SPAM Prevention
November 5, 2006
This is a summary document, consolidating existing information from several other pages. Please note that SPAM prevention is totally different from SPAM reaction (filtering, etc.).
How SPAMmers obtain your email address:
Public Records:
- Worldwide Whois databases
- Professional organization membership records
- Government records
- Bulletin board/forum membership records
- ISP or Portal site user profiles and/or directories
- Vendor directories (if you're a representative/affiliate)
- Your recruitment ads in newspapers and web sites
- Your own web site:
  - Plain text <mailto:> tag
  - Plain text mentioning actual email addresses
  - V-Cards (.vcf files) for public download
  - Graphics rendition of email address (extracted via OCR)
  - JavaScript encoded <mailto:> tag (via decoding)
  - From/Reply address in acknowledgement email for submissions
  - Subsequent replies by you to "inquiries"
- Open directories
- Use of ISP-provided, or other free hosting space. The sub-domain/directory names give away your account, and therefore the email address. Often the providers of free space actively publicize and circulate the directory of all sites, to increase traffic and boost revenue.
Legitimate Correspondents Leakage:
- Forwarding your email to others
- Listing your address in an open To/CC field when sending jokes, etc.
- Their systems compromised by spyware/worm/virus
- They voluntarily provide your address to qualify for "free offers."
- They add you to the "notify/request" list when they join a free "social network" (Ringo, Bebo, MySpace, Facebook, Friendster, etc.)
- They send you a greeting card from a "free service" site.
- Your friends/associates use a commercial mass emailer service to SPAM you about their events/services. The mass emailer then captures the list for its own use and to resell.
Social Engineering:
- Strangers calling your front desk requesting email addresses for individuals.
- Phishing schemes via email and web sites.
Attacks Against Your System:
- Targeting your systems/network and taking advantage of software vulnerabilities.
- Carpet bombing: guessing addresses by sending to numerous names at your domain.
- Compromising your system by spyware/worm/virus and/or hardware:
  - harvesting data by scanning your hard drive
  - planting key-logging software/device
What To Do:
You can prevent SPAM by addressing each and every one of the above causes. Each path of leakage has a corresponding strategy/procedure that is effective. To summarize:
- Use your primary email address only for serious, business-related correspondence, with the few selected key correspondents (clients, key vendors, etc.)
- Create (multiple) "disposable" email aliases to be given out to all others.
- Retire disposable aliases as needed, and notify senders on a selective basis.
- Use private domain registration (use the registrar as proxy).
- Refrain from mass forwarding, and always use BCC, not To/CC.
- Do not allow your primary address to be on a "forward list" for jokes, etc.
- Follow best practices on your own web site.
- Exercise common sense when joining forums, etc.
- List a contact page (web form) instead of an email address on vendors' directories.
- Establish defensive policies regarding giving out email.
- Establish a tracking mechanism (for larger firms).
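
One way to combine the disposable-alias and tracking items above, as an added example that is not part of the original page: each correspondent gets an alias carrying a keyed tag, so mail to an address that was never issued can be told apart from mail to an alias that leaked. The domain, secret, alias layout and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-demo-key"  # assumption: secret held only by the mail admin
DOMAIN = "example.com"            # placeholder domain

def _tag(label: str, secret: bytes) -> str:
    # Short keyed tag; cannot be produced without the secret.
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:8]

def make_alias(correspondent: str, secret: bytes = SECRET) -> str:
    """Issue a disposable alias tied to one correspondent (vendor, forum, ...)."""
    label = "".join(c for c in correspondent.lower()
                    if c.isascii() and c.isalnum())[:20]
    if not label:
        raise ValueError("correspondent name needs at least one letter or digit")
    return f"{label}.{_tag(label, secret)}@{DOMAIN}"

def classify(recipient: str, retired: set, secret: bytes = SECRET):
    """Return (verdict, label): accept, retired (known leak) or reject (guessed)."""
    addr = recipient.strip().lower()
    local, _, domain = addr.partition("@")
    label, _, tag = local.rpartition(".")
    if domain != DOMAIN or not label:
        return ("reject", None)
    if not hmac.compare_digest(tag.encode(), _tag(label, secret).encode()):
        return ("reject", None)      # never issued: guessed or carpet-bombed
    if addr in retired:
        return ("retired", label)    # issued, later leaked and withdrawn
    return ("accept", label)

def leak_report(spam_recipients, secret: bytes = SECRET):
    """Count spam per issued alias; the label names who leaked the address."""
    leaks, guessed = Counter(), 0
    for rcpt in spam_recipients:
        verdict, label = classify(rcpt, set(), secret)
        if label is None:
            guessed += 1
        else:
            leaks[label] += 1
    return dict(leaks), guessed
```

The primary address stays outside this scheme and is handled by whatever rule already delivers it; only the aliases given out to everyone else carry a tag.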