By Kirk Kirksey
From Computor Edge, San Diego, CA, 9/27/02

How Did They Get My Address?

In the spam business, collecting email addresses for a blitz is called "harvesting." Harvesting e-mail addresses for fun and profit has become an art, science, and business of its own. Here are five of the most common e-mail harvesting methods.

Web pages: Search engines like Google send out "bots" that crawl Web pages and send keywords back to the mother ship for indexing. It’s the same for mail-harvesting software. Like Google, products like Atomic Harvester will send intelligent software agents to Web sites. Instead of keyword indexing, Harvester’s bots are looking for e-mail addresses. These products can simultaneously search multiple sites, and send back hundreds of e-mail addresses every hour, all with varying degrees of control. For example, Harvester allows exclusion of pages containing certain keywords. The product can also be set to avoid certain domains, like .edu and .gov.

Usenet newsgroups: Similar to Web page e-mail harvesting, other products are able to target, and then crawl, specific Usenet groups and topics. Products in this category come with built-in lists of groups, organized by topic, for more targeted harvesting. Some of these babies are even able to scan and harvest from chat rooms. (AOL is a big target here.)

Your Web browser: In some cases, Web pages can invisibly collect e-mail addresses of visitors. There are a couple of commonly used ploys here. In some cases, a Web page will force a surfer to retrieve information via anonymous FTP. Often, the user’s email address (entered as part of browser setup) is used behind the scenes as the FTP password. Once the browser is connected to the FTP site, the e-mail address can be pinched. Email bandits have been known to create JavaScript "mouse-overs" capable of sending the user’s e-mail address to another location. Last but not least, there’s the HTTP_FROM header capture method. In some cases, older browsers will send a header containing the e-mail address to a Web page as part of the connection initiation process.

Directories: White and yellow pages are common Web tools for finding names and addresses. Many of these directories also contain e-mail addresses that are automatically (and invisibly) added. It is rumored, for example, that a Hotmail registration will automatically update the BigFoot (www.bigfoot.com) directory. E-mail nabbers can easily construct software that continually queries a directory, such as Bigfoot or corporate LDAP lists, and captures addresses.

Simple guessing: Free E-mail domains have millions of subscribers. Knowing the domain names "@hotmail.com" and "@yahoo.com" is half the battle. All a spammer needs to do is add common names, words, and combinations (e.g. pretty..girl, macho_man, pcangel), and chances are, he will come up with a high percentage of valid addresses.

Can Spamming Be Stopped?

Sadly, the answer to this question is a resounding no. Although anti-spam groups are active and legislation is appearing, stopping spam completely probably won’t happen. In this writer’s view, most anti-spam activities are grassroots, and the direct-marketing lobby in Washington and in state governments is simply too powerful. When money talks, politicians listen, I’m sorry to say.

There are steps we mere mortals can take to reduce the amount of spam we receive.

Trick the Harvesters

If you have a Web site, there are some simple actions you can take to fool those evil e-mail harvesting agents. A "spambot deathtrap" is software designed to supply a high number of bogus e-mail addresses to bots visiting your site. Wpoison (www. monkeys. com/wvoison) is CGI-based software that creates fake URLs and e-mail addresses when a spambot is detected.

Another strategy is to hide real email addresses by not using the "name@domain" convention. In some cases, webmasters have used something like "send e-mail to Steve at rnysite.com," without the underlying mailto:   link. For a good discussion about hiding your e-mail address, check out the University of Arizona site (www.u.arizona.edu/~trw/spam).

Avoid High-Risk Web Stuff

CNET writer Matt Lake conducted an informal spam study in 2001 (www.cnet.com/software/0-3227888-8-6602372-1.html). According to his findings, posting his e-mail address on a message board generated the most spam activity. Other high-risk activities include AOL chat rooms and responding to online lotteries.

Get Off Hotmail and Yahoo!

Yeah, I know they’re free, but not really. Spammers make you pay. Several years ago I changed my primary e-mail address, but kept my Hotmail account. The difference in the amount of spam I receive in my Hotmail account is mind-boggling.

Use Spam-Blocking Software

If spam is really bugging you, there’s plenty of high-quality, not-too-expensive anti-spam software worth considering. Some products, such as e-mailInspector (www.emailinspector.com), attempt to sort email into different Inboxes. Adult material, for example, would go to a special Inbox. Mail with spam characteristics would go to another. Other products allow you to actively block known spam addresses and domains. (SPAMCURB)

Resist the Temptation: Don’t Flame

Your first instinct may be to reply to a spammer with a particularly pointed insult. Don’t. Spammers have been known to place flamers on hit lists and pass their e-mail addresses on to others.

Complain, Complain, and Complain Some More

Sometimes it really does work. For those particularly nasty e-mail weasels, try complaining to the spammer’s ISP and an anti-spam group. Check out www.spamabuse.net. This site is a treasure-trove of anti-spam information, including tips for tracing spammers, hiding e-mail addresses, products and complaint sites.

I’m sorry to say, spam isn’t going away, but here’s the good news: Little Guys like you and me can do plenty to reduce the amount of spam we receive. And for all you spammers and bulk e-mail lowlifes out there, I have a suggestion: Do yourself and the rest of us a favor. Get a real job.