From the desk of: Sam C. Chan

SPAM Prevention

November 5, 2006 

This is a summary document, consolidating existing information from several other pages. Please note that SPAM prevention is totally different from SPAM reaction (filtering, etc.).

How SPAMmers obtain your email address:

Public Records:

  • Worldwide Whois databases
  • Professional organization membership records
  • Government records
  • Bulletin board/forum membership records
  • ISP or Portal site user profiles and/or directories
  • Vendor directories (if you're a representative/affiliate)
  • Your recruitment ads in newspapers and web sites
  • Your own web site:
    • Plain text <mailto:> tag
    • Plain text mentioning actual email addresses
    • V-Cards (.vcf files) for public download
    • Graphics rendition of email address (extracted via OCR)
    • JavaScript encoded <mailto:> tag (via decoding)
    • From/Reply address in acknowledgement email for submissions
    • Subsequent replies by you to "inquiries".
    • Open directories
    • Use of ISP-provided, or other free hosting space. The sub-domain/directory name gives away your account, and therefore the email address. Often the providers of free space actively publicize and circulate the directory of all sites, to increase traffic and boost revenue.

Legitimate Correspondents Leakage:

  • Forwarding your email to others
  • Listing your address in open To/CC field when sending jokes, etc.
  • Their systems compromised by spyware/worm/virus
  • They voluntarily provide your address to qualify for "free offers."
  • They add you to the "notify/request" list when they join a free "social network" (Ringo, Bebo, MySpace, Facebook, Friendster, etc.)
  • They send you a greeting card from a "free service" site.
  • Your friends/associates use a commercial mass emailer service to SPAM you about their events/services. The mass emailer then captures the list for its own use and to resell.

Social Engineering:

  • Strangers calling your front desk requesting email addresses for individuals.
  • Phishing schemes via email and web sites.

Attacks Against Your System:

  • Targeting your systems/network and taking advantage of software vulnerabilities.
  • Carpet bombing: guessing addresses by sending to numerous names at your domain.
  • Compromising your system by spyware/worm/virus and/or hardware:
    • Harvesting data by scanning your hard drive
    • Planting key-logging software/device

 

What To Do:

You can prevent SPAM by addressing each and every one of the above causes. Each path of leakage has a corresponding strategy/procedure that is effective. To summarize:

  • Use primary email address only for serious, business-related correspondence, with the few selected key correspondents (clients, key vendors, etc.)
  • Create (multiple) "disposable" email aliases to be given out to all others.
  • Retire disposable aliases as needed, and notify senders on a selective basis.
  • Use private domain registration (use registrar as proxy).
  • Refrain from mass forwarding, and always use BCC, not To/CC.
  • Do not allow your primary address to be on a "forward list" for jokes, etc.
  • Follow best practices on your own web site.
  • Exercise common sense when joining forums, etc.
  • List a contact page (web form) instead of an email address in vendors' directories.
  • Establish defensive policies regarding giving out email addresses.
  • Establish a tracking mechanism (for larger firms).
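
One way to implement the disposable-alias, retirement and tracking items above, as an added example (not code from the original page): each alias carries a keyed tag, so mail arriving at a retired alias names the party it was issued to, and guessed addresses such as those used in carpet bombing are rejected. The domain, the secret and the "label.tag@domain" alias layout are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Set, Tuple

# Constructed values for illustration; none of these come from the page.
DOMAIN = "example.com"
SECRET = b"constructed-demo-secret"   # keep the real key out of source control
TAG_LEN = 8


def _tag(label: str) -> str:
    """Keyed tag that binds an alias to the party it was issued to."""
    mac = hmac.new(SECRET, label.encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def issue_alias(label: str) -> str:
    """Create the disposable alias handed to one correspondent or site."""
    label = label.lower()
    return f"{label}.{_tag(label)}@{DOMAIN}"


def classify(recipient: str, retired: Set[str]) -> Tuple[str, Optional[str]]:
    """Triage an incoming envelope recipient.

    Returns ('accept', label), ('retired', label) when the alias was withdrawn
    (label names who it was given to, i.e. where the leak came from), or
    ('reject', None) for guessed or malformed addresses.
    """
    local, _, domain = recipient.lower().rpartition("@")
    label, _, tag = local.rpartition(".")
    if domain != DOMAIN or not label:
        return ("reject", None)
    # Carpet-bombing guesses fail here: the tag cannot be derived without SECRET.
    if not hmac.compare_digest(tag.encode(), _tag(label).encode()):
        return ("reject", None)
    if label in retired:
        return ("retired", label)
    return ("accept", label)


if __name__ == "__main__":
    alias = issue_alias("forum-widgets")          # constructed correspondent
    for rcpt in (alias, "info@example.com", "forum-widgets.deadbeef@example.com"):
        print(rcpt, classify(rcpt, retired=set()))
    print(alias, classify(alias, retired={"forum-widgets"}))
```

The primary address stays outside this scheme and is given only to key correspondents; everything else receives an alias from issue_alias().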

 


Copyright © 2005-2006 Bravo Technology Center