Feature
Weapon of Mass Disruption
By Cindy Chick
Information Resources Manager
Knowledge Systems, Latham & Watkins
As I walk my German shepherd through our neighborhood,
it seems that people can't resist commenting "Are you
walking him? Or is he walking you?" I'm always tempted
to point out that first, he is a she, and secondly,
I'm not the one with the collar around my neck, but
instead I just smile and nod, confident in the fact
that I am, in fact, the one in charge, regardless of
appearances.
E-mail is a bit like a large German shepherd. It
will take over your life if you let it. The trick is
to handle it calmly, consistently, and with a great
deal of patience. Mind you, there's no way to automate
effective training of a German shepherd. But luckily
there are tools out there to help you manage your e-mail.
That's a good thing. These days almost anyone with
a computer has an e-mail address. Some people buy a
computer simply to get e-mail access. At work, e-mail
has become a ubiquitous and essential mode of communication.
And so the skills to manage e-mail effectively have
become more and more critical.
But before we can discuss the bright side of e-mail,
we must face the dark side, the biggest threat to e-mail
as we know it: spam.
There are certain equalizers in life, things that
affect rich and not-so-rich, tall and short, weak and
strong, young and old. Spam may be one of them. Even
Bill Gates gets spam, and has had enough. (See "Even
Gates Gets Spam," PC World, June 23, 2003, http://www.pcworld.com/news/article/0,aid,111318,00.asp.)
And though you and your neighbor may not agree on
the war in Iraq, Americans stand united in their hatred
of spam. According to a recent poll, 79 percent now
favor making mass-spamming illegal and only 10 percent
oppose doing so. (The Harris Poll, #38, July 16, 2003,
http://www.harrisinteractive.com/harris_poll/index.asp.)
Spam may be the biggest threat to e-mail as we know
it, but drowning in the stuff is not as inevitable
as death and taxes. You can fight back. Because it
is such a universal problem, there are many people
trying to solve it, from congresspersons pondering
legislative methods to software programmers creating
spam filters. Until things get better, however, you
should do what you can to prevent spam and fight back
with one of the many anti-spam products in the marketplace.
Lessons Learned
I consider myself well qualified to discuss spam
because I am a case study in how to get on every spammer's
e-mail list from here to China. I had an Internet e-mail
account almost from the time the Internet first became
available commercially. I started creating Web pages
when Lynx was the only Web browser and Mosaic just
a twinkle in Marc Andreessen's eye. In those
days, posting your e-mail address on a Web site or
participating in newsgroups and mailing lists seemed
harmless enough. And I did both.
Then I started publishing on the Web, obtaining additional
e-mail addresses specific to that Web site and posting those e-mail
addresses on the Web. Little did I know that I was
setting myself up for the deluge of spam that followed,
which worsened over the years, and, at its peak, totaled
hundreds of spam e-mail messages daily.
Obviously, I'm not the only one. In a recent editorial
in Presentations magazine, Tad Simons listed
several "laws of the technological universe." Last,
but not least on his list: "Spam's Curse: The amount
of spam in your inbox is inversely proportional to
your desire to marry someone from Russia, use Viagra,
lend money to the heir of a Nigerian fortune, earn
$1 million in real estate, or correspond with anyone
named Desiree or Stormy." He tactfully left out "and
increase the size of a part of your anatomy that you
may or may not possess." And I don't know about you,
but I don't have a septic tank.
In my life on the Net, I've seen them all. I'll never
forget the first time a former Nigerian official politely
requested my help, in exchange for a percentage of
the funds, to transfer money to the U.S. (For more
information on the Nigerian spam craze, see the FTC
site at http://www.ftc.gov/bcp/conline/pubs/alerts/nigeralrt.htm.)
An Ounce of Prevention
So let's talk prevention. It's arguably impossible
to completely avoid spam. But at least learn from my
mistakes. Don't post your e-mail address to a Web page,
either in the text, e.g., george@hotmail.com, or in
an html mailto tag. If you must include an e-mail address
on a Web page, spell it out, e.g., george at hotmail
dot-com, or put the address in an image where it can't
be harvested. There are other ways to hide e-mail addresses
on the Web. For more information see SpamBot Beware
at http://www.turnstep.com/spambot/html.html#mail2,
or NetMechanic Design Tip: Hide from Email Spiders
at http://www.netmechanic.com/news/vol4/design_no21.htm.
If you post to listservs and/or newsgroups, consider
obtaining a free e-mail account on Yahoo!, Hotmail,
Spam Motel, etc., to use just for this purpose. You
can easily shut down the account and move on should
the spam get out of control. Do the same if you frequent
chat rooms, another spammer's dream. For more information
on spam prevention, visit the FTC article "You've Got
Spam: How to 'Can' Unwanted Email" at http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm.
It's difficult to know how much spam is generated
from shopping on the Web, another activity that I took
to early on. But honestly, I suspect that only a fraction
of my spam is a result of shopping. I carefully check
the box asking NOT to receive notice of future sales,
specials, etc., unless I think that, in fact, this
information might be useful to me. (I DO like to be
notified of new versions of software that I've purchased,
for example.) And I believe that generally my preferences
are honored most of the time. A recent study by the
Center for Democracy and Education bears this out. "Most
of the major Web sites to which we provided e-mail
addresses respected the privacy choices we made when
a choice was made available to us" [http://www.cdt.org/speech/spam/030319spamreport.shtml].
Still, to be on the safe side, you may want to only
provide a temporary e-mail address as referenced above.
Should you attempt to unsubscribe from spam? Here's
my rule of thumb on that eternal question. If you want
to discontinue an opt-in e-mail, that is, an e-mail
that you asked to receive and so technically isn't
really spam, unsubscribing will probably succeed. I've
easily unsubscribed from opt-in e-mails resulting from
software I've purchased, mailing lists I've joined,
updates I've requested, etc., all by simply following
the instructions to do so.
However, if you're receiving run-of-the-mill, unsolicited
spam from senders you are certain you never would have
contacted or requested anything from in a million
years, regardless of their claims that you asked to
receive their e-mails, you must use a different strategy. Do
not succumb to their offer to remove you from their
list. You will only confirm the validity of your
e-mail address to the spammers. And the results won't
be pretty. It goes without saying that you should never,
never, never buy anything from a spammer.
If you do everything right, you still may receive
spam. That's because some spammers send to randomly
created e-mail addresses on the assumption that a certain
percentage will likely prove valid. According to Consumer
Reports ("E-Mail Spam: How to Stop It from Stalking
You," August 2003, p. 12+), a longer, harder-to-guess
e-mail address will reduce the amount of spam that
you receive. But of course it will also be longer and
harder to remember.
To Report Or Not to Report
Many people recommend reporting unsolicited spam
to the sender's e-mail provider. To do so, forward
the offending e-mail to the postmaster or abuse addresses
at the domain from which the message appears to have
come (for example, postmaster@hotmail.com or abuse@hotmail.com).
To determine the appropriate abuse address for a domain,
you can use a lookup available at abuse.net http://abuse.net/lookup.phtml.
Another option is to forward spam to the FTC at uce@ftc.gov.
Just keep in mind that reporting spam isn't as straightforward
as one would hope. Most unwanted e-mails use fake "from" addresses.
So if you report the spam to the ISP listed on the "from" field,
you may not be reporting to the originating domain.
In my mind, the ultimate spam indignity is receiving
spam and viruses with my own e-mail address in the "from" field.
It happens to me all the time, another example of e-mail
addresses being harvested and used for nefarious purposes.
You can try to decipher the e-mail header to determine
the actual originating domain (see Genie Tyburski's "Instruct
on the Basics of Determining the Origin of Email," The
Virtual Chase, 9 Oct. 2001, at http://www.virtualchase.com/researchskills/quality_emailheader.html),
but most of us will lose patience at this point.
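The header reading described above can be automated. The following is an added example, not part of the original article: it believes only the Received lines stamped by the recipient's own mail servers and reports the outside machine that handed the message over, whatever the "from" field claims. The sample message, the host names, and the function name trace_origin are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not real traffic: example domains and documentation-range
# IP addresses. Headers are listed newest first, as a mail client shows them.
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.net with ESMTP id A1; Mon, 1 Sep 2003 10:00:02 -0700
Received: from example.org (unknown [203.0.113.77])
    by mx.example.net with SMTP id B2; Mon, 1 Sep 2003 10:00:01 -0700
Received: from mail.example.org ([198.51.100.5])
    by example.org with SMTP; Mon, 1 Sep 2003 09:59:00 -0700
From: "Desiree" <desiree@example.org>
To: reader@example.net
Subject: Hello

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def trace_origin(raw, trusted_hosts):
    """Return what the headers can actually prove about where a message came from.

    trusted_hosts: names of the receiving side's own mail servers (an assumption
    the caller supplies). Only Received lines stamped by those servers are
    believed; everything below them was supplied by the sender and can be forged.
    """
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    handoff, believed = None, 0
    for header in received:                      # newest hop first
        text = " ".join(header.split())          # unfold continuation lines
        by = BY_RE.search(text)
        if not by or by.group(1).lower() not in trusted_hosts:
            break                                # first line we cannot vouch for
        believed += 1
        peer = FROM_RE.search(text)
        if peer:
            handoff = {"helo": peer.group(1), "ip": peer.group(2),
                       "recorded_by": by.group(1)}
    return {
        "claimed_domain": claimed,
        "origin_ip": handoff["ip"] if handoff else None,
        "origin_helo": handoff["helo"] if handoff else None,
        "recorded_by": handoff["recorded_by"] if handoff else None,
        "ignored_headers": len(received) - believed,
    }


if __name__ == "__main__":
    report = trace_origin(RAW, {"mail.example.net", "mx.example.net"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The address to report is the one recorded by your own server (origin_ip), since the name the sender announced and the "from" domain are both under the sender's control.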
If you get one or two spam e-mails a week, reporting
spam may be do-able, but if you receive large quantities
of spam, it just means spending still more time handling
the darn stuff, thereby increasing the burden that
spam places on your time. But if reporting spam makes
you feel better, there are tools out there to make
it easier. For example, Spamcop offers a free reporting
service at http://spamcop.net/anonsignup.shtml. You
can even use SpamDeputy to submit a report to the Spamcop
reporting service directly from Outlook [http://www.spamdeputy.com/].
If you're receiving spam on your employer's e-mail
address, report it to your IT department so that they
can filter out e-mails from that sender in the future.
Join the Battle
Perhaps for you, as for me, the ship has sailed on
spam prevention. Your address has appeared on Web sites,
you've participated in newsgroups and chat rooms, and
you've generally spread your e-mail address far and
wide. "What now?" you might ask.
Perhaps the simplest and most obvious method is to
simply start from scratch, that is, obtain a new e-mail
address and discontinue the old one. You may not even
need to close your account to do so. (Check with your
Internet service provider.) Then follow the instructions
above. The painfulness of this solution depends on
how many people already have your e-mail address and
how inconvenient it would prove to lose e-mail contact
with those people for even a short time.
If you're like me, and you'd like to hold on to your
e-mail address for time in perpetuity, you will need
some outside help fighting spam. But there's one thing
you have to understand going in. No spam fighter is
perfect. Depending upon the filter configuration, almost
all will, at some point, kill a legitimate e-mail message.
It's a trade-off. Most tools can be configured to be
very conservative about what is considered spam. But
the more conservative you are, the more spam that will
continue to invade your inbox. If you don't have the
stomach for it, and feel that even one legitimate e-mail
lost is one too many, you may want to forgo these tools.
Your ISP may constitute your first line of defense
against spam. Make sure to check to see if your ISP has
anti-spam software on its servers that can be turned
on for your e-mail address. For example, Earthlink
offers the SpamBlocker to its users. This is an optional
tool and you must visit the Earthlink Web site to turn
it on and configure it for your account, which I did
shortly after it became available
[http://www.earthlink.net/home/tools/epa/spaminator/].
Many other ISPs have similar services available at
no additional charge.
Other tools integrate into your e-mail client, such
as PC World's Best Buy, IHateSpam. It installs a toolbar
in Outlook that offers several options. You can flag
spam that the program missed, send a complaint to a
spammer's ISP, maintain your own blacklist of spammers,
in addition to a "whitelist" of friends that you don't
want blocked. (See PC World, "Natural-Born Spam
Killers," May 2003, p. 113 [http://www.pcworld.com/reviews/article/0,aid,109698,00.asp] for more reviews of spam software.)
PC Magazine rates another integrated tool,
Qurb, as a Best Buy in its Spam Product Guide, http://www.pcmag.com/category2/0,4148,4795,00.asp.
Qurb uses a very different method of filtering e-mail
than IHateSpam. After you install Qurb, it populates
a list of legitimate e-mail addresses by looking at
your contacts list and your saved e-mail messages.
It continually and automatically updates the list and
allows you to manually update it as well. It doesn't
delete messages not in your "whitelist", but instead
puts them in a folder for messages from unexpected
sources, which you will want to review on a regular
basis. You can also opt to have Qurb require confirmation
messages, which are e-mail messages sent to unidentified
senders. The sender must respond for the message to
get through to you.
This kind of technology is the latest development
in spam-fighting: e-mail with sender verification.
(See PC World article, "Email Evolves New
Spam Slammers," http://www.pcworld.com/news/article/0,aid,110921,pg,3,00.asp.)
Mailblocks [http://www.mailblocks.com], a Web-based
service, also uses this method. Here's how it works.
- You provide a list of approved e-mail addresses corresponding to those people you actually WANT to hear from.
- If an e-mail arrives from any of the approved e-mail addresses, the e-mail is delivered to you.
- If an e-mail arrives from an e-mail address NOT approved, an automated process begins wherein a challenge e-mail goes to the sender, requiring some kind of direct response.
- The sender responds and the e-mail then goes to you.
- If the message is spam, the sender will not respond and the e-mail will stay blocked.
As with all spam-blocking systems, there are some
downsides. You have to take special steps to ensure
that automated mail, such as mailing list e-mails and
order receipts, etc., can be delivered. The sender
has to take the time to respond, likely delaying the
delivery of the e-mail. And, of course, a legitimate
sender may choose not to take the time to respond.
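The sender-verification flow and its downsides, as an added example that is not part of the original article and is not Mailblocks' or Qurb's code. The class name, method names, hold period, and all addresses are hypothetical and constructed for illustration.

```python
import secrets
import time


class ChallengeResponseFilter:
    """Hold mail from unapproved senders until they answer a challenge."""

    def __init__(self, approved, hold_seconds=7 * 24 * 3600):
        self.approved = {a.lower() for a in approved}
        self.hold_seconds = hold_seconds    # assumed hold period: one week
        self.pending = {}      # sender -> {"token", "held", "since"}
        self.inbox = []        # (sender, message) pairs delivered to the user
        self.challenges = []   # (sender, token) pairs to be e-mailed out

    def receive(self, sender, message, now=None):
        now = time.time() if now is None else now
        sender = sender.lower()
        if sender in self.approved:
            self.inbox.append((sender, message))
            return "delivered"
        entry = self.pending.get(sender)
        if entry is None:
            # One challenge per sender, however many messages are waiting.
            entry = {"token": secrets.token_urlsafe(16), "held": [], "since": now}
            self.pending[sender] = entry
            self.challenges.append((sender, entry["token"]))
        entry["held"].append(message)
        return "held"

    def respond(self, sender, token):
        """Sender answered: release held mail and approve future mail."""
        sender = sender.lower()
        entry = self.pending.get(sender)
        if entry is None or not secrets.compare_digest(entry["token"], token):
            return 0
        del self.pending[sender]
        self.approved.add(sender)
        self.inbox.extend((sender, m) for m in entry["held"])
        return len(entry["held"])

    def expire(self, now=None):
        """Drop mail whose sender never answered within the hold period."""
        now = time.time() if now is None else now
        stale = [s for s, e in self.pending.items()
                 if now - e["since"] > self.hold_seconds]
        return sum(len(self.pending.pop(s)["held"]) for s in stale)


def demo():
    # Constructed senders and messages. The receipt address is pre-approved
    # because an automated sender will never answer a challenge.
    f = ChallengeResponseFilter({"friend@example.com", "orders@shop.example"})
    results = [
        f.receive("friend@example.com", "lunch?", now=0),
        f.receive("orders@shop.example", "your receipt", now=0),
        f.receive("colleague@example.org", "new address", now=0),
        f.receive("bulk@spam.example", "act now", now=0),
        f.receive("list@lists.example", "digest #1", now=0),  # not pre-approved
    ]
    token = dict(f.challenges)["colleague@example.org"]
    released = f.respond("colleague@example.org", token)
    dropped = f.expire(now=8 * 24 * 3600)   # spam and the mailing list both lapse
    return results, released, dropped, [m for _, m in f.inbox]


if __name__ == "__main__":
    print(demo())
```

The mailing-list digest is dropped along with the spam because nobody answered its challenge, which is the automated-mail downside in practice.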
Gonna Wash that Spam Right Out of My Hair
So what do I use? I've been using Mailwasher from
Firetrust for some time now and have been relatively
satisfied with its slightly different approach to spam.
Mailwasher is a stand-alone program that does not integrate
into Outlook or any other e-mail client. (Warning:
I once tried a utility that attempts to integrate Mailwasher
into Outlook, but the problems outweighed the benefits.)
Here's the routine. I open Mailwasher and also open
Outlook. Mailwasher is set to automatically check my
account for e-mail, a feature which I have turned off
for Outlook. Mailwasher flags suspected spam and possible
viruses, checks my blacklist, and filters to flag additional
spam for deletion. If I spot an unmarked spam, I can
quickly and easily add the sender to my blacklist.
I can read the message in the Mailwasher window if
I so choose.
Here's the fun part. Once all this is done, I click "process." The
spam is deleted and bounced back to the sender,
indicating that there is no such e-mail address. The
idea behind the bounced message is that the sender
may then consider my e-mail address as no longer valid
and remove it from their list. Does this happen? Hard
to say. Most of the time I don't think so. But I find
it satisfying all the same. And if nothing else, the
spam never makes it into my inbox. Once the mail is
processed, I go into Outlook and click send/receive
to collect the remaining e-mail.
This may sound like a long complicated process, but
the whole thing is really quite easy once you get the
hang of it; it typically takes me less than a minute
and saves me quite a bit of time overall. The downside?
When I was collecting e-mail from several different
e-mail accounts all with their own spam and had to
review over 100 e-mails in one sitting, it was easy
to tag something to be bounced/deleted that was actually
legitimate e-mail. In that case, I'd usually get a
call from someone wondering if my e-mail address had
changed. Now that I review fewer e-mails per sitting,
this doesn't happen nearly as often. (For information
on the free or "Pro" version of Mailwasher, see http://www.mailwasher.net/.)
The Future of Spam
New tools for fighting spam are cropping up all the
time, so keep your eyes and ears open for even better
solutions in the future. After all, there is a lot
of money to be made in fighting spam.
And though spam is undoubtedly out of control, there
is hope. Ryan Hamlin, general manager of Microsoft's
antispam technology and strategy group, believes spam
can be contained within 2 years, given the combined
efforts of legislators, large ISPs including AOL and
Earthlink, and software companies such as Microsoft
[http://www.pcworld.com/news/article/0,aid,110936,00.asp].
Let's hope he's right. However, he does admit that
the situation will likely get worse before it gets
better. So my suggestion is to decide the right strategy
for you, hunker down, and fight back!
Spam Prevention in a Nutshell
- Don't post your e-mail address to a Web site.
- Use a temporary, disposable e-mail address in chat rooms, for listserv subscriptions, when shopping, etc.
- Unsubscribe from bulk e-mail only if you know that the e-mail is the "opt-in" variety.
- Never purchase from a spammer or respond in any way to obvious spam.
- Shop only on Web sites with stated privacy policies, and make sure to "opt-out" of future e-mail distributions from that Web site.
- Check with your ISP to see if it has a spam filter that can be turned on for your account.
- When choosing your e-mail address, make it long and difficult to guess.
- Purchase a spam-filtering product.
Spam Motel
Spam Motel, a new source for "disposable" e-mail
addresses [http://www.spammotel.com], offers an interesting
twist on spam prevention. First, you set up an account.
Then the next time you need to provide an e-mail address,
let's say to register to use a Web site, it will create
a random @spammotel.com e-mail address that you use
instead of your "real" e-mail address. When you request
the address, you can also type in reminder notes, e.g.,
to whom you gave the address and why. Any e-mail sent
to that address in the future is forwarded on to you.
If, at any time, you want to discontinue receiving
any e-mails sent to that specific address, you can
do so.
Don't Get Conned
The first time I received the classic Nigerian e-mail
spam, I wondered whether there were really people out
there who would fall for what seemed like such an obvious
scam. Apparently there were. Many, in fact. However,
many other spam scams make their way around the Internet
that could easily trap even the more cynical amongst
us.
The newest version typically arrives in the form
of an e-mail which states that you need to update your
credit card number, password, mother's maiden name
or Social Security number on such mainstream sites
as eBay, AOL, or Paypal, among others. Upon clicking
on a link, you are directed to a site that looks just
like the real eBay, AOL, or Paypal site, but, in fact,
is an unauthorized copy designed to lure you into providing
your personal credit information to people who no doubt
shouldn't have it.
Ironically, I recently received an e-mail from eBay
saying that my credit card information wasn't accurate,
and I discarded it, assuming it was a scam. After some
second thoughts, I decided to double-check. I went
to eBay, looked under "My Account," and found that
in fact, I DID need to correct my credit card info.
So go figure. All I can say is, "Be careful out there."
For more information on e-mail scams, see Steve Bass'
article, "Home Office: Caution! It's an E-Mail Impersonator," Feb.
12, 2003, http://www.pcworld.com/howto/article/0,aid,108949,00.asp,
and "Caution! Even More E-Mail Impersonators!," Feb.
19, 2003, http://www.pcworld.com/howto/article/0,aid,108957,00.asp,
which includes tips for protecting yourself from such
scams.
Anti-Spammers
There's a new breed of vigilante out there who some
might consider to be the heroes of the cyber-world.
Spam vigilantes. Anti-spammers.
The New Zealand Herald (August 22, 2003) reported
that one such intrepid soul located a prolific spammer
by taunting him repeatedly until he responded from
his home e-mail address. Peter Bennett, a 43-year-old
director of a small IT company, then distributed the
spammer's identity and whereabouts to the anti-spam
community, resulting in a barrage of phone calls and
e-mail.
There are worse things than having your contact information
distributed to hostile parties. One unnamed systems
administrator tracked down a spammer, hacked into the
spammer's computer, downloaded the information on the
computer complete with nude pictures of her, and posted
it all to the Internet.
There are plenty of hackers putting their skills
to good use harassing spammers in a variety of imaginative
ways. For example, one day all 24 of the office phones
at Scott Richter's e-mail marketing company started
ringing at once, the result of an anti-spam attack
on the phone system. Some use simpler methods, tracing
spam e-mails back to their source and spamming back,
thousands of messages at a time (The Times Union,
Albany, New York, May 26, 2003).
Even some members of Congress would like to encourage
those who track down spammers. U.S. Rep. Zoe Lofgren
includes in her bill, the Reduce Spam Act of 2003,
a bounty as an incentive for reporting spam violators
[http://www.house.gov/lofgren/congress/antispam.htm].
But if you're tempted to take on the spammers yourself,
think again. Amateur "anti-spammers" can easily get
in over their heads. Responding to spam and/or giving
the spammers a piece of your mind can result in a flood
of additional spam. So please ... don't try this at
home. Leave it to Robin Hood.
Further Reading
Links
FTC's Spam Email Harvesting Your Email Address
http://www.ftc.gov/bcp/conline/edcams/spam/coninfo.htm
Silicon.com's Spam Report Channel
http://www.silicon.com/category/165/10.html
Paul Ruschmann's Anti-Spam Laws page
http://www.paulruschmann.com/research/spam.htm
Spamotomy
http://spamotomy.com
Spam Facts
"How Much Spam Do We Get?"
http://www.silicon.com/news/165-500001/1/4618.html
"Study Puts a Price on Spam: Spam costs $874 per employee per year, Nucleus Research says," PC World, July 2, 2003,
http://www.pcworld.com/news/article/0,aid,111433,00.asp
Can Spam Be Banned?
"Legislative Attempts to Control Spam"
http://www.silicon.com/news/165/1/4648.html
"Uncle Sam vs. Spam," PC World, August 2003
http://www.pcworld.com/reviews/article/0,aid,111112,00.asp
Spam and the Law, PC Magazine, Feb. 25, 2003
http://www.pcmag.com/article2/0,4149,849442,00.asp