Bon Journal

Spam : weapons of mass disruption

feature contribution by the Hungry Poet

Personal Computers and the Internet are amongst the greatest inventions of modern times, arming individual users with tools of mass communication and productivity at the finger tips. With various accessibility tools, people with disabilities can also communicate and participate in cyberspace activities through voice recognition and other sensory interaction applications.

Unfortunately, along with these marvelous inventions came inventions such as Worms, Viruses and Spam Mailers which are clearly ill-conceived weapons of mass disruption.

You can install reputable virus detection software, keep your system software and virus scandata up-to-date, and combine these with prudent practices and disciplines to more or less keep most viruses and worms at bay. Systematic update, discipline, and common sense.

But how do you fight a war against privacy terrorism such as Spam mail ? How do you disarm these weapons of mass disruption ? No spam filtering software has been known to effectively deal with spam mail in a satisfactory manner. You can never filter enough and at the same time you are afraid of filtering out important and critical emails. Why is this so ?

Unlike worms, viruses and their various mutations which are usually produced by techie nerds and jerks of cyberspace and hence constrains the number of possible creators, any person including automated computer programs can easily produce and propagate spam mail effortlessly. The possible number of spam mail creator is essentially unlimited if you count automated spam software.

The problem with not being able to filter out spam mail effectively is many-fold, here's just a short list of some:

1. Spam sender addresses keep changing and may use popular domains such as Yahoo.com or Hotmail.com
2. Spam subject lines are disguised as innocent titles and everyday subject matter like "how are you" etc
3. Spam message format and content vary infinitely
4. Spam mailings are sent through thousands of unsecured SMTP servers in cyberspace making it impossible to detect network of origin (*don't worry about the tech-talk)

Successful relentless spam mail often relies on some form of "stealth" characteristics in disguising itself as innocent everyday email messages to get past detection by spam filter software.

The key to spam mail working is the email addresses everyone uses to communicate with each other. Your email addresses are recorded in some computers somewhere. Spammers discover your email addresses through a variety of very simple and very creative means - below is not an exhaustive list yet:

1. Supplied by free online subscription websites, search engines, and free membership organizations - they need "sponsors", right?
2. Supplied by free webmail service providers (including previously the "Hot" one) - yes, nothing is free.
3. Hacking into databases of protected online paid subscription websites, corporate databases, business directories and professional membership organizations.
4. Extracting from Web pages, online forum postings and bulletin boards that featured your entries.
5. Web advertisers "click tracking" software which accumulate email addresses and click patterns into a repository.

...the list is endless.

In a nutshell, your email address stored anywhere in cyberspace can be discovered by spam mailers, often through "robots" and "spider" automated address scanning programs no different from how search engines discover web pages and web content. As long as you have an email address, you cannot hide from spammers.

Other than installing spam mail filtering software, here are some rules on how to combat spam mail:

Rule No. 1: Avoidance
Rule No. 2: Refer to Rule No. 1.

Avoidance is still the first and best strategy. You can never avoid all spam mail, but you can reduce the level of disruptions caused by spam mail through applying basic avoidance tactics such as:

1. Never disclose your "permanent" email address, the one you get from your ISP for your Internet connections, be it ADSL or dial-up connections.
2. Establish a set of protected email addresses for different applications and be selective who you disclose which to.
3. Use only free and changeable public domain email addresses when subscribing to any free online services or non-critical memberships

1. Your Permanent Email Address

This is strictly a nondisclosure item if you can help it. Once you get relentlessly spammed on this address by automated spam software, the only way to fix it is to change this address and that usually means signing up for a new ISP account. Surely you don't want to do this often.

2. Protected Email Addresses

You should have at the very least three email addresses which are "protected" and you do not simply disclose to non-relevant parties. Never use these addresses for registration with any free online services including free magazines, newsletters, news services, non-critical memberships, and the likes.

i) Personal email address for personal emails with friends, relatives and personal contacts and you only disclose this email address very selectively.

ii) Professional email address which you usually get assigned to you by your employer or business organization - disclose this only strictly to business or professional contacts and avoid using this for unsecured professional subscriptions or membership registrations unless you are assured its privacy policy protects disclosure.

iii) General email contact address for general email usage outside the realm of personal friends, relatives or business contacts, meant for casual email contacts. Disclosure can be somewhat relaxed but still avoid registering this for free online services. There is a high likelihood of this address being spammed because one of your casual contacts has unwittingly (or willingly) revealed this to spam address collectors, so be prepared for this eventuality. If this is a serious concern you may wish to relegate this to a "changeable email address" discussed in the next section.

For subscriptions to professional membership organizations and paid online subscriptions, you can use any of the above, but make sure the privacy policy protects disclosure.

3. Changeable Email Addresses

For unprotected usage, non-critical applications, or usage anywhere that has "high-risk" of discovery of your email address, you should use a set of changeable email addresses which you can obtain from free web mail service providers such as Yahoo.com, Hotmail.com, Mail.com and lots more.

These are also your email addresses for registering to free online services such as newsletter subscriptions, free downloads, free membership organizations, and the likes. Nothing is free in cyberspace, so you can almost guarantee that any free online service provider will sell or disclose your email address no matter what the privacy policy. Alternately, they get hacked into by spam mail address collectors for the purpose of accumulating email addresses.

You can be very sure your email addresses here will be the victim of spam mail within very short time of establishing them, and the volume of spam mail here will continue to grow without restraint.

Be prepared to change these addresses when spam mailing gets out of control, that's why it is best to use free web mail service providers. When you change such addresses, it will be a hassle to redo all the free online registrations, but this is by far better than being spammed on an email address you cannot change and you are helpless at stopping the endless flow of spam mails to your protected email address.

It is best to keep the mailboxes of these free email addresses on the web service providers' own servers, and not download them into your Microsoft Outlook, Outlook Express, Eudora, Lotus Notes, Netscape Communicator, and whatever POP mail client software you are using. This has several advantages:

1. Faster access, no time-consuming unnecessary download time
2. Less risk of virus attack on your PC in case of malicious mail attachments
3. Easier to mass delete spam mail by examining the headers and unfamiliar senders
4. Reducing risks of all sorts by keeping this separate from your critical communication system

One last word on using free web mail services. When you sign up for free email addresses, and they ask you for an "alternate" email address, never disclose your protected email address. This entry is also a source of spam mail address collection.

Spammers Favourite Tricks

Spam mail address collectors who sell their databases of email addresses usually charge a premium to web advertisers when they can guarantee that the email address is a legitimate recipient who opens his/her mail. Web advertisers sending out spam mails may be interested to know if their mail is opened, so as to target the recipients in a relentless manner. Whatever the reason, there are several tricks employed by spam mailers to obtain these "acknowledgments".

Most spam mailings come with a "remove" or "unsubscribe" button for you to click on. If you are tempted to believe clicking these will stop the spam mail from coming, don't. Clicking on any button in the spam mail is just about the LAST thing you do to a spam mail - it is an acknowledgment that you have opened the email. Guess what - one click and you will get thousands more spam mail.

Spam mails (or any other mail for that matter) can contain "web bugs" which access a website and pass on a token (typically an illegal marked URL) to the website that the spam mail has been opened if you open the spam mail while online. This is another way to obtaining "acknowledgment" from the recipient. As a good practice, you should always go "off-line" before opening and viewing suspected spam mail to ascertain its content if you want to avoid sending these "acknowledgment".

When using POP mail client such as Microsoft Outlook, Outlook Express, Eudora, and others, always disable the setting "Send Read Receipt" which basically automatically sends an email message to the sender address acknowledging opening of the email each time you open an email which contains a read receipt request. Allowing this may be a great way for friends to know if you are opening each others' emails. But it is also a great way of acknowledging the opening of spam mail.

Conclusion

It is no doubt troublesome and inconvenient to keep so many email addresses, but in this age of cyberspace mass communication, there is almost no other alternative if you wish to protect yourself against these weapons of mass disruption. By restricted disclosure of protected email addresses, and using changeable addresses for high risk usage, you are combating spammers using their own tactical advantage - stealth. Moving targets are harder to shoot at than fixed ones.

With a clear set of avoidance tactics and email address strategy described above, maintaining strict discipline and prudent practices combined with common sense, you may stand a chance at combating these weapons of mass disruption and make your existence in cyberspace less stressful, more productive and a little more enjoyable.

Note from editor:

This article has been generously contributed by the Hungry Poet who assisted Anne Ku with anti-spam tactics. See "Victim of spam" for related Bon Journal entry.

25 February 2003 Tuesday