Spam? No thanks, I'm trying to quit.¹

by Andreas Haberstroh

I have a client with real old school values — when I visit his office he calls me "mister" or "sir," which strikes me as odd since he's 25 years my senior. His old-fashioned manners spill over into every aspect of his life, including his email etiquette. Once I found him attacking a list of new emails in his Inbox, writing curt responses and punching Send. He was responding to a lot spam, unwittingly encouraging the very spammers he was trying to ward off.

When a chunk of spam lands on your plate, the first question to ask is, "How did I get on a spam list to start with? My business card? I gave my card to someone that sold me to a spammer's mailing list!" Paranoid? Good. This scenario is a bit farfetched, but here come scenarios that should inspire real paranoia.

Crawling for dollars (and addresses)

The Internet is based on a huge directory of domain names — the so-called whois database. The entire database can be purchased from database vendors (see http://www.networksolutions.com). Whois contains the official names of all registered domains. Spammers start here to harvest information using a method called "web crawling." Search engines continuously crawl websites — including yours — without you even noticing. The same goes for spammers. But, spammers are looking specifically for email addresses, the better to spam you with. Charity begins at home, and so does combating spam. Your mission, should you choose to accept it, begins at your website.

Still paranoid? Coming back to this article after removing your email address from your website? You acted too hastily! There are more effective ways of foiling the spammers while making it easy for legitimate friends and clients to keep in touch.

The first technique is to capture your email address as a .jpg or .gif image. In your favorite paint program, create an image of your email address using the text tool. Then, include the graphic on your website. The downside to this technique is that a visitor will have to retype the address in his mail client, since the image can't be copied and pasted. A mailto: link from the graphic defeats the purpose of the image: the spam crawler speaks HTML and will harvest the address from the link.

A more sophisticated technique is obfuscation — placing your email address on the page your visitor sees via his browser's javascript engine. Most spambots are not sophisticated enough to process javascript, so they'll crawl right past the address. The following examples employ a simple javascript (available at http://www.ibusy.com/email.js) that you'll need to include on any webpage that needs to obfuscate an email address.

Your current webpage includes harvestable HTML mailto links something like this:

<a href="theduke@johnwayne.com">theduke@johnwayne.com</a<

You will replace all such links with an obfuscated address:
 

<script>javascript:mail_to('theduke','johnwayne.com');</script<

Human visitors see what they expect, a clickable link:

theduke@johnwayne.com

Spambots, seeing nothing to harvest, crawl on.

Guess again, spammer

Another method that spammers use is a name-based method. Knowing that a user will often simply choose her first name for an address — mine is andreas@ibusy.com  — spammers run through a dictionary list of names emailing spam to your domain. For instance, andrea, andreas, andrew, and so on. I've seen this happen when I set up a new domain. Before the domain is even a week old, before I publish names anywhere, suddenly the spam starts flowing in. Email addresses that use name variants that are not in the dictionary can foil a spammer's attempt to guess your email address. Addresses of the form firstname.lastname, or that combine initials and a name such as ahaberstroh or andreasgh are hard for a computer program to guess. Remember, spamming is an automated activity run by computers, so chaos is king.

Sign our guestbook, get free spam!

Spammers also troll for addresses at public websites that publish email addresses. What kind of a website would publish your email address without your permission? How would they find YOUR address? Many listservs maintain web archives for their readers. These archives store copies of the email that the site receives from readers. Lo and behold, your email address is published! Newsgroups also maintain archives that contain email addresses. These places are prime trolling territory.

The sad part is that list members don't realize they can get spammed simply by participating. These lists provide important public forums for all manner of discourse, and fear of spam should not deter you. I suggest creating a throwaway account somewhere, and use that for emailing news groups and listservs. (I use Yahoo!'s free email service for this purpose.)

"She gave me no reply. . ."

A final piece of advice: when you get spammed, do not respond. Do not pass go, do not collect $200. Just say "Delete." If the message invites you to "Click here to remove me from your mail list," don't do it. Many spammers keep track of the accounts they send to, and by clicking on ANY link you may improve your ranking in their database. Why? Clicking on a link proves you opened the email. You're a "live one." If you go so far as replying to spam, even with a terse "leave me alone" (as my client was doing back at the beginning of this article) you increase your value by demonstrating that you actually read spam. It's all a statistical game. That's how my poor well-mannered client ended up getting more and more spam. He was signaling the spammers that he actually read their mail, and therefore, he was a potential buyer.

As a side note, he doesn't do that anymore.

¹[Reproduced with permission. Copyright © iBusy, Inc. 2003]
 

Send questions or comments to:

Copyright © dbkAssociates, Inc. 2002-2008; Modified Thursday, October 16, 2008

You are here =>