Security Response

Snake Oil for the Spam that Ails You

Created: 08 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:43 GMT
Symantec Security Response

“Ladies and Gentlemen, step right up and feast your eyes on this!” The special today is a cure for a little ailment called “spam.” Well, not all spam. Just spam with certain polka-dots on it. Call it a flavor if you will, and why not? I mean, you’ve got Heinz touting 57 varieties (in reality, there are many, many more), so why not different flavors of spam? Dr. Seuss might even serve it up with some green eggs if you let him.

I digress. The spam du jour is of the self-inflicted kind. No, not the kind that you get after you sign up for a random online sweepstake. No, not even the kind you randomly pick up just for having an email account. The spam we are talking about is the kind that you get because your email address appears on a Web site that you might maintain.

Imagine, if you will, that one day you decided that you wanted to put up a Web site. What goes on this site? Well, first there are the usual pictures and maybe some prose. Then sprinkle in a blog if you’re adventurous and, oh, let’s not forget the resume. But wait, there’s more! It just so happens that you are a friendly kind of person and you want visitors to be able to contact you, so you decide to post an email address while you’re at it. “For questions or comments, email me at myname@someaddress.com.” You step back, take a look at the results, and pat yourself on the back. Hey, not bad. That’s a pretty nifty site you’ve got going there.

“Where are you going with all of this? Wait, your honor, I have a point, I promise.”

OK, now here’s the part that gets interesting (or annoying, depending on your perspective). Let’s say I’m a seedy character or maybe I just want to make a few extra dollars on the side, or maybe both. (Remember, I’m selling snake oil here, so I’m all about the quick buck.) So, I decide to write a little program that basically goes out running amok all over the Internet looking for email addresses like a kid looking for loose change in between couch cushions. Finders, keepers. OOPS! Guess what? My program just stumbled upon your Web site and—YOINK!—I’ve just “harvested” your email address into my collection of targets for spamming. Next thing you know, your inbox is filled with a large volume of things like fraudulent emails claiming that your account is suspended at an institution you never even belonged to, promises of products that will enhance your satisfaction, or random gibberish that can be quite amusing.

Anyway, now that I have your email address, that’s it: there’s no going back for you, as your email address has now become a part of my income-earning potential. Sure, I’ll throw emails at you that tell you that you can unsubscribe by clicking a link but, in reality, all you are doing is confirming that your email address is real and active and that I should continue to throw spam at you. You might think to yourself, “Why should I worry? My email program has a spam filter to block out the bad stuff.” Well, the reality is that the spam filter may reduce the amount of spam you see or conveniently move spam into a single folder, but it won’t completely eliminate all spam.

Oh, did I mention that I might sell my list of email addresses to spam to some of my buddies as well? Yep, the popularity of your email address just went up. So here is the part where many people ask me, “What, oh what, could I have done to prevent this?” Well, to answer that question, let’s take a trip in the time machine back to when you were putting your Web page together. POP. ZIP. FIZZLE. “You are a friendly kind of person and you want visitors to be able to contact you, so you decide to throw up an email address...” WHOA! Not so fast! Hold on. Let’s take a look at some options.

Well, there is the obvious step of not posting an email address at all. What’s that you say? You do want people to be able to contact you after all? I suppose. I mean, how else are they supposed to offer you a job after reading your fantastic resume, right? OK. As the saying goes, the customer is always right. If you must post an email address, one simple thing to do to reduce the chance of it being harvested is to replace that “@” in your email address with a random character like maybe “#” or “*”. (Just remember to let people know to put the “@” back when they email you.) This makes it harder for my little harvesting program to determine whether what it is seeing is indeed an email address or just random text.

You can get more creative and really stick it to the spam-man, using an idea that I borrowed from the Gausebeck-Levchin test: turn your email address into a picture! Yes, that’s right, get in touch with the Michelangelo within you, and get creative with the look and feel of your email address. (Just make sure you put enough distortion in the way the email address appears.) Wait! Before you think I’m a complete lunatic, read on.

What’s that you ask, what’s the Gausebeck-Levchin test? Good question. I’m sure by now that there’s a good chance that you’ve signed up for an online account here or there that asked you to read some squiggly characters in an image and then enter them in a text field. This is done to make sure that you are indeed a living, breathing human being that is signing up for an account and not a machine or program trying to pass for one.

As cognitive humans, we don’t care if the words are typed or drawn or drawn poorly. Heck, even if there are missing portions of a word or letter, we can infer and understand what the word or letter was supposed to be. A computer program can’t. In fact, most programs can only understand typed text, and some that are more sophisticated can do character recognition off an image, but only if the portion of the image containing the wording is clean and uncluttered. Please refer to my original point, which stated that you should transform your email address into an image and make it look distorted and cluttered, and voila! Your email address is virtually unreadable by any program out there.
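To check your own pages before publishing, here is a small audit script, added as an illustration and not part of the original post, that reports every place a page still carries a machine-readable address. It covers both tips above (the “@” swap and the image), and goes one step further by flagging addresses left in `mailto:` links, `alt` text, or HTML character references, which undo the obfuscation; the regular expression and sample pages are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Assumed harvester-style pattern: anything shaped like local@domain.tld.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class ExposureAudit(HTMLParser):
    """Record where a page exposes a machine-readable email address."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode &#64; etc. first
        self.findings = []

    def _scan(self, where, text):
        for addr in EMAIL_RE.findall(text or ""):
            self.findings.append((where, addr.lower()))

    def handle_starttag(self, tag, attrs):
        # href="mailto:...", alt="...", title="..." all reach a crawler as text
        for name, value in attrs:
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def audit(html_source):
    """Return (location, address) pairs found in one HTML document."""
    parser = ExposureAudit()
    parser.feed(html_source)
    parser.close()
    return parser.findings

# Constructed sample pages, using the placeholder address from the article.
PLAIN = "<p>For questions or comments, email me at myname@someaddress.com</p>"
SWAPPED = "<p>Email me at myname#someaddress.com (type @ in place of #)</p>"
ENTITY = "<p>Email me at myname&#64;someaddress.com</p>"
IMAGE_LEAKY = ('<a href="mailto:myname@someaddress.com">'
               '<img src="contact.png" alt="myname@someaddress.com"></a>')
IMAGE_CLEAN = '<img src="contact.png" alt="Contact address, shown as an image">'

if __name__ == "__main__":
    for name in ("PLAIN", "SWAPPED", "ENTITY", "IMAGE_LEAKY", "IMAGE_CLEAN"):
        print(name, audit(globals()[name]))
```

An empty result means the page shows the address only in a form a person has to read, which is the goal of both tips.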

How’s that for a cure? You know what? Since you’ve been such a kind and patient audience, go ahead and take this bottle of snake oil on the house and give it a try. There’s always more where this came from.