Stopping Spam
March 3, 2004 2:57 PM

Where the hell did spammers get my email address and what can I do to stop it?

Seriously. I have a personal Yahoo address that I've used for 3 years for nothing other than corresponding with friends and family. No usenet posts, no ordering crap, nothing of the like with it. Ever. I now get 15 or so spams a day, always porn and most from what appears to be the same or related senders. Granted, I know that 15 isn't a huge number (the addresses I use for usenet, ordering crap, etc are generally flooded with spam, but that's expected), but it's annoying nonetheless. I'm a bit of a control freak and would like to keep that account clean. Any suggestions?
posted by item to Computers & Internet (16 answers total)
 
They could have got it as a result of a dictionary or brute-force attack where they send mail to @yahoo.com. So what if 99.9999% of those bounce.

You're likely screwed. Set up a white list filter so you only see mail from addresses you've added, and accept the inevitable.

posted by willnot at 3:05 PM on March 3, 2004


that should have been [randomstring]@yahoo.com
posted by willnot at 3:06 PM on March 3, 2004


If the address is anything like "item" or reasonably guessable with a dictionary attack, chances are that's how it's been found. An account name like 234y^GREW$ will almost never get spam, while "Fred" will.

Or one of your correspondents could put your address in a form for an e-card from an unscrupulous type, or a "mail this link" form or ...
posted by bonaldi at 3:07 PM on March 3, 2004


Fast fingers willnot on the keyboard slipped.
posted by bonaldi at 3:08 PM on March 3, 2004


Buy a personal domain, and pay the $5 a month necessary to get email there. Then guard your email address carefully - don't post it on the internet, only give it out to friends. When a company you don't trust wants your email address, give them your yahoo address. When a company you trust wants your email address (and you want to get their email), give them something like amazon@example.com, and set up that address to dump into your main account. Then if you ever get spam there, just shut down that email address.

Anyway, that's what I did, and I haven't received a single piece of spam in about two years.
posted by gd779 at 3:27 PM on March 3, 2004


I also get little to no spam to my real accounts, mostly through use of the disposable-email forwarding address services of mailshell.com. Highly recommended.
posted by stavrosthewonderchicken at 3:48 PM on March 3, 2004


"nothing other than corresponding with friends and family"

Well, there you have it. One of them got some kind of virus or spyware bot which spammed out their entire address book, getting your address very much out there. It's inevitable and unavoidable that this will happen unless you whitelist, filter, and virus scan constantly. Don't feel bad that you're now in the unwashed mass of people who get spam. You can do a lot more to abate than you can to avoid entirely.
posted by scarabic at 3:51 PM on March 3, 2004


Some of my favorite tricks:

1) Register your domains through Domains By Proxy. I haven't done this yet but probably will next time. They spam-filter mail sent to your (cloaked) WHOIS address. And if you have a domain of your own, you WILL get spammed on your WHOIS addresses.

2) Set up a spamtrap if your mail server allows it. This allows your mail to come helpfully marked as spam by the spammers themselves. Basically, a spamtrap is an address that you give out as much as you can to TRY to get it on as many spammers' lists as possible. It should be in the same domain as your main e-mail address and alphabetically close to the real address's account name. When mail arrives to the spamtrap address, it is not delivered to ANY of the addressees. That is, if a given piece of mail is addressed to both steve@example.com and spamtrap@example.com, it gets bounced and not even steve@example.com gets it! The hope is that most of your spam will arrive addressed to the spamtrap in addition to whatever real recipient it is destined for. This is what I mean by the spammer marking it as spam for you.

3) If you block e-mail that a) doesn't have a valid message-ID and b) doesn't have your name on the To or CC line, you will eliminate about 75% of spam. You should not use this on your main e-mail address, since a lot of legitimate e-mail from Web sites and mailing lists will meet these criteria, but any additional e-mail addresses you use for Usenet postings or Web site comments are good candidates for this sort of filtering. If you also include a filter that blocks messages larger than say 30K, you will also block a lot of viruses. (Had to do this on my Usenet mail address due to swen.)

4) If you have e-mail addresses that you expect communication on only from certain parties, put a filter on them to accept mail only from those senders. For example, my WHOIS address only accepts e-mail from my registrar.

5) Statistical filtering cleans up the rest of it pretty nicely.

You can do more before resorting to the statistical filter, but those are fairly easy things to do that make a big difference. After that you start getting to the point of diminishing returns, IMHO.
posted by kindall at 4:10 PM on March 3, 2004
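
Tips 2 to 4 above as a single delivery check, written as an added example (not kindall's or any mail server's own code). The `classify` function, the `usenet@` and `whois@` addresses and the sample messages are constructed for illustration; tip 3 is read as requiring both a) and b), and the From check only narrows what gets through, since that header is forgeable.

```python
from email import message_from_string
from email.utils import getaddresses

SPAMTRAP = "spamtrap@example.com"      # trap address from the comment's example
MAX_BYTES = 30 * 1024                  # the "say 30K" size limit from tip 3
# Constructed for illustration: restricted address -> sender domains it accepts (tip 4).
ALLOWED_SENDERS = {"whois@example.com": {"registrar.example"}}

def header_addrs(msg, *names):
    """Lower-cased addresses found in the named header fields."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def classify(raw, envelope, strict=()):
    """Map each envelope (SMTP RCPT TO) recipient to "deliver" or a rejection reason.
    strict: lower-cased recipients that get tip 3's rules."""
    msg = message_from_string(raw)
    envelope = [r.lower() for r in envelope]
    if SPAMTRAP in envelope:           # tip 2: one trap hit rejects for everyone
        return {r: "spamtrap" for r in envelope}
    # From is forgeable: this check narrows, it does not authenticate.
    sender_domains = {s.rpartition("@")[2] for s in header_addrs(msg, "From")}
    mid = (msg.get("Message-ID") or "").strip()
    valid_mid = mid.startswith("<") and mid.endswith(">") and "@" in mid
    addressed = header_addrs(msg, "To", "Cc")
    verdicts = {}
    for rcpt in envelope:
        allowed = ALLOWED_SENDERS.get(rcpt)
        if allowed is not None and not (sender_domains & allowed):
            verdicts[rcpt] = "sender-not-allowed"               # tip 4
        elif rcpt in strict and not valid_mid and rcpt not in addressed:
            verdicts[rcpt] = "bad-message-id-and-not-addressed" # tip 3, a) AND b)
        elif rcpt in strict and len(raw.encode()) > MAX_BYTES:
            verdicts[rcpt] = "oversize"                         # tip 3 size filter
        else:
            verdicts[rcpt] = "deliver"
    return verdicts

# Constructed sample messages (not real mail).
SPAM = ("From: promo@bulk.example\nTo: someone@other.example\n"
        "Subject: hi\n\nbuy now\n")
LEGIT = ("From: Hostmaster <noreply@registrar.example>\nTo: whois@example.com\n"
         "Message-ID: <20040303.1@registrar.example>\nSubject: renewal\n\nDue soon.\n")

if __name__ == "__main__":
    print(classify(SPAM, ["steve@example.com", SPAMTRAP]))
    print(classify(SPAM, ["usenet@example.com"], strict={"usenet@example.com"}))
```

The same spam sent to `steve@example.com` alone, with no strict rules, is delivered, which is the remainder that tip 5's statistical filter is left to handle.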


There is a bright side to this.

Your penis is about to get a lot bigger, a good thing since Candie's tighter than a drum, likes 'em big, and even as we speak is sending you naked pictures from last night. Be sure to open that attachment pronto. As she'll say in her subject line, Candie wants you all night long, a snap since your sexual stamina is about to rocket so wildly that it will knock the roof off your house, a condition easily remedied by the low-interest home improvement loans already approved for you. Be sure to spend some of that cash to stock up on herbal marijuana alternatives, viagra, and chinese-manufacturer pipe fittings, which you will no doubt need on your free 7-night vacation in the Bahamas with your new friend.

Welcome to the world of spam!
posted by scarabic at 4:31 PM on March 3, 2004


The other way your address could get out there is if one of your friends or relatives CCed you with a lot of other people, which message was then forwarded along, and forwarded along, and forwarded along, your address tangled up in the commented headers the whole way. Somewhere along the line it hits an address-culler, and WHAM! you're never spam-free again.

It won't stop, by the way.
posted by Mo Nickels at 5:51 PM on March 3, 2004


My yahoo address of a few years gets almost no spam.

It might be that one of your soon to be ex-friends signed you up for "free movie tickets" or something.
posted by callmejay at 7:12 PM on March 3, 2004


Just a word about gd779's suggested tactic of using "amazon@example.com" or "metafilter@example.com" to track abuse of your address: Some spammers have figured this out and routinely use those addresses at every domain they can find.

I know this because last year I received hundreds of e-mails addressed to "amazon", "metafilter", "slashdot", "microsoft", "orbitz", "expedia", the names of at least a dozen prominent porn sites, and countless others at several of my domains, addresses which I had never used.
posted by bradlands at 9:12 PM on March 3, 2004


I would agree with bradlands's warning -- the better choice is something like amazon.email@example.com or priceline.messages@example.com when you can reasonably trust a company to treat your address with respect. For sites that might spam you (as opposed to sending out a newsletter of info you really want) or sell your e-mail address, use something like hallmarkcards.spam@example.com with a filter that sends anything with [whatever].spam@example.com to a holding pen where you can get to it whenever you're ready.
posted by Dreama at 2:21 AM on March 4, 2004


What gd779 and bradlands said. I even create an email address that I use on my web pages--something along the lines of web_randomstring@example.com. That gets changed about every two months or so (in practice, whenever I get the first spam at web_randomstring@example.com, randomstring is changed). Also, I use a server-side include so changing the address in one place changes it on all my web pages.
posted by DevilsAdvocate at 4:30 AM on March 4, 2004
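
The per-site alias scheme from gd779, bradlands, Dreama and DevilsAdvocate, as an added example that is not code from the thread. It goes one step beyond what was posted: instead of a hand-picked random string, the unguessable part is an HMAC of the site name, so the mail filter can verify an alias without keeping a list of every address issued. The key, function names and three-part address layout are assumptions, and site labels are assumed to contain no dots.

```python
import hashlib
import hmac

DOMAIN = "example.com"
SECRET = b"constructed-demo-key"   # constructed; a real key is random and kept private
EPOCH = {}                         # site -> rotation counter; bumping it retires the old alias

def tag_for(site):
    """Short keyed tag: reproducible with SECRET, not guessable without it."""
    msg = f"{site}:{EPOCH.get(site, 0)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:8]

def issue(site, trusted=True):
    """Address to give a site, e.g. amazon.<tag>.email@example.com."""
    site = site.lower()
    kind = "email" if trusted else "spam"      # the two suffixes Dreama describes
    return f"{site}.{tag_for(site)}.{kind}@{DOMAIN}"

def rotate(site):
    """Shut down the current alias for a site once it starts receiving spam."""
    site = site.lower()
    EPOCH[site] = EPOCH.get(site, 0) + 1

def route(address):
    """Return 'inbox', 'holding-pen' or 'reject' for an incoming recipient."""
    local, _, domain = address.lower().rpartition("@")
    parts = local.split(".")
    if domain != DOMAIN or len(parts) != 3:
        return "reject"                        # bare amazon@, metafilter@, ... never issued
    site, tag, kind = parts
    if kind not in ("email", "spam"):
        return "reject"
    # Constant-time comparison of the presented tag with the expected one.
    if not hmac.compare_digest(tag.encode(), tag_for(site).encode()):
        return "reject"                        # guessed, forged or rotated-out tag
    return "inbox" if kind == "email" else "holding-pen"

if __name__ == "__main__":
    alias = issue("amazon")
    print(alias, route(alias), route("amazon@example.com"))
```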


I own my own domain, and have used the "site-specific" email alias trick for some time. I've found that those disposable email addresses don't get spam- merchants and reputable membership sites have gotten good about respecting privacy, I think. But, in the 8-or-so years that I've had my main email address, it's gotten posted on a couple sites, my WHOIS entry, and lived through the heyday of the dot-com decline and nebulous privacy regulations, when I'm sure my email address got whored around to no end. I now get between 100 and 150 spam messages a day.

It sucks, but the combination of SpamAssassin on my hosted mail server (if you get a domain, make sure your provider offers this- it's a godsend) and local mail filtering gets 99% of that, if not more.

Bottom line- your email getting out is, sadly, a question of "when", not "if".

And never EVER use the "unsubscribe" functionality in spam messages- it just validates your email address to a spammer.
posted by mkultra at 9:18 AM on March 4, 2004


Another thing that spammers like to do is include a Return-Receipt-To header that causes many mail servers to return a receipt to the sender when the mail is placed in your mailbox. This gives them confirmation that the address exists. This can be disabled in many e-mail servers. Make sure it is.
posted by kindall at 10:44 AM on March 4, 2004

