The Fight Against Spam, Part 1
Pages: 1, 2
Carefully Choosing Your Email Provider
There are thousands of email providers out there, some free, some fee-based. However, as easy as opening an email account somewhere may seem, it is important to pick your provider carefully and to ask you not only what mail box size they offer (you will rarely use more than a few MB and even the ones offering tons of space restrict attachment size, making this feature somewhat less attractive), but what features they provide and how they fight spam and viruses.
Of course, even the best provider cannot prevent all spam from reaching your inbox, but server-side filtering can make a huge difference. In my experience, Apple's very own .Mac mail is extremely resistant to spam. Also, the support teams do reply to your inquiries and are extremely helpful.
As a way to test whether your mail provider filters for viruses, you can send yourself an EICAR.COM test file. These files are not actual viruses but are used to trigger anti-virus systems and test them. To create an EICAR.COM file, enter the following string in a new TextEdit text-only document:
and save it. Test it with your anti-virus software and make sure that it triggers an alert. If it doesn't, make sure that you have created it properly. Then name the file EICAR.COM, attach it to an email and send it to yourself. Good email providers should stop the file in transit or provide you with a warning.
Of course, since this file actually triggers anti-virus systems, it is a bit like testing the smoke detectors of your local supermarket by smoking underneath them. It can cause unnecessary concern and be illegal in some areas, so, please, do check with your provider first whether this is permitted or not. As we said, emails generated by viruses are not technically spam, but they can be so devastating that checking whether you are protected against them right now cannot hurt.
It is generally a good idea to pick an email provider that is independent from your ISP. That way, if you need to switch ISPs for any reason, you do not need to change your email address.
Webmail, IMAP, and SSL are three features that no Mac user should be without, either. Make sure that they are available when you sign up. When a provider states that "SSH tunneling" is required for secure mail reading, this is both bad and good news. It means that they know something about security (a plus), but that checking your mail will likely involve Perl scripts and shell commands (a huge minus for most users).
Carefully Picking Your Email Address
When you sign up for an email service, you are usually encouraged to select a cool, easy-to-remember address. However, this is not always a good idea.
Indeed, spammers now use nifty robots that invent addresses by compiling common user names with common domains. For example, if your name is "John Smith," you are guaranteed to be spammed if you pick "smith," "john," or "jsmith" as your email address. The same applies to nicknames like "Bill," "Geek," or "Superdude."
That's why your IT manager at work may have assigned to you an address that contains strangely placed dots, dashes, or underscores. Sure, it may be a pain to type sometimes, but it can also be a lifesaver. Apply the same rules to your home email and the amount of spam you receive should decrease.
Of course, the chances increase if your address is hosted on a commonly used domain such as Hotmail, Yahoo, or the like. Don't get me wrong, this does not mean that there is something wrong with these domains. They simply make a more tempting target since once is almost guaranteed to find a match for any name there.
Using Multiple Addresses
This may sound silly and expensive, but it is now a strategy that you should consider. Some tutorials advise you to create two different accounts; I would suggest using three.
That way, you can have one account to receive email from trusted people. In other words, any user that is technically minded enough not to submit this address to a spammer and to protect her computer against viruses and trojan horses. The trusted group can also include very important people for you -- your boss, your close relatives -- but do make sure that providing them with your address does not ruin all of your anti-spam efforts.
The second address will be for a semi-trusted group. In other words, the general public, your customers, and your extended family. You can expect to receive a certain amount of spam on this address and should exercise caution when checking it. Of course, this does not mean that the people you give the address to are "semi-trusted" as individuals, but simply means that this address will circulate a lot more around the Internet and could potentially be intercepted.
The third one will be your junk address, the one you will give to untrusted companies and people you don't know. Of course, you should still be prudent. The fact that you can throw this address away does not mean that you should knowingly allow spammers to use it. Why? Because it would make checking it a lot more difficult, and even potentially dangerous.
Additional Tricks to Create a Well-Protected Address
Now that you have created these addresses and paid your yearly subscriptions, they should be relatively safe and spam-free. However, if you use them heavily, there are additional ways to protect yourself.
The easiest precaution is to create a screen of smoke and dissociate the address you give to people from your real one. This may look like a superfluous step, but it can be extremely effective. In fact, more and more, people I know use this tactic every day.
Register Your Domain Name
We have seen that commonly used domain names are more commonly used as targets to attacks. Why not create your own? Some registration services allow you to register your own domain for a low price.
Even if you do not host a web site, having your own domain will increase your chances of not receiving spam and will also make your email address look ultra-cool. Families, friends, or small businesses can create a common domain name and have separate addresses to share costs. Just make sure that you establish in advance who will be your postmaster.
Of course, you should make sure that the company that you deal with to create your domain name is a trusted one. Also, some countries may not allow you to register a domain or restrict the process: always ask your legal advisor before purchasing one. If such limitations not exist where you live, please, do respect naming conventions: .com for commercial sites, .org for non-profit, etc. This will make things easier to remember for your correspondents. And, let's face it, it makes more sense.
Set Up Mail Forwarding
Now that you have set up your domain name, it is time to create inboxes associated with it. However, professional mail services and customized mail servers are not cheap.
Therefore, you can simply set up mail forwarding to your existing addresses. That way, you can give a professional-looking address to your correspondents and keep your "real" address for you. When they receive a reply from you, your correspondents will be able to find out what your real address is, but if you receive spam, you wouldn't reply anyway. If you're willing to go the extra mile, you can have a custom SMTP server set up for a few dollars a month. But at this point, it may be simpler to get a "professional" email account.
Forwarding in itself cannot protect you against spam. However, what makes this method interesting are the spam filtering and anti-virus scanning systems provided by your forwarding company, meaning that the mails that you receive will travel through two layers of scanning: the one set up by the forwarding company and the one set up by your actual email provider. Since spam can go through various detection software, having multiple layers that use different engines will greatly improve their efficiency.
One of the other advantages of this method is that it allows you to create disposable addresses extremely easily. Many forwarding services allow you to create a few addresses for a fixed price and to change them as often as you please.
With such a setup, you can create a bogus username such as "spam_from_strange_site.april_04," send it to a site you don't trust, and once you have the information you want, destroy it. This is much easier to do than opening a free mailbox somewhere, and has the advantage of not cluttering your provider's customer database with unused mailboxes that can ultimately raise a security concern -- if you forget about them and someone breaks into them to perform illegal actions, for example.
Of course, we are not talking about anonymity here, just protection from unwanted mails. When you register a domain name, you are normally required by law to give valid contact information.
Setting Up Your Email Client
Now that you have a perfectly well-chosen address, safely put behind a smoke screen that allows you to give various identities to various people without paying a cent, we need to see how you can protect yourself in the long run.
The easiest way to do that is to use a good email client and to set it up properly. Email clients are like browsers: they allow you to interface with an open world in which the best and the worse coexist, which makes them extremely important. They should provide a good balance between security features and flexibility.
Email clients are not created equal. However, nowadays, it's impossible to say that one client is "good" and that another should be avoided at all costs. Most of them have pros and cons and you will probably find one that best fits your needs.
In this article, however, we will have a look at Mail, the client that is built into Mac OS X. Why? Well, it is free, is capable of handling huge amounts of mail, is quite powerful under its user-friendly interface, and is perfectly integrated with iChat and Address Book. However, the main reason is that it features a state-of-the-art "Junk Mail filter," developed by the world-leading scientists that work on Mac OS X's language technologies -- which include the Speech technologies I discussed last month.
Even if you use another client, you will want to read the following paragraphs. The advice they give can be easily translated (for the most part, at least) and you may actually discover that the application you have always dreamed of is right at your fingertips.
In a successful attempt to make it even easier to use for newcomers, the Mail development team has designed an interface that allows users to access emails directly. That's great, but for various reasons, heavy mail users will want to turn off some of these features.
The first feature to disable is "Display images and embedded objects in HTML messages." To do so, simply uncheck the corresponding checkbox in the "Viewing" preference pane.
Why? Because many spammers use HTML as a way to check whether or not your address is valid. When this option is turned on, your computer will download any image that the mail contains, in order to display it properly. By doing so, this alerts the spammer that the mail has indeed reached someone and that, therefore, the address is valid.
Most legitimate mails do not use HTML code or, at least, images, but these are sometimes used only by companies who wish to send attractive advertisements and newsletters. If you receive legitimate HTML mail, Mail will display a button as soon as you open it, allowing you to load the images on the fly, viewing them as the original author intended.
If the companies you deal with give you a choice, I would recommend that you chose to receive text-only emails. They weigh a lot less, won't clutter your mailbox, and won't take hours to download from your mailbox -- an especially good point if you are on the go, away from your broadband connection.
The second setting to alter can be found in the "Advanced" tab of your account preferences. The "Keep copies of messages for offline viewing" pop-up menu allows you to specify whether or not Mail will download attachments automatically. Unless you cannot do so for a specific reason, I would recommend that you download messages but omit the attachments. Why? This will make Mail faster and allow you to avoid downloading malicious attachments to your computer.
The final step to take is to prevent Mail from automatically loading the messages you receive. As long as you follow the steps above, you should be safe, but it cannot hurt to add a layer of security.
In order to do that, look closely at the line that separates the mail list with the viewer area: it has a small dot in the middle. Double-click on that dot so that the line moves to the bottom of the window. Do not drag the line, since this would resize the viewer instead of closing it, even if you make it really small. Now, you will need to double-click on the emails to open them, but you will also be able to delete junk mails without actually opening them.
In part two, which will run this coming Tuesday, I'll drill deeper into Mail.app, especially examining the underpinnings of its junk mail filter. Be sure to stop by for a look.
FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
Return to the Mac DevCenter