A six-month experiment in the US has proved that it
is easy to fool e-mail harvesting software, even though the primary
source for spammers' e-mail lists is e-mail addresses listed on
public web sites.
The Center for Democracy and Technology (CDT) set up about 250
dummy e-mail addresses, and during the test those addresses
received a combined 8,842 e-mail messages that centre researchers
classified as spam.
But about 97% of that spam - 8,609 e-mail messages - was
received by six e-mail addresses listed at three websites:
GetNetWise.org, ConsumerPrivacyGuide.org, and CDT.org.
Usenet newsgroup postings were the second-largest source of
spam, but e-mail addresses registered at e-commerce sites, posted
to online discussions on websites, or listed as the contact for
domains in the WHOIS database generated little spam, according to
the study released yesterday (Wednesday), titled "Why am I getting
all this spam?"
Addresses on those three sites disguised by simply replacing the
@ symbol with "at", or by coding the addresses as HTML character
entities instead of regular text, received no spam at all during the
trial, and the spam fell off significantly on three addresses that
were removed from public view two weeks into the test.
For example, an e-mail address listed on GetNetWise.org for the
full six months received 6,035 pieces of spam, but an address
removed after two weeks received only 894 pieces of spam during the
length of the study.
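The two disguises the study tested work because a harvester that scans raw page source for text shaped like an address never sees a literal "@" in either form, while a browser still renders the entity-coded version as a readable address. The following Python is an added illustration, not code from the CDT study; the naive address pattern, the sample page and the address contact@example.org are all constructed for the example.

```python
import html
import re

# A deliberately naive address pattern of the kind a simple text scanner might
# use. Constructed for this example; the study does not describe harvester
# internals.
PLAIN_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def disguise_with_at(address: str) -> str:
    """Replace the @ symbol with ' at ' (the first disguise the study tested)."""
    return address.replace("@", " at ")


def disguise_as_html_entities(address: str) -> str:
    """Encode every character as a numeric HTML entity (the second disguise).

    A browser renders this back to the readable address, but the page source
    no longer contains a literal '@' or '.' for a text-only matcher to find.
    """
    return "".join(f"&#{ord(ch)};" for ch in address)


def plain_addresses_in(page_source: str) -> list[str]:
    """Addresses a naive text matcher would extract from raw page source."""
    return PLAIN_ADDRESS_RE.findall(page_source)


def rendered_text(page_source: str) -> str:
    """What a browser (or a human reader) sees after HTML entities are decoded."""
    return html.unescape(page_source)


# Constructed sample page: one plain contact address and two disguised copies.
SAMPLE_ADDRESS = "contact@example.org"
SAMPLE_PAGE = (
    "<p>Plain: " + SAMPLE_ADDRESS + "</p>\n"
    "<p>Spelled out: " + disguise_with_at(SAMPLE_ADDRESS) + "</p>\n"
    "<p>Entity-coded: " + disguise_as_html_entities(SAMPLE_ADDRESS) + "</p>\n"
)


if __name__ == "__main__":
    # Only the plain copy is picked up; the reader still sees all three.
    print("matcher sees:", plain_addresses_in(SAMPLE_PAGE))
    print("reader sees:")
    print(rendered_text(SAMPLE_PAGE))
```

Running the block shows the matcher extracting only the plain copy, while the decoded page text still carries the address twice (plain and entity-coded) plus the spelled-out form. Note the caveat the study itself raises later: these disguises only defeat harvesting from the page, not brute-force guessing of short addresses.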
"The shelf life of an e-mail address when it's pulled off the
web is fairly short," noted Rob Courtney, a policy analyst with
CDT.
To test spam from Usenet, CDT used dummy addresses to post to 13
newsgroups, ranging from alt.sex.erotica to alt.kids-talk, and 85%
of those addresses received spam. But those addresses only received
110 pieces of spam over six months, and disguised e-mail addresses
received no spam.
One piece of good news was that CDT received little spam from 31
top-trafficked e-commerce websites, Courtney said. In every case in
which CDT registered at a website and asked not to receive
commercial e-mail, its wishes were respected.
CDT also used other dummy addresses to opt in to commercial
e-mail and later opt out. At five sites, CDT continued to receive
commercial e-mail - a total of 82 pieces - after the two-week grace
period it gave website operators to shut off the e-mail spigot.
Twenty-six of those 82 spam messages came from Priceline.com,
but a spokesman there said the website used a third-party,
"off-the-shelf" opt-out solution that several other companies use.
"If it happened to us, it'd strike me that a lot of other companies
would have the same problem," the spokesman said.
The spokesman added that Priceline.com would examine the CDT
study further to understand what happened. "The last thing we want
to do is spam people," he said. "Our policy is if somebody wants to
opt out, we let them opt out."
CDT received only 15 pieces of spam from posting to discussion
forums at 10 websites, including Monster.com, eBay.com, and
Amazon.com. All 15 came from an e-mail address that posted to
InteliHealth.com. CDT received just one piece of spam from e-mail
addresses entered in the WHOIS database.
However, a "brute force" attack on a CDT server generated more
than 8,500 pieces of spam in the middle of the study. In a brute
force attack, the attacker tries many different letter combinations
to try to guess active e-mail addresses. Short e-mail addresses,
such as bob@something.com, were more likely to get spam from brute
force attacks than longer addresses, the CDT noted.
"Even a user who's really careful about where they give their
address would still get spam from attacks like this," Courtney
said. "No matter what precautions the user will take, there's still
a chance they will get spam."
The CDT study recommended several actions e-mail users can take to
avoid spam:
- Disguise e-mail addresses posted in public places
- Carefully read privacy policies at sites asking for your e-mail
address and look for opt-out choices
- Use multiple e-mail addresses, including ones for specific
purposes such as posting to newsgroups
- Consider a spam filter if your internet service provider offers
one.