After using the Internet for a number of years and witnessing several email addresses losing their usefulness I started researching into spam and the most effective methods of keeping it away from my inbox. After much trial and error I've now managed to reduce my daily intake of spam to a mere trickle. Some weeks, I see no spam whatsoever and in some email accounts I see none at all!
Realising that the effect of spam was more than simply from the time wasted in deleting it, I've compiled this one-stop guide to help others do the same. I hope the information offered here is of some use to you in the fight against spam.
Spam is also known as Unsolicited Commercial Email or UCE for short. It's usually some sort of electronic communication that you haven't agreed to receive hence the unsolicited. The sender of the spam (the spammer) usually wants money from you either by directly trying to sell you a product or service or indirectly by asking you to visit a website or call a phone number. Spam is the Internet equivalent of the cold caller.
Spammers often employ a whole range of tricks and tools to ensure that they can keep sending these messages. They often employ covert tracking techniques to establish valid email addresses so even if you don't reply to an email to 'unsubscribe' they'll already know you're there and reading!
If you've spent any reasonable length of time on the Internet and you keep an email account, it's almost a certainty you will have received junk mail at some point. Even if you've taken great precautions spammers will eventually get through to you.
There are dozens of methods spammers can use to obtain or harvest your email address. The most likely way is that you've probably (or worse, someone you know has) published your email address somewhere that is publicly accessible on the Internet. It might have been a forum or a USENET newsgroup posting. There's hardly a place on the Internet where it's safe to put an email address in plain sight!
Many of the techniques that people use to hide their email addresses are known to spammers. Popular anti-spam methods usually result in spammers will work harder to develop countermeasures! If you know how something works then you can be sure that a diehard spammer will too! Whilst it's doubtful that any one technique is foolproof or completely impenetrable, some will stand the test of time better than others.
Note that we're talking specifically about methods to counter the harvesting programs. If an email address is understandable to a human then it's always possible that the same human may add your name to a spam list manually. Unfortunately, there's not much you can do about that except to filter any spam that you receive.
Let's look at some of the methods that email harvesters use to obtain email addresses:
Dictionary or brute force. This is a method where the spammer will use a dictionary of common words and names, joins them in various combinations to create email addresses and then sends email to them. There's no guarantee the email addresses created actually exist, but because this method can be automated, thousands of emails can be sent every day without any intervention at all by the sender. It's common for this type of attack to be used against the popular email services such as HoTMaiL™.
Web harvesting. An automated computer program or script can be designed to crawl it's way around the Web by following hyperlinks that appear on webpages. Along it's way, the program records anything that appears to resemble an email address; usually a sequence of alphanumeric characters surrounding an @ symbol, arranged in specific groups. Anything that has a mailto link will be recorded as an email address too. These are special hyperlinks that when clicked, open up your email application with an email primed with a particular recipient email address. Even if you don't openly publish your email address on a website, if you participate in any online forums then you should be aware that these can be traversed by the harvesting programs too.
USENET newsgroup harvesting. Similar to Web harvesting only that the harvester program trawls through the many thousands of discussion groups, again, looking for anything that resembles an email address to report back.
Email lists. If your email address has ever received even just a single piece of spam through it then it's possible that your email address will be passed on as one in a list of many. These lists of confirmed and unconfirmed email addresses are often used and sold on by spammers.
Now I don't mean how to beat them physically (I'm sure you could figure that out for yourself!), but the best way to beat spam is to protect your email address and never let spammers get hold of it in the first instance. Even if your email address does manage to make it's way into a spammers address book then all is not lost and that email address may still be useful. As in most cases, prevention is definitely better than the cure in terms of effectiveness!
Malicious email attachments are often talked about in the mainstream media. Much attention is drawn to email borne viruses and the like that can take over your computer and destroy your data. We're often warned about opening attachments from people we don't know or for things we haven't requested. What you don't get to hear about as much is the fact that by merely opening an email or, very often, the act of previewing a malicious email is all it takes for a damaging effect.
A popular trick used by spammers (but not just by spammers) is to embed a small, invisible graphic into a HTML email i.e. an email that contains the same markup language used by webpages. These tiny graphics (web bug or web beacon) can't be seen by the eye, but by using particular email client applications to open or preview the emails in fully rendered HTML you can cause something to register back at the spammers server, confirming yet another live email address.
Don't publish your email address on your website in plain text! I know that this sounds counterproductive. After all, people visiting your website might well want to contact you. You might want people to be able to contact you directly by email.
There are a number techniques you can use in order to allow people (rather than harvesting scripts) to contact you by email.
Embed this piece of JavaScript into your HTML page. Change the text as necessary.
Whilst this is one of the simplest forms of protection you can employ you must remain aware that not all web browsers will be able to interpret it because it is JavaScript. Also, as spammers develop more advanced harvesting programs and as this method is text based I wouldn't be surprised if it becomes obsolete sooner rather than later.
This is another method of encoding that renders you email address intact onscreen, but when read by harvesters is gibberish. Download the Character Entity Hyperlink Encoder Windows application from the download area to encode your own hyperlinks.
A graphical representation of your email address allows your visitors to email you as well as foil those pesky harvesting programs! Ensure that you don't make the graphic a clickable mailto link. Those of you really paranoid may want to ensure that the text in the graphic can't be read by Optical Character Recognition (OCR)! This forces your visitor to type your email address, but that in itself is no great hardship.
If you've the means and the ability to create such a thing then this can provide your visitors with a visible email address that remains clickable.
Instead of showing your email address as yourname@yourdomain.com try a variation e.g. yourname AT yourdomain DOT com.
A contact form allows a visitor to your website to send you an email directly from one of your webpages. This means no extra typing for the visitor, which in turn means it's not possible for them to type your email address incorrectly. If the script that you use to process the form can handle errors correctly then it can present your email address using an alternative method should it fail when trying to process the form. In order to make use of a contact form you'll need to be able to run certain types of scripts on your web server. Contact your host to see if this is possible if you're not sure.
One of the methods used by spammers to confirm live addresses is to include a link to an unsubscribe facility, perhaps on their website. DO NOT USE THIS! It's almost certain that it's existence is simply to confirm that an email address is actually in use and is a worthwhile target for more spam.
If you have a main email address, perhaps one that is associated with your ISP account, then this is probably the one that you'll want to protect the most as it's probably going to be the hardest one to abandon should it become unusable. If you have to supply your email address to someone you don't fully trust to keep it secure then you should consider signing up for a free webmail account. There are plenty to choose from and you don't have to go for the major brands. By avoiding the big players you will effectively be moving out of the firing line of some spammers as they'll tend to aim their dictionary attacks at the email providers with the most subscribers.
Try searching Google™ for a free webmail or email service. The likes of Yahoo! ™ Mail offer some limited form of spam protection as well as other useful features. The fact that they're web based means that you can identify spam email without having to download it to your computer first.
Many of the free email providers maintain member directories. Make sure you decline the option of being a listed member otherwise you will be sabotaging your own efforts! These options are often provided during registration so keep your eyes open for them.
With certain Internet domain name registrars, you have the ability to set up email redirection with domains you register through them. For example, if you register yourdomain.co.uk and then set up two email forwarders; one for personal and one for work purposes. Let's say these are personal@yourdomain.co.uk and work@yourdomain.co.uk. You can configure the forwarding such that any emails being sent to these email addresses automatically get forwarded onto other email addresses without the sender of the email knowing where their email is actually going to.
personal@yourdomain.co.uk -> your main ISP email account
work@yourdomain.co.uk -> your office email account
The likes of 123-reg offer domain names at very reasonable prices and without the catches you get with some other registrars. Best of all, they allow you to forward email to 100 different addresses so if you find that one particular email address gets a lot of spam then you can simply stop using it, turn the redirection off and create a new forwarding address!
There are applications made specifically for the job of filtering spam email. These vary in terms of functionality so you should always ensure that they can perform the basic functions such as displaying an email as plain text. This means that any embedded tracking graphics aren't rendered on your screen so the sender has no way of knowing whether or not you've actually opened the message.
Whether or not you can rescue an email address from drowning in irrelevant email depends on the spammers and the methods they use. Some will just keep on spamming regardless. Others will remove your address from their target lists if they detect that it doesn't exist. This helps them to maintain the quality of their lists.
The best thing you can do to reduce the amount of spam you receive into any particular email address is to avoid previewing and opening suspect emails by using a filtering application on your computer. Simply ignoring emails isn't always enough because unless they receive an error message, spammers may just assume that any email they sent must have reached a recipient. The more advanced email filtering software will provide you with the ability to bounce emails identified as spam. This is effectively mimicking an email sent by your email provider to the spammer to inform them that the email account they've tried to send email to doesn't exist.
There's a Windows email filtering application that I use and recommend. It's called MailWasher Pro. Sitting quietly in your taskbar tray, it checks your email accounts for email at regular intervals. Any email found is then partially (or fully) downloaded and analysed using sophisticated threat detection algorithms. MailWasher Pro also allows you to read a plain text version of any email sent to you. Viewing emails loaded with tracking images in this way is safe to do. Emails that have been analysed will be marked according to how they are scored. Spam can be automatically marked for deletion and a bounce email can be returned to the sender to mimic a non-existent account (use this feature with caution as the return email address may well be spoofed and not actually belong to the spammer at all).
There's also a companion application to MailWasher Pro called Benign. It does the job of sitting in-between the Internet and your email application, acting like a doorman by stripping out any dangerous or malicious code (e.g. viruses, worms, scripts, web bugs) before it reaches your inbox.
An alternative method to the rule-based filtering that MailWasher Pro offers is Bayesian filtering. This method works as a proxy so your email client collects email through it rather than connecting directly to the email server. Email filtering is performed using statistical analysis on the email that you've received before. In order for this to work you must maintain two distinct pools of emails; one for spam emails and another for non-spam emails. Basically, the Bayesian filters learn by analysing the wording used in the emails that you receive. Because of this, these filters are very effective on an individual basis because they work on the spam you get rather than what other people get.
The Bayesian filter application I favour is SpamWeed, mainly because it works with almost any POP email client, even includes set up instructions for my chosen email editor, The Bat!, and because it comes pretrained meaning it's ready to use out-of-the-box. A fully trained system takes time to build. For some people, this will be a faster process than for others, but users have shown this method to be over 99% accurate so it's well worth the effort. The training process itself is easy to do. If you spot a misclassification of a particular email then you just move it across to the correct pool. SpamWeed learns from this and takes it into account immediately.
On a similar note, if you don't have any anti-virus software running then you should take a look at the free version of AVG Anti-Virus Free Edition.
You might wonder why people would go to all this trouble in order to send out a few junk emails that are usually trashed as soon as they're recognised as being spam. Out of the many emails that they send out, although the vast majority will be deleted, a small percentage are successful in creating direct sales. Even if they don't succeed in getting you to part with any money if they've been able to confirm that your email address is live then that's worth something to someone e.g. another spammer who is willing to purchase a list of live email addresses.
Because the means by which spammers work have become relatively cheap, having only a small percentage of success makes it all worthwhile. So until every email user learns to deal with spam appropriately then the spammers will continue spamming.