FC: Charles Platt: "A cautionary tale about spam"

From: Declan McCullagh (declanat_private)
Date: Wed May 28 2003 - 23:23:12 PDT

    Three spam-proofing techniques I've tried with at-the-time virginal email 
    addresses:
    1. Encoding a mailto: link -- for example, A HREF="mailto:declan@&#99 
    etc.  Anecdotally, this works reasonably well. After a year or so, I've 
    received less than 10 spam messages at that address.
    2. Using a standard mailto: link but hiding it behind a CGI script, with 
    the assumption that spambots hesitate to enter a CGI thicket. After 18 
    months, this does not work well, with about one or two spam messages 
    arriving a day. I also have an autoreply message set for this account, 
    which may encourage smarter spambots.
    3. Using an image file to store an email address. After eight months, *NO* 
    spam messages so far. Yes, eventually spammers may start OCRing, but they 
    haven't yet.
    
    -Declan
    
    ---
    
    Date: Wed, 28 May 2003 11:24:52 -0400 (EDT)
    From: Charles Platt <somewhereat_private>
    To: Declan McCullagh <declanat_private>
    cc: politechat_private
    Subject: Spam: A cautionary tale
    In-Reply-To: <5.2.1.1.0.20030528021944.0474b6d0at_private>
    
    A lighter note on the spam problem:
    
    I have been forced to abandon my old account at panix.com mainly
    because of spam. I made the mistake of posting messages to Usenet from
    that account, years ago, and ended up with at least 100 spam emails coming
    in each day. Various attempts at filtering were unsuccessful (panix.com is
    not very good at helping users do that kind of thing). So, I moved to a
    different hosting service and sent out a few hundred change-of-address
    notifications.
    
    However, once in a while I do still receive "real" email at cpat_private,
    mainly because that address appeared on every Wired feature I wrote for
    about six years. I didn't want to miss those "real" messages (hey, someone
    could be offering me a writing assignment!) so I set up an autorespond
    message. The question was, how to word the message in a way that would be
    intelligible to humans but impenetrable to spambots. In other words I was
    now in the position of doing the opposite of what the spammers do. They
    try to concoct subject lines and messages that spam filters will accept as
    "real" email. I was trying to concoct a subject line and message that the
    spammers would reject as "unreal" email.
    
    After various ideas I thought I had the perfect solution. I included my
    new email address written BACKWARD. There's no way a spambot would know
    that it was backward, because it still had an @ sign in the middle, and my
    new address does not end in .com.
    
    I was really pleased with my ingenuity until, THE VERY NEXT DAY, I
    received spam at my new address from a gentleman in Nigeria who had a
    truly amazing story to tell, involving unclaimed millions in a US bank
    account.
    
    Yes, some poor wretch, possibly in the third world, had actually taken the
    trouble to READ my autoreply, figure out the backward address, and remail
    his spam to me at my new location. And now today I have my second piece of
    spam, offering to enlarge my penis to truly amazing dimensions, presumably
    because the gentleman in Nigeria has resold my new address for 1 cent or
    so, thus recouping the time he invested decoding it.
    
    The moral of this story: When you are up against this kind of relentless,
    mindless mentality, the law is an inappropriate tool. In my long-forgotten
    book ANARCHY ONLINE, 8 years ago, I wrote that antispam laws would never
    work. I still believe this, because the ingenuity of spammers will always
    exceed the imaginations of legislators. Of course this won't stop the
    legislators from trying, and their antispam laws will have unintended
    consequences that will be damaging, as Tim May points out.
    
    My autoreply from panix.com now sends a message telling people my phone
    number and asking them to call me to get my new email address. This seems
    a safe strategy because of course phone calls actually cost money (unlike
    email which is virtually free), and consequently telephone spam is much
    less of a problem.
    
    The conclusion is obvious.
    
    --CP
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    -------------------------------------------------------------------------
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
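
Technique 1 in the note above (writing the mailto: link as HTML character references), as an added example that is not part of the original messages: a small Python audit showing that the encoded address is invisible to a raw pattern scan of the page source but reappears after one standard entity-decoding pass. The addresses, the sample page and all function names are constructed for illustration.

```python
import html
import re

# Deliberately simple address pattern, sufficient for the constructed samples below.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text):
    """Encode every character as a decimal HTML character reference."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def obfuscated_mailto(address, label="email me"):
    """Build a mailto: anchor whose address appears only as character references."""
    return f'<a href="{entity_encode("mailto:" + address)}">{label}</a>'


def visible_to_raw_scan(page):
    """Addresses found by pattern-matching the raw page source."""
    return ADDRESS.findall(page)


def visible_after_decoding(page):
    """Addresses found once character references are decoded, as a browser does."""
    return ADDRESS.findall(html.unescape(page))


def audit(page):
    """Classify each address on a page by how much processing exposes it."""
    raw = set(visible_to_raw_scan(page))
    decoded = set(visible_after_decoding(page))
    return {"plain": sorted(raw), "entity_only": sorted(decoded - raw)}


# Constructed sample page; both addresses are placeholders on example.org.
SAMPLE_PAGE = (
    '<p>Contact: <a href="mailto:plain@example.org">plain link</a></p>\n'
    "<p>Or: " + obfuscated_mailto("hidden@example.org") + "</p>\n"
)

if __name__ == "__main__":
    print(SAMPLE_PAGE)
    print(audit(SAMPLE_PAGE))
```

An address listed under "entity_only" is protected only for as long as the scraper does not decode character references before matching.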
    



    This archive was generated by hypermail 2b30 : Wed May 28 2003 - 23:51:31 PDT