July 2006

Fighting Network Cholesterol

Rick Sutcliffe

Back in the old days

when the Spy as a grad student had his first e-mail account at SFU via BitNet North (circa 1972 or so) there was no such thing as spam. Sending unwanted e-mail messages would get your account cancelled, as would doing any commercial advertising on the net, whether by mail or on a newsgroup. As one consequence of this, we were all quite unguarded about circulating our mail addresses. Hey, we wanted people to be able to contact us by this novel means.

But how times have changed

today now that unwanted e-mail has become a plague. Termed "spam" because it utterly lacks taste and spreads all over the place (apologies to the product, which is not that bad), junk e-mail is completely out of hand. This cholesterol of the network bids fair to choke the vital information pipeline, lead to a network heart attack, and bring the entire system to its knees.

In one of his many network presences, the Spy also runs Arjay Web Services, retailing domain names at WebNameSource.com and nameman.net, and also selling web space on his own leased servers at WebNameHost.net. Most recent server statistics indicate more than 70% of the mail is classified as "High spam" content, another 20% as "low spam" (rarely a false positive even in this category), and a few more percent with viruses. On a typical day, only 9-10% of the mail is apparently valid. "Apparently" because even some of what remains is still spam (false negative), for the more active junk e-mailers check the commercial filters and work around them on a daily basis.

Indeed, if the Spy himself were not using evasive measures, he'd get over a thousand uninvited and unwanted messages a day. After all, those old e-mail addresses from the early seventies (with slight suffix alterations) still work, as do many more recent ones.

A low fat diet

is certainly indicated, but because the Spy's e-mail addresses are readily available in thousands of locations all over the web, there's some limit to how much of this is applicable to him, unless he shuts some of them down in a last ditch desperate manoeuvre to dig out.

So, what can the average Josephine do?

Let's suppose you have an e-mail and webhosting account for the domain boop.com at WebNameHost.com or a similar service using a control panel such as cPanel (instructions will vary otherwise, but most are still à propos).

1. Arrange to have a different username for signing on to your web hosting control panel than you will use for e-mail. If your e-mail account user name is to be "betty" make your account user name "lizzy" or even just "bettyb". This way, those who find out the one name don't automatically get the other. This approach also gives you better control over your addresses and slightly added security (by obfuscation) over your main account. Don't forget to set up the actual e-mail account.

If you didn't set things up this way in the first place, ask your host to change your main user name, then use the control panel yourself to set up the mail account under the old name.

2. Create additional POP mail boxes as needed for reading with either a WebMail client or a local mail client, and also enter any "forwards" that you might need. For instance, you could have a mailbox for your husband and each of your children, and also decide to forward mail addressed to family@boop.com to betty@boop.com

3. Do not forward mail to an external address (such as a yahoo, gmail, or aol account), but read the main mail account directly from the box where it is located. A POP mail reader such as Eudora can read any number of boxes, or you can employ a webmail reader such as Squirrel or Horde. When you forward mail, and some of it turns out to be spam, you will get your host's entire server blacklisted, and hundreds of other e-mail accounts will be interrupted until your host can guarantee everyone you won't do it again. Of course, this also implies you should never simply forward the entire domain to another box.

4. Set the "default" e-mail address for the domain to :fail: (including both colons). This determines what happens to mail sent to users at your domain that do not have either a forward or a POP mail box. Do not use :blackhole: for this purpose, as the former rejects the mail before it gets into the system, but the latter accepts it and only then discards it, which is more work for the machine. Note also that under the cPanel hosting panel most hosts use, this will not work if you have not undertaken step one above by making the username and your mail account name different.

5. Give out your e-mail address only to those you trust. Never publish it on your web site. If you really want to have site visitors able to mail you, obfuscate your address on the site by typing it as something like "betty-AT-boop.com". Human readers will know what to do with this on sight, but automated robot programs that scour web sites for e-mail addresses probably will not.

What to do if you order goods and services on the net? You have to give an address, for a net-based operation has no other way to contact you. If you trust their purported guarantee not to divulge your data, or your address is, like the Spy's, already so compromised that you don't think it matters, go ahead and tell them.

But the truly paranoid who deal with, say, Widget Inc., will employ their host/mail control panel to create a forward, say widgetinc@boop.com ==> betty, then give out this pseudo-address to the Widget people. Mail that they send to this address will be transferred to your account, but if they sell your information and you begin getting spam, you can simply remove the forward and said mail no longer reaches you. Most hosting control panels, including cPanel, will allow an unlimited number of forwards. As above, put them in and take them out to control exactly what "departments" at your domain receive mail, and let the rest fail. By the way, spammers address mail to "advertising", "service", "help", "Webmaster", and so on, hoping for one message to get through. Be more creative in naming your departments, and don't publish their names on the web.

Better yet: For most other purposes, use the private messaging system of a forum (your own or an ally's) for people to communicate with you, and tell the forum software not to publish your address. Then no one knows the real address but you and your 600 closest and most intimate friends. Contact forms may work, but some are themselves vulnerable to hijacking to send junk mail.
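How the forwards of step 2, the :fail: default of step 4 and the per-vendor forward above interact, as an added example that is not part of the original column and is not Exim or cPanel code. The "address: target" table layout, the mailbox names and the function names are assumptions made for illustration.

```python
# Added example: a simplified model of a domain's forward table, not Exim or
# cPanel code. Table and mailbox names are constructed for boop.com.
ALIASES = """\
family@boop.com: betty@boop.com
widgetinc@boop.com: betty@boop.com
*: :fail: No such person at this address
"""
MAILBOXES = {"betty@boop.com", "bob@boop.com"}  # POP boxes that really exist


def parse_aliases(text):
    """Return (forwards, default) from 'address: target' lines."""
    forwards, default = {}, ":fail:"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        addr, target = (part.strip() for part in line.split(":", 1))
        if addr == "*":
            default = target          # what happens to everything unlisted
        else:
            forwards[addr.lower()] = target.lower()
    return forwards, default


def route(rcpt, forwards, default, mailboxes=MAILBOXES, hops=0):
    """Decide the fate of mail for rcpt (local targets only are modelled)."""
    rcpt = rcpt.lower()
    if hops > 5:                      # guard against forwards that loop
        return ("reject", "forwarding loop")
    if rcpt in forwards:
        return route(forwards[rcpt], forwards, default, mailboxes, hops + 1)
    if rcpt in mailboxes:
        return ("deliver", rcpt)
    if default.startswith(":fail:"):
        # Rejected before the message gets into the system.
        return ("reject", default[len(":fail:"):].strip() or "no such user")
    if default.startswith(":blackhole:"):
        # Accepted first and only then discarded: more work for the server.
        return ("discard", "accepted, then dropped")
    return route(default, forwards, default, mailboxes, hops + 1)


def revoke(forwards, addr):
    """Drop a per-vendor forward once that address starts drawing spam."""
    return forwards.pop(addr.lower(), None) is not None
```

After `revoke(forwards, "widgetinc@boop.com")`, mail to the Widget address gets the same rejection as a guessed name such as webmaster@boop.com, while betty's own box is untouched.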

6. Don't install a guestbook on your Web Site. These attract spammers in droves. Don't install a forum or portal on your site unless you are committed to keeping the software up-to-date, as these attract spammers and hijackers as well.

7. Even if your host makes it available DO NOT use a "challenge" system like Boxtrapper. These work by sending out challenge messages to new correspondents, waiting for them to acknowledge being a real person, and only then admitting the e-mail in question (and future ones from the same account without further challenge). Sound like a good way to eliminate machine-generated junk mail? That's what a lot of web hosts mistakenly thought. Unfortunately, most spam has forged return addresses. Challenging such mail meant sending to a false address, either annoying the real holder of that domain, or creating an undeliverable, resulting in a message back to the challenger. Effect: the volume of mail tripled.

8. If your host has not already done so, try to persuade her to install a sophisticated spam filter such as MailScanner (or at the very least, SpamAssassin) on the server. These use regularly updated rules to classify mail as "high spam", "low spam", "not spam", "virus infected" or "clean".

Then use your own hosting control panel to set the MailScanner (or other software) preferences. Typically, this means you tell it that some servers are blacklisted (meaning they cannot send mail to you), and some are whitelisted (meaning their mail is allowed through even if it appears to be spam). MailScanner has server-wide default scores determining "high" and "low" spam. These usually come set to 20 and 5, respectively, but after you gain some confidence with the system, the former can be set lower, say, to 12.

You can then order MailScanner not to deliver any high spam classified messages, and they will never appear in your inbox. In addition, most hosting control panels allow additional filters to be established so you can classify mail yourself as spam, or refuse it altogether when it contains certain keywords or phrases.

And, over on your home machine where you are reading the mail, make sure you use a quality POP client such as Eudora or Apple's Mail program, one that has junk mail filters that work, and is known not to have exploitable "holes" big enough to drive truckloads of viruses through. Create a "junk" box and filter all the messages marked as spam into it for checking once a week or so.

9. Never believe an e-mail message purporting to be from the accounts manager, service representative, security department, or salesperson at your bank, credit card company, web host (even WebNameHost), your own domain, yourself, PayPal, a real estate agent, lawyer, accountant, bank manager, or any other person or entity, even when you were expecting mail from them. Almost all mail that asks you to do/say/send something is faked to get you to click on a phoney web page link in the mail or reply via e-mail.

In either case, they now know they got mail through to a real person (and will send much more), and they can get advertising in front of your eyeballs, or send you to a fake Web Site whose only purpose is to steal your username and password (phishing scam). Some such web sites can actually create problems on your machine just by visiting them. Better e-mail products like Eudora can reveal a fake link when you hover the cursor over it. If you go to a web site like PayPal, type the URL in your browser navigation bar rather than clicking an e-mail link.

Pay no attention to and never forward an e-mail asking for money or help, telling a sob story, or constituting a petition. Most that mention money are either scams to clean you out or illegal get-rich pyramid schemes (do you want to go to jail?) Remember, if it sounds too good to be true, it is.

10. In parallel action, and to prevent an abrupt coronary thrombosis of your computing system, install anti-virus software and keep it up-to-date. MailScanner and its ilk will block known viruses, but those getting through can damage your system extensively. Never click on a file attachment unless it is one you requested from a known and trusted source. Almost all such are malware of some kind. Do not be complacent even if you have a Mac. Sure there are zero active malware programs attacking OS X compared with well over 100 000 targeted at W*nd*ws, but sooner or later someone will break through Apple's defenses.

Oh, and by the way, don't visit porn, hacker, cracker, or illegal software/music download sites. The nasties know such sites are popular; some are actually traps, mere visits to which can damage your computer's files. Hey, you should have better reasons not to visit such sites.

That's all very well, but

isn't there a better antidote for the spam epidemic? Yes, and here the Spy turns prognosticator. There is a way to end all this, but you won't want to hear it any more than he wants to say it.

Since, by the Spy's first law, there's no point in legislating against the stupidity of sending/believing spam, we won't be free of this dreck until it can be made to cost rather than pay. Yup, people who send e-mail will have to pay for it, by the message, servers will have to be registered as pay-for-send, and only accept mail from others that are likewise. Even if the charge is only a few cents, such a scheme would put the worst spammers out of business in short order.

I know. I know. The Internet is supposed to be free. To that I answer, you get what you pay for. If we want a spam free Internet, that's what we're going to have to do.

Oh, and before we forget: No one company should have a monopoly over the pay-for-mail scheme. It should run under an open standard approved by ISO or similar body, and able to be run on any server by any company. How to collect, and who gets the cash will need work, but these are engineering problems, not matters of principle. Free used to work, but it doesn't any more. It's time to try pay.

--The Northern Spy

