Pinging Knight

This is the second installment of a series about spam. It will discuss the various ways spammers find your email address and how they avoid being caught and slowly impaled by those that dislike them. # Introduction to Spam # How They Find You and Avoid Being Found (current) # Beginning to Fight Back # Death to Spam # Additional Resources == == h4. How They Find You and Avoid Being Found Just how is it that spammers manage to find you, anyway? You certainly didn't just invite them to your inbox; if you did, you'd a flaming idiot and it wouldn't fit the definition of spam. There are many ways that spammers find your address and it's nearly impossible to avoid. Learning how to avoid a few of the pitfalls can help, nevertheless. First, there is one way that is almost an invitation: signing up for stuff. You enter your email address in to register for something—membership at MP3.com for example—so you can download songs. It works. Except now the email address provided is filled with spam. If you rush through forms, you may not notice that some sites stipulate that they will share your information and send you emails notifying you of "special offers and services". Every legitimate business should have a privacy policy that you should read. A privacy policy describes what they are allowed and not allowed to do with your data, so it's not just protection for email. Second, there are spam bots. These are scripts that roam around the net, scanning and collecting email addresses. If you've ever left your email address in a post or blog comment, your email may have been harvested. There are ways to try to avoid it: writing your address with HTML(HyperText Markup Language) entities, adding parts that many people recognize to strip (caiuschen@NOSPAM.fallenearth.org), using Javascript to hide the address, or perhaps writing it like caiuschen (at) fallenearth (dot) org. None of them are particularly convenient, and all of them have been circumvented by smarter bots. Encoding your address does help protect it against many of the dumber bots, but I personally do not bother.There are, however, ways to avoid some of the bots. They will be covered in the next article. The third way is really lame: they catch your email when you try to unsubscribe. In many states, companies are legally obligated to include an unsubscription option. A quarter of these don't actually work. About another quarter of them actually subscribe you to more spam. Even if they do unlist you on that particular list, you can find yourself in a vicious circle: you unsubscribe from list A and accidentally get yourself subscribed to list B and C. You unsubscribe from B, and you find yourself resubscribed to A and you now also get D. Luckily, legislation and enforcement is increasing against this. Even if you don't ever reveal your email address, you may still get spam if your email is easy to guess. jsmith12@comcast.net may have never ever used his email, but you can bet spammers have tried to send stuff there. A lot of spammers even use things called web bugs to check if it's a valid address. A web bug is basically an image (sometimes transparent) that contains your email address encoded in the reference. When jsmith12 opens up the spam in an insecure HTML(HyperText Markup Language)-compatible client, he'll download the image. The spammer will check the logs and see that jsmith12@comcast.net is indeed a valid email address and add it to his list. The lists formed by the various email harvesting methods above are a business in itself. They are sold and traded for thousands of dollars. Quite a bit of the spam industry is made up of people who simply collect addresses and never send a single piece of spam. Then, they sell the lists to people who do send spam. So, now we now how spammers find you, but how do spammers avoid angry death threats from the people being spammed, being reported to their ISP(Internet Service Provider), and vigilante hackers? The ways they hide can be very technical, so I'll try to keep the explanations simple. One of their defenses is employed by perfectly innocent people: anonymous proxy servers. People can choose to route all their internet traffic through a proxy server so that when they are surfing the web, the logs record the proxy server's IP(Internet Protocol) address instead of the spammer's. There are people who are genuinely concerned about their privacy and use proxy servers with no evil intentions, so you can't just block the proxy server's IP(Internet Protocol) address. This is the most basic step, but spammers often use multiple proxy servers, providing a chain of defense. Another step for spammers to duck and hide is by using open relays. Apparently, Mr. Bayle keeps one. They're email servers that will accept mail from anywhere and send them off to their destination. They can fake their routing information, making spammers much harder to trace. A similar tactic is to used an unsecured email script that a random website may have. Surely though, you can track them down from your email address? Not quite. Spammers often fake their address, called spoofing. I used to do that to send emails from santa@northpole.org. It's really bad when a spammer spoofs a real address; innocent people can get angry death threats or thousands of unsubscription requests. Incidentally, the recent SoBig.f virus spoofed addresses to make it harder to track down where the virus came from. That's why you may have gotten emails that say you've sent the virus out even though you know you're clean. I hope this has been of some use. It ended up being much longer than I expected; I'll probably go through and edit things. Next time, I'll cover some ways to fight back.