What can individual users do about spam?
Reducing the odds that you will receive spam is always going to be better than trying to deal with it later. With this in mind, here are some tips that might reduce the likelihood of you getting your address into spammers' databases.
1: Reduce the exposure of your e-mail address
Try not to put your e-mail address in places where spammers will easily find it: this means not putting it onto any web pages, or if you must include it, including it in an encoded form that web spiders can't detect so easily. Also, consider asking your friends not to add you to their address books: if their system gets compromised by a virus, at least then your e-mail address won't be an innocent victim.
2: Consider using a separate address for "dangerous" activities
Consider starting up a second e-mail address you can use for activities that have a higher likelihood of getting you into a spam database: this includes shopping online, website registrations and posting to public newsgroups. Keep your "real" address private and give it only to people you trust: that way, if your "high risk" address is compromised, there's less disruption and your really important correspondence will be unaffected.
3: Only give out your e-mail address when there is a justifiable need
Many web sites, subscriptions, journals and businesses may ask for your e-mail address on a "pro-forma" basis, even if they don't really need it or you don't necessarily want them to communicate with you via e-mail. When someone asks you for your e-mail address, ask them to explain why they want it. If they cannot give an explanation that satisfies you, decline to supply your address to them. If you have any doubts about a site or person who asks for your e-mail address, do a Google search on them and see if there are any reports of them being unreliable. It's amazing what a simple Google search can turn up.
If you operate in the real world, it's unlikely that you're ever going to be able to prevent all spam from getting to you unless you send little or no mail. If prevention fails you, here are some things you can do to help reduce the spam that does get to you.
1: Work out where you really stand
Spam often promotes levels of hysteria and anxiety quite out of proportion to its actual impact. If you're only receiving a couple of spams a day, then in all honesty, your spam problem is so small that any solutions for it are likely to be more troublesome than the spam itself. Ask yourself how much genuine inconvenience you are suffering from the levels of spam you are receiving: if the answer is less than "lots", perhaps you should think twice about looking for solutions. Always remember that there is no perfect technical solution to spam - once you introduce filters or other anti-spam methods, you expose yourself to the risk of missing legitimate mail through misclassification. Keep this knowledge in mind as you make up your mind how to proceed.
2: See if your Internet Provider has spam filtering services
Many Internet Service Providers now provide spam filtering as a service to their customers, either as a free service or as a low-cost extra. In many cases, your ISP may not turn spam filtering on automatically - it may require a request from you. Call your ISP's helpdesk and see what services they offer: a summary of services provided by a number of New Zealand ISPs and how to contact them is provided in the 'other resources' section.
3: Consider using an e-mail client that has spam filtering built-in
If your current e-mail program does not have spam filtering, perhaps you should consider switching to one that does. Ask your friends and your ISP what they recommend - different systems have different pros and cons, and you need to make sure that whatever you choose is a good compromise between effectiveness and ease-of-use. Also, if your mail program does not have spam filtering, search the web (Google is your friend) to see if third-party products exist that can add it.
4: Don't forget that you can always change your e-mail address
Sometimes it's easier to change your e-mail address and start from scratch than it is to fix a bad spam problem. Most e-mail programs will let you change your e-mail address without losing any of your existing mail, so the only negative part of the process is having to notify your correspondents of the changed address; it may well be that this is easier than building barriers around an e-mail address that has already been badly compromised.
What can businesses do about spam?
If you are a business that hosts your own mail and web services, there are many things you can do to reduce the impact of spam on your operation, but you should always be conscious of the risk of the false positive - legitimate mail that is incorrectly detected as spam. Because a message lost can mean a deal lost, businesses must always walk a fine line between reducing the amount of cruft they receive and ensuring that no legitimate mail is ever turned away in error. For this reason, businesses often have to accept a higher amount of spam than an individual might be willing to endure.
The first thing you have to ask yourself is: how much spam am I willing to tolerate? The next question must be: what false positive rate am I willing to accept in order to achieve that level of spam? The way you balance the answers to these two questions has an overriding impact on the strategies you will adopt to reduce spam.
The technical process of reducing spam begins with tightening the operation of two key components of your Internet presence - your web pages, and your mail server. The following two sections of this topic offer a brief overview of the type of changes you should consider. Parallel with these technical changes, you must also consider actively educating your staff in certain key areas to ensure that they know how to avoid becoming spam victims: the fourth page in this section gives some ideas of the type of issues you should be raising with them.
1. Web server
Your web server might seem like an odd place to start combating spam, but a significant proportion of the spam you receive arrives in your mailbox because of the content you display publicly on your web site. Spammers employ programs called web spiders (also known as web crawlers) to rummage through your web site and "harvest" any e-mail addresses they can find. Here are some things to consider changing on your web site to make it harder for spammers to harvest your e-mail addresses.
1: Use "obfuscated" URLs
Web spiders scan the HTML of your web site looking for mailto: URLs and any text that looks like an e-mail address. HTML, however, allows text and URLs to be represented in a variety of ways. By using legal HTML encodings to "obfuscate", or obscure your e-mail URLs, you can confuse or defeat some of the simpler web crawlers employed by spammers without impacting on legitimate browser users at all. Obfuscation is easy and there are sites that can do it for you, like this one.
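The following Python sketch is an added example, not code from this site. It encodes a mailto: link as HTML numeric character references and then checks what a pattern-matching scan of the page source finds, both raw and after entity decoding. The harvester pattern and the address sales@example.com are constructed for the illustration.

```python
import html
import re

# Deliberately simple address pattern, standing in for the "simpler web
# crawlers" described above (constructed for this example).
NAIVE_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def to_entities(text):
    """Encode every character as a numeric character reference, alternating
    hexadecimal and decimal forms so that no single fixed pattern repeats."""
    parts = []
    for i, ch in enumerate(text):
        parts.append("&#x%x;" % ord(ch) if i % 2 == 0 else "&#%d;" % ord(ch))
    return "".join(parts)

def obfuscated_mailto(address, label=None):
    """Return an <a> element whose href and visible text are both encoded.
    A browser decodes the references, so the link looks and works as usual."""
    href = to_entities("mailto:" + address)
    shown = to_entities(address if label is None else label)
    return '<a href="%s">%s</a>' % (href, shown)

def addresses_visible_in(page_source, decode_entities=False):
    """List the addresses a pattern scan finds in the page source.
    decode_entities=True models a scanner that resolves character
    references first, exactly as a browser does."""
    if decode_entities:
        page_source = html.unescape(page_source)
    return NAIVE_PATTERN.findall(page_source)

if __name__ == "__main__":
    link = obfuscated_mailto("sales@example.com")
    print(link)
    print("raw scan:    ", addresses_visible_in(link))
    print("decoded scan:", addresses_visible_in(link, decode_entities=True))
```

The raw scan finds nothing, while the decoded scan recovers the address from both the href and the link text, which is why the encoding only helps against crawlers that do not decode entities.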
2: Consider using graphics for your e-mail addresses
Web spiders can't extract an e-mail address from a graphic, so consider using small graphics instead of normal text to display your e-mail addresses. The down-side of this is that your addresses cannot be hyperlinked when you use this approach, but it's an infallible way of preventing your addresses from being harvested.
3: Consider restricting access to your "e-mail contacts" page
Think of this: when a visitor clicks to go to your "e-mail contacts" page, you bring up an "authorization" page that asks the visitor to type in a word you have displayed on the page as a graphic in order to proceed. This will defeat all known web spiders, and if you have a clear explanation of why you are doing it, reasonable users will not mind the small inconvenience it entails.
2. Mail server
Spam is - by definition - e-mail, so your mail server is the place where you will fight your primary battles against it. Unfortunately, e-mail servers have a tendency to be arcane (mostly because e-mail has been around for such a long time and has a lot of "baggage" to carry around), so you may be well-advised to consider retaining a consultant who specializes in the area to shore up your system's defenses. Some key points are listed below: we apologize for the level of "computer jargon" on this page - it's largely unavoidable in this particular case because of the technical nature of the subject material.
1: Close your relays
"Relaying" is the process by which one computer system delivers a mail message to its destination by asking a system between it and the end-point to act on its behalf. When you send a mail message from your copy of Outlook, or Eudora, or Pegasus Mail, you are relaying your message. Relaying is open to considerable abuse, and must be configured carefully if you allow it at all. We recommend that you only allow relaying when the system requesting it has successfully issued an SMTP AUTH command. Most modern e-mail clients support SMTP authentication.
2: Consider introducing connection controls and using blacklists
Many mail servers allow you to enforce compliance with policies you specify: for instance, you may wish to refuse to accept mail containing only HTML data because it is far and away the most common vector for both spam and viruses. Some servers also support the use of Real-time Blacklist services, such as The Spamhaus Project's SBL, as a means of detecting hardened spammers. Careful and considered use of facilities like these can stop spam before it even reaches your mail queue.
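The following Python sketch is an added example, not code from this site or from any mail server. It shows how a real-time blacklist lookup works at connection time: the client address is reversed, appended to the list's DNS zone, and looked up as an A record. The zone sbl.spamhaus.org is the SBL's DNS zone; the stub resolver and its records are constructed so the example runs offline.

```python
import ipaddress
import socket

SBL_ZONE = "sbl.spamhaus.org"  # DNS zone of the Spamhaus SBL named above

def dnsbl_query_name(ip, zone=SBL_ZONE):
    """Build the DNS name a mail server looks up for a connecting client."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when none exist. A lookup
    failure also yields [], so a DNS outage never causes mail to be refused."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_client(ip, resolver=system_resolver, zone=SBL_ZONE):
    """Return (verdict, listing_codes) for a connecting client address."""
    answers = resolver(dnsbl_query_name(ip, zone))
    # A listing is an answer inside 127.0.0.0/8. Spamhaus uses 127.255.255.x
    # to signal query errors, so those must not count as listings, and
    # neither must any answer outside 127/8 (for example from a resolver
    # that rewrites failed lookups).
    listed = [a for a in answers
              if a.startswith("127.") and not a.startswith("127.255.255.")]
    return ("reject" if listed else "accept"), listed

# Constructed zone data using documentation-range addresses.
CONSTRUCTED_ZONE = {
    "7.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],         # listed
    "99.2.0.192.sbl.spamhaus.org": ["127.255.255.254"],    # error code
    "5.100.51.198.sbl.spamhaus.org": ["192.0.2.1"],        # rewritten answer
}

def stub_resolver(name):
    """Offline stand-in for system_resolver (constructed for the example)."""
    return CONSTRUCTED_ZONE.get(name, [])

if __name__ == "__main__":
    for client in ("203.0.113.7", "192.0.2.99", "198.51.100.5", "198.51.100.20"):
        print(client, check_client(client, resolver=stub_resolver))
```

Only the first address is rejected; the error code, the rewritten answer and the unlisted address are all accepted, which keeps resolver problems from turning into false positives.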
3: Install competent spam filtering software
Many mail servers have built-in spam filtering of their own, and if your server does not, products like SpamAssassin, MailMarshal or POPFile can often be added on to fill the gap. Filtering systems can detect a significant proportion of the spam you receive and divert or delete it accordingly.
4: Centralize your mail handling
It's easier to implement spam prevention and detection in one place than in many, so you should consider centralizing your mail services. A little careful configuration can allow you to have all the mail for your site flow through a single "front-end" server that implements your anti-spam policies, passing legitimate mail on to the servers "behind" it.
3. Education
Teaching your staff how to handle spam is probably the most important, and yet under-rated thing you can do to reduce the effect it has on your organization. We strongly recommend that all staff who receive e-mail from outside your organization be required to attend a training session on this subject - it need be nothing more than a half-hour in-house session from a staffer who understands the issues: the key is simply getting a set of very simple guidelines across to people so they can integrate them into their daily work habits.
The most important thing for your staff to understand is covered in the Four Golden Rules section of this site - never buy from spam, never reply to spam, never use the "remove" option in spam, and always distrust mail you receive from people you don't know. Following these simple rules will ensure that you are not exposed unnecessarily to spam that can be easily avoided.
Other training possibilities include encouraging your staff to read this web site at staff meetings, and putting the Four Golden Rules from this web site in your staff newsletter - but however you do it, you should not overlook the value of quite minimal levels of anti-spam education.
