Thursday, April 28, 2005

sp4m prevention

How they do it

Everyone gets it, and if you're a normal nontechnical consumer you have no idea what to do about it, except delete the crap as it comes in.

How does it happen that you get this stuff?

Well, every web discussion forum and every e-commerce transaction you do, anything that requires your email address, gives *someone* your email address. Some forums and web merchants are good and ethical about their customers/members. Some are not. They make money off you by selling your email address to other merchants or organizations or individuals. Some of these buyers have ethics levels that include the rule "You shouldn't run over dogs because it gets the bumper dirty. Cats only leave a little stain, though."

Have you ever donated to a charity and then, a few months later, begun receiving beg-letters from other charities you never heard of? That's what the recipient of your donation did: made even more money from you by selling your name and address to other charities. I guess they weren't satisfied with what you gave them.

I hate that. That behavior strikes that charity off my list forever. By the way, CARE and the Sierra Club do this. I used to think Sierra Club was a good cause.

Anyway, spammers do exactly the same thing.

Another method spammers use is called a dictionary attack. A lot of people's user names consist of regular words, like 'peekaboo' or 'doglover,' or combinations of human names, like 'jsmith' or 'john_doe.' Knowing this, scum, err, spammers use computer power to combine words and/or letters into possible user names, and use that list to spam. It doesn't matter if the recipient doesn't exist. All they need is for the computer to tell them the message didn't bounce as undeliverable, and they have a "confirmed" address. All they need is for the victim to reply, and they have a "confirmed opt-in" address.

Preventative measures

Rule number 1: spammers lie. Don't *ever* reply to a spam message. Don't ever believe them when they claim their spam is legal because they're complying with some bill (S1618) that died and never became a law. Don't ever believe them when they say you "opted in" (though for your own self-organization, you should keep track of which websites you bought from or are a member of). Don't ever believe that replying with "unsubscribe" (or however the spammer directs you) is actually going to work; it actually confirms that you are a working email address. Don't ever click that link that wants you to confirm your credit card number or account information ('phishing' needs a whole 'nother article in itself).

When you buy online or sign up for anything, make sure you have removed checkmarks (or done whatever's appropriate) to things like "I want to receive more information" or "subscribe" or "Give me offers." Make sure you scroll all the way to the bottom of the screen. Hunt for those checkboxes.

Try to check if the merchant has high marks or a good reputation. This doesn't necessarily mean they won't spam you, because satisfaction with online purchases usually means prompt delivery and good communication about the transaction itself. But it may help. When buying from a merchant I'm unsure of, I Google the name of the business along with the words: bad complaint 'bad experience'. I do this to see if anyone has actually been so pissed as to put something on a webpage about the business. Usually I get nothing (or as close to nothing as Google will give) and that, generally speaking, is good.

Inbox already overwhelmed?

I got my first internet account in 1991 or so, right around when large-scale spamming was beginning. I had no idea that posting on Usenet would eventually cause my email address to be "harvested." I ended up with a lot of spam and put up with it for years before getting proactive.

There are limits to what you can do if you're already on spam lists. The fastest method for getting rid of spam is getting a new email address. Cancel your account and get a new one. Try not to give your new account a name vulnerable to dictionary attack.
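A rough way to test a candidate account name against the word and name combinations described under "How they do it", as an added example that is not part of the original post. The tiny word and surname lists are constructed samples, and `segment` and `guessable` are hypothetical helper names.

```python
import re

# Constructed sample lists; a real check would load a full dictionary and name list.
WORDS = {"peekaboo", "dog", "lover", "cat", "john", "doe", "mail", "box"}
SURNAMES = {"smith", "doe", "jones"}

def segment(text, words):
    """Split text into the fewest dictionary words, or return None if impossible."""
    best = [None] * (len(text) + 1)   # best[i] = fewest-word split of text[:i]
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            piece = text[start:end]
            if best[start] is not None and piece in words:
                candidate = best[start] + [piece]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]

def guessable(local_part, words=WORDS, surnames=SURNAMES):
    """Return why a mailbox name is guessable by word/name combination, else None."""
    # Separators such as '.', '_' and '-' are treated as word boundaries.
    parts = [p for p in re.split(r"[._-]+", local_part.lower()) if p]
    if not parts:
        return None
    vocabulary = words | surnames
    splits = [segment(p, vocabulary) for p in parts]
    # Every part is built purely from listed words: 'doglover', 'john_doe'.
    if all(s is not None for s in splits):
        return "dictionary words: " + "+".join(w for s in splits for w in s)
    # One initial followed by a listed surname: 'jsmith'.
    only = parts[0]
    if len(parts) == 1 and len(only) > 1 and only[0].isalpha() and only[1:] in surnames:
        return "initial + surname: " + only[0] + "+" + only[1:]
    return None

if __name__ == "__main__":
    for name in ["peekaboo", "doglover", "jsmith", "john_doe", "q7vx-trn2k"]:
        print(f"{name:12} -> {guessable(name) or 'not found by these rules'}")
```

A name that passes these two rules is not guaranteed safe; it only means the simple combinations above do not produce it.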

After you set up a new account, also get yourself a free mail account, such as on Yahoo or Gmail, as a decoy. Use this free account for all your purchasing and forum sign-ups. If and when it gets overwhelmed, dump it and get a new one.
