I used to get something like 600 to 700 spam emails.. a day! Hopefully you don’t get that many, and I’ve managed to whittle mine down to four or so a week. This article begins a 3-part series of how I managed to collect so many spam, and how I was able to throttle the deluge. We’ll start with how spammers get email addresses in the first place.
These days you get on a spammer’s list a couple ways: your address gets guessed by a spammer, or it is compromised. Webster says compromise means to reveal or expose to an unauthorized person and especially to an enemy. It can be compromised “accidentally” by one of those “typhoid” friends we’ve roasted previously or a virus on your computer, or because you’ve been tricked into giving it away by a cybercrook technique called “phishing” (pronounced “fishing”, a topic for a future article). Finally it can be compromised not-so-accidentally because your email is published on a webpage or in association with a domain registration.
If your address is easy to guess, that can become a major source of spam. Spammers use a “dictionary list” of names to add to the domain, which include common names. Bob@mydomain.com is a common name and would be targeted. Bob.Hope@ mydomain.com is harder to guess, and bobcomedian@ mydomain.com is harder yet because they combine the common name with parts that are not common. People like myself who operate internet domains can become targets for this type of spam, because often the “dictionary list” will include things like “admin” or “webmaster – names that are commonly used in association with a domain. I recommend making sure email addresses are not easily guessable.
The last compromise is the not-so-accidental vectors such as being published on a webpage or through a domain registration. Publishing your email address on a webpage means you’ve had your address included on a webpage that is “visible” to a search engine such as Yahoo or Google, which means there is a link to the webpage on websites or web pages that the search engine already has indexed. This is actually a quite common practice; after all you want people who see your web page to be able to reach you, yes?
Sometimes having your email published is quite unintentional on your part, for instance you may be on a committee, and your organization webmaster publishes your email address on the organization website – which is why I recommend that churches and other organizations include in their internet policy (your organization has one, right?) a requirement that personal information like phone numbers, physical addresses and email addresses must be on pages that are password protected – pages that the search engines can’t index because they require a username and password to access the page. I use this technique for several websites I host.
Next week we’ll continue the discussion of not-so-accidental compromise vectors.
[...] may remember the discussion of using “throwaway” email addresses in both the “Can the Spam” and “Free Email” series. This is another technique that is helpful in [...]
Pingback by Gone Phishing « WizGidget — July 21, 2010 @ 2:28 AM