It’s easy to fool e-mail harvesting software, even though the primary source for spammers’ e-mail lists are e-mail addresses listed on public Web sites, according to a six-month experiment from the Center for Democracy and Technology (CDT).
The Center set up about 250 dummy e-mail addresses, and during the six-month test those addresses received a combined 8,842 e-mail messages that Center researchers classified as unsolicited e-mail, which is commonly known as spam. But about 97 per cent of that spam – 8,609 e-mail messages – were received by six e-mail addresses listed at three Web sites: GetNetWise.org, ConsumerPrivacyGuide.org, and CDT.org.
Usenet newsgroup postings were the second-largest source of spam, but e-mail addresses registered at e-commerce sites, posted to online discussions on Web sites, or listed as the contact for domains in the WHOIS database generated little spam, according to the study released Wednesday, titled Why am I getting all this spam?
Addresses on those three sites disguised by simply replacing the @ system with “at” or coding the addresses in HTML instead of in regular text received no spam at all during the six months. And the spam fell off significantly on three addresses that were removed from public view two weeks into the Center’s test. For example, an e-mail address listed on GetNetWise.org for the full six months received 6,035 pieces of spam, but an address removed after two weeks received only 894 pieces of spam during the length of the study.
“The shelf life of an e-mail address when it’s pulled off the Web is fairly short,” noted Rob Courtney, a policy analyst with CDT.
To test spam from Usenet, CDT used dummy addresses to post to 13 newsgroups, ranging from alt.sex.erotica to alt.kids-talk, and 85 per cent of those addresses received spam. But those addresses only received 110 pieces of spam over six months, and disguised e-mail addresses received no spam.
One piece of good news was that CDT received little spam from 31 top-trafficked e-commerce Web sites, Courtney said. In every case in which CDT registered at a Web site and asked not to receive commercial e-mail, its wishes were respected.
“We certainly found that for the most part, when Web sites did offer privacy policies and choices, that meant something,” Courtney said.
CDT also used other dummy addresses to opt in to commercial e-mail and later opt out. At five sites, CDT continued to receive commercial e-mail – a total of 82 pieces – after a two-week grace period it gave Web site operators another two weeks to shut off the e-mail spigot.
Twenty-six of those 82 spam messages came from Priceline.com, but a spokesperson there said the Web site uses a third-party, “off-the-shelf” opt-out solution that several other companies use. “If it happened to us, it’d strike me that a lot of other companies would have the same problem,” the spokesman said.
The spokesperson said Priceline.com would examine the CDT study further to understand what happened. “The last thing we want to do is spam people,” he said. “Our policy is if somebody wants to opt out, we let them opt out.”
CDT received only 15 pieces of spam from posting to discussion forums at 10 Web sites, including Monster.com, eBay.com, and Amazon.com Inc. All 15 came from an e-mail address that posted to InteliHealth.com. CDT received just one piece of spam from e-mail addresses entered in the WHOIS database.
However, separate from the more than 8,800 pieces of spam generated in the study, a “brute force” attack on a CDT server generated more than 8,500 pieces of spam in the middle of the study. In a brute force attack, the attacker tries many different letter combinations to try to guess active e-mail addresses. Short e-mail addresses, such as bob@something.com, were more likely to get spam from brute force attacks than longer addresses, the CDT noted.
“Even a user who’s really careful about where they give their address would still get spam from attacks like this,” Courtney said. “No matter what precautions the user will take, there’s still a chance they will get spam.”