When I got my first e-mail address in 1993, relatively few people had ever heard of the Internet; even fewer had actually used it. Back then, an e-mail inbox could be a very lonely place. If you wanted to exchange greetings with a far-flung friend, you’d most likely be out of luck. Your friend probably didn’t have e-mail.

Although the Internet in those days was a ghost town compared to the Calcuttan bazaar it’s become since, it did have its charms. One was the lack of spam, the unsolicited e-mail with which we’ve since become involuntarily familiar. Unfortunately, the wide-spread adoption of innovative technology often lets people annoy each other in innovative ways. As the use of e-mail grew, so did the volume of spam.

2003 was a breakout year for spam. The nuisance that could be grudgingly tolerated at the beginning of the year had become a daily war—one I was losing badly—by year’s end. So I did something I’ve never done before: I made a New Year’s resolution that I’m actually planning on keeping.

2004 will be the year I banish spam.

Victory will not be total; there is no way to guarantee complete freedom from spam, at least not with the technology that currently delivers Internet e-mail. And it will take some work—like switching to new addresses and ditching those that have become spam-laden. Unfortunately, my efforts to avoid spam will do nothing to solve the problem for you. But by understanding how spammers find new e-mail addresses, you can take defensive measures to shield your own inbox.

There are four ways to significantly increase the chances that spammers will discover your e-mail address:

• Post your e-mail address on the web
• Have an address from a large internet service provider (ISP) like AOL or MSN
• Use a free e-mail account, such as those from Hotmail or Yahoo
• Enter your address into a web form

There are many computer programs—called spiders or crawlers—that scour the web looking for specific types of information.

To work, spiders must be fed a set of “seed” pages. These are the addresses of web pages that the spider visits first. Spiders analyze each page they hit, looking for links to other pages. When a spider finds a new link, it goes to that page, looking for even more links. Eventually—given the right set of seed pages—a spider can theoretically visit every public page on the Internet.

Without spiders, search engines like Google would have no way of finding information for you. Google has spiders that constantly roam the web, looking for pages to put in Google’s database. When you perform a search, Google checks its database for pages that contain the words you typed. Each page appearing in the search results is there because a Google spider found it first.

But spammers also use spiders. Their spiders—sometimes called spambots—look for e-mail addresses, and when they find one, it becomes a target for spam. That’s why it’s a good idea to keep your e-mail address off the web: the spam spiders can’t find it if it’s not there.

Often, though, people have very good reasons for putting their e-mail addresses on the web. If you absolutely must post your address, there are ways to hide it from spambots without preventing people from corresponding with you. Techniques like e-mail address obfuscation and scrambling work by changing e-mail addresses into forms that spambots can’t recognize. Although the mechanics of these techniques are beyond the scope of this article, you can see an example on the contact page of my site.

When bank robber Willie Sutton was asked why he robbed banks, he was quoted as saying, “because that’s where the money is.” Spammers are no different: they go after large internet service providers because that’s where the e-mail addresses are.

AOL alone has more than 20 million customers, many of whom have more than one address. Spammers know this, so they use various methods to try to figure out valid AOL addresses. One tactic is to send e-mails to randomly-generated addresses. When an e-mail is sent to an invalid address, it “bounces” and is returned to the sender. But if an e-mail doesn’t bounce within a certain period of time, the spammer can assume the address is valid.

Employing this type of brute-force technique can be time-consuming and computationally expensive, so it’s typically used only against domains like “aol.com” that can yield many addresses. You’re safer with an e-mail address that uses a less popular domain name; spammers are much less likely to bother.

Free e-mail accounts promise something for nothing, even though it costs millions of dollars each year to maintain e-mail systems like those provided by Hotmail and Yahoo. Revenue from banner ads and pop-ups don’t cover the costs, so the operators of those systems must look elsewhere to recoup their expenses.

Although many free e-mail providers claim that they don’t sell your address to spammers, free e-mail accounts nevertheless seem to be the ones most burdened by spam. Coincidence? Maybe. Or maybe systems like Hotmail are victims of the same brute-force spamming methods that plague providers like AOL.

Whatever the cause, if you want to be spam-free, free e-mail is not the way to go.

Be wary of web forms that ask for your e-mail address. Unless you know precisely how the web site intends to use the information you provide, you should assume that giving away your e-mail address will eventually result in spam.

Many sites post a privacy policy outlining how they use the information you enter into web forms. If you don’t see one, you may want to think twice about entering your address. Ultimately, though, it is a matter of trust: whether or not the site posts a privacy policy, ask yourself if you trust the operators of the site to respect your e-mail address.

You should also try to be considerate of the addresses of others. Many sites allow you to refer web pages to others or send e-cards, invites, etc. If you’re not comfortable giving your own e-mail address to a site, then you shouldn’t give someone else’s address to that site, either.

Even if you take every possible precaution with your e-mail address, you may end up getting spam anyway. If so, there are a few defensive techniques that could prevent the trickle of spam from turning into a flood:

• Don’t click on any of the links in a spam e-mail. Often, the links in those messages are encoded with information that identifies the recipient. So, if you click on a link, you’re telling the spammer that your e-mail address is valid; you’re asking for more spam. Don’t even click on any “unsubscribe” or “remove me” links. Although a few spammers will actually remove you from their list, spammers in general are not the most scrupulous sort. Do you really trust them to remove you?
• If your e-mail system allows it, turn off automatic loading of images. As with links, graphics that appear in e-mail can also be encoded with information that identifies you. Whereas links require action on your part, automatically-loaded images require only that you view the e-mail. If you can turn off automatic loading of images, you prevent spammers from using this trick to determine whether your address is valid.
• Some e-mail programs have a feature that allows you to return an e-mail to the sender, making it appear as though the e-mail bounced. Although in many cases, this is useless against spam—spammers usually send e-mail from bogus addresses—this will help against spammers that try to keep their mailing lists clean. Because the value of any mailing list is the number of valid addresses, and because a high proportion of bad addresses increases the time and cost of sending spam, some spammers will remove invalid addresses from their lists. Bouncing spam back to such spammers will likely get you removed from their list, and it may cut down on the amount of spam you receive in the future.
• Don’t reply to spam. Like clicking on a link, sending a reply that was obviously written by a human (as opposed to a computer-generated response like a bounce message) signals that your e-mail address is valid. Besides, if the spam was sent from a bogus e-mail address, any time spent writing the response is wasted.

If you’re drowning in a deluge of spam and you can’t take it any more, you may have to change your e-mail address. Obviously, this is an annoyance. First, you have to get a new address. Then, you have to notify people that you’ve switched your account. And if there are web sites that send you e-mail—for example, if you’re subscribed to a mailing list or if your bank sends you monthly statements—you’ll need to update your address on those sites as well.

Give yourself a transition period—perhaps as long as a month or two—when you check both accounts. That way, if you forgot to notify someone or if you missed changing your e-mail address on a particular site, you won’t miss something important.

You can even enlist your computer to ease the transition. Many e-mail systems have a feature that sends automatic responses whenever a new message is received. Most often, you see this used for those “I’m on vacation” notices, but if you’re switching e-mail addresses, it’s also useful for pointing people to your new address. Be careful, though: spammers may use programs to extract e-mail addresses from messages they receive, so if you set up an automatic response, don’t include your new address in its normal form. Instead, write it in a way that’ll be understood by people but not programs. Simply replacing “@” with “ (AT) ” and “.” with “ (DOT) ” should provide sufficient protection. Nevertheless, it is still possible—although unlikely—that a spammer will detect your new address in this type of auto-response e-mail.

Unfortunately, one of the best defenses against spam is not for the casual Internet user. But if you have access to the technical know-how, I strongly recommend getting your own domain name and finding a hosting provider to use for your e-mail.

Personal domains are much less likely to be targeted by spammers than, say, AOL. In addition, most hosting providers will allow you to create an unlimited number of e-mail addresses for your domain. This means you can create different addresses for specific uses. When you absolutely must provide an e-mail address to a given site, you can use a unique address just for that site.

For example, if I were to sign up for a PayPal account, I might tell PayPal that my e-mail address begins with “evan-paypal@”, followed by my personal domain name. Then, if one piece of spam is ever sent to that address, I know PayPal sold me out.

The benefit of this technique is that I can track which sites are giving out my address, and I can stop using those sites. I can also shut down the addresses that have become spam targets without affecting the other addresses I use.

Doing this costs money—for the domain name and for the hosting provider—but if you’re fed up enough with spam that you’re willing to pay to avoid it, this solution might be for you.

Today’s Internet e-mail system has its roots in the 1970s, when the network was primarily used by a small number of academic and military researchers. The designers of the system did not envision such widespread use, and therefore did not build in the kinds of security mechanisms that would be useful in the fight against spam. Because most e-mail servers gladly accept messages without knowing whether the sender’s identity is real, anyone can forge e-mails and make them appear to be from someone else. That’s why most spam is sent from addresses that are bogus or hijacked. Cloaked in the anonymity of fly-by-night addresses, spammers can continue to flood your inbox with little worry about getting shut down or filtered out.

Most of the work in the fight against spam has gone into blocking it before it reaches your inbox. Recently, there have been many promising innovations—like Bayesian filtering, black lists and white lists—but each has its downsides. Filtering analyzes the words contained in an e-mail, so many spammers now turn their messages into graphics, which can’t be parsed by filters. Black lists often result in legitimate senders being blocked, and white lists require manual approval of senders, sometimes in advance. None of these techniques stop spam completely, and they all risk preventing legitimate communication.

As for anti-spam laws? Forget it. Unless such laws are passed and aggressively enforced by every nation on Earth, they will do little to slow down spam.

Spammers and anti-spammers are engaged in an arms race. For every spam-blocking technique that’s created, spammers eventually devise a way to circumvent it. Unfortunately, this will be the case until the plumbing of Internet e-mail is ripped up and replaced. Until then, all you can do is minimize the problem. Sorry.