Building Your Personal Anti-Spam Strategy
by Michael Herrick
You're just getting back from a well-deserved and much-enjoyed vacation. For two weeks, you haven't touched a keyboard, looked at a screen, or put a phone to your ear. Now it's payback time. It's your first morning back in the office and you can't put it off any longer. You've got to check your email.
Your first glance at the email status bar confirms your fears. There are 1,840 messages waiting to be picked up. You groan. You know that translates to about 1,800 spams. Well, it's nice to know someone cares. Hold my calls for the next hour. I'm deleting spam.
What used to be a minor annoyance has become the scourge of the Internet, ruining your email experience. Everyone gets spam, of course, but you've been depending on business email for years, so you get a lot of spam. When your Aunt Gussy starts complaining about the junk she gets on her AOL account--"positively dozens!"--you just roll your eyes. Try hundreds. Try thousands. Day in and day out. What can you do about it?
Maybe you accept spam as an inevitable annoyance. Maybe you've grown used to hovering over the delete key while reading email. Maybe you've given up.
Spam may seem like a big problem, and it is, but you can do something about it. In fact, you've got to. You don't have a choice. If you're one of those people who receive 50 or 100 or more spams every day, you've simply got to find a way to manage it. Fortunately, there are steps you can take to reduce the time you spend dealing with spam. In this article, we'll look at some of the ways you can reduce or limit the amount of spam you receive by becoming invisible to spammers. In the next article, we'll discuss some ways you can automatically identify and remove spam you are already receiving. Put them together and you can build a personal anti-spam strategy that works for the kind of mail and the kind of spam you receive.
Spam's Not Funny, But Don't Stop Smiling
The first essential in any anti-spam strategy is a sense of humor. A sense of humor can protect us from natural but pointless fits of powerless indignation. I'm not at all suggesting a grin-and-bear-it, "I-just-hit-the-delete-key" approach to dealing with spam. I don't recommend resignation. But if we can't laugh at spam, what can we laugh at? Yes, spam is an unconscionable intrusion on your time, an immoral theft of electronic resources, and a repugnant reminder of the most shameful degradations endemic to human nature. But where else can you receive serious money-laundering offers from third-world con artists, candy bars with 1,200 negative calories, or incompetently faked nude photos of celebrities you don't even recognize? Yes, they really expect you to believe it. And some people do. Isn't it fun to imagine a disappointed customer sending before-and-after photos to the attorney general proving the ineffectiveness of the latest enlargement formula?
The need for humor is one reason why I always insist on referring to the problem by its most evocative name, spam. I get impatient with anyone who insists on referring to it with some polysyllabic incantation of Latin origin or, worse, an acronym. Maybe a bombastic name is helpful when trying to bamboozle a senator into sponsoring an anti-spam bill he doesn't really understand, but those of us outside the world of legislation (which was once likened to another processed meat product) can afford to be less stuffy. What better way to refer to in-box crud than with the name of a funny meat that makes a yucky slurking sound when it plops out of the can? Spam is a fun word, even a legally permissible word, that can take some of the sting out of processing the daily flood of digital sewage.
Having armed yourself with the mental attitude needed to protect yourself from useless bursts of wrath, what technical steps can you take to stem the flood of spam? First, you should begin at the beginning. Before you start trying to delete the spam you're already receiving, is there anything you can do to prevent new spam?
In order to send spam, spammers need email addresses. To date, the most common way for spammers to obtain valid email addresses has been Web page harvesting--the use of specialized automation software called "spambots" to scan thousands of Web pages and save all the email addresses that can be found. Spammers continue to develop nasty new ways to get your address, but publishing your email address on a Web page is still the easiest way to get attention from spammers.
Anytime you publish an email address on a Web page, you should take steps to protect it from being harvested by spammers. There are several ways you can protect your email address, ranging from the totally useless to the reasonably effective.
- Try to obfuscate the characters of your email address. Some people
paraphrase their email address--spelling out "at" and "dot
com"--or insert extraneous characters intended to trip up spambots.
Not only do such techniques look unprofessional, they provide very little
protection. Any decent spambot can decode them and get your actual email address.
- Create a robots.txt file to keep spambots away. The robots.txt file
is a file you can place on your server to specify how automated software should
be allowed to access your pages. But adherence to robots.txt guidelines is
wholly voluntary. Legitimate Web crawlers will honor a robots.txt file, but
spambots don't care. Simply posting a "No mosquitoes allowed" sign
on your patio will not guarantee a pleasant barbecue.
- Encode your email address with HTML entity codes. Every keyboard
character has an ASCII number equivalent that can be specified on a Web page
in lieu of the actual character. Browsers automatically convert the code to
the required character, but spambots, it was assumed, do not. In fact, spambots
figured out this trick a long time ago, so changing the @ character into &#64;
doesn't offer any protection.
- Render your email address with a server-side script. All server-side
scripting environments allow you to ask for the name of the browser program.
You can choose to block access from known spambots or unrecognized browsers.
Unfortunately, most spambots spoof their credentials and claim to be the latest
version of Netscape Navigator, so you're not fooling anyone with this trick.
- Render the text of your email address in an image file. Don't type
your email address into your Web page; instead, link to a graphic file that is an image
of your email address. Spambots are unlikely ever to implement graphics-to-text
converters, so this method is a pretty sure-fire way to prevent harvesting
while still making your address readable by most users. But the graphical
approach has disadvantages. Your email address won't be readable by visually-impaired
users or users with certain browsers, including some wireless devices. It
is not possible to create a clickable email address link with this tactic
since the HTML code for the email link would be vulnerable to harvesting.
And a graphically rendered email address may be more difficult to maintain,
especially when many email addresses are involved. You might be able to alleviate
some of the maintenance problems by creating a single graphic of an @ symbol
and using that, in combination with text, to produce a readable email address.
into an email address but which looks like gibberish to most spambots. In
document.write( "jim_smith" );
document.write( "@" );
document.write( "matterform.com" );
- Create contact forms instead of email links. By making a contact form that sends you an email, or stores messages in a Web-enabled database, you can keep your email address off the Web altogether. Just make sure you store the email address in the server-side script or CGI application that processes the form, not in the form itself, where it would still be vulnerable to spambots. If you do it right, your email address will be completely protected and completely hidden from any spambot. This approach requires additional setup time and expertise, which may be impossible if your Web hosting provider doesn't let you create custom scripts or CGI applications, or unfeasible if you have numerous addresses to protect. And you may decide that contact forms just aren't appropriate for your site. I have always felt that a real email address published on a Web page, along with a phone number and snail-mail address, goes a long way towards establishing credibility in the e-commerce world.
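The contact-form advice above, sketched as server-side code. This is an added example, not code from the original article: CONTACT_RECIPIENT, buildContactMessage and the form field names are hypothetical, and the example.com address is a placeholder. It also rejects line breaks in single-line fields, a check the article does not discuss.

```javascript
// Added example: the recipient lives in server-side code, never in the form.
// CONTACT_RECIPIENT and the field names are hypothetical placeholders.
const CONTACT_RECIPIENT = "info@example.com"; // never sent to the browser

// Weak pattern, for contrast: the form carries the address in a hidden field,
//   <input type="hidden" name="recipient" value="info@example.com">
// so it is readable in the markup and the submitter can change it.

const HEADER_BREAK = /[\r\n]/; // single-line fields must not contain CR or LF
const SENDER = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;

// Turn submitted form fields into a message object for the mail system.
function buildContactMessage(fields) {
  const name = String(fields.name ?? "").trim();
  const email = String(fields.email ?? "").trim();
  const subject = String(fields.subject ?? "").trim();
  const body = String(fields.message ?? "");

  for (const [label, value] of Object.entries({ name, email, subject })) {
    if (HEADER_BREAK.test(value)) throw new Error(`line break in ${label}`);
  }
  if (!SENDER.test(email)) throw new Error("invalid sender address");
  if (!body.trim() || body.length > 5000) throw new Error("message empty or too long");

  // Any "recipient" or "to" field in the submission is ignored on purpose.
  return {
    to: CONTACT_RECIPIENT,
    replyTo: email,
    subject: `[Contact form] ${subject || "(no subject)"}`,
    text: `From: ${name || "(no name)"} <${email}>\n\n${body}`,
  };
}

// Constructed submission: the extra "recipient" field has no effect.
console.log(buildContactMessage({
  name: "Pat", email: "pat@example.org", subject: "Question",
  message: "Do you ship overseas?", recipient: "someone-else@example.net",
}).to);
```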
New email addresses can stay spam-free for a long time if you simply take some precautions against harvesting. Of course, you also need to be aware of how you use the new address. Don't type it into other Web sites or into Usenet discussion groups. Keep throwaway addresses on hand for those occasions or type out the URL of a spam-protected Web page. Don't allow employees to use their business email address for personal purposes; offer them a free personal account on your mail server that can be kept separate from the business account, or insist that they get a personal account elsewhere. And don't publish personal addresses at all if you can avoid it. Instead, publish department addresses, like, which can be redirected when new staff come on board and abandoned entirely and replaced if they start to get bogged down in spam.
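To see which of the markup techniques listed earlier keep an address out of the raw HTML, you can scan your own page the way a simple harvester reads it. This is an added example, not code from the original article; the sample page is constructed, the example.com addresses are placeholders, and auditPage is a hypothetical helper name.

```javascript
// Added example: self-audit of page markup for harvestable addresses.
// SAMPLE_HTML is constructed; the example.com addresses are placeholders.
const SAMPLE_HTML = `
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: support&#64;example&#46;com</p>
<p>Press: press at example dot com</p>
<p>Owner: <img src="owner-address.png" alt="owner address"></p>
<script>
document.write("jim_smith"); document.write("@"); document.write("example.com");
</script>`;

const ADDRESS = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;
// Spelled-out form: "name at host dot tld"
const SPELLED = /([\w.+-]+)\s+at\s+([\w-]+(?:\s+dot\s+[\w-]+)+)/gi;

// Decode numeric HTML entities (&#64; or &#x40;) as any HTML parser would.
function decodeEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Return a Map of address -> the way it was exposed in the raw markup.
function auditPage(html) {
  const findings = new Map();
  const note = (address, how) => {
    const key = address.toLowerCase();
    if (!findings.has(key)) findings.set(key, how);
  };
  for (const m of html.matchAll(ADDRESS)) note(m[0], "plain text or mailto link");
  for (const m of decodeEntities(html).matchAll(ADDRESS)) note(m[0], "HTML entity codes");
  for (const m of html.matchAll(SPELLED)) {
    note(`${m[1]}@${m[2].replace(/\s+dot\s+/gi, ".")}`, 'spelled-out "at" and "dot"');
  }
  return findings;
}

// The image and the split document.write() address do not appear in the result.
for (const [address, how] of auditPage(SAMPLE_HTML)) {
  console.log(`${address} exposed via ${how}`);
}
```

A harvester that executes scripts would still see the address assembled by document.write(), so this scan models only tools that read raw markup.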
Protecting email addresses on your Web site will prevent most new spam, but there are other ways spammers can get your address. Other ways to protect the privacy of your email address include the following:
- Don't give out
your address unless you have to. Whether it's an online business or a
brick-and-mortar business that's asking you, phony addresses, throwaway
addresses and outright stubborn refusal are your best protection.
- I don't really
have to remind you, do I, that you should never reply to a spam or use an
unsubscribe link? If it's something legitimate you really remember signing
up for, you can probably sign off, but don't believe the dirt balls who
tell you that you asked for their spam.
- Don't even open or
preview spam unless you know that your email program is configured not to
auto-load images and other rich media content. Not only does this expose
you to graphics you'd rather not see, the images themselves can be
configured to trigger a script on a spam server that marks you as someone
who reads spam. This nasty trick is called a WebBug and is becoming more
and more common.
- Don't use your
primary address when registering a domain name. Spammers can look up
domain name records and steal the email addresses of the administrative,
technical, and billing contacts. When registering a domain, use an email
address that you've set aside for nothing but domain name registrations.
It will still get spam, but it will be separate from the rest of your mail
and easier to deal with.
- An unusual,
unguessable email username can't hurt. Because spammers send out junk to
randomly chosen addresses,
gets way more spam than
may want to consider disabling any wildcard email addresses that
including lots of spam, right to your personal account. Also, you should
be aware that some domains have worse spam problems than others. Hotmail
is notorious for the amount of spam their addresses receive, but Apple's
.Mac service goes largely unnoticed by spammers.
- As far as I know
this hasn't happened yet, but it's only a matter of time before spammers
figure out how to use viruses to harvest email addresses. You could be put
on a spam list not because you got a virus but because the cousin who forwards all those chain
letters to you got a virus and you were in her address book. It will be a
technical challenge to deliver the email addresses to the spammer without
leaving a trail for law enforcement to trace, but you can bet that
spammers are working on it right now.
- The big and dirty spammers are beginning to use a technique called "Directory Harvest Attacks" to obtain valid email addresses. This allows them to steal addresses right from your service provider's mail server. I don't have room here to discuss counter-measures, but you should make sure your system administrator or Internet service provider is taking steps to protect your email addresses from these attacks.
Unfortunately, the only way to become perfectly and permanently invisible to spammers is to become invisible to everyone else. Close your email accounts and stay off the Net, and the spam will disappear like magic. If that's not an option for you, though, spammers will find you from time to time, no matter what you do. Nevertheless, prevention remains an important part of any anti-spam strategy. Once you've patched the serious privacy leaks that are opening you up to lots of spam, you'll be ready to get serious about identifying and deleting existing spam, and that will be the topic of our next article.