user's e-mail address is everywhere on the Web
6

(OP)

I've got a PIA user who bitches a lot about all the spam he gets. I recently told him that our filter catches about 400 spams per day. That isn't enough for him.

I decided to google for his e-mail address. I wasn't surprised by what I found. I got 57 hits. Two of them were our company web site, and the rest included lots of different sites.

Obviously it's good for the company that our people write articles on-line and get the company's name out there. At the same time, these users are doing something that causes them to get a lot of spam.

And I know he isn't the only one.

RE: user's e-mail address is everywhere on the Web

A couple of suggestions:

1. On your company web site, instead of publishing individual staff email addresses, have a general "feedback" or "Contact Us" form.
This way, the data gets written into a database or sent to a nominated generic mailbox that can be manually sorted.

Within articles, put "To contact the author, please use the contact us feature at www.example.com/contact" rather than direct contact information.

2. Staff (both those who write articles and Reception or other teams who deal with external contacts all the time) need to be educated not to put direct personal contact details in their articles (email address, phone nos etc) and instead to advise people to use the internet facilities. If they don't have internet access (web, email) they should be instructed to write a letter to the company and post it.

John
 

RE: user's e-mail address is everywhere on the Web

(OP)

Well, how do I educate these people?

I couldn't care less about phone numbers. That has nothing to do with spam.

I'm the one who has to spend all this time deleting all the spams that get into our filter. It gets old really fast.
 

RE: user's e-mail address is everywhere on the Web

Surely the spam filter allows you to set up scheduled jobs to remove anything over a certain age? If not, you should certainly be able to do it via a scheduled job through the operating system.

For the educating, I would start with those ultimately responsible for IT policy within your organisation by demonstrating to them:
- the quantities of spam that are captured on average by the spam filter (over a month, week etc).
- the number of false positives (ie those that you have to release onto the recipient).
- Your (and colleagues) time spent in doing this when you could be doing other things (think of long outstanding projects that will have great benefits for your organisation).
- the reasons for the vast majority of this happening (inclusion of email addresses on public web sites being harvested for use)
- the security risk this brings in by having direct contact details in the public domain; transmission of spam and other nasties (eg means of bringing in viruses, spyware etc) to your network.
- Savings made in terms of less server load (less coming in so less to store and process); less staff time (both yours and end users) in dealing with this etc.

Suggest this as one means of reducing the quantity of spam generated for mailboxes at your organisation.

Re Phone numbers - talk to your reception staff and see what they get about cold calling salesmen; the chances are they have the same sort of problems. It just won't be on the same sort of quantity.

John
 

RE: user's e-mail address is everywhere on the Web

3

Quote (hinesward):

Obviously it's good for the company that our people write articles on-line and get the company's name out there. At the same time, these users are doing something that causes them to get a lot of spam.
...
Well, how do I educate these people?
You can't.
People who write articles are expected to put in there their contact information. In the past years, that was usually your company's official mailing address; maybe also a phone number with an extension.

These days, that just won't cut it. Scientists, college professors, all people who are creating new technologies/new theories, inventing and patenting their inventions, etc. are expected to have their contact information other than snail mail address published. Check any scientific journal or magazine, on any topic - you won't find many articles without an e-mail address in the header. That's why they have it - to be contacted by the colleagues and other interested parties, not to chat with a faraway grandma and not to annoy you. There is nothing you can do about it. Only in some cases a company's website with a contact link may substitute for a direct e-mail address.

The only thing you can do is to look at it this way. It's not that "they" are there to create some work for you to do. It's that you (and the whole IT department, or whatever you have there) are there to serve the company and "them". In most cases, "they" existed and did their jobs long before your job was even invented. They needed and hired you to assist them do their work in the Internet age, not the other way around.

So your job is to fine-tune your spam filter the best you can, and to teach the users to fine-tune whatever tools of sorting and organizing their e-mail they have in their possession to take care of the rest. I don't think you can tell them to not put their e-mail address into their articles.

 

RE: user's e-mail address is everywhere on the Web

Are the posts of his/her email address serving a legitimate business purpose?  If so then I agree with Stella.

If not I would get with HR and review your business use policies to see if this covers personal use of company email addresses.  If it doesn't, change it.  If it does, come down on him/her, as warranted.

Software Sales, Training, Implementation and Support for Macola, Synergy, and Crystal Reports.  Check out our Macola tools:
www.gainfocus.biz/exceladdin.html

RE: user's e-mail address is everywhere on the Web

Also, if you have not done so already, block NNTP (Usenet) for this guy. Lots of spam originates there.

-- Francis
I'd like to change the world, but I can't find the source code.

RE: user's e-mail address is everywhere on the Web

2
The simple solution is just a better SPAM solution. Really. I have users who have their email all over the place, and can count on one hand the total number of spam they've received in the last 6 months.

You can't control whether spam is going to be sent to your users. You can only control what you do with it.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

What are you using for your spam filter?  I've used a number of products in the past that use a combination of methods for blocking spam, and they have all been far superior to anything that uses a single methodology.  I usually recommend a combination of blacklists, greylisting, and (after tuning) a Bayesian filter.  At my last job I implemented a new spam filter and cut the volume of spam that got through from thousands of messages a day to under ten by simply implementing blacklisting and greylisting.  It was over a year before I even got around to building up the Bayesian filters because the blacklist/greylist combination worked so well.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCSE:Security 2003
MCITP:Enterprise Administrator  
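
The blacklist-then-greylist ordering recommended in the post above, as an added example that is not part of the original thread or of any product's code. The DNSBL zone name, the delay and expiry values, and all addresses are assumptions; the set `listed_names` stands in for a live DNS lookup so the example runs offline.

```python
import ipaddress

GREYLIST_DELAY = 300      # assumed: seconds a new sender must wait before a retry counts
TRIPLET_TTL = 36 * 3600   # assumed: forget first attempts that were never retried

def dnsbl_query_name(ip, zone="dnsbl.example.org"):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class Greylist:
    """Temp-fail the first delivery of each (client /24, sender, recipient) triplet."""

    def __init__(self, delay=GREYLIST_DELAY, ttl=TRIPLET_TTL):
        self.delay, self.ttl = delay, ttl
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = set()    # triplets that retried correctly

    def _key(self, ip, sender, rcpt):
        # Match on the /24 so a retry from a sibling host in a mail farm still counts.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net.network_address), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        key = self._key(ip, sender, rcpt)
        if key in self.passed:
            return "250 accepted"
        first = self.first_seen.get(key)
        if first is None or now - first > self.ttl:
            # Unknown (or expired) triplet: record it and ask the client to retry.
            self.first_seen[key] = now
            return "451 greylisted, try again later"
        if now - first < self.delay:
            return "451 greylisted, try again later"
        self.passed.add(key)
        return "250 accepted"

def smtp_decision(ip, sender, rcpt, now, greylist, listed_names):
    """Blacklist first (cheap, permanent reject), then greylist the rest."""
    name = dnsbl_query_name(ip)
    if name in listed_names:      # stands in for a DNS A lookup of `name`
        return "554 rejected, client listed as " + name
    return greylist.check(ip, sender, rcpt, now)

# Constructed sample data (documentation address ranges, made-up mailboxes).
LISTED = {dnsbl_query_name("203.0.113.50")}
```

A real mail server retries after a 451 and is accepted on the second attempt; senders that never retry are dropped without any content scanning.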

RE: user's e-mail address is everywhere on the Web

Enable recipient filtering (and tarpitting), connection and sender filtering, and you're most of the way there.

Some cloud based solutions are VERY good, and drastically cut down on bandwidth used by email since only the valid email hits your wire.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

There are a number of things that you can do to cut down on the amount of spam.

Turning on rules in your e-mail server helps; stuff like verifying the e-mail is coming from the domain that they're listing, using Open Relay database lookups, and blocking from DHCP addresses.  Since most spam is generated by bots, and 99% of those bots are on DHCP, just blocking emails from DHCP IPs will reduce it drastically.

Then, using a product like SpamAssassin should nip the majority of what DOES get through in the bud.

 

Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg  http://parallel.tzo.com
 

RE: user's e-mail address is everywhere on the Web

Blocking from DHCP is a double edged sword though. Some Comcast business connections are persistent DHCP. So legitimate businesses could get blocked.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

(OP)

It looks like this thread has gone completely off course. I initially asked about how one educates users on a security issue.

The human being is still the greatest security breach. Writing down your password and posting it on your monitor is a security breach. And so is putting your e-mail address out everywhere in a scannable form.

I recently even discovered that an e-mail address for one of our distribution lists was in a spammer's database. An e-mail address for an internal distribution list should never be given out. I ended up changing the address for the list.

All these users have to do is something like this:

user(at)company(dot)com

I don't trust most spam filters. Every three months or so, I have to deal with some issue that involves somebody at my company not being able to send to somebody else because of some stupid spam filter.
 

RE: user's e-mail address is everywhere on the Web

True, but internal email DLs should be configured to only accept email from internal recipients. Problem solved for that.

Someone's email address becoming public is nowhere near what I would call a security breach. It's a form of communication, and is probably listed on business cards and other places. Spam filters, when properly administered, work great. But spam prevention isn't set it and forget it. New and evolving technologies are constantly changing. 1 year ago, you could send to a lot more places than you can today - completely because no one was checking SPF records. That's changing. And quickly.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

To be fair, most organisations use some standard format like firstname.familyname@somethingcompanyish.country.com, which renders the whole thing fairly obvious anyway, unless you take great trouble to ensure the names of your employees never come out in public in any form.
 

RE: user's e-mail address is everywhere on the Web

Hi hines,

I've 'scanned' the responses, so please ignore if I'm duplicating, but are you aware of lists of 'spammers' out there on the 'net - download-able as CSV?

Have a system in place for individual employees to add emails to a spam-list (let them do some of the donkey-work - you cannot identify all spam for them), but, also cover as much as you can via publicly available spammer-list updates.

Educate users that this is 'par-for-the-course' with no 'magic bullet'.

winky smile

J



 

RE: user's e-mail address is everywhere on the Web

That's not a valid solution. The blocked senders list has a hard limit as to how many entries it can contain.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

(OP)
58sniper,

Nobody in this entire discussion has come up with a valid solution to the actual problem.

If my users are going to put their e-mail addresses everywhere on the Web, then they should accept the spam that will inevitably come from doing so. First and foremost, you avoid spam by keeping your e-mail address out of spammer databases.
 

RE: user's e-mail address is everywhere on the Web

Quote (hinesward):

Nobody in this entire discussion has come up with a valid solution to the actual problem.

If my users are going to put their e-mail addresses everywhere on the Web, then they should accept the spam that will inevitably come from doing so. First and foremost, you avoid spam by keeping your e-mail address out of spammer databases.

Well, there you go. I have been spammed, somehow, even at work. I never use my work e-mail for anything non-work related. Spammers are not stupid.

You will be on a spammer's list within an hour of getting a new e-mail address.

The best solution for me, personally, is using Gmail. Their spam filter is very good; better than any other spam filter I've seen. Very few false positives (for me, maybe one every month or so).

The best solution in general is education. There will always be some gullible newbies out there, but the fewer naifs there are, the less profit there will be for these sleazebag spammers. Don't click - delete!

-- Francis
I'd like to change the world, but I can't find the source code.

RE: user's e-mail address is everywhere on the Web

Bah!

A properly configured antispam solution will handle nearly all inbound spam. That should take place at the gateway/perimeter. Any legitimate business needs to address it. It doesn't matter if the user advertised their email address on a billboard in the middle of town, or the user never gives out their address. A business email system will be sent spam. Period.

Imagine this - you have a user who sends their spouse an email. The spouse saves the email address of your user in their Contacts/Address Book. Their machine gets infected with an email-borne malware that grabs the Contact list and sends it back to a database. Neither user did anything wrong - yet now the email address is on a list that will be sold to spammers. You simply cannot stop an email address from getting publicized. You can only deal with the results of that.

And a business has no way of knowing HOW that address got onto a specific spammer list that resulted in a specific email getting sent to their mailbox.

Imagine a user goes on vacation, and turns on their Out Of Office setting, with a message that says "I'm away.... for assistance, please contact bob@yourdomain.com". Spam hits the mailbox, gets the OOF reply, and now knows two things: the original email address is valid, and so is Bob's.

Any business that says it's the users fault for getting spam is just trying to deflect the blame to avoid having to admit fault. There are many simple solutions that resolve the problem nearly 100%. Some are cloud based, some are on-premise. But all should happen near the perimeter.

I don't say this because corporate messaging is my line of work and I want some business. I say it because I see this all the time, it's not terribly difficult to resolve, and a business can reap the rewards by addressing it with determination.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
http://www.ucblogs.net/blogs/exchange/
 

RE: user's e-mail address is everywhere on the Web

I agree with Pat.  My email address is published all over the web as I write articles and speak at user groups and they all have my email address posted.

We use Exchange at the office, and with the SPAM settings set about as low as possible almost all spam going to me is captured.

You can't blame people for getting spam.  There are spammers out there that will find a domain name, then start sending emails to every possible address on the domain looking for which ones bounce and which ones don't.  The ones that don't are added to the spam database to be sold.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog

RE: user's e-mail address is everywhere on the Web

mrdenny:

Exactly.  Even my email server at home has been "Harvested" several times, by a distributed network even!  Can't even block the harvesters, because I'll get a half-dozen from one PC, then it continues the next half dozen from another machine elsewhere in the world.

 

Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg  http://parallel.tzo.com
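
The distributed harvesting described in the two posts above stays under any per-IP limit, so this added example (not from the thread) counts rejected unknown recipients per time window across all sources as well as per source. The log format, addresses, window size and thresholds are constructed for illustration.

```python
from collections import defaultdict

WINDOW = 600        # assumed: bucket size in seconds
PER_IP_LIMIT = 10   # assumed: unknown recipients from one client per window
DOMAIN_LIMIT = 20   # assumed: unknown recipients across all clients per window

def parse(line):
    """Constructed log format: '<epoch> <client-ip> <recipient> <smtp-code>'."""
    ts, ip, rcpt, code = line.split()
    return int(ts), ip, rcpt.lower(), int(code)

def detect_harvest(lines, window=WINDOW, per_ip=PER_IP_LIMIT, domain=DOMAIN_LIMIT):
    """Return (window_start, kind, client_ips) for windows that look like harvesting."""
    # window start -> client ip -> set of recipients rejected as unknown (550)
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ts, ip, rcpt, code = parse(line)
        if code == 550:
            buckets[ts - ts % window][ip].add(rcpt)

    findings = []
    for start in sorted(buckets):
        by_ip = buckets[start]
        noisy = sorted(ip for ip, rcpts in by_ip.items() if len(rcpts) >= per_ip)
        total = len(set().union(*by_ip.values()))
        if noisy:
            # One client guessing many mailboxes: per-IP blocking or tarpitting works.
            findings.append((start, "single-source", noisy))
        elif total >= domain:
            # Every client stays under the per-IP limit, but together they do not.
            findings.append((start, "distributed", sorted(by_ip)))
    return findings

def build_sample():
    """Constructed sample log, not real traffic."""
    lines = []
    for i in range(5):                       # five clients, six guesses each
        for j in range(6):
            lines.append(f"{i * 60 + j} 198.51.100.{i + 1} name{i}{j}@example.com 550")
    for j in range(12):                      # one client, twelve guesses
        lines.append(f"{1200 + j} 203.0.113.9 guess{j}@example.com 550")
    lines.append("1900 192.0.2.25 alice@example.com 250")   # normal delivery
    lines.append("1905 192.0.2.25 alcie@example.com 550")   # honest typo, not flagged
    return lines

if __name__ == "__main__":
    for finding in detect_harvest(build_sample()):
        print(finding)
```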
 

RE: user's e-mail address is everywhere on the Web

Quote (hinesward):


    Nobody in this entire discussion has come up with a valid solution to the actual problem.

    If my users are going to put their e-mail addresses everywhere on the Web, then they should accept the spam that will inevitably come from doing so. First and foremost, you avoid spam by keeping your e-mail address out of spammer databases.

If you have a company policy about using their company email address for personal use, then notify their supervisor and/or HR when they have violated the policy. You pop enough of them and the message will spread like wildfire throughout the organization about it.

Two things will happen: 1) they'll learn to live with the SPAM they get so as not to bring attention to it to IT, or 2) they will stop using their corporate email account for personal use.

Unfortunately, I've found you have to treat users like kids sometimes. If you bust a couple of them, the others will avoid "getting in trouble". They don't have to like IT, but they do have to respect the rules and guidelines set forth just like any other policy and procedure. I make no exception for SPAM complaints when the user violates the policy. Valid emails being filtered are one thing, but SPAM not being caught because of the user's disregard to the rules is their problem, not IT's. We in IT have too much to do as it is than play with SPAM filters and users that constantly create work for us because of their own actions.

--------------------------------------------------
Bluto: What? Over? Did you say "over"? Nothing is over until we decide it is! Was it over when the Germans bombed Pearl Harbor? No!
Otter: Germans?
Boon: Forget it, he's rolling.
--------------------------------------------------
