or at firewall level. I guess there's a solution out there, but Googling didn't help me this time.

  57. Simple by QDogg · · Score: 2, Interesting

    DMCA regulates something that is strictly my own business, like do I watch my DVD under Windows or under Linux? If you send spam, you are making it a million people's business.

    I tend to talk to people I know on the phone and just check my e-mail once per week to see if anyone sent a message about my programs. Even if you are right, I have to sit for 14 minutes doing nothing except deciding which messages with "Hi, Oleg" subject to open. And I deleted quite a few legitimate messages because I didn't recognize the address.

    By the same token, if I went to sleep at 4am I won't want to have a chat with a telemarketer at 9. So I end up turning off my phone until I wake up and possibly missing calls from friends. And I don't want my physical mailbox to overflow just because I went on a one week trip during the holiday season. But spam is definitely the worst.

    Communication between people is good. I should be able to publish my postal address, my phone number and my e-mail on the web and invite people to contact me if they looked at my stuff and want to chat. Remember when shareware came with a README file with all kind of contact information to send $15? I actually got a few nice snail mail letters with checks.

    Spam has destroyed our ability for this kind of casual communication. People sending it or selling the products advertised make very little money compared to the value of our time or forced changes in our behaviour. It's time to stop them using technological, political or cultural methods, whatever works best.

  58. E-Cloaker for HTML-encoded addresses by aquarian · · Score: 2, Informative

    So according to the article, HTML-encoding the email addresses on your web pages can keep them from being harvested by spammers. E-Cloaker is a nice little free utility to do this for you.

  59. HTML encoding doesn't work! by sdhughes · · Score: 2, Informative

    Most address grabber tools do not write their own web browser/html interpreter. They simply link using IE's APIs, so anything IE can decode / unobfuscate, so can most email harvesters. The best solution is to not post email addresses on the web.
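The HTML-encoding technique discussed in the two comments above, as an added example (not code from the CDT report, E-Cloaker or either poster): it writes a `mailto:` link entirely as numeric character references and then checks a page for one known address, both in the raw source and after the standard entity decoding every HTML parser applies. The function names and `user@example.com` are constructed assumptions.

```python
import html
import random


def entity_encode(text, rng=None):
    """Write every character as a decimal or hex numeric character reference."""
    rng = rng or random.Random()
    out = []
    for ch in text:
        if rng.random() < 0.5:
            out.append("&#%d;" % ord(ch))    # decimal form, e.g. &#64; for "@"
        else:
            out.append("&#x%x;" % ord(ch))   # hex form, e.g. &#x40; for "@"
    return "".join(out)


def mailto_link(address, rng=None):
    """Build an anchor whose href and visible text are both entity-encoded."""
    rng = rng or random.Random()
    href = entity_encode("mailto:" + address, rng)
    label = entity_encode(address, rng)
    return '<a href="%s">%s</a>' % (href, label)


def exposure_report(page_source, address):
    """Say where one known address is visible in a page you publish.

    raw_source: a plain substring scan of the page bytes finds it.
    after_entity_decoding: it appears once character references are resolved,
    which is what any browser or standards-following parser does.
    """
    return {
        "raw_source": address in page_source,
        "after_entity_decoding": address in html.unescape(page_source),
    }


def demo():
    address = "user@example.com"  # constructed sample address
    plain = '<a href="mailto:%s">%s</a>' % (address, address)
    encoded = mailto_link(address, random.Random(2003))
    return exposure_report(plain, address), exposure_report(encoded, address)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The encoded link is invisible only to a scan of the raw source; after decoding it is exactly as exposed as the plain one, which is the limit both comments are arguing about.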

  60. Beat spambots harvesters with email GIFs by Speequinox · · Score: 2, Insightful

    When the spammers finally do teach their bots to recognize the increasingly common "myname at domain dot com" techniques or the masking tricks, we will still have another method of defense: dispensing with text for listing email addresses. We can avoid detection by posting the names in graphic form, inserting a GIF of the email inline with the rest of the page's text.

    If the spammers ever respond with OCR, we could hold them at bay (where practicable) with slightly distorted text in the gif, like what you see in the PayPal registration screen.