However careful you are about not publishing or releasing
your e-mail address except to your friends and colleagues, sooner or later your
mailbox starts filling up with SPAM (or UCE, Unsolicited Commercial E-mail, to
give its formal title).
e-mail from a company you've never heard of? Of course you have. Are
you convinced that they cannot conceivably be connected with any other company
you may have dealt with? If so, you are almost certainly on a List
How do they get your e-mail address?
Every
time you buy a product or service online, or register with a site for any number
of reasons, it is likely that you will be required to supply your e-mail address. This is often quite legitimate and, in the case of reputable organizations
that even highly reputable companies may seek to sell or otherwise make available
your e-mail address either to third-parties or their own affiliates. If so, this
should be clearly stated on the form where the information is collected - usually
worded something like "From time to time we may send you information on special
offers.........etc". There should also be an opt-out method on the form -
normally you have to check a checkbox to indicate that you don't
want to receive such information. If you fail to invoke the opt-out you have,
by definition, invited the organization to send you e-mail
In the case
of, say, a high street bank or household name in the United Kingdom, you can be
reasonably confident that if you opt out of any "send me stuff about products
we think you may be interested in", you'll be safe.
Check the site's
it states clearly that it is registered under the Data Protection Act and specifies
who the Data Controller is.
If there is no mention on a form you are about
to submit of whether or not your personal information will be used to send you
what your personal information will be used for.
Remember that it's not
just on the internet that you might be asked for your e-mail address - increasingly,
paperwork you fill in for subscriptions, services, almost anything these days
in fact, asks for it as well. Again, there should be an opt-out method on the
form and again, it will almost invariably be so presented that you must tick a
box to indicate that you don't want them or their
affiliates to e-mail you whenever they feel like it.
this is fairly obvious - but beware, not all organizations on the web are reputable
(surprise, surprise) and you only need to have your e-mail address acquired by
one unscrupulous List Operator to start an ever-increasing
flood of SPAM.
List Operators
List Operators collate vast databases of e-mail addresses
of both companies and individuals, which they make available to anyone who wants
to use them. Sometimes they sell them outright; more often they themselves
send out e-mails on behalf of an organization trying to sell its products.
List Operators (and there are reputable ones as well as unscrupulous ones) acquire
e-mail addresses in a variety of ways. They may buy them from reputable organizations
to whom people supplied an e-mail address, but did not opt out of the "we
may send you......etc" clause. Of course, less scrupulous organizations sell
e-mail addresses even when people have opted out
of receiving unsolicited e-mails from them or their affiliates.
WHOIS harvesting
WHOIS is publicly accessible
information on the Registrant (owner) and other contacts concerned with
administering an Internet domain name. If you have registered a domain name, anyone
can look up the information in WHOIS, the content of which varies between registries.
For example, the information shown in WHOIS for a UK SLD (Second Level
Domain) such as .co.uk does not contain any e-mail addresses. TLDs (Top Level
Domains) such as .com, .net and .org show at least the administrative contact's
e-mail address(es) and gTLD (global Top Level Domains) like .biz and .info show
For example, compare the WHOIS data for some of our domains:
The Registries are required to make this information publicly accessible
for a variety of reasons. WHOIS data was never intended to be 'mined' by robots
- automated systems that constantly query WHOIS services to harvest e-mail addresses
- nevertheless this is what happens. This helps to explain the numerous e-mails
you will inevitably receive, soon after registering a TLD or gTLD domain name,
from web hosting companies, so-called search engine optimization experts and so
Ever get SPAM addressed to nonexistent e-mail addresses?
Once a SPAM merchant knows that a domain has been registered,
it is a fair bet that e-mail addressed to certain widely-used addresses will be
delivered to the target. The common ones include postmaster, root, hostmaster,
webmaster, info, sales, admin, etc.
Furthermore, most commercial domains'
e-mail servers are configured so that e-mail addressed to unknown users is delivered
to a designated address within the domain, perhaps postmaster or another account.
To demonstrate this, we have registered the domain tangerine-aardvark.com for
the purely fictional company Tangerine Aardvark Productions. Tangerine Aardvark's
CEO is Fred X. Bloggs and his PA is Arthur Dogsbody. Only Fred and Arthur
have actual e-mail accounts on the domain, their e-mail addresses being email@example.com
Aardvark does not want to lose wrongly addressed e-mail from its clients, some
of whom can't type very well, so we don't want to reject e-mail to firstname.lastname@example.org
just because the sender is having finger trouble on his keyboard. Being a business,
we don't want to lose anything sent to email@example.com
either. In fact, Fred's policy is that the company will accept absolutely anything
so long as the domain name is correct. Of course, as CEO, Fred's time is far too
valuable to waste sifting through lots of SPAM on the off chance that there might
be something useful there, so Tangerine Aardvark's mail server is configured to
place e-mail for unknown users in Arthur's mailbox so he can deal with it.
e-mail address was harvested from the WHOIS
data soon after the domain was registered, so he gets a substantial and ever-increasing
amount of SPAM.
This being a demonstration system, both Fred's and Arthur's
accounts have autoresponders which will send a reply to the sender thanking them
for their interest. Feel free to send mail to the domain and see what happens.
do you get correctly addressed SPAM even on a free ISP account you've only just
set up? Even if SPAM merchants don't know a valid e-mail address, that
won't stop them trying to send you some SPAM, even to an e-mail account you set
up at an ISP or free service provider.
If you have given your
new free service or ISP e-mail address to absolutely nobody, you might be surprised
to receive some SPAM within a week of setting up your account. Don't automatically
blame the service provider - chances are they haven't released your address to
anyone - you remembered to opt out of receiving "special offers from us or
our partners.....etc", right? What has happened is that a
robot system has 'guessed' your e-mail address.
Fred? Suppose that, in addition to his business e-mail address at Tangerine Aardvark
Productions, he sets up a nice new e-mail account with some free ISP and his new
address is firstname.lastname@example.org.
Somewhere, there will be a robot doing nothing else today except generate names
at random and send e-mails to them. They can be extremely sophisticated and use
all possible combinations of surnames, first names, initials, with or without
dot or hyphen separation, with or without prefixes and suffixes, in addition to
purely randomly generated letter/number sequences. It won't take long to 'guess'
fred.bloggs, or fbloggs, fredbloggs27 and so on - at the rate of several hundred
thousand an hour - and then append '@somefreeisp.co.uk' to form email@example.com
Only a very
tiny number may get through, but what do they care? Bandwidth is cheap. And when
somefreeisp.co.uk blocks the domain and/or IP address that is sending their customers
all this SPAM, they just change to another one. You can absolutely guarantee that
the 'from' and 'reply-to' addresses in the SPAM are either fake, or have been
Why you should never respond to SPAM
Most SPAM will usually have some
small print at the end of the message containing instructions to stop them sending
you any further SPAM, such as:
- Reply with the subject "Remove" to unsubscribe or
- This message was sent to you as a result of your intention and permission to
receive 3rd party messages. [List_Operator_Name] always respects your wishes
and you may remove your address from our list anytime. To do so, please use this
You would be forgiven
for assuming that following these instructions would have the desired effect -
i.e. no more SPAM from that source and, in the case of reputable organizations,
you might be right. However, the only effect it will definitely
have is to confirm that your e-mail address is current,
thereby ensuring that you receive even more SPAM.
in the United Kingdom makes it a criminal offence to send Unsolicited Commercial
E-mail. This has, in many cases, so far resulted in nothing more tangible than
the rewording of the SPAM small print to include something along the lines of
"you are receiving this e-mail because you have indicated your willingness
to receive information from us or one of our partner web
sites......etc". Note the part in blue and realize how difficult it
may be to prove otherwise. Anyway, the Internet is a global phenomenon and United
Kingdom legislation is unlikely to deter a SPAM operation in the United States
or Grand Cayman, is it?
So much for
how and where SPAM originates - how can you stop it? The short answer,
as you will have realized from the above, is that you can't. Don't despair, though
- let's qualify that - you certainly can't stop them sending
SPAM, but you can avoid having to read it or even
receive it. Let's look at some of the measures you can employ...
filters in some e-mail clients (Outlook, Outlook Express etc) let you select
a piece of SPAM and create a rule that automatically either deletes the next e-mail
from that sender or diverts it into a given folder. The problem with this is that
the really irritating and/or offensive SPAM merchants will never use the same
'from' and 'reply to' addresses, 'subject', message phraseology or even server,
twice. This tends to reduce the effectiveness of the strategy. SPAM
filters that you can install on your system operate on much the same principle
as Junk filters and rules. Although some of these are much more sophisticated,
it is virtually impossible to filter SPAM on more or less any set of criteria
and always get it right. For example, not every e-mail containing the words 'FREE'
or 'URGENT' or the phrase 'LOOK AT THIS' is necessarily SPAM.
You can easily spend as much time adjusting and tweaking filtering criteria as
you would have spent reading and deleting the SPAM.
case, it's highly irritating that you have wasted your bandwidth downloading the
SPAM in the first place, even if you've got broadband and are not paying for the
connection time it is wasting.
So the ideal solution would
be not to receive the SPAM at all.
Some service providers
now offer SPAM filtering designed to delete the offending items on their servers
before you ever see them. This option, however, is not always free and suffers from
the same tendency to delete some non-SPAM items
as well as not stopping everything that is SPAM.
The main advantage is that they, not you, do all the work to try to recognize
and block SPAM - and at least you're not downloading so much of it.
a cloaked domain
A cloaked domain is one where your
e-mail address does not appear in WHOIS data (so cannot
be harvested) and which is configured to reject any e-mail not addressed to a
Back to our friend Fred again... Fred
was so sick of the SPAM he was getting on his ISP e-mail account at firstname.lastname@example.org
(even though he hadn't given the address to anyone he didn't trust absolutely)
that he decided to register his own personal cloaked domain.
a look at the WHOIS information for Fred's cloaked domains (we registered three
so you can see the different WHOIS data)
WHOIS data is taken from the domain
record at the Registrar concerned and the only reason they ever e-mail the registrant
in normal circumstances is when the domain is coming up for renewal. Cloaked domains
registered through kadrex only show kadrex e-mail addresses, not the registrant's
and kadrex will e-mail you renewal reminders. Even the Registrant's name and address
can be care of kadrex if desired, to avoid even the possibility of junk snail
domains for personal use only have a single valid address which is designed to
be very difficult for robot systems to guess. This is what Fred has done on his
given enough computing power, a robot system could eventually guess it, but they
generally concentrate on easier prey such as free service providers and ISP accounts.
If you put a web site up on the domain, do not publish your e-mail address on
it - or it will be harvested by web crawlers.
you're a SPAM merchant - try to send e-mail to any address you like at Fred's
cloaked domains and see how frustrating it is.
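The difference between Tangerine Aardvark's accept-anything configuration and a cloaked domain's single valid address can be sketched as follows. This is an added example, not kadrex's or any mail server's own code; the mailbox name k7q-vn2x-fb, the sample traffic and the reject_limit threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed example domains (assumed names, not real configuration).
CATCH_ALL = {"mailboxes": {"fred", "arthur"}, "fallback": "arthur"}
CLOAKED = {"mailboxes": {"k7q-vn2x-fb"}, "fallback": None}

def rcpt_decision(local_part, domain_cfg):
    """Return (smtp_code, mailbox) for the local part of one RCPT TO."""
    local = local_part.lower()
    if local in domain_cfg["mailboxes"]:
        return 250, local
    if domain_cfg["fallback"]:
        # Catch-all: mail for unknown users lands in one designated mailbox.
        return 250, domain_cfg["fallback"]
    # Cloaked: anything but the valid address is refused at SMTP time.
    return 550, None

def process(attempts, domain_cfg, reject_limit=3):
    """attempts: (client_ip, local_part) pairs.

    Returns (messages delivered per mailbox, client IPs with at least
    reject_limit refused recipients, i.e. likely address-guessing robots).
    """
    delivered, rejects = defaultdict(int), defaultdict(int)
    for ip, local in attempts:
        code, mailbox = rcpt_decision(local, domain_cfg)
        if code == 250:
            delivered[mailbox] += 1
        else:
            rejects[ip] += 1
    flagged = {ip for ip, n in rejects.items() if n >= reject_limit}
    return dict(delivered), flagged

# Constructed sample traffic: one client tries the role addresses and name
# guesses mentioned above; another sends one correctly addressed message.
ATTEMPTS = [
    ("203.0.113.9", "postmaster"), ("203.0.113.9", "webmaster"),
    ("203.0.113.9", "info"), ("203.0.113.9", "sales"),
    ("203.0.113.9", "fred.bloggs"), ("203.0.113.9", "fbloggs"),
    ("198.51.100.4", "k7q-vn2x-fb"),
]

if __name__ == "__main__":
    print("catch-all:", process(ATTEMPTS, CATCH_ALL))
    print("cloaked:  ", process(ATTEMPTS, CLOAKED))
```

On the catch-all domain every guess ends up in Arthur's mailbox and nothing is refused, so the guessing client is never flagged; on the cloaked domain only the one correctly addressed message is delivered and the guessing client stands out by its refused recipients.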
the best approach is twofold. Use a combination of a free e-mail account (or one
that comes with your dial-up connection from your ISP) and a personal
to the following strategy: only ever give the e-mail address on your cloaked domain
to people you really trust not to give it out to
anyone else - i.e. family, trusted colleagues etc.
If you must
register with a web site for whatever reason, use your free or ISP account address,
opt out of any "we may send you information......" options, make a note
of where you registered and your login details. Follow the same rule when filling
out paper forms. You can always stop using this account and open a new one if
it starts getting hit with SPAM. Update your registration records with the sites
you trust to reflect the new free service or ISP e-mail address.
e-mail arriving on your cloaked domain forwarded to your free or ISP account -
you can change the forwarding address at any time.
not even we, can absolutely guarantee that a domain remains SPAM-free, but a kadrex
cloaked domain at least eliminates 'harvesting' - the rest is up to you.
register a cloaked domain, call kadrex on +44 845 1668691