It’s all Geek to Me- Die, Spam! Die!!

March 2nd, 2007 | Posted in It's All Geek to Me!

Really, I’m not that frustrated over the number of spam e-mails I get these days. No, I actually enjoy spending precious minutes of my day going through several hundred messages in my spam filter folder, checking to make sure there isn’t a legitimate e-mail amid the many stock tips and cheap viagra offers… okay, maybe I am that frustrated about it. I used to dream about winning the lottery, Salma Hayek or finding a mint copy of Action #1 pressed in an old book I bought at a garage sale, but now I dream about meeting someone who is responsible for any number of the tens of thousands of spams I’ve gotten in the last year in a dark alley with no one else in sight… except maybe Salma Hayek. The point is spam drives me nuts.

Years ago in my previous website incarnation I utilized a trick to help reduce spam that I forgot to use when I had the site redone. That trick was called E-mail Obfuscation. The theory behind it is that one method spammers use to get addresses to add to their spam lists is via spam-bots. Spam-bots are e-mail harvesting programs that crawl though web pages and copy any e-mail addresses they find in plain text form. Any time your e-mail address is spelled out on a web page’s HTML (like through a “mailto:” link) a spam-bot can ‘harvest’ it for use by spammers. E-mail Obfuscation converts your e-mail address link into HTML source code, which is less vulnerable to spam-bots. Most think it just HTML page code and ignore it. Here’s a link for generating and using the trick. Hard to say if it works or not.

I thought I may have found a new method for eliminating spam that was the best one I’ve ever heard of. It’s a server side program called BoxTrapper. I read about in an anti-spam article somewhere recently, and was surprised to see it as an option with my web hosting service. It takes a bit of set-up work but it is 100% effective. No more spam. Unfortunately after researching it more I have decided for the good of all mankind I cannot in good conscience use it. Too bad as it worked very well.

BoxTrapper is not a spam filter. Those usually work on the client side (meaning on your computer through your e-mail program) using programs like Norton Anti-Spam or other spam filters. Some filters like SpamAssassin work on the server side. Filters look for things common in spam messages, like certain words or other red flags, and then deposit those suspicious e-mails into a spam folder for you to double check for legitimate messages before deleting. Some programs also check known spam databases on-line like antivirus software does for the latest flavor of spam. That’s all fine and good, but it isn’t foolproof. Spammers are always coming up with ways to fool the filters and even the best programs both let through some spam and zap some legitimate e-mails. Worst of all, I still end up having to look at all the suspected spam as it is likely to contain at least one real e-mail, and I have to flag the spams that got through as spam. Not much of a timesaver.

BoxTrapper takes a different approach. It’s a verification program rather than a filter, placing the onus of delivering the e-mail on the sender. It operates on the principal that spammers by nature do not use legitimate “reply to” addresses in their spam, not wanting to be deluged with automatic “screw you, buddy” replies. They only like doing the deluging, not being the delugee. A reply to a spam goes nowhere, and will not be answered by a human or an automated responder. BoxTrapper works by keeping a database of “allowed” e-mail addresses called a “white list”. When an e-mail comes in to the mail server, BoxTrapper checks to see if the sender is on the white list. If he/she is, the e-mail is delivered as usual. If it isn’t, BoxTrapper puts it into a queue on the server and generates an automated message requesting the sender to respond to it in order to approve the e-mail for delivery. The e-mail sits in limbo in this queue, waiting for the response from the original sender. If it receives this response, it adds the sender to the white list and delivers the e-mail to the server, so it will get downloaded to your computer the next time you check your mail. If it doesn’t get a response, or gets one without the proper header info, the e-mail is never delivered and gets deleted at the end of a specified wait period. Spammers do not reply, and therefore spam never gets to your inbox. The only hang up here are automated messages I actually DO want to receive, like newsletters I have signed up for, on-line billing statements, alerts I want to get, etc. These also come from addresses that will not reply to the verification message. Here’s where some effort is involved, but only for a little while. You can add these addresses to your white list manually or check your message queue periodically for them and approve them from there. Once you get your legitimate senders all added there is zero chance of a real e-mail being zapped. If you sign up for a new service or newsletter that will send automated e-mails, you’ll need to watch for their first message or ask for the reply e-mail and add it manually. A small price to pay for a blissfully empty spam folder.

So, why am I not using it? Because although BoxTrapper does a great job of eliminating spam in my inbox it only makes the world’s spam problem worse. Instead of 450 spam messages a day dead ending in my spam folder, 450 additional e-mails are sent out into cyberspace by my BoxTrapper asking for a reply, many of which get responded to by the replied to server if only to say “sorry, nobody is here to get your e-mail”, thereby generating yet another several hundred e-mails. Imagine, if every spam sent out in the world ended up generating two more e-mails each. Worldwide use of BoxTrapper would triple the amount of spam generated e-mail, crippling mail servers everywhere. Plus, many spammers use spoofed e-mails that are real addresses of unsuspecting people, who I am spamming with my verification message. No, the problem is bad enough without exacerbating it by using well meaning programs like BoxTrapper. I’ve read where cPanel, the web host managing software, is removing BoxTrapper from it’s menu on some servers for those very reasons.

My current anti-spam measures seem to be the best. My web host has a server side spam filter called SpamAssassin. It is a simple program and not very effective overall, but for my purposes it does not need to be. It can be configured on a scale of 1 to 15 for aggressiveness, 1 being very aggressive and 15 being least. I’ve experimented for a setting where a decent amount of spam is flagged, but more importantly no false positives appear. My goal is to catch the most number of spams I can with SpamAssassin where I have no chance of a real e-mail being mistaken as spam. I have found 6 to be the best setting for that. It identifies about 60% of all my spam, with no false positives. Then I set a server side rule that all messages marked as spam by SpamAssassin get deleted without ever being delivered to my mail server inbox. The result is all my legitimate e-mails get through and only about 40% of the spam. Then I use Apple Mail’s spam filter to scrutinize the mail that does get delivered, placing what it thinks is spam into a spam folder for review later. Using this double check method, most of my spam is never delivered to me or downloaded at all, and I only have about 180 spams to check in my spam folder a day instead of 450. That makes a big difference in time and frustration levels.

Yes, I suppose it’s possible that one day a real e-mail or two will get zapped by SpamAssassin, but it’s highly unlikely. If it will let in 40% of the real spam, an acual, legitimate e-mail is likely to go through every time. I’ll take the risk knowing that I am being spared wading through some 2,000 spams a week telling me my member is too small or I have to get these penny stocks.

Gotta run… apparently my Paypal account has been compromised and I need to log into it via a link they sent me and confirm my password and account info! Whew… good thing they sent me that e-mail!


  1. SteveH says:

    Spam is a real headache, period! I have spawned my url all over the net to ensure traffic comes my way and over the years it has paid off except for the spammers who find it all too easy to get a hold of my email addy, jessh! Ah well its a price to pay but like you Tom, I would love to shoot them in the spleen and watch them die a slow painful death! Japan was very cool thanks! Wendy and I hope to visit there again sometime in the next couple of years and also try to fit in a visit to Hawaii flying out from Tokyo!

  2. annarichmond says:

    It’s always Salma with you! What’s she got that I don’t? Oh, yeah… Well, does she wash your shorts? I think not! Just keep dreaming Honey, as long as it’s in my bed 🙂 Luv U!

  3. Tom says:

    Ooops. I forgot my wife, The Lovely Anna, has internet access and some damn fool told her I have a website. Better watch what I say from now on.

    Salma has nothing on you, baby! 😉

  4. A technique I’ve found effective is giving everybody a disposable email address to email me at. Like at, I would use the email address examplessuck@blunketspice.fod(or “fromexampleaddress@blunketspice.fod”). Whenever I get an email either from them or someone they give my address to, I can verify it by where it’s sent to(Paypal emails sent anywhere other than paypal-address@blunketspice.fod are fake). I may get wanted newsletters at first, but if I suddenly start getting spam sent to that email address, I know who gave them my address(based on the TO address), and this is where the “disposable” part comes in. I just block emails that are to that address. I might also pass my displeasure along to the offending site in some way that doesn’t give away my “real” address.
    After a friend(trusted) gave my personal-only email address to his brother(untrusted), who tried to sell me something, I realized I have to do this with friends as well. I also remembered an old address that family often sent email postcards to by giving my address to those sites, which in turn gave me spam.


    You need your own domain name with a catch-all account. This is crucial. Yahoo also has this option somewhere, but I know not of its ease of use.

    It’s hard to have to think up an email address on the spot for a friend that asks you for it. I try to think of something that doesn’t sound like I’m using this method, because it sounds like I don’t trust them personally, when in fact I do this to everybody.

    Having to explain your system to people, if you find you have to.

    You can’t apply it to existing addresses. I still keep some old addresses because I still get important email on them, even if it’s buried in spam. I might be able to contact all the approved sites with my new address and do away with that old to-websites-only address.

    You have to go to the effort of actually blocking emails sent to that address. I’ve been neglecting that step and continue to be spammed by people a certain website has given my email address to. I really should get around to setting that filter.

    You will get test-spam to addresses like info@blunketspice.fod and marketing@blunketspice.fod, but those can be blocked anyway.

    Notes: If a one-friend-only email address gets compromised, you can send that one friend a change-of-address email along with a warning not to give the new address to websites again.


New profile pic courtesy of my self-caricature for the Scott Maiko penned article “Gotcha! Mug Shots of Common (but Despicable) Criminals” from MAD 550

Workshops Ad

Dracula ad

Doctor Who Ad

Superman Ad

%d bloggers like this: