How long does it take a fresh new e-mail address to get spam? We decided to find out by creating a fictitious new Salon staffer, Wallis Sanford (a nod, of course, to the once notorious Spam King Sanford Wallace). We wanted our new “junior staff writer” to live life dangerously on the Web and see how quickly he fell victim to spammers. So we set him up with new accounts on America Online and Hotmail. We also set up a Geocities home page, posted a question on Usenet, and put him on the Salon masthead — in each case, listing a separate Salon e-mail address set up expressly to collect spam. Then we sat back and waited to see which of the five lures would get the first bite.
It didn’t take long for an e-mail address to get hit on by a bulk e-mailer. After four days, an unsolicited commercial e-mail made its way to the address listed on the masthead. The message touted “the all new exclusive Y2K highly targeted e-mail address CD volume #7!” And to make doubly sure that Wallis didn’t miss his chance to buy one of the 27 remaining CDs, the spammer sent two copies of the same e-mail. We got spam!
But after four weeks, Wallis had received a mere 20 pieces of spam (along with 10 pitches from observant public relations representatives) at the address listed on the masthead. Surprisingly, none of the other addresses got even a nibble. It was a rare moment; we were a bit annoyed that spammers were ignoring us.
“Give it four months,” advises Alan Schwartz, co-author of “Stopping Spam.” “A spammer spends more time harvesting e-mail addresses than mailing to them. They’ll probably spend a month gathering addresses and then do one mailing at the end of the month. It doesn’t pay to be mailing every week.”
Besides, AOL, Hotmail and other companies have implemented filters to keep bulk e-mail out, says Jason Catlett, president of Junkbusters, a site that provides tips on how to avoid spam.
But we were doing the right thing — if we wanted spam — by putting our e-mail address on Web pages. “An e-mail appearing undisguised in a public Web space — a member directory, Geocities, Usenet — all of these are equally quick routes to being spammed,” adds Catlett. An address is even more inviting to spammers if it appears in a “mailto” link, which lets people click on a link and send e-mail directly from a Web page, says Catlett.
We may have unwittingly discouraged spammers by giving our straw man an unusual name. “A lot of it has to do with the exact address you pick, since the spammers attack all the major ISPs and go through the dictionary, asking the SMTP [mail] servers if they’ve got a “john1,” a “john2,” and so forth,” explained Catlett. But Wallis was also pretty safe because he laid low, only posting twice on Usenet within the month. “The more times you appear on Usenet and on Web pages, the more likely you’re going to get spammed,” said Catlett.
What else triggers spam? If you sign up in order to download software or use a Web service from a company of dubious standing, it may sell your e-mail address. “There are lots of individuals that offer Web services who aren’t that scrupulous about what they do with the addresses,” says Schwartz. He also pointed out that subscribing to mailing lists may put you in the path of spammers. Sometimes these automated lists aren’t properly secured and will give up their lists of subscribers to anyone who asks.
And Catlett was optimistic about Wallis increasing his spam intake: “A while back, someone did an analysis of the names on one of these bulk mailing lists. Many of the addresses on the list had been dead for years and years,” he says. “It may take a while to get on one of these lists, but it’s going to take a lot longer to get off of one.”