Every day, millions of people receive dozens of unsolicited commercial e-mails (UCE), known popularly as “spam.” Some users see spam as a minor annoyance, while others are so overwhelmed with spam that they are forced to switch e-mail addresses. This has led many Internet users to wonder: How did these people get my e-mail address?
CDT embarked on a project to attempt to determine the source of spam. To do so, we set up hundreds of different e-mail addresses, used them for a single purpose, and then waited six months to see what kind of mail those addresses were receiving. It should come as no surprise to most e-mail users that many of the addresses CDT created for this study attracted spam, but it is very interesting to see the different ways that e-mail addresses attracted spam, and the different volumes, depending on where the e-mail addresses were used.
The results offer Internet users insights about what online behavior results in the most spam. The results also debunk some of the myths about spam.
Major Findings
• Our analysis indicated that e-mail addresses posted on Web sites or in newsgroups attract the most spam.
o Web Sites: CDT received the most e-mails when an address was placed visibly on a public Web site. Spammers use software harvesting programs such as robots or spiders to record e-mail addresses listed on Web sites, including both personal Web pages and institutional (corporate or non-profit) Web pages.
CDT tested two methods of obstructing address harvesting:
Replacing characters in an e-mail address with human-readable equivalents, e.g. “example@domain.com” was written “example at domain dot com;” and
Replacing characters in an e-mail address with HTML equivalents.
E-mail addresses posted to Web sites using these conventions did not receive any spam.
o USENET newsgroups: Newsgroups can expose to spammers the e-mail address of every person who posts to the newsgroup. Newsgroup postings, on average, generated less spam than posting an e-mail address on a high-traffic web site. In our study, we discovered that most newsgroup-related spam is sent to the address in the message header, even if other e-mail addresses are included in the text of the posting.
• For the most part, companies that offered users a choice about receiving commercial e-mails respected that choice. Most of the major Web sites to which we provided e-mail addresses respected the privacy choices we made, when a choice was made available to us.
• Some spam is generated through attacks on mail servers, methods that don’t rely on the collection of e-mail addresses at all. In “brute force” attacks and “dictionary” attacks, spam programs send spam to every possible combination of letters at a domain, or to common names and words. While these attacks can be blocked, some spam is likely to get through. In many cases, spam generated by these attacks will be directed to shorter e-mail addresses (like bob@domain.com) before it is directed to longer addresses (like bobwilliams@domain.com).
Tips for Avoiding Spam
Currently there is no foolproof way to prevent spam. Based on our research, we recommend that Internet users try the following methods to prevent spam:
• Disguise e-mail addresses posted in a public electronic place.
CDT received the most spam just by placing an e-mail address at the bottom of a webpage. Spammers “harvest” these addresses with computer programs that collect and process addresses and add them to spam mailing lists. If a user must post his/her e-mail address in a public place, it is useful to disguise the address through simple means such as replacing “example@domain.com” with “example at domain dot com” or other variations such as the HTML numeric equivalent, in which “example@domain.com” could be written “example&#64;domain&#46;com.”
Opt out of member directories that may place your e-mail address online. If your employer places your e-mail address online, ask the Webmaster to make sure it is disguised in some way.
• Read carefully when filling out online forms requesting your e-mail address, and exercise your choice.
If you don’t want to receive e-mail from a Web site operator, don’t give them your e-mail address unless they offer the option of declining to receive e-mail and you exercise that option. If you are asked for your e-mail address in an online setting such as a form, make sure you pay attention to any options discussing how the address will be used. Pay attention to check boxes that request the right to send you e-mails or share your e-mail address with partners. Read the privacy policies of Web sites. If you suspect that a Web site has violated its privacy policy, you can report it to your state attorney general or the Federal Trade Commission.
• Use multiple e-mail addresses.
When using an unfamiliar Web site or posting to a newsgroup, establish an e-mail address for that specific purpose. Alternatively, instead of just using one or two e-mail addresses, you can use “disposable e-mail addresses,” which consolidate e-mail in a single location but allow you to immediately shut off any address that is attracting spam. By recording which disposable address was used at which web site, one can track what sites are causing spam. Many Web sites are now providing free e-mail accounts. A search in Google Directory for “disposable e-mail addresses” provides a list of e-mail providers designed for one-time use e-mails.
• Use a filter.
Many ISPs and free e-mail services now provide spam filtering. While filters are not perfect, they can cut down tremendously the amount of spam a user receives.
• Short e-mail addresses are easy to guess, and may receive more spam.
At least one spammer tried to guess the e-mail addresses used in this study by sending mail to short and common addresses. E-mail addresses composed of short names and initials like bob@ or tse@, or basic combinations like smithj@ or toms@ will probably receive more spam. E-mail addresses need not be incomprehensible, but a user with a common or short name may want to modify or add to it in some way in his or her e-mail address.
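The two disguising methods described above can be checked on your own pages before publishing. The following is an added example, not part of the CDT study: it writes an address in both disguised forms and audits page source for addresses still present in plain text. The function names and the sample page are constructed for illustration.

```python
import html
import re

# Deliberately simple pattern for addresses written out in plain text,
# the form the study found attracted the most spam.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def to_human_readable(address):
    """'example@domain.com' -> 'example at domain dot com'."""
    local, _, domain = address.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


def to_html_numeric(address, chars="@."):
    """Replace the chosen characters with HTML numeric character references."""
    return "".join(f"&#{ord(c)};" if c in chars else c for c in address)


def exposed_addresses(text):
    """Return the plain-text addresses found in the given text."""
    return sorted(set(PLAIN_ADDRESS.findall(text)))


def audit(page_source):
    """Compare what a raw-source scan finds with what a reader sees."""
    rendered = html.unescape(page_source)  # text as a browser displays it
    in_source = exposed_addresses(page_source)
    decoded_only = set(exposed_addresses(rendered)) - set(in_source)
    return {"in_source": in_source, "only_after_decoding": sorted(decoded_only)}


# Constructed sample page: one plain address and one of each disguised form.
SAMPLE_PAGE = (
    "<p>Sales: sales@domain.com</p>\n"
    f"<p>Press: {to_html_numeric('press@domain.com')}</p>\n"
    f"<p>Support: {to_human_readable('support@domain.com')}</p>\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE))
```

An address listed under `only_after_decoding` is absent from the raw source but reappears once character references are decoded, so the HTML form hides it only from scanners that read the source as-is.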
Conclusions
1. E-mail addresses harvested from the public Web are frequently used by spammers. By an overwhelming margin, the greatest amount of spam we received was to addresses posted on the public Web.
When an address has been posted on the public Web, it can potentially be viewed by hundreds of millions of users. People who develop spam lists exploit this feature by using address-harvesting programs to surf across thousands of web sites, collecting any e-mail addresses that they encounter. Most users have no idea that their addresses have been harvested until they begin receiving spam.
2. The amount of spam received by an address posted on the public Web is directly related to the amount of traffic that Web site receives. The more visitors a Web site has in a given period of time, the greater the likelihood that an address-harvesting program used to send spam will scour it. As a result, addresses posted on high-traffic Web sites are likely to receive a greater amount of spam than addresses posted on smaller sites: popular Web sites are more frequently “harvested,” and addresses posted on those Web sites are added to a greater number of spam lists.
3. E-mail addresses harvested from the public Web appear to have a relatively short “shelf life.” When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute: on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.
4. Addresses posted in the headers of USENET messages can receive significant spam, though less than a posting on the public Web. Like most Web sites, USENET postings are publicly accessible and may be targeted by e-mail address-harvesting programs. When a user includes his or her address in the heading of a USENET message, that address can be harvested and used to send spam. Our preliminary data indicates that some USENET newsgroups are more frequently harvested for e-mail addresses than others.
5. Obscuring an e-mail address is an effective way to avoid spam from harvesters on the Web or on USENET newsgroups. Even when posted in publicly accessible areas, none of the addresses we obscured, whether in English (“example at domain dot com”) or in HTML, received a single piece of spam. Users who want to avoid spam should consider obscuring their addresses when possible.
6. Sites that publish their policies and make choice available to users generally respected those policies. A major element of the CDT project was to submit e-mail addresses to a number of popular businesses and other organizations on the Web. Many of these sites had privacy policies describing how they handle e-mail addresses and other potentially sensitive pieces of information. While the terms of these policies varied, we found that almost all sites followed their policies. In addition, when consumers were offered choices about how their personal information would be handled, those choices were respected.
7. Domain name registration does not seem to be a major source of spam. Despite the fact that the WHOIS database is publicly accessible, our project received just a single spam message to an address that was in WHOIS for six months. This leads us to believe that, at least for some people registering new domain names, listings in the WHOIS database may not be a major source of spam. However, because our project had a relatively short duration, we were not able to examine whether additional spam would be received as a domain name approached its renewal date.
8. Even when an e-mail address has not been posted or shared in any way, it is still possible to receive spam through various “attacks” on a mail server. In our study, a “brute force” attack on the mail server generated a tremendous amount of spam, even to addresses that hadn’t been shared anywhere. Anecdotal evidence from network operators indicates that such attacks are not uncommon, and that while alert network administrators can sometimes block them, a significant amount of spam can still result. Sometimes, these attacks take the form of “dictionary attacks,” in which the attacker sends e-mail to all the words in the dictionary, or attacks in which e-mail is sent to common surnames and first initials (such as “jsmith” or “bjones”). For individual Internet users, there is little that can be done to avoid the spam that may result from such attacks.
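The “brute force” and “dictionary” attacks described above leave a recognizable trace on the mail server: one source addressing many recipients that do not exist. The following is an added example, not part of the CDT study, showing one way an administrator could flag such sources; the log format, field names, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical key=value format (not a real MTA's).
SAMPLE_LOG = """\
2003-01-15T10:00:01 src=203.0.113.7 rcpt=al@domain.com result=unknown_user
2003-01-15T10:00:02 src=203.0.113.7 rcpt=bob@domain.com result=delivered
2003-01-15T10:00:02 src=203.0.113.7 rcpt=tse@domain.com result=unknown_user
2003-01-15T10:00:03 src=203.0.113.7 rcpt=toms@domain.com result=unknown_user
2003-01-15T10:00:04 src=203.0.113.7 rcpt=smithj@domain.com result=unknown_user
2003-01-15T10:00:05 src=203.0.113.7 rcpt=jsmith@domain.com result=unknown_user
2003-01-15T10:00:06 src=203.0.113.7 rcpt=bjones@domain.com result=unknown_user
2003-01-15T10:02:00 src=198.51.100.20 rcpt=bobwiliams@domain.com result=unknown_user
2003-01-15T10:02:30 src=198.51.100.20 rcpt=bobwilliams@domain.com result=delivered
"""


def parse(line):
    """Turn one log line into a dict with 'time', 'src', 'rcpt' and 'result'."""
    stamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.fromisoformat(stamp)
    return record


def guessing_sources(log_text, window=timedelta(minutes=5), threshold=5):
    """Map each source that tried at least `threshold` distinct nonexistent
    recipients within `window` to the largest such count observed."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            if rec["result"] == "unknown_user":
                rejects[rec["src"]].append((rec["time"], rec["rcpt"]))
    flagged = {}
    for src, events in rejects.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

A single mistyped recipient, as from the second source in the sample, stays below the threshold and is not flagged.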
October 9th, 2009