How to Avoid Spam
Posted on 12.11.05 by Admin @ 7:22 pm

Ask anyone who has spent any considerable time online if they would like to avoid receiving any Unsolicited Commercial Email, aka "Spam" and they will all say the same thing: "Yes"! Spammers will do anything and everything they can to get fresh addresses to send their junk email to. Their thinking is simple, and it is proven to be correct: If they can send enough email to enough people, it stands to reason that at least some of the recipients will actually purchase their products.

The fact that this works is well established. The power of Direct Mail was proven long before the Internet as we know it was even around. The principle is that all you need to do is get the advertisement in front of the potential buyer at his or her time of need and you increase your chances of a sale exponentially. If you sell home improvement products and you are able to get your advertisement in front of new homeowners, you automatically stand a greater return on your efforts than, say, a regular newspaper ad.

Spam works on this same principle, but with one very important exception: Spammers do not pay for postage, envelopes, or paper for their direct mail. Anyone with a computer and access to the Internet can start a direct spam email advertising campaign. If they know what they are doing, they can send spam to tens of thousands of people a day. Sending out ten thousand pieces of junk snail mail will cost $3400. Sending out ten thousand spam emails is free. Return on investment, at least in terms of the advertising of their product, is easy to see. Enough about why people spam; let's get into how they get your email address.

Spammers get your email address in one of three ways:

Dictionary Attacks

Some spammers have programs that will automatically generate generic usernames and append them to (mostly) the largest domain names out there, such as AOL, MSN, Yahoo, Earthlink, and so forth. Commonly referred to as a Dictionary Attack, the program is made to generate common words and combinations of these words with numbers and letters. Dodging these kinds of spam emails can be simple: At the sysadmin level, the mail server can be set up to bounce all email to nonexistent addresses. For personal email addresses, the best method to avoid this type of spam generation is to own your own domain name, and to use a screen name that does not involve your actual name or common words. Unfortunately for those using their work email, most companies require the use of your name in some way, and so this might not be entirely possible.

Buying Lists

A growing number of spammers are now actually buying their addresses from other people. These addresses are gathered by a few methods, and once harvested, the lists sell for a lot of money, because the addresses are often found to be valid and are therefore more valuable than randomly generated addresses. Some of these addresses are harvested from user registrations on websites. For instance, if you register your software, register for newsletters, or even put your resume online, you may find yourself receiving spam because of it. Often, these registration forms will contain a question such as "Would you like to receive offers from some of our partners?". You should always answer "NO" to this question! If you do not, you will fall victim to someone selling your address to other people. Mailing list sales are often a very lucrative form of additional income for companies who have a lot of people signing up for things. Once you have been signed up onto one mailing list, your name can likely be sold over and over to different people.

Additionally, you will likely find yourself entered into a "found valid" email list anytime you click on the "Click here to remove" link found at the bottom of most spam emails. Despite the fact that law supposedly requires these removal links, it is common knowledge that these links are often nothing more than links that identify yours as a working address. The removal URL often contains the corresponding ID for your address in the spam database. Clicking the link moves you from "unconfirmed" to "confirmed" status and you can now be added to the list of valid emails for sale and for more spam from that particular spammer as well.

Again, the solutions for this problem are quite simple, really. Never sign up for anything online using your primary email address. Personally, I have a small handful of free email accounts I have signed up for with Yahoo and Hotmail. Anytime I sign an online form, I use one of those free email accounts, so that if the registration requires some form of active confirmation on my part, I can do so. I check those accounts once a month and in a year of doing this, I have never received anything but spam to those addresses. Spam that I know would be littering my primary address. The second way to avoid having your address sold to others is to never click any sort of "Remove" link. Do not reply to the spam email and do not click removal links.

Email Harvesting

In addition to the random username method of generating fresh email addresses, some spammers hungry for fresh addresses will employ small programs known as "bots" which automatically crawl from page to page looking for email addresses. These spambots will spider the page for an anchor tag with the mailto: scheme. The bot will then harvest whatever is in that particular link tag and automatically enter it into the spam database. It may also automatically send the actual spam email at the same time. This takes shameful advantage of those who put their email address on their website so people can contact them for legitimate reasons.

The problem with obfuscating email addresses:

Many methods have been created by people wanting to obfuscate their email address so that they can fool the bots into thinking the link is not an email address. These methods often revolve around generating the address with JavaScript and using a document.write to write the address to the page with either regular text in a mailto: link or writing the entire link in an encoded form such as HTML Entities, ASCII text, or hex code. Other methods involve the same type of obfuscation, but without JavaScript. A good description of these methods can be found at http://www.u.arizona.edu/~trw/spam/index.htm. Five methods are listed, but at the time of this writing, one is broken. I will describe them here.

1. The first method "converts your email address into a seemingly random string of characters using a simple substitution cipher. The link will then be decoded by the script into your correct address."
2. The second method "takes your e-mail address and converts it into the ISO-Latin-1 character code for each character. It then makes a big array of those codes. Which then get written into your document using the document.write method"
3. The third method "takes your e-mail address and converts it into the hex code for each character. It then creates a mailto: tag composed of these codes."
4. The fourth method simply uses JavaScript to write the email address to the page.

Using a freeware program called EFGrabber, which I will not provide a link for because I do not want to empower any spammers, I tested the above methods. All but one of these methods failed. The third method above, the obfuscation of the email address into hex code, worked against EFGrabber, but nonetheless shares the same weakness as the other methods.

The reasoning behind this is extremely simple. If it can be encoded, it can be decoded. Writing an email harvesting program like EFGrabber is extremely simple, and the code to harvest the address is amazingly easy. You create the program to do the following things:

1. Search the page for the "a href" tag
2. Ignore all "a href" tags that do not have the "mailto:" scheme
3. Loop through each relevant tag to determine whether the contents are regular text or obfuscated by one of the above methods.
   1. If the email address is NOT obfuscated, enter it into the spam database
   2. If it IS obfuscated, detect the method of obfuscation and decode the address with the appropriate method
4. Enter the address into the spam database.

Worth mentioning here is something that anyone attempting to devise or use such a method should understand as the basis of what we are talking about here. Whether your address is written to the browser as some long hex code representation or "mail@domain.com" does not matter. We are talking about characters of text, which are ultimately interpreted by the browser or its plugins. The harsh reality is that most (if not all) major programming languages have built-in functions to encode-decode these characters, and the loop described above would only involve about a dozen lines of code. Entering the address into the database involves more coding than the detection and decoding of the address.
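
The point that anything a browser can decode a script can decode too, turned into a check you can run on your own pages before publishing (an added example, not part of the original article): it decodes HTML character references and percent-encoded hex in `mailto:` links and reports every address recoverable from static markup. The function name and sample page are constructed for illustration; addresses written by JavaScript at runtime are outside what it checks.

```python
import html
import re
from urllib.parse import unquote

# Matches the href value of anchor tags; the value may be single- or double-quoted.
HREF_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1', re.I | re.S)
ADDRESS_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


def exposed_addresses(page_html):
    """Return (address, how_it_was_written) for every mailto: link whose
    target is recoverable from static markup with standard decoders."""
    findings = []
    for _quote, raw in HREF_RE.findall(page_html):
        # Undo HTML character references (&#109; / &#x6d;) first, then
        # percent-encoding (%6d), the same order a browser applies.
        decoded = unquote(html.unescape(raw)).strip()
        if not decoded.lower().startswith("mailto:"):
            continue
        # Drop any ?subject=... query part that follows the address.
        address = decoded[len("mailto:"):].split("?", 1)[0].strip()
        if not ADDRESS_RE.match(address):
            continue
        style = "plain" if address in raw else "encoded"
        findings.append((address, style))
    return findings


# Constructed sample page; the addresses are placeholders.
SAMPLE_PAGE = """
<a href="mailto:sales@example.com">Sales</a>
<a href="&#109;&#97;&#105;&#108;&#116;&#111;&#58;info&#64;example.com">Info</a>
<a href="mailto:%73%75%70%70%6f%72%74%40example.com?subject=Hi">Support</a>
<a href="/contact.php">Contact form</a>
"""

if __name__ == "__main__":
    for address, style in exposed_addresses(SAMPLE_PAGE):
        print(f"{style:8} {address}")
```

An empty result is what a page should produce once its address links have been replaced by a link to a contact form.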

Avoiding The Spam

So now the wind has been taken out of your sails and you are wondering exactly why you should bother hiding from spammers? Most of what I have described above is nothing more than hypothetical for the reason that email harvesters have no need to spend time trying to overcome obfuscated email addresses. There are just so many out there that are not munged. Still, I chose to present my findings above merely to show that, if they wanted to, spammers could still get any address that can be interpreted by the browser. All indications are that spam bots do not have any built-in JavaScript interpreters. In the end though, hiding your address from spammers is amazingly easy and does not involve any silly obfuscation methods that add 100 lines to your webpage just to present an email address.

Ditch The Current Address

If you are currently receiving spam, you might as well dump your current address. Just email your friends, family, and associates and inform them of the change and then dump the account. Once you are found valid by spammers, you will not stop the flood of spam. Like I said above, they make additional money by selling your address to other spammers.

Ditch The Free Mail Account

Do not use free email services such as Yahoo or Hotmail as your primary email account. Despite their well publicized lawsuits against spammers, many people allege that these services sell their customer lists to third-parties. These lists can therefore be resold. Whether or not this is the case, they are still frequent recipients of dictionary spam attacks. Still, no matter what domain your address is with, avoid using common words and/or names for your screen name.

Watch what you sign up for

Do not list your primary email address when you sign any online forms. Also, make sure you do not check "yes" on any questions about your willingness to receive third-party offers. Instead, use a garbage email address and always select "No" on whether you want to be on mailing lists.

Stop confirming that you're out there to receive their junk

Do not click any "Remove" links at the bottom of the spam email that does happen to find you. Doing so will not stop spam but rather open you up to more spam.

Don't publish your address

Do not place any links to your email address on any websites. I have saved this for last, because this is the final bastion against spam and probably very troubling for people with commercial websites. After all, your email address is there so people can contact you! In the world of sales, it is important to ensure that your customers (aka "Sales Leads") can get in touch with you as easily as possible. Common practice is to provide an email link on every page. Salespeople know that this is very important. No matter how much information you put on your site, customers will undoubtedly have more questions, and you must make sure you are easy to contact. Yet studies show that the most common addresses to receive spam are ones that are placed on a web page.

To avoid this type of spam, all you need to do is place a contact page on the site, and change those email address links on each page to a link to the contact form. Then, create a basic form so that users can go to it, enter their message, hit "Send" and email their message to you.

There are a few small but important considerations with this method that will help eliminate spam. First, do not use "mailto:" in your action attribute for the form. Instead, use a server-side script to process the form entry. These scripts can be easily written in PHP, ASP, or Perl. Free scripts, already written, can be found on any of the many free script libraries on the Internet. Be careful NOT to use the popular formmail script, which many regard as insecure and which can be used to send out spam. Second, ensure that the recipient email address (yours) is not set as a hidden field in the form. Instead, this should be contained in the script that processes email.
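
One way to write the server-side handler described above, as an added example rather than code from the original article: the recipient is a constant in the script, any recipient-like form field is ignored, and fields that end up in mail headers are rejected if they contain line breaks. It is written in Python rather than the PHP, ASP, or Perl the article names; the addresses, field names, and function name are assumptions, and handing the message to the server's mailer is left out.

```python
import re
from email.message import EmailMessage

# Fixed on the server and never read from the form (placeholder values).
RECIPIENT = "owner@example.com"
SITE_SENDER = "webform@example.com"

CRLF_RE = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+$")


class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail."""


def build_contact_message(form):
    """Turn submitted form fields (a dict) into a message for the site owner."""
    name = form.get("name", "").strip()
    reply_to = form.get("email", "").strip()
    subject = form.get("subject", "").strip() or "(no subject)"
    body = form.get("message", "").strip()

    # Single-line fields end up in headers. A line break there would add
    # headers the visitor chose, so refuse the submission outright.
    for label, value in (("name", name), ("email", reply_to), ("subject", subject)):
        if CRLF_RE.search(value):
            raise RejectedSubmission(f"line break in {label}")
    if not EMAIL_RE.match(reply_to):
        raise RejectedSubmission("invalid reply address")
    if not body:
        raise RejectedSubmission("empty message")

    msg = EmailMessage()
    msg["To"] = RECIPIENT        # form fields such as "recipient" or "to" are never read
    msg["From"] = SITE_SENDER    # the site's own address, not the visitor's
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"[Contact form] {subject[:120]}"
    msg.set_content(f"From: {name or 'anonymous'} <{reply_to}>\n\n{body}")
    return msg
```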

The ultimate goal

Unsolicited commercial email is a plague upon the entire connected world. It robs bandwidth from legitimate traffic. It also requires additional server resources and personnel resources to deal with. Moreover, pornographic spam is an increasing problem. It can often be offensive and businesses can run the risk of sexual harassment lawsuits if they do not take steps to eliminate the possibility of pornographic spam reaching their email boxes.

While many states are enacting laws that make UCE illegal, there has yet to be a well established precedent of multiple successful lawsuits by individual recipients of spam. In truth, it is just so easy, cheap, and lucrative for spammers that no matter what laws are enacted in the United States, spammers are increasingly using foreign mailservers and ISPs to send their spam, therefore complicating the ability to find them and ultimately hold the appropriate people responsible.

What ultimately matters most is avoiding the spam in the first place. By diligently applying the above mentioned practices, your own amount of spam should diminish greatly. Many software products and online services exist to help to further eliminate your chances of receiving spam email. Depending upon the importance you place on eliminating spam and your existing amount of received UCE, these products and services may warrant a closer look. For everyday Internet users and those who create and maintain their own sites, the above methods should do the trick. More information regarding spam can be found in my links section, including links to spam laws, notorious spammers, and spam fighting tools.

This article is free for distribution provided the user gives a link to http://www.karlcore.com on their site.


Filed under: News