Connecticut and New York City based Web design Company specializing in web and graphic design, content management, flash animation, and e-commerce.

Business Edge News

What's fit to print in the world of Business Edge
Featured Case Study

Tremont Capital in Westchester NY
Tremont manages hedge fund products and multi-manager portfolios, and prides themselves on providing their clients with quality risk-adjusted returns on a consistent basis over the long-term. This type of service, while vertainly valuable and profitable, was inately difficult to put a branded "face" on. So Business Edge's team began work on trying to do just that.
Read Tremont Capital in Westchester NY Case Study

Protecting your company's email addresses from spammers

8/27/2003

Everyone is complaining about getting way too much spam these days, and it’s amazing to me how few people are looking at the true source of the problem. It’s just too easy for spammers to harvest and sell your email address. Without email harvesting, there would, of course, be no spam. There are some simple, and of course not so simple things you can do to prevent your company’s email addresses from being harvested, sold, and abused. Please read on.


How Harvesting works - how they get your email


There are 3 widely used methods for harvesting your email address.


1. From your web site. The spammer will run a relatively simple program that walks through the Internet and hits every page on your web site. Whenever it finds an email address, it scoops it up and continues on its merry way until its done with your web site - then it visits another site.


To battle this, a few companies have removed all their email addresses from their web site completely. Others will force a normal visitor to fill out a cumbersome web form in order to send you email, which is a royal pain. But for many companies, such as law firms who need to display their attorney's email address, or other service companies who want to be contacted easily, this is not a viable option.


There is also the problem of your email addresses appearing on other sites that do not offer your data any protection from spammers, such as the law firm directory www.martindale.com and other directory sites. Some of these sites actually charge you for displaying your email addresses, and then do nothing to stop spammers from harvesting them! The Martindale site is largely responsible for much of the email harvesting problems that plague law firms. For instance, if your law firm has 100 lawyers but only 20 of them are listed on their site, chances are that those lawyers will get substantially more spam than the lawyers that are NOT on this site.


There are some very effective methods of having an email address included on your web site without the spammers being able to read it using special encryption. We have a customized program that you can implement on your web site, so spammers cannot harvest emails from your site. Please call us for details.


2. The Domain Registration Database. The second most common email-harvesting source is the Network Solutions database. When you register a domain name through NS/Verisign, it requires that you enter an email address. The resulting database of domain administrators has been harvested and sold and abused perhaps more than any other list of email addresses on the Internet. So, if your email address is on a domain registration for your web site, you already know the wrath of the spammers. But again, there are things you can do to help. Read on.


3. Directory Harvest attacks. The Spammer’s latest tool is called a “Directory Harvest attack”. During a DHA, spammers attempt to deliver messages to multiple addresses, such as johndoe@yourcompany.com, jdoe@yourcompany.com, and john@yourcompany.com. Addresses that are not rejected by the receiving mail server are determined as valid. These addresses are compiled and sold to other spammers worldwide. Within hours, a brand new email box can be full of unsolicited, junk email. So if you have wondered why you get spam and your email address has never been listed on a web site, this could be why.


Once the spammers already have your email address


For years, the major ISP's and IT managers have been concentrating on how to stop the spammers after they already have your email address, with little or no success. It is much easier to “hide” your email address from the spammer’s harvesting tools, than it is to prevent spam from coming to your inbox once its already been harvested.


Since 80% of spam comes from overseas, this lack of success won’t be changing anytime soon, even if pending anti-spam legislation goes through. In other words, if you’re already getting spam at your current email address, be prepared for more. Spam blocking is clearly not working as well as we’d all like, so other options need to be looked at.


If your firm does not receive lots of spam yet, but you’re noticing an increase, you may want to consider taking some of the preventative actions mentioned below. If you are already getting lots of spam and it’s reaching a boiling point with your employees, it may be too late for preventative measures, so here is an idea worth looking into.


Find a small focus group of people who are fed up with the spam they receive, and are willing to change their email address. Even if it’s a slight change in the address name. They of course may need to send out an email to everyone who emails them regularly to notify of the change. The email administrator can also set up their current email address to not forward any email, but simply respond to the sender with the new email address, preferably encoded so the spam programs can’t pick it up. Once you have set up the new email address, follow the recommendations below to prevent future harvesting of that email address.


Follow this focus group carefully to see if they remain spam-free. Of course they will need to be educated to not submit their new “clean” email address to newsgroups and other common email traps. Once the determination is made that the new procedures are successful, more employees can join the focus group and, hopefully, stay spam-free.


How to prevent future harvesting of your email address


None of these solutions are particularly painful or expensive, and some may actually save you money. Reducing and/or eliminating spam is the long-term reward.



- Using a special email encryption process, the email links on your web site can be made safe from harvesting programs. However, encoding the email address can be quite time-consuming if your site has many email addresses, such as large law firms who have hundreds of attorney email addresses. If your law firm has a content management system, chances are Business Edge can implement the email fix relatively quickly. But, even smaller sites with just a handful of email addresses can be affected, and these companies should take steps to encrypt their email links as well.



- The Network Solutions domain administrator database is very easy to change. They will allow you to enter a dummy email address, something like novalidemail@yourdomain.com. Since most domain registry companies send you a renewal bill by snail mail, there’s no reason to have your company email address on this record, so remove it as soon as you can. You will not see an immediate decrease of spam for this email address right away, in fact it could take several years, as this database of emails has been sold and re-sold countless times for many years.



- For the IT people: If you are a larger company and have a lot of employees, you are a prime target of a DHA, mentioned above. One of the ways to protect yourself from this type of harvesting attack is to enable a feature called “tarpitting” on your email server. When “tarpitting” is active, the email server monitors any attempts to deliver messages to unknown users. If too many unsuccessful attempts are made by the same IP address, that address is blocked for a set amount of time. Ask your email administrator if this can be done.



- The email address naming standard that you use within your company is also a big factor, as its very easy for a spam harvester to figure out john@ibm.com but not so easy to figure out john.d.smith.sales101@ibm.com for instance. If you decide to create new email addresses or change your naming standard, choose one that easy to remember, and yet hard to automate.



- Find out what directory sites are displaying your email address. Give them a set amount of time to either remove them or encode them before you make any changes to your email system. If they don’t respond, have them remove your email addresses from their listings.



Available Products & Conclusion


You can buy all the spam-blocking programs in the world but their effectiveness will never be 100%, and many times they block valid customer emails. Therefore the best way to prevent spam in the long run is to protect your internal email addresses from being harvested in the first place.



Business Edge includes anti-harvesting techniques in their Content Management system for law firms, which protects firms from having their web sites attacked. Web Email encryption of the email addresses on your site can prevent future harvesting.


There is also a product from a company called Postini that will help in the DHA attacks, but it is expensive and only recommended for larger companies. If you depend entirely on spam-killer software, you’re treating the disease, rather than trying to prevent it from starting.



Back

 

 
Contact