Policy Post 9.08: New CDT Report Shows How Spammers Can Get Your E-Mail Address



CDT POLICY POST Volume 9, Number 8, March 19, 2003

A Briefing On Public Policy Issues Affecting Civil Liberties Online
from
The Center For Democracy and Technology

Contents:
(1) New CDT Report Shows How Spammers Can Get Your E-Mail Address
(2) Spam "Harvesters" Target Web Sites, Newsgroups
(3) Privacy Policies and Exercising Choice Can Help Users Limit Spam
(4) Tips for Avoiding Spam

-----------------------------------------------------------------------

(1) New CDT Report Shows How Spammers Can Get Your E-Mail Address

A new report from the Center for Democracy & Technology entitled "Why Am I
Getting All This Spam?" sheds some light on one of the Internet's most
pressing issues -- unsolicited commercial e-mail, a.k.a. spam.

Armed with lists of e-mail addresses, "spammers" send billions of e-mail
messages every day, mostly to users who don't want them. As it mounts up,
this spam inconveniences tens of millions of Internet users and imposes
huge costs on ISPs.

Part of what has made spam such a difficult issue is that it's often
impossible to tell how a spammer acquired a user's e-mail address. To
address this, CDT embarked on a project to begin to determine the source
of spam. We set up hundreds of single-use e-mail addresses and posted or
disclosed them on Web sites and newsgroups, and to a variety of corporate
and organizational online service providers.

It should come as no surprise to most e-mail users that many of the
addresses CDT created for this study attracted spam (nearly 9,000 spam
messages in all), but it is interesting to see the different ways that
the addresses attracted spam depending on where the e-mail addresses
were placed.

The project's results offer Internet users some insight about how certain
online behaviors can result in spam, as well as tips to help users reduce
the spam that they receive.

"Why Am I Getting All This Spam?" is available at
http://www.cdt.org/speech/spam/030319spamreport.shtml [HTML]
http://www.cdt.org/speech/spam/030319spamreport.pdf [PDF]

Additional information about spam, and the policy issues associated with
it, is available at http://www.cdt.org/speech/spam/

-----------------------------------------------------------------------

(2) Spam "Harvesters" Target Web Sites, Newsgroups

Over 97% of the spam we received was delivered to addresses that had been
posted on public Web pages. Spammers use software harvesting programs such
as "robots" or "spiders" to record e-mail addresses listed on Web sites,
including both personal Web pages and institutional (corporate or non-profit)
Web pages. These programs scour the code of Web pages looking for anything
that looks like an e-mail address. When they find one, they add it to a
list for future spamming.

Spammers' use of harvesting programs is not limited to Web pages. We found
that they are also used to siphon e-mail addresses from the headers of
postings to USENET newsgroups. We received spam to 85% of the addresses
we used to post on USENET.

In order to understand how these harvesting programs work, we tested two
methods of "obscuring" e-mail addresses to prevent their harvesting. We
found that posting an address in "human-readable" form -- i.e., the
address "user@example.com" could be written "user at example dot com" -- or
in HTML-obscured form -- a form that Internet browsers can read, but
harvesting programs can't, i.e. "user@example.com" becomes "us er@example. com" --
is an effective way to avoid spam. None of the obscured
addresses we used in our postings, either on Web pages or in USENET
postings, received a single piece of spam.

As technology advances, harvesters may gain the ability to see through
these methods of obscuring an e-mail address. For the time being, obscuring
is an effective way to avoid spam.
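The two obscuring methods above, worked through in code. This is an added illustration, not code from CDT or the report: it assumes the "HTML-obscured" form means writing the address as HTML character references (the page does not spell out the encoding), and it uses a constructed sample page and a deliberately naive "looks like an address" scan to show why the plain address is found while both obscured forms are not, and why a scanner that first decodes the HTML would see through the HTML-obscured form, as the caveat above anticipates.

```python
import html
import re

# A simple pattern in the spirit of the "anything that looks like an e-mail
# address" scan the report describes. Constructed for illustration only.
PLAIN_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obscure_human_readable(address: str) -> str:
    """Rewrite user@example.com as 'user at example dot com'."""
    local, domain = address.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def obscure_html(address: str) -> str:
    """Encode every character as a decimal HTML character reference.

    Assumption: this is the 'HTML-obscured' form the report refers to. A
    browser decodes the references and displays the plain address, but the
    literal string 'user@example.com' never appears in the page source.
    """
    return "".join(f"&#{ord(c)};" for c in address)


def harvest(page_source: str) -> list[str]:
    """Return every plain address the naive scan finds in the given text."""
    return PLAIN_ADDRESS.findall(page_source)


def browser_renders(html_fragment: str) -> str:
    """What a reader sees after the browser decodes character references."""
    return html.unescape(html_fragment)


# Constructed sample page: one plain address, one human-readable, one HTML-obscured.
SAMPLE_PAGE = (
    "<p>Contact: plain@example.com</p>\n"
    f"<p>Press: {obscure_human_readable('press@example.com')}</p>\n"
    f"<p>Webmaster: {obscure_html('webmaster@example.com')}</p>\n"
)

if __name__ == "__main__":
    # The raw source yields only the plain address; a scan run over the
    # decoded text would also recover the HTML-obscured one.
    print("scan of page source :", harvest(SAMPLE_PAGE))
    print("scan of rendered text:", harvest(browser_renders(SAMPLE_PAGE)))
```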

-----------------------------------------------------------------------

(3) Privacy Policies and Exercising Choice Can Help Users Limit Spam

Our project also examined whether disclosing an e-mail address to popular
Web companies and other organizations could lead to an increase in spam.
We also looked at whether "opting-out" of e-mail from these Web sites
would have an impact on the amount of e-mail received by an e-mail address.
We found that both privacy policies and "opt-outs" can play an important
role in helping users control the amount of spam they receive.

Many of the Web sites to which we disclosed e-mail addresses had posted
policies describing how those addresses would be handled, including whether
they would be shared with third parties, used for marketing purposes, or
other important details. While the terms of the policies we encountered
varied, we found that almost all sites followed the policies they had
posted on their Web sites. Users who are concerned about spam should review
the privacy policies of any Web sites to which they consider disclosing
their e-mail address.

In addition, when users were offered the opportunity to "opt-out" of
future e-mail communications, that choice was respected in the majority
of cases. In most cases, within a few days of "opting-out" of future
communications for a given e-mail address, the flow of e-mail to that
address stopped. There were, however, a few instances in which we tried
to "opt-out" of future e-mail communications to a certain e-mail address,
only to have the flow of spam continue.

More information about these exceptions and additional data from the
project are available in our report, "Why Am I Getting All This Spam?".

-----------------------------------------------------------------------

(4) Tips for Avoiding Spam

Currently there is no foolproof way to prevent spam. Based on our research,
we recommend that Internet users try the following methods to prevent spam:

1. Disguise e-mail addresses posted in a public electronic place. Users
    can prevent their e-mail addresses from being "harvested" by obscuring
    them, using either the "human-readable" (user at example dot com) or the
    "HTML-obscured" ("user@...) method.

2. Read carefully when filling out online forms requesting your e-mail
    address, and exercise your choice. If you don't want to receive e-mail
    from a Web site operator, don't give them your e-mail address unless
    they offer the option of declining to receive e-mail and you exercise
    that option.

3. Use multiple e-mail addresses. When using an unfamiliar Web site or
    posting to a newsgroup, establish an e-mail address for that specific
    purpose. This can make it easy to shut off any address that is attracting
    spam. A number of Web sites now offer "disposable e-mail addresses" that
    will help you do this.

4. Use a filter. Many ISPs and free e-mail services now provide spam
    filtering. While filters are not perfect, they can cut down tremendously
    the amount of spam a user receives.

5. Short e-mail addresses are easy to guess, and may receive more spam. At
    least one spammer tried to guess the e-mail addresses used in this study
    by sending mail to every possible address on our system (a@example.com,
    b@example.com, c@example.com, etc.). Other spammers may use "dictionary"
    attacks that try to combine common names or initials in order to guess
    e-mail addresses. Such techniques are more likely to result in spam
    when e-mail addresses are short or use common words. E-mail addresses
    need not be incomprehensible, but a user with a short or common name
    may want to modify or add to it in some way in his or her e-mail address.

-----------------------------------------------------------------------
Detailed information about online civil liberties issues may be found
at http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_9.08.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org

Policy Post 9.08 Copyright 2003 Center for Democracy and Technology

--
Michael Clark, Grassroots Webmaster
mclark@cdt.org
PGP Key available on keyservers

Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
http://www.cdt.org/
voice: 202-637-9800
fax: 202-637-0968


========== HURIDOCS-Tech listserv ==========
Send mail intended for the list to <huridocs-tech@hrea.org>.
Archives of the list can be found at:
http://www.hrea.org/lists/huridocs-tech/markup/maillist.php