March 19, 2003 1:52 PM PST
Study suggests spam-stopping tricks
In a new study of spamming tactics, "Why Am I Getting All This Spam?", the policy group Center for Democracy and Technology found the most successful methods of avoiding unwanted messages involved obscuring e-mail addresses or hiding them altogether.
"Obscuring your address had a very significant impact," CDT policy analyst Rob Courtney said.
For the past six months, the group baited spammers by posting a variety of e-mail addresses in different Web locations to glean some insight into where bulk e-mailers get their targets. At the same time, the center also experimented with some antispam techniques that consumers could easily adopt, including translating e-mail addresses into plain English and opting out of receiving future mailings from dot-com companies.
After receiving more than 10,000 messages to 260 e-mail addresses it created, CDT came to this hopeful conclusion: Some simple consumer tactics might actually help ward off spam.
Perhaps the most surprising finding of the study was that when people used what the study called "human-readable" addresses when posting their e-mail address to a message board or similar venue--say, "bob smith at domain name dot com" in lieu of "email@example.com"--they received no spam.
What's more, most companies in the study actually heeded people's requests, made when signing up for new Web services, that they not be contacted as part of promotional campaigns and the like. The study did not address whether to reply to opt-out notices in spam, traditionally considered a ploy used by spammers to identify working e-mail addresses.
The most surefire way to attract hordes of spam is to post your address on a public site, the study found. But surprisingly, posting addresses in locations including the Whois database, which contains contact information for domain name registrants, attracted little spam. The study also found that even addresses posted on a public site have a relatively short shelf life. Once such addresses were taken down, spam decreased dramatically.
The study comes as spam is rapidly evolving into the No. 1 nuisance among Web users, a trend that some fear will make e-mail virtually obsolete in the near future. According to a December 2002 study by the Gartner Group, as much as 50 percent of all messages in a given corporate in-box are unwanted e-mail--a rate that's sure to grow.
Although the center doesn't recommend getting a fake ID or dying your hair, CDT did say there are some ways people can hide from spammers, including:
Disguising e-mail posted to a public place. The group found that e-mail addresses placed at the bottom of a public Web page received the most spam, accounting for a full 97 percent of unwanted mail received during the study. Meanwhile, disguising the address--either by writing it out in plain English or replacing it with an HTML numeric equivalent--virtually eradicated spam. CDT also suggests people ask their employers not to post their Web addresses in public directories.
Exercise choice when filling out online forms. Surprisingly, Web site operators tend to keep their word when people ask them not to contact them. CDT urged people to pay special attention to check boxes that ask for the right to share their e-mail address. In the study, CDT found that companies honor requests by people who don't want to be contacted. Those who go back later to ask the site not to contact them don't have as much luck.
Use multiple e-mail addresses. CDT suggests that people visiting an unfamiliar Web site use disposable e-mail addresses. Companies such as Mailshell.com offer free services that consolidate multiple e-mail addresses in a single location and let people turn them on or off at will.
Use a filter. Although CDT acknowledged that spam filters aren't perfect, it did say they help.
Don't use a short e-mail address. CDT found that addresses such as bob@ or toms@ will receive more spam than longer, less common, or more complex e-mail addresses. Spam experts say one of the most popular tactics used by spammers is the random e-mail address generator. During the course of the study, CDT was itself struck by a spammer using a brute-force attack. In such an attack, a bulk e-mailer floods a particular domain name by using a program that generates millions of possible Web addresses, such as firstname.lastname@example.org, email@example.com, and so on.
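The address-disguising tip above, as an added example that is not part of the original article or the CDT study: it writes one address in the plain-English form and as HTML numeric character references, then checks which forms a simple pattern match still finds in the page source. The pattern, the function names and the placeholder address bob.smith@example.com are assumptions made for illustration.

```python
import html
import re

# Simple address pattern of the kind a page scanner might use (assumed for illustration).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def to_numeric_entities(address: str) -> str:
    """Replace every character with its HTML decimal character reference."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def to_human_readable(address: str) -> str:
    """Spell the address out in words, e.g. 'bob.smith at example dot com'."""
    local, _, domain = address.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return f"{local} at {domain.replace('.', ' dot ')}"


def exposed_addresses(page_source: str, decode_entities: bool = False) -> list:
    """Return the addresses a pattern match finds in the page source.

    With decode_entities=True the source is entity-decoded first, as a browser
    does before display, which shows the limit of the numeric form: it only
    hides the address from a scanner that reads the raw markup.
    """
    text = html.unescape(page_source) if decode_entities else page_source
    return sorted(set(ADDRESS_RE.findall(text)))


# Constructed sample page fragments; the address is a placeholder.
ADDRESS = "bob.smith@example.com"
PLAIN_PAGE = f"<p>Contact: {ADDRESS}</p>"
ENTITY_PAGE = f"<p>Contact: {to_numeric_entities(ADDRESS)}</p>"
WORDS_PAGE = f"<p>Contact: {to_human_readable(ADDRESS)}</p>"

if __name__ == "__main__":
    for name, page in [("plain", PLAIN_PAGE), ("entities", ENTITY_PAGE), ("words", WORDS_PAGE)]:
        raw = exposed_addresses(page)
        decoded = exposed_addresses(page, decode_entities=True)
        print(f"{name:9} raw={raw} decoded={decoded}")
```

The same check can be run over a site's own pages to find addresses that are still published in plain form.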
Although the suggestions do offer consumers some means for controlling bulk e-mail, as most people know by now, today's spam foils are tomorrow's spammer tools.
"Currently there is no foolproof way to prevent spam," the study said. CDT's Courtney acknowledged that "even a user who's really careful can still get spam." He also noted that although Whois and other sources aren't targets of spammers right now, they could be in the future.
Privacy expert Ray Everett-Church, chief privacy officer for Philadelphia-based consultancy the EPrivacy Group, said CDT's suggestions may help stem the flow of spam, but only in certain cases.
"These kinds of approaches work well with responsible entities who are not trying to push messages to people who might not want them," Everett-Church said. "Where you run into problems is the rest of the world."
CDT visited sites including Amazon.com, eBay.com and WebMD.com, companies that for the most part strive to be good corporate citizens. But Everett-Church said many spammers don't care if they annoy people.
"They have absolutely no interest in not bothering you," Everett-Church said. "They don't care about permissions management. They only care about putting out a lot of spam."
What's more, Everett-Church warned, as spammers increasingly turn to software that randomly generates e-mail addresses, obscuring addresses won't matter.
Meanwhile, the battle to fight spam is continuing on several fronts. Technological options for spam blocking include server- and PC-based filters as well as "black hole" lists that block mail from certain IP addresses. Many companies are incorporating spam-blocking features into their consumer service offerings and corporate network management tools. The FTC has vowed to take on spammers, and some companies are turning to the courts, too.
Microsoft is so fed up with spammers that it has actually sued in federal court to learn the identities of some, and it has promised to pursue similar suits. Both AOL and EarthLink have won monetary damages in suits against spammers.
Others have suggested changing the fundamentals of the Internet in order to halt spam.