A six-month experiment in the US has proved that it is easy to fool e-mail harvesting software, even though the primary source for spammers' e-mail lists are e-mail addresses listed on public web sites.
The Center for Democracy and Technology (CDT) set up about 250 dummy e-mail addresses, and during the test those addresses received a combined 8,842 e-mail messages that centre researchers classified as spam.
But about 97% of that spam - 8,609 e-mail messages - were received by six e-mail addresses listed at three websites: GetNetWise.org, ConsumerPrivacyGuide.org, and CDT.org.
Usenet newsgroup postings were the second-largest source of spam, but e-mail addresses registered at e-commerce sites, posted to online discussions on websites, or listed as the contact for domains in the WHOIS database generated little spam, according to the study released yesterday (Wednesday), titled "Why am I getting all this spam?"
Addresses on those three sites disguised by simply replacing the @ system with "at" or coding the addresses in HTML instead of in regular text received no spam at all during the trial, and the spam fell off significantly on three addresses that were removed from public view two weeks into the test.
For example, an e-mail address listed on GetNetWise.org for the full six months received 6,035 pieces of spam, but an address removed after two weeks received only 894 pieces of spam during the length of the study.
"The shelf life of an e-mail address when it's pulled off the web is fairly short," noted Rob Courtney, a policy analyst with CDT.
To test spam from Usenet, CDT used dummy addresses to post to 13 newsgroups, ranging from alt.sex.erotica to alt.kids-talk, and 85% of those addresses received spam. But those addresses only received 110 pieces of spam over six months, and disguised e-mail addresses received no spam.
One piece of good news was that CDT received little spam from 31 top-trafficked e-commerce websites, Courtney said. In every case in which CDT registered at a website and asked not to receive commercial e-mail, its wishes were respected.
CDT also used other dummy addresses to opt in to commercial e-mail and later opt out. At five sites, CDT continued to receive commercial e-mail - a total of 82 pieces - after a two-week grace period it gave website operators a two-week grace period to shut off the e-mail spigot.
Twenty-six of those 82 spam messages came from Priceline.com, but a spokesman there said the website used a third-party, "off-the-shelf" opt-out solution that several other companies use. "If it happened to us, it'd strike me that a lot of other companies would have the same problem," the spokesman said.
The spokesman added that Priceline.com would examine the CDT study further to understand what happened. "The last thing we want to do is spam people," he said. "Our policy is if somebody wants to opt out, we let them opt out."
CDT received only 15 pieces of spam from posting to discussion forums at 10 websites, including Monster.com, eBay.com, and Amazon.com. All 15 came from an e-mail address that posted to InteliHealth.com. CDT received just one piece of spam from e-mail addresses entered in the WHOIS database.
However, a "brute force" attack on a CDT server generated more than 8,500 pieces of spam in the middle of the study. In a brute force attack, the attacker tries many different letter combinations to try to guess active e-mail addresses. Short e-mail addresses, such as firstname.lastname@example.org, were more likely to get spam from brute force attacks than longer addresses, the CDT noted.
"Even a user who's really careful about where they give their address would still get spam from attacks like this," Courtney said. "No matter what precautions the user will take, there's still a chance they will get spam."
The CDT study recommended several actions e-mail users can take to avoid spam:
- Disguise e-mail addresses posted in public places
- Carefully read privacy policies at sites asking for your e-mail address and look for opt-out choices
- Use multiple e-mail addresses, including ones for specific purposes such as posting to newsgroups
- Consider a spam filter if your internet service provider offers one.