The Sending & Receiving of Spam
We all hate spam. Here's how to minimize it:
- Protect your address: Keep your email address from getting into spam address list databases in the first place
- Filter these pesky emails when you do receive them. New: "Postini" is available
- Appendix: Migration strategy for a new/virgin email address: Get-Well Steps if your email has already gotten "published"
1. PROTECT YOUR EMAIL ADDRESS
Spam happens because people or computers get hold of your email address. The primary sources of email addresses are:
- Putting your email address on web pages as live text (there are various ways to try to hide this, yet let humans see your address). Spam harvesters these days even parse the English word "AT" and then look for a plausible username and domain name, as in
username [at] sherwoodhosting.com
It's of no consequence for the spam harvesters to guess wrong: it's just one more wrong address out of millions that are rejected (at no cost). SherwoodPhoto web design has several ways that we can help spam-cloak your email address yet still make it functional.
Pros & Cons of Email Address Listing Techniques on web pages
"Live text" (clickable or not!) | Convenient for humans to see & click
Not live text, not clickable | Protected, but not click-convenient (but read on...)
Clickable (whether cloaked or not) | Only convenient/useful for installed applications; clickables aggravate people with web-based email applications because clicking brings up an uninitialized default mail application
- generic@mydomain.com (a.k.a. "dictionary" addresses): Spam senders fabricate email addresses from common account names such as info, sales, orders, webmaster, office, help, etc. (not to mention common names: Joe, Jose, Mary, Maria, etc.). Thus even if you do not have a mailbox with one of those names (e.g., sales@sherwoodhosting.com), spam senders will still find your domain name and then add all sorts of names like this, as well as common first names (hoping to hit a real mailbox). It does not "cost" spam senders anything to send millions and millions of attempts. [Note: the example just above uses a live text email address (which will surely be harvested), but we don't care because we intentionally don't use that address!]
Make sure you have your "default" mail address forwarding disabled (set it to :fail: No such user here (or something similar)). Disabling it will reject all "random" guesses for mailbox names at your domain name.
- Posting newsgroup/discussion/bulletin board/chatroom notes where your email address is accessible for anyone to see and for harvesters to capture.
- Forwarding jokes, political info, etc. to distribution lists (your email address is listed along with many others when these are forwarded around). [Solution: use BCC (blind-carbon-copy) so the distribution lists are not displayed; ask the receiver to erase your address if they forward your message further.] Although this may affect virus propagation more than spam, it's still an important preventative measure, since there are silent viruses that scan your email folders for addresses and transmit them back to someone's spam-central for collection.
- A sure-fire way of getting your address on spam lists is to sign up for "free" search engine registration. It's free because most likely they sell unsuspecting email submitters' email addresses to spam lists.
- Unfortunately, the domain registry database is getting harvested more and more for the email addresses of everyone listed in the registry WHOIS record. ICANN claims this is illegal, but what can anyone do?! Registrars now offer "private" registrations which hide all personal information in your WHOIS domain name entry; however, these are unnecessarily expensive. SherwoodHosting can recommend easier ways that are free.
- Authoring tools such as Dreamweaver, Contribute, and others may inadvertently include your email address in logistical/history/lock files that are uploaded to your site. Use a robots.txt file to instruct search engines not to catalogue these directories. Fortunately we've not heard of any harvesters that proactively look for these file types unless they are catalogued and listed in search engines.
Sample robots.txt file, placed in your top-level www directory:
User-agent: *
Disallow: /Library/
Disallow: /images/
Disallow: /_notes/
You have to be vigilant to minimize "leakage" from all of the above sources. And the remedy strategy is different for each.
First off, try google-searching for your email address "name@domain.com". See who has listed your address on their web pages and ask them to remove it, or to point to your web site's Contact Us page, where you should have it appropriately "protected" (cloaked).
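An added example (not SherwoodHosting's code or cloaking method): a Python audit to run over your own site files before upload, listing every address written as live text or in the "[at]" form and whether the sample robots.txt above excludes that path. The file names, file contents and the `audit` helper are constructed for illustration.

```python
import re
from urllib.robotparser import RobotFileParser

# Matches user@domain plus the spelled-out "user [at] domain" / "user (at) domain".
ADDRESS = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*(?:@|\[at\]|\(at\))\s*"
    r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)

# The sample robots.txt from this page.
ROBOTS = """User-agent: *
Disallow: /Library/
Disallow: /images/
Disallow: /_notes/
"""

# Constructed site content (path -> text), standing in for files about to be uploaded.
SITE = {
    "/contact.html": '<a href="mailto:info@example.com">Email us</a>',
    "/about.html": "<p>Write to owner [at] example.com</p>",
    "/_notes/index.html.mno": '<infoitem key="author" value="editor@example.com" />',
    "/products.html": "<p>Open 9 to 5 at our shop.</p>",
}


def audit(site, robots_txt):
    """Return sorted (path, address, exposure) tuples for every address found."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    findings = []
    for path, text in site.items():
        for user, domain in ADDRESS.findall(text):
            # robots.txt is advisory: it only keeps compliant crawlers away,
            # so "robots-excluded" means less exposed, not protected.
            excluded = not rules.can_fetch("*", path)
            exposure = "robots-excluded" if excluded else "indexable"
            findings.append((path, f"{user}@{domain}".lower(), exposure))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SITE, ROBOTS):
        print(*finding)
```

Any address reported as "indexable" is live text on a page search engines will catalogue; the "robots-excluded" finding is the authoring-tool leak the list above warns about.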
We are avoiding telling you specific technical details, because these techniques are our specialties that we offer with our web design services.
Tip: If you must give out your email address, use a throw-away (changeable) address. A throw-away (expendable) address is one that you can use temporarily and then delete and replace with another. It would be different from your main mail address. For instance, if your name is Bob and your main address was bob@aol.com, then create bob1 that forwards to bob@aol.com; then, after using it (or a few weeks later), delete the bob1 forwarder and create bob2. Some credit card companies provide one-time-use-only credit card numbers for internet purchasing in the same way: the purchase is charged to your account, but the credit card number (which for one use was "connected" to your account) cannot be used again, although your main account is still intact.
2. FILTERING SPAM once you're on their lists
Warning: With any spam email filter there is a risk that you will prevent a legitimate email from reaching you:
- Your filter is too pessimistic and labels a message as spam (perhaps because it has a URL or picture in it) when the message is not spam but an important customer email;
- A permission-based system (also called "challenge", like Earthlink's, TMDA, or the SpamBT Boxtrapper that we offer): (a) we strongly discourage using Boxtrapper because of the trouble it can get you into (YOU being reported as a spammer because your automated email replies go to various unintended recipients); (b) it requires your potential customer to actively respond even when they thought their email to you had already gone through.
Categories of Methods for Filtering Spam:
- Server-side methods:
  - Filters (and there are lots of them) based on blacklists, keywords, or other criteria that try to discern spam.
    Now Available: Postini filter. Please inquire. $2.50/month and well worth it
  - Challenge methods, where an email is sent to the sender if not recognized/pre-approved by you, and the sender acknowledges that s/he is a human - NOT recommended - we will be disallowing this tool soon
  - Queue method: the server queues messages from strangers and sends you an email that a message is waiting from person x
  - (Combinations/hybrids of the above)
- Client-side methods (on your computer):
  - Similar to the above three methods, but these would be installed on your own computer, and you have to download all the spam into a holding area where a program evaluates it and then, if it's okay, "sends" it along to your mail reader. So this prevents you, the human, from seeing the spam and wasting your time, but does not prevent your computer and network connection from dealing with it. A downside is that when you are reading mail away from your computer (where the anti-spam software is installed), the filtering mechanism is not present.
Your SherwoodHosting.com account includes free (built-in) features called Boxtrapper and "Spam Assassin."
- Boxtrapper is a server-side tool that challenges the sender to show that s/he is a human. This will be discontinued in the near future.
- Spam Assassin is a server-side spam-flagging tool (it marks the subject line) that works together with a filtering feature in Outlook (or your equivalent mail-reader application), so that you can automatically delete spam email and not have it appear in your INBOX. Spam Assassin is a two-step method. Like all filters, this is not perfect. In addition, we offer BoxTrapper technology, although it may not be right for you. Spam Assassin can also move suspected spam directly into its "spam box" (an inbox for spam) on the server for you to peruse as you like.
In reality the Spam Assassin feature is a marking (tagging) mechanism in our mail server that, when enabled, adds a line of text in the email body for spam email it finds. (Some options had added a phrase in the Subject Line.)
1. First go to your Cpanel > Mail Menu > Spam Assassin > Enable Spam Assassin
(Also note that from this page you can fine-tune the algorithm's weightings and other parameters; if you just want the standard settings, then ONLY click on the Enable Spam Assassin button.)
2a. MAILMANAGER FILTER METHOD:
After you set up your SpamAssassin settings above, go to Cpanel > Mail > E-mailFiltering > AddFilter, choose "SpamAssassin Spam Header", "begins with", and then enter "Yes" in the box, followed by Activate. Always test by sending yourself messages that should be caught and messages that should not. This method should not fill up your email box while you're on vacation.
2b. OUTLOOK METHOD:
In Outlook, you can set up a "rule" to delete messages that include the body text "Spam detection software" by going to Outlook > Tools > Rules Wizard > New > Start creating a Rule from a template > Move messages based on content > Specific words > Spam detection software (etc.)
There are hundreds of customizations that you can do to fine-tune this to suit your needs. An important point: identifying spam email is not 100% accurate all the time; you may find that 1 in 100 messages is incorrectly earmarked. So, we recommend that if you use your Outlook rule to remove these messages, have it move the message to a folder so that you can retrieve the message if a false accusation of spam is made. An example of a mistaken spam identification like this would be if you were to create a rule to move all messages with the word "Viagra" in the body of the message to the deleted message folder. Then if someone you know is sending you an email that has a URL link in it and a picture in the message body itself, and mentions Viagra, then that message may be moved to the deleted message folder without your even seeing it.
This is easy to modify because Outlook provides an exclusion list feature where you can exclude the rule from being applied to messages from people in your address book, or on a separate list. But having a way to find a message at a later date may be quite important. That is why it's always best to have the Outlook Rule move the spam email it "finds" to a labeled (separate) spam folder, so that in the case that a real message inadvertently got placed there, you can retrieve it.
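An added example, not part of the original page: the two rules above modelled in Python, filing on the SpamAssassin header with a trusted-sender exclusion list versus filing on the body phrase alone. The messages are constructed, and treating `X-Spam-Status` as the header the cPanel filter reads is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not real mail). X-Spam-Status imitates the header
# SpamAssassin adds; that the cPanel filter reads this header is an assumption.
SPAM = (
    "From: Deals <promo@bulk.example>\n"
    "X-Spam-Status: Yes, score=12.4 required=5.0\n"
    "\n"
    "Spam detection software has flagged this message.\n"
)
FALSE_POSITIVE = (
    "From: Maria <maria@customer.example>\n"
    "X-Spam-Status: Yes, score=5.3 required=5.0\n"
    "\n"
    "Order details and a picture: http://shop.example/order\n"
)
QUOTED = (
    "From: Joe <joe@friend.example>\n"
    "X-Spam-Status: No, score=0.2 required=5.0\n"
    "\n"
    'My mail said "Spam detection software" on it, what is that?\n'
)
# Exclusion list, like the address-book exclusion described above.
# From: is easy to forge, so this only rescues mail; it never proves identity.
TRUSTED = {"maria@customer.example"}


def header_rule(raw, trusted=TRUSTED):
    """2a-style rule: file on the spam header, unless the sender is trusted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flagged = msg.get("X-Spam-Status", "").strip().lower().startswith("yes")
    if flagged and sender not in trusted:
        return "Spam"  # a folder, never deletion, so mistakes are recoverable
    return "INBOX"


def body_rule(raw):
    """2b-style rule: file on the body phrase alone."""
    body = message_from_string(raw).get_payload()
    return "Spam" if "Spam detection software" in body else "INBOX"


if __name__ == "__main__":
    for name, raw in [("SPAM", SPAM), ("FALSE_POSITIVE", FALSE_POSITIVE), ("QUOTED", QUOTED)]:
        print(name, header_rule(raw), body_rule(raw))
```

The third message is a clean one that merely quotes the phrase: the body rule misfiles it, while the header rule leaves it in the INBOX.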
We unfortunately cannot support application of these features, but hope that the above information makes you aware of features that are available for you to try.
3. Appendix: Steps to take if your email address has already gotten out
Okay, so unfortunately you're at the point of reading this page after your email address has been poisoned. It's too late to follow the tips listed above for your current mailbox. Here's a get-well plan for creating a new mailbox (yes, it will be painful to have everyone change their pointers to you) and then switching everything/everybody over. It's a few steps, but they aren't too bad. They all involve simple clicks in the MAIL portion (first icon) of your Cpanel.
- Create a new mailbox - Pick a name, perhaps similar (JohnD instead of John) (capitalization is irrelevant, it just helps humans parse (read) the name)
- Create a Forwarder from old to new - At this point, change your mail reader to read only the new mailbox. Because of this new forwarder, you'll be getting mail addressed to both addresses (for a while).
- Announce and post the new address - Send your friends & colleagues your new address, and ask them to help protect (see next bullet) your new address.
- BE VIGILANT IN PROTECTING YOUR NEW ADDRESS - Re-read the Protection Tips. Then re-read them again and memorize! You don't want to have to go thru this again! Especially in forums, newsgroups, dating systems, etc., use an expendable email address that forwards to your new address (then you can change/delete that expendable address if it starts receiving spam; look at the message header to see how the message got forwarded).
- Create an Autoresponder for the old - Do this after a few days to give people a chance to change of their own accord based on your notification. Be kind and tell people still sending to your old address that you have a new address. We've never heard of a spam system "reading" replies and taking note of a change of address. (Spam systems receive millions of noise replies (bad address, out of office, etc.), and they're not going to waste time finding 1 or 2 address corrections when they have billions more addresses left to send to.)
-OR- Use your account's SET DEFAULT ADDRESS to respond with a failure but display the new address also, for example:
:fail: to contact sherwoodhosting please address emails to newaddress@sherwoodhosting.com
- Change old Forwarder to point to :BLACKHOLE: - After a sufficient time (a few weeks?), no longer receive email from the old address; those messages go unread from this point on. The AutoResponder will inform people to RESEND the email.
- Delete old mailbox and associated forwarder/responder - After a much longer time, completely delete the old mailbox. Since this is no longer bothering you (nor accumulating messages anywhere), it's still polite to those who haven't written in a year to tell them you've moved. Especially if you're a business, you don't want to lose a returning client. If the old mailbox was a "standard" address like "sales" or "info" (or your first name) you may still want to leave the responder as a courtesy; it's no cost to you to leave it.
- Comfort your new mailbox in its loneliness from spam! - You'll now be wondering: "Is the server working? I haven't gotten email all morning!" Sip your tea in the new calmness.
©2008 Sherwood Hosting LLC