November 07, 2003

Fighting Spam: My Strategy

I've had my email address since 1997. Back then, unsolicited email was rare but welcome. People who found me on the Internet could add my email address to their address book and get in touch easily. I never accidentally overlooked their messages.

Today, the situation is much, much different. When I made a five-day work trip recently, I returned to a mailbox "stuffed" with more than 1,000 emails; the overwhelming majority were spam. I hope I didn't miss an important personal message as I slogged through my mailbox deleting all the junk mail.

It became clear that it's time to get serious about my own fight against spam.

According to several recent studies [1] [2], most spammers harvest email addresses from websites that show your address in plain text. If you've been online a long time and your email address has appeared on a variety of web pages, you'll almost certainly get spam. And that means it'll be hard to find those really important messages that you want to see.

Here's what I'm doing to make sure that your important personal email reaches me safely.

First, my Internet Service Provider (ISP), Lobo Internet, runs SpamAssassin and Tagged Message Delivery Agent (TMDA). SpamAssassin evaluates each message to determine if it is likely to be spam. Only a handful of real emails are falsely identified as spam, and only a few more real spam messages slip past the evaluation algorithm.

I've configured TMDA so that it automatically drops all email marked as spam by SpamAssassin. Then TMDA forwards all email from senders who are already on my "white list" (i.e., valid senders). Finally, TMDA quarantines the remaining email, then sends a short message to the senders asking them to confirm they are not sending spam. If the sender replies to TMDA's message, the sender's original message is forwarded to me, and TMDA will remember that sender the next time. Those senders are then added to my "white list".

Spammers don't usually take the time to read replies (such as TMDA's automatic response), so eventually their messages are dropped from the quarantined mail. I never see their spam.
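The drop, deliver, and quarantine-then-confirm flow described above, modelled as an added example; it is not part of the original post and is not TMDA's own code. The class name, the HMAC confirmation token, the secret, and the sample addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-user secret, constructed for this sketch


class ChallengeResponseFilter:
    """Drop, deliver, or quarantine-and-challenge, in the order described above."""

    def __init__(self, whitelist):
        self.whitelist = {a.lower() for a in whitelist}
        self.quarantine = {}  # msg_id -> (sender, body)

    def _token(self, msg_id, sender):
        # Bind the confirmation to one held message and one sender, so a
        # guessed or replayed reply cannot whitelist a different address.
        data = f"{msg_id}:{sender}".encode()
        return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:16]

    def receive(self, msg_id, sender, body, spam_flag):
        sender = sender.lower()
        if spam_flag:                      # stage 1: scorer tagged it (e.g. X-Spam-Flag: YES)
            return ("drop", None)
        if sender in self.whitelist:       # stage 2: known sender goes straight through
            return ("deliver", body)
        self.quarantine[msg_id] = (sender, body)   # stage 3: hold and send a challenge
        return ("challenge", self._token(msg_id, sender))

    def confirm(self, msg_id, sender, token):
        sender = sender.lower()
        held = self.quarantine.get(msg_id)
        if held is None or held[0] != sender:
            return None
        if not hmac.compare_digest(token, self._token(msg_id, sender)):
            return None
        del self.quarantine[msg_id]
        self.whitelist.add(sender)         # remembered the next time this sender writes
        return held[1]

    def expire(self):
        """Discard everything still unconfirmed; return how many were dropped."""
        dropped = len(self.quarantine)
        self.quarantine.clear()
        return dropped


if __name__ == "__main__":
    f = ChallengeResponseFilter(["friend@example.org"])  # constructed addresses
    print(f.receive("m1", "new@example.com", "hello", spam_flag=False))
```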

Second, I've used Spamex's disposable email address (DEA) service for the past year whenever I "sign up" for automatic emails from vendors and users' groups -- anything that's not really personal email but that I want to receive. Each address (such as mikey123@spamex.com) routes the sender's email through Spamex's mail servers and forwards it to my personal email address. If a particular DEA starts getting spam, I can turn off that email address, and I'll never see spam from that address again. Plus, I'll know who probably compromised that address, either by selling it or by unintentionally revealing it to spammers.

Finally, I've started encrypting my email addresses listed on web sites. For this, I use Hiveware's (free) Anti-spam Address Enkoder, which converts the "mailto" hyperlink to JavaScript code that spammers' automatic email harvesters won't recognize.

Sometime soon my plain text, real email address will no longer appear on any web page. On web pages that I control, I'll provide a link to a single page with all my contact info. This page uses a DEA that is encrypted by Enkoder. For people who've disabled JavaScript, I've also included my DEA as an image, which email harvesters won't recognize but people can read.

On web sites I can't control, such as the various users' groups I subscribe to, I'll provide a DEA.

All this may seem like overkill, but it has already paid huge benefits to me. On my next work trip I can once again read my email while on the road because my mailbox won't be full of spam. And if you've sent me an important message, I'll get it quickly without having to wade through another 1,000 spam emails like I did recently.

Want to know more about fighting spam? See these reports: [3] [4] (both free) and [5] (paid).

Mike

Posted by ergo at November 7, 2003 09:19 AM
Comments

The DEA here (mikey123@spamex.com) was created on 11-11-2003. I'll tell you as soon as I start getting spam from it. My guess? About two weeks.

Mike

Posted by: Mike at November 11, 2003 10:26 AM

HELLO, I AM LIVING IN POSADAS IN ARGENTINA AND I WANTED TO GET INFORMATION ABOUT THE KRUCHOWSKI FAMILY IN GALITZIA, POLAND.
THANK YOU

Posted by: SUSANA KRUCHOWSKI at June 10, 2004 11:46 AM