The Fight Against Spam, Part 3

Address Masking Tips

Address masking techniques range from the easiest tricks to the most complex setups. However, even if some serious scrambling is sometimes necessary, simple methods can be pretty powerful in real life and keep you out of trouble. Here are a few ideas that may prove more or less effective with time, but that all provide some layer of protection.
  • Scramble your address by replacing "@" with "{at}" and "." with "{dot}". Simple but effective against the robots that cannot recognize the string as an address. Of course, since this method is almost as old as the Internet itself, robots are getting pretty good at recognizing it, so use your imagination... If myname {at} my provider {dot} extension sounds mundane, try variations like {dot], (d.o.t) or even ]do.t[... as long as your correspondents can understand the address but a machine cannot, you're all right.
  • A similar method consists of adding words to your address and then explaining what to remove. For example, "My address is myname@myproviderILoveElephantsAndMice.extension (remove animal-related information)" probably won't be a threat to your real address. However, note that a spambot will still pick up the address and try to send mail to it. This is why it is better to scramble the domain name than your user name: scrambling only the user name will not prevent your email provider from receiving mail for a nonexistent person, which it will have to process and bounce back. Even better, scramble both, though this can become a bit too cryptic. Of course, make sure that you do not pick a domain that actually exists.
  • Create an image for your address. Spambots cannot read images, especially if they contain distracting visual elements. Place an image with your address on your home page, site, or forum signature instead of writing it. Of course, do not make it a "mailto" link since putting your address in the HTML code of the page would have the same effect as typing it in plain text.
    The two main drawbacks to this method are that it makes sending mail a lot less spontaneous for your correspondents and can raise accessibility concerns, making it a bad idea depending on the accessibility legislation that applies to you or the customers you want to reach. To circumvent that, you could always create an audio file with your address, but this is a lot less convenient. On the other hand, this method is probably one of the most effective.
  • A popular option is to write a short JavaScript that you can embed in your pages. This script will take care of rendering addresses on the fly, making them theoretically invisible to a robot that reads the source code. Be cautious, though: robots are getting pretty good at spotting these. Here is a sample script:
    <script language="JavaScript">
    <!--
    // Assemble the address at render time so it never appears whole in the source.
    var name = "myname";
    var domain = "myprovider.extension";
    var subject = "";
    document.write('<a href="mailto:' + name + '@'
                             + domain + '?subject=' + subject + '">');
    document.write(name + '@' + domain);
    document.write('</a>');
    // -->
    </script>

    Of course, this requires your readers to have JavaScript support enabled in their browsers.

  • When creating forms on your site, do not enter your address in the site's source code, since this is effectively the same as publishing your email address on the page. Some server-side scripting can come to the rescue here, but CGI scripting is out of the scope of this discussion.

Be Cautious in Real Life Too

It is extremely tempting to print your email address on all your business papers and publications. However, it is at least as dangerous as posting it online. So make sure that you do not print your address unless it is absolutely necessary, and only use your third address.

If you deal with a customer on a regular basis, you can always "escalate" him to the second address.

Help, I Made a Mistake with My New Address

If you receive spam, all is not lost. Indeed, even though your filters should contain it efficiently, you can try to prevent it from reaching your inbox by using a few common tricks.

In the following paragraphs, we are going to see how you can fight back against existing spam. These methods are probably not 100 percent effective but they should help a great deal.

Never Reply to Spam Mail

Replying to spam email is like asking to be sent more, even if you see an "unsubscribe" link. Indeed, in most cases, all it does is confirm that your address exists, thereby encouraging the spammer to send you more and to sell your email address, since a known "good address" is worth a lot.

Therefore, as a general rule, you should never reply to spam, regardless of the kind of reply. Of course, this raises certain issues, since some "unsubscribe" links are in fact legitimate. For example, newsletters sent by a company you know almost certainly include a legitimate link. However, when in doubt, it's better not to confirm that you have received the mail and to let your filters delete it.

Bounce Them Back, But Be Careful

Mail has a great feature called "Bounce." What does it do? It simply sends the mail back to the sender, telling him that it could not be delivered because the address was incorrect.

Many spammers use software that checks for such replies and removes addresses that generate them, so that they can focus on the good ones. In order to use it, simply follow these steps.

  • Click on the message once to highlight it
  • In the "Message" menu, select "Bounce"
  • Read the alert sheet and confirm

If you use it often, you can, of course, add a bounce button to your toolbar. Its icon looks like a red stamp and is actually quite cool.

This method is great for ridding your inbox of unwanted correspondents who simply bother you and with whom you cannot deal in a more courteous way, or from whom you receive "legitimate spam" that you cannot deactivate manually.

You should be cautious, though! Unless the email specifically contains your address in the "To" field, don't bounce it. Doing so could cause your mail provider to "fill in the blank" when the mail travels back and provide the spammer with your actual address.

It's up to you. Just keep in mind that this feature is great but may, under certain circumstances, have unwanted effects. Under some special circumstances, it could also generate a bounce war. What if the address you bounce to has been spoofed and the other correspondent bounces back too? You could well end up bouncing the same mail back and forth when deleting it would have been a much easier choice.

Contact Your Email Provider

If your email provider maintains anti-spam filters, this mail should not have gone through them. Even the most well-configured servers cannot stop everything but you can make them better!

Simply contact your email provider and provide them with the complete header of the message, so that they can see from where it came. Most email providers have a specific address to which you should send such notifications.

They can then take appropriate steps and ensure that the same mail won't make it to you next time. This can range from simply adding a custom rule to their anti-spam server to contacting the spammer's provider, depending on how much information they have and how willing they are to fight back against spam.

Contacting your own provider is usually very effective since you have common interests--the less spam they let come into their network, the less their servers work and the happier their customers are. Modern server-side filtering technologies can be reconfigured in minutes, making the task easy. Of course, they will probably wait until a few users have reported the spam to them before adding it to their filters to avoid slowing their filtering servers down with one-of-a-kind messages. But they probably will react.

The email address to use will probably be something like "abuse @ your email provider" or "spam @ your email provider". However, since every company has its own policy, make sure that you check with them first.

How Do I Collect the Necessary Information?

When reporting spam, you'll be asked for the whole header of a message. Why? Because headers are the lines of information that are added by the various servers that handle the mail while it travels across the Internet, as well as by the email client used by the sender. Therefore, the header is extremely valuable when dealing with spam since it allows investigators to track the message's source.

Here's an example. The "From" header may indicate that a spam message comes from the .Mac domain, leading someone who only sees this header to think that it comes from .Mac and to complain to Apple. However, a look at the "Received" headers will probably reveal that this mail never traveled on the .Mac SMTP server, which probably means that it wasn't sent from .Mac but from another location. Like your computer when it is connected to a network, email servers have a domain name and an IP address, making them identifiable.

Of course, some virus-infected computers are used as spam relays by remote spammers, making even the information provided by the headers inaccurate or at least incomplete. This is, however, not always the case and headers remain the main source of information by which an investigation should begin.

The easiest way to grab all the information you need is to show a message's long headers. In order to do so, simply select the message and use the "View" menu to select "Message" and "Long headers." You can also choose "Raw source." This may reveal some interesting facts about the message since it strips all the nice rendering your email application does for you, exposing the actual code of the message (if applicable) as well as some technical information or requests that your client processed. Actually, using "Raw source" is the preferred method in most cases, so you normally can't go wrong with this option.

Copy all these headers and paste them in the notification mail you send. Headers contain very detailed information, so make sure that you do not unwittingly send confidential information to a third party. Unfortunately, the catch is that altering headers might cause your email provider to reject the notification since it is no longer an accurate proof. But you never know. Some providers may accept altered headers, so it's worth giving it a try if you must "x-out" certain information. Just make sure that you clearly state that you altered the headers so that they have all the information they need. Also, use "X" to mask information (or any other identifiable character) but do not enter bogus information that could interfere with the tracking process.
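
One way to "x-out" your own address consistently before pasting the headers, shown as an added Python example that is not part of the original article. The headers are a constructed sample using reserved example domains and documentation IP addresses, and the function name mask_address is this example's own.

```python
import re

# Constructed sample headers: reserved example domains, documentation IPs.
HEADERS = """\
Delivered-To: jane.doe@myprovider.example
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.myprovider.example with ESMTP id 4F2A1
\tfor <Jane.Doe@myprovider.example>; Mon, 3 Jan 2005 10:00:05 +0100
From: "A Friend" <someone@claimed-sender.example>
To: jane.doe@myprovider.example
Subject: Hello
"""

def mask_address(headers, address):
    """X-out the part of `address` before "@" wherever it occurs.

    Returns (masked headers, fields touched, note for the report). Each X
    replaces one character, so line lengths, server names, IPs and dates
    stay exactly as received.
    """
    local, _, domain = address.partition("@")
    pattern = re.compile(
        re.escape(local) + "(?=@" + re.escape(domain) + ")", re.I)
    out, touched, field = [], [], None
    for line in headers.splitlines(keepends=True):
        if line[:1] not in (" ", "\t"):      # not a folded continuation line
            field = line.partition(":")[0]
        masked, hits = pattern.subn("X" * len(local), line)
        if hits and field not in touched:
            touched.append(field)
        out.append(masked)
    note = ("I altered these headers: the first part of my own address is "
            "replaced with X in " + ", ".join(touched) + ". Nothing else "
            "was changed.")
    return "".join(out), touched, note

if __name__ == "__main__":
    masked, touched, note = mask_address(HEADERS, "jane.doe@myprovider.example")
    print(note)
    print(masked)
```

The address also turns up inside the "Received" line's "for" clause and with different capitalization, which is easy to miss when masking by hand.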

Some mail providers will also ask you to send the contents of the mail, depending on how their spam filter works, but this is less common. In that case, do not send them any infected attachments, HTML code, or scripts (JavaScript and the like). If you think that this is an essential element, discuss with your email provider what is the best way to proceed to avoid creating technical issues on their servers.

Again, keep in mind that the "From" field is probably spoofed by the spammer and that the person in question has probably never sent the mail you are receiving. This is why it is essential to include all the header information.

Should I Contact the Spammer's Email Provider?

Many tutorials advise you to contact the spammer's provider or to report the spam to a third-party reporting site. While this might be done, you should keep in mind that the spammer's ISP may not be willing to close the spammer's account and may even work with the spammer, in which case your action may well cause you lots and lots of trouble.

In the following section, I'll outline the major steps to follow to do just that. However, I strongly recommend that you read them "for information purposes only" and really do think twice before actually following them since, again, they can have unwanted and damaging effects.

Look at the message's raw source: the "Received" headers describe the route the mail took while traveling over the Internet. Getting used to the way they are formulated may take a few minutes, but they are actually very logical. At the top, you'll find your email provider and its servers, while at the bottom, you will see the provider of the spammer, at least in principle, since everything is spoofable.

What about the sites in the middle? Are they spammers too? Maybe, maybe not. Many servers accept "relay" mail from other services, effectively giving a hand to spammers as well as to legitimate users. In most cases, the administrators of these sites have no malicious intentions and simply made a configuration mistake or are not aware that their servers are used for such purposes.
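
The reading of "Received" headers described above, together with the earlier comparison against the "From" header, as an added Python example that is not part of the original article. The message is a constructed sample using reserved example domains and documentation IP addresses, and the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: reserved example domains, documentation IPs.
RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.myprovider.example with ESMTP id 4F2A1
\tfor <me@myprovider.example>; Mon, 3 Jan 2005 10:00:05 +0100
Received: from pc (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 3 Jan 2005 09:59:58 +0100
From: "A Friend" <someone@claimed-sender.example>
To: me@myprovider.example
Subject: Hello

Body text.
"""

# "from <name>" is whatever the connecting machine claimed; the bracketed IP
# is normally recorded by the receiving server, so it is the better lead.
HOP = re.compile(r"from\s+(?P<claimed>\S+).*?\bby\s+(?P<by>\S+)", re.S | re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_path(raw):
    """Return (message, hops), oldest hop first (servers prepend their line)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hop, ip = HOP.search(value), IP.search(value)
        hops.append({
            "claimed": hop.group("claimed") if hop else None,
            "by": hop.group("by") if hop else None,
            "ip": ip.group(1) if ip else None,
        })
    return msg, hops

def from_domain_in_path(raw):
    """Return (From domain, True if any hop's host name belongs to it)."""
    msg, hops = received_path(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = [h[k].lower() for h in hops for k in ("claimed", "by") if h[k]]
    seen = bool(domain) and any(
        h == domain or h.endswith("." + domain) for h in hosts)
    return domain, seen

if __name__ == "__main__":
    for n, hop in enumerate(received_path(RAW)[1], 1):
        print(n, hop)
    print(from_domain_in_path(RAW))
```

A result of False means no server of the "From" domain appears anywhere in the recorded route, which is the mismatch the .Mac example describes; it is a hint that the sender address is spoofed, not proof of where the mail originated.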

Once you have isolated the originating domain name, it is time to do some serious research. What kind of organization is it? Is it an email provider? Does the company that sent you the mail manage its own servers? While doing your research, try to determine whether the site actually replies to complaints or not. You should also make sure that you can safely go further.

Now that you have located the provider, you can, if you really are willing to do so, send them your polite complaint, again with all the necessary headers so that they can process the information efficiently and take appropriate steps.

But what are you supposed to do if the site is not known to reply to requests? In that case, you can contact their "upstream provider," in other words, the company they are relying on to provide them with Internet access and email services. To locate it, you can use the "Traceroute" feature, available through the "Network Utility" located in your "Utilities" folder.

Traceroute will list all the places the data goes through to get from the original domain to you. These are the people that you can theoretically try to contact, by working from the bottom to the top. As usual, locate the contact information and send a detailed but courteous message.

The main problem with these steps is that you are entering into direct contact with companies that you do not know and to which you are providing your email address. That's why many spam-reporting services are available on the Internet, some bad, some excellent. Good reporting services will hide your address from the spammer as a security measure. But be aware that nothing is entirely secure. Your safest bet is to ask your email or Internet provider for a name they would recommend. They may even do all this themselves, allowing you to forget about it and to focus on your work instead of tracking unwanted email.

FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
