Fighting Spam

Purveyors of unsolicited bulk mail buy and sell lists of email addresses and use them to send mass mailings pitching all sorts of products and services from the mundane to the obscene. Early Netizens took to calling it "spam" because it reminded them of the Monty Python skit where restaurant patrons choose from a menu made up exclusively of items like "Spam, spam, spam, spam, spam, baked beans and spam" and are slowly drowned out by a rising chorus of Vikings and other people chanting "spam, spam, spam, spam" over and over. Perhaps one day email spam will be relegated to the dustbin of Internet history. For now though, spam appears to have joined death and taxes on the short list of life's inevitable problems.

Good news/bad news

The bad news: Once you start getting spam, there's really no truly effective way to stop it. The best you can hope for is to keep the flow from increasing. If you're getting more spam than real email on an account, the best bet may be to change email addresses and be more careful with the new address.

The good news: There ARE things you can do to prevent or minimize the amount of spam you get, especially if you start clean and are disciplined about limiting behavior that promotes spam. The same applies when you start over with a new address.

Some basics

Spam exists because it's commercially profitable. Remove the profit motive and spam will evaporate.

Don't spam

Don't send spam yourself. If you send mass mailings, a joke or family holiday note for example, make sure to use the BCC field in your email program so the other addresses are hidden from recipients. Chain mail with loads of CC addresses can put these addresses in the hands of spammers.

Don't respond

Never respond to spam, even if it says you can be removed from the list. At best you're removed from this one list. At worst, and much more likely, you confirm to the spam artists that your email address is still valid, opening the floodgates for more.

Delete unread spam

It's usually not difficult to determine what's spam just by looking at the From and Subject indicators, even before opening the mail, especially if the mail is from a stranger. Subject lines will often be sexually related, offer weight loss "miracle" drugs, or try to sell mortgage packages. With practice, you will notice which subject lines you expect from your contacts and can select and delete spam mail without opening it.

Spam filters

Numerous services and enterprises have sprung up to address the scourge of spam. Most work on some kind of filtering principle, i.e. recognizing spam sources and shunting possible spam away from your regular mail stream. At this time, no one appears to have a perfect solution, but you may find one or more useful. Here are some cutting-edge anti-spam programs:

  1. Spam Sifter (PC)
    This software automatically blocks spam based on the subject lines of your email. You can also create custom filters if there's something it's not catching. The registered version is $19.95.
  2. Email Magician (Mac)
    Spam filters for the Macintosh platform are hard to come by. This filter works with Eudora and automatically blocks email based on subject lines and known spammer's email domains. The lists are completely customizable. The registered version is $35.

    Note: These links are provided as a convenience to the user and do not imply endorsement by IRT or Stanford.

Stanford provides directions for filtering incoming mail into different folders in your mail directory. It's a little hairy, but does a powerful job.

Here are some handy links to Google searches for junk email prevention and junk email to get you on your merry way to finding the filter to suit your specific needs for spamlessness.

Not so basic

Web listings

Is your address listed on the web anywhere? This is a key source for email lists. Spammers use software robots to scan public sites for "mailto:" links and addresses. This is a hard one, because it may be important to get your address to people with legitimate reasons for contacting you. There are some tricks you can do with JavaScript to make your address available but unreadable by robots. I suppose that as robots become more sophisticated, these tricks also become fallible. When dealing with spam, the mission is to keep one step ahead of the bad guys. Perhaps Thomas Jefferson was referring to spam (presciently) when he said, "The price of freedom is eternal vigilance."

A simple solution

One solution to this problem is to avoid listing people's contact information on your site's page and instead link to the person's listing in Stanford.Who. In this way, the information is accessible, but the person can control what information is available to the public, including email, phones, etc.

To do this, simply go to Stanford.Who and search out the info page for the person in question. Here's an example:

John Hennessy
(link will appear in a new window)

Here's the URL:
https://stanfordwho.stanford.edu/SWApp/detailAction.do?key=DS883L573

Note that the link format above is for the public Stanford.Who. You can also use the same technique for internal Stanford.Who, but should warn users that they need a SUNet ID. Like this:

John Hennessy
(SUNet ID required; will appear in new window)

SUNet ID holders can omit contact info from the public version of Stanford.Who, although not everyone does so. What is and isn't displayed is controlled through Stanford.You (SUNet ID required).

If you have a lot of contacts to process, you may want to try a different linking technique. Use the following form for the URL:

Public
http://stanfordwho.stanford.edu/SWApp/lookup?search=Last,+First
Example: John Hennessy (link will appear in a new window)

Private
https://stanfordwho.stanford.edu/SWApp/authSearch.do?search=Last,+First
Example: John Hennessy (SUNet ID required; will appear in a new window)

Make sure to verify that the person is in Stanford.Who before using this technique, and always check your results to make sure you get the right person (many people have very similar names).

JavaScript to the Rescue

You can use JavaScript to hide your mailto links from SpamBots*. A number of approaches have been developed, most of which can be found in Google. Here is one approach:

A typical mailto link takes this form: Jane Crayon: jane@crayon.net

Here's the code: <b>Jane Crayon:</b> <a href="mailto:jane@crayon.net">jane@crayon.net</a>

The following two techniques break up an email address into chunks that are unintelligible to most robots but are perfectly sensible to the Web user:

Method 1:

Sample: Jane Crayon:

Code:

Simply copy the code from the box above and change the jane part to your username and the crayon.net part to your email domain (e.g. stanford.edu)

Method 2:

Sample: Jane Crayon: [jane at crayon dot net]

Code:

To make use of this technique, copy all the code from the text box above and modify it to reflect the address you wish to hide, i.e. change "ja"+"ne"+"@"+"cr"+"ay"+"on.n"+"et" in both places it occurs in the code. So, for example, somebody@stanford.edu could be rendered "some"+"body"+"@"+"stan"+"ford.e"+"du".
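
The chunking idea behind Method 2, as an added example that is not the original page's code: it generates the concatenated form for any address and checks the result against a constructed stand-in for a simple robot that scans raw page source. The function names, the two-character chunk size and the harvest pattern are assumptions made for this example.

```javascript
// Added example, not the original page's code. Assumed names throughout.

// Split a string into pieces of at most `size` characters.
function chunk(text, size) {
  const parts = [];
  for (let i = 0; i < text.length; i += size) parts.push(text.slice(i, i + size));
  return parts;
}

// Turn an address into a JavaScript expression such as "ja"+"ne"+"@"+"cr"+...
// The "@" is its own piece, so no single string literal looks like an address.
function toConcatExpression(address, size = 2) {
  // Conservative whitelist: also keeps quotes and "<" out of the generated script.
  if (!/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/.test(address)) {
    throw new Error("not a plain email address: " + address);
  }
  const [user, domain] = address.split("@");
  const pieces = [...chunk(user, size), "@", ...chunk(domain, size)];
  return pieces.map((p) => JSON.stringify(p)).join("+");
}

// HTML fragment for the page: a script that writes the mailto link when the
// browser runs it. "mailto:" is split too, since robots search for that string.
// `label` is assumed to be trusted text supplied by the page author.
function obfuscatedLink(label, address) {
  const expr = toConcatExpression(address);
  return "<b>" + label + ":</b> <script>var a=" + expr + ";" +
    "document.write('<a href=\"mai'+'lto:'+a+'\">'+a+'</a>');</script>";
}

// Constructed stand-in for a simple robot: scans raw page source, without
// running scripts, for anything shaped like user@domain.tld.
function harvest(source) {
  return source.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
}

// Constructed sample: the page's plain link next to the generated one.
const plain = '<b>Jane Crayon:</b> <a href="mailto:jane@crayon.net">jane@crayon.net</a>';
const hidden = obfuscatedLink("Jane Crayon", "jane@crayon.net");
console.log(harvest(plain));   // the plain link exposes the address
console.log(harvest(hidden));  // the chunked source exposes nothing
console.log(hidden);
```

A robot that runs the page's scripts still sees the assembled address, which is the limit of this trick noted under "Web listings" above.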

* IRT only maintains top-level pages for the School of Medicine. If your address is on a Web page you don't maintain yourself, and you wish a change to your listing, you will need to contact the maintainer of the site directly.

Newsgroups

Do you use newsgroups? Newsgroups are email lists used to communicate on any topic you can imagine. Because the postings (and their sources) are typically open to the public, their use can be a major source of spam. If you post to newsgroups, you may want to set up a special email account for that purpose. See below for more about getting free email. You can also disguise your email address in your posts. With these tricks, users can determine your real email address to contact you, but robots used to gather email addresses will not get yours. Simply change the settings in your news reader to display your email address like one of the following:

DELETE_CAPS_TO_REPLY_yourname@your.com

yourname@DONTSPAMyour.com
   * delete DONTSPAM to reply
yourname@##your.com
   * delete ## to reply
yourname@your.com*
   * delete the trailing asterisk to send back a reply
yourname at your dot com
   replace "at" with @ and "dot" with . to reply

yourname@yourXX.com
   delete XX's to send back a reply
yourname@yourxyz.com
   delete xyz to send back a reply
yourname@your.org
   replace org with com to reply
yourname@yourjoke.com
   delete "joke" in the return address to reply

Hide behind an alternate address

You sometimes have to provide an address to subscribe to a site, use its services, or to buy something online; you don't have to give them your main address that your friends write to. It's very easy and recommended to set up a free email account you can give to web sites with the full understanding that it will likely become a hot target for spam.

The most popular free email services are Hotmail, Yahoo! Mail, and Netscape. Also check out this Google search for free email.

Browser Vulnerabilities

Your browser can help put you in Spam Hell. Ever registered on a site so you could use its services (pay or free)? You usually have to give your email address in exchange. These sites, even large corporate ones looking to make another buck, may use or sell your email address to spammers. If you are concerned about a particular site, look for a link (usually in the page footer) to a privacy policy, which will explain what a site intends to do with your private information.

Newer browsers include features like AutoFill and AutoComplete that simplify browsing by offering to fill in forms automatically with basic information you have provided, which of course includes your email address. While the security hazards involved here aren't clear, it's best to be prudent: remove this information from your browser if it's already there and fill in the forms you want yourself. This affects IE5+ on Mac and PC.

To turn off this feature on the Mac, in IE select "Edit > Preferences > Forms AutoFill > AutoFill Profile" and make sure that ALL the fields are blank, especially the "E-mail address" field.

On the PC, in IE select "Tools > Internet Options > Content > My Profile" and clear all fields.

Also you may want to explore the AutoComplete options and disable these for local security reasons (i.e. if you leave your computer unattended).

Regarding List Servers

Membership on mailing lists can result in spam, if the access to the list is not controlled. Check policies and practices carefully on non-Stanford list servers.

If you manage a Stanford list on Majordomo, make sure your list is protected from spammers. You want to be sure that no one who isn't a list owner can view your subscriber list.

Set your list configuration to private_who. This limits access to your list of addresses to subscribers, so it's only helpful against spammers if you also tightly control who can subscribe. The more helpful configuration is private_owner_who which can be used to prevent Majordomo from giving out your list to anyone but an owner of the list.

If you are considering subscribing to a Majordomo list, you might want to check its vulnerability before subscribing. Send an email to majordomo@lists.stanford.edu with the following in the BODY of the email (the Subject line is ignored):

who <list-name> 

where <list-name> is replaced by the list name you would use to subscribe, i.e. "who some-list-here"

If you receive an email back from Majordomo containing a list of addresses, the list is vulnerable, and you may not want to subscribe as anyone can retrieve your email address. It is also a good idea to inform the owners of the list by sending an email to owner-<list-name>@lists.stanford.edu (i.e. "owner-some-list-here" from the example above) informing them of the vulnerability.

Starting over

When you set up a new email account, try to avoid having your old account transfer email to the new address. Instead, when you're sure the new address is working, email all your active contacts your new address and ask them to update their address books. Set a date at which you'll stop responding to mail to your old address.

Stanford Email

Stanford email (recognizable by the @stanford.edu ending) offers some options for changing email addresses. Your email options are managed through Stanford.You (SUNet ID required). In addition to your SUNet login ID (example: jcrayon for Jane Crayon), you also get two free "aliases" (examples: jane.crayon, scribble.crayon). Leland turns these into email addresses (examples: jcrayon@stanford.edu, jane.crayon@stanford.edu and scribble.crayon@stanford.edu). Stanford.Who displays the information you have set as public, potentially including your email address(es).

It is very difficult to have your SUNet login ID changed once it's set. ITSS generally only does this when you change your legal name. But you can turn the email address that uses the login ID (jcrayon@stanford.edu in our example) off using Stanford.You. When you go through Stanford.You > Your SUNet Services Settings > Change SUNet IDs, you will find a checkbox next to your login ID. Unchecking this box turns off email to this address. You must have at least one alternate SUNet ID (also set on this page), and the alternate ID(s) are then new addresses you can use. If you're already using an alternate rather than your login ID, you can use the second alternate to create a new address and transition to it.

While you're in Stanford.You, you might want to review your privacy settings. If you don't want your email address(es) to be public, you can make it/them private. There's also a settings page for email and web addresses.

Stanford has also installed anti-spam software on its servers. Based on the content of the message, the software automatically identifies patterns that resemble spam. All of this occurs before you receive the message. When a message is determined to be spam, the message is sent to you with the keyword "[SPAM:###...]" appended to the beginning of the subject line. You can set up your mail program to filter such messages to a Spam folder for review before permanent deletion. For more information go to Stanford's anti-spam email page.

Non-Stanford Email

For personal email address changes, contact your ISP (e.g. AOL, PacBell, Delphi, etc.). AOL, for example, allows you up to 7 "screen names," each with its own email address. And you can always make use of the free email services mentioned to create new addresses.

Once you have a fresh address you'll probably still get the occasional spam, but if you follow the advice above, you should be able to keep it to a manageable minimum.

Standing Up to the Spammers

In recent years, the spam issue has become so grave that many countries and states have passed anti-spam legislation. If a particular spammer becomes a persistent nuisance and refuses your calls to stop sending you mail, you can bring the case to court. Generally a stern threat of suit against a particular offender will solve the problem and save you court fees. In California, for example, the worst offenders can be fined up to $25,000. Check out these sites and related articles:

Resources
