Emails and SPAM

One of the best ways to fight SPAM is to protect your email address. This note tells what has worked for me.

Choosing an email address

A lot of spammers fire off tons of emails to randomly generated email addresses. Those that don't bounce are considered live addresses and made targets of further SPAM. These addresses are not really random but are generated from typical patterns that folks use to create email addresses, such as one or two initials followed by the first part of a last name. The idea is to generate as many good addresses as possible with the fewest bounces. One of the best defenses against this ploy is to include both letters and numbers in your email address. Some folks add one or more numbers to the end of the address, but a more effective method is to embed one or more numbers in the middle of the address. The form I like is one, two, or three letters followed by one or two numbers followed by several more letters. An example would be j23perry@nobodysisp.com. This form of email address should always be used for your primary email address (see below).

Protect your primary email address

Many ISPs use your initially assigned email address as your account identifier and will not allow you to change it without closing the account. If this account is compromised there is no way to stop the SPAM short of closing the account. Thus the primary rule of SPAM fighting is to make sure this address is well chosen (see above) and to NEVER USE THE PRIMARY EMAIL ADDRESS FOR ANYTHING except to log on to your ISP.

So, how do you use email if you can't use your email address? Thankfully, most of these ISPs also allow you to have several email aliases or sub addresses. These are what you use. If one of your alias or sub addresses becomes compromised you can change it yourself and stop the SPAM. I use three personal email addresses: 1) for family and friends, 2) for legitimate web vendors, 3) for mail lists. This way a single compromised email address can be changed without having to change all of the addresses. If I'm suspicious of a web vendor or for USENET posts (which are particularly susceptible to email harvesting), I create an additional alias just for that purpose. Of course all of these alias addresses should be well chosen (see above).

What can you do if your ISP doesn't support email aliases? Choose your primary email address properly (see above) understanding that you will have to close your account if the SPAM gets too bad. That would also be a good time to change to an ISP that allows email aliases. Alternatively you can use one of the free email services such as Yahoo!.

Don't let the spammers know you exist

READ ALL MESSAGES IN PLAIN TEXT! This is important. Most email applications have this option. Spammers send out HTML email which goes to their web site to access images or text. The access request contains a code generated from your email address. Once the spammer gets an access request with that code he knows he has a live email address. If you read all messages in plain text the access request is never generated and the spammer doesn't know you exist. Some email software now has the option of not allowing external links. This prevents the access requests and should be selected if available.
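To see which access requests an HTML message would generate, the following added example (not part of the original note) lists the remote resources a rendering mail client would fetch on open and returns the plain-text alternative instead. The function names, hosts and tracking token are hypothetical, and the sample message is constructed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Tag -> attribute that a rendering client fetches without any click.
AUTOLOAD = {"img": "src", "iframe": "src", "script": "src", "link": "href",
            "body": "background", "table": "background", "td": "background"}

# Constructed sample message (hypothetical hosts and tracking token).
SAMPLE = """\
To: j23perry@nobodysisp.com
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Big savings inside.
--b1
Content-Type: text/html; charset="us-ascii"

<p>Big savings <a href="http://shop.example.invalid/deals">inside</a>.</p>
<img src="http://img.example.invalid/open.gif?id=6a3233" width="1" height="1">
--b1--
"""

class _RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if AUTOLOAD.get(tag) == name and value and \
                    value.lower().startswith(("http://", "https://", "//")):
                self.urls.append((tag, value))

def remote_fetches(raw_message):
    """(tag, url) pairs that rendering the HTML part would request on open."""
    msg = message_from_string(raw_message, policy=policy.default)
    parser = _RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    parser.close()
    return parser.urls

def plain_text_view(raw_message):
    """The text/plain alternative: readable without fetching anything."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""
```

The ordinary link in the sample is not reported because it is only requested when clicked; the 1x1 image is, because it loads as soon as the HTML is displayed.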

NEVER, EVER REPLY TO SPAM TO REQUEST REMOVAL! Just don't do it. You will confirm that your email address is good. The only exception to this rule is a legitimate vendor that you have done business with and that you trust. If you have not done business with them, never ask to be removed. Your spam problem will only get worse.

Protect your email address on web pages

This only applies to folks who have their own web pages. One of the purposes of a web page is to promote communication with folks with similar interests. So how do you post your email address and protect it from an email harvester?

The answer is to encode the email address using HTML Character Entities. This is not absolute protection but in practice there are so many more unencoded email addresses available for harvesting that it's just not worth the spammer's effort to try to harvest encoded addresses. There are a host of free email address encoders available on the web. Just search for "email address encoder" and use the one you like. If you wish, you can use My Email Address Encoder.

This is what an unencoded email address looks like in HTML:
<a href="mailto:j23perry@nobodysisp.com">John Perry</a>

...and this is what the same address looks like encoded:
<a href="mailto:&#x6a;&#050;&#x33;&#112;&#x65;&#114;&#x72;
&#121;&#x40;&#110;&#x6f;&#098;&#x6f;&#100;&#x79;&#115;
&#x69;&#115;&#x70;&#046;&#x63;&#111;&#x6d;">
&#x4a;&#111;&#x68;&#110;&#x20;&#080;&#x65;&#114;&#x72;&#121;</a>
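A small encoder that reproduces the encoded link above, as an added example (not the author's encoder). The function names are hypothetical; the alternation of hex and zero-padded decimal entities is read off the sample on this page, and the round-trip check confirms a browser will decode the link back to the original address.

```python
import html

def encode_entities(text):
    """Encode every character as a numeric HTML entity, alternating hex and
    zero-padded decimal forms (the mix used in the encoded sample above)."""
    return "".join(
        f"&#x{ord(ch):x};" if i % 2 == 0 else f"&#{ord(ch):03d};"
        for i, ch in enumerate(text)
    )

def encoded_mailto(address, label):
    """Build the anchor tag; only the 'mailto:' scheme stays in clear text."""
    if "@" not in address or any(c.isspace() for c in address):
        raise ValueError("not a usable email address")
    href, text = encode_entities(address), encode_entities(label)
    # A browser must decode the entities back to the original strings.
    if html.unescape(href) != address or html.unescape(text) != label:
        raise ValueError("encoding does not round-trip")
    return f'<a href="mailto:{href}">{text}</a>'

if __name__ == "__main__":
    print(encoded_mailto("j23perry@nobodysisp.com", "John Perry"))
```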

Does all this really work?

Yes! I've been amazed at how well it works. I manage two web sites and use at least 5 different email addresses. I went to these procedures over a year ago and the results have been impressive. Before implementation I was receiving over 80 SPAM emails a day. After killing the old email addresses and implementing the new procedures I've received less than a dozen SPAM emails on all of these addresses over a period of more than a year.

Update (6-15-06) After over two years I finally had to kill the email address I used for mail lists as spam had gotten up to 2-4 spam messages a day. My email addresses for trusted vendors, and family and friends (also posted on my web site but encoded) are still spam free after 2 years.

Copyright © by J. E. Rickenbacker. All rights reserved.

8-21-06