Relatively few people know you personally, so most people you do business with or otherwise meet in the course of your daily life rely on unique information to identify you, such as your full name, date of birth, Social Security number, mother’s maiden name, zip code, and credit card number.

For all intents and purposes, however, anyone who possesses this information can trick others into thinking that he or she is you. The identity thief needn’t have the skills to physically mimic your behavior, appearance, or manner of speaking to assume your identity.

Anyone can become a victim of identity theft. Just ask Oprah Winfrey, Steven Spielberg, and Tiger Woods. But when identity thieves target ordinary people, it’s almost always because they have the opportunity, not because they took the time to target you specifically.

Identity thieves usually get your personal information one of three ways:

If a hacker breaks into a bank’s computer and steals your account numbers and Social Security number along with your mother’s maiden name, there’s not a thing you can do about it. Your personal information is only as secure as the computers it’s stored on, so it’s important to share such data only with trusted institutions. And then pray that they protect it as best they can.

Dumpster diving just means digging through someone’s trash looking for something valuable. Identity thieves look for documents with personal information printed on them, such as unopened credit card offers that already have a name and address on them. The identity thief can then fill out the application and have a credit card sent to you. Next, unless you have a locking mailbox, he watches your mail until the new card arrives. At this point, the identity thief can start racking up charges on a credit card that you don’t even know exists (but that has your name printed on it, as will the bills that start pouring in a month later). Military bases are popular places for identity thieves to work because these locations often give them access to mail for a large number of people, which they can then intercept even without being a postal employee.

Another objective of dumpster diving is finding useful items such as bank account numbers on deposit slips, credit card bills (with credit card numbers printed on them), or tax return information (which can include Social Security numbers).

To protect yourself against dumpster divers, shred anything that contains personal information, and destroy credit card applications to prevent someone from filling them out without your knowledge. For further protection, get a mailbox with a lock.

If you’re truly paranoid, get a post office box and have all financial information, such as credit card and bank statements, sent there. Of course, you still have to trust the people sorting the mail at your post office.

Finally, identity thieves can get your personal information through phishing, either by sending you email or calling you on the phone and pretending to be a legitimate company. To reach as many potential victims as possible, identity thieves may send a bogus email to thousands of people at once (a more malicious form of spam) and wait for a certain percentage of the recipients to fall for the scam and enter their personal information on their website.

Another strategy of phishers is to call potential victims directly, typically targeting senior citizens. Phone call phishing takes more time and effort, but can still yield the desired personal information.

In rare cases, identity thieves may set up sidewalk polls and ask respondents to provide their name, address, and phone number in the process. Since people aren’t giving away anything that can’t be found in a telephone book, they often see nothing wrong with doing this. What they don’t realize is that they’ve made the identity thief’s job a lot easier. He can use this information to find that person’s Social Security and credit card numbers later.

The key to minimizing your risk of becoming an identity theft victim is to give out your personal information only sparingly, shred any papers with information that someone could exploit or use to find additional information about you, and never respond to unsolicited phone calls or emails.

Also be careful when giving out information to “trusted” organizations like banks or businesses. While they may request sensitive information like Social Security numbers for “marketing” purposes, you can always refuse to give them this information if it isn’t legally required. By restricting who has access to your personal data, you limit the chances that someone can steal your personal information from someone else.

Despite taking every precaution, you could still fall victim to an identity thief. To help you monitor and protect your credit rating, start by getting a free copy of your credit report, which you can request once every 12 months in one of the following ways:

Under federal law, you can also receive a free copy of your credit report if a company takes adverse action against you, such as denying your application for credit, insurance, or employment. If this happens, you can request a free copy of your credit report within 60 days of receiving notice of the action. Reviewing your credit report can help you determine whether an identity thief has ruined your credit rating.

If you want to buy a copy of your credit report, contact one of the following:

To avoid receiving credit card offers in the mail (and having to shred them to protect yourself), you can have credit card companies stop sending you their applications in the first place. To opt out of credit card offers by mail, call 1.888.5.OPTOUT (1.888.567.8688). Finally, create a document with all the bank and credit card phone numbers to call in case you need to close an account in a hurry.

Protecting your identity is much easier than trying to clean up your life after an identity thief has struck, so it makes sense to take the time to prepare now. For more information about identity theft, visit the following websites:

Spammers often flood Usenet newsgroups, where they can target their products to people with specific interests. For example, a spammer selling vitamin supplements will likely find a receptive audience in the misc.health.alternative newsgroup.

Of course, newsgroups represent only a fraction of potential customers on the Internet. Before spammers can flood the Internet with their messages, they need a list of email addresses. Although email lists can be bought, they are not always accurate or up to date. So spammers use email address extracting programs to build their own lists. These programs harvest addresses from three sources: newsgroups, websites, and database directories.

Newsgroup extractors

When you post a message to a Usenet newsgroup, your message appears with your email address. Newsgroup extractors simply download messages stored in a Usenet newsgroup, strip away the text, and store the return email addresses, as shown in Figure 18-1.

Figure 18-1. A newsgroup extractor can scan newsgroup postings and retrieve a list of email addresses within seconds.

To prevent your email address from getting sucked up by a newsgroup extractor, use a phony address or an anonymous remailer when posting messages to a newsgroup. Although this will prevent other newsgroup users from contacting you directly, it also prevents spammers from flooding your account with garbage.

Because newsgroup extractors harvest thousands of email addresses at once, some people substitute the @ symbol in their address with the word AT, such as swapping [email protected] with joesmithATyahoo.com. Initially, email extractors wouldn’t recognize the word AT in the middle of an email address, but newer versions are smart enough to replace the word with the @ symbol, so even this technique is slowly losing its effectiveness.

<html>
<body bgcolor="#FFFFFF" text="#000000">
E-mail: joesmith&#64yahoo.com
</body>
</html>

SMTP server extractors

An SMTP (Simple Mail Transfer Protocol) server is a computer that sends and receives email. An SMTP server extractor is a program that retrieves valid email addresses from an SMTP server, as shown in Figure 18-2.

Figure 18-2. An SMTP server extractor can dig out valid email addresses from any SMTP server.

This is how it works. First, the extractor makes up an email address and asks the SMTP server if it’s valid. It repeats this process indefinitely with fabricated addresses until it stumbles across a valid one that it can store for future spamming. To snare as many valid email addresses as possible, SMTP extractors typically target the servers of Internet service providers (ISPs), which can have thousands of customer email addresses waiting to be discovered.

Spammers may incur the wrath of several hundred (or several million) irate victims. Some spam recipients respond with angry messages; others launch their own email bomb attacks, sending multiple messages to the spammer’s own address, clogging it and rendering it useless.

Unfortunately, crashing or clogging the spammer’s ISP can also punish innocent customers who happen to use the same service provider. To avoid such counterattacks, many spammers create temporary Internet accounts (on services such as Hotmail or Juno), send their spam, and then cancel the account before anyone can attack them. Getting kicked off an ISP and opening new accounts is just part of the game bulk emailers play. If someone actually wants to buy the spammer’s product, he can click a link in the spam message that will take him to the spammer’s website.

Of course, for those spammers who can’t be bothered to open and close email accounts, there’s an easier way. Many bulk emailing programs simply omit or forge the sender’s email address to avoid counterattacks.

Most ISPs limit the amount of email a single individual can send to avoid bandwidth hogs from impeding other customers’ Internet access. If an ISP catches someone sending out an inordinate amount of email, it can cancel the account. So, spammers may sign up for bulk emailing accounts, which are special mail servers that allow anyone to send massive amounts of email—for a price, of course.

Another alternative is the less expensive (and less ethical) method of sending spam through “zombie” computers, which have been previously hijacked by a worm or Trojan horse (see Chapter 5).

After infecting a network of computers with worms or Trojan horses, the hacker can control the infected or zombie computers with a program, called a bot, which may be stored on an IRC chat room. The hacker then rents out his network of infected computers to spammers, who send their spam to the controlling bot, which in turn distributes it through the zombie network. This has several advantages over other spamming methods for the unscrupulous bulk emailer.

First, since the spam appears to be coming from the email account of each individual zombie computer, or through each infected computer’s ISP’s mail server, tracing the spam to its source leads to an innocent person, not to the spammer himself. Second, by sending spam through a network controlled by a bot, known as a botnet, the spammer isn’t directly violating his ISP’s ban on bulk mailing. Third, and most importantly, many spam filters work by blocking messages from known bulk email accounts. When the spam comes from computers connected through different ISPs such as Earthlink, spam can often circumvent any filters people have installed. (If a filter detects massive amounts of email coming from a single ISP, the spam filter will block it. But if the email is coming from multiple ISPs, the filter often wrongly assumes the email is valid.)

Spammers can also hijack legitimate email accounts and use that account to flood the Internet with spam. Now if anyone traces the spam back to its source, they’ll find an innocent (and likely confused) person, while the real spammer has long since disappeared to hijack other email accounts to send spam through over and over again.

When you receive spam, the message may include an email address where you can request to have your address removed from the spammer’s list. Sometimes this works, but it’s more likely that this email address itself is phony, or that your reply simply alerts the spammer to the fact that yours is a valid email address, which might encourage him to sell your address to other spammers.

Even if you can’t find a valid return address in to the spammer’s message, you may still be able to uncover one elsewhere. To do so, search the spam’s header for the ISP’s address, such as earthlink.net, buried in the From field or Message-ID heading. Once you identify the ISP, you can complain directly to it.

For example, consider the following email:

The “From” heading identifies the message as coming from [email protected], and the “X-Originating-IP” heading identifies the IP address of the sender as 198.31.62.48.

To verify that the IP address (omahasteaks.com) matches the numeric IP address shown in the X-Originating-IP heading, you need to do a reverse DNS lookup, using the tools on a site such as through ZoneEdit (www.zoneedit.com/lookup.html), as shown in Figure 18-3.

Figure 18-3. A reverse DNS lookup can verify that an IP address belongs to a certain domain name, such as omahasteaks.com.

In this case, the numeric IP address matches the domain name, so the email probably hasn’t been forged. This means you should be able to contact the sender ([email protected]) directly and request to be removed from its list for future mailings. You could also try contacting the ISP used by the sender, which in Figure 18-3 is identified as DartMail.net. However, if you visit the DartMail.net site, you’ll find that it’s a service that specializes in mass emailing, so complaining to them about unwanted spam won’t get you very far.

In this next message example, the email address ([email protected]), which looks like it’s from a site in Spain, appears to be forged. A reverse DNS lookup of the IP address identified by the X-Originating-IP heading reveals that 69.61.230.16 belongs to Fuse.Net, which is a Cincinnati-based ISP. Since the email address is phony, you can’t complain directly to the spammer but you can complain to what appears to be his ISP, Fuse.Net.

ISPs can’t monitor all of their users, but if they receive a flood of complaints about one particular customer, they can take action against the spammer and stop future abuses (maybe).

To notify an ISP of a spammer, email your complaint to [email protected], [email protected], [email protected], or [email protected], where spammer.site is the site from which the spammer sent the junk email.

Not all spammers use bulk emailing services or botnets to mask their identity, so complaining to the spammer’s ISP might actually get the spammer kicked off.

Because many spammers promote get-rich-quick schemes, there’s a good chance they don’t keep proper tax records of their earnings. So one way to take revenge on these spammers is to contact the Internal Revenue Service (or your own government’s tax agency) to investigate. American citizens can forward spam either to [email protected] to report fraudulent make-money-fast (MMF) schemes or to [email protected] to report tax evaders. Reports of tax fraud should be sent directly to your regional IRS Service Center, for which there is currently no Internet email address for reporting suspected offenses.

To avoid getting caught by their government’s tax agency, many spammers make their physical location hard to find. They may live in one country but host their website in another. And it’s hard to tell for sure who actually owns the website, especially if the spammer uses a free web hosting service such as Geocities or Tripod. With electronic payment transfers, spammers can live anywhere in the world and collect money from their websites, regardless of where they’re hosted. This can make tracking them down to pay income taxes nearly impossible. But hey, you’ve gotten it off your chest anyway, right?

Once you know the IP address or domain name of a spammer’s website, you can do a WHOIS lookup using a service such as DNS Stuff (www.dnsstuff.com). This will tell you the name of the company or person who registered the IP address or domain name, as shown in Figure 18-4.

Figure 18-4. A WHOIS lookup on a domain name or IP address can identify the person who owns a particular website.

Unfortunately, spammers know that their websites will become targets so they often disguise their real site address through a third-party server, such as a specialized bulk email ISP. One such ISP even advertises the following:

As a result, it’s possible to browse a spammer’s website without ever knowing the exact domain address that you can use to look up the spammer’s real address and telephone number.

Content filtering is the most common type of spam filtering. It works by analyzing the text in each message using probability theory developed by the mathematician Thomas Bayes. Most spam can be readily identified by subject and text headings like “!!!MAKE MONEY FAST!!!” However, other types of spam can be more subtle.

If you identify any spam messages that slip past the filter, the program can gradually “learn” and get better at sifting through similar spam in the future, as shown in Figure 18-5. Because spammers constantly change their tactics, you’re always going to get some spam, but content filtering can gradually reduce a potential flood to a mere trickle.

Another filtering technique involves blacklists or whitelists, or both. A blacklist is simply a list of known spammer email addresses or domains, including domains of entire countries (because many spammers route spam through mail servers located in Russia or Romania), as shown in Figure 18-6. The moment the filter recognizes that a message has come in from a known spammer, it blocks the message.

Figure 18-5. You can configure a Bayesian filter to “learn” how to recognize spam.

Blacklists can supplement content filtering, but are easily fooled by themselves because spammers change email addresses so often. As a result, some filters also use whitelists.

Figure 18-6. Blacklists and whitelists define banned and approved email addresses.

A whitelist defines acceptable email addresses. If the filter receives email from anyone on its whitelist, the email may pass freely. All others will be rejected. In many cases, the filter will respond to any rejected email address, requesting that the user resend the message to a specific address or using a specific code. Any person sending legitimate email will have no trouble with this, but a spammer isn’t likely to take the time to read and follow these additional instructions.

Several organizations, such as SpamCop (www.spamcop.net) and ORDB (Open Relay DataBase)—www.ordb.org, maintain lists of known spam sources. To get their information, the maintainers of these lists deliberately solicit spam for analysis. To supplement its list of known spam sources, SpamCop creates lists of bogus email addresses that nobody uses, which they post on web pages. When spammers harvest these bogus email addresses and try to use them, SpamCop immediately recognizes them as spam.

Many mail servers on the Internet don’t accurately record where email comes from, either through negligence or deliberate intent (such as special bulk mailing services). These types of mail servers are known as Open Relays, and because spammers tend to use these to mask their own email addresses, DNS lookup lists record known open relay servers and either reject any messages sent from them outright or scrutinize messages from these servers extra carefully to weed out spam, as shown in Figure 18-7.

Figure 18-7. You can tell your spam filter to reject all email from known spam mail servers.

Many spammers send their entire message as a graphic image that can’t be read by content filters. In response, some spam filters include attachment filters that look for email messages containing nothing but graphic images. Of course, these attachment filters can’t identify the visual content of a graphic image, but, when combined with other filtering techniques, they can flag suspicious messages.

Attachment filtering can also help prevent infection by screening out .exe (executable), .wsh (Windows Script Host), or .vbs (Visual Basic Script) files that could contain viruses, worms, or Trojan horses.

Filtering will never stop spam, so some people prefer to go on the offensive and attack spammers directly. In 2004, Lycos Europe distributed a special screensaver called Make Love Not Spam, as shown in Figure 18-9.

Figure 18-9. The Make Love Not Spam screensaver would launch an email bombing attack against sites known to advertise through spam.

When a computer was idle, the Make Love Not Spam screensaver would kick in and request to view a known spammer’s website. If enough screensavers sent their requests at the same time, the spam website would become slow and overloaded, either making it inconvenient for legitimate users to purchase the spammer’s products or denying them access altogether.

Shortly after the Make Love Not Spam screensaver appeared, however, Lycos Europe killed the project. Public outcry over a commercial organization using a denial of service attack created too much controversy. Still, it shows that corporations are not above using hacker techniques and that the real future of hacking might lie within the payroll of a corporation.

IBM has developed a similar tactic for its FairUCE (www.alphaworks.ibm.com/tech/fairuce) spam filter. Unlike traditional filters that examine a message’s content to identify spam, FairUCE analyzes email to determine where the message might have been sent from, despite forged email addresses and spoofed headers that mask its true source. Instead of trying to identify the spammer’s email address, FairUCE tries to identify the domain that sent the spam in the first place. Then, it bounces the spam back to the sending domain in an attempt to slow it down and prevent it from sending more spam.

Another tool in the fight against spam, the OptOutByDomain (www.OptOutByDomain.com) site, lets you tell spammers which domains you don’t want them to spam, rather than listing one email address at a time. Under the CAN-SPAM Act of 2003, spammers must legally comply with such a request or they can get sued, which is what OptOutDomain’s companion site, SueASpammer (www.sueaspammer.com) is all about, as shown in Figure 18-10.

Figure 18-10. The SueaSpammer site hits spammers in the pocketbook by threatening and taking legal action.

Despite laws, threats, and physical action against it, spamming is so cost-effective that it’s probably here to stay. If spam really irritates you, consider joining and supporting the Coalition Against Unsolicited Commercial Email (CAUCE)—www.cauce.org—an organization consisting of Internet users who have banded together to lobby for new laws to regulate unsolicited email.

To show you how influential one person can be in the fight against spam, visit Netizens Against Gratuitous Spamming (www.nags.org). This website shares tips for identifying and dealing with spam and offers an example of chaff, which is garbage data designed to fool spammers who retrieve email addresses from websites.

To keep up with the latest news regarding spam and to learn more about how to defeat spam, visit Death to Spam (www.mindworkshop.com/alchemy/nospam.html), Spam News (www.spamnews.com), Junk Busters (www.junkbusters.com), Fight Spam (http://spam.abuse.net/spam), and The Spamhaus Project (www.spamhaus.org).

No matter how assiduously you protect your email address or run filters, you’re going to get spammed, so it’s nice to know that at least you have allies on the Internet who want to help you trace, identify, and stop spam as much as humanly possible.