3 Strategies for Getting (Almost) No Spam December 7, 2006
Posted by TimTheFoolMan in Computers, Digital Identity, email, IT Security, Science & Technology, Spam, Technology.trackback
I have several close friends and co-workers who are fighting an apparently hopeless battle against unwanted e-mail, typically referred to as “spam.” In sharp contrast, I get virtually no spam at all.
Why the huge difference? Why are my co-workers and friends swimming in the stuff, and I go through the day relatively spam-free? Here are the three things that I do. What differentiates me from my co-workers and friends, is that they do only one or two of these things. The key is to do all three.
1. Protect Your Address
When I first started using the Internet, my e-mail was through CompuServe. At first, I could only send messages to other CompuServe users, but eventually, they opened up a gateway, and I could (with some difficulty) send messages to AOL users, and eventually, to every other major messaging provider.
Back then, I published my e-mail address everywhere. I wanted people to send me messages because it was so… well, geeky and cool. I could see, within minutes, messages from across the country. As I moved into a role that required me to have more communication with the general public, and my e-mail address (at that point, no longer CompuServe, but hosted by a regular Internet Service Provider, or ISP) became more broadly known, and I started getting a lot of e-mail, but virtually all of it was generated by humans that just wanted to communicate with me.
That was then. This is now. At the present time, publishing an e-mail address on any web page in the canonical form of address@provider.com is just a bad idea. Automated programs crawl the web, constantly searching for any potentially valid e-mail address, throw those addresses into a list, and sell the list to people who want to engage in mass mailings. (I’ll skip the part where these people are sentenced to Hell in the afterlife, where they are required to respond, individually, to every copy of every e-mail they ever sent, or had sent by a proxy.)
As of this writing, none of these automated programs have ever discovered my primary work e-mail address. I never, ever, ever publish that address in any public place. If I am asked for an e-mail address, I give another address (more on that in a second). Interestingly, they’ve never discovered my primary home e-mail address either, for the same reason.
“What?” you may ask, “You have two e-mail addresses?”
Well, no. Actually, I have (I had to stop here and count them) seven. Why? That’s strategy number two.
Before I get to the details of that, I can imagine you’re saying, “But Tim, that won’t work for me. I have to put my e-mail address on my company’s web page so customers can contact me.”
Really? Is it absolutely necessary? If for some reason the answer is “yes,” then you can deal the automated “mail sniffers” by making your address readable to a human, but very difficult for a machine. For example, I could put:
Bob Smith
Director of Intergalactic Sales
(555) 555-5555 Cell Number
(555) 555-1212 Information Number
(666) 666-6666 Number of the Beast
bob.smith at bigcompany dot com(replace “at” with “@” and “dot” with “.”)
As you can imagine, there are lots of variations of this. If you can’t use this approach, then you can either resign yourself to dealing with a huge amount of spam, or you can move to strategy number two.
2. Use Different Addresses
As noted above, I have seven different e-mail addresses. Why seven?
The first is my home e-mail, where I communicate with friends and family. I may share this with a bank or other institution, but only if I have a high degree of confidence that their privacy policy is solid (you do read those, don’t you?) and that they can be trusted with that type of information. In general, I don’t give my home e-mail address to anyone I wouldn’t trust with my social security number. (And based on news stories of laptops being stolen and lost with thousands of S.S. numbers, the number of people I trust with this data is going down quickly.) This address contains my real name, which is one of the reasons that I don’t publish my last name on this site. (The other is the plausible deniability that it gives to my sons when I tell stories about them.)
Before I go on, I should point out that I get nasty when people CC me on “please send this on to everyone on your list” e-mails. It doesn’t matter to me what the cause is, how heart-wrenching the plea, or how noble the theology, I won’t send chain letters. They do nothing to glorify God, waste bandwith, and waste my time. Even more annoying, these messages are almost always rooted in urban legends. Lastly, there’s no telling where my e-mail address goes when someone tosses it into a CC list along with “dozens of their closest friends.”
The second address is my work e-mail, where I communicate with business associates. I protect this address using the techniques as stated above. Recently, we changed the hosting of my company’s e-mail. Suddenly, everyone else started getting spam. Well, everyone but me. My inbox remained completely spam-free. Zero. Nada. My co-workers were seeing spam that had previously been blocked by our ISP. With the change in hosting, we lost the previous filtering, and viola’, spam returneth.
Recently, the flood of spam stopped hitting my co-workers inboxes. I’m testing, but I believe we have put a “validated senders only” filter in place. This is a solution, of course, but a draconian one. If a new customer tries to contact us, their e-mail will hopefully bounce. (I said “hopefully” because it remains to be seen if we will bounce them back a “You are not an authenticated sender” message, but that runs the risk of validating the address to a spam-sending program, which will likely result in even more mail hitting this address, making the flood even bigger than before.)
The third and fourth e-mail addresses are my all-purpose, send-it-anywhere, don’t-care-who-sees-it, don’t-care-if-its-on-the-web address. These addresses are hosted by Yahoo. This is related to strategy number three.
Address number five is hosted by my home ISP, is not my real name (it’s a nickname), and uses the same prefix as one of my Yahoo addresses. It’s not hard to guess what this nickname is.
This fifth address is what I use when I want to allow someone to contact me, or need to validate who I am, but don’t yet trust the other party. For example, if I want to download a trial version of an application, I’ll use this address. As with my home e-mail, number five is not published anywhere. Interestingly, I get almost no spam to this address either, in spite of me submitting it in various forms, use it with Ticketmaster, and other online services.
Address number six and seven are tied to my cell phone. If you think I’m paranoid about my home e-mail address, you should try to get one of my cell phone e-mail addresses. I protect this the same way I protect my cell phone number, which is to say that I very rarely give this out. Work contacts may receive my number via e-mail, but they are definitely not going to get this by looking it up on a web page. Fortunately, only one of the e-mail addresses (the one for text messaging) is easy to discern from knowing my number. The other, is kind of munged from parts of my name. Regardless, I don’t want spam on my phone, so I protect them
3. Let Someone Else Deal with It
Yahoo spends lots of time figuring out how to filter spam. It’s important to their business. Their business is, in part, e-mail hosting and communication services. They are going to be pretty good at this, arguably much better at it than I could hope to be. (One of the reasons my company e-mail didn’t see much in the way of spam before is that we used Yahoo’s business services to host our e-mail, and interfaced to it via POP3 and SMTP. We moved away from this for various reasons, but I was not part of that decision.)
By now, you’ve probably figured out how to send the message to my Yahoo address. That’s ok. That’s not my problem… it’s Yahoo’s. By using a Yahoo-hosted account, I have handed off responsibility for dealing with spam to someone who is much better at it, has more resources to deal with it, and has the capacity to get hit with massive floods of e-mails that would cripple a small or medium-sized ISP. (I don’t want to even think about self-hosted e-mail accounts having to deal with what is effectively a denial-of-service attack when a barrage of spam hits one or more accounts.)
Using Yahoo (or MSN, or GMail) is an effective way to balance the need for having a public e-mail address, but not having to deal with the spam problem that goes along with it. Used in concert with the previous strategies, you too can remain spam-free.
By the Way…
One last thing. If you absolutely have to host POP3 and SMTP servers at your business, consider filtering out (as far upstream as possible) all HTML-formatted e-mail. There is a strong correlation between HTML e-mail and spam, for a number of geeky technical reasons. Suffice it to say that most of the time, HTML e-mail is superfulous, and asking your friends and co-workers to send plain text e-mail isn’t that much of an inconvenience. (Steve Gibson of GRC, filters his e-mail accounts this way, and bounces back a “please use plain text” message as an auto-response.)
Oh, and one more thing. I lied. I’ve got a GMail address too. 😀
A Fool and his Words are Soon Parted 
These are excellent suggestions. And I think Dante would approve of your suggested spammers’ fate.
Great ideas! I’ve been using all three myself for years now, they SHOULD be intuitive, but it’s amazing how many people just don’t get it.
PS- It’s terribly ironic that I have to enter a valid e-mail address to post this message, but fortunately I can use my ‘generic internet use’ one!
[…] and as an afterthought, this post is very good too. Possibly related posts: (automatically generated)No Title3 Strategies for Getting […]