« Cross Campus Connectivity | Main | VMware Case-Study »

May 14, 2006

Anti-spam 101

Spam No, not that kind of spam!

It's time for another internal training on anti-spam.  I did a bit of venting on this a while back, but I keep forgetting that *some* people don't spend hours a day trying to figure out how to reduce spam by another .05% :-)  Our training will really be pretty simple, with hopes that it will apply at work, but also transfer to home and friends and family.  We're opening it up to all staff members, but there will be about 12 people who will get special invites.  Those 12 collectively are responsible for easily 80% of all spam received at Perimeter.  If their email addresses were wiped out, our spam problem would just about disappear!  Well maybe for a little while...

Here's the summary of what I plan to cover in this 30-45 minute presentation. 

Some background

Let's talk about spammers

  • At best, poor souls who have been duped by a "you too can get rich on the Internet"
  • Generally deceptive
  • Scammers.  The electronic version of what was previously seen as flim-flam
  • Some are big businesses, operating mass mailing services
  • Occasionally, technically legitimate businesses that do both commercial bulk email (legitimate, even if unwanted) as well as spam
  • Almost always: LIARS!  (I don't use that word loosly)

Quick aside: Spam vs. other email threats

  • Viruses (and Trojans, time bombs, spyware, etc.) are programs that do something bad to your computer.  NOT spam
  • Phishing is a lure to capture personal information, perhaps even leading to identity theft.  Usually has an urgency; some look very legitimate.  NOT spam
  • Spam is "just" advertising; trying to get you to buy something.  Very fine line between commercial email and Unsolicited Commercial Email.  Some people distinguish between commercial email, spam, and UCE.  Most agree, "junk" mail is spam.

Just  because it's mail you don't want (or no longer want) doesn't mean it's spam

  • Email from an individual, to you (or to a small number including you) isn't spam
  • Email that you requested, but no longer want, isn't spam
  • Treating either of the above as spam can have multiple negative consequences

Part 1: how do you get on spam lists?

  1. Supplying your email address to "risky" web sites
  2. Exposing your email on ANY web site
  3. Falling for email scams (including do-not-spam lists!)
  4. Responding to scams/probes/spam
  5. Having the wrong friends and family - those who mass mail and expose addresses, including yours

YOU have a lot of control over the first four, but what do you do about friends and family?  Suggestion: when you receive an email that exposes a lot of email addresses, kindly respond back to them about the risk they are creating.  {I would sure like to find some good verbiage to suggest!}

Part 2: Practical avoidances for yourself

  1. Perform a web search for your own email address.  If you find it, you can expect that the spammers will too
  2. Hide addresses when emailing
  3. Avoid "forward this to everyone you know" types of emails.  Don't send them, look out when you receive them
  4. Use disposable email addresses for potentially risky needs
  5. Use reply-to-all sparingly, or not at all
  6. Beware using your email address on behalf of your children, or especially having them use your email address

Part 3: Helping others help themselves (and you)

  1. Teach others to hide addresses
  2. Teach other about phishing
  3. Tell others NOT to reply to spam
  4. Teach others not to mass forward
  5. Avoid trivial email messages, including attachment only email.  Teach others to do the same
  6. Avoid "killer" subjects and phrases in your messages

Part 4 OK, how do I get off spam lists?
Here's the bad news. You don't.  The email addresses that have been passed around are going to be spammed forever.  (Spammers don't clean up their lists -- they keep reselling old addresses to each other)

  • Switch to a new address
  • Carefully tell others about your new address
  • Wean yourself from the old address - how quickly can you afford to do this?

Miscellaneous
Good email messages
Efforts to fight spam may cause any of us problems.  It may take a bit of effort to be sure your legitimate messages are properly communicated, and that other's messages to you are received

  • Subjects
  • Subject doesn't start with hi, hello, or hey  (worse if that's the entire subject)
  • Non-trivial body text
  • NOT just an attachment! (including pictures)
  • If replying, include the original, or extracts from it (but supressing email addresses)

Learn all your email addresses
Perimeter Staff members automatically have quite a few email aliases.  You can have more!  Use different addresses for different purposes, helping you trace problems.  Suggestion: learn to read email headers to see what address has been used.

Extra session for our spam "dirty dozen"
If we can solve your problem, then we've probably solved the problem for a lot of others.  Have I missed any risky behaviors?

  • We want to ask you to change your "primary" email address.  Consider firstname.lastname@perimeter.org.  It's OK to be a bit creative here
  • Carefully give this new address to legitimate contacts, following safe email practices
  • Change items on the web and in printed materials that reference your old address.  Do not use plain text email addresses on the web
  • We will also create an "disposable" email address for you to use in any risky situations.  For instance firstname.lastname06@perimeter.org
  • At a time mutually acceptable, we'll disconnect your old (spammed) email address from your account and route emails to a public folder you can choose to check as frequently as you want
  • When the public folder quits having valuable email, we'll blow away the old address

* It will be interesting to see how long it is before we start seeing mail directed to [literally] firstname.lastname@perimeter.org!

Posted at 08:32 PM in AntiSpam |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/t/trackback/466957/4868889

Listed below are links to weblogs that reference Anti-spam 101:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Why do your staff have quite a few email addresses? Ours only have one and thats all i provide for them... well except distribution lists.

Posted by: Austin Spooner | May 15, 2006 at 12:11 AM

We provide multiple address aliases to make it easier to reach us. (Sounds like a conflict to anti-spam, doesn't it?) If we hire a new staff member, John Smith, then we'll create all of the following email aliases:
JohnS
JSmith
John.Smith
JohnSmith
That way, when somebody wants to email John, but doesn't know our standard, they can make any of several good guesses and still reach our staff.

When someone has an unusual name, we further alias to cover all likely permutations. We even watch our NDRs and when we see an error come in that we can readily recognize, we'll create an alias for the future.

So...it's still just one email account, but different aliases to it.

Hope that helps.

Posted by: Tony Dye | May 15, 2006 at 11:47 AM

The comments to this entry are closed.