Quebec Family History Society
	Research » Spam

What is spam?

Spam is generally considered to be unsolicited e-mail arriving in your in-box. While this isn't quite true - an e-mail from a long-lost relative probably wouldn't upset you even if it is unsolicited.

A message from your ISP (Internet Service Provider) telling you that they have stopped a virus before it reached your in-box is a welcome, though unsolicited, message. Spam might be had to define, but like good art - I can't define it but I know what it is.

Why do many Internet users get more spam than legitimate e-mail? Spam usually tries to sell you something and is usually sent to a large number of addresses. E-mail is the cheapest way to reach potential customers in bulk, so vendors are naturally attracted to it.

Many ISPs are trying to block spam before it reaches your computer but it is difficult task. My ISP blocks spam with a commercially available program but the results aren't perfect. One of the many e-mails that still get through are ones promoting Viagra. The ISP could block any e-mail that contains that word, but what happens if someone sends a joke on that subject - it would be blocked, even though it wasn't spam.

Once they blocked messages with the word "money" in the subject. You can imagine how many legitimate e-mails were blocked!

How to prevent spam reaching you?

In short, you can't stop all spam, unless you never use the Internet. But there are ways to reduce your exposure to the e-mail harvesters. If they don't have your address, your will get less spam but your still might recieve some.

What's that? You say I can get it even if my address is not knowm to the spammers? Some use brute force to find an e-mail address. They send to every possible combination of letters at myisp.com. Eventually your address will be found and a message lands in your in-box. Then you read it and delete it and the spammer now knows that your address is a good one.

Huh? Have your ever miss-spelled an address? Have you spelled "sympatico" as sympa c tico with an extra " c" - I have and the message gets bounced back to my in-box as undeliverable. If the spammers message doesn't get bounced, then it must be a good address. Remember that they aren't looking for "your" address, but they are looking for any legitimate address and once they have it, they can sell it to other spammers and suddenly your in-box is full.

That's one of the ways that spammers get messages to your you. Other methods are described in the article below.

How to Deal With it Once it Passes the ISP

Most e-mail programs all your set set up filters to direct e-mail from a specific address, web site, or ISP to a "possible spam" folder, or directly to the junk folder. You can also filter based on words in the subject line, or in the body of the message. Like the filters my ISP use, these are only a first line of defence - spam can still slip through if the filters aren't specific enough or legitimate messages will be blocked if the filter is too general.

Another defence is to use programs that let you view the sender and the subject line, before the message is downloaded to your computer. You can then decide to accept the message or to delete is at your server.

Some ISPs provide that service as part of the package but if not, there are programs available for download (free and for a price) that do much the same thing. An interesting feature allows you to "bounce" the meassage back to the sender in a way that makes it look like your e-mail address is no good. The programs can be set up to mark mail from friends as "friendly" and others as "blacklisted".

The program uses the filters the next time and marks the messages appropriately but you can choose to let a blacklisted message through or you can bounce, or only delete a message from a friend if you widh. For those bothered by a lot of spam, a program like this can be a great help.

Remember that an address that is not in use is of no use to the spammer so bouncing should eventually get your off of his, and other lists.

Every day, millions of people receive dozens of unsolicited commercial e-mails (UCE), known popularly as "spam." Some users see spam as a minor annoyance, while others are so overwhelmed with spam that they are forced to switch e-mail addresses. This has led many Internet users to wonder: How did these people get my e-mail address?

In the summer of 2002, CDT embarked on a project to attempt to determine the source of spam. To do so, we set up hundreds of different e-mail addresses, used them for a single purpose, and then waited six months to see what kind of mail those addresses were receiving. It should come as no surprise to most e-mail users that many of the addresses CDT created for this study attracted spam, but it is very interesting to see the different ways that e-mail addresses attracted spam -- and the different volumes -- depending on where the e-mail addresses were used.

The results offer Internet users insights about what online behavior results in the most spam. The results also debunk some of the myths about spam.

• Our analysis indicated that e-mail addresses posted on Web sites or in newsgroups attract the most spam.
  • Web Sites - CDT received the most e-mails when an address was placed visibly on a public Web site. Spammers use software harvesting programs such as robots or spiders to record e-mail addresses listed on Web sites, including both personal Web pages and institutional (corporate or non-profit) Web pages.

    CDT tested two methods of obstructing address harvesting:

    • Replacing characters in an e-mail address with human-readable equivalents, e.g. "example@domain.com" was written "example at domain dot com;" and
    • Replacing characters in an e-mail address with HTML equivalents.

    E-mail addresses posted to Web sites using these conventions did not receive any spam.

  • USENET newsgroups -- Newsgroups can expose to spammers the e-mail address of every person who posts to the newsgroup. Newsgroup postings, on average, generated less spam than posting an e-mail address on a high-traffic web site. In our study, we discovered that most newsgroup-related spam is sent to the address in the message header, even if other e-mail addresses are included in the text of the posting.
• For the most part, companies that offered users a choice about receiving commercial e-mails respected that choice. Most of the major Web sites to which we provided e-mail addresses respected the privacy choices we made -- when a choice was made available to us.
• Some spam is generated through attacks on mail servers, methods that don't rely on the collection of e-mail addresses at all. In "brute force" attacks and "dictionary" attacks, spam programs send spam to every possible combination of letters at a domain, or to common names and words. While these attacks can be blocked, some spam is likely to get through. In many cases, spam generated by these attacks will be directed to shorter e-mail address (like bob@domain.com) before it is directed to longer addresses (like bobwilliams@domain.com).

Tips for Avoiding Spam

Currently there is no foolproof way to prevent spam. Based on our research, we recommend that Internet users try the following methods to prevent spam:

• Disguise e-mail addresses posted in a public electronic place.

  CDT received the most spam just by placing an e-mail address at the bottom of a webpage. Spammers "harvest" these addresses with computer programs that collect and process addresses and add them to spam mailing lists. If a user must post his/her e-mail address in a public place, it is useful to disguise the address through simple means such as replacing "example@domain.com" with "example at domain dot com" or other variations such as the HTML numeric equivalent, in which "example@domain.com" could be written "example@d omain.com."

  Opt out of member directories that may place your e-mail address online. If your employer places your e-mail address online, ask the Webmaster to make sure it is disguised in some way.
   

• Read carefully when filling out online forms requesting your e-mail address, and exercise your choice.

  If you don't want to receive e-mail from a Web site operator, don't give them your e-mail address unless they offer the option of declining to receive e-mail and you exercise that option. If you are asked for your e-mail address in an online setting such as a form, make sure you pay attention to any options discussing how the address will be used. Pay attention to check boxes that request the right to send you e-mails or share your e-mail address with partners. Read the privacy policies of Web sites. If you suspect that a Web site has violated its privacy policy, you can report it to your state attorney general or the Federal Trade Commission.
   

• Use multiple e-mail addresses.

  When using an unfamiliar Web site or posting to a newsgroup, establish an e-mail address for that specific purpose. Alternatively, instead of just using one or two e-mail addresses, you can use "disposable e-mail addresses," which consolidate e-mail in a single location but allow you to immediately shut off any address that is attracting spam. By recording which disposable address was used at which web site, one can track what sites are causing spam. Many Web sites are now providing free e-mail accounts. A search in Google Directory for "disposable e-mail addresses" provides a list of e-mail providers designed for one-time use e-mails.
   

• Use a filter.

  Many ISPs and free e-mail services now provide spam filtering. While filters are not perfect, they can cut down tremendously the amount of spam a user receives.
   

• Short e-mail addresses are easy to guess, and may receive more spam.

  At least one spammer tried to guess the e-mail addresses used in this study by sending mail to short and common addresses. E-mail addresses composed of short names and initials like bob@ or tse@, or basic combinations like smithj@ or toms@ will probably receive more spam. E-mail addresses need not be incomprehensible, but a user with a common or short name may want to modify or add to it in some way in his or her e-mail address.

1. E-mail addresses harvested from the public Web are frequently used by spammers. By an overwhelming margin, the greatest amount of spam we received was to addresses posted on the public Web.

   When an address has been posted on the public Web, it can potentially be viewed by hundreds of millions of users. People who develop spam lists exploit this feature by using address-harvesting programs to surf across thousands of web sites, collecting any e-mail addresses that they encounter. Most users have no idea that their addresses have been harvested until they begin receiving spam.

2. The amount of spam received by an address posted on the public Web is directly related to the amount of traffic that Web site receives. The more visitors a Web site has in a given period of time, the greater the likelihood that an address-harvesting program used to send spam will scour it. As a result, addresses posted on high-traffic Web sites are likely to receive a greater amount of spam than address posted on smaller sites -- popular Web sites are more frequently "harvested," and addresses posted on those Web sites are added to a greater number of spam lists.
    
3. E-mail addresses harvested from the public Web appear to have a relatively short "shelf life." When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute -- on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.
    
4. Addresses posted in the headers of USENET messages can receive significant spam, though less than a posting on the public Web. Like most Web sites, USENET postings are publicly accessible and may be targeted by e-mail address-harvesting programs. When a user includes his or her address in the heading of a USENET message, that address can be harvested and used to send spam. Our preliminary data indicates that some USENET newsgroups are more frequently harvested for e-mail addresses than others.
    
5. Obscuring an e-mail address is an effective way to avoid spam from harvesters on the Web or on USENET newsgroups. Even when posted in publicly accessible areas, none of the addresses we obscured -- whether in English ("example at domain dot com") or in HTML -- received a single piece of spam. Users who want to avoid spam should consider obscuring their addresses when possible.
    
6. Sites that publish their policies and make choice available to users generally respected those policies. A major element of the CDT project was to submit e-mail addresses to a number of popular businesses and other organizations on the Web. Many of these sites had privacy policies describing how they handle e-mail addresses and other potentially sensitive pieces of information. While the terms of these policies varied, we found that almost all sites followed their policies. In addition, when consumers were offered choices about how their personal information would be handled, those choices were respected.
    
7. Domain name registration does not seem to be a major source of spam. Despite the fact that the WHOIS database is publicly accessible, our project received just a single spam message to an address that was in WHOIS for six months. This leads us to believe that, at least for some people registering new domain names, listings in the WHOIS database may not be a major source of spam. However, because our project had a relatively short duration, we were not able to examine whether additional spam would be received as a domain name approached its renewal date.
    
8. Even when an e-mail address has not been posted or shared in any way, it is still possible to receive spam through various "attacks" on a mail server. In our study, a "brute force" attack on the mail server generated a tremendous amount of spam, even to addresses that hadn't been shared anywhere. Anecdotal evidence from network operators indicates that such attacks are not uncommon, and that while alert network administrators can sometimes block them, a significant amount of spam can still result. Sometimes, these attacks take the form of "dictionary attacks," in which the attacker sends e-mail to all the words in the dictionary, or attacks in which e-mail is sent to common surnames and first initials (such as "jsmith" or "bjones"). For individual Internet users, there is little that can be done to avoid the spam that may result from such attacks.