EMAIL

Spam Bam, No Thank You Ma'am

The Annoyance:

Spam spam egg sausage and spam that's all I get in my inbox. How did these spammers get my email address?

The Fix:

Spammers can grab your email address in any number of ways. If you posted your address in an online forum, newsgroup, or on a web page, it was probably harvested by a spambot special software that scours the web looking for "@" signs, then collects the addresses surrounding them. You may have signed up for an online sweepstakes at a site like jackpot.com or grouplotto.com and agreed to receive the junk, even if you're not aware you agreed to it. (See the "How to Read a Privacy Policy" sidebar in this chapter.) Or a friend might have signed you up at one of these sites (friends like this you don't need). More likely you were the victim of a "dictionary" or "brute force" attack, where a spammer overwhelms your ISP's email server with messages sent to random combinations of letters (like bob-aaa@yoursisp.com, bob-aab@yourisp.com, etc); those that don't bounce back are added to the spammers' collection and then sold over and over and over. So, in other words, you could do absolutely nothing on the Net and some spammer could still find your email address and start filling your inbox with junk.

For a detailed discussion of the many ways spammers harvest email addresses, see http://www.private.org.il/harvest.html. For a good general discussion of Spam, read the FAQ provided by the Coalition Against Unsolicited Commercial Email (http://www.cauce.org/about/faq.shtml).

Whose Address Is It, Anyway?

The Annoyance:

I'm tired of being a magnet for electronic luncheon meat. What can I do to wrest my email address from the clutches of these evildoers?

The Fix:

Sorry. Once a spammer has your address there isn't much you can do to get it back, short of abandoning your old address and starting from scratch with a new one. But you can limit exposing your new address using a few time-tested tricks. For a start, don't use your primary email address when you fill out web forms, especially for sites that offer something free in exchange for your information. Instead, set up a junk address on a free web mail service (such as Yahoo Mail) and use that one when you sign up. You may have to check that address periodically for legit mail, such as the confirmation messages you get when you sign up for some sites.

If you post information to newsgroups or online forums, you can subtly alter your real email address so it's easy for humans to decipher but impossible for spam bots to harvest. Something as simple as "Bob at yourisp dot com" will tell people you can be reached via bob@yourisp.com. If you're starting over, choose an email address that's harder for brute force attacks to guess, such as bob1776smith@yourisp.com. That may slow the attackers down a bit.

Finally, if you've got your heart set on putting your email address on your web site, do it by creating an image of your email address with a tool such as Windows Paint, or take a screenshot of your email address (that you've typed into a Word document) and save it as a GIF or JPEG file. Then plop the image onto your page like any other picture. Spambots can't read graphics.

Some ISPs and web services offer disposable email addresses you can use to fight spam. For example, Yahoo Mail Plus ($20 a year, http://mail.yahoo.com) lets you create up to 500 addresses you can use to register at sites or hand out in public. All the mail is funneled to your normal Yahoo inbox. When that address starts gathering spam, you can throw it away essentially turn it off so the spam no longer flows into your real inbox. ZoEmail ($12 year, http://www.zoemail.com) offers a similar system for creating and managing temporary email addresses.

Nix Those Nasty Pix

The Annoyance:

I don't mind deleting spam. Sometimes I even enjoy reading the stranger ones it's like haiku for geeks. But the porn photos do intrude on my right to be let alone. How do I turn these images off?

The Fix:

You need to tell your email client to stop displaying email formatted to look like a web page (i.e., written in HTML), and instead display it as plain text. To turn off HTML display in Outlook 2003, for example, you'd select ToolsOptions, click the Preferences tab, click the E-mail Options button, then check the "Read all standard mail in plain text box (see Figure 3-5). Click OK twice and you're done. From now on, all your mail will be displayed as plain text, with links taking the place of images.

But remember, this change also applies to newsletters and other HTML-formatted mail whose pictures you would want to see. To get around this setting, open the email, right-click the bar across the top of the message that says "This message was converted to plain text," and select Display as HTML.

Some ISPs and web mail services likewise let you turn off pictures in email. In Yahoo Mail, click the Mail Options link, then Spam Protection, scroll down to the Image Blocking section, and decide whether you want to block all images or only those in messages marked as spam; then click the Save Changes button. (If this is the first time you're setting up spam protection, you'll first go through Step 1, Step 2, and Step 3 screens.) With Hotmail you select MailOptionsMail Display Settings, and then under Display Internet Images select "Remove images until messages are reviewed," followed by OK. If youre using AOL 9.0, select SettingsMail Settings, and check the "Notify me before opening mail containing pictures box and the "Hide images and disable links in mail from unknown senders" box, then click the Save button.

annoyances 3-5. You can tell Outlook 2003 to display HTML pages (bottom) as plain text (top) and effectively turn off offensive images. When you get an email you want to see in all its HTML glory, you can restore its appearance with just a couple of clicks.

When you create email filters, include misspellings and junk characters like "ci@lis, cia*lis, cialus," and so on which spammers use to thwart anti-spam software.

Declare War on Spam, Part I

The Annoyance:

Deleting spam takes forever. Isn't there some way to get rid of all the junk before it hits my inbox?

The Fix:

Yes, but the solution will cost you time and/or money. The cheap fix is to set up filtering rules in your email client that look for obvious spam messages and route them to a special folder, where you can look them over. If you get only a handful of junk each day, this approach can be effective. If you're swimming in the stuff, you'll spend more time creating and tweaking the rules than you would simply deleting each spam that comes in.

Some email packages, such as Outlook 2003 or Eudora 6.0, already have spam filtering built in (see "Declare War on Spam, Part Deux"). Most other email clients let you build rules from scratch. For example, to set up a filter in Outlook Express 6.x, you'd select ToolsMessage RulesMail, select the Mail Rules tab, then click the New button and select the conditions and actions for the rule. For example, to limit the number of Cialis ads you receive, check the "Where the subject line contains specific words box, move down to the Rule Description area and click the "contains specified words" link. Type Cialis into the dialog box that appears, click the Add button and then OK. In the Select the Actions area, check the "Move it to specified folder" box and below in the Rule Description area, click the "specified folder" link. You'll see a list of your current email folders. Highlight Local Folders, click the New Folder button, and name the folder where you want to stash the spam, then click OK twice. At the bottom of the dialog in the "Name of the rule" area, type in a name for your rule (e.g., "No Cialis Spam Rule") and click OK twice.

Now all suspect mail with "Cialis" in the subject line will be shuttled to your spam folder where you can review the messages before deleting them, just in case your filter catches legit mail by mistake. When you create the rule, make sure the rule also searches the From field, message text, and so on. You'll also need to continually add new filters and tweak old ones as new spam pours in.

Declare War on Spam, Part Deux

The Annoyance:

It sounds like creating and maintaining email is more work than just deleting the junk.

The Fix:

You got that right. Fortunately, there are simpler solutions. You can use tools provided by your Internet or web mail service provider to block spam, provided they have any. You can buy a third-party spam filter that works with your existing email package (the best ones actually work inside your email program, which saves you some hassle). You can move up to an email package that has spam filtering built in. Or you can adopt a new email service that filters mail for you. Here's the skinny on each.

1. The biggest service providers AOL, Microsoft Networks, EarthLink, Hotmail, and Yahoo all stop millions of junk messages so the stuff never reaches your inbox. They also give you tools for filtering spam that manages to slip by. For example, AOL, MSN, and Yahoo let you provide feedback to the filters by telling them what is and isn't spam which they use to improve the filters' performance. You can also tweak the settings to stop more spam; for example, you can choose to only receive email from people whose names are already in your address book (a so-called whitelist). This works pretty well for stopping junk, but this also means you'll never get email from new business contacts or your old high school girlfriend.

2. If you don't use one of these services or their spam filters suck eggs, buy a third-party spam filter. This software scans your email as it comes in, shuttles the likely spam into some safe place, and sends the rest of your email to your inbox. There are hundreds of such programs, all claiming to be the best. My personal favorites are Mail Frontier Desktop ($30, http://www.mailfrontier.com) and Qurb ($30, http://www.qurb.com). Both insert themselves directly into Outlook or Outlook Express, nail the junk, and automatically update themselves to keep up with the latest spammer tricks. But no spam filter is perfect, so you'll still have to delete some junk by hand. All such tools also flag some legitimate email by mistake especially email newsletters formatted in HTML, which look like spam to most filters. You'll need to periodically scan the junk folders to make sure there aren't any ponies in all that manure.

   SPAMOLOGY 101 Approved sender list (or whitelist). This is a list of the people you want to get email from. Many spam filters automatically generate this list by importing contacts from your address book and from mail you've already saved in folders. You can add or delete people from this list at will depending on, say, how nice they are to you. Blacklist or blocklist. The opposite of a whitelist; a blacklist consists of email addresses that have sent you spam. Filters will block all subsequent mail from these addresses, but that's small comfort, since spammers rarely use the same address twice. There are also regularly updated blacklists maintained by numerous web sites (such as Spamhaus.org or Spamcop.net) that contain Internet addresses of companies known to have sent unsolicited email. Some spam filters let you check incoming mail against these lists before accepting or rejecting the messages. Challenge/response. A system where mail from anyone not on your approved sender list is blocked, until the sender can prove (by answering a question, usually via a web form) that they're human beings and not spambots. Very effective but may be off-putting for your correspondents. False positive. A message your filter thinks is spam, but isn't. No spam filter is perfect, so you must be on the lookout for false positives or you could lose important correspondence. Junk or quarantine folder. Where spam filters stash all those Viagra ads. You'll need to scan this folder regularly to look for false positives. Phisher email. A phony message designed to lure you to a bogus web site so scammers can steal your personal information. Most phishers pretend to be from banks and other financial institutions, and may look genuine enough to fool your spam filter. Spam. Everyone has their own definition. Mine is "commercial email you don't want from people you don't know." Yours might be 'damn near everything in my inbox.' Spam threshold. Most spam filters let you control how strict they are when they mark messages as spam. The stricter the setting, the more messages both spam and legit mail they will block. Unsubscribe. A link at the bottom of an email ad that theoretically takes you off the spammer's list. Legit businesses are required by law to honor your request. In the past, spammers were notorious for using unsubscribe requests to verify your email address (and thus send more spam). Today they might honor your request but don't bet on it.

   
   

3. Switch to an email app that comes with anti-spam features built in, such as Outlook 2003 or Eudora 6.0. Generally, these filters work as well as the standalone programs, which means you'll still need to boot a few stragglers from your inbox and scan your spam folders for legit messages. But integrated filters can be harder to update than standalone anti-spam programs, so their effectiveness may degrade over time as spammers implement new tricks.

4. Web email services dedicated to blocking spam, such as Spam Arrest (http://www.spamarrest.com)and EarthLink's spamBlocker, can stop 100 percent of the spam, but at a price. Each time someone new sends you mail they must answer a challenge typically by visiting a web page where they answer a simple question before their message can reach you. Only those you give the answer to can get through. Because most spam is sent by machines and not humans, challenges aren't answered and the nasty stuff is stopped in its tracks. It's the only type of spam blocker that's 100 percent effective, but impatient humans may ignore the challenge entirely, which means you'll never get their mail.

There Oughta Be a Law. Wait, There Is a Law!

The Annoyance:

I thought spamming was illegal. Why am I still getting this stuff?

The Fix:

At last count, 36 states had rules on the books outlawing various spamming practices (for a list of the state laws, see http://www.spamlaws.com/state/). But in 2003, Congress passed The CAN SPAM Act of 2003, which pre-empted most of those statutes. ("CAN SPAM" stands for Controlling the Assault of Non-Solicited Pornography and Marketing, proving once again that Congress is better at coining acronyms than writing laws.) The Act essentially says that companies can send you unsolicited email until you tell them to stop, as long as they follow a few simple rules such as including a real return address on each message, as well as a way to unsubscribe from future mailings. If the bulk mailer doesn't follow the rules, it can be sued by ISPs or the Feds (but not by you). Downsides: you'll have to unsubscribe from every company that sends you mail, which could mean doing it thousands of times a year. And it won't do squat to stop scofflaw spammers many of them located offshore from flouting the law and continuing to hawk fake prescriptions, work-at-home scams, and other flimflams. In fact, the volume of spam has increased dramatically since CAN SPAM was passed from around 40 percent of all email to about 70 percent, by most estimates. So yes, spamming is illegal, but the law ain't helping much.

Fight Fire with Water

The Annoyance:

I am so sick of spam I could just scream. Blocking the junk isn't enough. How can I fight back?

The Fix:

Unfortunately, the CAN SPAM Act does not allow individuals to sue spammers (don't blame me, blame Congress). But it does allow Federal agencies and ISPs to sue the bastards. In March 2004, AOL, EarthLink, MSN, and Yahoo filed their first suit against spammers under the new law. You can add fuel to their fires by forwarding spam to your ISP's abuse department (usually something like abuse@yourisp.com) and to the Federal Trade Commission's spam "refrigerator" at uce@ftc.gov. If the spam is also a scam, you can also register a complaint with the Internet Fraud Complaint Center, which is run by the FBI and the National White Collar Crime Center. You'll find a link to the complaint form at http://www.ifccfbi.gov/cf1.asp. But remember, they don't accept anonymous complaints, so you'll have to surrender a fair amount of personal info, like your name, phone, email, and date of birth.

Don't Bank on It

The Annoyance:

I got an email that looks like it came from my bank asking me to verify my account information. Should I be suspicious?

The Fix:

Very. No bank worthy of your business will ask for your account information via email. You've got what's known as a phisher spam email that pretends to be from a financial services firm (or ISP, or online payment site), but is really designed to coax personal information from you. Phisher email can be quite sophisticated; many feature genuine logos and working links to the corporation's actual site. Some even take you to the real site, then pop up a window that asks for your name and account info; that data gets shuttled to scammers who sell your identity to crooks, who then use it to buy stuff and open new accounts in your name essentially stealing your identity. According to the Anti-Phishing Working Group (http://www.anti-phishing.org), phishing attacks are increasing at a rate of more than 100 percent per month. So expect to see a lot more bogus bank emails.

Some spam blocking packages, such as MailFrontier Desktop and Qurb, have filters to identify possible phisher scams. EarthLink offers a free ScamBlocker toolbar (http://www.earthlink.net/earthlinktoolbar/download/) for Internet Explorer that warns you when you attempt to visit a site operated by a known phisher gang (see Figure 3-6). Support for other browsers is due later in 2005, but with dozens of new phishers scams emerging each day, EarthLink can't possible track all of them. Be alert!

annoyances 3-6. So despite all my warnings you clicked the link in that phisher email after all, eh? If you had EarthLink's ScamBlocker toolbar installed, this is what you'd see.

Another option is to download Corestreet's free SpoofStick toolbar (http://www.corestreet.com/spoofstick/), which installs into Internet Explorer or Firefox and displays the name of the web site you're really on a fast way to separate phisher sites from the real McCoy.

To install SpoofStick in IE, click the download link on the Corestreet site, and in the File Download window click Open. Follow the prompts in the install wizard. IE will shut down automatically. When you re-launch IE, the SpoofStick toolbar should be prominently displayed below the address bar.

In Firefox the steps are a little different. If Firefox prevents sites from installing new software (as it should by default), click the Edit Options button in the banner that displays across the top of the page. In the Allowed Sites dialog, click the Allow button, then OK. When Firefox asks you to confirm your choice, click the Install Now button. Restart Firefox, then select ViewToolbarsCustomize, find the SpoofStick icon, drag it onto the toolbar of your choice, then click Done.

If you use a different browser, your best recourse is to never click any links inside an email message that claims to be from your bank or other financial institution.

For the skinny on who is behind most of the fake private dick software hawked on the Net, visit the State of Florida's excellent corporations search page at http://www.sunbiz.org/corpweb/inquiry/cormenu.html, click the Name List link, type "Cyberspace to Paradise" and click the Submit button. In the Corporate Name list, click the "Cyberspace to Paradise, Inc." entry. Though literally thousands of affiliate sites sell this software, this is where most of the money eventually ends up. And you don't need detective software to find them.

Always type the name of your bank's web site into your browser, and make sure you arrive at a secure site the address should begin with https and you should see a tiny padlock icon in the lower right corner of your browser. When in doubt, contact your bank. If there's a phisher scam circulating in their name, they'll likely know about it.

So, is it the real deal or a fiendishly clever spoof? Check the following five tell-tale signs to see if you've got a phisher mail, as illustrated in Figure 3-7.

1. The message was written by someone who flunked sixth-grade grammar or appears to be a non-native English speaker.

2. It threatens that if you don't take immediate action your account will be terminated.

3. It asks you for sensitive information, such as account numbers, Social Security numbers, or date of birth, or directs you to a web site where you're required to provide this information.

4. The web address link doesn't match your bank's normal web address, or the URL shown on the email doesn't match the address of the site when you roll your mouse pointer over the link.

5. The message lacks other ways of contacting the sender, such as a toll-free number. Some phisher emails do include an 800 number, so call it. If your bank answers, ask to speak to someone who can verify the email is legit.

annoyances 3-7. Anatomy of a phisher scam.

Watching the (Digital) Detectives

The Annoyance:

I'm bombarded by spam that claims I can find out anything about anybody, simply by buying a $30 software package. Are these things for real?

The Fix:

Well they're real in the sense that the people who sell these things really do take your money. But no software product can turn you into a virtual Philip Marlowe, or conversely, expose your secrets to the world. The "detective" software products I've seen consist largely of text files explaining how to find and use public records databases, along with links to paid search sites (such as the ones discussed in "Fend off Cyber Stalkers"). Because the data is public and largely available for free at sites like Search Systems (http://www.searchsystems.net) and Public Record Finder (http://www.publicrecordfinder.com) there's no earthly reason to spend 30 bucks. And since you can't do much to suppress public records (such as property ownership or professional licenses), it makes little sense to worry about it.

Swat Web Bugs

The Annoyance:

I've heard that it's possible for spammers to tell if you've read email they've sent you. That just creeps me out. How do they do this, and how can I stop them?

The Fix:

You heard right provided they're sending you HTML mail. In fact, this is becoming standard practice for all bulk emailers, legitimate and otherwise. The trick involves embedding a tiny transparent graphic often a single pixel in the message that's tied to a bit of HTML code. When you open the message, that little bit of HTML code tells the page to go fetch a picture from another server out on the Net. But there's no picture to fetch; the server on the other end craftily records that the email was opened, the email address of who opened it, their IP address, browser used, and potentially more. Many web sites use the same technology to determine what pages people open when they visit a site.

To turn off web bugs in email, follow the steps outlined in "Nix Those Nasty Pix" above. To detect the little critters in web pages, download the free Web Bug Detector from Bugnosis (http://www.bugnosis.org). Two caveats: it only works inside Internet Explorer 5.x or later, and you may quickly grow tired of the little noise the detector emits as it encounters bug after bug after bug...

Enquiring Minds Don't Really Want to Know

The Annoyance:

I received a message from a web site claiming that other people have made inquiries about me. But to get more information, they want $25. Should I pay up to find out what people are saying about me?

The Fix:

Not unless you want the word "sucker" tattooed on your forehead. This is an old scam that comes from a variety of domains, such as http://www.word-of-mouth.org and http://www.shareyourexperiences.com. (See the Snopes Urban Legends page at http://www.snopes.com/computer/internet/wordofmouth.asp for more details.) Even if someone was investigating you (doubtful), all these sites do is let you contact them anonymously via email. That's hardly worth 25 bucks.

Free Web Mail, Free Spam

The Annoyance:

I signed up for one of those free webmail accounts so I could use it as a spam repository. Now I'm getting spam sent from the web mail provider to my primary email account!

The Fix:

You didn't think those accounts were really free, did you? The price for using a "free" email account is to be pelted with ads and the occasional spam (see Figure 3-8). Netscape Mail is particularly egregious it automatically signs you up to receive all types of marketing sludge, including junk mail and telemarketing calls, and not only from Netscape but from its cousins in the Time Warner mediopoly, such as like America Online, MapQuest, and Fortune magazine.

Fortunately you can tell them to bug off. With Netscape, sign into your webmail account, click the My Account button below your sign-in name, then select Tools & Services from the menu on the left of the screen, and click the Preferences link under the Communication heading. Change all the Yes answers on that page to No, then click Save, then OK.

Yahoo isn't quite as bad; a free Yahoo Mail account opts you into Yahoo marketing slop, but only the electronic kind. To remove your name, sign in to your mail account, click the My Account link just to the right of the Yahoo Mail logo (you'll have to sign in again), then click the "Edit your marketing preferences" link in the Member Information area, and uncheck all the boxes. Click the Save Changes button, and then sign out.

With Hotmail, the only dreck you're automatically signed up for is email from MSN about new services. Unfortunately, the only way to stop it is to cancel your Hotmail account. The good news? At least half the time, Hotmail's own spam filters shunt such messages to its Junk folder, where they disappear after 7 days.

Or you might just sign up for a free Gmail account, which comes 100 percent free of marketing sludge. However, Gmail's servers will scan the content of your email, then serve up text ads based on keywords inside your messages (see Figure 3-8). This can lead to some interesting juxtapositions such as ads for baby products showing up inside porn spam. For some folks, having anyone read their email, even if it's only a machine, constitutes a privacy violation.

annoyances 3-8. Google's Gmail service scans the content of your email, and then delivers ads based on keywords inside the message.