Hiding from spammers


Part 1: Getting organized

How do you hide from spammers? A two-part article that will show you how to keep your email address from getting into the hands of spammers.

In order to prevent spam (and deal with it when it arrives regardless) it's very important to get your email organized so that spammers won't get hold of your address. A good approach is to have multiple "visible" addresses used for different purposes, while keeping a single real address invisible to the spammers.

In this article, I'll start from the assumption that you're already getting spam (who doesn't?). I'll outline a strategy for how to get in control again, and avoid (most) spam.

You will need:

  • a secret address
  • a 'friendly' address only for family and friends
  • throw-away addresses for software downloads, service registrations and such
  • more throw-away addresses for newsgroups and mailing lists
  • A tool to keep track of which address is used for what

Disclaimer

I'm listing a lot of services and products on this page. I am in no way connected to any of these companies. You should also realize that I cannot possibly provide a complete overview of all such services and products, nor is that the intention: I've merely done my best to give a good overview of what's available in terms of features, platforms and pricing. Where prices (other than free/freeware) are quoted, it's always the lowest level available, or a single-user licence. Check out the sites linked to for other options. I have no editorial control over what ads Google is showing in the sidebar, but they will most likely be for anti-spam products and services.

A secret address

The first thing you need is a brand-new, clean email address that you're not going to give to anyone except a few services that will hide this address from the world. If you run your own email server, just create a new popbox. (You may also want to turn off any "catch all" capability, since with it all email not sent to a specifically set up user or alias would arrive anyway.) Some providers also allow you to create several popboxes: create a new one; if you can also define aliases, define at least one, and only use the alias for the rest of this recipe. If you can't create a new popbox on your own server or with your current provider, you may consider another provider or even a service that lets you create free addresses and access them (via POP or IMAP) from a normal email client.

What's important is to make sure that your brand-new email address isn't "pronounceable" or "guessable": don't use a common or even less common name, or a word that occurs in the dictionary, not even if followed by one or more digits. Spammers use "dictionary attacks", trying to send email to addresses consisting of names, dictionary words and numbers. (If you choose a 'normal' name at your provider or at a free service, you may even find you start receiving spam immediately since the address was pre-owned and dropped by the previous owner...) Your address needs to be invulnerable to such attacks (statistically speaking): just like a good password, it should consist of a random string of letters, numbers, and (if the email service allows it) some punctuation.

An 'invulnerable' name will simply be a string of random letters and numbers. The form below can generate such a string for you; the generated string will be 8-32 characters long. You can choose to add some punctuation (dash, dot or underscore) as well: the result will be a valid email address that is practically impossible to guess. You may also start with punctuation included and then take out what is not allowed; for instance some services allow only a single dot in an email name.

[Interactive form "Generate a random string": a length field (leave blank for random length) and a content option. The generated random string goes before the @ in the email address.]
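A generator in the spirit of the form described above, written as an added example (it is not the page's own form code). Lowercase-only letters, the ban on doubled or leading/trailing punctuation, and the `max_dots` parameter are assumptions chosen to match common provider rules such as "only a single dot".

```python
import math
import secrets
import string

ALNUM = string.ascii_lowercase + string.digits  # assumption: lowercase letters and digits
PUNCT = "-._"                                   # dash, dot, underscore

def is_acceptable(local, max_dots=None):
    """Letters/digits at both ends, no doubled punctuation, dot limit respected."""
    if local[0] in PUNCT or local[-1] in PUNCT:
        return False
    if any(a in PUNCT and b in PUNCT for a, b in zip(local, local[1:])):
        return False
    return max_dots is None or local.count(".") <= max_dots

def random_local_part(length=None, punctuation=False, max_dots=None):
    """Return an unguessable local part (the text before the @)."""
    if length is None:
        length = 8 + secrets.randbelow(25)      # uniform over 8..32
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    alphabet = ALNUM + (PUNCT if punctuation else "")
    while True:
        # Draw from the OS CSPRNG; redraw whole candidates that break a rule
        # instead of patching characters, so accepted strings stay uniform.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_acceptable(candidate, max_dots):
            return candidate

def entropy_bits(length, punctuation=False):
    """Upper bound on guessing entropy: length * log2(alphabet size)."""
    return length * math.log2(len(ALNUM) + (len(PUNCT) if punctuation else 0))

if __name__ == "__main__":
    local = random_local_part(punctuation=True, max_dots=1)
    print(local, f"(at most {entropy_bits(len(local), True):.0f} bits)")
```

Even the shortest setting (8 characters, no punctuation) gives roughly 41 bits, far outside what a name-and-dictionary list covers.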

 

Family and friends: limited-access address

Your secret address must remain secret: you do not even give it to family and friends. Really. They'd probably appreciate an easier to remember address than your random string anyway. So you'll need a 'friendly' address to give out to a limited number of people, and which will forward your mail to your secret address. Since a 'friendly' address will be susceptible to dictionary attacks, it should also be easy to replace with a new one, should it start to receive spam.

The solution is to use email forwarding. If you control your own email server, you will already know how to do this. If not, there are services that can do this for you, and let you choose a 'friendly' address (or more than one). Some such services are free, some require a subscription fee; you may also get extra features like spam filtering and blocking. The 'Forwarding services' sidebar box has short descriptions of a few forwarding services you could use for a 'friendly' address that will hide your real, secret address from the world. Emailaddresses.com mentions more free email forwarding services (some with special requirements for signing up).

Since many ISPs these days will block email from any source that looks 'spammy' to protect their customers from the deluge, it's advisable to choose a forwarding service that provides spam blocking one way or another. If they simply let through any mail, including spam, you'd run the risk that the provider where you have your main, secret address will block them as a spam source - with the result that you'd not only miss the spam, but the 'ham' as well!

It's also a good idea to educate your family and friends about how to keep your address from getting known to people you didn't give the address to: their friends may not be your friends! Many people don't know how (or why) to use the Bcc: header in their mail client, and will reveal your address if they send a mail to a group of people by using the To: or Cc: header instead. Help them to keep your address safe!

Software and service registrations: disposable addresses

If you download trial software, register purchased software, buy from an online merchant or sign up for a service, you usually need to give an email address. Some of those companies may not have a good privacy policy (or none at all); or be less than scrupulous with their lists. Even if they don't sell their data, they may be taken over by another company that is not so scrupulous with their database, or an (ex-)employee may earn a little extra income by selling addresses.

Here, the strategy is to use a unique, disposable email address (DEA) for each registration: if you start getting spam at an address, you'll not only know who to blame (complain to that company!) but you can just throw it away again since it was used for one thing only. Of course it's up to you to keep track of which address you've used for what purpose, but you are in control of how companies can contact you (or not).
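The "know who to blame" step can be automated once the ledger exists. The following is an added example, not part of the original article: the ledger entries, the `dea.example` domain and the spam samples are all constructed, and the header list assumes your forwarding service preserves the original recipient in one of them.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed ledger: disposable address -> the one purpose it was given out for.
LEDGER = {
    "k3v9q2xm@dea.example": "trial download, photo editor",
    "p7w4hz8r@dea.example": "online bookshop account",
    "t5n1c6yd@dea.example": "mailing list: gardening",
}
# Headers that can carry the address the message was really sent to.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")

# Constructed spam samples; only the headers matter here.
SPAM = [
    "From: a@bulk.example\nTo: p7w4hz8r@dea.example\nSubject: Watches\n\nBuy now\n",
    "From: b@bulk.example\nTo: someone@other.example\n"
    "Delivered-To: P7W4HZ8R@dea.example\nSubject: Pills\n\nBuy now\n",
    "From: c@bulk.example\nTo: Gardener <t5n1c6yd@dea.example>\nSubject: Loans\n\nApply\n",
]

def recipients(raw_message):
    """Return the lowercased recipient addresses found in one raw message."""
    msg = message_from_string(raw_message)
    found = set()
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            # Parse each header on its own so one malformed value cannot hide the rest.
            found.update(addr.lower() for _, addr in getaddresses([value]) if addr)
    return found

def leaked_sources(spam_messages, ledger=LEDGER):
    """Count spam per ledger entry; a message counts once per matching address."""
    hits = Counter()
    for raw in spam_messages:
        for addr in recipients(raw).intersection(ledger):
            hits[ledger[addr]] += 1
    return hits.most_common()

if __name__ == "__main__":
    for purpose, count in leaked_sources(SPAM):
        print(f"{count} spam message(s) via the address used for: {purpose}")
```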

There are lots of services that provide DEAs, some of them free, some for a fee, with lots of different options. With some services, addresses will automatically expire, so they're good for just a trial download for instance; others offer more permanent addresses, which are better for other purposes such as software registrations, where you do want to allow that company to contact you - but that company only. The 'Disposable Email Addresses' sidebar box has short descriptions of a few such services.

Mailing lists and newsgroups: more throw-away addresses

Mailing lists

Mailing lists form a special problem: you need to subscribe with an email address, and that address will be revealed to all list members - at least. At least, because many mailing lists have archives available on a web site; not all archives hide the email addresses. And many of those archives are indexed by search engines, too. While a spammer might sign up to a mailing list to get at the addresses, if there is an online archive that doesn't hide them, "standard" spammers' tools can easily harvest the email addresses of all present and past mailing list members.

Clearly, you need a DEA here, too. While a service like Sneakemail provides management tools so you can (temporarily at least) stop spammers, this turns out to be a "high maintenance" option for some lists where addresses are easily harvested. But whichever service you use, when it starts attracting more than a very occasional spam, you'll need to throw the address away and get a new one. Take care you do things in the correct order here: first create a new address, and sign up (again) for the list with that. Once that works, unsubscribe with the old address. Only then can you throw away the old address. Both subscribing and unsubscribing often require confirmation. Do not just throw away an address without completing unsubscription first! If, like me, you have many mail list subscriptions, converting them all for the first time will take some time - but it's time well spent.

Again, it makes sense to have a separate DEA for each list you subscribe to (unless maybe when they are closely related and managed by the same person or organization). Some lists provide a web interface which is more than just an archive but allows posting, too; if you do this, use the same DEA you are signed up with; or if you want to avoid signing up altogether, create a separate DEA for posting via the web interface.

Newsgroups

Newsgroups pose the same problem as mailing lists do in that they are often archived; Google has an archive of many groups in Google Groups, for instance. But while Google makes posters' addresses unusable for spambots, many newsgroups on private servers have their own archives and these don't always have the email addresses 'munged'. More fodder for the spambots. And some spambots can collect addresses from newsgroups directly: no need for an archive.

Since you don't need a "real" email address to use a newsgroup, it's common practice to 'munge' the public email address used for a newsgroup, or to use an invalid address. There are rules for munging addresses on newsgroups. An important rule is: if you want an invalid address, don't just make up a domain: it might already belong to someone else, or someone may register it in the future. There are reserved domains that will never belong to anyone, so you can use one of these reserved domains for a public email address. And certainly don't use an address that you know belongs to someone else - not even an address that's intended for reporting spam!
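A check for the rule above, as an added example that is not part of the original article: it flags public (invalid or munged) addresses whose domain is not one of the names RFC 2606 reserves. The function names and the sample addresses are constructed for illustration.

```python
# Names reserved by RFC 2606: they will never be delegated to a real owner.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}

def is_reserved_domain(domain):
    """True if the domain is, or sits under, an RFC 2606 reserved name."""
    labels = domain.strip().rstrip(".").lower().split(".")
    if not all(labels):                 # empty string or empty label ("a..b")
        return False
    if labels[-1] in RESERVED_TLDS:
        return True
    return ".".join(labels[-2:]) in RESERVED_SLDS

def unsafe_public_addresses(addresses):
    """Return the addresses whose domain someone could own now or later."""
    flagged = []
    for addr in addresses:
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or not is_reserved_domain(domain):
            flagged.append(addr)
    return flagged

# Constructed sample: public addresses configured in a newsreader.
PUBLIC_ADDRESSES = [
    "reader@nospam.invalid",            # reserved TLD: safe
    "reader@news.example.org",          # under a reserved second-level domain: safe
    "reader@nospam-please.net",         # made-up domain: may belong to someone
    "reader@notexample.com",            # only looks like example.com
    "reader@EXAMPLE.COM.",              # case and trailing dot do not matter: safe
]

if __name__ == "__main__":
    for addr in unsafe_public_addresses(PUBLIC_ADDRESSES):
        print("not a reserved domain:", addr)
```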

Still, you might want to reply to a newsgroup post by email (you might have to "unmunge" the poster's email address when you do this!), but if you want to allow that person to reply, you need a working address: here a DEA comes to the rescue again. In many newsgroup clients you can configure a "public" as well as a "private" address for each server; use an invalid or munged public address, and a DEA for the private address. You may even want to create a DEA for a specific reply, so you can track who you "gave" that address to.

Keeping track - securely

Email boxes, online services, mailing list subscriptions, almost all require passwords for access or to manage your subscription. If you're using separate addresses for everything, as outlined above, the need to keep track of things increases enormously. While some of the services mentioned in this article give you management tools to keep track of things, these tend to be geared towards their service only. And it's not really a good idea to store passwords in plain text on someone else's server - however much you may trust that service.

A more secure and flexible solution is to use an application on your own machine: that way you'll need to remember only a single password to get access to all others. You should be able to add notes as well so you know what's what. The 'Password management' sidebar box lists such applications for several platforms, with various features and prices (including freeware); prices shown are for a single-user license only.


Link summary

AutoID Password Manager
http://batista.org/autoid.html
AutoID hard to use
http://www.macupdate.com/info.php/id/10846
Captcha
http://www.captcha.net/
Desktop client
http://www.spammotel.com/spammotel/more.html
EldoS KeyLord
http://www.keylord.com/
Email on the web
http:///hiding2.html
Emailaddresses.com
http://www.emailaddresses.com/email_forward.htm
Emailias.com
http://www.emailias.com/
Info Keep
http://www.transdig.com/products/ik2/index.cfm
Ked Password Manager
http://kedpm.sourceforge.net/
Key Folder
http://www.mag2soft.com/
MailMoat.com
http://www.mailmoat.com/
Mailinator
http://www.mailinator.com/
Mailinator FAQ
http://www.mailinator.com/mailinator/Faq.do
More options
http://sneakemail.com/cost_limits.pl
MyPasswordSafe
http://www.semanticgap.com/myps/
NetMails.NET
http://new.netmails.net/
Netforward
http://www.netforward.com/
Netforward features
http://www.netforward.com/features.html
Passphrase Keeper
http://www.passphrasekeeper.com/
Password Agent
http://www.moonsoftware.com/pwagent.asp
Password Depot
http://www.password-depot.com/
Password Director
http://www.pwdir.com/
Password Keeper
http://www.gregorybraun.com/
Password Manager XP
http://www.cp-lab.com/
Pobox
http://pobox.com/
Private InfoKeeper
http://www.ablazesoft.com/
Reporting spam
http:///report3.html
Reserved domains
http://www.rfc-editor.org/rfc/rfc2606.txt
Rules for munging
http://www.faqs.org/faqs/net-abuse-faq/munging-address/
Sneakemail
http://sneakemail.com/
Spam Motel
http://www.spammotel.com/
SpamCop Mail
http://mail.spamcop.net/
Spamex
http://www.spamex.com/
Spamgourmet
http://spamgourmet.com/
Starfish
http://starfish.sourceforge.net/
TK8 Safe
http://www.tk8.com/safe.asp
Tmicha.net
http://www.tmicha.net/
TrashMail
http://trashmail.net/
Web Confidential
http://www.web-confidential.com/