- sensibilium
- » sensiblog
- » How to beat the spammers.
How to beat the spammers.
A guide to securing yourself against intrusive and offensive unsolicited emails.
First off, you have to be prepared to purchase your own domain, so this is not for the "I want everything free" crowd. You get what you pay for as they say. Then you'll be needing a web/email hosting service to which you can map your domain to. To do this you would need to be able to set your nameservers on your domain (these will be provided by your web domain host). If you can't do any of this stuff yourself then make sure you find someone reputable that isn't necessarily cheap but will be a safe bet.
After getting all that setup, you need access to your mail account settings on your server, and ensure that you can add/edit/delete email accounts and email forwarders.
Now to the juicy bit.
In order to kill off locally-delivered spam you need to know where the spammers are getting your email address from in the first place, so first thing to do is setup an email account that only you know, tell no-one about this email address, don't post it to any websites, don't use it for anything other than what I suggest below, otherwise you will start getting spam and have no way of stopping it without using silly anti-spam software (which often provide false-positives).
Set up your POP3 email client to retreive mail from your new email address.
Return to your domain host administration and start adding email forwarders that point to the new email address you created.
These email forwarders should be related to the people you are supplying the email address to. For example, if your domain name is mydomain.com then for Paypal setup a forwarder called mysillypaypaladdress1 at mydomain dot com (or similar). Do this for every site where they need your POP3 email account details and set them up to their individual email addresses.
For outward communication to friends, provide a webmail address instead (this should be the only place you'll ever get spam), use that same webmail address to sign up for unimportant sites such as forums (or create another just for this purpose).
So, where's the spammer-fighting?
Ah here's the trick. After adding all your forwarders, and changing your email address at your chosen sites, just sit back, relax and wait.
Soon there will be a spam mail that appears in your inbox for your hidden email account. View the headers of the email to see which forwarder it was sent to. If it's been sent directly to your hidden address, you messed up and possibly chose an obvious default email address - remember, security-thru-obscurity.
Dependent upon which forwarder has been compromised, try and discover how it was compromised (perhaps you published it to your own site in a contact form), and fix that first. Add a new email forwarder for the compromised one.
Go to the site which has that forwarder in your account, and change it to a new forwarder. For example if your Paypal email address is compromised, add mysillypaypaladdress2 at mydomain dot com (or other), return to Paypal, add the new forwarder, set as your Primary, delete the old email address, and finally delete the old compromised forwarder from your domain host.
No more spam will ever get through now on your old forwarder address as long as you have your default mail set to :blackhole: (or similar on other systems), which basically means that your default mail account is not a catch-all email address.
Cross-posted to Khazad-Dum.
First off, you have to be prepared to purchase your own domain, so this is not for the "I want everything free" crowd. You get what you pay for as they say. Then you'll be needing a web/email hosting service to which you can map your domain to. To do this you would need to be able to set your nameservers on your domain (these will be provided by your web domain host). If you can't do any of this stuff yourself then make sure you find someone reputable that isn't necessarily cheap but will be a safe bet.
After getting all that setup, you need access to your mail account settings on your server, and ensure that you can add/edit/delete email accounts and email forwarders.
Now to the juicy bit.
In order to kill off locally-delivered spam you need to know where the spammers are getting your email address from in the first place, so first thing to do is setup an email account that only you know, tell no-one about this email address, don't post it to any websites, don't use it for anything other than what I suggest below, otherwise you will start getting spam and have no way of stopping it without using silly anti-spam software (which often provide false-positives).
Set up your POP3 email client to retreive mail from your new email address.
Return to your domain host administration and start adding email forwarders that point to the new email address you created.
These email forwarders should be related to the people you are supplying the email address to. For example, if your domain name is mydomain.com then for Paypal setup a forwarder called mysillypaypaladdress1 at mydomain dot com (or similar). Do this for every site where they need your POP3 email account details and set them up to their individual email addresses.
For outward communication to friends, provide a webmail address instead (this should be the only place you'll ever get spam), use that same webmail address to sign up for unimportant sites such as forums (or create another just for this purpose).
So, where's the spammer-fighting?
Ah here's the trick. After adding all your forwarders, and changing your email address at your chosen sites, just sit back, relax and wait.
Soon there will be a spam mail that appears in your inbox for your hidden email account. View the headers of the email to see which forwarder it was sent to. If it's been sent directly to your hidden address, you messed up and possibly chose an obvious default email address - remember, security-thru-obscurity.
Dependent upon which forwarder has been compromised, try and discover how it was compromised (perhaps you published it to your own site in a contact form), and fix that first. Add a new email forwarder for the compromised one.
Go to the site which has that forwarder in your account, and change it to a new forwarder. For example if your Paypal email address is compromised, add mysillypaypaladdress2 at mydomain dot com (or other), return to Paypal, add the new forwarder, set as your Primary, delete the old email address, and finally delete the old compromised forwarder from your domain host.
No more spam will ever get through now on your old forwarder address as long as you have your default mail set to :blackhole: (or similar on other systems), which basically means that your default mail account is not a catch-all email address.
Cross-posted to Khazad-Dum.
- This post has 14 comments, the last was posted by ahdkaw on Tue 4 Apr 2006 at 3:48am GMT
Comments
& who supplied this tip? Been doing this for years.
Oh joy is being a miserable old twat.
Oh joy is being a miserable old twat.
This method could give you leverage if you want to take some unscrupulous company to court for selling your personal property without your consent.
Humorously I would first send an invoice for 500 quid to the offending seller of your stuff.
Ironically, though almost consistent with the paypal reference above; my ebay address was compromised. “stupidly I answered a question from prospective (not) buyer”. I like that Ebay has since provided a method for sending messages without using your email address directly. The irony comes in here since I kept the compromised email address as a bit of a joke. I use this to monitor how effective the Spam assassin rules are on the server. I direct mail that spam assassin has tagged as spam. I’m happy to report that it has a 100% success rate on the spam I receive – unlike MSN’s hotmail which I’m 100% sure has a purposefully useless success rate. Last check on MSN, out of 242 messages of which all 200 were spam, MSN considered only 17 to be spam. Complete bollocks. So essentially I could rid myself of spam completely, but life is more interesting with a little spam isn’t it? You know the drill, 1am open mail client, no messages, … 2am open mail client – wanna bigger dong? Click here!, OK – delete – bliss?
Humorously I would first send an invoice for 500 quid to the offending seller of your stuff.
Ironically, though almost consistent with the paypal reference above; my ebay address was compromised. “stupidly I answered a question from prospective (not) buyer”. I like that Ebay has since provided a method for sending messages without using your email address directly. The irony comes in here since I kept the compromised email address as a bit of a joke. I use this to monitor how effective the Spam assassin rules are on the server. I direct mail that spam assassin has tagged as spam. I’m happy to report that it has a 100% success rate on the spam I receive – unlike MSN’s hotmail which I’m 100% sure has a purposefully useless success rate. Last check on MSN, out of 242 messages of which all 200 were spam, MSN considered only 17 to be spam. Complete bollocks. So essentially I could rid myself of spam completely, but life is more interesting with a little spam isn’t it? You know the drill, 1am open mail client, no messages, … 2am open mail client – wanna bigger dong? Click here!, OK – delete – bliss?
P.S. never could add
Yeah, whatever happened to the other 42? And what a number to fail to add!
A little bit of spam does spice ones life up, I agree, but even for me there are levels of spam that are completely unacceptable.
However, after considering that this has now been indexed by all the major search engines, wouldn't the spammers start randomly spamming guessed email forwarders? Send 1,000,000 to paypal@whateverdomain.com and see what happens I suppose.
A little bit of spam does spice ones life up, I agree, but even for me there are levels of spam that are completely unacceptable.
However, after considering that this has now been indexed by all the major search engines, wouldn't the spammers start randomly spamming guessed email forwarders? Send 1,000,000 to paypal@whateverdomain.com and see what happens I suppose.
Hmm not sure spammers are really that smart. It's probably easier to buy lists containing 100's of millions of addresses than to guess addresses.
Though like I mentioned some are(were) being proactive by reaping live ebay addresses, only those stupid enough to use their email address for ebay correspondance will continue to be spammed that way.
This site needs a way for members to post - like a wordsmith type blog, am sure that would be a simple tweak.
Though like I mentioned some are(were) being proactive by reaping live ebay addresses, only those stupid enough to use their email address for ebay correspondance will continue to be spammed that way.
This site needs a way for members to post - like a wordsmith type blog, am sure that would be a simple tweak.
Wordsmith-like blog? Firstly I would have to find out what such a thing is, and then I would have to consider the technical requirements and levels of pain in the arseness, before implementing such a system (which is presently pleasantly unknown to me presently).
You could be right about spammers, considering the recent spammification of the comments of another post (the one after this), they certainly ain't the sharpest knives in the drawer, mind you I the people they are targetting aren't exactly the sharpest knives in the drawer either.
[center]Buy CAil15! \/1agrA! here![/center]
You'd have to be two pennies short of a pound to want to consider purchasing something from someone who is obviously obscuring words in order to avoid word-detecting spam filters.
You could be right about spammers, considering the recent spammification of the comments of another post (the one after this), they certainly ain't the sharpest knives in the drawer, mind you I the people they are targetting aren't exactly the sharpest knives in the drawer either.
[center]Buy CAil15! \/1agrA! here![/center]
You'd have to be two pennies short of a pound to want to consider purchasing something from someone who is obviously obscuring words in order to avoid word-detecting spam filters.
Ooh look, I broke my site. :)
re post 182
a) wordsmith is available via fantastico in your cp. I meant not that you install it, you can perhaps test it on the wordpress homepage, or google it, since its Monika will be at the bottom of every wordpress blog page, there will be thousands of example sites. Anyways getting to the point. nominating certain users to be able to post would perhaps prevent endless off-topic posts like this one. Essentially the method you use to post with some level of restricted authentication is all that would be required. Or install a pre-built blog such as wordsmith. Perhaps you could play on a spare domain. I have one on a sub domain. You can probably find it if you guess around & I'm completely sure you know who the funk I am.
b) agreed with the fact that spammers targets are not the sharpest knives either. though its a numbers game. The cost of the spam campaign, including zombies, filter testing and effectiveness etc must me miniscule to the revenue. I too find it hard to understand why people buy shit from spam messages, some must. maybe we need to make computers as hard as possible to use again so that the average moron can't even use one without first passing a computers for morons test.
c) Amplifying the off topic scenario; anyone listened to the new (Feb. 29th) Coldcut CD? It's a departure from the coldcut I knew. It Sucketh.
a) wordsmith is available via fantastico in your cp. I meant not that you install it, you can perhaps test it on the wordpress homepage, or google it, since its Monika will be at the bottom of every wordpress blog page, there will be thousands of example sites. Anyways getting to the point. nominating certain users to be able to post would perhaps prevent endless off-topic posts like this one. Essentially the method you use to post with some level of restricted authentication is all that would be required. Or install a pre-built blog such as wordsmith. Perhaps you could play on a spare domain. I have one on a sub domain. You can probably find it if you guess around & I'm completely sure you know who the funk I am.
b) agreed with the fact that spammers targets are not the sharpest knives either. though its a numbers game. The cost of the spam campaign, including zombies, filter testing and effectiveness etc must me miniscule to the revenue. I too find it hard to understand why people buy shit from spam messages, some must. maybe we need to make computers as hard as possible to use again so that the average moron can't even use one without first passing a computers for morons test.
c) Amplifying the off topic scenario; anyone listened to the new (Feb. 29th) Coldcut CD? It's a departure from the coldcut I knew. It Sucketh.
re: Ooh look, I broke my site. :)
wtf happened to the calendar?
wtf happened to the calendar?
1. I uploaded a new version of my blog but failed to notice that I was only halfway through the calendar re-development. So that's what's wrong with that, I will likely have it completed and uploaded before the end of this coming weekend.
2. Part of Fantastico? Oh well, in that case, I will have to give it a whirl on a test domain. Glad you pointed that out.
3. I want to be able to allow EVERYONE to post comments, so if you are suggesting that for comments, then it's a no go. However, for specified users to create blog posts, I could definitely look into. It's not as simple as adding authentication though, I would have to produce a secondary blog posting area, as my blog-posting area allows me to fuck about with virtually everything.
4. New Coldcut sucketh? Are you absolutely certain about that, have you given it enough listenings? I remember when you thought Little Britain was crap (you probably still do), but it's been lauded as one of the greatest new comedy shows since The Office.
2. Part of Fantastico? Oh well, in that case, I will have to give it a whirl on a test domain. Glad you pointed that out.
3. I want to be able to allow EVERYONE to post comments, so if you are suggesting that for comments, then it's a no go. However, for specified users to create blog posts, I could definitely look into. It's not as simple as adding authentication though, I would have to produce a secondary blog posting area, as my blog-posting area allows me to fuck about with virtually everything.
4. New Coldcut sucketh? Are you absolutely certain about that, have you given it enough listenings? I remember when you thought Little Britain was crap (you probably still do), but it's been lauded as one of the greatest new comedy shows since The Office.
Banging on about spiced ham again. Having being a proponent of mail alieses to successfully obfuscate my real, and now single large imap mailbox for some time - Ahdy raised an important issue. That spammers could start to randomly generate addresses with such prefixes such as ebay, paypal or amazon etc. A solution therefore would be to place a suffix after such a prefix.
ebay@domain.com
could become
ebay_A7FE@domain.com
If the suffix was truly random , this would make remembering the email address used more difficult to remember though, so if you don't mind a little metal computation, you could (as in the above example use A7F in all your address suffixes and then use the first letter of the email address 'e' as the last letter in the suffix 'E'.
It's hardly random, but may be a further step you could take if you don't like simply using ebay@domain.com
ebay@domain.com
could become
ebay_A7FE@domain.com
If the suffix was truly random , this would make remembering the email address used more difficult to remember though, so if you don't mind a little metal computation, you could (as in the above example use A7F in all your address suffixes and then use the first letter of the email address 'e' as the last letter in the suffix 'E'.
It's hardly random, but may be a further step you could take if you don't like simply using ebay@domain.com
A good idea I think, but perhaps the randomness of the suffix needn't be so complex. Perhaps you could use just one extra letter, or a word that you share across your aliases.
ebay_goit@domain.com for example.
ebay_goit@domain.com for example.
Spose so. What ever tickles your fanny.
Unless anyone has a better idea?
Some way to keep the suffix random, short: 2 characters?, and most importantly easy to remember.
I had a thought, that since its still possible that an address could be compromised, that the calculation of a suffix would not necessarily work 100%. However It was only through my own stupidity that my ebay address was compromised, and since that time, I have not issues since, so the calculation method shold be ok. Then too, my passwords are all in a database (as you know ahd), so I often have to look up the ones I haven't used in some time, or those where my ailing short term memory has filed under abyss. Though I did manage to use a psuedo random method there too for a handfull of sites as a test - Don't think I'm giving too much waway there LOL.
Another thing I was thinking about. Imagine you were a company was was about to pawn your database of email addresses to the highest bidder. Would you first eliminate any that had your own domain as the prefix, Perhaps in an effort to sidestep any litigation? I expect you would have to be aware of this method.
Unless anyone has a better idea?
Some way to keep the suffix random, short: 2 characters?, and most importantly easy to remember.
I had a thought, that since its still possible that an address could be compromised, that the calculation of a suffix would not necessarily work 100%. However It was only through my own stupidity that my ebay address was compromised, and since that time, I have not issues since, so the calculation method shold be ok. Then too, my passwords are all in a database (as you know ahd), so I often have to look up the ones I haven't used in some time, or those where my ailing short term memory has filed under abyss. Though I did manage to use a psuedo random method there too for a handfull of sites as a test - Don't think I'm giving too much waway there LOL.
Another thing I was thinking about. Imagine you were a company was was about to pawn your database of email addresses to the highest bidder. Would you first eliminate any that had your own domain as the prefix, Perhaps in an effort to sidestep any litigation? I expect you would have to be aware of this method.
All they have to do is look at their email list. But saying that, if they have a "list" they are likely to sell it anyway. Most respectable companies do not sell such personal information, so this really only targets the unscrupulous.
It really is a handy method of weeding out the good from the bad.
Talking of stupidity, it was my paypal address that was compromised within hours of setting it up, I was publishing the address in my paypal forms.
It really is a handy method of weeding out the good from the bad.
Talking of stupidity, it was my paypal address that was compromised within hours of setting it up, I was publishing the address in my paypal forms.
