Building Your Personal Anti-Spam Strategy
by Michael Herrick, 11/01/2002
You're just getting back from a well-deserved and much-enjoyed vacation. For two weeks, you haven't touched a keyboard, looked at a screen, or put a phone to your ear. Now it's payback time. It's your first morning back in the office and you can't put it off any longer. You've got to check your email.
Your first glance at the email status bar confirms your fears. There are 1,840 messages waiting to be picked up. You groan. You know that translates to about 1,800 spams. Well, it's nice to know someone cares. Hold my calls for the next hour. I'm deleting spam.
What used to be a minor annoyance has become the scourge of the Internet, ruining your email experience. Everyone gets spam, of course, but you've been depending on business email for years, so you get a lot of spam. When your Aunt Gussy starts complaining about the junk she gets on her AOL account--"positively dozens!"--you just roll your eyes. Try hundreds. Try thousands. Day in and day out. What can you do about it?
Maybe you accept spam as an inevitable annoyance. Maybe you've grown used to hovering over the delete key while reading email. Maybe you've given up.
Don't.
Spam may seem like a big problem, and it is, but you can do something about it. In fact, you've got to. You don't have a choice. If you're one of those people who receive 50 or 100 or more spams every day, you've simply got to find a way to manage it. Fortunately, there are steps you can take to reduce the time you spend dealing with spam. In this article, we'll look at some of the ways you can reduce or limit the amount of spam you receive by becoming invisible to spammers. In the next article, we'll discuss some ways you can automatically identify and remove spam you are already receiving. Put them together and you can build a personal anti-spam strategy that works for the kind of mail and the kind of spam you receive.
Spam's Not Funny, But Don't Stop Smiling
The first essential in any anti-spam strategy is a sense of humor. A sense of humor can protect us from the natural, but pointless fits of powerless indignation. I'm not at all suggesting a grin-and-bear-it, "I-just-hit-the-delete-key" approach to dealing with spam. I don't recommend resignation. But if we can't laugh at spam, what can we laugh at? Yes, spam is an unconscionable intrusion on your time, an immoral theft of electronic resources, and a repugnant reminder of the most shameful degradations endemic to human nature. But where else can you receive serious, money-laundering offers from third-world con-artists, candy bars with 1,200 negative calories, or incompetently faked nude photos of celebrities you don't even recognize? Yes, they really expect you to believe it. And some people do. Isn't it fun to imagine a disappointed customer sending before-and-after photos to the attorney general proving the ineffectiveness of the latest enlargement formula?
The need for humor is one reason why I always insist on referring to the problem by its most evocative name, spam. I get impatient with anyone who insists on referring to it with some polysyllabic incantation of Latin origin or, worse, an acronym. Maybe a bombastic name is helpful when trying to bamboozle a senator into sponsoring an anti-spam bill he doesn't really understand, but those of us outside the world of legislation (which was once likened to another processed meat product) can afford to be less stuffy. What better way to refer to in-box crud than with the name of a funny meat that makes a yucky slurking sound when it plops out of the can? Spam is a fun word, even a legally permissible word, that can take some of the sting out of processing the daily flood of digital sewage.
Protect Yourself
Having armed yourself with the mental attitude needed to protect yourself from useless bursts of wrath, what technical steps can you take to stem the flood of spam? First, you should begin at the beginning. Before you start trying to delete the spam you're already receiving, is there anything you can do to prevent new spam?
In order to send spam, spammers need email addresses. To date, the most common way for spammers to obtain valid email addresses has been Web page harvesting--the use of specialized automation software called "spambots" to scan thousands of Web pages and save all the email addresses that can be found. Spammers continue to develop nasty new ways to get your address, but publishing your email address on a Web page is still the easiest way to get attention from spammers.
Anytime you publish an email address on a Web page, you should take steps to protect it from being harvested by spammers. There are several ways you can protect your email address, ranging from the totally useless to the reasonably effective.
- Try to obfuscate the characters of your email address. Some people paraphrase their email address--spelling out "at" and "dot com"--or insert extraneous characters intended to trip up spambots. Not only do such techniques look unprofessional, they provide very little protection. Any decent spambot can decode them and get your actual email address.
- Create a robots.txt file to keep spambots away. The robots.txt file is a file you can place on your server to specify how automated software should be allowed to access your pages. But adherence to robots.txt guidelines is wholly voluntary. Legitimate Web crawlers will honor a robots.txt file, but spambots don't care. Simply posting a "No mosquitoes allowed" sign on your patio will not guarantee a pleasant barbecue.
- Encode your email address with HTML entity codes. Every keyboard character has an ASCII number equivalent that can be specified on a Web page in lieu of the actual character. Browsers automatically convert the code to the required character, but spambots, it was assumed, do not. In fact, spambots figured out this trick a long time ago, so changing the @ character into &#64; doesn't offer any protection.
- Render your email address with a server-side script. All server-side scripting environments allow you to ask for the name of the browser program. You can choose to block access from known spambots or unrecognized browsers. Unfortunately, most spambots spoof their credentials and claim to be the latest version of Netscape Navigator, so you're not fooling anyone with this trick.
- Render the text of your email address in an image file. Don't type your email address into your Web page or link to a graphic file that is an image of your email address. Spambots are unlikely ever to implement graphics-to-text converters, so this method is a pretty sure-fire way to prevent harvesting while still making your address readable by most users. But the graphical approach has disadvantages. Your email address won't be readable by visually-impaired users or users with certain browsers, including some wireless devices. It is not possible to create a clickable email address link with this tactic since the HTML code for the email link would be vulnerable to harvesting. And a graphically rendered email address may be more difficult to maintain, especially when many email addresses are involved. You might be able to alleviate some of the maintenance problems by creating a single graphic of an @ symbol and using that, in combination with text, to produce a readable email address.
- Render your email address with a JavaScript. You can create a very simple JavaScript that any modern browser program can effortlessly convert into an email address but which looks like gibberish to most spambots. In its simplest form, your JavaScript might look something like the following:
<script language="JavaScript">
document.write( "jim_smith" );
document.write( "@" );
document.write( "matterform.com" );
</script>
When interpreted by a JavaScript-enabled Web browser, that script looks like this: jim_smith@matterform.com
JavaScripts like this are easy to write; you might even be able to automate their creation. The more complicated you can make the JavaScript, the less likely a spambot will ever be able to decode it. Numerous free Web sites let you instantly convert any email address to a reasonably obscure JavaScript, and a few companies (including mine) publish commercial software that can automate the process on multiple Web pages at once. If your JavaScript creates the right HTML code, you can offer your visitors a clickable email link, something not possible with other techniques described here.
The main disadvantage to JavaScript rendering is that the resulting email address and/or link is readable only by JavaScript-enabled browsers. Many wireless devices do not support JavaScript, and many desktop users disable JavaScript. Compatibility can be improved through the use of <noscript> tags, which allow you to display special content to non-JavaScript browsers. Just be aware that the contents of the <noscript> tag will be visible to spambots, so any information you put there must be protected. A graphically-rendered email address is a good choice for the <noscript> tag. It allows you to provide a text-based, clickable link to JavaScript users, along with a decent substitute for non-JavaScript users. (The email addresses on this page have been protected by my company's product, Spam Vaccine, which uses just this sort of JavaScript and graphic combination. View the HTML source to see how it's done.)
- Create contact forms instead of email links. By making a contact form that sends you an email, or stores messages in a Web-enabled database, you can keep your email address off the Web altogether. Just make sure you store the email address in the server-side script or CGI application that processes the form, not in the form itself, where it would still be vulnerable to spambots. If you do it right, you get complete protection. Your email address will be completely protected and completely hidden from any spambot. It requires additional setup time and expertise, which may be impossible if your Web hosting provider doesn't let you create custom scripts or CGI applications, or unfeasible if you have numerous addresses to protect. And you may decide that contact forms just aren't appropriate for your site. I have always felt that a real email address published on a Web page, along with a phone number and snail-mail address, goes a long way towards establishing credibility in the e-commerce world.
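The JavaScript-plus-noscript method described above, as an added example that is not the article's code or Spam Vaccine's: a generator that emits the client-side script together with an image fallback, storing the address only as shifted character codes so the page source never contains it. The shift value, the function names and the image path are assumptions of this example.

```javascript
// Added example, not from the article or from Spam Vaccine: emit a
// JavaScript-rendered, clickable email link with a <noscript> fallback.
// The page source carries only shifted character codes, never the address.

const SHIFT = 7; // constructed offset; the browser-side script subtracts it

// Encode an address as an array of shifted character codes.
function encodeAddress(address) {
  return Array.from(address, (ch) => ch.charCodeAt(0) + SHIFT);
}

// Reverse the shift. This mirrors what the emitted script does in the browser.
function decodeAddress(codes) {
  return codes.map((n) => String.fromCharCode(n - SHIFT)).join("");
}

// Escape HTML-significant characters before placing text in markup.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// The markup a visitor's browser ends up with: a clickable mailto link.
function buildMailtoHtml(address) {
  const safe = escapeHtml(address);
  return `<a href="mailto:${safe}">${safe}</a>`;
}

// Build the complete snippet to paste into a page. imagePath is a placeholder
// for a GIF of the address that non-JavaScript browsers will see instead.
function generateProtectedSnippet(address, imagePath) {
  const codes = JSON.stringify(encodeAddress(address));
  const script = [
    '<script type="text/javascript">',
    `  var c = ${codes};`,
    `  var a = c.map(function (n) { return String.fromCharCode(n - ${SHIFT}); }).join("");`,
    '  document.write(\'<a href="mailto:\' + a + \'">\' + a + \'</a>\');',
    "</script>",
  ].join("\n");
  const fallback =
    `<noscript><img src="${escapeHtml(imagePath)}" alt="email address (image)"></noscript>`;
  return script + "\n" + fallback;
}

// Check the emitted page text the way a harvester reads it: the literal
// address, and even a bare "@", must be absent from what is sent to the client.
function leaksAddress(snippet, address) {
  return snippet.includes(address) || snippet.includes("@");
}

// Stand-alone run: print the snippet and the leak check for a sample address.
const sample = generateProtectedSnippet("jim_smith@matterform.com", "/images/address-placeholder.gif");
console.log(sample);
console.log("leaks address:", leaksAddress(sample, "jim_smith@matterform.com"));
```

Run the leak check against the rendered HTML as well as the snippet: the rendered link contains the address and fails it, which is exactly why the address must only ever appear after the script runs in the browser.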
Anti-Harvest Measures
Setting aside the first four methods, which don't work, what anti-harvest measures would work best on your Web site? If you have a casual, personal Web site, a simple GIF image file displaying the text of your email address is a simple and certain way to escape the attention of a spambot. Your site may require a more professional solution. If compatible with the overall design of your Web site, custom contact forms provide unbeatable protection, but they can be time-consuming to set-up and don't usually work well with long lists of email addresses such as might be found in a staff directory. For situations like this, a JavaScript solution may be your best bet. While not totally spam-proof, JavaScript protection is reasonably effective, scalable and maintainable. Just make sure you provide some way for non-JavaScript browsers to get your email address or alternate contact information.
Will anti-harvest measures reduce the amount of spam you receive? Not anytime soon. If you already get lots of spam, don't expect it to disappear overnight just because you've scrambled your email addresses with JavaScript. However, anti-harvest measures are a must for any new email address. Whether you're putting a new employee's address on the company directory, creating a Web site for a new business, or adding a contact point for a new product or service, you should never publish a new address without implementing some anti-harvest measures. Harvest deterrence should be standard practice for all Web sites and all Webmasters.
New email addresses can stay spam-free for a long time if you simply take some precautions against harvesting. Of course, you also need to be aware of how you use the new address. Don't type it into other Web sites or into Usenet discussion groups. Keep throwaway addresses on hand for those occasions or type out the URL of a spam-protected Web page. Don't allow employees to use their business email address for personal purposes; offer them a free personal account on your mail server that can be kept separate from the business account, or insist that they get a personal account elsewhere. And don't publish personal addresses at all if you can avoid it. Instead, publish department addresses, which can be redirected when new staff come on board and abandoned entirely and replaced if they start to get bogged down in spam.
Protecting email addresses on your Web site will prevent most new spam, but there are other ways spammers can get your address. Other ways to protect the privacy of your email address include the following:
- Don't give out your address unless you have to. Whether it's an online business or a brick-and-mortar business that's asking you, phony addresses, throwaway addresses and outright stubborn refusal are your best protection.
- I don't really have to remind you, do I, that you should never reply to a spam or use an unsubscribe link. If it's something legitimate you really remember signing up for, you can probably sign off, but don't believe the dirt balls who tell you that you asked for their spam.
- Don't even open or preview spam unless you know that your email program is configured not to auto-load images and other rich media content. Not only does this expose you to graphics you'd rather not see, the images themselves can be configured to trigger a script on a spam server that marks you as someone who reads spam. This nasty trick is called a WebBug and is becoming more and more common.
- Don't use your primary address when registering a domain name. Spammers can look up domain name records and steal the email addresses of the administrative, technical, and billing contacts. When registering a domain, use an email address that you've set aside for nothing but domain name registrations. It will still get spam, but it will be separate from the rest of your mail and easier to deal with.
- An unusual, unguessable email username can't hurt. Because spammers send out junk to randomly chosen addresses, a common username gets way more spam than an unusual one. You may want to consider disabling any wildcard email addresses that forward anything, including lots of spam, right to your personal account. Also, you should be aware that some domains have worse spam problems than others. Hotmail is notorious for the amount of spam their addresses receive, but Apple's .Mac service goes largely unnoticed by spammers.
- As far as I know this hasn't happened yet, but it's only a matter of time before spammers figure out how to use viruses to harvest email addresses. You could be put on a spam list not because you got a virus but because the cousin who forwards all those chain letters to you got a virus and you were in her address book. It will be a technical challenge to deliver the email addresses to the spammer without leaving a trail for law enforcement to trace, but you can bet that spammers are working on it right now.
- The big and dirty spammers are beginning to use a technique called "Directory Harvest Attacks" to obtain valid email addresses. This allows them to steal addresses right from your service provider's mail server. I don't have room here to discuss counter-measures, but you should make sure your system administrator or Internet service provider is taking steps to protect your email addresses from these attacks.
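The WebBug item above describes remote images that report back to a spam server when a message is previewed. As an added example that is not part of the article, here is the kind of check a mail client or filter can run over an HTML body to find remote images and flag the ones that look like tracking pixels; the heuristics, function names and the constructed sample message are assumptions of this example.

```javascript
// Added example, not from the article: flag remote images in an HTML mail body
// that look like tracking pixels ("WebBugs"). A client that does not auto-load
// remote content defeats them; this is the kind of check such a client makes.

const IMG_TAG = /<img\b[^>]*>/gi;
const ATTR = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse one <img ...> tag's attributes into an object with lower-case keys.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Reasons a remote image looks like a tracker; an empty list means it just
// looks like ordinary remote content (still a privacy leak when auto-loaded).
function trackerReasons(attrs) {
  const reasons = [];
  const src = attrs.src || "";
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if ((w <= 1 && h <= 1) || /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "")) {
    reasons.push("invisible");
  }
  // A long opaque value in the query string identifies the recipient.
  if (/[?&][^=&]+=[A-Za-z0-9_-]{12,}/.test(src)) {
    reasons.push("per-recipient token in URL");
  }
  // The "image" is served by a script rather than a static file.
  if (/\.(php|cgi|asp|aspx|pl)$/i.test(src.split("?")[0])) {
    reasons.push("script endpoint rather than a static image");
  }
  return reasons;
}

// List every remote (http/https) image in the body with its tracker reasons.
// cid: and data: images are embedded in the message and do not phone home.
function findRemoteImages(html) {
  const found = [];
  for (const m of html.matchAll(IMG_TAG)) {
    const attrs = parseAttrs(m[0]);
    const src = attrs.src || "";
    if (!/^https?:\/\//i.test(src)) continue;
    const reasons = trackerReasons(attrs);
    found.push({ src, reasons, suspicious: reasons.length > 0 });
  }
  return found;
}

// True when at least one remote image carries a tracker signal.
function hasLikelyWebBug(html) {
  return findRemoteImages(html).some((img) => img.suspicious);
}

// Constructed sample message body; the hosts are fictitious.
const SAMPLE_HTML = `
<html><body>
<p>Unbelievable offer inside!</p>
<img src="cid:logo123" width="200" height="60" alt="logo">
<img src="http://img.example-spam.test/track.php?u=a1b2c3d4e5f6g7h8" width="1" height="1">
<img src="https://cdn.example.test/banner.gif" width="468" height="60">
</body></html>`;

console.log(findRemoteImages(SAMPLE_HTML));
console.log("likely WebBug:", hasLikelyWebBug(SAMPLE_HTML));
```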
Final Thought
Unfortunately, the only way to become perfectly and permanently invisible to spammers is to become invisible to everyone else. Close your email accounts, and stay off the Net and the spam will disappear like magic. If that's not an option for you, though, spammers will find you from time to time, no matter what you do. Nevertheless, prevention remains an important part of any anti-spam strategy. Once you've patched the serious privacy leaks that are opening you up to lots of spam, you'll be ready to get serious about identifying and deleting existing spam, and that will be the topic of our next article.
Michael Herrick is the president of Matterform Media, a small software development company, and the lead developer of Spamfire.
Return to Mac DevCenter.
- Eat Spam (2003-11-18 18:12:20, anonymous2)
The email system isn't broken, email addresses don't need to be fixed. It's the abusive users of the system that should be authenticated. http://spameater.com/
- 7. Create contact forms instead of email links (2003-10-05 23:16:23, anonymous2)
I'm using the Contact form service in order to create these forms. It's a very useful service for providing a contact form without CGI or PHP scripting.
- anti spam tips (2002-12-26 21:14:45, anonymous2)
Check out the Maximum PC of January 2003, pages 28 to 38. Very good tips, and no, I don't work for the magazine.
- New Anti-Spam Mail-System (2002-11-13 14:41:36, anonymous2)
A perfect solution for the future against spam would be to introduce a new mail protocol. In this new mail protocol a user would have to pay to send an email (but not for receiving them). The amount of payment for each mail can be quite small (even less than a dollar cent). Because spammers always send mails in very large quantities they will quickly run into large amounts of money. However, almost all standard users only send a limited amount of mails a year (less than 1000).
Disadvantage is that all mail programs will have to be updated for using this protocol. And that every user will have to open an account and transfer some money to it. But I would gladly pay a few dollars to be rid of spam forever!
- Mail.app filtering (2002-11-11 08:32:24, anonymous2)
It seems to me that the new spam filter built in to Mail.app that does syntactic analysis is sufficient; my spam volume is not huge, but it does filter a couple dozen spams a day, only missing one or two. It hasn't given a false positive since about a week after I got it, either.
- Spam, Spam, Spam (2002-11-11 01:06:04, anonymous2)
I have several web based e-mail accounts. Excite and Yahoo are the two I use. Of these two the Yahoo account gets quite a large volume of spam. The Excite account is mostly used for ordering and registering items, it gets spam but not near the amount of the other.
Both accounts have spam fighting capabilities, mine are used and are maxed out for the number of filters that they can have. Yahoo has a 15 filter limit and I just saw that I can block up to 100 addresses (something else to set up). Excite has 11 filters and unlimited address blocking.
One address I will add to both is hotmail. This service seems to have the most spammers. Since no one I know sends me anything originating from a hotmail account I will reject all mail from that domain. I'll have to read up on how messages are rejected, not sure if the mail is bounced or just goes pouf.
My ISP is Adelphia and I get very little to no spam there. Of course that address isn't used or disseminated as much as the web based ones are.
I use Mail as of mid October, before that it was OE. Both have extensive filters. I employ the use of both positive and kill filters.
My .mac account has been getting spam from basically one source. I'm not sure if the real domain is peoplepc.com; that is the address that is viewable. I have tried to bounce over ten of these mailings and all have been returned with an error from the .mac server stating that it was undeliverable. Bouncing has never worked for me.
I have recently started using Spam Cop. I'm using the free service and haven't used it long enough to be able to report a yea or nay on its effectiveness.
- Free Javascript encoder and filtering "service" - no software... (2002-11-10 10:11:03, anonymous2)
We offer a free Javascript encoder that guarantees that nobody will be able to decode it with a spambot. It encodes the length of your email address right into the encoded address. This will prevent any spambot from decoding it.
http://www.CleanMyMailbox.com/free.html
Also, we offer the Internet's first and only anti-spam ASP that allows you to build a custom filtering solution that works no matter where you check your email. It's server-side, requires no software to install, and no mailbox or MX record changes. Free trial at:
http://www.CleanMyMailbox.com
- Apple Laptop Keyboards Unsuitable for Unix Users (2002-11-07 23:12:06, anonymous2)
Apple laptops are effectively unusable for unix users.
I am a long-time Unix user. That means I need to have the Ctrl key to the left of the A key. This is a genuine need, not merely a want; it is based upon ergonomics. The Ctrl key is heavily used in unix, and it must be easily accessible. It cannot be off in the lower left corner of the keyboard where it is difficult to get at, and where it distorts the position of your left hand such that you can't easily type other keys while holding the Ctrl key down.
Apple desktop keyboards are now all USB. They are all OK. The CapsLock key can be re-mapped into a Ctrl key.
Unfortunately, even in this modern age, all Apple laptops have built-in ADB keyboards. The ADB keyboard is broken-by-design. It is, in general, not possible to remap the CapsLock key into a Ctrl key.
There are some exceptions, but they are horrible kludges. They are horrible kludges because the original design of the ADB keyboard was a horrible kludge. The correct solution would be for Apple to re-design their laptop motherboards to use built-in USB keyboards. This hasn't happened yet. If you run Linux, use Debian's solution. For Mac OS X users, uControl works. There are no solutions (that I know of) for either NetBSD or OpenBSD. Please note once again that the "solutions" above are in fact kludges, because of the original bad design of the ADB keyboard.
Apple provides a technical note on how to remap the keyboard, but provides no solution to the hardware problems caused by the design of the ADB keyboard. This tech note helps foreign language users, but does nothing for the CapsLock/Ctrl problem.
Apple is (currently) ignoring Unix users! This is not merely speculation on my part. In an on-going email exchange I am having with an Apple employee (whom I won't name) in their marketing department, the Apple marketing person directly stated to me that Apple was catering to their historic Mac customers, and is purposely ignoring the Unix market. He also claimed that Apple would soon start paying more attention to the Unix market. I won't hold my breath. Apple has been ignoring Unix users for more than 12 years. I expect that trend to continue. (Also note that my Apple contact indicated that Macs would never ship with a 3-button mouse, even though Apple intended to port almost all X-window software and deliver it either on a CD/DVD or installed directly on each Mac's hard drive. How Unix friendly is a 1-button mouse with X programs that often require 3 buttons?)
Apple has now lost two opportunities to sell me hardware. I really wanted an Apple laptop for their superior battery life, and for the PowerPC with Altivec CPU. (The Altivec is vastly superior to the x86 line for DSP.) Because I can't live with the broken-by-design built-in ADB keyboard in all Apple laptops, Sony and IBM sold me laptops instead. If Apple fixes this problem, they will sell me a PowerBook next year; if they don't, I'll still be running OpenBSD on x86 hardware, and wishing I could use a Mac.
- Why laws aren't needed (2002-11-07 10:24:43, matterform)
While I support anti-spam legislation, I think technical solutions will improve to the point where people lose interest in legal solutions. Do not imagine that techniques like address obfuscation and content filtering have no effect on spammers. One spammer recently complained "My operating costs have gone up 1000% this year" trying to defeat anti-spam efforts.
Once everyone is using good, adaptive technology to eradicate spam automatically, spam will cease to be a worthwhile business. Already, spamhouses tell their customers that they can reliably deliver only to 50% of the addresses on their list. That number will continue to shrink. Because nobody is willing to wait for politicians to figure out what to do about the problem.
- to expand on arkham99's response (2002-11-07 05:09:32, anonymous2)
i always use company@mydomain.com when filling out web-forms - if they sell the list of addresses, i know who's responsible.
and mail.app's bounce to sender is a god-send - i automatically bounce all spam, and within a couple of weeks went from tens a day to a couple a day.
- A Free Encoder and JavaScript Wrapper (2002-11-06 11:55:52, anonymous2)
Seems to do the same thing that SpamVaccine does (wrap encoded text in JavaScript) but it's free.
http://hivelogic.com/safeaddress/
You can even download a Mac version!
- Legal Solutions Can Help but no Panacea (2002-11-06 05:16:34, anonymous2)
Many factors motivate spammers, but a principal reason for spamming is to make money, directly or indirectly. In this sense, it is not at all the source of the spam that is at issue, but rather the sink of the money. If illegal spam promotes the sale of goods or services, and there is a venue to place the money, a legal system can seize the money, punish the offenders and provide at least some disincentive.
True, there will always be people who care not about the law, or will find ways to skirt it. But even a mild amount of friction can significantly reduce the mass of spam. The trick is not to make spam free to send. Just a little friction can make a lot of difference.
True, there will always be risk of first amendment and free speech violations in spam regulation. But it need not be so -- effective spam regulation can be obtained merely by making it illegal to lie about the spam. Consider one modest proposal.
- Other options (2002-11-05 09:14:59, arkham999)
There are some more active things you can do.
1) Create a separate email for spam. I have my spam2@theresistance.net address. I use that for any web forms I need to fill out. Then treat that mail very suspiciously (route it to a separate folder if it makes it through the spam filters).
2) All my mail gets spam-filtered three times before I see it (first by Eudora Internet Mail Server's black list, then by Spam Assassin, then finally by Mail.app's Bayesian filter). Of the 50+ spams I get a day, maybe 1 or 2 get through.
3) Bounce any spams that get through. Some spammers use a real return address to know which emails bounce and which get replies (to make their lists better). If you bounce the spams you get (Mail.app does this for you with the click of a button), you may be able to reduce your exposure.
- legal system cannot fix spam (2002-11-05 07:32:04, anonymous2)
The legal system cannot fix spam. The only thing a comprehensive law against spam in the US would achieve is an increase in the amount of spam I receive from .ru (Russia) and other countries. I don't even waste my time with that. It would be nice to at least see legislation that requires all unsolicited mail marked as such, and at least for it to be illegal to spoof the from and reply-to addresses, but even that won't stop spam.
- One solution - change countries (2002-11-03 14:39:16, anonymous2)
Obviously spammers are primarily interested in North America. I have had my email address available for all to read for the last 5 years on our web site at www.casa.gov.au. I also get all our webmaster@ emails. On an average day, I get less than 10 spams.
I'm not indiscriminate in handing out my email address to web sites but I don't hesitate if I trust the site.
Presumably a .gov.au address is just not a prime target for most spammers.
- It won't work (2002-11-02 09:25:00, anonymous2)
The whole idea of using your email address as a password permitting others to send mail to you simply is misguided. It contravenes everything that security people know about effective password schemes. We need to destroy spammers and the ISPs that collude with them, using the legal system. That will take time, but in the end, it is the only thing that will have a lasting effect.
I want to add my two cents to this discussion - I just want to suggest the spam-blocking mail client that I use - I use gafana.com as a mail client and I have no problems with spam.