Forum Moderators: phranque
If you run a web business, your email gets on just about every evil spam list out there. I have a spam blocker that I use for my personal email, which works fine because I can add my friends to a buddy list. But I am afraid it would block customer emails if I used it with my web business emails. I need something more robust.
I searched the web, and I can't seem to find anything that is the overwhelming choice. Please PM me your favorite spam blockers.
Thanks,
John
I do both and I don't receive much spam.
Most of them are based on rules/keywords within the messages, not sources, so depending on how your clients word things if the spam blocker thinks it's an advertisement its going to drop it.
I do two things to prevent SPAM:
(1) Never put an e-mail address on your website. Use a form. DON'T use a form that has a "hidden" field with the email address in it, that's just as bad as having the mail address on the page. Embed the recipient addresses in your ASP/Perl/PHP/Whatever code.
(2) This is by far the best method for me. Set up a "catch all" account at your domain. So someone could send mail to "anything"@yourdomain.com and it gets to you. Then what you do is whenever you register for a site that requires your e-mail, put in the SITE NAME @yourdomain.com
Example: webmasterworld@yourdomain.com
Now whenever you get SPAM, just look and see who the recipient is - you'll instantly know which website you registered at sold-out your e-mail address. Then you can make message rules on your mail server to delete all future mail sent to that address.
Most of them are based on rules/keywords within the messages, not sources, so depending on how your clients word things if the spam blocker thinks it's an advertisement its going to drop it.
Smart filters work differently, and Spambayes is one of the smarter ones.
You'll have to train it on the specific spam/ham you receive, so that it will learn how your customers typically phrase things. A filter that doesn't adapt to your specific situation isn't a smart filter.
It will then sort the mail into three buckets, and you can configure where you want the boundaries to be, and what happens with each bucket.
The obvious (to the filter) spam is marked as such, and I've only seen false positives in there from one specific (automatic) sender, which would be easy to fix on their end.
The obvious (to the filter) ham is normally placed in your inbox as before. I receive hundreds of spams each day, and once a week or so I'll see one slip through there, which most of the time is in an unusual language so it's not covered by the training of the filter.
And then, the smart filter will have an "unsure" bucket, where it places anything that it doesn't consider obvious. What you'll find there are new forms of spam, bounces from spam that was sent faking your domain in the sender, and once in a while a legitimate message that uses "spammy language". It is a good idea to use those messages to refine the training of the filter.
In addition to that, you can use a variety of RBL type lists, but I've seen significantly more false positives as a result from that than from Spambayes.
check [spamassassin.org...] for more details.
Only 3 non-spam messages have been dubbed suspect, and only 1 spam message wasn't detected.
Seems like a good track record.
Since most spam comes with a faked sender address nowadays, you're harrassing an innocent person for every spam you receive. You're effectively doubling the amount of unwanted mail in circulation.
This isn't generally considered a good idea.
Any email it identified as possibly being spam I forward to a challenge/response system
These challenge/response systems are getting to be a problem. I get a message or two a day from them due to spoofing. People who pay to download an eBook from my site get an automatated receipt that also contains information about how to get a free update. Those that use challenge/response do not get the message.
Since I also market my engineering services through my web site I cannot use c/r; most people will not respond to the challenge but will go elsewhere.
In fact, if you do business or advertise your products or services over the web, a challenge/response system is the best way to discourage customers.
Another good way to discourage customers is to list your e-mail address with "nospam" inserted and instructions to remove that. You should make it easy for potential customers my using a working mailto: link for your e-mail. Spammers have software that will automatically remove the nospam and other modifications to e-mail addresses. I recently received some spam advertising spamming services that will automatically respond to challenge/response systems.
This is impossible if you're a real operation communicating with 1000s of potential customers per month, as once one of those correspondents PC is hi-jacked, your email is harvested by the spammers.
I just checked and two old email addresses (which we used in the mid-90s and I've removed since 1998 to create a "user unknown" 550 error by the MTA, yet references to them remain in many webpages around the world), receive and reject over 2500-3000 spam mails PER DAY, each one of them.
I can't imagine what a larger organisation might be getting. Our scale is very small in my opinion. And the example i mentioned was for non-profit things, i.e. it costs me a lot of time to deal with the side-effects of providing a free service to the Internet community. "No good deed goes unpunished" :-(
If one has the capability to operate and have FULL CONTROL over their own mailservers, I would recommend a combination of RBL and SpamAssasin. The latter is suppsed to implement support for SPF and other sender authentication technologies, like those proposed by Yahoo and Microsoft.
Unfortunately email and Web spammers are making things a lot more painful, complicated, costly, time-consuming and difficult for legitimate e-biz.
I didn't mind the old sales pitches, but now I get hard core porn, pictures and all. You know the ones, they start as a blue link box and expand into a full blown picture. Not good if the kids are playing in my office.
What about those services that require a reply to a verification email before letting an email pass through. Seems liks some legit customers could get scared away.
What about those services that require a reply to a verification email before letting an email pass through. Seems liks some legit customers could get scared away.
See my comment about challenge/response in msg#11.
Not only do potential customers get scared off (not always scared off, but they send an e-mail at one time and don't get the response until they check their e-mail, perhaps the next day). Also there are so many automatic systems--alerts from my bank, reports from business services (Adwords and Adsense, etc.), order and shipment confirmations or delay information, hotel and airline confirmations, etc. Challenge/response will eliminate them unless we know ahead of time the exact e-mail address they will be sent from.
I think that laws stronger than CAN-SPAM and tough enforcement of the laws is the only answer. That won't completely stop it but it should reduce the amount without making internet communications more difficult for legitimate non-spam use.
1. I turned off html email. I receive everything in plain text now. I also did this because I didn't want embedded beacons triggering whether or not I'd opened the mail.
2. I started using Mailwasher to pre-screen my mail.
I no longer use Mailwasher, as my ISP offers Postini spam screening. Very little spam gets through to my computer anymore.
I use one for work.
I have one personal account.
I have one hotmail (soon to be Gmail :)).
A second hotmail account.
I use the work email for communicating with work contacts and I never get any spam.
I use the personal one to communicate with friends, relatives etc. I never get any spam - this email has no spam filtering and is available on a public website.
I use the first hotmail one to sign up for legitimatenewsletters, mailing lists even for webmasterworld - any webpage which requires my email address gets this email address. I get about 1 spam a day.
I use the second one for signing up to online newspapers, public relations updates and competitors newsletters etc - anything where I can't be at least 75% sure of my email being distributed. I get around 5 spams a day.
Why am I not getting flooded with spam? I know that it is a searious problem for some but I just don't know why I'm not being affected.
I am sure many webmasters are having the same problem.
If you run a web business, your email gets on just about every evil spam list out there. I have a spam blocker that I use for my personal email, which works fine because I can add my friends to a buddy list. But I am afraid it would block customer emails if I used it with my web business emails. I need something more robust.I searched the web, and I can't seem to find anything that is the overwhelming choice. Please PM me your favorite spam blockers.
A year and a half ago I installed several bad bot traps on my site (hidden links with scripts which would add a deny from xx.xx.xx.xx line to .htaccess). Since then all my spam problems have disappeared, even if my email address is displayed prominently with a mailto: link in the contact page. Basically the traps block all email harvesting bots.
Unfortunately, the PRIMARY thing to do is to try to evade getting on spammers' lists.
Even more unfortunately, if you have an email address that's been around since 1995 there's simply no avoiding those lists... ;-)
Why am I not getting flooded with spam? I know that it is a searious problem for some but I just don't know why I'm not being affected.
Count your blessings. I guess in your case there is no way for spammers to get your address. For many people that is the case. However, for me (and many others) there is no way to keep the e-mail address from spammers.
On a site with information about my engineering consulting services I have my e-mail address, as well as snail mail and business phone number. I do get work (typically contracts for several months work) by e-mail. Sometimes the work comes from people who I worked with years ago but they did not have my contact information until they found the web site.
I also participate in work related newsgroups and forums that (unlike this one) allows e-mail addresses either as a part of the forum structure or as part of the signature line. I have received business this way.
I am a director of an international organization for control engineering. My e-mail address is listed on their web site. It is required that a member of the organization be able to e-mail me if he has any need (very few do, but it has to be possible).
I just had to send a message to a lawyer whom I did not know and have never had contact with. His e-mail address is listed on the firm's web page. I assume that the time reading my message will be billed to his client.
I average about 50 spams per day. Others I work with in similar situations get about the same amount or more.
I think strong laws (better than CAN-SPAM) and some real effort in enforcement is the only way to reduce spam. It won't be 100%, but it can reduce the problem.
spamcop. Spamcop. Spamcop.
It's simple.
Richard
(believe me - I am on every spammers list on the net)... 3k rejects a day out of 3.5-4k in)
I think strong laws (better than CAN-SPAM) and some real effort in enforcement is the only way to reduce spam. It won't be 100%, but it can reduce the problem.
Most spam nowadays is being sent from hijacked PCs all over the world (about 500k PCs by industry estimates), belonging to unsuspecting ordinary users in USA and Europe.
One could "follow the money", ie go after the people who stand to gain by spamming activities. But how can you be SURE and PROVE they actually ordered the mass-mail? e.g. if tomorrow someone sends 40million email messages via 5000 different IPs-PCs scattered all over the world, advertising this site, can we be certain that the WW owner ordered it and not e.g. a competitor trying to damage his reputation?
A year and a half ago I installed several bad bot traps on my site (hidden links with scripts which would add a deny from xx.xx.xx.xx line to .htaccess). Since then all my spam problems have disappeared, even if my email address is displayed prominently with a mailto: link in the contact page. Basically the traps block all email harvesting bots.
See point above. What if spammers do distributed harvesting of emails? Will you have a htaccess file blocking 1000s of IPs? What about performance?
Wrt email harvesting bots: Lately I've come across (never ran any of it) Win32 software that will let you "collect emails from your documents on your PC and web addresses" (a legitimate task for a small office that wants to organise contact lists of customers) that's given away FREE. I would suspect that such sw talks back to its creators and gives them your list.
We're reaching a point of mass-hysteria wrt spam and I understand it only too well. But it's VERY COUNTERPRODUCTIVE in doing business. I just read the mailing-list suggestions of spamcop at
[spamcop.net ]
How many small or medium sized businesses outside the IT sector have the resources to have such a "secure opt-in mailing list facility"? Only fairly recently the list software implemented such functions.
Outlook 2003. I've eliminated spam almost 100%
But what if one needs to access email outside the office? (home/on the road)?
At the moment, spamcop is struggling. The spoofed e-mail addresses are getting reported by those that don't understand what's going on and legitimate e-mail is getting blocked.
I have recently taken spamcop off my list of relays to check against.
By using a combination of mailwasher (checking third party relays and filters), bayesian filters and e-mail client filtering, we've just about eliminated all but a few spam messages and worms that hit the mailbox before they are distributed by our system (I think only one got through in the last three months).
One last point, whatver system you're using, don't respond or bounce any e-mails back to the spammer. It only proved you have a live address.
One last point, whatver system you're using, don't respond or bounce any e-mails back to the spammer. It only proved you have a live address.
I definitely agree with that!
And (previously) I would always add that your system should simply delete the spam. All of a sudden, however, I am wondering if messages determined to be spam shouldn't be forwarded on to maybe... my favorite senator.
"Dear Senator <your favorite senator>, I'm swamped with SPAM email. I am forwarding another one to you. PLEASE HELP! Please use your position to follow the money trail! Thank you!"
yeah - yeah - I know, what can one government do when it is a global issue. And people who do this will probably be the first ones actually convicted under the CAN-SPAM act. Just wishful thinking.
...spam shouldn't be forwarded on to maybe... my favorite senator.
I've done that. I usually forward my spam to uce@ftc.gov. The Federal Trade Commission actually requests that spam be forwarded to that address. It won't fill up anybodies in-box; I think it goes into a computer database for counting and analysis. (This is for US based readers).
One could "follow the money", ie go after the people who stand to gain by spamming activities. But how can you be SURE and PROVE they actually ordered the mass-mail? e.g. if tomorrow someone sends 40million email messages via 5000 different IPs-PCs scattered all over the world, advertising this site, can we be certain that the WW owner ordered it and not e.g. a competitor trying to damage his reputation?
It takes good, old fashioned, detective work. It is of no real use to track the e-mail; too much is from hi-jacked computers or people who change ISPs almost daily. However, if someone orders some "Viagra" or body part growth stuff, they have to enter a credit card number and the material is delivered (if it is delivered) through some means (typically not the post office to avoid Postal Inspector involvement.) Then the sender is tracked using credit card information and back tracing on the delivery. It takes work and money, but it can be done. Almost all the enforcement has been private civil actions.
For example, AOL has siezed an expensive sports car belonging to one spammer and will give it away on-line. They say that nothing scares the bad guys like the thought of losing their toys. Government law enforcement would work better because only the government agencies have subpoena, to obtain search warrents, wiretaps, etc. Some law enforcement agencies have sets of credit cards specifically used for investigations.
The U.S. Small Business Administration’s Office of Advocacy is looking out for the small businesses that do the spamming, however. They also took positions against junk fax regulations.(our tax dollars at work).
If the flow of money, typically though credit cards, to spammers is stopped, spammers can be stopped.
Thing of the past. Forced to eliminate the catchall. Had to set pop accounts for all users and eliminated about 20 email accounts and send everything else to dev null. Still, with all this we get nearly 1000 a day. A few years ago when we were only getting 50 or 60 a day we spent an hour or two a day tracking it and reporting it. Finally had to give up. Just got inundated. Now just run mailwasher and probably still spend an hour a day just deleting garbage. Hoping we didn't screw up and dump a good one by mistake.
And now, they don't seem to be satsified with this, they are starting to hit our bulletin boards. Tracking those IP's runs through a half dozen countries before it comes to a dead end. And even when you do track to a legitimate ISP, the bigger ones couldn't care less about bulletin boards. Don't even respond to the complaint.
This may be of some interest... [hostedscripts.com...]
No idea if it really works, but it's a shot. Interesting concept.
Funny you should mention that. Ever hear of ms's active sync? 1
1 it's a nightmare - me recommending a ms product!
A big advantage is that it sorts my mail into categories so I can just check the inboxes I am interested in at that time. All the dodgy stuff stays in the main inbox and I can check through it at my leisure. If I find something legit I create a new rule so next time it gets routed appropriately.
It works pretty well at the moment, but I only get a few hundred emails a day so I might have to go to something different if it increases.
