Prevention - Address Circulation
November 5, 2006
This is a summary document,
consolidating information from our various articles.
Please distinguish SPAM
from SPAM reaction
(filtering, etc.) The former is highly effective and effortless. The latter is
laden with adverse side-effects, demands perpetual on-going efforts &
expenses, and often is a "cure" worse then the disease, for all but the
address is ruined, it can never be recalled from circulation, and one
must resort to increasingly aggressive filtration and suffer the
implied consequences, or start anew (yet again)!
How SPAMmers obtain your email address:
Public Records (strangers scouring/harvesting)
- Worldwide Whois databases (domain registrant contacts)
- if you're not using private registration, domain contact emails are
- in addition, all easily guessable addresses such as: admin@,
webmaster@ are routinely being used. Some even use dictionary attack to
sequentially try all common first names, in carpet-bomb fashion.
- Your own web site:
- plain text displaying actual email addresses
- Plain text <mailto:> tag (although it's hidden to human
- V-Cards (.vcf files) for public download
- subtle leaks, despite your active measures
- Graphics rendition of email address (can still be extracted via OCR)
- From/Reply address in acknowledgement email for submissions
- Subsequent replies by you to web form "inquiries"
- inadvertent open directories
- Use of ISP-provided, or other free hosting space. The
sub-domain/directory names gives away your account name, which is
also your email address. Often the providers of free space actively
publicize & circulate the directory, to increase
traffic and boost revenue.
- Professional organization membership records
- Government records
- Bulletin board/forum membership records and activities
- ISP or Portal site user profiles and/or directories
- Vendor directories (if you're a representative/affiliate)
- Your recruitment ads in newspapers and web sites
- email addresses used in Ebay/Paypal or other similar transactions
Legitimate Correspondents Leakage (your friends caused it)
- Forwarding your email to others,
leaking to all downstream generations.
- Listing your address in open To/CC (not BCC) when sending jokes,
- Their systems compromised by spyware/worm/virus, with
- They voluntarily provide your address to qualify for "free
- They add you to the "notify/invite" list when they join a
free "social network" (Ringo, Bebo, MySpace, Facebook,
- They sent you a greeting card from a "free service" site.
- Your friends/associates use a commercial mass email
service to SPAM you about their events/services. The mass
email service provider then capture the list for their own use and to resell.
Social Engineering (you voluntarily provided it)
- Subscription to rogue "newsletters" or web
- Phishing schemes via email and web sites.
- Strangers calling your front desk requesting email
addresses for individuals.
Breaching Your System (statistically, this is the least
- Targeting your systems/network and take advantage of
- Compromise your system by spyware/worm/virus and/or
- harvesting data by scanning your hard drive
- planting key-logging software/device
- Carpet bombing, guessing address by sending to
numerous names at your domain
- such probing tactics can be defeated only by a "blackhole"
(non-notification of "unknown user") policy
What To Do:
You can prevent SPAM by addressing each and every one of the above
causes. Each path of leakage has a corresponding effective counter-strategy. To summarize:
- Use primary email address only for
correspondence, with the few selected
key correspondents (clients, key
Create (multiple) "disposable" email
aliases to be given out to all others.
- Systematically retire aliases as needed,
notify senders on a selective basis.
- Use private domain registration (use
registrar as proxy).
- Refrain from mass forward, and
always use BCC, not To/CC.
- Do not allow your primary address to
be on a "forward list" for jokes, etc.
security best practices on your own
- Most web developers are not familiar
or even aware of this
- Designers tend to focus on
appearance and "features"
- Typically, you must provide your own
expertise (or out-source)
- A multi-discipline team of experts
ensures all aspects are addressed
- Arrive at a sensible, balanced happy
medium: budget, features, usability &
ergonomics, appearances, etc.
- At least comply with all basic "must
haves," and "must-avoids"
- Exercise common sense when joining
- List contact page (web form) instead of email, on vendors' directories.
- Establish formal defensive policies
regarding giving out email.
- Establish tracking mechanism (for