It’s all Geek to Me- Die, Spam! Die!!

Really, I’m not that frustrated over the number of spam e-mails I get these days. No, I actually enjoy spending precious minutes of my day going through several hundred messages in my spam filter folder, checking to make sure there isn’t a legitimate e-mail amid the many stock tips and cheap viagra offers… okay, maybe I am that frustrated about it. I used to dream about winning the lottery, Salma Hayek or finding a mint copy of Action #1 pressed in an old book I bought at a garage sale, but now I dream about meeting someone who is responsible for any number of the tens of thousands of spams I’ve gotten in the last year in a dark alley with no one else in sight… except maybe Salma Hayek. The point is spam drives me nuts.

Years ago in my previous website incarnation I utilized a trick to help reduce spam that I forgot to use when I had the site redone. That trick was called E-mail Obfuscation. The theory behind it is that one method spammers use to get addresses to add to their spam lists is via spam-bots. Spam-bots are e-mail harvesting programs that crawl though web pages and copy any e-mail addresses they find in plain text form. Any time your e-mail address is spelled out on a web page’s HTML (like through a “mailto:” link) a spam-bot can ‘harvest’ it for use by spammers. E-mail Obfuscation converts your e-mail address link into HTML source code, which is less vulnerable to spam-bots. Most think it just HTML page code and ignore it. Here’s a link for generating and using the trick. Hard to say if it works or not.

I thought I may have found a new method for eliminating spam that was the best one I’ve ever heard of. It’s a server side program called BoxTrapper. I read about in an anti-spam article somewhere recently, and was surprised to see it as an option with my web hosting service. It takes a bit of set-up work but it is 100% effective. No more spam. Unfortunately after researching it more I have decided for the good of all mankind I cannot in good conscience use it. Too bad as it worked very well.

BoxTrapper is not a spam filter. Those usually work on the client side (meaning on your computer through your e-mail program) using programs like Norton Anti-Spam or other spam filters. Some filters like SpamAssassin work on the server side. Filters look for things common in spam messages, like certain words or other red flags, and then deposit those suspicious e-mails into a spam folder for you to double check for legitimate messages before deleting. Some programs also check known spam databases on-line like antivirus software does for the latest flavor of spam. That’s all fine and good, but it isn’t foolproof. Spammers are always coming up with ways to fool the filters and even the best programs both let through some spam and zap some legitimate e-mails. Worst of all, I still end up having to look at all the suspected spam as it is likely to contain at least one real e-mail, and I have to flag the spams that got through as spam. Not much of a timesaver.

BoxTrapper takes a different approach. It’s a verification program rather than a filter, placing the onus of delivering the e-mail on the sender. It operates on the principal that spammers by nature do not use legitimate “reply to” addresses in their spam, not wanting to be deluged with automatic “screw you, buddy” replies. They only like doing the deluging, not being the delugee. A reply to a spam goes nowhere, and will not be answered by a human or an automated responder. BoxTrapper works by keeping a database of “allowed” e-mail addresses called a “white list”. When an e-mail comes in to the mail server, BoxTrapper checks to see if the sender is on the white list. If he/she is, the e-mail is delivered as usual. If it isn’t, BoxTrapper puts it into a queue on the server and generates an automated message requesting the sender to respond to it in order to approve the e-mail for delivery. The e-mail sits in limbo in this queue, waiting for the response from the original sender. If it receives this response, it adds the sender to the white list and delivers the e-mail to the server, so it will get downloaded to your computer the next time you check your mail. If it doesn’t get a response, or gets one without the proper header info, the e-mail is never delivered and gets deleted at the end of a specified wait period. Spammers do not reply, and therefore spam never gets to your inbox. The only hang up here are automated messages I actually DO want to receive, like newsletters I have signed up for, on-line billing statements, alerts I want to get, etc. These also come from addresses that will not reply to the verification message. Here’s where some effort is involved, but only for a little while. You can add these addresses to your white list manually or check your message queue periodically for them and approve them from there. Once you get your legitimate senders all added there is zero chance of a real e-mail being zapped. If you sign up for a new service or newsletter that will send automated e-mails, you’ll need to watch for their first message or ask for the reply e-mail and add it manually. A small price to pay for a blissfully empty spam folder.

So, why am I not using it? Because although BoxTrapper does a great job of eliminating spam in my inbox it only makes the world’s spam problem worse. Instead of 450 spam messages a day dead ending in my spam folder, 450 additional e-mails are sent out into cyberspace by my BoxTrapper asking for a reply, many of which get responded to by the replied to server if only to say “sorry, nobody is here to get your e-mail”, thereby generating yet another several hundred e-mails. Imagine, if every spam sent out in the world ended up generating two more e-mails each. Worldwide use of BoxTrapper would triple the amount of spam generated e-mail, crippling mail servers everywhere. Plus, many spammers use spoofed e-mails that are real addresses of unsuspecting people, who I am spamming with my verification message. No, the problem is bad enough without exacerbating it by using well meaning programs like BoxTrapper. I’ve read where cPanel, the web host managing software, is removing BoxTrapper from it’s menu on some servers for those very reasons.

My current anti-spam measures seem to be the best. My web host has a server side spam filter called SpamAssassin. It is a simple program and not very effective overall, but for my purposes it does not need to be. It can be configured on a scale of 1 to 15 for aggressiveness, 1 being very aggressive and 15 being least. I’ve experimented for a setting where a decent amount of spam is flagged, but more importantly no false positives appear. My goal is to catch the most number of spams I can with SpamAssassin where I have no chance of a real e-mail being mistaken as spam. I have found 6 to be the best setting for that. It identifies about 60% of all my spam, with no false positives. Then I set a server side rule that all messages marked as spam by SpamAssassin get deleted without ever being delivered to my mail server inbox. The result is all my legitimate e-mails get through and only about 40% of the spam. Then I use Apple Mail’s spam filter to scrutinize the mail that does get delivered, placing what it thinks is spam into a spam folder for review later. Using this double check method, most of my spam is never delivered to me or downloaded at all, and I only have about 180 spams to check in my spam folder a day instead of 450. That makes a big difference in time and frustration levels.

Yes, I suppose it’s possible that one day a real e-mail or two will get zapped by SpamAssassin, but it’s highly unlikely. If it will let in 40% of the real spam, an acual, legitimate e-mail is likely to go through every time. I’ll take the risk knowing that I am being spared wading through some 2,000 spams a week telling me my member is too small or I have to get these penny stocks.

Gotta run… apparently my Paypal account has been compromised and I need to log into it via a link they sent me and confirm my password and account info! Whew… good thing they sent me that e-mail!