Fog Creek Software
Discussion Board




Joel on Software harvested for spam

Yep, I got an e-mail addressed to fog@marktaw.mailshell.com, which I only use for this forum. According to the subject line it was for cigarettes.

I guess someone cracked Joel's "turn e-mail address into http equivalents."

At least they could've spammed me with tech ads. Oh well, I guess harvesters don't care what the e-mail addresses get used for as long as they get paid.

MarkTAW
Saturday, October 12, 2002

You will probably get even more now that you put your email address in plaintext.


Saturday, October 12, 2002

I don't imagine they target jos,  probably just a spider scanning in the same way as a search engine.

Tony E
Saturday, October 12, 2002

I'm curious.  What is the advantage of using javascript to write the address?

Brian
Saturday, October 12, 2002

"I'm curious.  What is the advantage of using javascript to write the address? "

Read the source code of this page. Check how much time you need to find out MarkTAW's email. Then estimate the time you need to do so if the email addresses were not using js.

S.C.
Sunday, October 13, 2002

"Read the source code of this page. Check how much time you need to find out MarkTAW's email. Then estimate the time you need to do so if the email addresses were not using js."

1:1

I thought it might be a better reason than obfuscation.

Brian
Sunday, October 13, 2002

One technique is to display the email address as a graphic. I use it on my site:

http://www.geeklife.com/profile.aspx?accountid=26

Luke Duff
Monday, October 14, 2002

Yeah, but because you think you're so smart, I just manually submitted your email address to every major spam list on the internet...

Guy Incognito, CBS ABC NBC
Monday, October 14, 2002

Displaying addresses as graphics works, at least until the spammers start using OCR, but it also makes life difficult for people using text-only readers, speech readers, and set-top-boxes which need larger fonts.

Using JavaScript to obscure the addresses used to work, but obviously there's enough message boards using this technique to make it worth their while adding JavaScript processors to their crawlers.

What's the next solution?

James

James Shields
Tuesday, October 15, 2002

Guy Incognito, hah!

I definitely would never post an email address I care about on this forum. I already get about 50 crap messages per day anyway.

What's the next solution? Taken to the extreme you could display the email address as a graphic but introduce random noise into the image that impairs OCR. You could also use a randomly selected goofy typeface that's barely readable by humans much less a computer.

Nothing is going to stop a person manually going through a site and keying them into a database. Though I wonder if that's ever worth it.

Luke Duff
Tuesday, October 15, 2002

Often people go to great lengths to not put their email address on the web, but does it work? You still get spam, plus the added trouble, that's all. I've always used the same real email address in public, for years now. I get lots of spam, but so does everyone else. I get 100/day, others get fifty.

The next step is a law against it. And tele-marketing while they are at it. What the hell, junk post mail too.

Or maybe they get smarter and realize that robin@debreuil.com has never read or bought a single thing from such losers and never will. Of course if they were that smart they would be doing something useful with their lives. Or maybe we can hunt them down, post their names and addresses on a website, and get everyone to kick them in the ass till they stop : ).

Robin Debreuil
Tuesday, October 15, 2002

Sorry to get off topic - I'd be grateful if someone could point me at a good reference on the main techniques spammers use to get their email addresses. If they can explain why my home address gets lots of spam and my work address none I'd be even more grateful.

David Clayworth
Tuesday, October 15, 2002

David,

The main technique used other than spiders is from stuff 'going around'.

Here's how it works:

1. David sees a funny article and sends it to his Aunt Ruth and his friend Bob.

2. Aunt Ruth thinks it's a real gasser and sends it to her entire mailbox which contains 1000 names of everyone who has ever sent her email.

3. 35 of those 1000 people are also lonely old women who spent too much time on the internet and send everything they receive to their entire mailbox -- 35,000 copies go out.

Please note at this time that each forward contains each of the cumulative sets of email addresses as well as the 1000 new names.

It turns out that 0.1% of people using the internet are making a little extra money on the side selling guaranteed validated email addresses to spam harvesters. They make good money - $1.00 per 1000 names. These are high quality names since almost all of them are personal, primary, home email addresses that came from real address books. Very few are easily cancellable yahoo or hotmail addresses. An active harvester involved in a lot of funny email lists might be able to get 35,000 new email addresses each day! That's $35 of extra income which comes in handy to those living on a fixed income.

And bingo - David's now registered in every spammer's data base.

David doesn't use his work email address for his personal funny article forwarding so that email address ends up on fewer lists.

How to stop it:

1. You need to have a throwaway address at home for your family members and friends to and from whom you exchange funny emails. Don't let any of them see your real, primary address.

2. Explain to Aunt Ruth that when she mails stuff to 1000 people at once, put ALL their names in the BCC field NOT the TO field and NOT the CC field. Keep nagging her about it every time she gets it wrong and explain BCC not TO. Explain to her why she should do this and about the people who are using her forwarded messages to sell her email address to child pornographers and the Nigerian Mafia.

X. J. Scott
Tuesday, October 15, 2002

OK, who's the first to introduce a groundbreaking web service:

"Raging for revenge? Report your enemy's secret e-mail address to spam lists! It doesn't cost you anything, but your enemy's mail box will be flooded with spam forever!"

"Tough competition? Report your competitor's e-mail addresses to spam lists! It doesn't cost you anything, but your competitor will be busy sorting out spam! Easy advantage over competitors, now! And it's all free!"

I hereby donate this business idea to the Public Domain. It could be called "Spam Revenge", but unfortunately the domain has already been registered.

http://www.spamrevenge.com/  (a funny site, though)

YF
Wednesday, October 16, 2002

Interesting. The forum added extra spaces to the URL. A bug maybe?

http://www.spamrevenge.com/

YF
Wednesday, October 16, 2002

I just installed SpamAssassin on our Linux mail server.  It can be used on a personal basis as well. 

I like the concept and it seems to be working so far.  It has about 50 or so rules for identifying spam (ranging from use of ALL CAPS IN SUBJECT LINE to the message being a previously identified spam email in the centralized Razor database).  The administrator sets a threshold value, and if enough rules are triggered, the email is classified as spam.  The text "***SPAM***" is added to the subject header, and your email program can then automatically filter it out.

The software is free, although like most open source stuff it took some effort to install and customize.

http://www.spamassassin.org

Will
Wednesday, October 16, 2002
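The threshold scoring described in the post above, as an added example that is not part of the original thread and is not SpamAssassin's own code: every rule that matches adds its score, and a message at or above the threshold gets "***SPAM***" prepended to its subject. The rule names, scores, threshold and both sample messages are constructed for illustration.

```python
from email import message_from_string

# Hypothetical rules and scores (constructed; not SpamAssassin's rule set).
RULES = [
    ("SUBJ_ALL_CAPS", 2.0, lambda m: is_all_caps(m["Subject"] or "")),
    ("MISSING_DATE", 1.5, lambda m: m["Date"] is None),
    ("BODY_CLICK_HERE", 1.0, lambda m: "click here" in body(m).lower()),
    ("BODY_MANY_EXCLAIM", 1.0, lambda m: body(m).count("!") >= 3),
]
THRESHOLD = 3.0  # administrator-chosen cut-off (assumed value)
TAG = "***SPAM***"

def is_all_caps(subject):
    # Ignore digits and punctuation; require a few letters to avoid "RE:" hits.
    letters = [c for c in subject if c.isalpha()]
    return len(letters) >= 5 and all(c.isupper() for c in letters)

def body(msg):
    # Only single-part text bodies are scored in this sketch.
    payload = msg.get_payload()
    return payload if isinstance(payload, str) else ""

def score(msg):
    # Sum the scores of every rule that fires and report which ones did.
    hits = [(name, pts) for name, pts, test in RULES if test(msg)]
    return sum(p for _, p in hits), [n for n, _ in hits]

def classify(raw):
    msg = message_from_string(raw)
    total, hits = score(msg)
    subject = msg["Subject"] or ""
    if total >= THRESHOLD:
        subject = f"{TAG} {subject}"  # tag so the mail client can filter on it
    return total >= THRESHOLD, total, hits, subject

# Constructed sample messages.
SPAM = """From: sales@example.invalid
To: fog@example.invalid
Subject: CHEAP CIGARETTES ONLINE

Click here now!!! Lowest prices!!!
"""
HAM = """From: friend@example.invalid
To: fog@example.invalid
Date: Sat, 12 Oct 2002 10:00:00 -0400
Subject: Lunch on Tuesday?

Are you free around noon? Click here for the menu: http://example.invalid/
"""

if __name__ == "__main__":
    print(classify(SPAM), classify(HAM))
```

The second message trips one rule but stays under the threshold, which is why a single weak indicator does not send real mail to the spam folder.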

When he has time, I'll get my intern-code-slave to change the code to keep the email addresses permanently hidden; clicking on a link will take you to a form to send an email to the poster.

But I highly recommend just getting a good spam filter. I've been using SpamAssassin (finally upgraded yesterday) and the new version is pretty close to 100% accurate. Once a week I glance through the Spam folder and delete everything ('real' email has only gotten in there a couple of times, mostly because of dumb friends who forwarded me spam!) Overall it's less effort than being obsessive compulsive about who gets my email address.

Joel Spolsky
Thursday, October 17, 2002

>>> Taken to the extreme you could display the email address as a graphic but introduce random noise into the image that impairs OCR. You could also use a randomly selected goofy typeface that's barely readable by humans much less a computer.

This is exactly what PayPal does :), check out http://jw.servebeer.com/space/HackingPayPal, for some other clever stuff they did..

Jeff Winkler
Sunday, November 17, 2002
