SPAM: How to Avoid It & How Not to Send It

Joshua Peskay and Kim Snyder recently talked to a group of NPCC members about how to avoid sending and receiving spam.

Some computer professionals estimate that over 70 percent of email floating around is spam. By definition, spam has two primary characteristics: it is unsolicited and it is sent to multiple recipients. To read a more detailed definition, go to www.spamhaus.org/definition.html.

How to Avoid Sending SPAM

If you send email to multiple recipients who haven’t asked you to send them email, you’re sending spam. Even a well-intentioned nonprofit (not selling anything illegal or illicit) can be accused of sending spam and could be blacklisted.

Blacklisting involves about a dozen databases that contain domain names, internet addresses and email addresses that will be blocked by an ISP (internet service provider) should a message originating from that address try to go through that ISP. Read more about blacklisting at www.webopedia.com/TERM/B/blacklist.html and at www.spam-blockers.com/SPAM-blacklists.htm.

There’s only one answer to the question, “How can I send spam without being blacklisted?” The answer is, “Permission.” Create an opt-in and opt-out mechanism for users to subscribe to and unsubscribe from your emails. And respect it, with no exceptions; if a user asks to opt-out, do as he or she requests. It is recommended to keep a copy of the email permissions, because it’s a lot easier to stay off a blacklist than it is to get removed from a blacklist. When you have permission, you’re not sending spam.

How to Avoid Receiving SPAM

How to deal with spam involves your tolerance for it. If you’re only getting five to ten spam emails a day, your best bet may be simply to delete them. However, if you find that you’re spending large amounts of time dealing with spam, you probably need to investigate some of the suggestions below.

1. Never respond to spam, even if it contains an alleged “unsubscribe” link. It probably isn’t an actual way to unsubscribe and will most likely result in your receiving more spam.

2. Install antivirus software. Update your antivirus definitions daily (this can and should be done automatically) since antivirus software is only as good as its latest definitions. If your computer has only yesterday’s antivirus definitions, it won’t do any good against a new virus unleashed today. Antivirus software can be purchased through TechSoup Stock (www.techsoup.org/stock) for as little as $15 for Norton Antivirus.

3. Install a firewall on the perimeter of your network and one on every computer or workstation.

All servers should have a firewall running. It’s even better security to install a firewall in each computer or workstation so that you have double security, especially if there are peer-to-peer file-sharing functions. Microsoft Windows XP Service Pack 2 offers a relatively “quiet” firewall, as opposed to a “noisy” firewall that catches every single thing, even legitimate breaches, that cause users to spend way too much time monitoring the firewall. Other popular and free firewalls are Zonealarm and Sygate.

4. Install anti-spyware software. Spyware is software that covertly gathers user information through the user’s internet connection without his or her knowledge, usually for advertising purposes. Be cautious of free or limited-time offers of spyware because in some cases they are actually spyware themselves. Three legitimate spyware include Ad-Aware: www.lavasoftusa.com/software/adaware; MS Antispyware: www.microsoft.com/athome/security/spyware/software/default.mspx; and Spybot: www.safer-networking.org/en/index.html.

If you’re uncertain about the legitimacy of a software program you’re considering, Google it to see what the computer chatter says about it or see if it’s been reviewed at www.ZDnet.com.

5. Turn on your computer’s anti-spam filters. Most email programs have a spam-filtering component with various settings for severity. Test the settings to see if legitimate emails get caught up, and if so, try reducing your settings.

6. Educate your users. Create a policy defining how staff should deal with email attachments: when not to open, when to delete attachments, etc. Viruses frequently travel as attachments in spoofed emails and are activated if the user opens the attachment.

7. Use disposable emails or free accounts. When signing up for a free subscription or when a website requires an email, instead of giving your real email address, use a disposable email from SneakMail (http://sneakemail.com) or Mailinator (www.mailinator.com) or sign up for a free account through HotMail or Yahoo.

8. Hide email addresses on websites. People receive varying amounts of spam due, in part, to how public their email address is. If your email addresses appear on a public web page, whether your organization’s site or a public list-serv, crawlers are probably harvesting it. There are a couple of different ways to “hide” public emails that appear on websites so they can’t be harvested. One way is to spell out part of the email address or use Java script to create the email link. That way, a crawler won’t recognize it as a legitimate email.

Indiana University hosts a page offering several different ways to disguise email addresses at http://kb.indiana.edu/data/alcm.html#javascript. West Bay Web has a script for encoding email in html at www.wbwip.com/wbw/emailencoder.html.

9. For web browsing, use Mozilla’s Firefox. Mozilla’s Firefox is free, open source software that provides a greater level of security from spyware than many other web browsers, in addition to being able to block pop-up ads. Go to www.mozilla.org.

A computer user can get viruses by browsing the web, especially if virus protection software isn’t installed and up-to-date and a firewall isn’t installed. If an infected computer is acting as a zombie host (sending spam email), and your ISP (internet service provider) notices, you could be shut down or blacklisted.

Email spoofing is when a hacker makes an email appear as if it came from someone or somewhere other than it is actually from. A “spoofed” email address does not mean that your computer is infected by a virus. It means that someone out in cyberspace got hold of your address, and is using the name of your email address to send emails. A zombie is a computer that has been infected with a program that is utilizing it as a host.

Additional Readings

To read up on anything computer-related, go to How Stuff Works at http://computer.howstuffworks.com.

TechSoup offers articles at www.techsoup.org/learningcenter.


Joshua Peskay and Kim Snyder are with the Fund for the City of New York’s Nonprofit Computer Academy and can be reached at 212-590-9506 or at jpeskay@fcny.org. The Fund’s website is at www.fcny.org.

This article originally appeared in the July 2005 issue of NPCC's monthly newsletter, New York Nonprofits. www.npccny.org