An open letter to a spam newbie…
April 3, 2004
We recently had a web hosting client who suddenly started getting “several spam messages a day”. Ironically, this happened shortly after we had moved her mailbox to a server with considerably more spam filtering than she’d been behind previously.
Understandably, she felt there must have been a correlation, since she started receiving them afterwards. Since many of us have been getting hundreds or thousands of spam messages a day for a long time, it takes a little bit of thinking about how to best explain this to the person “enjoying” spam for the first time.
How do you first start receiving spam? Well, it could have happened in any of several ways…
It might have happened through your own actions.
One of the most reliable methods of getting spam is to ever have your e-mail address appear on a web site. Address harvesters trawl the world wide web endlessly looking for addresses on business and personal sites, web forums, guest books, mailing list archives, and pages with information inadvertently posted by businesses or government entities.
Spammers also troll mail servers—every e-mail address has a domain name associated with it. Sooner or later, the mail server for that domain will be trolled by a spam bot sending mail to common account names, random account names, and even account names generated from dictionary attacks. The message that gets sent is liable to be innocuous—it might appear to be a misaddressed message with no commercial content. However, it may also contain an embedded HTML image reference (maybe even a single white pixel that you’d never notice) that will signal a web server on the other end with the fact that this message connected to a live person. If you use a mail client that supports HTML mail, sooner or later this is going to happen. If you have “preview” on, you don’t even need to ever open the message.
Other messages sent in such a fashion may contain a ‘receipt request’ that is acted on automatically by your e-mail client (cough) Outlook (cough) without you ever knowing it. This can be sent back to the spammer verifying your address even if you delete the message without ever previewing or looking at it.
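As an added illustration (not part of the original post), this Python sketch checks a message for the two address-confirming signals described above: a remote image reference and a receipt request header. The sample message, its addresses and the function names are constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Headers that ask the recipient's mail client to send a receipt back.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")

class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose source is fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if src.lower().startswith(("http://", "https://", "//")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.remote_images.append((src, tiny))

def confirmation_risks(raw_message):
    """Return the ways this message could confirm a live address to its sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = [f"receipt request: {h}" for h in RECEIPT_HEADERS if msg[h]]
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteImageFinder()
            finder.feed(part.get_content())
            for src, tiny in finder.remote_images:
                kind = "tracking pixel" if tiny else "remote image"
                findings.append(f"{kind}: {src}")
    return findings

# Constructed sample: reads like a misaddressed note, carries both signals.
SAMPLE = """\
From: someone@example.org
To: info@example.com
Subject: lunch on friday?
Disposition-Notification-To: someone@example.org
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Are we still on for Friday?</p>
<img src="http://tracker.example.net/p.gif?id=info%40example.com" width="1" height="1">
</body></html>
"""
```

A mail client that shows HTML mail without loading remote images, and that asks before sending receipts, removes both signals.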
Giving out your e-mail address for web site registrations, information requests, even jotting it down on a giveaway form for a local business may get it added to some spammer’s list immediately. If the recipient of the address does not spam directly, they may sell their mailing list to others, or it may get stolen by a hacker or (more likely) by an employee or other person with access who knows its value.
Alternatively, it might have happened through no fault of your own.
Perhaps you never, ever, post your address on the web, use it to register for a service on a web site somewhere, post to a mailing list or put it on a contest entry form at the grocery store. You don’t use any common mail client like Outlook or Outlook Express with heavily exploited vulnerabilities. Even still, you may sooner or later start getting spam.
Presumably, if you have an e-mail address you give it to someone, somewhere, to send you mail, or at least have sent mail to someone (which includes your return address). If not, problem solved—you won’t be missing any mail, so don’t use your mail client and you’ll never see that spam.
But the fact is, you get mail from someone, or you’d never care. Now, it’s possible that the other party will actively give your address away (Hey! I can e-mail this neat article to so-and-so!). Even if they don’t, however, they may sooner or later get a virus.
Modern viruses work hand in hand with spammers (and many may be designed by spammers)—they can search the victim’s machine for e-mail addresses and send them back to the mother ship. They may also install hidden processes on the user’s machine so that it begins sending out spam also, unbeknownst to the owner.
The sad truth is that if you have and use an e-mail address, you will sooner or later start getting spam. Until something major changes, spam is a fact of life for 99.995% of us. It’s probably not a lot of consolation that you may not get much spam, relative to how much some of us get—I’ve had several e-mail addresses for over ten years now, and worse, they’ve been publicly posted on various web sites at times—at first before anybody was trawling for addresses, and later, after it made no difference anymore. I get somewhere north of 3,000 spam messages on an average day, and the number goes up every week.
So, what do you do?
If you just have a few, the thing to do is to just delete them. Do not, ever, ever, ever reply to one, or click on a link in one (yes, this means do not use the “delete me” feature mentioned in the message). Once you do, you prove that a real live human reads mail at that address, and the amount you will receive will go up by an order of magnitude.
If you have enough spam to be a problem, it’s time to look into a mail filter. Many ISPs and web hosts will do some mail filtering for you, but since “false positives” are a big problem with any spam filtering, their filtering is likely to be not terribly aggressive. If they do filter for you, be sure you have a way to check for mail that got inadvertently caught. (For example, some spam filters will grab a message that contains the word “Specialist” because that word contains “Cialis”, a commonly spam-advertised drug.)
Whether your ISP does or doesn’t filter for you, if you still have enough spam getting into your mailbox to annoy you, you need to start filtering yourself. Most built-in spam filters in most e-mail clients aren’t very good. A good aftermarket filter or filtering service will learn the kind of e-mail you get and want and will tend to get fairly accurate at sorting out your spam from your good mail as you train it by letting it know when it makes mistakes.
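The “Specialist” false positive and the trainable filter described above can be seen side by side in this added Python example (not from the original post, and not how any product named here works). The messages are constructed, and the small naive Bayes word filter is an assumption standing in for a filter that learns from corrections.

```python
import math
import re
from collections import Counter

def substring_rule(text, banned=("cialis",)):
    """Keyword rule of the kind described above: matches anywhere in the text."""
    return any(word in text.lower() for word in banned)

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

class TrainableFilter:
    """Small naive Bayes word filter that learns from the user's corrections."""
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.msgs = Counter()

    def train(self, text, label):
        self.words[label].update(tokens(text))
        self.msgs[label] += 1

    def is_spam(self, text):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"])) or 1
        score = {}
        for label in ("spam", "ham"):
            total = sum(self.words[label].values())
            # Prior from message counts; add-one smoothing on word counts.
            s = math.log((self.msgs[label] + 1) / (sum(self.msgs.values()) + 2))
            for t in tokens(text):
                s += math.log((self.words[label][t] + 1) / (total + vocab))
            score[label] = s
        return score["spam"] > score["ham"]

# Constructed messages standing in for one user's mailbox.
SPAM = ["Buy cheap Cialis online now", "Cialis discount pharmacy order now"]
HAM = ["Our support specialist will call you Monday",
       "Meeting with the network specialist moved to Monday"]
WANTED = "A billing specialist will call you about the order"
MISFILED = "Your pharmacy order is ready"

def demo():
    f = TrainableFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    before = f.is_spam(MISFILED)   # wanted mail caught by the filter
    f.train(MISFILED, "ham")       # the user marks it "not spam"
    return substring_rule(WANTED), f.is_spam(WANTED), before, f.is_spam(MISFILED)
```

The substring rule flags the wanted “specialist” message, the word-based filter does not, and one correction is enough to stop the pharmacy notice from being caught again.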
There are a lot of good alternatives out there. Personally, I’m partial to Cloudmark’s Spamnet on Windows Outlook or Outlook Express. On the Mac, C-Command’s SpamSieve is doing a good job for me.
While you’re getting an unpleasant lesson in the way of the ‘net, circa 2004, be sure also to pick and use a good anti-virus program, and a good spyware remover, so you’re not contributing to the problem yourself.
Let’s be safe out there…