In just a short few decades, the Internet has revolutionized communication, commerce, entertainment, and...crime. It’s sad, but the reality is that every pond has its bottom feeders. And the Internet is a very large pond indeed.
Some years ago, before the Internet was commonly available to home users, America Online (AOL) was an innovative service accessed by dial-up modems. It was appealing, but not cheap. Some people figured out that obtaining free access was as simple as using a program to generate a fake credit card number and using that to open an AOL account. It took AOL a few weeks to figure out that the credit card number was no good, after which another fake number got the ball rolling again.
AOL eventually put a stop to this, so, naturally, even more reprehensible practices ensued. A program called AOHell emerged. It could send a barrage of instant messages to subscribers, posing as an AOL representative, luring them into providing personal account information. Voilà, free credit card numbers. The program’s creator referred to this practice as phishing, a play on the earlier term phone phreaking, in which people tricked the telephone system into connecting free long-distance calls.
AOHell has been retired, but the basic concept is still used by thieves around the world: the use of diffuse targets (a broad swath of victims), social engineering (a plausible story), and technology to gather the information volunteered. This is the essence of phishing.
By all accounts, phishing is prevalent and highly successful. Studies done on human susceptibility to specific, concocted phishing scams have varied greatly in results, with anywhere from 3% to 70% of the message recipients being susceptible. But even if just one person in a hundred falls prey, with the number of people online today, the number of potential victims is astounding.
You are certain to run into many categories of online fraud, of which classic phishing is just one. We list a few of them here. Regardless of the con, the criminals are after one of the following things:
Your personal and financial information—You’ll give it to them, and they’ll use it to go on a spending spree or will sell it to other criminals.
Your money—You’ll send them money and get nothing in return.
Your computer—You’ll follow a link to a bogus website or even a legitimate website that’s been hacked. Your computer will get infected with a virus just by viewing the web page, in what’s called a drive-by attack. The criminals will record your keystrokes to get your password and banking information, or they’ll use your computer to commit any number of online crimes: sending spam, collecting information stolen by phishing, launching denial-of-service attacks, breaking codes and passwords, committing “click fraud”.... The list goes on and on.
It’s pretty ugly stuff. The following sections detail a few of the techniques criminals use to lure you in.
An email arrives seemingly from an organization or business that you’re actually affiliated with. The email says something significant has happened. There is endless variety to the messages used, but the goal is always to arouse your curiosity, your concern, or both. Here are some examples:
Your account was suspended due to suspicious activity. You need to respond immediately to restore your account.
A sum of money was posted to your account; can you confirm it?
An expensive online purchase you made is on its way to you.
Someone tried to change the password on your account. Click the link if it wasn’t you. (This is a clever one. It seems as though it might be safe to confirm that you didn’t do anything.)
You receive instructions to log on to a website to confirm or deny the activity. It’s a phony website, decked out to look just like the real one, and you’ll be asked to provide personal information to log on. Of course, this scam works only if you actually have an account with the purported sender. They don’t know if you do or not. But that doesn’t matter. They send millions of these emails, so they’ll hit plenty of actual customers just due to the numbers.
You get an email, Facebook message, or other online message from a friend or relative who’s traveling or is in jail and has lost his wallet and passport. He is apologetic but desperate, and needs you to wire some money urgently. The message really is coming from your friend’s account, which has been taken over by a criminal who bought the username and password online from other criminals who use software to guess passwords.
Tip
If you don’t want your email or social networking account used to try to con your friends, don’t use the same password on multiple websites. If hackers break into one poorly protected website and steal the username and password list, they’ll use it to break into your accounts on other websites. Most people use the same password everywhere, so this pays off in a big way. Hackers get your password by hacking into some poorly protected, little online business site (such as Adobe Corporation’s, for example, from which hackers lifted 3 million email addresses, passwords, and security questions in 2013), and then they use that same password to get into your Facebook account, email account, bank account, and so on.
You are invited into an exchange in which someone will send you money, and you’re to send them less money back. For example, you post something for sale on Craigslist, usually something for which you’re asking at least several hundred dollars. Someone wants you to ship the item to them, and it’s quite a distance. They offer to pay with a cashier’s check or money order made out for the amount of the item plus plenty more to cover whatever shipping will cost, and you’re supposed to send the leftover money back to them. The money order or cashier’s check will turn out to be phony, but you won’t find out until after you’ve sent them the change.
There is a large sum of money in an account in a distant foreign country. A very respectable, high-ranking person is looking for help getting it out of that country into yours, and he found you. He will split the sum with you in return for your help. If you respond, it will turn out that you will have to wire him money to help cover his expenses in getting the process started. (I got one of these letters by postal mail once, actually from Nigeria. I kept the stamp. It was beautiful.)
It’s your lucky day: you won the lottery, airplane tickets, a chance to be on a TV show, a magazine subscription, a mail-order bride.... Well, whatever it is, it’s free, valuable, rare, and exciting. You’ll just have to provide a credit card number to cover shipping and handling.
An email arrives from a plausible source: the post office, a shipping company, or an online reseller such as Amazon. The email makes it sound as if you’re about to miss something important, and it has an attachment that contains an important invoice, a past-due notice, instructions for picking up a package, a confirmation of a tax refund, or some such. It’s just interesting enough and plausible enough that you open the attachment to see what it is. A virus then takes over your computer.
There really is no end to the inventive means that criminals come up with to part you from your money. Most seem laughably obvious—the bad grammar and spelling, the incorrect information, the implausible scenario.... However, I promise you that one day, one will slip by your internal BS detector. It has happened to me and it will happen to you. You won’t even think about it. You’ll just click and....
You can just hope that before you type in your banking password or your credit card number, you’ll have a second thought and will want to find out if the thing is real or not. That can take a bit of investigation, as we discuss in the next section.
A typical phishing email tends to report that some activity has taken place in your account with a specific organization: a password was changed, a deposit or withdrawal was made, money was transferred, a shipment was made, or an important message is waiting. The email requires that you click a web link to attend to the matter immediately, to confirm the activity, or to deny that you initiated it. Now, you’ll know right away it’s phony if you aren’t actually affiliated with the bank or company in question. But if you are affiliated, you might not know whether it’s a fraud, at least not right away. You have to look deeper.
Figure 34.1 shows an example of a rather sad attempt I found in my inbox.
On the surface, it appears my bank is worried about frauds and spoof reports (whatever that means), so they want me to sign in to confirm my password and banking information. I don’t think so! The language is peculiar and the bank’s logo is missing. No legitimate corporation would let an email go out so badly written.
So, this one is pretty clearly a fake, but some phishing letters are actually pretty good. Let’s see what other clues there might be to tell us this letter isn’t legitimate.
Caution
The phishing lure’s aim is to trick you first into opening the email and then clicking a web link and divulging your banking password. In other cases, criminals exploit bugs in web browsers, PDF viewers, and media players to create websites that put viruses and spyware onto visitors’ computers just by opening the site. These are technically called drive-bys, because you get hit just for being in the wrong place, without even typing anything. We talk about these more in Chapter 31, “Protecting Windows from Viruses and Spyware.” The take-away message is, it’s best never to even click a link in an email if you have even the slightest suspicion about it.
The main clue that this email is not the real deal lies in the web link. The word HERE is innocuous, and in most phishing emails the links look absolutely legitimate. It doesn’t matter either way; the displayed text is not the actual “active” address inside the link. It doesn’t matter what any blue underlined text says, because the text you see is just an arbitrary description of the underlying actual URL. Before you click a link in any email that seems even the least bit suspicious, look to see where any link it contains would take you. Here’s how to check:
1. If you’re using the new Microsoft Edge (Modern-style) browser, select the ... item at the right side of the navigation menu; then select Open with Internet Explorer.
2. In Internet Explorer, hover the mouse over the link, and then look in the status bar in the lower-left part of the browser. A URL should be displayed there. If the URL looks bogus, it is bogus. Stop! But this text can be easily forged. If the URL looks reasonable, don’t trust it yet. Instead, proceed to step 3.
3. Right-click the link and select Properties. If the link is too long to fit in two lines, you might not see it entirely, but if you click and drag over the link, it will scroll to display the entire link.
Alternatively, right-click the link, select Copy Shortcut, and paste the copied text into Notepad or Word.
If the URL display says something like onclick(); rather than a recognizable URL, the link’s target is determined by script programming inside the email or web page, and you can’t easily or reliably determine where it leads. If you see this, treat the email as very suspicious. (Scripting of clicks isn’t evil by itself, but because you can’t see what the script will do if you click the link, you have to assume the worst.)
If the actual URL doesn’t look like it leads to the organization you expected, stop! And even if it looks reasonable, you should examine it carefully, as we will explain.
In my sample phishing email, I found that the real link was this:
http://bofamerica.online.tc/sitekey/
The bofamerica part does seem plausible, but look at the domain name, the part between // and the first /. Start at the end of the domain name and work backward. The .tc at the end is a dead giveaway. .tc is the country code for the Turks and Caicos Islands. It’s a lovely place, but Bank of America isn’t based there!
A domain name that is clearly invalid is a dead giveaway that this email is bogus. An all-numeric address like http://64.101.32.1012/bankofamerica.com would also have been a sign of an invalid site location. Corporate websites never use numeric addresses.
Finally, notice that the link starts with http: instead of https:, so it’s not a secure web page. No truly secure login page starts with http:.
So this phishing email gave itself away as a fraud; however, some are not so easy to spot. Sometimes the email’s language and formatting are perfect, and only by looking at the URL do you see a clue.
Tip
The commonly recognized site names that end with suffixes such as .com, .org, and .gov should be immediately preceded by the core organization name and immediately followed by a slash (if anything). Some examples of normal URLs include the following:
https://accounts.mybanksite.com/mainpage.asp
Here are some URLs that are likely malicious:
http://www.mybanksite.com.elsewhere.com/
http://www.elsewhere.com/mybanksite
http://www.mybanksite.com.xx/, where xx is not your country code
http://202.12.29.20/mybanksite.com/
Don’t enter account, password, or personal information into a web page that uses the http: prefix. If it doesn’t start with https:, consider it suspicious. And a legitimate corporate domain name is owned by the corresponding company. See “Whois Database” at the end of this chapter for a way to find out who actually owns a domain name.
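The following Python script is an added example, not part of the chapter, that applies the checks just described (https prefix, numeric address, domain name read backward from the end, country code, decoy use of the real name) to a link target copied out of an email. The bank domain mybanksite.com, the home country code, and the registrable-domain rule are constructed simplifications; a production checker would use the Public Suffix List.

```python
"""Added example (not from the chapter): apply the chapter's link checks to a URL.

The registrable-domain rule is a deliberate simplification: the last two labels,
or three when a two-letter country code follows a generic label such as "co".
A production checker would use the Public Suffix List instead.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed sample values: the bank's real domain and the user's country code.
EXPECTED_DOMAIN = "mybanksite.com"
HOME_COUNTRY_CODE = "us"
GENERIC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(host: str) -> str:
    """Work backward from the end of the host name, as the chapter suggests."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in GENERIC_SECOND_LEVEL:
        return ".".join(labels[-3:])          # e.g. mybanksite.com.xx
    return ".".join(labels[-2:])              # e.g. mybanksite.com


def is_numeric_host(host: str) -> bool:
    """True for bare IP addresses, including malformed all-digit ones like 64.101.32.1012."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(host) and all(ch.isdigit() or ch == "." for ch in host)


def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> List[str]:
    """Return a list of warning strings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""

    if parts.scheme.lower() != "https":
        findings.append("not https: anything typed into the page travels unencrypted")

    if not host:
        # e.g. a link whose target is onclick(); or other script, not a URL at all
        findings.append("no host name in the link target; destination cannot be determined")
        return findings

    if is_numeric_host(host):
        findings.append(f"numeric address {host}: corporate sites do not use bare IP addresses")
        return findings

    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized characters in the host name; inspect each letter")

    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append(f"registrable domain is {actual!r}, not {expected_domain!r}")
        tld = actual.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld != HOME_COUNTRY_CODE:
            findings.append(f"ends in country code .{tld}, which is not where the organization is based")
        core = expected_domain.split(".")[0].lower()
        if core in url.lower():
            findings.append(f"{core!r} appears in the URL only as a decoy, not as the real domain")
    return findings


if __name__ == "__main__":
    for sample in (
        "https://accounts.mybanksite.com/mainpage.asp",
        "http://www.mybanksite.com.elsewhere.com/",
        "http://www.elsewhere.com/mybanksite",
        "http://www.mybanksite.com.xx/",
        "http://202.12.29.20/mybanksite.com/",
    ):
        print(sample, "->", check_link(sample) or ["looks normal"])
```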
Although the astute observer might not fall for the particular phishing email I got, it’s highly possible that a bleary-eyed, unsuspecting computer user who has not yet had morning coffee might miss its warning signs. This is where Microsoft’s SmartScreen Filter comes in. Figure 34.2 shows what is presented when the link is clicked.
When IE’s SmartScreen Filter is enabled, Internet Explorer sends every URL you click to Microsoft for screening against a list of known fraudulent or virus-infested websites. In the case of this phishing email, Internet Explorer has communicated in no uncertain terms that it is a known dangerous site. It provides the option to continue to the web page, if desired, but it explicitly states that clicking the link to proceed is absolutely not recommended.
To be sure that the SmartScreen Filter is enabled, open Internet Explorer, click the gear (Settings) icon in the IE toolbar, and then select Safety. If the pop-up menu contains the choice Turn Off SmartScreen Filter, it’s currently on, and you don’t need to do anything. Just press Esc or click outside the IE window. Otherwise, select Turn On SmartScreen Filter.
Then open the Microsoft Edge browser. Click the ... item at the right end of the navigation bar, select Settings, and then scroll down to the Services section. Be sure that Help Protect My PC from Malicious Sites... is turned on.
As stated earlier, when the filter is enabled, every URL you view is sent to Microsoft for checking against a list of known bad sites. This list is built up by feedback from users, information gathered from spam, and presumably is verified by Microsoft staff. When a site is under investigation, Internet Explorer might prompt you to “vote” on your feeling about the site’s safety.
Does SmartScreen slow down your web surfing? Not by much, if at all. When you browse to a website, Internet Explorer starts downloading the site’s content, and it sends the URL to Microsoft’s SmartScreen servers at the same time. The amount of information exchanged is very small, and IE continues to download content while SmartScreen is checking. If the response from SmartScreen is delayed, IE may still decide—based on its analysis of the web page content itself—to go ahead and display the page, so you don’t have to worry that if Microsoft’s servers go down, you’ll be stuck.
If the SmartScreen Filter flags a site that you know is safe, click the down arrow next to More Information in the warning screen. You can tell Microsoft that you think the site is legitimate by clicking Report That This Site Does Not Contain Threats. You can continue past the warning to view the site by clicking Disregard and Continue.
If you find that the SmartScreen Filter fails to flag a site that you feel is fraudulent, or if it does flag a site that you know is safe, you can report the error back to Microsoft. This will help other IE users.
Here’s how to report an error:
1. If you’re using the new Modern-style Microsoft Edge browser, pause for a moment. If you’re reporting a site that wants to install malicious software (that is, the site brought up a message from an antivirus program or from Windows Defender), just close the page and stop. Don’t proceed.
2. If you want to report phishing, select the ... item in the navigation bar and select Open in Internet Explorer.
3. In Internet Explorer, click the gear (Settings) icon in the IE toolbar; then select Safety, Report Unsafe Website.
4. Check the relevant boxes, and enter the “captcha” letters at the bottom of the page, which proves that you are a human being and not software that is trying to scam Microsoft. Click Submit.
Caution
Internet Explorer’s SmartScreen Filter tries to make educated guesses about the validity of URLs, but in reality, it’s only as good as Microsoft’s list of known phishing sites. Don’t rely on it entirely! Be very skeptical. If you suspect that an email allegedly from one of your financial institutions or organizations is not legitimate, don’t click any links in the email. Instead, visit the organization’s website directly, by typing its URL yourself, or call your bank and ask if the email is legitimate.
In addition to the SmartScreen Filter, all web browsers should display a lock icon when you are viewing a site whose data is encrypted in transit, and whose identity is at least reasonably assured. The lock icon is displayed right next to the URL it describes, as shown in Figure 34.3.
You can view the site’s certificate information by clicking the lock icon, and it will show up against a red background if there is anything odd about the site’s certificate.
The lock section of the address bar is shaded green if the site’s identity is (reasonably) assured with Extended Validation (previously High Assurance SSL) certificates. This indicates that the site has submitted to a rigorous identification process and has paid for the new certificate type.
On the other hand, a new trend on the Web will make bad URLs harder to spot: Internationalized Domain Names (IDNs). Until recently, you had to worry about only your native alphabet or character set in the URL bar, but now you can get international character sets that could look similar to something in your native language yet be a different site entirely. Would you think it was safe to visit http://www.päypal.com? Use a keen eye to watch for accent marks and oddly shaped characters!
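As an added example that is not part of the chapter, this Python script shows what a browser actually sends for an internationalized name and why the accented name above is only the easy case: a label built from a different alphabet, such as a Cyrillic а in place of a Latin a, looks identical on screen but encodes to a completely different "xn--" name. The script-detection rule (first word of each character's Unicode name) is an assumed approximation, and the host names are constructed samples.

```python
"""Added example (not from the chapter): inspect a host name for IDN look-alikes."""
import unicodedata
from typing import Dict, List, Set, Tuple


def to_unicode_host(host: str) -> str:
    """Return the name as a browser would display it; "xn--" labels are decoded."""
    host = host.lower().rstrip(".")
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def to_ace_host(host: str) -> str:
    """Return what DNS actually resolves: IDNA turns each non-ASCII label into xn-- form."""
    return to_unicode_host(host).encode("idna").decode("ascii")


def label_scripts(label: str) -> Set[str]:
    """Approximate the writing system of each character by the first word of its Unicode name.

    "LATIN SMALL LETTER A WITH DIAERESIS" -> LATIN, "CYRILLIC SMALL LETTER A" -> CYRILLIC.
    Digits and hyphens are script-neutral and are skipped.
    """
    scripts: Set[str] = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def assess_hostname(host: str) -> Dict[str, object]:
    """Report the displayed form, the wire form, and whether the name deserves a second look."""
    shown = to_unicode_host(host)
    ace = to_ace_host(host)
    per_label: List[Tuple[str, List[str]]] = [
        (label, sorted(label_scripts(label))) for label in shown.split(".")
    ]
    non_ascii = shown != ace            # any label needed xn-- encoding
    mixed = any(len(s) > 1 for _, s in per_label)   # one label mixes alphabets
    return {
        "displayed": shown,
        "ace": ace,
        "label_scripts": per_label,
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "suspicious": non_ascii or mixed,
    }


if __name__ == "__main__":
    # Constructed samples: the chapter's accented name and a cross-alphabet look-alike.
    for sample in ("www.paypal.com", "päypal.com", "xn--pypal-4ve.com"):
        print(assess_hostname(sample))
```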
If you use a public computer, for example, a computer in a library, an Internet cafe, or even a friend’s house for that matter, you should be concerned that the computer might be infected with viruses that may monitor your activity and steal your information. Never use a public computer to conduct banking or work with sensitive information. Think twice even about checking your email or social networking account; your logon name and password might be recorded and collected by criminals before you even sign out.
If you do use a public computer to conduct personal business, consider using InPrivate Browsing, in which Internet Explorer deletes all information about your browsing activity when you close Internet Explorer. To use it, select Tools, InPrivate Browsing from the menu. Close Internet Explorer when you’re done. If you use the Microsoft Edge browser, click the ... icon at the right side of the window, then select New InPrivate Window. Be sure to close Edge when you’re finished working.
If InPrivate Browsing doesn’t work with the site you’re using and you have to use Internet Explorer in its normal mode, be absolutely sure to sign out of any website you logged on to. And when you’re finished, clean up Internet Explorer’s cache of retained information before you walk away, using these steps. We give the instructions for Windows 10. (Previous versions of Windows and other web browsers have similar tools. You’ll have to hunt for them.)
If you’re using the Microsoft Edge web browser, select the ... item at the right end of the navigation bar, select Settings, and scroll down to the Privacy selection. Click Clear Browsing Data. Check all the items, and then click Delete.
If you’re using Internet Explorer, click the gear (Settings) icon on the toolbar, and then select Safety, Delete Browsing History. By default, Temporary Internet Files and Website Files, Cookies and Website Data and History are checked. Check Form Data and Passwords as well; then click Delete.
Authentication is the process of proving that you are who you claim to be. The frequent use of bogus websites demonstrates the need not only for users to prove their identity to a site, but also for a site to prove its identity to the users. One way to accomplish this type of two-way authentication is for a user to choose a secret symbol, such as a small picture of a tropical sunset, which is known only between the user and the site. Henceforth, whenever that user visits the site, that tropical sunset picture is displayed alongside the rest of the site information. A malicious site replica will not know which symbol to produce, so even if a user is tricked into visiting one, it will be clear that the site is not authentic. Sounds like an improvement, and it is. Many financial institutions are using this system now, and you may already have seen it in action.
The system works by placing a unique signature on your computer. When you visit the site and provide a valid account name, the site checks this to see whether your computer has been used successfully before. If it has, the picture of the sunset (for example) is displayed along with the password prompt. You will recognize the picture, know it’s the right site, and type in the password. Nice plan. But what if you are at a computer that you don’t usually use? In that case, you will be asked to answer some additional security questions before the site will display the secret symbol and ask for your password.
The most pervasive example of single-factor authentication is having a password to prove that you are who you say you are. Two-factor authentication involves both something you know and something you have. A password or PIN is something you know. Something you have can come in many different forms but is usually either an electronic token (device) of some sort, which displays a frequently changing code number, or a biological property, such as your fingerprint or retina, that can be used to identify you. Another two-factor technique that’s become common is a one-time code that’s sent to you by text message, or less often, by email. (In this case, the thing you have is your phone or a separate logon on a different web service.)
Using two factors to prove who you are is much better than using a password alone: Whereas a password can be electronically stolen, obtaining both a password and a unique physical device—or a finger, for that matter—is substantially more difficult.
Tip
If your bank, email provider, social media site, or any other website you use offers text message or emailed two-factor authentication on its website, be sure to sign up for and take advantage of it. It greatly reduces the chances that a security breach somewhere else will compromise your information and money.
One challenge with two-factor authentication is that the computer must be capable of validating the “something you have.” For example, to scan your finger for authentication, the computer must be equipped with a fingerprint reader. To use a special electronic token, you need a piece of equipment that can validate the token. When you consider that some institutions have millions of customers, the cost of extra hardware adds up.
Windows includes built-in support for new and better two-factor security devices such as biometric readers, so hopefully the use of this sort of equipment will increase. (On the other hand, with all the large-scale data thefts we see these days, I doubt that even these security measures will be useful in the long term. Once “XXX Corp.” accidentally leaks a few hundred million electronic fingerprint records, the scheme won’t be worth using anymore.)
Because no centralized or standard system exists for managing usernames and passwords across different websites, users are forced to improvise solutions for managing their various electronic identities. The solution most people employ is to just use the same password on every site. Unfortunately, doing so is extremely risky. Just one data theft from one of the sites or vendors you use will expose your “favorite” username, email address, and password (and more) to the world.
A different, complex password for every site is the right way to go, but it’s impossible to remember them all. You might end up cutting and pasting the information from a Word document every time you log on, but this is incredibly unwieldy, and most people end up going back to the one-password-everywhere-who-would-care-about-my-data-anyway method.
You can take up your web browsers’ offers to memorize passwords for you, and that’s a partial help, but you’re still stuck keeping manual records of your passwords for when you travel and as a backup.
There’s another way, though, using third-party tools. Password-management programs keep track of all your various usernames and passwords, and store them in a safe, encrypted format. They often have browser-integrated features that, with your permission, automatically fill in your credentials by site. Programs such as Roboform, LastPass, and 1Password provide one-click logons and enable you to use diverse and more complex usernames and passwords because you don’t have to remember them. However, you can still get them out of the program when you want to. It’s nice to know that with so many people focused on making life difficult with malware, innovative and pragmatic software developers are making life on the Web easier.
Email users of the world are no doubt nostalgic for a time when Spam was just a tasty pork product. Now it is the scourge of email systems throughout the world, as unsolicited email messages from an ever-increasing number of junk-mail senders congest mail systems and take up space on our computers. Spam is such a problem because, on the scale of subversive electronic activities, it is fairly easy to do, fairly difficult to be caught, and very inexpensive for the sender. Despite ridiculously low response rates, spammers continue to dupe shady advertisers into paying for it.
Although the most important cost involved with spam is in human time—time spent reading, deleting, and devising ways to fight it—there’s actually a huge environmental cost as well: To filter out the estimated 95 trillion junk emails sent in 2010, computers burned through enough electricity to generate more than 28 million metric tons of CO2 emissions.
Thankfully, antispam technology continues to get better, and you can take several practical steps to both make spam less of a nuisance and reduce the risk that it will lead to even more serious problems, such as email-borne viruses or information theft.
Tip
To make it more challenging for spam tools to guess an email address, use uncommon combinations instead of common naming conventions. Although it’s less intuitive than [email protected], using initials and meaningful (to you) combinations of numbers, such as [email protected], makes you a more difficult spam target.
If you want to avoid spam, it helps to understand a bit about how you get targeted in the first place. Spammers generally find email addresses by harvesting them from public sources, such as message boards or web pages. They buy them from website operators who aren’t above selling email addresses they’ve collected from visitors, registration pages, or guest books. They may distribute virus software that steals email address books from victims’ computers. They also use special programs called spambots to methodically crawl the Web for email addresses wherever they might be. Then, because they’re not above scamming their own customers, they pad their lists with a huge percentage of email addresses they just make up using common names and domain suffixes. Because little cost or penalty is associated with sending spam to the wrong email address, spammers trade and compile enormous email lists, with many incorrect and probably some legitimate addresses as well. If your email address ends up on one of these lists, it will probably stay there, so the best defense is to keep your email address off the list in the first place.
The best way to avoid getting on spammers’ lists is to share your email address only when necessary and only with the trusted few. One of the simplest ways that information is inadvertently shared is bad email etiquette. When you send a single email to multiple people, it’s best to use the Bcc field and keep the names out of the To and Cc lines. The exception to this rule is when you are on a private network, such as a corporate email system, where the email will not generally travel over the Internet unprotected.
Another way to reduce spam is to use multiple email addresses for different purposes. One email address could be a primary address for trusted friends or merchants, and another could be for sites that are less familiar, or for times you need to register with a site for a one-time use. Keeping one address for important communications and another for “junk email” not only is effective at reducing spam, but also can help protect you in other ways. In the phishing example earlier in this chapter, an email arrived from PayPal at my junk email address, yet I knew I had provided PayPal with my trusted email address, so it was a clear red flag. This approach works even better if you have yet more-specific email addresses for important lines of communication. Free email address services abound. Many of them have good spam-filtering capabilities, so they make good choices for a junk email address. (I’m very impressed with Gmail.)
Note
Here’s an unsolicited plug: In my experience, the spam filtering provided by Google’s Gmail and the related Google Apps for Business is absolutely amazing, filtering out about 99.98% of the 1,000 or so spams targeted at my email address each day. About 900 of these are refused outright; that is, the Gmail email server recognizes that the email sender is a virus or known spam program and won’t even allow it into their system. Of the remainder, less than one per day makes it into my Inbox; the rest are automatically categorized as spam and filed accordingly.
In the past year, only a couple dozen legitimate emails were incorrectly categorized as spam, and only one was a personal email; the rest were bulk mailings from companies that I’ve done business with. That’s an incredible success rate, and it’s far better than any of the other online email services I use—some of which are abysmal.
Better yet, some email systems let you add a suffix to your email address. For example, if my address is [email protected], I can also use [email protected] and [email protected]; in fact, I can use brian+anything@myisp.com. If you have such a service, make up a distinct email address every time you register your email address on a website. Then, if one of these appears in a spam list, you can block just that address and never be bothered by it again. (And send a nastygram to the website owner while you’re at it.)
Despite good faith and antispam tactics, an email address will eventually receive some spam. Spammers might be innovative, but equally innovative people are at work preventing spam from taking valuable time away from your life. Spam filters analyze email and relegate spam to a junk mail folder or the like. They use various methods, including some similar to other antimalware programs, to detect and get rid of spam before it hits your inbox. All online email service providers, such as Yahoo! Mail, Gmail, and so on, provide free spam filtering as a matter of their own survival as much as for good customer service. Filtering spam at the server level is actually more effective than filtering it in your own computer, because servers will typically receive the same spam email for thousands of customers at once, giving it a higher profile.
Windows Live Mail, a free downloadable email program you can get from microsoft.com, has a built-in junk mail filter and some powerful tools for dealing with spam. Microsoft Outlook, which is part of the Office productivity suite, includes spam filtering. Most third-party email programs offer spam filtering as well.
You may also install an aftermarket spam filter as an add-on. It runs as a local proxy between your email program and your mail server, tagging or removing spam before the program ever sees it. There are even some plug-in hardware devices that protect from spam at the network level.
If you still get large quantities of spam, you might consider changing email providers. Or you might keep your current account and have it forward all of your email to an account on a service with better filtering. Then read your email on the second service.
Spammers have hundreds or maybe thousands of tricks up their grimy sleeves to bypass filters. Still, you can do plenty of simple things to limit exposure and reduce junk email in its various forms.
Some spammers appear repentantly courteous. That is, they have violated your inbox by being there uninvited, but now that they have your attention, please don’t be offended, because you can simply click this link to opt out of receiving any more spam from them. Honest.
Do not reply to spam, and do not click an “opt out” link it offers. By clicking the link in an attempt to stop receiving spam, you are confirming that your email address is good. You are just increasing your value as a spam target, and your spam level likely will increase. In fact, it’s a good idea to never respond to spam, especially to buy anything. Although it is possible some well-intentioned but ill-advised vendors are using spam to sell legitimate products, all purveyors of spam are suspect simply because of the insidious nature of the communication: unsolicited, unauthorized, unwelcome, and often illegal. Avoid spam like the plague it is. If you suspect an email message is spam, you’re probably right. Don’t opt out. Don’t even open it (an email program that loads remote images confirms your address to the sender just as surely as a click does); just delete it.
Read the terms of use and privacy policies when you register with a website, to make sure the site will not sell or share your information. Often at the end of the form are preselected check boxes indicating that you’d love to receive email from them, their sponsors, their affiliates, and so on. Clicking those boxes is considered opting in and permits them to legally bombard you with spam. Many spammers disregard the law anyway, but it’s never a good idea to give them carte blanche with your inbox.
The right way for an upstanding website to manage an email list is called confirmed opt-in, and you’ve probably used it before. Good citizens of the Internet will not start sending email to you until they have confirmed, by receiving a reply from your address or a click on a link that was sent only to it, that you actually want it. Without such confirmation, anyone could type your email address into a hundred different Send Me Mail forms, some of which are perhaps distasteful, and every day you’d have an inbox full of junk. This is such an important premise that, in general, if it’s not a confirmed opt-in, it might as well be spam.
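As an added illustration of what confirmed opt-in looks like on the website’s side (example code, not from the book or from any particular mailing-list product), the following Python class issues a signed, expiring confirmation token and adds an address only when that token comes back intact. The `MailingList` name and the https://list.example link are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class MailingList:
    """Confirmed (double) opt-in. A sign-up request only mails a signed token to
    the address; the address joins the list when that token comes back unchanged,
    which proves the person who reads that mailbox asked for the mail."""

    def __init__(self, secret_key, ttl_seconds=24 * 3600):
        self.key = secret_key          # server-side secret, never sent to anyone
        self.ttl = ttl_seconds         # how long a confirmation link stays valid
        self.subscribers = set()

    def _sign(self, email, expires):
        # Bind the signature to both the address and the expiry so that neither
        # can be swapped for another without invalidating it.
        msg = f"{email.strip().lower()}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, now=None):
        """Called when someone submits the sign-up form. Returns the token that
        goes into the confirmation link mailed to `email`. Nothing is stored,
        so a stranger submitting your address cannot get you onto the list."""
        now = int(time.time() if now is None else now)
        expires = now + self.ttl
        return f"{expires}.{self._sign(email, expires)}"

    def confirm(self, email, token, now=None):
        """Called when the confirmation link is followed. Rejects malformed,
        expired, or tampered tokens, including one minted for another address."""
        now = int(time.time() if now is None else now)
        try:
            expires_str, sig = token.split(".", 1)
            expires = int(expires_str)
        except ValueError:
            return False
        if now > expires:
            return False
        expected = self._sign(email, expires)
        # Constant-time comparison so the check cannot serve as a timing oracle.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False
        self.subscribers.add(email.strip().lower())
        return True


if __name__ == "__main__":
    ml = MailingList(secrets.token_bytes(32))
    token = ml.request_subscription("brian@myisp.com")
    # Hypothetical confirmation link for the example.
    print(f"mail this link: https://list.example/confirm?email=brian@myisp.com&token={token}")
    print("confirmed:", ml.confirm("brian@myisp.com", token))
    print("token reused for another address rejected:", not ml.confirm("victim@myisp.com", token))
```

Because the token is an HMAC over the address and expiry under a server-side key, the site does not have to keep a table of pending requests, and a spammer cannot mint a token for your address or reuse one that was issued for someone else.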
Note
Several Internet sites have evolved to fight electronic chain letters, spam, and especially urban legends that compel so many people to send massive amounts of ultimately groundless email. Snopes.com has emerged as an excellent source to determine whether an email is fact or fiction. Use it often. Your friends and relatives will thank you.
Junk email can come from the most unlikely sources. Well-intentioned relatives bent on protecting their loved ones from syringes on movie seats, international kidney thieves, or cancer-causing agents in shampoo are responsible for a type of spam that’s hard to avoid because, although it might be tempting, you don’t want to filter everything that comes from them. And if you feel the urge to forward a tantalizing or tender tidbit, before asking others to spend time reading the message, take a moment to search and make sure it’s true.
So far, this chapter has taken the Aikido route to spam and fraud defense: avoidance and being “like water.” Among our many techniques, we sidestep dangerous links, make email addresses slippery to spambots, and use identity management software to leave would-be keyloggers with nothing. These are useful defensive techniques, but sometimes an offensive approach to vanquishing online foes is more effective and satisfying. Some spammers can be identified and extinguished. Once discovered, phishing sites can be quickly put out of business.
Many commercial Internet sites provide readily available tools to report suspicious activity. For example, eBay and PayPal request that you forward suspected fake emails to spoof@ebay.com or spoof@paypal.com, respectively. They will quickly take appropriate action. Responsible sites display security or fraud-related links on the front page, so you can easily find their preferred mode of communication. If you suspect a phishing scam, consider taking a moment to find the right email address and report it. You may save someone else a lot of heartache and will validate your own “sleuthiness.” If you stumble upon a suspected phishing site with Internet Explorer, report the site using the SmartScreen Filter tool discussed under “Flagging a Fraudulent Site,” earlier in this chapter.
Reporting spam can be easy, too. Free email services used with a web browser often provide a “report spam” button that can automatically notify the provider to take action. This removes the message from your inbox and could help eliminate hundreds of thousands of other copies in other people’s inboxes.
If you prefer to use a separate email program, such as Windows Mail, a plethora of add-ons can help you report and eliminate most spam. Some of the most interesting and effective ones use collaborative networks. Like the free email services that have potentially millions of users, these add-ons are based on the premise that humans can filter spam better than any algorithm alone. When a number of users identify a particular message as spam, the other members of the network can be spared the trouble. It’s a successful strategy used by companies such as Cloudmark, and there are other successful strategies as the field continues to evolve to provide convenient, active ways to fight spam.
On the other hand, there are not-quite-so-convenient yet more active ways for those who desire to “get medieval” on spammers. With a little practice, it’s not difficult to trace a message’s Received headers back to the network it came from using publicly available Internet resources. You can often identify the service provider whose network was used to send spam, and they can opt to shut down the spammer’s Internet access if enough complaints are received. Additionally, the Federal Trade Commission encourages you to forward spam to the appropriate governmental agencies for analysis. Consider forwarding particularly obnoxious spam to one of the following addresses:
The government will likely not respond to individual complaints, but it will go after the worst spammers. Every so often you hear of an arrest, followed by a distinct downturn in the daily worldwide volume of spam.
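The header-tracing step described above, as an added example that is not the book’s own code: each mail server that handles a message adds a Received line at the top, so the lines read newest-first, and the lines at the bottom may have been written by the spammer. The message below is constructed for the example, using the reserved documentation address ranges; the domain myisp.example stands in for your own provider.

```python
import email
import ipaddress
import re

# Constructed sample message for the example. The bottom Received line is a
# forgery planted by the sender to make the mail look as if it came from a bank.
RAW_MESSAGE = """\
Received: from mx3.myisp.example (mx3.myisp.example [192.0.2.10])
    by mail.myisp.example with ESMTP id abc123
    for <brian@myisp.example>; Tue, 14 Jun 2011 10:22:07 -0700
Received: from dialup-77.example.net (unknown [203.0.113.77])
    by mx3.myisp.example with SMTP id xyz789;
    Tue, 14 Jun 2011 10:22:05 -0700
Received: from mail.bigbank.example (mail.bigbank.example [198.51.100.5])
    by dialup-77.example.net; Tue, 14 Jun 2011 10:21:00 -0700
From: "BigBank Security" <security@bigbank.example>
To: brian@myisp.example
Subject: Urgent: verify your account

Your account has been suspended. Click here to restore access.
""".encode()

HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s;(]+)"       # name the sending host announced; trivially forged
    r"(?:\s*\((?P<seen>[^)]*)\))?"     # what the receiving server observed: rDNS name and [ip]
    r".*?\bby\s+(?P<by>[^\s;]+)",      # the server that wrote this line
    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"^\s*([^\s\[]+)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hops(raw):
    """Return the Received lines, newest first, as dicts of helo/rdns/ip/by."""
    msg = email.message_from_bytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(hdr))       # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        seen = m.group("seen") or ""
        ip_m = IP_RE.search(seen)
        rdns_m = RDNS_RE.match(seen)
        hops.append({
            "helo": m.group("helo").lower(),
            "rdns": rdns_m.group(1).lower() if rdns_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by").lower(),
        })
    return hops


def in_domain(host, domain):
    return host is not None and (host == domain or host.endswith("." + domain))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def naive_first_hop(raw):
    """The tempting shortcut: take the bottom-most Received line as the origin.
    Spammers know this and plant lines there to frame someone else."""
    hops = parse_hops(raw)
    return hops[-1]["ip"] if hops else None


def origin_ip(raw, my_domain):
    """Walk the Received lines newest-first. Each line was written by the server
    named after 'by', so lines written by your own provider's servers can be
    trusted. The first such line that accepted the message from an outside
    address marks where the message entered the provider's network; that address
    is the real origin. Everything below it was written by hosts the sender ran."""
    for hop in parse_hops(raw):
        if not in_domain(hop["by"], my_domain):
            break                       # past the servers we trust
        if hop["ip"] is None or is_internal(hop["ip"]) or in_domain(hop["rdns"], my_domain):
            continue                    # a hand-off between the provider's own machines
        return hop["ip"]
    return None


if __name__ == "__main__":
    print("bottom Received line claims:", naive_first_hop(RAW_MESSAGE))
    print("where it entered our provider:", origin_ip(RAW_MESSAGE, "myisp.example"))
```

The address to complain about is the one your provider’s own server recorded in brackets when it accepted the message, not the hostname in the HELO greeting and not anything in lines below that point; the sample’s bank relay line exists only to mislead a bottom-up reading.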
Anyone registering an Internet domain name is required to file contact information with a domain registrar, which publishes it through the whois service. This is supposed to be public information, and you can use it to find out whether a domain is owned by the company it purports to be, and how to contact the owners of a domain whose customers have sent spam mail or with whom you have other concerns. Be aware that many registrants use a privacy or proxy registration service, in which case the listed contact is the service’s forwarding address rather than the actual owner.
Finding the registrar for a given domain name can be cumbersome. You can find the registrar information for any .aero, .arpa, .biz, .com, .coop, .edu, .info, .int, .museum, .net, or .org domain via the following web page: www.internic.net/whois.html.
The search results from this page indicate the URL of the whois lookup page for the associated domain registrar. Enter the domain name again on that page, and you should see the contact information.
It’s a bit harder to find the registrar associated with two-letter country code domains ending in, for example, .au, .de, .it, and so on. The InterNIC site recommends searching through www.uwhois.com.
You can find the owner of an IP address (for example, the address from which an email arrived) through a similar lookup at www.arin.net/whois. Enter an IP address to find the owner of the block of IP addresses from which the specific address was allocated. This is usually an ISP or, in some cases, an organization that has had IP addresses assigned to it directly. You might have to visit www.apnic.net or another registry.
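The lookups described in this section can be done from a script as well as from the web pages, and the mechanics are the same for domains and for IP addresses: ask whois.iana.org, which refers you to the registry for that top-level domain or address block, and follow referrals (ARIN’s ReferralServer line, a registry’s Registrar WHOIS Server line) until a server answers without one. The following is an added example, not the book’s own code; the sample replies are constructed in the format of the real servers and are not real records, and a live lookup needs network access.

```python
import socket

IANA_WHOIS = "whois.iana.org"

# Constructed sample replies for the example, modeled on the real formats.
SAMPLE_IANA = """\
% IANA WHOIS server (constructed sample, not a real reply)
refer:        whois.apnic.net
inetnum:      203.0.0.0 - 203.255.255.255
organisation: APNIC
status:       ALLOCATED
"""
SAMPLE_ARIN = """\
# constructed sample in the ARIN format
NetRange:       203.0.0.0 - 203.255.255.255
NetName:        APNIC-CIDR-BLK
ReferralServer: whois://whois.apnic.net
"""
SAMPLE_FINAL = """\
% constructed sample of an authoritative registry reply
inetnum:        203.0.113.0 - 203.0.113.255
netname:        TEST-NET-3
descr:          Documentation range
abuse-mailbox:  abuse@example.net
"""


def whois_query(server, query, timeout=10):
    """One whois exchange: a query line over TCP port 43, reply until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii", "replace") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_fields(text):
    """Collect 'key: value' lines; whois output is free-form, so this is best effort.
    Repeated keys keep every value. Comment lines start with % or #."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value:
            fields.setdefault(key, []).append(value)
    return fields


def referral_server(text):
    """Hostname of the server a reply hands us on to, or None if this reply is final."""
    fields = parse_fields(text)
    for key in ("refer", "whois", "referralserver", "registrar whois server"):
        if key in fields:
            value = fields[key][0].split("://", 1)[-1]   # strip whois:// or rwhois://
            return value.strip("/").lower()
    return None


def abuse_contacts(text):
    """Abuse addresses under the field names the major registries use."""
    fields = parse_fields(text)
    found = []
    for key in ("abuse-mailbox", "orgabuseemail", "registrar abuse contact email"):
        found.extend(fields.get(key, []))
    return found


def lookup(query, start=IANA_WHOIS, max_hops=4):
    """Follow referrals from IANA to the authoritative server. Returns (server, reply)."""
    server, seen, text = start, [], ""
    for _ in range(max_hops):
        seen.append(server)
        text = whois_query(server, query)
        nxt = referral_server(text)
        if not nxt or nxt in seen:      # no referral, or a server pointing at itself
            break
        server = nxt
    return server, text


if __name__ == "__main__":
    for q in ("203.0.113.77", "example.com"):
        try:
            server, text = lookup(q)
            print(f"{q}: final server {server}, abuse contacts {abuse_contacts(text)}")
        except OSError as exc:
            print(f"{q}: lookup failed ({exc})")
```

Starting at IANA avoids having to know in advance whether an address belongs to ARIN, APNIC or another registry. The newer RDAP protocol returns the same registration data as JSON over HTTPS and is easier to parse reliably than free-form whois text, but the referral-following idea is the same.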