From the desk of: Sam C. Chan

SPAM Prevention - Address Circulation

November 5, 2006 

This is a summary document, consolidating information from our various articles.

Please distinguish SPAM prevention from SPAM reaction (filtering, etc.) The former is highly effective and effortless. The latter is laden with adverse side-effects, demands perpetual on-going efforts & expenses, and often is a "cure" worse then the disease, for all but the most desperate. Once an address is ruined, it can never be recalled from circulation, and one must resort to increasingly aggressive filtration and suffer the implied consequences, or start anew (yet again)!

How SPAMmers obtain your email address:

Public Records (strangers scouring/harvesting)

  • Worldwide Whois databases (domain registrant contacts)
    • if you're not using private registration, domain contact emails are visible
    • in addition, all easily guessable addresses such as: admin@, webmaster@ are routinely being used. Some even use dictionary attack to sequentially try all  common first names, in carpet-bomb fashion.
  • Your own web site:
    • plain text displaying actual email addresses
    • Plain text <mailto:> tag (although it's hidden to human eyes)
    • V-Cards (.vcf  files) for public download
    • subtle leaks, despite your active measures
      • Graphics rendition of email address (can still be extracted via OCR)
      • JavaScript encoded <mailto:> tag (via decoding, extremely unlikely)
      • From/Reply address in acknowledgement email for submissions
      • Subsequent replies by you to web form "inquiries"
    • inadvertent open directories
    • Use of ISP-provided, or other free hosting space. The sub-domain/directory names gives away your account name, which is also your email address. Often the providers of free space actively publicize & circulate the directory, to increase traffic and boost revenue.
  • Professional organization membership records
  • Government records
  • Bulletin board/forum membership records and activities
  • ISP or Portal site user profiles and/or directories
  • Vendor directories (if you're a representative/affiliate)
  • Your recruitment ads in newspapers and web sites
  • email addresses used in Ebay/Paypal or other similar transactions

Legitimate Correspondents Leakage (your friends caused it)

  • Forwarding your email to others, leaking to all downstream generations.
  • Listing your address in open To/CC (not BCC) when sending jokes, etc.
  • Their systems compromised by spyware/worm/virus, with addresses harvested
  • They voluntarily provide your address to qualify for "free offers."
  • They add you to the "notify/invite" list when they join a free "social network" (Ringo, Bebo, MySpace, Facebook, Friendster, etc.)
  • They sent you a greeting card from a "free service" site.
  • Your friends/associates use a commercial mass email service to SPAM you about their events/services. The mass email service provider then capture the list for their own use and to resell.

Social Engineering (you voluntarily provided it)

  • Subscription to rogue "newsletters" or web services/memberships
  • Phishing schemes via email and web sites.
  • Strangers calling your front desk requesting email addresses for individuals.

Breaching Your System (statistically, this is the least likely):

  • Targeting your systems/network and take advantage of software vulnerabilities.
  • Compromise your system by spyware/worm/virus and/or hardware means:
    • harvesting data by scanning your hard drive
    • planting key-logging software/device
  • Carpet bombing, guessing address by sending to numerous names at your domain
    • such probing tactics can be defeated only by a "blackhole" (non-notification of "unknown user") policy


What To Do:

You can prevent SPAM by addressing each and every one of the above causes. Each path of leakage has a corresponding effective counter-strategy. To summarize:

  • Use primary email address only for serious, business-related correspondence, with the few selected key correspondents (clients, key vendors, etc.)
  • Create (multiple) "disposable" email aliases to be given out to all others.
  • Systematically retire aliases as needed, notify senders on a selective basis.
  • Use private domain registration (use registrar as proxy).
  • Refrain from mass forward, and always use BCC, not To/CC.
  • Do not allow your primary address to be on a "forward list" for jokes, etc.
  • Follow security best practices on your own web site.
    • Most web developers are not familiar or even aware of this
    • Designers tend to focus on appearance and "features"
    • Typically, you must provide your own expertise (or out-source)
    • A multi-discipline team of experts ensures all aspects are addressed
    • Arrive at a sensible, balanced happy medium: budget, features, usability & ergonomics, appearances, etc.
    • At least comply with all basic "must haves," and "must-avoids"
  • Exercise common sense when joining forums, etc.
  • List contact page (web form) instead of email, on vendors' directories.
  • Establish formal defensive policies regarding giving out email.
  • Establish tracking mechanism (for larger firms).


See also:

Copyright @2005-2006   Bravo Technology Center  *  Bravo:GO  *  Contact Us