Why Are You Getting So Much Spam?

Wondering where all those spammers are getting your e-mail address? Likely from public Web sites, according to a six-month experiment conducted by the Center for Democracy and Technology.

But the news isn't all bad: It's easy to fool the e-mail harvesting software used by spammers, the CDT found.

The center set up about 250 dummy e-mail addresses, and during the six-month test those addresses received a combined 8842 e-mail messages that the center researchers classified as unsolicited e-mail, which is commonly known as spam. But about 97 percent of that spam--8609 e-mail messages--was received by six e-mail addresses listed at three Web sites: GetNetWise.org, ConsumerPrivacyGuide.org, and CDT.org.

Usenet newsgroup postings were the second-largest source of spam, but e-mail addresses registered at e-commerce sites, posted to online discussions on Web sites, or listed as the contact for domains in the WHOIS database generated little spam, according to the study released Wednesday, titled "Why am I getting all this spam?"

Disguise Your Address

Addresses on those three sites disguised by simply replacing the @ symbol with "at" or coding the addresses in HTML instead of in regular text received no spam at all during the six months.

And the spam fell off significantly on three addresses that were removed from public view two weeks into the center's test. For example, an e-mail address listed on GetNetWise.org for the full six months received 6,035 pieces of spam, but an address removed after two weeks received only 894 pieces of spam during the length of the study.

"The shelf life of an e-mail address when it's pulled off the Web is fairly short," noted Rob Courtney, a policy analyst with CDT.

Usenet Experiments

To test spam from Usenet, CDT used dummy addresses to post to 13 newsgroups, ranging from alt.sex.erotica to alt.kids-talk, and 85 percent of those addresses received spam. But those addresses only received 110 pieces of spam over six months, and disguised e-mail addresses received no spam.

Another piece of good news was that CDT received little spam from 31 top-trafficked e-commerce Web sites, Courtney said. In every case in which CDT registered at a Web site and asked not to receive commercial e-mail, its wishes were respected.

"We certainly found that for the most part, when Web sites did offer privacy policies and choices, that meant something," Courtney said.

Opting Out

CDT also used other dummy addresses to opt in to commercial e-mail and later opt out. At five sites, CDT continued to receive commercial e-mail--a total of 82 pieces--after it gave Web site operators a two-week grace period to shut off the e-mail spigot.

Twenty-six of those 82 spam messages came from Priceline.com, but a spokesperson there said the Web site uses a third-party, "off-the-shelf" opt-out solution that several other companies use. "If it happened to us, it'd strike me that a lot of other companies would have the same problem," the spokesperson said.

The spokesperson said Priceline.com would examine the CDT study further to understand what happened. "The last thing we want to do is spam people," he said. "Our policy is if somebody wants to opt out, we let them opt out."

CDT received only 15 pieces of spam from posting to discussion forums at ten Web sites, including Monster.com, EBay.com, and Amazon.com. All 15 came from an e-mail address that was posted to InteliHealth.com. CDT received just one piece of spam from e-mail addresses entered in the WHOIS database.

Brute Force Attack

However, separate from the more than 8,800 pieces of spam generated in the study, a "brute force" attack on a CDT server generated more than 8,500 pieces of spam in the middle of the study.

In a brute force attack, the attacker tries many different letter combinations to try to guess active e-mail addresses. Short e-mail addresses, such as bob@something.com, were more likely to get spam from brute force attacks than longer addresses, the CDT noted.

"Even a user who's really careful about where they give their address would still get spam from attacks like this," Courtney said. "No matter what precautions the user will take, there's still a chance they will get spam."

Steps to Take

The CDT study, available at CDT.org (PDF), recommends several actions e-mail users can take to avoid spam:

• Disguise e-mail addresses posted in public places.
  
  
• Carefully read privacy policies at sites asking for your e-mail address and look for opt-out choices.
  
  
• Use multiple e-mail addresses, including ones for specific purposes such as posting to newsgroups.
  
  
• Consider a spam filter if your Internet service provider offers one.