Angus's Personal Site: Spam Aware

- Spam Aware -

Introduction
Why is the term "spam" used?
OK, so what is spam?
Who or what sends spam?
What should I do, or not do, when I receive spam?
What else can or should I do?
What if I have a website?

INTRODUCTION
Many Internet users get inundated with lots of junk e-mails, and wonder from time to time where they all come from. In this article, I hope to be able to help you re-evaluate certain ways in how you use the Internet that may result in an increase of enjoyment by way of reducing the amount of electronic junk mail you get. Much of what I say is common sense, and published elsewhere as well, but hopefully you'll find it fun and informative.

This article starts out as being suitable for anyone to read, but towards the end some technical aspects are introduced that will be of more interest to those having a background or interest in the technical side, and maybe to those who have their own websites. I think it's best if you can persevere with it until the point where you say to yourself, "What the heck does that mean?" then stop there as you'll probably find the remainder of the article irrelevant to your situation.

From time to time I update this article as I come across or become aware of new information, so please do check back from time to time. The last time I updated it was on the 18th April, 2003.

WHY IS THE TERM "SPAM" USED?
Spam is more formally known as Unsolicited Commercial E-mail (UCE) or Unsolicited Bulk E-mail (UBE). Both these phrases are quite a mouthful and have quite an inelegant feel to them, so the term spam is more commonly used. It would appear that the origin of the term is unknown, however there are two likely possibilities.
One is a take from a Monty Python Flying Circus sketch in which "spam, spam, spam, spam ..." is sung louder and louder thus drowning out all meaningful conversation (and it's easy to see that as a lot of Internet spam can drown out the real messages that are sent and received as well as wasting bandwidth (download time)). The other likely possibility is that it's an acronym for Self Propelled Advertising Material, although other acronyms (usually rather cynical) have also been suggested.

OK, SO WHAT IS SPAM?
In practical terms, spam is any irrelevant unrequested message or e-mail. This includes off-topic posts to message boards, blogs and Usenet groups, rubbish postings to such places, and unwanted advertising sent to your inbox. Sometimes a message posted to a blog may be slightly off-topic, but has been triggered by an totally on-topic posting or thought .... personally I would say that this does not count as spam provided there is a degree of relevance there, and/or it's in the general direction of the other postings.
This article is concerned primarily with junk e-mail messages rather than other forms of spam.

WHO OR WHAT SENDS SPAM?
Good question. Usually when you receive spam it comes from an e-mail address you do not recognise. Sometimes it looks sensible and sometimes it doesn't. You are left wondering who on earth would use such an e-mail address and how they found you.

The answer usually lies in programs that scour websites looking for e-mail addresses to which they can send spam. These programs are known as "spambots" - taken from "spam" and "robot". In Internet parlance, a robot is a program that scan websites on behalf of the search engines, and usually visits by robots are welcome to websites as it could mean the inclusion and/or update of its information on a given search engine. There are certain rules that robots will obey when scanning a given website which the spambots will typically ignore. Websites can exploit this to lure a spambot into a trap where it will think it is getting useful information whereas in fact it is simply being fed with rubbish. There is more on that later aimed mainly at the the more technically-minded.

Another way in which spambots can collect numerous e-mail addresses is to have a few guesses (well, more likely a few million guesses). What may happen is that an address will be guessed by taking well-known and well-used names together, then adding names of well-known e-mail providers at the end.
For example, let's say we have 4 popular men's names: Peter, James, John, and Paul. Now let's have 3 common surnames: Jones, Harris, and Smith.
It is easy to see that stringing these together with an underscore ("_"), a dot, or nothing will give quite a number of combinations. Examples include:

peter_smith
peter.smith
petersmith
james_smith
john.jones
john_smith

Using only these names and methods of connecting them, we can create 4 times 3 times 3 (i.e. 36) different possibilities. Add to that the permutations allowed by adding numbers, random (but likely) dates of birth, and the e-mail provider (Hotmail, Yahoo!, etc), and you can see how millions of e-mail addresses can be generated in no time at all. Many of these will not exist, however a substantial number are likely to be addresses that are in use. That's probably why you still get spam even if you don't post your e-mail address anywhere on the Web or sign up for anything online.

One thing worth pointing out here is that some free e-card providers may well use spamming to generate their revenue. What happens is that a well-meaning person sends you an e-card, which requires your e-mail address, and unbeknown to both the sender and the recipient both addresses get sent to spambots! The result is that after having been sent the e-card, you start to receive a lot of junk e-mail, sometimes of an offensive nature.

Once a spambot has obtained a load of e-mail addresses, it then sends spam to them mercilessly. Any person or program that undertakes such an activity is usually referred to as a "spammer".

WHAT SHOULD I DO, OR NOT DO, WHEN I RECEIVE SPAM?
Quite honestly, it's up to you! However, there are some steps you can take if you wish to reduce the number of rubbish e-mails you receive.

Try to discern spam.
If possible, do not open it. Delete it immediately. Many spam messages are invites to visit nefarious websites, but some messages will actually connect you to a website in order to download images. This can be used by the website concerned to recognise that you have opened the e-mail, thus your address is active. This increases its value to spammers thus it is more likely that you'll receive more such messages in the future.
Some messages are obviously spam - immediately noticeable by a rubbish e-mail address, a nonsensical subject title, or a subject title that indicates that the message is clearly concerning something you're not interested in. Unfortunately though, some of the senders names and subject titles do look genuine hence you are tempted to open the message up ... only to find it's not a real message for you at all. On this, a word about E-mail services.
- If you use a web-based E-mail provider such as Yahoo! or Hotmail, please note that if you have (for example) 2 messages in your inbox, the first of which is sensible and the second of which is spam, it's worth deleting the spam before opening the real message up. If when you open your real message up you decide to delete it or move it to another folder, your next e-mail may be opened up for you automatically. Result: you've opened your spam unwittingly!
- If you use e-mail software such as Outlook Express, it's worth turning the Preview Pane off. See the Help for your software for how to do this. Not only will this prevent the first e-mail being opened automatically (which could prove to be spam) but may also help give a degree of protection against viruses as well (although if you don't have anti-virus software installed, get some now. Today. Don't delay. Tomorrow could be too late).
  Make sure you are disconnected from the Internet before opening any message from an unrecognised sender. That way, should the message prove to be spam and nefariously try to connect you to a website, it will fail, you'll be alerted to it, thus you can safely delete the message with no ill effects.
However, you will at some stage inevitably open some of your spam, and the next points here are addressed to those situations where you have already opened the message up.
Do not reply to spam.
All the articles written on how to handle spam put this one at or near the top of their list, so my article is therefore no exception. One of three things is likely to happen if you reply, even if to say something along the lines of, "Please remove me from your list": your e-mail could go to some unsuspecting individual who has had his/her e-mail address hijacked (this can and does happen) so your reply will have no effect, or it will bounce because the sending e-mail address has been forged and thus does not exist, or (much more likely) your reply will be registered with the spammer and your e-mail address noted as active, thus you will open yourself up to receiving more junk messages.
Never do what a spam message tells you to do.
Some spam messages tell you to visit a specified website, or follow a link, or "Click here to unsubscribe." Why should you do this? After all, you don't know the sender from Adam, they don't know you either, so what right have they got to tell you what to do? It can be very tempting to click an "unsubscribe" link but you should never do this as it will most likely register your e-mail address with the spammers so they know they have found an active account, thus you will end up getting MORE spam, not less. Many spammers are dishonest and use this tactic to lure you into receiving more of their junk messages.
One point that may be of interest to the slightly more techcically-minded is that if you mouse over the link to a website given within a spam message, you'll often see the website address followed by a question mark, then a string of seemingly random letters and numbers. This is very likely to be an encoded form of your e-mail address which is sent to the computer hosting the website in question should you follow the link. This is then decoded back into your e-mail address. Result: the spammer knows you have read the e-mail, did what it asked, thus your e-mail address is very valuable to them. You'll inevitably get more spam as a consequence.
Try to reduce the amount of spam you receive.
This may sound like a tall order, but there are a few things you can do that may help reduce the amount of spam you receive.
- Use two or more e-mail addresses.
  Use one for your correspondence, and another one as a dump account. Whenever you sign up online for a service or purchasing products, try to get away without providing an e-mail address if one is asked for. If it is mandatory, provide the dump account's address. Should the company or organisation concerned indulge in spamming techniques or sell a list of addresses to another company that does, it will be your dump account that gets the rubbish and not your correspondence address. After all, you wouldn't want your telephone number circulated all over cyberspace for all and sundry to see, so why risk compromising your e-mail address?
  This goes for anything you buy by way of mail or telephone order, product registration forms, etc. as well.
- Set up some message rules to filter out spam.
  Message rules can be a bit of a pain to set up, but can prove invaluable in sorting out your messages into folders. Usually, you can filter by such criteria as who the message is from, what words or phrases appear in the subject title, and what words and phrases appear in the main body of the text.
  I have an article on how to set up message rules which contain some general principles, but specifically aimed mainly at Outlook Express users.
  You may also be able to configure what to do with the message: typical actions would include not downloading from the server, deleting the message from the server, and moving the message to a specified folder of your choice.
  For instance, you might have been receving e-mail from a given sender, and know that it's mail you do not want to receive. You could set up a message rule to delete it from the server, or send it directly to the trash. Clearly though you need to make absolutely certain that you will never be interested in mails from that particular sender.
  You need to be careful with message rules though. For example, supposing you filter out all messages that contain the word "sex" in the title, and send them directly to the trash. That might seem a reasonable thing to do, but you might receive a message from a friend with a title such as, "What sex is your sister's new baby?" and you'd never see the message because of your own rules!
  Perhaps it's safer to set up a "quarantine" folder, and direct all suspected spam there. That way you can look at it in your own time, if you feel so inclined, and you know that mails being sent there are not getting in the way of your real messages. Simply modify an existing rule or add a new rule to catch further suspect mail. At least that way you can be sure you don't miss any "false positives".
- Consider installing anti-spam software.
  There are programs out there that help you manage your e-mail by letting you safely preview them before you download them. You can set up your own "blacklist" and friends list, and the program, using these lists together with heuristic analysis, will tell you whether any given message has come from a friend or is likely to be spam. One such program is called MailWasher and can be downloaded from www.mailwasher.net. This freeware version should be sufficient if you only want to protect one account (unfortunately Hotmail and the like is not supported), and the paid-for version (MailWasher Pro) can be downloaded from www.firetrust.com. This one supports Hotmail and the like, lets you manage multiple accounts, and has other features that the free version does not offer. If you find you receive a lot of attachments to your e-mails, you might also want to check out Benign, Firetrust's attachment-neutralising program.
- Be careful how you leave your e-mail address on website guestbooks, blogs, and other places on the Internet. Use your dump account instead of your real correspondence address. Obfuscate your address so that people can read and understand it, but at the same time makes an attempt at hiding it from the spambots. For example, if your e-mail address is my_name@my_domain.com, you could try one of the following:
  
  my_name AT my_domain DOT com
  my_name.at.my_domain.com
  my_name$my_domain.com
  my_name#my_domain dot com
  
  Some spambots are more intelligent than others, so some of these tricks may well be less effective than others. Be creative, it doesn't matter how you do it provided it's intuitive to readers. The list of ideas here is potentially endless.
  One thing I have noticed is that some guestbooks and blogs will reject your e-mail address if it's not valid. In that case you have to think of something that is technically valid (for example my_name@my_domREMOVEain.com) and put something in your posting saying the "REMOVE" must be removed in order for the e-mail address to work.
- Specify a subject line to use for first contacts.
  Ask people when writing to you for the first time to make the subject line specific, for example to begin with, "Website contact:" or "Saw your posting on..." along with a warning that any e-mail from unrecognised e-mail addresses will be deleted straight away if this is not done. Explain why this is necessary. Genuine people will usually appreciate this and go along with it. Of course, I guess it's always possible that you're up against a spammer who is a real person who actually reads instructions, but this should save you from a lot of electronically generated junk.
- Check the dump account from time to time.
  You may have received a legitimate e-mail there, or a genuine special offer from a company from which you have made a purchase. You'll soon get a feel for what is genuine and what is not, however the chances are you'll also open up some spam from time to time.
- Change the dump account from time to time.
  If you find you are receiving more spam than real messages, and it's really getting on your nerves, it may be worth changing the dump account. The beauty here is that your real correspondence address remains the same, so you don't have to send a circular e-mail around telling all your friends, family, and other contacts to update their address books. If you realise that you've given your dump account out in the past in such a way that it has encouraged spam, then this provides a good opportunity to learn from past mistakes and start afresh.
- Try to correct past mistakes.
  When I was new to the Internet, I was unaware of how bad the spam problem could be, and as a result I posted to a guestbook using my main correspondence address as a point of contact. I subsequently e-mailed the webmaster concerned who gladly changed the e-mail address. It's worth a go. The worst that can happen is that your request cannot or will not be granted. Nothing ventured, nothing gained, as the saying goes.

WHAT ELSE CAN OR SHOULD I DO?

Look up other articles on the Internet.
There are many excellent articles on what to do with spam on the Internet. Most, if not all, ISP home pages will have sections on what not and what to do. Here are some links to some articles pertaining to this issue:
Yahoo! Help article about spam (General)
Spamprimer: Getting Rid of Spam (General)
Spambot Beware (General, but gets technical)
The Anti-Spam Home Page (General, but gets technical)
Stopping Spambots - a Spambot trap (Technical)
My article on using message rules to sort out spam (General)
My list of anti-spam/junk email resources (General)
My list of computer security sites (General)
Tell your friends.
Point them to articles you have found useful on the matter. Recommend these articles to friends who speak to you about spam problems.
Be careful when sending e-cards.
When sending e-cards to people, check to see if there is a box you can check/uncheck that will sign either you or the recipient up for "special offers" and the like. Read the wording carefully, and ensure it is set such that no junk is sent out. For "special offers" read "spam" and you won't go far wrong. If the e-card is going to come with spam anyway (there is no opt-out because it's part of the deal), then find another e-card site.
Complain to the sender's ISP.
This can be of limited usefulness, since many spammers use bogus addresses and when they are closed down on one account they simply open up another one and continue working. If your e-mail address is in a spammer's address book, it will be deleted when the account is closed so you are no longer on their list, but it will not cure the problem whereby your e-mail address is on a CD-ROM along with millions of others.
Should you decide to complain to the sender's ISP, there are a few things worth noting.
1. Ensure the message is spam.
  This may mean violating what I've said before about not opening the message if you're using your browser to read your e-mail because you'll need to open it in order to get the information you need.
2. Ensure the "Show all headers" option is enabled.
  You'll know if this is the case because the top of the message will contain technical gobbledigook concerning how the message got to you. See your documentation for how to enable all headers if you are unsure.
3. Check the ISP's Acceptable Use Policy.
  Many ISPs actively discourage the use of their services for spamming, and there will be strong statements to that effect in their Terms of Service agreement. This is easy to do when the sender's address is something at hotmail dot com, or yahoo, but where the ISP is not easily discernable then you may be better off not bothering to complain as you could end up visiting a site you've been trying to avoid!
4. Send the entire spam message.
  When you are sure that the message you have received is spam, and that it violates the terms of acceptable use for the sender's ISP, look for the section where you can make complaints and follow the instructions there. You will almost certainly have to send a copy of the entire e-mail message, unedited, with all headers shown. The ISP support staff will do the rest.

WHAT IF I HAVE A WEBSITE?
Remember in the introduction I said that towards the end this article will get more technical? Well, this is it. If you don't have a website and/or are not technically minded, this remainder of this writing will probably not be of much interest to you. But if so, please read on...
I guess I'm writing here mainly for people who have personal websites rather than commercial ones - I believe personal sites tend to be a rich source of e-mail addresses for spammers and/or spambots, so it's worth taking a few steps to help reduce the amount of electronic abuse you and your visitors receive.

Use a web mailform instead of giving out your e-mail address
I have an article and webform on my new website which covers this in more detail. Please click here to read it and see how you can utilise either my form, or a copy of it, on your site (opens a new window).
Obfuscate your e-mail addresses.
This has already been covered to some degree, but as a webmaster you might like to consider making the protection more robust.
One way to do this is to use character encoding instead of plain and simple e-mail addresses. Supposing the e-mail address you wish to obfuscate is my_name@my_domain.com. Your regular tag might look thus:

<a href="mailto:my_name@my_domain.com">Name</a>

and you could obfuscate it by changing some (not necessarily all) of the characters into their respective codes, such as in the following:

<a href="mailto:my_name@my_domain&#46com">Name</a>

This will fool some spambots; however others are smart enough to decode these once the mailto: has been spotted. It is further possible to "hide" the mailto: itself and it will still work, as in this example:

<a href="mailto:my_name@my_domain&#46com">Name</a>

Note that it is not necessary to encode the whole thing; perhaps it's better not to because if a spambot cannot understand it then one character should be sufficient if it can, it will make no difference.

Here are some of the codes that could be used in this method:
- : (colon) = :
- . (period) = .
- @ (AT sign) = @
- a = a
- b = b
- c = c
- ... and so on upto ...
- z = z
Another method is by the use of JavaScript. Although this is far more robust, it does have the disadvantage that not all people have JavaScript enabled on their browsers. Spambots are not able to understand JavaScript, and it is unlikely that they will be rewritten to do so. Your script need not be long and complex ... a short piece of code such as the following should do the trick:-

mt2 = "to:";
period = ".";
sign = "@";
mailaddr = "my_name" + sign + "my_domain" + period + "com";
document.writeln("<a href=mail" + mt2 + mailaddr + ">");
document.writeln(mailaddr);
document.writeln("</a>");

That may seem like a lot of work just to hide an e-mail address, but it may be worth considering the time taken to do that as offset against the time that you would waste deleting spam should a spambot have harvested it.
Don't forget, you can always package that up into a function and place at the top of your page or in a separate ".js" file and just call it whenever needed.
Guestbooks, Weblogs, and Forums.
I don't have anything against these, in fact I think they can be quite good fun. But I have noticed a few things about them:
1. E-mail addresses are inserted "as-is" thus it is as if your visitors have written that section of code themselves. This could open them up to spam if they are unaware of the issue should a spambot visit your site.
2. You may get nefarious postings in your guestbook/blog. The last thing you want is totally irrelevant entries, possibly linking to inappropriate websites, even for a short space of time. You'll find yourself needing to check the postings from time to time in order to remove such entries.
3. <off topic>Some guestbooks and blogs, it seems, cannot handle navigating away from frames. Should a visitor follow a link to another website from your framed guestbook, they will end up viewing the other site from within your frameset. This is usually considered bad form on the Internet.</off topic>
4. Some guestbooks and blogs validate the e-mail addresses that have been supplied. A visitor's nice and witty obfuscation technique may be kiboshed. My favourite one at the moment is anguscook@SendAllSpamTo/dev/null.yahoo.co.uk, and I know for a fact that this does not always get accepted as a valid address.
You may therefore want to consider using a feedback form instead, and use any replies from it as DIY Guestbook entries. It's easy enough to customise the look and feel of such a guestbook, plus you get to "nip it in the bud" when it comes to unwanted postings. This also gives you the opportunity to write a JavaScript function to "hide" e-mail addresses from spambots, but at the same time making them normal clickable links for everyone else.
The downside is, of course, that it removes the interactivity afforded especially by blogs. It's a trade-off: you'll need to decide which is more important to you.
Another issue is that many people surf with JavaScript turned off, thus e-mail addresses obfuscated using that technique will not be rendered on JavaScript-disabled browsers. It may be desirable to code some form of NOSCRIPT alternative so people using browsers where JavaScript has been disabled will at least see something sensible. However, one needs to be careful there as you could end up inadvertently putting in e-mail addresses in a form that spambots can understand, thus all your hard work will have been in vain!
Write your own guestbook or blog. No, this is not a joke.
My new site (opens a new window) has a guestbook that I have written myself. There is even a tutorial (again, new window) there on how to write your own guestbook using PHP and MySQL. Clearly, you'll need access to a database and some kind of server-side scripting in order to be able to do this, but you can create exactly what you want if you do.
You can also create administrative tools of your own to remove any unwanted entries!
Fight back!
Did I really say that??!?! Is it even possible to hit back at spammers? Certainly it may be possible to lure spambots into a trap where you can feed it junk e-mail addresses or broken links. People have written scripts that generate thousands of non-existent e-mail addresses. I had such a script myself until recently, but decided to take it down. The reason is that this can result in junk e-mails being fired off to non-existent e-mail addresses with the result that cyberspace gets filled with more rubbish. The end result is that we all suffer because servers spend their time routing rubbish instead of delivering web-pages and delivering ligitimate e-mail! However, I'm currently investigating something called The Honeypot Project - take a look at that site to find out more about this (link opens a new window). It looks like a promising way of collecting the spambots before they have a chance to collect you, and ban them before they can do any damage!

Need an Extradisambiguator? Click here!