How One Innocent Slip Turned an Online Security Expert into a Spam Magnet
I’ve got nothing against spam…so long as it’s clogging up someone else’s inbox.
But when you waste my time trying to sell me all kinds of crap or, worse, sucker me into wrecking the security of my computer or bank account, I’m going to do everything in my power to avoid you. And I have.
Since I first wrote and advised consumers about spam for Consumer Reports way back in 2002, when spam was still in its infancy, I’ve learned a lot about how to minimize the time spam wastes. For example:
• Don’t post your e-mail address publicly, especially not on a website.
• Don’t open a spam and don’t respond to it.
• An off-beat e-mail domain makes you less of a target (e.g. kool51.com).
• Using e-mail filters helps you get your important mail sooner.
I’ve used these, and other techniques, to keep spam under control for many years. Not eliminate it; just keep it down to a tolerably low level. Until this past spring, that is.
There I was in March, coasting along with only 3 to 5 spams per day, nearly all of which my e-mail client, Outlook, was catching. (Yes, I know that webmail can do a better job of foiling spam. But I prefer client-based e-mail, as I explained in 4 reasons not to use webmail for Consumer Reports.)
In April, without warning, my spam experienced an uptick. By May, I was averaging about 15 per day. As the chart below shows, month by month it climbed until, by mid-August, I was often getting 150 to 200 spams per day.
Where had I slipped up?
After a little research I learned that, in the course of doing me a favor, a friend had unwittingly included my e-mail address in a single tweet. That’s it. One tweet. Some 8,000 spams later, I have a far greater appreciation for that old World War II-era caveat: “Loose lips sink ships.”
Still, how was it that spammers got hold of that tweet? It’s possible that one of my friend’s many Twitter followers was actually a spammer who jumped on that tweet. More likely, though, the tweet was picked up for a reason of which many Twitter users may not be aware: All public tweets are posted on the web and are as accessible to spammers as if they were posted on the front page of NewYorkTimes.com.
To see how many others might be revealing personal e-mail addresses through their tweets, I used Google to find some of the most common e-mail addresses on twitter.com. (You can find e-mail addresses buried in tweets this way, too. Just use the search term “@gmail.com” site:twitter.com and substitute the domain or address of your choice between the quotes.)
For you would-be spammers, here’s a handy list of how many hits I found at Twitter.com for some of the largest e-mail domains. The actual number of unique addresses and users exposed this way is likely to be far smaller. But this still shows that many e-mail addresses whose owners think they are private are publicly available to spammers.
• Yahoo.com, 230 million
• Gmail.com, 102 million
• Hotmail.com, 7.5 million
• MSN.com, 2.5 million
• AOL.com, 303,000
• Comcast.net, 148,000
What to do about it
If you don’t relish the prospect of having your e-mail address harvested by spammers combing through your (or your friends’) tweets, don’t disclose it via your tweets. And ask your friends not to use your address that way, either: “Friends don’t let friends tweet their e-mail address.”
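One way to put “don’t disclose it via your tweets” into practice is to check a draft before it is posted. The following is an added example, not code from the original post: it scans a piece of text for e-mail addresses, including lightly disguised forms such as “jane [at] kool51 [dot] com”, and reports any that appear on a list of addresses you want kept off the web. The disguised-address heuristic and the sample tweets are my own constructions, and kool51.com is reused here only because the post mentions it.

```python
import re

# Ordinary address, e.g. jane.doe@kool51.com
_PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Lightly disguised address, e.g. "jane [at] kool51 [dot] com" or
# "jane (at) kool51.com". The "at" must be bracketed so that ordinary
# sentences like "we met at the park" are not flagged. Hypothetical
# heuristic constructed for this example, not from the post.
_DISGUISED = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[\(]\s*at\s*[\]\)]\s*"
    r"([A-Za-z0-9-]+(?:(?:\.|\s*[\[\(]\s*dot\s*[\]\)]\s*)[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
_DOT = re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.IGNORECASE)


def find_addresses(text):
    """Return the e-mail addresses found in text, lower-cased, in order of
    first appearance and without duplicates."""
    found = []
    for m in _PLAIN.finditer(text):
        addr = m.group(0).lower()
        if addr not in found:
            found.append(addr)
    for m in _DISGUISED.finditer(text):
        user, domain = m.group(1), _DOT.sub(".", m.group(2))
        addr = f"{user}@{domain}".lower()
        if addr not in found:
            found.append(addr)
    return found


def leaked_addresses(text, protected):
    """Return the addresses in text that are on the protected list, so the
    draft can be held back before it is posted."""
    protected = {p.lower() for p in protected}
    return [a for a in find_addresses(text) if a in protected]


if __name__ == "__main__":
    # Constructed sample drafts; no real addresses.
    private = {"jane.doe@kool51.com", "jane@kool51.com"}
    drafts = [
        "Thanks for the help! Send it to jane.doe@kool51.com please",
        "ping jane [at] kool51 [dot] com. Thanks",
        "no addresses here, cc @bob",
    ]
    for d in drafts:
        leaks = leaked_addresses(d, private)
        verdict = "HOLD" if leaks else "ok"
        print(f"{verdict:4} {d!r} -> {leaks}")
```

Because the check is a plain function, it can be dropped in front of whatever posts on your behalf (a script, a bot, a scheduling tool) and used to refuse the post when `leaked_addresses` returns anything.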
As for me, I’ve got two choices now:
1. I can stick with SpamAssassin, the server-based spam blocker from my e-mail provider, which works very well. But if I do so, I will be forced to forever update my “white list” of contacts (now numbering 165) to keep SpamAssassin from blocking them. And because I make new contacts fairly often, I will still have to regularly comb through hundreds of spams on the server just to make sure its Junk folder doesn’t contain an important e-mail.
2. Using a domain that I own, I can create an entirely new (and hitherto unknown) e-mail address and switch my entire online life over to it, which I’ve done before. In the long run, that would probably save more time than would choice #1, provided I keep a tight lid on the new address and make sure none of my friends tweet it.
So here’s fair warning to my friends: Do not tweet my new e-mail address. If you disregard this request, I may be forced to take drastic measures, such as tweeting yours!