Spam is the scourge of the Internet. The odd thing is, spam is completely unnecessary. If we all signed our emails using a certificate, two things would happen:
- We could set a rule to ignore any un-signed email.
- Spammers sending signed email could be identified by the cryptographic signature and blacklisted.
I signed emails while at IBM but the experiment failed. Many of my clients were behind corporate domains where anti-malware filters examine all email. If the email is signed, they reject it for some reason. In other cases, list servers and corporate filters added text to the email which broke the crypto signature.
Of course, none of my family or friends sign their emails nor do they know what to do if they get a signed email from me. In short, until we reach a tipping point of people using crypto, spam will continue. As long as we’re stuck with it, I decided to take measures to mitigate it. Here’s what I did and some of the findings.
The problem with spam is you can’t really tell where it comes from. If you have an email address that you never use, you probably don’t get too much spam there. But if you use the same email address for everything, it gradually gets more and more spam until you are forced to abandon it. That suggests that the address leaks out with some specific activities online, but which ones? If you knew, you could stop doing those things that resulted in the most spam. Better yet would be the ability to retroactively undo an unfortunate decision.
The approach I took to combat this problem is to make a different email address for every vendor or web site. Then when I start to get spam, I know who was careless with, or worse deliberately sold, my personal data. Better yet, if they abuse it I can burn the address. This has worked out great and over 10 years it has provided a lot of insight into the security (or lack thereof) of my personal data. For example, when the email contains my name or other personal information in addition to the email address, I know someone has been very naughty.
It’s also become clear that many companies who are good about respecting your privacy when you are their active customer, sell your data the moment you close the account. Apparently they feel the TOS and privacy policies apply only to their customers and once you close the account, your data becomes a depreciated asset which they can sell by the pallet at auction like a worn-out PC. Similar to this are the accounts that suddenly get spammed after the original company changes hands through acquisition or bankruptcy.
Some companies just plain whore out your data. Case in point is The Biggest Loser. I lost a lot of weight in 2007 and was a (somewhat less) big fan of the show. Until I signed up for the forums. Then it became clear that the company behind the show is hell-bent on extracting every last possible cent out of a population of people who are desperate not just for medical help, but for compassion and human dignity. The show promised interaction with the on-air personalities but after paying for a forum membership I discovered that meant an occasional blog post from a contestant, nothing from the stars (unless you wanted to pay again) and nothing interactive.
But worse was the barrage of spam that soon followed. All of it said I’d opted in to receive it but didn’t say from where. Fortunately, I had a unique email address set up and knew exactly who had sold it. The addresses are more valuable once you validate that they are good. You don’t even have to reply because the same beacons and trackers present in web pages are present in HTML email. All you need to do is preview or open the email to confirm your address. And if you should happen to use the unsubscribe link at the bottom (as required by the CAN-SPAM Act), they do actually unsubscribe you from their list, but to make the money back, they sell you to a dozen more lists.
Sometimes the unsubscribe links are in plain text so I tested out this resale theory several times. I would copy the unsubscribe link from the email, then paste it into the browser and edit the email address in the URL query field before submitting. Even though I used a freshly minted and pristine address for these experiments, in all cases it began almost immediately to show up in new, seemingly unrelated spam campaigns.
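As an added illustration (not code from the original post), here is the per-vendor-alias attribution described above, with checks for the three leak indicators mentioned: an opening beacon, an unsubscribe link carrying the address in clear text, and personal data beyond the address. The aliases, vendor domains, name token and sample messages are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping: per-vendor alias -> (vendor name, the domain that vendor
# legitimately mails from). Hypothetical addresses, not the author's real ones.
ALIASES = {
    "shop-acme@example.net": ("Acme Shop", "acme.example"),
    "forum-bl@example.net": ("Biggest Loser forums", "biggestloser.example"),
}
NAME_TOKENS = ("Pat",)  # constructed: personal data that should never be in the mail

TRACKER_RE = re.compile(r'<img[^>]*\b(?:width|height)="?1\b', re.I)  # 1x1 beacon
UNSUB_RE = re.compile(r'href="([^"]*unsub[^"]*)"', re.I)

def analyze(raw):
    # Attribute one raw message to the alias it arrived on and flag leak indicators.
    msg = message_from_string(raw)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    vendor, expected_domain = ALIASES.get(to_addr, ("unknown alias", ""))
    unsub_links = UNSUB_RE.findall(body)
    return {
        "vendor": vendor,
        # Mail on this alias from a domain the vendor does not use: the alias leaked.
        "leaked": bool(expected_domain) and sender_domain != expected_domain,
        # Beacon image: merely previewing the mail confirms the address is live.
        "tracker": bool(TRACKER_RE.search(body)),
        # Unsubscribe URL that carries the recipient address in clear text.
        "unsub_exposes_address": any(to_addr in link.lower() for link in unsub_links),
        # Name alongside the address: more than the bare address was passed on.
        "name_leak": any(tok.lower() in body.lower() for tok in NAME_TOKENS),
    }

def leak_report(messages):
    # Count leaked messages per vendor alias over a batch of raw messages.
    counts = {}
    for raw in messages:
        r = analyze(raw)
        if r["leaked"]:
            counts[r["vendor"]] = counts.get(r["vendor"], 0) + 1
    return counts

# Constructed samples: one spam on the forum alias, one legitimate order mail.
SAMPLES = [
    'From: deals@unrelated-offers.example\nTo: forum-bl@example.net\n'
    'Content-Type: text/html\n\n<p>Hi Pat, you opted in!</p>'
    '<img src="http://track.example/p.gif" width="1" height="1">'
    '<a href="http://track.example/unsub?email=forum-bl@example.net">Unsubscribe</a>',
    'From: orders@acme.example\nTo: shop-acme@example.net\n\nYour order shipped.',
]
```

Running `leak_report` over a real mailbox export gives the per-vendor tally the post describes; the four flags in `analyze` tell you how much of your data went with the address.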
This is potentially quite useful for spam control. Often spam contains a reply-to email address. This is common for example in the Nigerian scam where the mark is told they will be given a commission on a large money transfer if they just pay the fees to unlock the funds. It would be possible to keep a list of these unsubscribe links that accept unencrypted email addresses and submit the spammers’ reply-to email addresses to these links. Not that I would EVER actually do such a thing. You see, that is actually a Federal offense that can land you years in jail whereas what the spammers do is not completely legal but occurs at such scale and moves about with such rapidity that it’s impossible to stop.
Unless we all started using signed email, in which case spam stops overnight.
Click the pic to take a look at my most recent week’s worth of spam at t-rob.net. I’ve annotated the image with spam sources and some history. Let me know what you think. Who are your worst vendors when it comes to selling/losing your data? Are you able to tell? How often are you forced to change email addresses?