E-Mail Address Security: Day 4
This blog is brought to you by SpamStopsHere, an e-mail security company.
This week I’m covering the most important things you can do to keep spammers from finding the valid e-mail addresses at your organization, a practice known as e-mail address harvesting. Ideally these measures are put in place at the same time your organization gets on the Internet and starts using e-mail, which gives you the best chance of never having a spam problem at all. It is never too late to start, though: every address that stays unharvested keeps the problem from getting worse.
Countermeasures for e-mail address harvesting methods used by spammers
In day three of this series of articles, I discussed several methods that spammers use to gather e-mail addresses for their mailing lists, also known as e-mail address harvesting. Today, I’m going to cover countermeasures for most of these methods.
Protecting Whois information
To keep spammers from pulling your e-mail address out of the public whois database, which lists registrant contact information for every domain name, use your registrar’s domain privacy service to hide it. These services usually cost extra, and they come with a trade-off: the same veil of anonymity can stop someone from contacting you legitimately about your domain, and because many people use such services to hide their identity rather than just to stop spam, it can make a business look less trustworthy.
Publishing e-mail addresses on the web
To keep spammers from scraping your web site for e-mail addresses, do not list any address in plain text; harvesters use automated text parsers (typically a regular expression that matches anything shaped like user@domain) to pull addresses out of the page source. The simplest countermeasure is to publish the address as an image. Two caveats: the address must not then appear in the image’s alt text or title attribute, which a scraper reads just as easily as body text, and for visually impaired visitors you may need to make it available in another form, such as audio.
Another method uses JavaScript, a scripting language that runs in most web browsers. The most common approach garbles the e-mail address in the page source and has the browser run a small script that ungarbles it when the page loads. For most users this is the most transparent method, because nearly every browser runs the script without any visible difference: the visitor sees the address in plain text, and any mailto link still works, opening the visitor’s e-mail client when clicked. However, this is an even bigger accessibility issue than an image, because visitors without JavaScript, and many screen readers used by visually impaired visitors, never get the ungarbled address. Combined with an audio cue, it may still be the best method for actually publishing your address on your site.
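The garble-and-ungarble approach described above, as an added example that is not code from the original post. The transform (reverse the string, XOR each character code with a one-byte key, write two hex digits per character), the `KEY` value, and the `span.obf[data-token]` markup are assumptions chosen for this example; any reversible transform works, because the only goal is that the address never appears literally in the page source.

```javascript
'use strict';
// Added example, not code from the original post: garble an e-mail address so
// it never appears literally in the page source, and let the browser ungarble
// it into a working mailto: link when the page loads. The transform (reverse
// the string, XOR each character code with KEY, emit two hex digits per
// character) is an assumption chosen for this example; any reversible
// transform works, since the goal is only to defeat plain-text scrapers.

const KEY = 0x5a; // arbitrary one-byte key shared by encoder and decoder (assumed)

// Build step or server side: produce the token that is placed in the HTML.
// Assumes an ASCII address, so every character code fits in one byte.
function encodeAddress(address, key = KEY) {
  return Array.from(address)
    .reverse()
    .map(ch => (ch.charCodeAt(0) ^ key).toString(16).padStart(2, '0'))
    .join('');
}

// Browser side: undo the transform. The token is hex only, so it needs no
// HTML escaping when written into an attribute.
function decodeAddress(token, key = KEY) {
  const chars = [];
  for (let i = 0; i + 1 < token.length; i += 2) {
    chars.push(String.fromCharCode(parseInt(token.slice(i, i + 2), 16) ^ key));
  }
  return chars.reverse().join('');
}

// Create the link through DOM APIs rather than innerHTML so that the decoded
// value is treated as text, never as markup.
function buildMailtoLink(token, doc) {
  const address = decodeAddress(token);
  const a = doc.createElement('a');
  a.href = 'mailto:' + address;
  a.textContent = address;
  return a;
}

// Markup the page would carry (constructed for this example):
//   <span class="obf" data-token="...">(enable JavaScript to see the address)</span>
// The fallback text is all that visitors without JavaScript, and many screen
// readers, ever see; that is the accessibility cost described in the text.
function revealAll(doc) {
  let replaced = 0;
  for (const span of doc.querySelectorAll('span.obf[data-token]')) {
    span.replaceWith(buildMailtoLink(span.dataset.token, doc));
    replaced += 1;
  }
  return replaced;
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => revealAll(document));
}

// Stand-alone run under Node shows the token that would go into the HTML.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const token = encodeAddress('info@example.com');
  console.log('token in page source:', token);
  console.log('decoded in browser  :', decodeAddress(token));
}
```

The encoder runs once when the page is generated; only `decodeAddress`, `buildMailtoLink` and `revealAll` ship to the browser. Note the limit of the technique: it defeats scrapers that regex the raw HTML, but a harvester that renders the page in a real browser engine sees the decoded address like any other visitor.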
If you don’t want to publish your e-mail address at all
If you simply want people to have a way to contact you from your web site without publishing an address, the best method is a contact form. Make sure the destination e-mail address is not in a hidden form field, where any bot can read it, but in the CGI application that e-mails the form contents to you. Many organizations add a CAPTCHA to their contact form, a reverse Turing test meant to stop automated submissions, such as requiring the submitter to type the characters shown in a distorted image.
However, many CAPTCHAs are not accessible to the visually impaired either and may require a secondary method such as an audio version. Non-visual tests exist, such as simple puzzles, although CAPTCHA purists say these aren’t true Turing tests because they are not algorithmically generated and can be passed by current artificial intelligence. Such tests ask the person filling out the form a single simple math question, such as the sum of two plus two, or a kindergarten-level question such as what color the sky is, the latter being open to interpretation of course. Any of these tests makes the user jump through an obvious hoop to contact you, and may discourage contact altogether.
I feel the best and simplest way to stop automated form submissions, which are usually spam, is a two-page contact form that validates the form fields. No obvious test is needed, so the user never feels they are jumping through hoops to contact you. Contact forms are recommended for personal web sites as well.
Don’t give your e-mail address away
To avoid typing your e-mail address into traps that spammers set up, such as web sites offering something of perceived value in exchange for your address, simply exercise discretion, as covered in the second article in this series. When you do need to provide an address, use a disposable, unique one as described in the first article.
Stopping directory harvesting
Spammers also guess valid addresses directly, either by a general brute-force attack that sends e-mail to every possible address at your domain or by a more targeted dictionary attack that sends to common names at your domain. A couple of countermeasures exist. Some e-mail servers can be configured to start dropping connections from an Internet address once that address has tried to deliver to too many invalid recipients. This is somewhat useful, but it can block legitimate senders, including your own anti-spam service if you’re not careful. Dropped connections also leave the message sitting in the sender’s outgoing queue being retried, since nothing told the sender to give up. And if the sender has more than one Internet address, as many spammers do, the mail simply arrives from another one. You may be able to keep blocking each new address, but some spammers control armies of compromised computers with thousands of Internet addresses at their disposal.
Another countermeasure against brute-force guessing exploits the fact that these probes often arrive as a single message addressed to ten or so addresses at your domain. If more than one of the addresses (or any configurable number) is invalid, instead of rejecting only the invalid ones you reject the message for all of them. With that rule the spammer must already know that at least nine of the ten addresses are valid before the server will confirm a single one. Because the message is rejected with a permanent error rather than dropped, the sender discards it instead of retrying it from the outgoing queue. SpamStopsHere uses this type of directory harvesting protection.
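Both countermeasures from the two paragraphs above, combined in one guard, as an added example and not SpamStopsHere’s code: a per-client counter that refuses connections from an Internet address once it has named too many unknown recipients inside a time window, and a per-message rule that refuses every recipient with a permanent 550 when a single message names more than a configured number of unknown addresses. The directory, the thresholds, the SMTP reply texts and the sample client addresses are constructed for this example, and the design assumes a gateway that can see the whole recipient list before it answers (at the end of the RCPT phase, before DATA), which is what lets it answer the valid recipients and the unknown ones in the same way.

```javascript
'use strict';
// Added example, not SpamStopsHere's code: a directory-harvest guard.
//  1. Per client: a host that names more than MAX_INVALID_PER_CLIENT unknown
//     recipients inside WINDOW_MS is refused at connect time.
//  2. Per message: when one message names more than MAX_INVALID_PER_MESSAGE
//     unknown recipients, every recipient gets the same permanent 550, valid
//     ones included, so the sender learns nothing and will not retry.
// Directory, thresholds, reply texts and sample addresses are constructed.

const VALID_ADDRESSES = new Set([
  'alice@example.com',
  'bob@example.com',
  'sales@example.com',
]);

const MAX_INVALID_PER_MESSAGE = 1;   // more than this -> reject the whole message
const MAX_INVALID_PER_CLIENT = 5;    // more than this inside WINDOW_MS -> refuse connections
const WINDOW_MS = 10 * 60 * 1000;

class DirectoryHarvestGuard {
  constructor(directory = VALID_ADDRESSES) {
    this.directory = directory;
    this.invalidByClient = new Map(); // client IP -> timestamps of unknown recipients
  }

  // Forget hits that fell out of the window and return the live count.
  invalidCount(ip, now) {
    const kept = (this.invalidByClient.get(ip) || []).filter(t => now - t <= WINDOW_MS);
    this.invalidByClient.set(ip, kept);
    return kept.length;
  }

  // Called on TCP connect: returns the banner, or a 554 refusal.
  connect(ip, now = Date.now()) {
    if (this.invalidCount(ip, now) > MAX_INVALID_PER_CLIENT) {
      return { accept: false, reply: '554 5.7.1 Too many unknown recipients from this host' };
    }
    return { accept: true, reply: '220 mail.example.com ESMTP' };
  }

  // Evaluate the complete recipient list of one message. Returns the reply
  // for each recipient plus an overall verdict.
  evaluateMessage(ip, recipients, now = Date.now()) {
    const isKnown = r => this.directory.has(r.toLowerCase());
    const unknown = recipients.filter(r => !isKnown(r));

    // Every unknown recipient counts against the client, whatever the verdict.
    const hits = this.invalidByClient.get(ip) || [];
    unknown.forEach(() => hits.push(now));
    this.invalidByClient.set(ip, hits);

    if (unknown.length > MAX_INVALID_PER_MESSAGE) {
      // Same permanent reply for every address: the valid ones are not confirmed.
      const reply = '550 5.1.1 Too many unknown recipients; message refused';
      return { verdict: 'reject-all', unknown: unknown.length, replies: recipients.map(r => [r, reply]) };
    }
    // Under the threshold: ordinary behaviour, so a legitimate typo still bounces.
    const replies = recipients.map(r => [r, isKnown(r) ? '250 2.1.5 OK' : '550 5.1.1 No such user']);
    return { verdict: unknown.length ? 'partial' : 'accept', unknown: unknown.length, replies };
  }
}

// Stand-alone run: a harvesting probe, then the same host after it exceeds the limit.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const guard = new DirectoryHarvestGuard();
  const probe = ['alice@example.com', 'aaron@example.com', 'abby@example.com', 'adam@example.com'];
  console.log(guard.evaluateMessage('203.0.113.5', probe));
  console.log(guard.evaluateMessage('203.0.113.5', ['amy@example.com', 'andy@example.com', 'anna@example.com']));
  console.log(guard.connect('203.0.113.5'));
}
```

With `MAX_INVALID_PER_MESSAGE` at 1, a probe that names one real user among four guesses gets four identical 550s and learns nothing, while a colleague who mistypes one of two addresses still gets the normal per-recipient bounce. The per-message 550 is the reply that reliably makes the sending server discard the message; how a sender treats a refused greeting from `connect` varies by mail software, which is exactly the retry problem the text describes for the connection-dropping approach.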
Tomorrow, I will be summarizing this week’s information and discussing some things not to try.