Anti-spam techniques (e-mail). End-user techniques

(From Wikipedia, the free encyclopedia)

Avoid responding to spam
Spammers often regard responses to their messages, even responses like "Don't spam me", as confirmation that an e-mail address is valid. Likewise, many spam messages contain Web links or addresses which the user is directed to follow to be removed from the spammer's mailing list. In several cases, spam-fighters have tested these links, confirming that they do not lead to the recipient address's removal; if anything, they lead to more spam.
Sender addresses are often forged in spam messages, so responding to spam may result in failed deliveries or may reach innocent e-mail users whose addresses have been abused. In many countries, providing a false identity in that way is a criminal offense. Criminal spammers sometimes send their messages from purposely compromised computers in order to hide their real identity. Benign spammers reveal their identity, allowing recipients to respond.
On Usenet, it is widely considered even more important to avoid responding to spam. Many ISPs run software that seeks out and destroys duplicate messages. Someone may see a spam message and respond to it before it is cancelled by their server, which can have the effect of reposting the spam for them; since the reposted copy is not a duplicate, it will last longer.
Contact Forms
Contact forms allow users to send e-mail by filling out a form in a web browser. The web server takes the form data and forwards it to an e-mail address; the user never sees that address. Contact forms have the drawback that they require a website that supports server-side scripts. They are also inconvenient for the message sender, who cannot use their preferred e-mail client. Finally, if the software that runs the contact form is badly designed, the form can become a spam tool in its own right. Additionally, many spammers have taken to using contact forms to send spam to the intended recipient.
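The "badly designed" case above is usually a handler that copies form fields straight into message headers and lets the client influence the recipient. The following is an added example, not code from the article or from any contact-form package: a form-to-mail builder that pins the recipient to one fixed mailbox, rejects header fields containing line breaks, and accepts only a bare address for Reply-To. The field names, the inbox address and the size limits are assumptions made for the example.

```python
"""Hardened contact-form mail builder (added example, not Wikipedia's code).

Assumptions (not from the article): the form posts `name`, `reply_to`,
`subject` and `body`; the server delivers every submission to the single
fixed mailbox CONTACT_INBOX. The weak design the article warns about is
letting form fields flow unchecked into message headers; this builder
refuses header newlines, ignores any recipient the client might supply,
and caps field sizes so the form cannot be turned into a relay."""
from email.message import EmailMessage
from email.headerregistry import Address
from email.utils import parseaddr

CONTACT_INBOX = "webmaster@example.org"   # fixed recipient; constructed placeholder
MAX_SUBJECT = 200
MAX_BODY = 20_000


class RejectedSubmission(ValueError):
    """Raised when form input would corrupt or abuse the outgoing message."""


def _clean_header_field(value: str, limit: int, field: str) -> str:
    """Header values must be a single line; a CR/LF in a field would let the
    submitter append headers of their own (extra recipients, Bcc, ...)."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise RejectedSubmission(f"{field}: control characters not allowed")
    value = value.strip()
    if not value or len(value) > limit:
        raise RejectedSubmission(f"{field}: empty or too long")
    return value


def _clean_reply_to(value: str) -> str:
    """Accept only a bare addr-spec, so the submitter cannot smuggle in a
    display name, a second address or anything else alongside it."""
    value = _clean_header_field(value, 254, "reply_to")
    name, addr = parseaddr(value)
    if name or addr != value or addr.count("@") != 1:
        raise RejectedSubmission("reply_to: must be a single plain address")
    local, domain = addr.split("@")
    if not local or not domain or "." not in domain:
        raise RejectedSubmission("reply_to: malformed address")
    return addr


def build_contact_message(form: dict) -> EmailMessage:
    """Build the outgoing message from untrusted form fields.

    The recipient is never taken from the form; the submitter's address only
    ever lands in Reply-To, so the server never sends on their behalf."""
    subject = _clean_header_field(form.get("subject", ""), MAX_SUBJECT, "subject")
    name = _clean_header_field(form.get("name", ""), 100, "name")
    reply_to = _clean_reply_to(form.get("reply_to", ""))
    body = form.get("body", "")
    if len(body) > MAX_BODY:
        raise RejectedSubmission("body: too long")

    msg = EmailMessage()
    msg["From"] = Address("Website contact form", addr_spec=CONTACT_INBOX)
    msg["To"] = CONTACT_INBOX
    msg["Reply-To"] = reply_to
    msg["Subject"] = f"[contact] {subject}"
    # Plain text only: nothing the submitter typed is rendered as HTML.
    msg.set_content(f"From: {name} <{reply_to}>\n\n{body}")
    return msg


def accepts(form: dict) -> bool:
    """True if the submission passes validation, False if it is rejected."""
    try:
        build_contact_message(form)
        return True
    except RejectedSubmission:
        return False


if __name__ == "__main__":
    sample = {"name": "Ada", "reply_to": "ada@example.net",
              "subject": "Hello", "body": "Hi there"}          # constructed input
    print(build_contact_message(sample))
```

The message is built with `EmailMessage` rather than by string concatenation so that header encoding is handled by the library; the validation in front of it is what keeps submitter input out of the header block in the first place.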
Disable HTML in e-mail
Many modern mail programs incorporate Web browser functionality, such as the display of HTML, URLs, and images. This can easily expose the user to offensive images in spam. In addition, spam written in HTML can contain web bugs which allow spammers to see that the e-mail address is valid and that the message has not been caught in spam filters. JavaScript programs can be used to direct the user's Web browser to an advertised page, or to make the spam message difficult to close or delete. Spam messages have contained attacks upon security vulnerabilities in the HTML renderer, using these holes to install spyware. (Some computer viruses are borne by the same mechanisms.)
Mail clients which do not automatically download and display HTML, images or attachments have fewer risks, as do clients that have been configured not to display these by default.
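What a "do not auto-load" client does with an HTML body can be shown in code. The following is an added example, not code from the article or from any mail client: a small pass over an HTML message that replaces remote images (the web bugs described above) with a placeholder, drops script, style and embedded-object elements along with event-handler attributes, and reports which URLs the message would have fetched. The sample message is constructed, and the set of tags handled is a deliberate subset rather than a complete HTML sanitiser.

```python
"""Render an HTML mail body without contacting any remote server.

Added example, not from the article or any mail client. Remote images are
replaced by a placeholder and active content is dropped, while ordinary
markup passes through; the list of blocked URLs is what a client would show
as "this message tried to load N remote items". Tag coverage is a
constructed subset, not a full HTML sanitiser."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}
# Dropped entirely (with their content): active code, embedded objects, and
# style blocks, which can pull remote resources through url().
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "style"}
VOID_TAGS = {"img", "br", "hr", "link", "meta", "input"}


def is_remote(url: str) -> bool:
    """A URL counts as remote if fetching it would contact a server."""
    url = url.strip()
    return urlparse(url).scheme.lower() in REMOTE_SCHEMES or url.startswith("//")


class OfflineRenderer(HTMLParser):
    """Re-emits HTML with remote images and active content removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked_urls = []     # what the message tried to load
        self._skip_depth = 0       # > 0 while inside a blocked element

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if is_remote(src):             # the web-bug case
                self.blocked_urls.append(src)
                self.out.append("[remote image blocked]")
                return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):      # onclick=, onload=, ...
                continue
            if tag == "link" and name == "href" and is_remote(value or ""):
                self.blocked_urls.append(value)
                return                     # drop the whole remote stylesheet link
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def render_offline(html_body: str):
    """Return (safe_html, blocked_urls) for one HTML message body."""
    parser = OfflineRenderer()
    parser.feed(html_body)
    parser.close()
    return parser.result(), parser.blocked_urls


# Constructed sample: a 1x1 tracking image, a legitimate inline (cid:) image,
# a link with an event handler, and a script that tries to close the window.
SAMPLE_BODY = (
    '<html><body><p>Special offer!</p>'
    '<img src="https://tracker.example/pixel.gif?id=abc123" width="1" height="1">'
    '<img src="cid:logo@local">'
    '<a href="https://example.com" onclick="x()">Click</a>'
    '<script>window.close()</script></body></html>'
)

if __name__ == "__main__":
    safe, blocked = render_offline(SAMPLE_BODY)
    print(safe)
    print("blocked:", blocked)
```

The useful output for the user is the `blocked_urls` list: it makes visible that a message carried a remote fetch keyed to them, which is exactly the signal a web bug is designed to send back silently.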
Disposable e-mail addresses
Disposable e-mail addressing (DEA) refers to an alternative way of sharing and managing e-mail addressing. DEA aims to set up a new, unique e-mail address for every contact or entity, making a point-to-point connection between the sender and the recipient. Subsequently, if anyone compromises the address or utilises it in connection with any e-mail abuse, the address-owner can easily cancel (or "dispose" of) it without affecting any other contact. Following the cancellation or replacement of a disposable e-mail address, the (ex-)owner need notify no more than one person/contact of the change.
Disposable e-mail addressing, in essence, sets up a different, unique DEA for every sender/recipient combination. It operates most usefully in situations where someone may sell or release an e-mail address to spam lists or to other unscrupulous entities. The most common situations of this type involve online registrations for things such as discussion groups, bulletin boards, chat rooms, online shopping, and file hosting services. In a time when e-mail spam has become an everyday nuisance, and when identity theft threatens, DEAs can serve as a convenient tool for keeping network users safe and sane.
Most likely, but not always, cancellation of a disposable e-mail address takes place because someone starts to use the address in an illegitimate manner. This may occur through the accidental release of an e-mail to a spam list, or because the original recipient unscrupulously and deliberately obtained it deceptively. Alternatively, the user may simply decide not to receive further correspondence from that company. Whatever the cause, DEA allows the address owner to take unilateral action by simply cancelling the address in question. Later, the owner can determine whether to update the recipient or not.
For the sake of convenience, disposable e-mail addresses typically forward to one or more real e-mail mailboxes where the owner receives and reads messages. The contact with whom a DEA is shared never needs to know the real e-mail address of the user. If a database manages the DEA, it can also quickly identify the expected sender of each message by retrieving the associated contact name of each unique DEA. Used properly, DEA can also help identify which recipients handle e-mail addresses in a careless or illegitimate manner. Moreover, it can serve as an effective tool for spotting counterfeit messages, or phishers.
Advantages over traditional e-mail
Ideally, owners share a DEA once with each contact/entity. Thus, if the DEA should ever change, only one entity needs to be updated. By comparison, the traditional practice of giving the same e-mail address to multiple recipients means that if that address subsequently changes, many legitimate recipients will need to receive notification of the change and to update their records — a potentially tedious process.
Additionally, because access has been narrowed down to one contact, that entity becomes the most likely point of compromise for any spam the account receives (see "Security and filtering" below for exceptions). This allows users to determine firsthand the trustworthiness of the people they share their DEAs with. "Safe" DEAs that have not been abused can be forwarded to a real e-mail account, while messages sent to "compromised" DEAs can be routed to a special folder, sent to the trash, held for spam filtering, or returned undeliverable if the DEA is deleted outright.
Further, because DEAs serve as a layer of indirection between the sender and recipient, if the DEA user's actual email address changes, for instance moving from a university address to a local ISP, then the user need only update the DEA service provider of the change, and all outstanding DEAs will continue to function without updating.
Security and filtering
It is possible for spammers to "guess" commonly used DEAs by trying addresses of the form CommonCompanyName@RandomName.DEAServiceProvider.com or other widely used formats. This is especially likely if a user's subdomain (the "RandomName" part) has already been posted publicly somewhere. To combat this, users can make their e-mail addresses more obscure by using random names, checksums, a mutated form of a name, or some combination of the above. A harder-to-guess example might be CompanyName.Checksum@YourDomain.DEAServiceProvider.com or RandomTextCompanyNameRandomText@YourDomain.DEAServiceProvider.com. There is an obvious trade-off: the more obscure an address is, the harder it is to remember and to type quickly. Mentally computed checksums may help with this.
"Poor man's DEA"
The plus addressing technique allows users to create DEAs using an existing e-mail address without the need for a DEA service provider. (This does not rule out using this technique with a DEA service provider, so long as plus addressing is supported.) All that is required is for the e-mail server to support plus addressing. An optional checkstring allows the MTA to block attempts by spammers to bypass the DEA filtering. As an example, a static string or a checksum that can be computed in one's head (or by an MTA running Sieve or procmail) can be used as a checkstring added to a DEA to evade spammers: User+CompanyName.CheckString@EmailServiceProvider.com can function as a hard-to-compromise "poor man's DEA". It is possible for a human (or a program) to extract the real e-mail address just by removing everything after the plus; however, it is considered unlikely that a program would bother going to this effort, since the vast majority of e-mail addresses do not use this technique.
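The checksum idea from "Security and filtering" and the plus-addressing checkstring just described come down to the same mechanism: a per-contact tag the owner can verify but a guesser cannot produce. The following is an added example, not code from the article or from any DEA provider or MTA: it mints `user+contact.check@domain` addresses where `check` is a short keyed HMAC over the contact label, and a `route` function plays the part of the procmail or Sieve filter, delivering "safe" DEAs to a per-contact folder, parking "compromised" ones, and rejecting addresses whose tag does not verify. The user name, domain, secret key and contact list are constructed for the example; the same routing logic applies to the subdomain form (CompanyName.Checksum@YourDomain.provider) from the earlier section, only the address layout differs.

```python
"""Disposable addresses with a keyed check string and per-contact routing.

Added example; not code from the article or from any DEA provider or MTA.
Address layout ("poor man's DEA" with plus addressing):
    user+<contact>.<check>@domain
<check> is a short keyed HMAC over the contact label, so someone who learns
the pattern still cannot produce a valid tag without the key. USER, DOMAIN,
SECRET and DEA_STATUS are constructed values for the example."""
import hashlib
import hmac

USER = "alice"
DOMAIN = "example.net"
SECRET = b"constructed-secret-key-change-me"   # known only to the owner's filter
CHECK_LEN = 6                                   # hex chars: short enough to type

# Status of each DEA the owner has handed out, as the article describes:
# "safe" ones are delivered, "compromised" ones are parked for review.
DEA_STATUS = {"shopsite": "safe", "newsletter": "safe", "forum": "compromised"}


def check_string(contact: str) -> str:
    """Keyed tag for one contact label; recomputed on every incoming message."""
    mac = hmac.new(SECRET, contact.lower().encode(), hashlib.sha256).hexdigest()
    return mac[:CHECK_LEN]


def make_dea(contact: str) -> str:
    """Address to hand out to one contact, e.g. alice+shopsite.<check>@example.net"""
    contact = contact.lower()
    if not contact.isalnum():
        raise ValueError("contact label must be alphanumeric")
    return f"{USER}+{contact}.{check_string(contact)}@{DOMAIN}"


def route(rcpt: str) -> str:
    """What the filter does with a message addressed to `rcpt`.

    Returns one of: "inbox", "folder:<contact>", "quarantine", "reject"."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != DOMAIN:
        return "reject"
    user, plus, tag = local.partition("+")
    if user != USER:
        return "reject"
    if not plus:
        return "inbox"                       # bare address: no DEA involved
    contact, dot, check = tag.rpartition(".")
    if not dot or not check.isascii():
        return "reject"                      # no check string at all
    if not hmac.compare_digest(check, check_string(contact)):
        return "reject"                      # guessed or mutated DEA
    status = DEA_STATUS.get(contact)
    if status == "safe":
        return f"folder:{contact}"           # deliver, filed by contact
    if status == "compromised":
        return "quarantine"                  # hold for spam filtering / review
    return "reject"                          # valid tag but DEA cancelled


if __name__ == "__main__":
    for label in DEA_STATUS:
        dea = make_dea(label)
        print(f"{dea:45} -> {route(dea)}")
    print(f"{'alice+shopsite@example.net':45} -> {route('alice+shopsite@example.net')}")
```

Two design points follow from the article's text. The tag is keyed rather than a plain checksum so that publishing one DEA does not reveal how to forge others; and cancellation is a table entry, not a change to the address scheme, so a compromised DEA can be quarantined or rejected while every other contact's address keeps working.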
The downside
Many forum and wiki administrators dislike DEAs because they obfuscate the identity of the members and make maintaining member control harder. As an example, trolls and vandals like to use throwaway e-mail addresses to get around attempts to ban them. Using a DEA provider only makes this easier; the same convenience with which a person may create a DEA to filter spam also applies to trolls. For this reason, most forum programs have functionality to make it easier to ban DEAs. As a result, forum and wiki administrators, blog owners, and indeed any public site requiring user names may have a compelling reason to ban DEAs.
As a counterbalance to the risks of asking a user to give a "permanent" e-mail address in a publicly accessible site, administrators have the option to prevent, or give the option for hiding, the publication of users' email addresses. An "e-mail this user" script can be used to allow communication with the user without the sender knowing their e-mail address. This protects users from spam and allows them to use real email addresses, which may make a ban on DEAs easier for users to accept.
Caught in the crossfire between Internet undesirables and administrative attempts to deal with them, DEA providers have trouble presenting a total solution. A user may find it advantageous to decide whether to provide a "real" e-mail address to a public/commercial entity on a case-by-case basis. On the one side, the trustworthiness and reputation of the site administrators, the availability of options to hide e-mail addresses, and the existence/enforcement of an acceptable privacy policy are all factors that should be taken into account. On the other, there are the risks of confusing people by using long or oddly named addresses often associated with DEAs, being perceived as a troll or someone with a motive to hide their identity, and the chance that the DEA provider may eventually cease operations.
