Thursday, March 16, 2017

How I’ve Eliminated Spam Emails

Spam (junk) email is a pretty serious problem.  I haven’t seen a statistic lately, but the last time I did, it was that more than 90% of email being sent on the Internet is spam.  Yikes!  That’s absolutely awful.

You Have MailI feel a little disconnected from the problem, though.  I don’t get spam.  At least not more than a couple times a month.  And the funny thing is, it actually wasn’t that hard to eliminate it.  Without having to worry about any real email being flagged as spam, ever.

Before I jump into my solution, let’s talk about why spam is such a problem.  It basically boils down to the easy access that spammers have to email address lists.  It is trivial for someone who wants to send out mass emails to find a list of email addresses on the Internet.  They are available all over the place.  And if your address happens to be on the list, well, unless your spam filter is exceptionally amazing, you’ll be getting at least some of it.  And once your address is on a list, there’s no way to take it off.  So as long as your email address is still valid, you’ll keep getting more and more of it.

Where do these lists come from?  Based on my own experience (you’ll understand how I know this in a minute) they tend to come from web sites that have been hacked.  Many, many websites have been hacked over the years, some of them even major players – Yahoo, Adobe, LinkedIn, Dropbox, and MySpace just to name a few.  And chances are that you’re using at least one of those sites, so your email address is in a spammer’s database.  And there is, unfortunately, nothing you can do about that.

Most companies that provide email services take a reactive approach to try to eliminate spam.  That is, they put a lot of time and money into coming up with intelligent filters that will try to detect spam and delete it, or at a minimum mark it as such and stick it in a folder for you to review later.  It works – kind of – but not without a few legitimate email messages being detected as spam when they shouldn’t be. So they have to keep most of the spam around for you to review manually.  It’s an ugly solution.

So what can be done if your address is already on their lists and it can’t be removed?  How can we fight back?  There isn’t much you can do, honestly, once they have your address.  There’s no way to edit those lists.  But I came up with a solution to the problem more than a decade ago and it has worked flawlessly that whole time.

The trick is that I have my own internet domain name just for my email.  There’s no web site or any other server there – it’s just for email.  I won’t disclose what it is publically for obvious reasons, but for the sake of discussion we’ll say it is secretemail.tld.  And on that domain, I accept any email sent to any address.  (It’s called a catchall.)  So doug@secretemail.tld, junk@secretemail.tld, xyzxyzxyz@secretemail.tld, jane@secretemail.tld, etc. are all valid email addresses that all go to the same email inbox.  I get all of it, in one place.  I don’t have to create a new account for each address I give out because anything in front of the @ works.

Because anything in front of the @ is valid, whenever someone – anyone – asks for my email address, I give them something unique, usually based on who it is that is asking.  For example, if I’m creating an account at Amazon, the email address I give them is amazon@secretemail.tld.  Google? google@secretemail.tld.  Apple gets apple@secretemail.tld, and so on.  They can all send me email, and I will get it. 

(I do get some strange looks occasionally when I do this.  Or questions like, “Do you work at Target?” when giving a Target cashier that address.  Or, “Do you have an email account setup just for Jamba Juice?”  [Well, I kind of do…] They don’t get it, which is to my advantage.)

So here’s where this all pays off, though… these addresses are disposable.  And since spammers all use the same email databases over and over again, if one of those @secretemail.tld addresses that I’ve given out is included in one of those lists, I block all incoming email sent to that one particular address.  The address is thrown away and never used again.  So if LinkedIn had linkedin@secretemail.tld as my email address when it was hacked, I’ll log into the site, change the email address in that account to something else (maybe even as simple as linkedin2@secretemail.tld), then add linkedin@secretemail.tld to my block list.  LinkedIn can still communicate with me, but now the spammers that have that address cannot.  If they try, they get an “email address doesn’t exist” error before they can even try to send the body of the message. Anyone that tries to use that original, leaked email address is rejected outright, no matter what they are trying to send me.  Once the address has been compromised I block all attempts to use it.

Using this method, I get no more than a couple junk email messages per month, if that.  It is very rare.  If I do happen to get one, it is very easy to prevent the email address they’ve used from ever working again, thus cutting them and anyone else that has that address off forever.  The other upside is that I never have to worry about legitimate email messages being tossed into a junk mail folder.  Because I don’t have one – at all!

The other upside to this is that companies that intentionally share my email address also get blocked.  And they don't get a new email address from me, so I never have to hear from them again.  Anyone that abuses the privilege of having my email address loses it permanently.

I know what you’re thinking… if I accept anything sent to any address at that domain, wouldn’t that open me up to tons of spam?  Because anyone can send anything to any address at that domain and it won’t get blocked?  Well, you’d think so… but in reality that just hasn’t happened.  So far none of the spammers out there have figured out my trick, or at least if they have it isn’t worth their time to try to circumvent it.  I keep my fingers crossed, obviously…  but if someone someday does figure out my trick, I’ll find another way to keep them out… perhaps creating a simple list of addresses that I’ll accept.  But in reality, though, it isn’t worth their time to figure out a workaround.  I’m not the low-hanging fruit and their efforts are better focused elsewhere if they want a return on their investment.

Google sort-of does something similar, but it doesn’t actually help.  Anyone with a Gmail account can give out a unique address.  Google ignores anything after a plus sign in a gmail address, so if your Gmail account is, you can give out as your email address and you’ll still get the message.  The bad part about that is that spammers know this, so all they have to do is strip anything after the plus sign and they have your real email address, and there’s no way for you to know where they got your address.  So this trick doesn’t necessarily help in eliminating spam, but it can help you in identifying where someone got your email address (sometimes).

In terms of my solution, it’s kind of amazing that something so simple has worked so well.  But the truth is, that it has worked.  I still have a couple other spam protection tools installed on my server, but they just aren’t ever kicking in, and I still don't get spam.  Having a list of addresses to block that have leaked has cured the problem.

The spam problem overall isn’t going to be going away any time soon.  As long as even a handful of people click on the links, it is totally worth it to spammers to keep doing what they’re doing.  It costs so little to send out millions of emails that even if 1% of 1% click on a link, it’s worth the spammer’s investment.  And since we can’t convince that 1% of 1% to stop it, it’s just going to keep coming.  At least to everyone but me. :)

If a solution like this interests you, I can give some guidance on how to set it up (you’d need your own server and technical knowledge of how to administer it, though if you already have all of that you could probably figure the rest out on your own), or even give you some space on my server for a small fee.  Reply below and I’ll be in touch.

Google Search