Thursday, 8 December 2005

Fighting spam: address masking and spam filters

How can we minimise getting spam email, or at least getting our email addresses harvested by spammers? The results of a 5-week US Federal Trade Commission study on spam email, released on 28 November 2005 (summarised in their press release), were interesting but don't seem to have received much attention in the blogosphere relatively speaking (at least on checking with Technorati in relation to the URL of the report and press release and Blog Search in relation to the report and press release.)

The main findings were:

1. Email addresses posted on Websites are at much greater risk of being "harvested" by spammers (automated collection of email addresses) than addresses posted on chat rooms, message boards, USENET groups and blogs - in fact some chatroom operators took proactive measures to prevent the harvesting of email addresses. (..."nearly all of the spam received was
received by the Unfiltered Addresses that we had posted on website pages...") This is heartening, especially the finding that email addresses posted on blogs are relatively safe!

2. Anti-spam filters used by the two free web-based ISPs they studied (surely they must mean free webmail providers rather than ISPs?) effectively blocked the vast majority of spam sent to harvested addresses. This suggests ISP spam filtering technologies are very effective, but still impose costs on ISPs receiving the spam (who of course pass the costs on to us users, so not surprisingly fighting spam costs all of us).

3. The most interesting finding - “masking” of an email address was very effective in thwarting harvesting.
"...The “masking” of an email address involves altering the appearance of an email address so that it is understandable by a person who sees the address, but less likely to be discernable by automated harvesting software. For example, to mask an unmasked email address such as “,” the words “at” and “dot” can be written out, and segments of the email address can be separated by spaces. The masked version of the address would appear as “johndoe at ftc dot gov.”..."

Clearly, then, address masking is A Good Habit to get into if you're posting your email address on the Net (even on messageboards or chatrooms). Nevertheless, I suspect it wouldn't take much for spammers to get their harvesters to automatically change "at" to "@" and "dot" to "." and pick up common domains like "gov", "com", "org" etc. And it may not be long before the spammers start targeting blogs specifically. Plus, some of the masked addresses in the study still received a bit of spam - and once one spammer gets hold of an email address, you can bet that it will spread and the others will start using it too.

So, personally, while it's good news that address masking mostly works, I would not be complacent. I still use the free Spamgourmet disposable email address service myself in most cases, when I have to give out my email address online (including signing up for mailing lists). Using Gmail aliases can also help but as it won't take much for the spammers to get their software to strip out the alias bit from the address, I think something like Spamgourmet is the safest option.

Technorati Tags: , , , , , , , , , , , , , , , , , , , ,


Anonymous said... is a fun way to mask your email/text from spam bots.

Improbulus said...

Very neat whak'd, thank you!