It’s been just over a year since my personal e-mail account started getting upwards of 20 junk mails a day and I ditched it for a new, spam-free one. I created another — simple enough when you have your own domain — but found in mere months that I was right back where I started. Even taking great care not to let my personal address fall into the hands of spammers, my inbox nonetheless came to resemble the last five pages of a porno mag. How did this happen to me again, and so quickly?
As you read this, a war is on between spammers and those working to stem the flood of unsolicited commercial e-mail (UCE). It’s partly a legal battle, with laws being passed in the United States and Europe that define strict guidelines for the transmission of UCE and stiff penalties for firms that fail to comply. But the Internet is a global entity, and any discussion of legislation regarding the control of Internet-borne content must eventually confront the thorny issues of jurisdiction and enforcement. Consequently little progress has been made in legally dealing with spam, though everyone agrees that a problem exists.
The scale of the problem of junk e-mail is becoming clearer as data on spam’s growth become available. Reports on the spam’s financial impact are released regularly. One recent report by Ferris Research ( www.ferris.com ) estimates the cost of spam in the U.S. alone at over $10 billion in 2003. Quantified in terms of CPU cycles, disk storage requirements, bandwidth requirements and reduced productivity, the figures clearly demonstrate the immense and growing scale of the problem.
Today spam is said to account for as much as 40 percent of all Internet e-mail traffic. This represents a 100 percent increase over just a year ago, thanks to rapidly improving technologies used to create and distribute UCE.
Among spammers’ tools are open relays, Internet-connected e-mail servers that are configured to allow “relaying” (delivery to a remote e-mail server) by anyone who connects to the system. Spammers use open relays as launch pads from which they can send spam with impunity, not having to worry about being traced.
For the hijacked open relay, consequences can be dire. Assuming it doesn’t crash under the weight of millions of e-mail messages or its own now-massive log files, it still has to face the very likely possibility of being listed in one of the many public databases created to fight spam. Systems such as the Open Relay Database ( www.ordb.org ) keep tabs on “open” e-mail servers and share this information with system administrators who wish to block messages from those servers.
These databases — called “blacklists” — are increasingly being used by ISPs and e-mail system administrators to block unwanted mail. Tokyo-based Global Online (now part of Exodus Communications) uses ORDB as part of its antispam arsenal, enabling its e-mail account holders to block messages from all listed sites.
Other tools for combating spam include off-the-shelf products, like McAfee’s SpamKiller ( www.mca fee.com ), that use an elaborate combination of filters and message rules to block or dispose of messages that appear to be spam. While these tools are effective, they have two main shortcomings. The first relates to currency in terms of the software’s ability to remain up-to-date and effective against increasingly clever spammers. The second is the problem of “false positives” — e-mail messages that get evaluated as spam and are blocked or, even worse, deleted without you ever seeing them.
Aside from relying on software tools and the efforts of spam fighters, what can you do keep your inbox free of the assorted “Make Money Quick!” ads and enticements to launder money out of Nigeria? Here are some tips:
* Never click on the “Remove Me” link in a UCE message. All this does is let the spammer know that your address is valid and working properly, meaning it will most likely be sold to someone else.
* Avoid typing your e-mail address in any online form. If you must provide an address, consider maintaining a separate, expendable address for such purposes, and also be sure to answer “No” when asked for permission to contact you with product info, special offers, etc.
* If you use USEnet (Internet newsgroups), be sure to configure your newsreader software with a bogus e-mail address or one “munged” so that it needs to be fixed before sending (e.g. embedding “*NOSPAM*” in the address, as in username*NOSPAMemail@example.com).
* If your Web browser allows you to automatically supply your e-mail address when connecting to anonymous FTP (file transfer protocol) sites, either disable that function or use a fake address. Savvy spammers can easily collect that address using simple HTML.
* Choose your e-mail service wisely. E-mail services like Microsoft’s Hotmail, though they employ sophisticated spam-screening techniques, are still ripe targets for spammers due to the large number of users. These high-volume servers have been targets of a long-running “dictionary” attack by China-based spammers who use guessing techniques to discover valid e-mail addresses. Some users have reported receiving spam within hours of creating a new account. (See www.spahmaus.org for more info.)
If it’s already too late to try the spam prevention tips above, you can consider starting fresh with a new e-mail account. Finally, if you want to take a more personal role in fighting junk e-mail, take the time to report spammers whenever you receive a UCE message. See www.abuse.net or www.spamarchive.org for more information on reporting spam.
See related story, “Getting to know you,” for information on resources used to harvest e-mail addresses.
Send questions and comments for Michael Rollins to firstname.lastname@example.org
* USEnet and the Web — Spammers search Internet newsgroups (otherwise known as USEnet) for e-mail addresses included when participants post messages to the group. They also employ software “robots” to search Web pages for e-mail links. The links appear as “MAILTO:” tags in the HTML and will launch an e-mail composition window when you click on them. Therefore, anytime your address appears in any Web page it is ripe for harvesting by spammers.
* Mailing lists — Some mailing list software will publish the e-mail addresses of all list members if given the proper commands.
* Online and paper directories — Sites like Four11 ( www.four11.com ) and BigFoot ( www.bigfoot.com ) publish e-mail addresses over the Internet.
* IRC and chat rooms — Some Internet Relay Chat client software will provide your e-mail address to anyone who asks for it. AOL chat rooms are another favorite because the profile for each user is viewable as well.
* Web browsers — Configuring your e-mail address in your Web browser makes it relatively easy for spammers to record the address using coding tricks. Pointing your browser to www.privacy.net/analyze/ will let you see some of the information you’re sharing with the Web at large.