Preventing Spam

Written and published December 8, 1999

Before I get to this week's column ... Today is exactly the 1st birthday of Mac Efficiency 101. I'm thrilled that all of you have found this column and I thank you for reading. When I took on this column I had no idea how much fun it would be and how many great people I'd get to know because of it. It amazes me how many of you write to me just to say thanks or to offer information. Thanks to all of you who have written and to all of you who read Mac Efficiency 101. I look forward to my second year and hope you'll join me in it.

Now let's look at some more ways to prevent landing on a spam list.

Protecting your address on your own site

When you put up your own web site, you become vulnerable to spam. How? By having your e-mail address listed on your site. Matt Ridley explains this well and offers some deterrents:

Automated programs ("robots" or "spiders") will read through the HTML source of every page in your Web site, and extract all the e-mail addresses. This is one of the most common methods of mining e-mail addresses. The robots will find e-mail addresses in plain text, ALT tags, META tags, 'mailto' links, and even inside JavaScript code.

How to fight it:

  • Don't include your e-mail address in a usable form on your web pages. [If you] write your e-mail address [in the page write it] with spaces in it, or using words (such as "deb at maccentral dot com").
  • Don't link your e-mail address with a mailto link. Instead:
  • Try to use web forms instead (using your ISP's CGI scripts).
  • Or, you can do it the clever way: use JavaScript to construct your e-mail address after the visitor clicks the link.

Deb's note: Matt does this at his site. You can see it at Matt's site. Stealing his code, this is what you would put as the mailto info in place of "" Notice that he even breaks up the word mailto to make it even harder for robots to find the link info.

<a href='javascript:window.location="mai"+"lto:"+"deb"+"@"+"mac"+"central"+"."+ "com";' onmouseover='window.status="mail"+"to:"+"deb"+"@"+"mac"+"central"+"."+"com"; return false;' onmouseout='window.status="";return false;'>

  • Or, sign up for a free web-based e-mail address from Hotmail or such, and use that e-mail address on your website. Save your proper ISP e-mail address for your friends and colleagues.
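
To check your own pages before a robot does, the scan below (an added example, not code from the column or from Matt Ridley's site) looks for addresses in the places the list above names, and shows that the spelled-out and click-time JavaScript forms are not picked up by simple pattern matching. The sample markup and the example.com addresses are constructed.

```javascript
// Added example: audit a page's HTML source for addresses that a simple
// pattern-matching robot could lift. The sample markup is constructed.
const ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

function findHarvestableAddresses(html) {
  const findings = [];
  html.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(ADDRESS)) {
      // Classify the hit by what precedes it on the same line.
      const before = line.slice(0, m.index);
      let where = "plain text";
      if (/mailto:\s*$/i.test(before)) where = "mailto link";
      else if (/\balt\s*=\s*["'][^"']*$/i.test(before)) where = "ALT attribute";
      else if (/<meta\b[^>]*$/i.test(before)) where = "META tag";
      else if (/<script\b[^>]*>[^<]*$/i.test(before)) where = "script literal";
      findings.push({ line: i + 1, where, address: m[0] });
    }
  });
  return findings;
}

const samplePage = [
  '<meta name="author" content="webmaster@example.com">',
  '<img src="mail.gif" alt="Write to sales@example.com">',
  '<a href="mailto:deb@example.com">Mail me</a>',
  '<p>Questions? Contact help@example.com.</p>',
  '<script>var contact = "owner@example.com";</script>',
  // The forms recommended in the column: spelled out, or built at click time.
  '<p>deb at example dot com</p>',
  `<a href='javascript:window.location="mai"+"lto:"+"deb"+"@"+"example"+"."+"com";'>Mail</a>`,
].join("\n");

for (const f of findHarvestableAddresses(samplePage)) {
  console.log(`line ${f.line}: ${f.address} (${f.where})`);
}
```

A harvester that runs scripts or recognizes "at"/"dot" spellings could still recover those two forms, so a clean result here means only that simple matching misses them.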

Protecting your address on lists

Again, Matt Ridley says it well and offers great advice.

Newsgroup/talklist mining. Miners subscribe to hundreds of newsgroups and e-mail talklists, and automated programs extract the e-mail addresses of all the people who post to those groups.

How to fight it:

Make a special e-mail account (in your e-mail program; you don't need to ask your ISP about it or pay anything extra), with a false "Reply To" address. Your false reply-to address should contain a certain phrase which can be removed to give a valid address. For example, you could create an account with the reply-to address "". You would then add a note to your e-mail signature, telling people to remove the word "REMOVE" from your e-mail address to be able to e-mail you. (Spammers and miners know about common phrases, like NOSPAM and REMOVE, so add something random to your e-mail address.) Add the false phrase to the domain part of your e-mail address (the bit after the @ symbol), not to your username (the bit before the @ symbol).

Remember not to mention your actual e-mail address in your e-mail signature. Better to put your false reply-to address in your signature, beside the note that tells people to remove it.

Deb's comment about the first idea here: I love this but in Outlook Express there is no separate Reply-to entry and placing "deb@ REMOVE" in the e-mail address field creates an error that says OE can't resolve the outgoing address. I seem to recall that Claris Emailer used to have a separate Reply-to field that would be handy for this use.

Everyone can definitely put the false address in the signature, though. Here is what the outgoing e-mail looks like. When the recipient clicks the link in the signature, the new message is addressed to deb@ The sender then needs to delete the word "REMOVE."

Protecting your address from yourself

Another way you become the recipient of unsolicited e-mail is by bringing it on yourself. I'm invoking my rights under the constitutional amendment to protect my source on this first one.

At sites that require a login and your information:

If it's the site of a company I've done business with and I know they are okay, I give the information. If it's a company I don't know, or a site that's new to me, then I give at least one piece of false information, but typically more than one. For example, when I went to look around the wine site (I love good wine), they wanted some information to authorize log in. I expect it was to market products of their advertisers. I gave a bogus name and just checked my annual income as less than $10,000. That way I was filtered out of the marketing attack because they think you're too poor to buy their products. You can place yourself in whatever demographic you expect they don't target. So far it's working.

Along those same lines, Matt Ridley once again has some info for us.

Many companies you are in contact with will sell your personal details to other companies for profit. Think of the number of times you've given your e-mail address online when you've signed up for a service or entered a competition or bought something. Every time, your e-mail address could have been sold to a spammer.

How to fight it:

If you've got your own domain, or if your ISP account allows unlimited e-mail addresses, it's easy to track who is selling your details. Every time you have to give your e-mail address when signing up for something, change the username to something which tells you which company you're giving the details to. For example, if you sign up for a competition to win an iMac from an online, then enter your e-mail address as "" (or whatever). That way, whenever you receive spam, you can check what address it was sent to and know what company has sold your details. You can also set up e-mail filters to trap out any emails which are to " onlineretailer" but which are not from the original company.

Warning: do not just put a completely false e-mail address, because companies will want to get in touch with you legitimately from time to time. For example, if you buy software online then you'll probably receive an e-mail with the activation code and purchase confirmation.
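
The tracking and filtering idea above can be written down as a small rule. This is an added example, not code from the column or from Matt Ridley; the domain example.org, the issued usernames and the sample messages are all constructed assumptions.

```javascript
// Added example: per-company addresses on your own domain, plus the
// filter rule from the column. Domains and messages are constructed.
const MY_DOMAIN = "example.org"; // assumption: a domain you control

// Username handed out at signup -> domain that company mails from.
const issued = new Map([
  ["onlineretailer", "onlineretailer.example"],
  ["winesite", "winesite.example"],
]);

// Pull the bare address out of a header such as: Name <user@host>
function headerAddress(raw, name) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, " ");
  const line = head.split(/\r?\n/).find(
    (l) => l.toLowerCase().startsWith(name.toLowerCase() + ":"));
  if (!line) return null;
  const m = line.match(/[^\s<>"',;:]+@[^\s<>"',;:]+/);
  return m ? m[0].toLowerCase() : null;
}

function classify(raw) {
  const to = headerAddress(raw, "To");
  const from = headerAddress(raw, "From");
  if (!to || !from) return { verdict: "unparsed" };
  const [tag, toDomain] = to.split("@");
  if (toDomain !== MY_DOMAIN || !issued.has(tag)) return { verdict: "untagged" };
  const vendor = issued.get(tag);
  const sender = from.split("@")[1];
  // Mail from the company or one of its subdomains is the expected use;
  // a lookalike such as evil-onlineretailer.example is not.
  const ok = sender === vendor || sender.endsWith("." + vendor);
  return { verdict: ok ? "expected" : "leaked", soldBy: ok ? null : tag, sender };
}

// Constructed messages: a legitimate confirmation, spam sent to the
// tagged address, and ordinary mail to an untagged address.
const samples = [
  "From: Orders <orders@mail.onlineretailer.example>\nTo: onlineretailer@example.org\nSubject: Your activation code\n\nThanks.",
  "From: \"Deals\" <promo@bulk-offers.example>\nTo: onlineretailer@example.org\nSubject: MAKE MONEY FAST\n\nBuy now.",
  "From: friend@isp.example\nTo: deb@example.org\nSubject: lunch\n\nHi.",
];
samples.forEach((s) => console.log(classify(s)));
```

The From header can be forged, so an "expected" verdict is not proof of origin; the useful signal is "leaked", which names the signup whose address has spread.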

Another reader wanted to pass on this info. Because the subject is reporting specific spam, I am again keeping the originator of this message to myself.

One particular source of Usenet spam is really starting to annoy me:

Every day I see numerous usenet spams from users of their service. I know they have a strict policy of canceling the accounts of spammers, but the very nature of their business encourages their users to spam. They pay for every referral, and what easier way is there to get a ton of referrals than posting it all over the place.

I've taken to reporting all such spams to FrontierNet (which provides AllAdvantage's DNS service) as well as AllAdvantage and the user's ISP in hopes of either getting AllAdvantage shut down or forcing a change in their business model to no longer encourage spamming.

Fun ways to combat spam

I know this is a long column but heck, since it's Mac Efficiency 101's birthday, here's a silly gift to you all.

Another reader makes a point about spammers who provide a toll free 800/888 number to call for their product and service. For example, spammers set up a server with a one day IP address, hooked up to an ISP they hacked into, send their spam, and then close down, hoping the P.O. Box address and/or 800/888 number they provide will do the rest for them. It costs them money if you call the number. If all of you who receive spam were to call those numbers a few times and cost the spammer money ... might it be a payback or deterrent?

And Richard Davis won my heart with this one:

Thought you might like this one ... I love to receive spam with a Fax Form in the message. I respond via fax with a 32 page, ONE (1) letter per page fax requesting to be removed from their e-mail list. Two such faxes resulted in an immediate halt in spam with fax form returns. Coincidence? 6 months later I received another Fax Form Spam, responded with my fax and haven't seen another for over a year.

For the spam with phone numbers, consider setting up an old computer using phone pro to dial their numbers and play a recording (over and over) requesting removal. It would tie up their phone lines for several minutes (their phone line is busy until the caller hangs up).

One final possible warning to leave you with

In the past I mentioned that you shouldn't reply to spam because it verifies your address. A reader points out that if a phone number is provided to call and remove yourself from the list, be careful. Don't call it. It could be the old trick of rerouting the call to places like the Dominican Republic or a 900 number and you may be in for major charges. I'm not sure if toll free numbers can be re-routed to become toll calls. If so, we really need to be careful.

Next Week

I think we've pretty much covered spam. We'll get on to fun e-mail stuff next week.
