E-mail spam: How to stop it

What if I said I know of an approach that would definitely reduce the amount of e-mail spam you receive? No way? Well, read on. Michael Kassner has a method that's simple, it works, and he'd like to share it with you.

We all know the infamous e-mail spam three-step:

  1. A spammer obtains your e-mail address.
  2. The spammer begins to inundate you with e-mail spam.
  3. You receive the e-mail spam and get rid of it.

It's common knowledge that the easiest way for spammers to obtain e-mail addresses is to purchase them from Web sites that require e-mail addresses for some reason or another. A typical example is a Web site that asks for an e-mail address in exchange for the information it advertises. After that, the host is free to use the e-mail address per the fine-print agreement, which all of us typically don't read.

Recently I read about a unique method that eliminates the risk of being spammed after providing an e-mail address to a Web site. Before I get into that though, I'd like to look at what's being currently used.

Somewhat successful anti-spam methods

Spam filtering is the technology of choice to reduce/eliminate (depending on your viewpoint) e-mail spam. The only problem with this approach is that it's after the fact. It's also a never-ending battle to keep either a black list or white list up to date. There are heuristic spam filters, but they're known for erratic results, more often than not capturing an important e-mail that you wanted to get through.

Keeping e-mail addresses a secret is another semi-successful method, but doing so is becoming virtually impossible in today's Internet world. Besides, there's very little difference between keeping an e-mail address secret and not having an e-mail account.

Still, that brings up an interesting point. Why not get several Web-hosted e-mail addresses? They're free. If you start getting too much spam, just close that particular e-mail account.

Sacrificial e-mail accounts seem plausible

Sounds like that might work. Even with all the effort to open the accounts, it's still worth it to eliminate any amount of e-mail spam. At least that's what I thought, but there's a gotcha that I hadn't considered.

Let's use me as an example to explain the gotcha. I started getting all sorts of e-mail spam from one of my sacrificial accounts so I decided to close it. Great, I'll show them. The next day I was surfing and wanted information from some Web sites, which happened to require e-mail addresses in exchange for the information. No problem, I used my new sacrificial e-mail account. All is well in my world.

What I wasn't prepared for was how soon I started getting e-mail spam again. It didn't take long before I came to the conclusion that my sacrificial e-mail addresses definitely weren't the answer. Luckily for me, I came across Kurt Wismer's article "How to Avoid Email Spam" on the anti-virus rant's Web site.

Wismer explained the flaw in my theory about sacrificial e-mail accounts:

"A number of people are already familiar with the idea of a throw-away email address and often use hotmail or some other free webmail provider to make one. Unfortunately that leaves you with no way to know who leaked your address to the spammers. So when you need to change addresses (because the current throw-away address has gotten too spammy) you'll have no way of knowing which organizations to not give the new address to."

I'd go through all the work to change my e-mail address to a new sacrificial one and get caught again.

One-time e-mail addresses

Wismer goes on to explain that there are applications and Web hosts that allow the use of easily disposable e-mail addresses so a different one can be used for each site that's visited:

"This is where true disposable email addresses come in. You need to use a different address for each site you give an address to (whether it's ebay, amazon, or your bank) so you can identify which one leaked the email address simply by looking at which email address got leaked. So that you only have to turn off that one address when it starts getting spammed rather than changing addresses and updating a potentially long list of sites with your new address."

There are several services that will allow the use of disposable e-mail addresses. They are divided into two different categories. The first type is the most familiar:

  • A throwaway e-mail address is selected.
  • Give the address out to Web sites whenever needed.
  • Check the service's home page or RSS feed for any responses.
  • If the return e-mail is spam, just delete the e-mail address.

I know of two services that work this way, mailinator.com and dodgeit.com. I prefer the next type, because the service forwards any return e-mail to my actual e-mail account. The steps used by these services are (courtesy of sneakemail.com):

  • Instead of typing in your real e-mail address, you select your Sneakemail bookmark, which pops up Sneakemail.com in a small window. You log in and click on Create a New Sneakemail Address.
  • Here you find a simple form. You label the Sneakemail address so that you will recognize where that particular e-mail address was used. Click Create, and a new and random e-mail address such as jlsjk02@sneakemail.com is created.
  • Paste jlsjk02@sneakemail.com into the form at the Web site. You never give out your real e-mail address.
  • Now when mail is sent to jlsjk02@sneakemail.com, it goes to a Sneakemail server where it's forwarded to your real e-mail address. The e-mail is mostly unaltered, except the From line reads, From: Web site's e-mail address |label you created| jlsjk02@sneakemail.com.
  • By looking at this line, you can see that it originally came from the Web site that you visited and was sent to the Sneakemail address you specifically labeled in your account.
  • If you begin receiving spam at this particular Web site and you were careful to give this address out only to that Web site, you know exactly where the spammer got this address. Also, you can go to Sneakemail.com and delete the e-mail address, eliminating any further spam.

I've tried two services that use this approach, sneakemail.com and mailnull.com, and had equal success with both. Mailnull.com also has an added feature called Web Contact Form, which is great for Web-site hosts that don't want to advertise an e-mail address to avoid spam e-mail spiders but would like to give visitors the option of contacting them.
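The forwarding flow in the steps above, sketched as an added example; it is not code from Sneakemail, Mailnull or the article. The domains, the `AliasRegistry` class, the `site_domain` parameter and the sample messages are all constructed for illustration.

```python
import secrets
from collections import namedtuple
from email import message_from_string
from email.utils import formataddr, parseaddr

ALIAS_DOMAIN = "alias.example"     # assumption: domain of the forwarding service
REAL_ADDRESS = "me@home.example"   # assumption: private address, never given out

# Constructed sample messages (not real mail).
NEWSLETTER = ("From: Bookshop <news@mail.bookshop.example>\nTo: {to}\n"
              "Subject: Your order\n\nThanks for your order.\n")
SPAM = ("From: Deals <promo@pills.example>\nTo: {to}\n"
        "Subject: Special offer\n\nUnsolicited advertisement.\n")

Decision = namedtuple("Decision", "action label forward_to message")


class AliasRegistry:
    """One random, labelled alias per Web site, all forwarding to one mailbox."""

    def __init__(self):
        self._aliases = {}   # local part -> {"label", "site_domain", "active"}

    def create(self, label, site_domain):
        """Mint a random alias for one site and remember where it was used."""
        local = secrets.token_hex(4)
        self._aliases[local] = {"label": label,
                                "site_domain": site_domain.lower(),
                                "active": True}
        return f"{local}@{ALIAS_DOMAIN}"

    def delete(self, alias):
        """Stop forwarding; the label is kept so later hits stay attributable."""
        self._aliases[alias.split("@", 1)[0].lower()]["active"] = False

    def route(self, rcpt_to, raw_message):
        """Decide what happens to mail for envelope recipient rcpt_to.

        action is "reject" (alias never minted), "drop" (alias deleted),
        "forward", or "forward-leak" when the From domain is not the site
        the alias was given to. From can be forged, so this is only a hint.
        """
        local, _, domain = rcpt_to.lower().partition("@")
        entry = self._aliases.get(local) if domain == ALIAS_DOMAIN else None
        if entry is None:
            return Decision("reject", None, None, None)
        if not entry["active"]:
            return Decision("drop", entry["label"], None, None)

        msg = message_from_string(raw_message)
        _, sender = parseaddr(msg.get("From", ""))
        sender_domain = sender.rpartition("@")[2].lower()
        site = entry["site_domain"]
        from_site = sender_domain == site or sender_domain.endswith("." + site)

        # Rewrite From as described: original sender, |label|, then the alias.
        del msg["From"]
        msg["From"] = formataddr((f"{sender} |{entry['label']}|", rcpt_to))
        action = "forward" if from_site else "forward-leak"
        return Decision(action, entry["label"], REAL_ADDRESS, msg)


def demo():
    """Sign up once, receive site mail, receive spam, then delete the alias."""
    registry = AliasRegistry()
    alias = registry.create("bookshop signup", "bookshop.example")
    ok = registry.route(alias, NEWSLETTER.format(to=alias))
    spam = registry.route(alias, SPAM.format(to=alias))
    registry.delete(alias)
    after = registry.route(alias, SPAM.format(to=alias))
    return ok, spam, after


if __name__ == "__main__":
    for decision in demo():
        print(decision.action, decision.label)
```

The label on the "forward-leak" decision names the one site that was given the alias, which is the attribution a shared throwaway account cannot provide.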

Final thoughts

I like these approaches. There's a certain satisfaction in deleting an e-mail address knowing that any spam aimed at that address will be eliminated. I realize it's an added step, but I'm willing to take it just to gain back some control.

123 comments
bcarradero

MERRY XMAS U ALL. I TRIED A DIFFERENT WAY TO STOP SPAM. I WRITE DOWN ALL THE ADDRESSES OF THE MAIL THEN DELETE ALL THEN I GO TO MAIL OPTIONS, SPAM & ADD THEM TO BLOCKED ADDRESSES. THEY WILL USE ANOTHER ADDRESS & U BLOCK THAT TOO. IN ABOUT 7 TO 8 DAYS YOUR SPAM IS ABOUT DOWN TO 2 EVERY OTHER DAY & THEN NONE. BACSI1VIETNAM. GOD BLESS

CisfRjsii

There is an Easier method that works so, so well. It's called Iconix.com. It works on all accounts. Yahoo, outlook, comcast, hotmail and the list goes on. Simple, small in size, but to the point and the Best part is that it's FREE !!!

mike_patburgess

Funny thing is you cannot stop it unless there is some legislation at the ISP level. Legislate them to remove SPAM before it gets to you (similar to the do not call service we have now). As it is now our PC/workstations are coping with processing non-productive work (virus scanning, SPAM processing, spybot elimination...and the darn list goes on and on). And not only that, the applications that protect us have to stay resident so that they can try and capture any junk that might get through. Sigh, give me the good old days when there was just text email and no junk...

Jaqui

mailwasher out? http://www.mailwasher.net/ freeware. [ free, open source, server version also available, works with MS Exchange, sendmail and qmail ] it grabs the headers from the email server and lets you mark spam, then it bounces the spam back to the sender and blacklists the sender.

letter_2_roy

hi ! Dear Sir, With due respect, I appreciate the logic behind the solution. with thanks & regards, swapan.

diverjack

I've been using MailWasher for the last 3 years, and I wouldn't use anything else! It lets me see the spam, which address it's going to (I have 4), and it learns the good from the bad mail. Plus it allows me to blacklist, bounce and delete.

camjes

Start charging for emails, doesn't have to be much, include say 100/month for a home user account, maybe more for corporate. Seriously a corporate mail server with say 100 users is not going to generate more than say x thousand per day outside their own network. It won't be comfortable for some, but geez I would be happy to spend a $1 a month/user for sending and not worry about getting any garbage. Who doesn't spend that on filtering the garbage now?

mark.silvia

I usually use the 'disposable' or temporary email when giving it to a potential spammer. If network traffic wasn't an issue I would take all known spammers and give each one each others' address so they can spam each other to the hearts content. I will not do this because our bandwidth is too precious for over abundance of crap that would be transmitted. I am tempted to give those who send junk faxes other junk faxers' fax numbers and drain their resources as much as possible. This would be the fun way. A better way would be to report them to the FCC so they can face fines. I am happy to hear that some spammers are being convicted and sent to prison.

tohca1

Thanks for the tip. I use gmail for the purpose and though it's not engineered like Sneakemail, you can easily add new emails and forward it to your 'real' email. Cheers! The Malaysian Explorer

techrepublic

You can get a domain and a hosting account for about $10/month these days. Most hosts allow you to have catch-all e-mail addresses where all unrouted e-mails are sent to. Once you set up a catch-all, you are free to start using single use e-mail addresses for each site (e.g. techrepublic@mymaildomain.com)... if you start receiving SPAM to the particular e-mail, just block it or forward it to the appropriate abuse e-mail address... and presto. SPAM-B-GONE.

dcolbert

This is a great approach for an individual to minimize spam - but it doesn't really address combating enterprise SPAM and/or doesn't provide a solution that an e-mail admin can require his users to do. It has to be a self-actualized plan. As a self-actualized plan, it seems that the biggest problem with a throw away address is that often the "catch" that "requires" your e-mail address is that they'll use it to send your e-mail/password should you forget it for that site in the future. This is a feature I often use. Because of this, I'm always hesitant to close an account - I've found that I don't have enough discipline to use my "throw away accounts" effectively. A one time throw away account might work better - if I know I've been spammed because I gave them my e-mail, well - then I don't want to visit that site under any conditions in the future, would go the logic. I also have concerns that there are other ways that spammers harvest e-mail accounts than simply by gathering user data harvested from web-sites that require registration. Forwarded chain mails with huge cc: lists are one example - and generally, you can't prevent some well meaning luser from sending you a "cute" chain mail in all good faith - that also includes a list of hundreds of other addresses. In that sense, I've had accounts that I rarely used (and never used for a site registration) that started getting spam quite quickly after I created them. As Exchange Admin is one of my roles, I was very interested based on the title of this article, but I'd say the title is a little optimistic. At the best this should LIMIT the spam an individual user might expose themselves to - but I still think it is nearly impossible to STOP spam.

jkameleon

I know a couple of people, who travelled abroad, used email there, and got spammed from the country they've travelled to a couple of days later. For example, after a trip to Mexico, they got phishing email to a Mexican bank. After a trip to Ghana, they got an offer to transfer 20 million dollars out of it shortly afterwards. In these cases, email addresses were obviously sniffed off the internet. Since email addresses travel across the internet unencrypted, this shouldn't be much of a problem. Guarding your email therefore doesn't help much.

Gennady

I use one-time email addresses. I have my own domain and just add aliases for every site that asks for email address. All the aliases forward to my 'real' email address that is not disclosed to anyone. This way, every site I visit gets its own address and when I get spam, I know for sure who compromised my address. Does it stop spam? NO. I still get spam as spammers 'harvest' email addresses from sites and from mail relays they succeed to infect or from traffic they can possibly introspect. I can remove a specific alias right after first instance of spam from it, but I will receive that first instance. Also, this method does not work well for sites that I *really* need the subscription from. I give them one alias, some spammers harvest it and I replace it with another alias until spammers catch the new one... So the method of one-time email addresses is good (if you have your own domain and can add aliases quickly), but it does not protect you from getting spam to those addresses that are published on web sites, even with the help of aliases.

Cactus Pete

For about 10 years now I've had my own domain and a linux server running my sendmail. The last line of my virtual user table is @[domain].com (where I obviously replace [domain] with my actual domain). Any address that comes to my domain forwards to one of my accounts. So when I register my email address with a vendor, I give them their.vendor.name@[domain].com. Obviously, if I get viagra spam from that vendor, I'll know whose fault it was. This once happened with Leatherman Tools. I called them up and actually got their IT guy. They mentioned that they had outsourced the registration and no longer use that company because of this issue. They made amends, and kudos to them. When the email is compromised, I simply stop accepting that address. But I don't have to worry about setting up a specific address each time - it's good on the fly. This is great when I do it out of the office, or on trips. The blackberry gets the messages right away. The drawback, however, is that I will get messages to randomly.generated@[domain].com from time to time. But this is why there is still a spam filter. Obviously not a solution for everyone. But for the technically adept, I highly recommend it.

putinsky

Why not forward all the spam to the site that gave up your address and let them deal with it?

bob

That's all well and good, but I've had my own e-mail address - myname@mylastname.org for over 10 years, and I want to keep it. Everyone who knows me knows that that is my forever e-mail address. Outlook's filter provides enough of a filter to keep me happy. And I have nothing to maintain constantly.

jhardy

First, a general disclaimer--I work for SmarterTools, the maker of SmarterMail. Many of our customers are enterprises and hosting companies with tens of thousands of mailboxes--so spam is a REALLY big deal that can eat a lot of resources. We run a layered approach to spam protection that keeps the majority of spam off the mail server. Sure, we use white and black lists (etc.) and heuristics, but we also use Bayesian filtering, DNS checks, grey listing, SpamAssassin, and more. But it is also very important that these are done in the right order (some perhaps on a gateway in high volume environments). Spammers are a moving target--always adjusting their techniques. So we are always looking to improve as well. But employing good, proven protections in a systemized, layered approach can stab-off 98% right off the top. We have written white papers and architecture recommendations on this topic and we get those results in real world situations right now. Be well, Jeffrey J. Hardy

jmollema

Why are people still jumping through hoops dealing with Spam when there is Red Condor? It just works like no other. Of course, you have to own a domain because it doesn't work with POP mail, but still, what a difference!

isabel.tiong

It is a good way to reduce the spam that each of us receive. And with regards to email spams, I would like to open up the topic about email forgery. I have SPF records on my domain, but still, my emails are forged. Is this a sign that SPF is not the answer?

Michael Kassner

Still, the advances in technology outweigh the down side. At least in my opinion. Kind of like cars, I remember when you had to get a tune up every three or four thousand miles. Now they run forever, but we complain that they're too complicated to fix.

Michael Kassner

I agree Jaqui. Except that it's only POP3 and not Exchange-friendly as far as I can see.

Michael Kassner

If you start using Sneakemail or something similar, please report back with your thoughts as to if it's a good solution or not.

Michael Kassner

I just finished looking at it and was getting excited. It appears that MailWasher will not work with Exchange though.

Michael Kassner

It's still a great deal better than having to use your real e-mail address. Once again you have to realize your level of expertise compared to the millions of users that just want to use the Internet and e-mail and not worry about having their own domain.

imaguid

if an organization can't keep your one-time address safe then stop dealing with them. whether it was malice, negligence, incompetence or no fault of their own, you can never know - best to just part ways with them and find someone else who can protect your contact info

Dr Dij

this is what I used to do. Problem is, with a 'catch-all' - allowing ANY email address to be accepted, even if you don't publicize or give out only certain addresses, causes, as mentioned previously, spammers to send random emails@yourdomain. After getting 5000 spams from one Chinese address in one day, I switched to yahoo paid email. These 5000 spams weren't even directly from the spammers, I was 'spammed' by stupid companies sending replies to spam that the person didn't exist at that address. Problem is that they ended up spamming ME because someone forged return address to my domain! Never again. Yahoo disposable addresses will put your email directly into folders based on what disposable address it comes in on, and you don't have to set up to forward anything, you don't need to set up any filters, and being web based you can access it anywhere.

Michael Kassner

It also was encouraging to hear about a responsible vendor that fixed the problem.

Michael Kassner

How much you want to bet. It's what I've found to be very prevalent.

Michael Kassner

You are a knowledgeable user and that makes a difference.

imaguid

there's no reason why you should need to give up your 10 year old address. but just so, there's also no reason why you should hand out that address to some website run by people you don't know. keep the old address so that your friends and family can contact you easily, but use disposable addresses for sign-ups

Michael Kassner

Many people are not in the know about many of these options. That's why I hope this article starts a land slide of information.

bop

Dear Michael I miss your usual analytical approach to the issue (spyware and botnet)! Try analyse how a header from a spam-mail looks like. I did that with one of my friends and former co-workers at ZyXEL comm. DK. The idea is that you pipe the mail your mail server through a simple script, first you check if the domain/mail server in the "return-path" or "from" field exist by making a SMTP connect - if no connect dump the mail. If the mail server responds the next thing is to request a connect to the specific account, here 85+% will be discarded. An added check on the account is for the mail server not to accept mail from outside that claims to be from inside the domain. Our guess is that less than 10% of the spam would survive this simple script. The third check in the script might be obsolete by using SPF but in short - check that the originating domain pops up somewhere in the delivery route - this is not fail safe so SPF is a better solution. If this is done by retrieving headers-only and then retrieving the rest for the spam-free mails afterwards you might even save traffic - at least to your mail server. This is just a brainstorm-thing and we don't know if it works - does anyone see a flaw or a bright idea? It seems like mail server administration is done by a junior or the latest member of the IT dep. except for at the BIG-4.

TechRepublic

I don't think SPF is the complete answer, and won't be, until both sides of the email conversation implement SPF. If the receiver doesn't implement checks and then deprioritize or throw away (if you say to do that in your SPF record) incoming mail that isn't from one of your servers, then you will continue to be the victim of forgery. Does your SPF record end with "-all" or something like "~all"? If the latter, then you aren't really telling anyone anything, as that tells them that you *do* have other servers sending mail for you that aren't in your list. If you really want to tell them that it's okay to drop anything on the floor but what's in your SPF record, then you need the "-all" in there. The big-4 (Yahoo, Gmail, MSN, AOL) all will do SPF checks, but of all of them Gmail is the only one that I know of which will truly deprioritize email (e.g., junk it) if the SPF doesn't match. All of them are moving to DKIM within the next year which provides even greater forgery control as it won't be just on the mail server sending the mail, but actually checking the contents of the message and headers to see if it is being forged or mucked with in transit! I hold out hopes that the combination of SPF and DKIM will help put a real damper on spam in the future. Again, it won't really have any effect until all parties in a legitimate email conversation recognize and implement the authentication checks that these provide.
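How the qualifier on the trailing `all` mechanism, which the comment above turns on, changes the result a checking receiver computes for forged mail, as an added example that is not part of the comment. It evaluates only the `ip4`, `ip6` and `all` mechanisms offline; the networks and addresses are constructed from documentation ranges, and `evaluate_spf` and `forged_mail_results` are names chosen here.

```python
import ipaddress

# Qualifier -> result (RFC 7208); a mechanism written without one means "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF record against the connecting IP, without DNS.

    Mechanisms are tried left to right and the first match decides.
    Mechanisms that need DNS (a, mx, include, exists, ptr) and the
    redirect= modifier raise ValueError in this simplified example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    has_redirect = False
    for term in terms[1:]:
        if term[0] in QUALIFIER_RESULT:
            qualifier, body = term[0], term[1:]
        else:
            qualifier, body = "+", term
        name, _, arg = body.partition(":")
        name = name.lower()
        if "=" in name:                    # modifier (redirect=, exp=), not a mechanism
            has_redirect = has_redirect or name.startswith("redirect=")
            continue
        if name == "all":
            matched = True                 # "all" matches every sender
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == int(name[2]) and ip in net
        else:
            raise ValueError(f"{name!r} needs DNS; not handled in this offline example")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    if has_redirect:
        raise ValueError("redirect= needs DNS; not handled in this offline example")
    return "neutral"                       # nothing matched and no "all" term


def forged_mail_results(allowed_net, forged_ip):
    """Result for the same forged sender under each ending of the record."""
    return {ending: evaluate_spf(f"v=spf1 ip4:{allowed_net} {ending}", forged_ip)
            for ending in ("-all", "~all", "?all", "+all")}


if __name__ == "__main__":
    # Constructed case: the domain sends from 192.0.2.0/24, the forger from elsewhere.
    for ending, result in forged_mail_results("192.0.2.0/24", "203.0.113.9").items():
        print(f"{ending:5} -> {result}")
```

Only "fail" is an explicit statement that the sender is not authorized; what a receiver does with each result is still its own local policy.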

scarville

It's more likely a sign that most mail admins don't bother to set up SPF checking for their MTA. I find that kind of surprising. The SPF record is trivial to set up and all the major MTA software supports it. Maybe I'm missing something but it seems to me that SPF could offer a large benefit for a small cost.

Michael Kassner

I'll look into it. As you, I'm not that impressed with it at this time.

Jaqui

have the FREE server version that will integrate with exchange. :) not only is it free, it's open source.

Jaqui

the server version, free and open source, works with exchange. mailwasher pro will run on linux under wine.

Cactus Pete

There is a tag you can put on all your outgoing messages, that when a bounce comes back without the tag in the header, the message is dropped as obviously not yours.

Michael Kassner

What do you think the spammers were trying to accomplish by doing that? Did the spam you received have advertisements in it as well?

tech

I'd be interested in working with someone regarding programming a filtering application or a better email client. From what I've seen Bayesian filtering used to be all the rage, but why are we looking at the content of the message and probability when we could focus on the true Header of the message for originating IP (comparing a cache of known MX records - is that what you meant Bop?) and possibly build a client that has to "turn on" allowable domains, country of origin or addresses to let them in instead of cutting them off? I would think this could be done easily with an "outside the envelope" approach to email (which may require some RFC re-writing). Maybe Obama will create some leadership in that direction. Any programmers out there want to start a company? Maybe we could get government backing. I used to drudge through spam for an ISP years ago and it can really make you re-think many things.

Michael Kassner

I've been asking around and there aren't many that have it in place. Strange, as you said it's easy and has some value.

Michael Kassner

Typically an application that's showing quality tendencies in one OS will exhibit them in others.

Jaqui

it will be sendmail or qmail I try it on. I don't have ANY exchange to install. :p [ all open source os here, remember ;) ]

Michael Kassner

Please let me know what you think. I don't have a spare Exchange box to try it on and I'm a little hesitant to just dump it on a production Exchange server.

Jaqui

I only found the server version yesterday myself. I'm looking through the source code before building and testing it out. :D [ much prefer source builds, both more control and more stability in the app that way. ]

Michael Kassner

I wasn't looking in the right area. That's pretty cool, having both a client and server version. Have you used it? If so, what's your opinion about it? I have a client that this would be perfect for. Thanks for straightening me out.

Michael Kassner

Thanks, Jaqui. The Web site just mentioned POP3 and I don't use that on the Exchange server. If it works that would solve all sorts of problems for the non-profits that I take care of.

Michael Kassner

I suspect you are referring to the other comment and BATV. I feel silly for not knowing about that. Thank you for sharing that information.

Michael Kassner

I assume that is installed on the e-mail server? I was trying to find out if it was available for Exchange and as of now it appears that it isn't.

Cactus Pete

When a spammer forges your return mail address, to hide their identity, any mail server set up to bounce spam, or when the spammers' addresses are out of date, the resulting bounced messages are backscatter. http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation Certain anti-spam devices used to create just as bad a situation as they helped. Sending me (a non-spammer) a message that a message is blocked because it is considered spam creates more traffic and headache than just letting the spam sit on a server for eventual deletion. It's well known that spam is forged, usually an address stolen from an addressbook when someone was infected or harvested. Using BATV would help those of us who use catch-all servers. There are drawbacks - not all other servers can handle the additional tag, and barf on the message. Of course, it wouldn't be necessary at all if servers were set up to reject spam messages, rather than bounce them.
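The outgoing tag and bounce check described in this comment and in the earlier one about tagging outgoing messages, as an added example that is not the commenter's or any mail server's code. It is modelled on the `prvs=` address layout from the BATV draft (key number, three-digit expiry day, six hex digits of an HMAC-SHA1); the exact layout, the key, the lifetime and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECONDS_PER_DAY = 86400


def _signature(key, key_num, day, address):
    """First three bytes (six hex digits) of HMAC-SHA1 over K, DDD and the address."""
    data = f"{key_num}{day:03d}{address}".encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def sign_sender(address, key, now, lifetime_days=7, key_num=0):
    """Tag the envelope sender of an outgoing message.

    The tag carries the day (mod 1000) on which it expires, so a captured
    tag cannot be reused for bounces indefinitely.
    """
    day = (int(now) // SECONDS_PER_DAY + lifetime_days) % 1000
    return f"prvs={key_num}{day:03d}{_signature(key, key_num, day, address)}={address}"


def check_bounce(rcpt_to, key, now, lifetime_days=7):
    """Return the original address if a bounce recipient carries a valid tag.

    Returns None for untagged recipients (backscatter from forged mail,
    including guesses at a catch-all domain), bad signatures and expired tags.
    """
    prefix, _, rest = rcpt_to.partition("=")
    tag, sep, address = rest.partition("=")
    digits = tag[:4]
    if (prefix.lower() != "prvs" or not sep or len(tag) != 10
            or not (digits.isascii() and digits.isdigit())):
        return None
    key_num, day = int(tag[0]), int(tag[1:4])
    expected = _signature(key, key_num, day, address)
    if not hmac.compare_digest(tag[4:].lower().encode(), expected.encode()):
        return None
    today = int(now) // SECONDS_PER_DAY % 1000
    # Days left until expiry, with wrap-around of the three-digit day counter.
    if (day - today) % 1000 > lifetime_days:
        return None
    return address


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumption: secret known only to our MTA
    sent_at = 1_700_000_000                # constructed timestamp
    tagged = sign_sender("me@mydomain.example", key, sent_at)
    print(tagged)
    print(check_bounce(tagged, key, sent_at + SECONDS_PER_DAY))      # accepted
    print(check_bounce("me@mydomain.example", key, sent_at))         # None
```

Because the check looks at the envelope recipient of the bounce, it only helps when every outgoing message from the domain is tagged.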

Michael Kassner

I was trying to determine if it was just a straight DoS or if it had a spam payload as well.

Dr Dij

of course I was trying to delete it as quick as possible and didn't really look. It hung up my email thing for an hour retrieving it all from my ISP, and all bounces, not directly to me. Of course some is to try to entice you to a website that will infect you or download something for same purpose.

Michael Kassner

I agree that innovation in this area seems stalled. If you and BoP continue along this approach, I'd appreciate you both keeping the members up to speed.