Guidance for Users to Avoid Spam

Be sensible in how you give out your email address

  • Most people give out their email address where, for example, they would not give out their phone number – mostly due to the perception that email addresses are more ‘anonymous’ than home addresses or phone numbers.
  • Whilst this was the case many years ago, it is now possible to derive more information about a computer user than you might think from their email address, particularly if they own the domain as well.

Don’t place too much trust in address obfuscation.

  • Some users religiously write their addresses for public view as john dot doe at johndoemarketing dot com. However, some harvesting bots pick this up with ease as the software used to harvest email addresses is considerably more complex than it used to be.
  • Other variations of this technique include writing scripts (e.g. JavaScript) to “generate” an email address every time a web page carrying an email address loads (so it doesn’t exist explicitly in user@host form in the HTML code). However, some spambots can render the script output before scanning it and so they can read the email address.

When signing up for a service which asks for an email address, read the relevant part of the small print.

  • Some forms say “check this box to receive our newsletter” and others say “check this box to opt out of receiving our newsletter”.
  • Also be aware that ‘spam’ and ‘email you don’t want’ are not necessarily the same. It’s only really spam if you didn’t agree to receive it (either explicitly or implicitly).

Use a sacrificial email address for signing up to online services

  • If a sacrificial address starts to receive too much spam it can simply be swapped for a new one, which is not an option for your usual business address.
  • Some users have a different email address for every online service that they sign up to, so they can easily see which service distributes their details.

Keep your operating system and other software that you use up to date.

  • There are viruses and spyware that harvest email addresses from infected machines. So, in addition to up-to-date anti-virus filters, make sure you also have up-to-date adware/spyware detection.
  • Remember that if you have an infection on your computer, it is likely that spammers are using your computer to send their emails to other people. In other words, your PC is a zombie in a botnet.

Users who run their own mail servers should ensure that they aren’t acting as an open relay.

  • If in doubt, seek advice.
  • Don't forget to check for misconfigured routers and firewalls.

Consider using a form of spam detection which includes verification of SPF and/or DomainKeys Identified Mail (DKIM) records, particularly if the email appears to come from a critical source such as a financial institution.

  • It will help to detect and block phishing attacks.
  • If you own your own domain and advertise SPF records (or sign outgoing email using DomainKeys Identified Mail), it will help to prevent other people spoofing your address.
  • It is very easy to send an email and make it look like it came from somewhere else, so if you don’t have this level of filtering, don’t trust an email just because it appears to be from one of your friends.
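To show what the SPF part of such a filter actually decides, here is an added example (not code from the original article): a simplified SPF evaluator that checks a sending IP against a constructed `v=spf1` record. It evaluates only `ip4`, `ip6` and `all` terms; `include`, `a`, `mx` and friends need DNS lookups and are skipped here, and the record and addresses are made-up sample values.

```python
import ipaddress

# Constructed sample record for a hypothetical domain, not any real domain's SPF.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mail.example -all"

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip under record (offline: no DNS)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"            # not an SPF record at all
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"          # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed address/prefix in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists", "ptr") or "=" in term:
            continue             # needs DNS (or is a modifier); skipped in this example
        else:
            return "permerror"   # unknown mechanism
    return "neutral"             # nothing matched and no explicit "all"

def filter_action(spf_result: str) -> str:
    """Map an SPF result to what a user-facing spam filter would do with the message."""
    return {"pass": "deliver", "fail": "reject",
            "softfail": "quarantine"}.get(spf_result, "deliver-unauthenticated")

if __name__ == "__main__":
    for sender in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        result = evaluate_spf(SAMPLE_SPF, sender)
        print(sender, result, filter_action(result))
```

A message whose envelope sender claims to be from the domain but arrives from an IP outside the listed ranges gets `fail`, which is exactly the forged-bank-email case the filtering is meant to catch.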

Newsgroups have a particularly bad reputation for email address harvesting; this is because it is very quick and easy to get a list of email addresses from Usenet. Consider using a sacrificial/different email address when posting to newsgroups (e.g. using Google News).

Most people have some sort of an instinct about how legitimate online services appear to be. Don’t ignore this – it is very valuable.

  • If you have a ‘bad feeling’ about a site, or it doesn’t seem very professional, or there are too many grammatical or spelling mistakes, do not trust it.
  • However, note that phishers are becoming increasingly sophisticated in the graphic design of their email messages and web sites – it's easy to copy the design of a legitimate web site or transactional email.

Recognize social engineering techniques and don’t fall for them.

  • If someone asked for your bank account number or perhaps eBay password without a valid reason in person, you would be understandably suspicious. If you receive an email asking for personal details like that, and your instinct is to not trust the email, don’t.
  • In general, do not give out any personal details through email. Banks won’t ask you for passwords, account numbers or mothers’ maiden names by email. Bear in mind that giving out seemingly insignificant information, such as how long you have lived at home, could prove very useful to abusive users, particularly if they are trying to impersonate you.
  • Banks usually have advice explaining that emails asking for personal information apparently from them are hoaxes. Pay attention to this.

Be suspicious rather than trusting. Anyone offering an unbeatable or even unbelievable deal by email probably won’t be doing it for your benefit, however much it seems like it.

  • If you receive an email from someone you don’t know, claiming that you have a lot of money left to you by someone you’ve never heard of, it’s highly unlikely to be genuine.
  • Most people would not be fooled by this if it was verbal or through the post, so there’s no reason to be any more trusting because it is by email. If it seems too good to be true, it probably is.

Don’t ignore warning messages

  • If you go to https://online.banking and the web browser displays a warning message about the site appearing to be invalid (technically: the digital signer of the site’s certificate isn’t a trusted certification authority), don’t just click the OK button.
  • Genuine sites such as PayPal and banks have correctly signed certificates so if your web browser thinks it is not correctly signed, you’ll get a warning message – it's there for a reason.

To alleviate the concern over genuine email being classified as spam (false positives) consider using spam filters that provide some end user control

  • Some spam filters provide end user message reports that allow authorized end users to view what messages have been quarantined on their behalf and the reasons why. Messages can be released from quarantine by the end user, without the need for intervention by the IT support team.
  • Similarly, users should be able to include and manage their own personal white- and black-lists in addition to corporate lists. This would enable spam-like newsletters that a user wants to be delivered, even though many others would perceive this to be unwanted email.

... David Ferris, with thanks to Black Spider's Emma Dunstone
