'Robots' surf Net to harvest addresses for spam e-mail
February 20, 2002
An e-mail address posted on the Internet is vulnerable to junk e-mail within hours of being online and recipients can expect to receive a lot more spam, according to a New York-based Web site operator.
In an effort to snuff out the insidious practices of Internet marketers, Justin Beech embedded a randomly generated e-mail address in the code of his Web page, dslreports.com, and concealed it so well it was invisible to the average surfer. Only a curious programmer who bothered to look at the Web page's source code would have seen the random string of letters and numbers, followed by @dslreports.com.
Mr. Beech runs the well-known Web site that follows the DSL (digital subscriber line) industry, a type of high-speed Internet access over telephone lines.
"It was an interesting experiment to see how these people find every nook and cranny of the Web. I just set it up and left it," he said.
Within eight hours, the first piece of spam arrived -- advertising a set of 10 million e-mail addresses for sale to marketers.
As the weeks went on, the supposedly hidden e-mail address received more and more junk mail, pushing everything from gas masks to stock advice, weight-loss plans, get-rich-quick schemes and, of course, lots of pornography.
Now, the address gets daily spam from hundreds of computers around the globe, suggesting the address was sold to many different people since it was posted last year. Mr. Beech tracked that first e-mail to a residential cable modem in Arizona.
Posing as a regular Internet browsing program, such as Netscape or Explorer, this home computer was in fact using a "harvesting robot," the spammer's most effective tool, Mr. Beech said.
A robot is a piece of software that trolls the Internet posing as a regular surfer but searching for strings of characters containing the @ symbol. Most of these are e-mail addresses that can be sold to marketers in vast quantities -- usually in the millions -- for use in spamming.
To combat harvesting robots, savvy Web surfers often replace the @ symbol in their address with "at," or they add the word "nospam" after the domain name to fool the robot.
It is quite easy, though, to write a program that sidesteps these security features, Mr. Beech said.
"There's clearly a lot of robots out there, scraping up every bit of information they can," he said.
He suspects most spamming is done by a few people harvesting e-mail as a full-time job, because that is the only way it could be profitable.
Robots are even more effective than "dictionary attacks," which generate e-mail addresses based on common words and names, then send out spam and hope the address is real, said Neil Schwarzman, chairman of the Canadian Coalition Against Unsolicited Commercial Email, which lobbies the government for anti-spam legislation.
He said there has been a flurry of anti-spam activity this year in the United States among such software companies as Microsoft and marketing companies, possibly because they expect Congress to enact its own legislation and they want to appear to be combatting the problem.
Yesterday, the Australian government launched an investigation into spam e-mail after the lobby group Coalition Against Unsolicited Bulk Email estimated Australian Web surfers received six times more spam in 2001 than in 2000.
Richard Alston, Australia's Information Technology Minister, said the main concerns were the overloaded computers of service providers and the pornographic nature of much of the spam.
Mark Jeftovic, co-founder of Toronto-based domain registrar easyDNS Technologies, said his company's computers process several gigabytes of spam each week and it hurts both companies and regular surfers.
"We're transporting more spam than real e-mail," he said.
He compared spamming to junk faxing and said it should have such restrictions as the required identification of the sender and, if it is being forwarded, identification of where the e-mail came from.
by Joseph Brean, National Post