31st
Mar '08

E-mail address security: Day 1

Click here to read more about SpamStopsHere, the e-mail security company that brings you this blog.

This week, I’m going to cover the most important things that you can do to prevent spammers from finding the valid e-mail addresses at your organization, a practice known as e-mail address harvesting. Ideally, these measures are implemented as soon as your organization gets on the Internet and starts using e-mail, which gives you the best chance of never having a spam problem at all. However, it’s never too late to start, in order to prevent your spam problem from getting worse.

A Unique e-mail address for each contact

One tactic that is very useful in controlling your spam exposure is using unique disposable e-mail addresses. Instead of giving your actual e-mail address out, you can create an e-mail alias for each person that needs to contact you by e-mail.

For example, if your e-mail address is doej@example.com, and you need to provide an e-mail address when placing an order online with Acme, quickly make an address just for that purpose, such as acme4921@example.com. Make this address an e-mail alias that forwards e-mail to doej@example.com, and not its own inbox. The name should clearly indicate to you that you created this e-mail alias for Acme.

After doing this, if you start getting spam sent to acme4921@example.com, you’ll know that either Acme is sending you the spam, Acme sold your e-mail address, Acme had a security problem and your e-mail address was stolen, or your own computer’s security was compromised. This tactic was used by TD Ameritrade users to identify a security breach in 2007, when the users started getting spam sent to the unique e-mail addresses that they provided to the brokerage.

In my experience, when contacting companies about receiving spam to the unique e-mail address that you gave them, one of the first excuses you will hear is that the spammers probably guessed the e-mail address. The random digits after the company’s name in the e-mail alias are to help when arguing your case against that possibility. The second excuse you will hear is that you had a security leak on your own computer, which is a possibility that you will want to investigate before pointing a finger. If you start getting spam to multiple unique e-mail addresses at once, you may have a security problem on your end. Ultimately, you will find that if the company had a security breach or sold your e-mail address, it’s likely that the company is unscrupulous enough or not security conscious enough to take your report seriously, but I urge you to report it anyway. This can be a very serious matter, especially if you provided personal or financial information to the company.

Using unique disposable e-mail addresses is also useful for detecting phishing scams, where a criminal third party contacts you about your Acme account, pretending to be Acme in order to get account or other personal information from you. If you get e-mail about your Acme account to doej@example.com, it should seem even more suspicious than a phishing scam would normally be, because it wasn’t sent to the unique e-mail address that Acme uses to contact you.

Finally, if you are unable to get control over the spam sent to acme4921@example.com, you can delete the e-mail alias, taking advantage of its disposability. You can then choose whether you want to create a new alias for Acme to contact you at and provide them with the new address, or simply stop trusting that company with your e-mail address or other private data.

You will only be able to use this anti-spam method if your organization has its own domain name, such as example.com, and it will only be feasible if you are able to make e-mail aliases for your account when needed. Additionally, providing a unique e-mail address to everyone, even your mother, can get tedious. This can be especially annoying when you’re on the phone with a new vendor and you’re asked for your e-mail address. Not only did you not have time to create one beforehand, but when you tell Jane from Acme that your e-mail address is acme4921@example.com, she may find it a little odd that her company’s name is in your e-mail address. You also may need to settle on an e-mail address for a business card. However, the benefits of using unique disposable e-mail addresses are worthwhile if implementation is possible.

Don’t forget, when using this method no one should actually have your doej@example.com address, because if you start getting spam to it, you’ll need to change it as well.
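
The alias scheme described in this post, as an added example that is not from the original post or from SpamStopsHere: it creates a per-contact alias with random digits, emits a forwarding line, and applies the post's checks (spam to one alias, spam to several aliases at once, and mail about a contact arriving at the real inbox). The function names, the message tuple format and the plain "alias destination" line are assumptions made for illustration.

```python
import secrets

DOMAIN = "example.com"        # domain used in the article
INBOX = "doej@example.com"    # real inbox; per the article, never handed out

def make_alias(contact, registry, digits=4):
    """Create <contact><random digits>@DOMAIN and record who it was given to."""
    while True:
        suffix = "".join(secrets.choice("0123456789") for _ in range(digits))
        alias = f"{contact.lower()}{suffix}@{DOMAIN}"
        if alias not in registry:          # never hand out the same address twice
            registry[alias] = contact.lower()
            return alias

def forwarding_entry(alias):
    """'alias destination' line: the alias forwards and has no inbox of its own."""
    return f"{alias} {INBOX}"

def review(messages, registry):
    """messages: (recipient, claimed_contact, is_spam) tuples (hypothetical format)."""
    findings, spammed = [], set()
    for rcpt, claimed, is_spam in messages:
        owner = registry.get(rcpt)
        if rcpt == INBOX and claimed in registry.values():
            # A contact that was given an alias should never write to the inbox.
            findings.append(f"possible phishing: '{claimed}' mail sent to {INBOX}")
        elif rcpt == INBOX and is_spam:
            findings.append(f"{INBOX} is exposed: change it")
        elif owner and is_spam:
            spammed.add(owner)
    if len(spammed) > 1:
        # Several unique addresses hit at once points at your own end.
        findings.append("several aliases hit: check your own machine first")
    for owner in sorted(spammed):
        findings.append(f"alias given to '{owner}' is receiving spam")
    return findings

if __name__ == "__main__":
    reg = {}
    acme = make_alias("Acme", reg)
    print(forwarding_entry(acme))
    sample = [(acme, "unknown", True), (INBOX, "acme", False)]  # constructed input
    for line in review(sample, reg):
        print(line)
```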

Tomorrow, I’ll be covering the most basic principle in e-mail security, discretion.
