Some of the measures I've taken, and recommend, to reduce the volume of unsolicited commercial email you receive:

  • Filter. Filter filter filter. And then filter.

    • The first way to do this is to use an email program that has filtering capabilities. Most of the commonly-used programs, like Thunderbird, Outlook, Eudora and Pegasus, can filter your mail for you now. Check TUCOWS if your current email program doesn't have filters built in.

    • If you have access to procmail, set up filters yourself.

    • Then there's the not-free—but not expensive—service, SpamCop. They catch almost all the spam, and you can set up your own whitelist and blacklist of addresses in addition to their filters. I've been using their service for over a year now, and I love it. If you're on a lot of mailing lists, though, you'll probably want to set up a separate account for those that doesn't go through SpamCop, as they charge by volume.

  • Expect spam from any address used in a domain registration
    It's a given, so don't use an address that you don't want to have spammed. I use an address at SpamCop, because I know their filters will catch most of the spam. In the past, I used an address that I had never used anywhere else or for any other purpose, and simply ignored most of the email that went to it.

  • Remove yourself from web-based directories
    There's been some progress in this area since I first wrote this article a couple of years back. Several of the people directories are now offering the option of having yourself listed—so old friends and family can find you—but hiding your email address. People can still send messages to you, but unless you choose to reply they will not know your email address. That keeps spammers from scooping the address and adding it to their lists. I understand that BigFoot, Switchboard, and WhoWhere are offering this feature now.

    Go to all of the people directories you can find and search to see if your name is in them. If it is, and it isn't one of the ones that will shield your email address, request that they remove you from their lists. Each directory has directions for doing this somewhere on their site, although some are harder to find than others. They will probably try to dissuade you by pointing out that their terms as posted on their sites prohibit use of the information in their directories for any unsolicited email, but they have absolutely no way to enforce that and the spammers happily ignore their rules all the time.

  • Be careful in posting to usenet.
    • Munge your address for usenet posting
      Please be aware that munging is somewhat controversial—some people consider it net abuse. And it won't do a thing if you aren't using a virgin address that you have never used for any usenet post, mailing list, web site, software registration, etc.
      Change the settings in your newsreader so that your email address does not appear in the headers of your newsgroup posts. You can use something like "nospam@invalid" or whatever you like. Please be careful to be sure that whatever you put after the @ is not a valid domain,* as the spammers will add this invalid address to their list, and the UCEs they send will go to that domain and put a strain on its mail server even in bouncing the messages. You can safely use "invalid" because it will never be a valid domain. If you use a common pattern when munging your address, it isn't too hard for the spammers to write a script to de-munge your address. Some news servers will not allow posting without a valid (or valid-seeming) email address in the headers, and if you post to any moderated newsgroups you will probably have to use a valid email address there.

      I recently learned that the spambots almost never look for the address that's in the reply-to header, so it's supposedly fairly safe to put your email address there. I'm not entirely sure of this, as I know there is address-collecting software that's designed to work specifically with archives at DejaNews, and I don't know if that software scoops reply-to headers or not. I've stopped putting my email address in regular form in the body of the post, as there are automated methods of grabbing addresses there, as well. I have used the phrase "send email to cynthia at mindspring dot com" in my sig line at some times, which seems to work quite well. (If you do munge your email address, please provide your email address in some form in your .sig line or somewhere—it's simply polite to let people know who's speaking.) "Munged" addresses truly annoy some people who don't like the extra trouble needed to reply to a post. If I were seeking email in response to my newsgroup posts, I suppose that would bother me—but I prefer to discuss posts in the forum to which they were posted, so I don't mind. If you are looking for email responses to your posts, this probably isn't the best idea for you. W.D. Baseley has written an excellent FAQ that will tell you much more about munging addresses if you're interested.

    • Instead of munging your address, you could use a throwaway address to post to usenet.
      Don't do this unless you are sure you don't ever want to see any email from someone who saw your postings—in fact, I think it's only polite to note, possibly in your .sig line, that the address given functions solely as a spamcatcher and that you do not read anything sent to it. Most people set up an account with any of the free web-based email services to use this way. I use an address on my domain that is configured to go straight to the bit bucket.

    • Use an X-No-Archive: yes header for usenet posts
      The X-No-Archive: header tells the scripts for archives like Deja.com to ignore the message so it won't be archived. It's an honor system, though—there are almost certainly archives that ignore that header. Since some spammers do harvest addresses from DejaNews, it's a good idea to use this header. It won't be perfect—people who reply to your post and quote it, but who aren't using the x-no-archive header, will cause some of your post to show up in DejaNews. The headers, at least, won't be there, and your email address probably won't be there if you munged it in your from: header.

  • Take your email address out of your web browser
    Keep your valid email address out of the settings in your web browser. I don't even configure the mail server settings there, as there are no circumstances under which I send email from my web browser—that's why I have an email program that's much better than the ones I've seen in any browser. No, cookies don't grab your email address, but there are malicious JavaScripts and other methods that can get it. This one is less likely to expose you to problems than the others, but if you're really serious . . .

  • Use any filters your ISP or email provider have in place
    Ask your ISP or online service if they provide any filtering, and if they do then take advantage of it. If it's important enough to you, and they don't provide that service, either switch or put pressure on them to add that feature.

    • If you're a MindSpring customer, enable Spaminator on all the mailboxes on your account. Anytime a spam gets through the filters, forward it (with full headers) to spaminator@mindspring.com so MindSpring can improve their filters.

    • Earthlink users have an even better option—Brightmail's filtering system is available to you. It isn't installed on the MindSpring mail servers, apparently, although the filters for all Earthlink and MindSpring customers are called Spaminator. Enable Spaminator on your account, and you'll find it working much better than it does for poor legacy MindSpring customers like myself.

    • AOL users can enable filtering by changing their preferences somewhere online—under Marketing Preferences, I think, but it's been a long time since I used AOL (and they didn't offer those filters back then).

    • MailCircuit claims to offer free, completely spam-free accounts.

    • WhiteIce offers spam-free email accounts and web pages.

    • Hotmail and some of the other web-based email services also offer spam filtering now, although I don't know how well they work.

  • Be aware of what information you're providing to whom
    Don't provide personal information—including your email address—to any web site unless you would want to receive email from them. The same goes for any information requested in the meat world—I see more and more response forms requesting an email address if you have one. Some of the sites that do require that you enter an address have a selection box where you can note that you don't want to receive email from them. You can make sure you tell them you don't want the email—or you can just enter a bogus address in the first place (again, make sure that it couldn't be anyone else's valid email address).

  • Use different email addresses for specific purposes
    Some people, especially those who own their own domains, use different email addresses every time they provide an address to anyone. If they register to use Microsoft's tech support site, they'll use one address for that. They'll use another address as a contact point for an account with Amazon, and a third to register at Salon, and so on. They keep track of which addresses they used where, and if they start receiving spam at those addresses, they know who is selling the address to spammers. They can then choose to delete that particular email address and not do business with the offending organization again.

  • Be careful of mailto links
    • Redirect any mailto links on your web pages to a page explaining how to contact you without putting the email address in a format that bots can scan and grab for lists. This technique greatly reduced the number of UCEs I received when I was using it. It does make it more difficult for those visiting your site to email you, so if you're really looking for a lot of email responses from visitors it may be unwise for you.
    • Another alternative is to obscure the address using JavaScript, but you need to remember that some older browsers do not support JavaScript, and some people disable it in their browsers due to security concerns.
    • If you can use forms on your site, consider doing so. There are many free CGI or PHP scripts available, most of which can be changed slightly to conceal your address if they aren't already designed to do so. I like PHPFormMail.


  • Watch that member directory!
    AOL users should definitely go in and delete the member profiles for every one of their screen names, as spammers just love that Member Directory. Someone told me that profiles are automatically created for each screen name now, with your real name, so check even if you didn't ever create a profile yourself. Other ISPs sometimes have similar directories, so ask yours if that's the case—and if so, get your email address taken out of it.

  • Check the configuration for your mailing lists
    Some mailing list software permits people to query the list server to get all the addresses subscribed to a particular list. This, as you can imagine, is like hitting the jackpot for spammers. Good software can, however, be set up so that only those who subscribe to the list can see who else is subscribed—ask the list owner to do that. Since spammers do sometimes subscribe to lists to get around that, an even better option is to set your own preferences on the list so that nobody but the list owner can see that you are subscribed by doing such a query.

  • Keep your messages out of list archives
    Some email programs, like Eudora, can be configured to add an extra header to all outgoing messages that reads:
    Restrict: no-external-archive
    That keeps your messages from being archived for some lists. Because spammers have been known to go through list archives to harvest addresses, that may be desirable. The downside, though, is that some people only read the web-based message archives for lists hosted by Yahoo!Groups and similar organizations, and they won't ever be able to see your messages.

  • Don't trust a web-based postcard site that isn't an established, respectable company—and ask your correspondents to do the same
    I recently learned that some greeting-card sites are selling the addresses of people who send cards using their sites as well as the email addresses of the recipients. In addition, some legitimate sites are leaving themselves open to abuse. Check the privacy policy of any site you consider using.
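
The bookkeeping described under "Use different email addresses for specific purposes", as an added example (not the author's own tooling): it reads the recipient headers of messages already judged to be spam and counts which organization's address they reached. The alias table, the example.org addresses and the sample messages are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Hypothetical bookkeeping: the unique address given to each organization.
ALIASES = {
    "ms-support@example.org": "Microsoft tech support",
    "amazon@example.org": "Amazon",
    "salon@example.org": "Salon",
}

# Headers that can carry the recipient. Delivered-To is added by the
# receiving server, so it still names the alias when the spammer used Bcc.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

# Constructed sample messages, already classified as spam.
SPAM = [
    "Delivered-To: salon@example.org\nTo: friend@other.example\n"
    "Subject: offer\n\nbody\n",
    "Delivered-To: Salon@Example.org\nTo: salon@example.org\n"
    "Subject: offer 2\n\nbody\n",
    "To: amazon@example.org\nSubject: deal\n\nbody\n",
    "To: main@example.org\nSubject: misc\n\nbody\n",
]

def aliases_hit(raw):
    """Return the set of tracked aliases named in a message's recipient headers."""
    msg = message_from_string(raw)
    values = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    found = {addr.lower() for _name, addr in getaddresses(values)}
    return found & set(ALIASES)

def leak_report(messages):
    """Count spam per organization, most-leaked first."""
    counts = Counter()
    for raw in messages:
        # A message naming the same alias in two headers is counted once.
        for alias in aliases_hit(raw):
            counts[ALIASES[alias]] += 1
    return counts.most_common()

if __name__ == "__main__":
    for org, n in leak_report(SPAM):
        print(f"{n} spam message(s) reached the address given to {org}")
```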

*Use whois to check the validity of the domain if you aren't sure.
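
A pre-posting check for the Usenet advice above (munged From under "invalid", X-No-Archive: yes, no plain-form address in the body, spelled-out contact in the sig), as an added example that is not part of the original article. The function names, the address pat@example.org and both draft posts are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def spell_out(address):
    """'pat@example.org' -> 'pat at example dot org' (the sig-line form)."""
    local, _, domain = address.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"

def lint_post(raw, real_address):
    """Return a list of problems found in a draft Usenet post."""
    msg = message_from_string(raw)
    body = msg.get_payload().lower()
    problems = []

    # The From domain must end in "invalid", which can never be registered,
    # so mail sent to the harvested address never reaches a real mail server.
    _name, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rpartition("@")[2]
    if domain.rpartition(".")[2].lower() != "invalid":
        problems.append("From domain is not under 'invalid'")

    if msg.get("X-No-Archive", "").strip().lower() != "yes":
        problems.append("X-No-Archive: yes header is missing")

    if real_address.lower() in body:
        problems.append("real address appears in plain form in the body")
    elif spell_out(real_address) not in body:
        problems.append("no spelled-out contact address in the sig")
    return problems

REAL = "pat@example.org"  # constructed address

# Constructed draft posts.
BAD_POST = (
    "From: Pat <pat@example.org>\nNewsgroups: example.newsgroup\n"
    "Subject: question\n\nReply to pat@example.org please.\n"
)
GOOD_POST = (
    "From: Pat <nospam@invalid>\nNewsgroups: example.newsgroup\n"
    "Subject: question\nX-No-Archive: yes\n\nText of the post.\n-- \n"
    "Pat (send email to pat at example dot org)\n"
)

if __name__ == "__main__":
    for label, post in (("bad", BAD_POST), ("good", GOOD_POST)):
        print(label, lint_post(post, REAL))
```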



Last updated October 25, 2001

About the Author

Cynthia Armistead is a freelance technical writer, quality assurance analyst, and Internet security advocate with a broad spectrum of experience.
