Unintended Consequences — Spam and the Blogosphere
Back in the day, one of the easiest ways to get spammed was to post your e-mail address to Usenet. Within days of posting, connoisseurs of Nigerian 419 scam letters could relish new variations on the theme (taking off the caps lock, for example). Putting your e-mail out on your website is still a good way to get a spam-a-lanche for your inbox. Lately, the comments sections of reputable weblogs (oxymoron alert!) have been both the target of spamming and the source of e-mails to spam. Those families of deposed African dictators are nothing if not resourceful.
Actually, it's not the bereaved Mrs. Laurent Kabila who so diligently searches out the e-mails. Instead, there are programs called spambots or spiders that search web pages for valid e-mail addresses. The spammer either runs the program or purchases/steals a list generated by one. If you can confuse the spider, the e-mail address will either be unrecognizable or invalid. Since the spammer relies on massive volume, more than likely any error, no matter how trivial, will not be corrected.
Here are some strategies for reducing your spam:
- Disguising your e-mail address by adding characters for the reader to delete, or by replacing the "@" sign with "at." This is sort of a Turing test — easy for a human, difficult for a computer to fake. This method is easy to use and widely known, so I suspect the spammers will figure it out before too much longer.
- Using JavaScript to either hide or encode the e-mail. You need access to the HTML to do this. The simple approach works very well -- I only received two spam e-mails in the first six months of using this method.
- Using disposable e-mail addresses. Either use one of the many free e-mail services and abandon them when you get spammed (not recommended except for occasional use), or use the wonderful Spamgourmet service. This lets you set up temporary e-mail addresses and specify how many times each can be used. The Spamgourmet database application forwards that many messages to your permanent e-mail account, then blocks any more. You can set up a temporary account that lets you track where the spammer got the e-mail. For example, gum.2.mitcht@spamgourmet.com will forward two e-mails to my real e-mail address, and if I look at the message header, I can see which temporary address gave rise to the spam. This does not work very well for comments on blogs because the spiders seem to find the temporary address fairly quickly and use up the message allotment.
- Get your commenting software up to date. Samizdata uses a graphic Turing test to enable a comment to be posted. I believe it was installed by his excellency the Dissident Frogman when he gave their site an extreme makeover.
- Whitelists and blacklists. Most e-mail programs let you set the account to accept only messages from specific addresses. You can set it to allow only your close friends and family to reach you. It works best if you use another address for the general public. Blacklists simply block known pests.
- Filters. These vary in quality. Some legitimate messages get blocked and some spam inevitably squeezes through, but you really need to set the filters and accept the risks.
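As an illustration of the JavaScript approach in the list above (an added example, not code from the original post): the script below generates an HTML snippet that rebuilds a mailto link in the browser, then checks the static markup the way a pattern-matching spider would. The function names, the XOR key and the address someone@example.com are all constructed for this example.

```javascript
// Added example: names, key and address are constructed for illustration.
const KEY = 0x2a; // hypothetical XOR key; it obscures, it does not encrypt

// Turn an address into numbers so no "user@host" text sits in the HTML.
function encodeAddress(address) {
  return Array.from(address, (ch) => ch.charCodeAt(0) ^ KEY);
}

// The inverse: the same arithmetic the inline script runs in the browser.
function decodeAddress(codes) {
  return codes.map((c) => String.fromCharCode(c ^ KEY)).join("");
}

// HTML to paste into the page: an empty placeholder plus a script that
// rebuilds the mailto link only when a browser executes it.
function buildSnippet(address, id) {
  const codes = encodeAddress(address).join(",");
  return [
    `<span id="${id}"></span>`,
    "<script>",
    "(function () {",
    `  var a = [${codes}].map(function (c) {`,
    `    return String.fromCharCode(c ^ ${KEY});`,
    '  }).join("");',
    '  var link = document.createElement("a");',
    '  link.href = "mailto:" + a;',
    "  link.textContent = a;",
    `  document.getElementById("${id}").appendChild(link);`,
    "})();",
    "</script>",
  ].join("\n");
}

// Self-check: what a spider that only pattern-matches static HTML would find.
function findPlainAddresses(html) {
  const pattern = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
  return [...new Set(html.match(pattern) || [])];
}

const address = "someone@example.com"; // constructed sample address
const plainHtml = `<a href="mailto:${address}">${address}</a>`;
console.log(findPlainAddresses(plainHtml));                        // address exposed
console.log(findPlainAddresses(buildSnippet(address, "contact"))); // nothing found
```

The check only models a spider that reads the page source; one that executes scripts before searching would still see the rebuilt link.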