BestPrac.Org
Stop Spam : Best Practice in Email
Spam Prevention and Eradication
Spam Bots - and how to avoid them : Part 3
(Released - January, 2003)
Continued from Part 2
The previous two articles in this series have
concentrated on actions webmasters and site administrators can take to
prevent their websites being harvesting grounds for spam bots. In this
third and final part of this series, we look at actions the average,
ordinary, everyday internet user, even one who does not own a web site,
can and should take to protect themselves from spam bots.
Lock the door before the horse bolts:
The best time to begin protecting yourself from spam bots is from the
very moment you open a new account with your ISP or other email
provider.
Once your email address is in the hands of spammers,
regaining control of your inbox is a very, very difficult job indeed.
For many people, the only way to regain control is to close their
accounts and start all over again. That is a hard pill to swallow, as
it means remembering, then contacting, everyone who you want to know
your email address, and advising them of the change.
In a future series of articles, we will look at techniques
for regaining control of your inbox, tracing spammers and reporting
them for abuse. For now, we will concentrate on avoiding problems
arising in the first place.
Spammers have many ways of collecting email addresses.
Not all of them involve spam bots. For example, some e-greeting cards
sites are believed to retain the email addresses of people who use
their services and of the people to whom they send electronic
greetings, and then sell these lists to spammers.
Every precaution should be taken against spam bots, but
they obviously are not the only worry for internet users. Always be
careful about giving out your email address to anyone. Do they really
need it? Can you really trust them with it? If it is a web site, do
they have a clearly presented privacy policy guaranteeing that your
information will not be given or sold or rented to any other party? It
pays to be vigilant, even suspicious, about giving your email address
out just because you are asked for it.
This article is not about protecting yourself from
yourself. It is about protecting yourself from the spam bots who seek
to capture your email addresses without your knowledge or consent.
Where do spam bots look for email addresses?
To be blunt, they look everywhere they possibly can.
Examples include:
- Web pages
- Guest books
- Mailing list archives
- Directory databases, including instant messenger
databases
- Chat rooms
- IRC servers
- Message boards
- Usenet / newsgroups
- and more.
As if this were not bad enough, unfortunately
some spammers stoop to even lower levels, such as hacking ISP servers
to get lists of customers. (Hopefully, your ISP knows these risks and
has installed and operates every possible security precaution.)
Other spammers resort to "dictionary attacks". With
these, the spammer works on the assumption that if there is a
"joebloggs@example.com" there may well be other accounts by the name of
"joebloggs@.........com". These spammers will compile a list of tens of
thousands, or even hundreds of thousands, of plausible-sounding email
addresses or ones that have been used at other ISPs or email service
providers, change the domain name of them to a new mail server they
want to "examine", and hit the server with massive quantities of emails
- just to see which ones actually make it through and which ones bounce.
As if spamming was not despicable enough in itself, this
further abuse of the internet can and often does overload and crash the
servers of the victims, and tie up bandwidth resulting in a slowing
down of the internet for all internet users. We often hear reports of
even small regional ISPs with less than a couple of thousand customers
who get hit with these "dictionary attacks" of 100,000 or more spams in
a single session.
Ways NOT to protect yourself.
We do not recommend
using a false email address. With the size and growth of the internet
today, it is all too easy to think you are inventing a fictitious email
address, yet in the process accidentally use someone else's real email
address - or that by coincidence someone will open an email account or
domain with that name next week. Therefore, take extreme care that, in
the process of protecting yourself, you do not put any other person at
risk.
We do not recommend
"munging". A few years ago, there was advice commonly given to "munge"
your email address when using it in these interactive forums. The idea
of "munging" was to type it in a manner that the human eye could tell
that it was not correct and easily identify what it should be - yet not
possible for spam bots to interpret what the human eye could plainly
see.
For example:
- example@NOSPAMexample.com
- example [at] example [dot] com
- and the like.
There are websites online even today who continue with
this sort of advice. We must advise against it.
It seemed like a good idea a few years back, and true,
it worked quite nicely at making it easy for a human to understand,
while impossible for a spam bot to understand. Unfortunately, that
word "impossible" is all too often inaccurate. Many modern spam bots
have been programmed to recognise "munged" email addresses, and to
reform them. It is a simple process for a programmer to write software
that identifies a string of capitalised letters in an otherwise
lower-case email address, and simply remove that string. It is a simple
thing for a spam bot programmer to write the bot to recognise when the
sequences [at] and [dot] are in close proximity, and put the email
address back in place again.
Sad to say, but if any method of "munging" becomes
widespread, the evil-doing spam bot program writers are all too ready
to design the software to "de-munge" them again.
In short, while "munging" was once a good idea, its
goodness has expired. It is effective no more. So don't do it, or those
spam bots are still going to find you.
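To see why the advice above holds, here is a small added example (not from the original article) that applies exactly the two rules the article describes, dropping a run of capital letters such as NOSPAM and replacing nearby [at] / [dot] tokens, so you can test for yourself whether a "munged" form of your own address is trivially recoverable. It assumes nothing beyond the Python standard library; the token spellings it accepts are the ones named in the article plus common bracket variants.

```python
import re
from typing import Optional

# Rule 2 from the article: "[at]" / "[dot]" (and common variants) standing
# in for "@" and ".". Applied first so a capitalised "AT"/"DOT" token is
# not mistaken for a NOSPAM-style run by rule 1 below.
AT_TOKEN = re.compile(r"\s*(?:\[at\]|\(at\)|\{at\}|\bat\b)\s*", re.IGNORECASE)
DOT_TOKEN = re.compile(r"\s*(?:\[dot\]|\(dot\)|\{dot\}|\bdot\b)\s*", re.IGNORECASE)

# Rule 1 from the article: a run of capital letters inside an otherwise
# lower-case address ("NOSPAM", "REMOVETHIS") is a munge token to drop.
CAPS_RUN = re.compile(r"[A-Z]{3,}")

# Loose syntactic check for "looks like a real address" after de-munging.
ADDRESS = re.compile(r"^[a-z0-9._+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def demunge(text: str) -> Optional[str]:
    """Return the plain address hidden in `text`, or None if none emerges."""
    candidate = AT_TOKEN.sub("@", text.strip())
    candidate = DOT_TOKEN.sub(".", candidate)
    # Prefer the version with the capital run removed; fall back to the
    # untouched one so a legitimate upper-case TLD (".COM") still works.
    for cand in (CAPS_RUN.sub("", candidate), candidate):
        cand = cand.lower()
        if ADDRESS.match(cand):
            return cand
    return None


def munging_hides_address(munged: str, real: str) -> bool:
    """True only if the munged form does NOT de-munge back to `real`."""
    return demunge(munged) != real.lower()


if __name__ == "__main__":
    # Constructed samples: the article's own two examples plus one variant.
    real = "example@example.com"
    for munged in ("example@NOSPAMexample.com",
                   "example [at] example [dot] com",
                   "example AT example DOT com"):
        print(f"{munged!r:40} hidden: {munging_hides_address(munged, real)}")
```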
How TO protect yourself.
- In many forums, such as Message Boards and Usenet
Newsgroups, you do not expect anyone to email a reply to you. You
expect any responses to be made in the forum itself. Therefore,
wherever possible, simply do not provide an email address at all.
- Never submit your email address into any of the
numerous "email directories" available online. If you are already
listed, contact the operators and ask to be removed.
- If you send an email to multiple recipients, either
send it individually to each, or send it using the BCC field in your
email software. Never put multiple recipients into the "To:" or the
"CC:" fields, and teach your friends this same piece of basic
netiquette. (Many emails get forwarded around the net, and this can
sometimes produce a list of thousands of 'productive' email addresses if
it lands in the wrong hands.)
- Remove your address from the Member Information
databases of your Instant Messenger software. If someone has a
legitimate reason to want your email address, let them ask you for it.
- Have multiple email addresses.
Save your main email account
specific for those people you absolutely trust the most. Never make
this email address available in any public area. Keep it as private and
confidential as possible, and ensure that the people who you do entrust
with it understand and respect your confidentiality needs.
Open at least one extra email
account (or even more than one) for use when you are left without a
choice but to provide an email address. Some discussion forums
mandatorily require you to provide an email address to log on to the
service, for example. Software registrations also usually require you
to provide an email address. Open a web-based "free" (banner
advertising supported) email account at one of the many, many providers
of these types of services.
Another recent innovation is free
or low cost services for disposable email addresses. With these, you
open an account which allows you to invent multiple new email address
names. Use a different email address for everything to which you
subscribe, register, or post. Any email sent to these addresses is then
redirected by the service provider to your main email account (the one
you don't give out!). If spam
starts to arrive, you simply cancel that particular email address.
Remember - you only provided it to one place, so you know where the
spammer found your disposable address. Some examples of providers of
these disposable email address accounts, or variations of them, include:
Be sure to use these disposable
addresses, or a "throwaway" address from a free web-mail provider, when
visiting chat rooms, IRC, and other high risk locations where you
cannot avoid providing an email address.
Be very thoughtful and creative
when you choose a name for an email account. Make sure it is something
very unique - to the extreme. And never use that same email account
name at more than the one email service. Use a different extremely
unique name for each new email account you open.
In conclusion:
Spam bots are evil, destructive tools in widespread use
by spammers in the online world. They are used to locate email
addresses and compile large databases for spamming unsuspecting,
innocent victims. There is barely an internet user in the world today
who is unaffected by spam, and it is spam bots, those programmed
"spiders" that roam the internet looking for email addresses to
harvest, that are responsible for a very large proportion of the lists
used by spammers today.
Still, there are numerous methods for internet users,
whether ordinary individual surfers, or sensible and responsible
webmasters and site administrators, to use to reduce their
vulnerability to spam bots.
The forces of good vs evil are continually at work, and
methods which worked a year or two ago may not be as effective today.
Likewise, protection measures that work well today may be circumvented
by spam bot programmers further ahead in time.
Still, it is incumbent upon all responsible internet
users to take all available precautions to protect themselves and
others from spam bots. This series of three articles serves as a solid
foundation towards that end, with current effective techniques and
tools provided with explanations and descriptions.
Footnote:
Links to outside sites, and the CGI program and .htaccess file
templates provided in this series of articles are provided in good
faith, though no responsibility is accepted for any loss or disruption
resulting from their use. Bestprac.Org has no affiliation with any of
the third-party websites or services mentioned within this series.