WizGidget

April 29, 2010

Can the Spam Part 2

Filed under: Belton Journal, Tips & Tricks — pmckinley @ 12:00 AM

Last week we were discussing having an email address compromised by having it published on a website.

The problem is that if an email address is published on a webpage that the search engines can find, then the cybercrooks can find ’em too, with a tool called a web-crawler. I’ve had an address compromised this way within 2 weeks of being published! They’ve gotten pretty crafty about it, too. I used to use a simple technique to fool the cybercrook web-crawlers – I substituted the “@” of the address in the HTML code (“HTML” is the programming language of web pages that defines how they look) with the characters “&#64;”, which web browsers translate into an “@”. So the web-crawlers saw bobcomedian&#64;mydomain.com instead of bobcomedian@mydomain.com and didn’t recognize it as an address. Unfortunately this obfuscation no longer works. There are other techniques that involve using a browser-based programming language called JavaScript, but I suspect those techniques will also become ineffective eventually.

The only way to really spam-proof a public web page is to use a webform that includes some form of “captcha” or “turing” test. You’ve seen these before, I’m sure; often they’re some goofy image of random characters or numbers, designed to fool character recognizers, that you have to translate and copy into a text box. You can see a homegrown example of this in the “Contact Us” page at www.wizgidget.com/contact.html.
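To see why the entity substitution described above stopped working, here is an added example (not code from the original column) that audits a page's source for addresses that remain recoverable once character references are decoded the way a browser decodes them. The sample pages, the addresses on mydomain.com and the function name are constructed for illustration.

```python
import html
import re

# Simple address pattern for auditing; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample page source (hypothetical addresses on a placeholder domain).
SAMPLE_PAGE = """
<p>Webmaster: <a href="mailto:admin@mydomain.com">admin@mydomain.com</a></p>
<p>Chair: bobcomedian&#64;mydomain.com</p>
<p>Treasurer: bob.hope&#x40;mydomain.com</p>
<p>Secretary: webmaster&commat;mydomain.com</p>
"""

# Constructed page that offers a contact form and publishes no address.
FORM_ONLY_PAGE = """
<form action="/contact" method="post">
  <textarea name="message"></textarea>
  <input name="captcha_answer"><button>Send</button>
</form>
"""


def exposed_addresses(page_source):
    """Map each address recoverable from the page source to how it was exposed."""
    findings = {}
    # Addresses readable straight from the raw source.
    for addr in EMAIL_RE.findall(page_source):
        findings[addr.lower()] = "plain text"
    # Decode character references exactly as a browser would, then look again.
    for addr in EMAIL_RE.findall(html.unescape(page_source)):
        findings.setdefault(addr.lower(), "entity-encoded")
    return findings


if __name__ == "__main__":
    for addr, how in sorted(exposed_addresses(SAMPLE_PAGE).items()):
        print(f"{addr:32} {how}")
    print("form-only page:", exposed_addresses(FORM_ONLY_PAGE) or "nothing to harvest")
```

Run against your own pages before publishing: any address it reports is one line of decoding away from plain text, while the form-only page exposes nothing.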

It is also possible to spam-proof a page by making it less-than-public. Web pages can be password-protected, which means that you have to enter a username and password to get to any pages beyond a point in a website. This works fairly well for organizations, because the username and password can be distributed to members so the information is still freely available to the organization but unavailable to cybercrooks.

Another way is to have a page that isn’t linked in anywhere – there are no webpages anywhere that contain links to the page that needs to be kept private. I call this “Security by Obscurity.” You don’t need a username and password, but you won’t find the webpage unless you know the “URL” – the web address.

The last means of not-so-accidental compromise is one that most people will never face: that of being a domain owner. When a domain is registered, the registration information must include the email address. AND, this information is not only public, but publicly available on the internet. So, all a cybercrook has to do is craft a computer program to go through all the domain registrations and collect email addresses. Voila! Instant spam list. Some of the registrars now have something in place called a “private” registration, which means the registrant’s information is kept private, but they charge extra for that service and I’m too “frugal” to spend my money on that. Instead, I use one of the tricks I use for dodging spam that I’ll discuss next week.

April 22, 2010

Can the Spam Part 1

Filed under: Belton Journal, Tips & Tricks — pmckinley @ 12:00 AM

I used to get something like 600 to 700 spam emails... a day! Hopefully you don’t get that many, and I’ve managed to whittle mine down to four or so a week. This article begins a 3-part series on how I managed to collect so much spam, and how I was able to throttle the deluge. We’ll start with how spammers get email addresses in the first place.

These days you get on a spammer’s list a couple ways: your address gets guessed by a spammer, or it is compromised. Webster says compromise means to reveal or expose to an unauthorized person and especially to an enemy. It can be compromised “accidentally” by one of those “typhoid” friends we’ve roasted previously or a virus on your computer, or because you’ve been tricked into giving it away by a cybercrook technique called “phishing” (pronounced “fishing”, a topic for a future article). Finally it can be compromised not-so-accidentally because your email is published on a webpage or in association with a domain registration.

If your address is easy to guess, that can become a major source of spam. Spammers use a “dictionary list” of names to add to the domain, which includes common names. Bob@mydomain.com is a common name and would be targeted. Bob.Hope@mydomain.com is harder to guess, and bobcomedian@mydomain.com is harder yet because they combine the common name with parts that are not common. People like myself who operate internet domains can become targets for this type of spam, because often the “dictionary list” will include things like “admin” or “webmaster” – names that are commonly used in association with a domain. I recommend making sure email addresses are not easily guessable.

The last compromise is the not-so-accidental vectors such as being published on a webpage or through a domain registration. Publishing your email address on a webpage means you’ve had your address included on a webpage that is “visible” to a search engine such as Yahoo or Google, which means there is a link to the webpage on websites or web pages that the search engine already has indexed. This is actually a quite common practice; after all you want people who see your web page to be able to reach you, yes?

Sometimes having your email published is quite unintentional on your part, for instance you may be on a committee, and your organization webmaster publishes your email address on the organization website – which is why I recommend that churches and other organizations include in their internet policy (your organization has one, right?) a requirement that personal information like phone numbers, physical addresses and email addresses must be on pages that are password protected – pages that the search engines can’t index because they require a username and password to access the page. I use this technique for several websites I host.

Next week we’ll continue the discussion of not-so-accidental compromise vectors.

April 8, 2010

Typhoid Part Deux

Filed under: Belton Journal, Tips & Tricks — pmckinley @ 5:00 PM

The “Typhoid Mary” article explained why it’s a Really Bad Idea to copy lots of people in the To: or Cc: of an email.  Recently a church friend made the comment “Just use a Mac, you won’t get the spam.”  That’s not exactly true and I’ll explain why.

Spam is not a PC or Mac thing, it’s an email thing.  The way people get spam is that their email address has been gathered or guessed by cybercriminals.  I say cybercriminal because there is a federal law against sending unsolicited email to zillions of people, and to distinguish them from people who simply have poor taste or moral stature.  So regardless of whether you use a Mac, PC or even one of those newfangled smartphones, if you use email you will get spam.

The traditional response to the deluge is to use a spam filter.  The filter can be on the email server or the “client” such as MS Outlook.  Regardless of where the filter resides, they work the same way – they look for terms or phrases the filter considers offensive, and if the email contains matches, the email is marked as spam.

End of story?  Not quite.  The filter isn’t intelligent; it makes mistakes.  You still have to go through the “spam” mailbox to fish out the wrongly accused “good” emails, and the filter doesn’t catch all the spam.  The cybercriminals have gotten creative about misspelling gender-specific anatomy and pharmaceuticals so that the spam filters don’t catch them.  Sometimes the misspellings are due to the author being from Rumania or wherever and no speaky engleesh.
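The two failure modes just described, shown as an added example that is not part of the original column: a term-matching filter wrongly accuses a legitimate message and misses a misspelled one. It goes one step beyond the text by folding look-alike characters back to letters before matching; the term list, fold table and messages are constructed for illustration.

```python
import re

# Constructed block list; a real filter's terms and scoring would differ.
BLOCKED_TERMS = {"pharmacy", "pills", "lottery"}

# Look-alike characters folded back to letters before matching (added mitigation).
FOLD = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a"})

# Constructed sample messages.
GOOD_MAIL = "Reminder: the parish pharmacy drive collects unused pills on Sunday."
MISSPELLED_SPAM = "Cheap p1lls from our online ph4rmacy, no prescription needed"


def matched_terms(text, fold=False):
    """Return the blocked terms found in text, optionally after folding look-alikes."""
    text = text.lower()
    if fold:
        text = text.translate(FOLD)
    words = set(re.findall(r"[a-z]+", text))
    return sorted(words & BLOCKED_TERMS)


def is_spam(text, fold=False):
    """A message is marked as spam as soon as any blocked term matches."""
    return bool(matched_terms(text, fold))


if __name__ == "__main__":
    print("good mail flagged:      ", is_spam(GOOD_MAIL))                   # false positive
    print("misspelled spam flagged:", is_spam(MISSPELLED_SPAM))             # missed
    print("after folding:          ", matched_terms(MISSPELLED_SPAM, True))
```

Folding closes the misspelling gap but does nothing for the false positive, which is why the “spam” mailbox still has to be reviewed by hand.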

Another issue is that, when you start to accumulate a lot of spam, it can start to slow down retrieving your email, especially if you’re on a slow connection.  Also if you’re getting email on a smartphone it’s impractical to get lots of junk email.  It’s too much work to slog through them, and just imagine your phone buzzing away back in the pew while you’re trying to serve Communion!  I was receiving 600-700 a day at one point.  I’ll explain why and how I solved the problem in the “Can the Spam” series.

So, back to the Mac thing.  What’s different?  I would agree that the Mac is probably a lot more secure than a PC running Windows – Microsoft is notoriously poor at security.  Also, I’d guess PCs with Windows outnumber Macs at least 10 to 1.  So, just like having a good lock on your door to discourage burglars, it’s easier and more fruitful for the cybercriminals to pick on the computers with swiss cheese for security.  A Mac is much less likely to get a computer virus and hence probably not the 1 in 20 whose PC is chugging out spam for the cybercriminals.  That’s the only difference with regard to spam.  You can still be Typhoid Mary with a Mac by copying all your friends on the To: or Cc: line.

You can link to this article at http://www.wizgidget.com/typhoid2
