Spam And Spyware And Worms, Oh My!
Making the wild west of the Web a little less wild
Once upon a time, in a very different life, I sat comfortably behind a corporate firewall and enjoyed the support of a proactive IT staff, blissfully ignorant of the growing cyberturmoil that was raging just outside those cozy confines. Things sure have changed since then. We collectively seem to be under assault by ever bigger and ever nastier big nasties, and nowadays I've only got myself to rely on. Here are some tricks I've learned over time which, while not a panacea as far as total protection goes, represent a moderate level of success and just might help other creative-types like myself stand a fighting chance.
Why?
First off, I readily admit that this particular subject doesn't quite fit into our traditional content model, but we've gotten to the point where protecting one's computer(s) is no longer solely the domain of the quote-unquote IT professional. Every computer user has the obligation of being vigilant, because it takes only a few unprepared users to really screw things up for a lot of people.
In the creative space, there are quite a few boutique shops or freelancers or whoever that have neither the need nor the budget to contract for any IT help at all, and are therefore put in the position of wearing that particular hat on top of all the other ones they already sport. And even if you're not one of the "little guys," creatives in a larger environment might already be mavericks in terms of bucking the corporate hegemony, and may have even been "disavowed" by their particular IT folk for whatever reason. If any of these scenarios apply to you, then, like me, you're largely on your own. And while it took about a year of mostly trial and error before I found a workable system, it's possible that just by giving up an afternoon you may be able to drastically reduce Internet-caused computing headaches, as what I've found over time can really be boiled down to just a few hours of work.
Now, with that said, disclaimer time: I want to stress up front that all this stuff works FOR ME. For example, I've gone from upwards of 100 pieces of spam clogging my Inbox every day to maybe seeing one straggler every other week or so, and to this day I've never had a virus infect any computer I've ever owned (knock wood). However, as always, your mileage may vary. Implement any or all of these hints at your own risk, as you could still end up getting a virus or losing data or whatever in spite of all the precautions. Finally ready? Allrighty then! Let's all don our tinfoil hats and start battening down the hatches.
Two-point philosophy
The easy solution is to not use the Internet at all. That's always an option, but damned if the Internet doesn't actually have some useful qualities, so I embarked upon finding a way to not get viruses and spam and all the other goodies today's Web experience seems to entail without having to completely de-Webify everything. And with all the fits and starts I went through (and still endure, to some degree) in the battle with the Web for control over my computers, I was a little surprised to find that everything I eventually implemented pretty much boiled down to two relatively simple tenets:
1) Stop it before it gets there. I'm trying to eke as much speed and performance as possible out of all of my systems, as well as reduce any potential conflicts between the various software packages I use, so I came to realize that the less I have to rely on my production boxes to handle the day-to-day soldiering against this stuff the better. Generally, I've tried to offload as much of the guarding and filtering and scrubbing duties as I can, so my main systems can remain lean and mean. The added bonus is that by keeping things separate, everything's portable and still works wherever you happen to be.
2) You get what you pay for. The other main thing I found is that while many users expect various Web services like email and site hosting to be free, to get any sort of customization (and frankly, any decent level of protection at all) you're going to have to pony up a few bucks. However, in most cases, "a few bucks" means just that, as providers that do charge aren't exactly asking for a limb or your first born.
Even if you decide that none of the tips I'm about to spew forth from this point are right for you, approaching the way your machines are locked down with these two points in mind might just be all the help you need. In any event, away we go with some specifics:
Use common sense
Apparently, common sense isn't quite so common, as the sheer proliferation of really nasty worms and spam and everything else shows that most computer users either don't know or don't care one whit about keeping themselves or those around them safe. I hope the following is old hat for most or all of you, but just in case:
Don't open email attachments you aren't expecting. I really, REALLY hope this one is fairly obvious by this point. If you do a lot of transferring via email, might I suggest taking the time to use a lovely FTP or WebDAV server to facilitate the bulk of your file transfers? Either can be relatively easy to set up in-house, and Web hosting companies usually offer one or both protocols either as part of a package you may already have or as a nominal a-la-carte option. Whoever runs or pays for your email service will thank you for it. If that someone is you, then you'll just have to thank yourself, won't you?
Don't encourage spammers. I'll get into this in detail shortly, but for now I'll leave you with the fact that there are a few simple habits that are pretty easy to adopt and can dramatically cut down on your signal-to-noise ratio (spammically speaking, if I may simultaneously coin a phrase and butcher the Queen's English).
Backup, backup, backup. OK, so you've done nothing and one day, out of the clear blue, Swen Jr. hoses your hard drive or causes your machine to spontaneously combust or whatever. You've got your data backed up, right? Right?
Pay attention to what you're doing online. This is another area I'm going to take a closer look at later on, so just hang tight here.
Spam-stopping strategies
Email is Public Enemy Number One for several reasons, not the least of which is the sheer, choking amount of unwanted email, affectionately known as spam, that seems to clog our collective Inboxes. However, it is quite possible to dramatically cut down on the amount of spam you do get, depending on how far you want to go.
Find a service that filters or blocks spam. This will be the first of many times you're going to hear me recommend my particular provider, FastMail, for the absolutely fantastic service that it is. FastMail offers tiered subscription options that range from free to enhanced, and the paid levels are very reasonable. Plus, it's incredibly customizable, offering more features and options than you can shake a stick at. And no, I don't get anything out of mentioning them (unless, of course, you want to put "ksdd" as the referring user if you sign up with them). It's just an amazing email solution. Anyway, regardless of who handles the heavy lifting, make sure that they offer spam blocking at the server level. Of course, it doesn't hurt to use an email client that has a junk mail filter as well, but whatever rules you may have set up in your email program don't do much good if you use multiple computers or log on through a Web browser.
Use more than one email address. This is the simplest solution, and can be free to boot. If you're currently drowning in spam, you're probably going to have to start over with a brand new email address for your personal mail, which can be a painful transition. The upside, however, is that you're not going to have very much (if any) spam mixing it up with your legitimate mail after you make the switch. If you're going the free route, sign up for an address at one of any number of providers. Shockingly, I suggest the free FastMail tier here, since you can start slow and upgrade later should your needs change, but MyWay is also shaping up to be pretty good. The more obscure the service, the better (at least for now), since spammers are less likely to blanket spam an entire domain (like Hotmail). Then sign up for a second address (it can even be with another service if you like). Guard the first one with your life. Only use it for actual contacts (family, friends, clients, etc.). USE IT FOR NOTHING ELSE. That's what the second one is for. Use that one for online shopping, signing up for software evals, whatever -- places where you're not going to be expecting frequent email interaction. When the spam gets to be too much at the secondary address, just stop using it and get a new secondary address. Of course, you'll have to keep track of what's going on, so you can change your address with a vendor or whatever, but the amount of spam lumped in with your personal correspondences should be dramatically less.
The other way to do this is to administer an entire domain. Sure, that sounds daunting, but it's really not a big deal. Let's say you buy the domain "nofreakingspam.com" (which is still available, by the way). If you have an account with, oh, say, I don't know, FastMail, you can send and receive nofreakingspam.com mail and manage it all through FastMail's excellent array of services. Since you have the entire domain, you have every conceivable combination of email addresses you want. So, you can set up you@nofreakingspam.com to be your personal address, and then give, for example, amazon@nofreakingspam.com to Amazon as your email address. This way, you can block an individual address if you start noticing spam show up at a custom address you've given. You can also tell who's selling your information to spammers.
Ignore the spammers. So, you've investigated that business deal in Nigeria that came to you through email and determined it not to be a wise investment at this time, and now you just want that particular offer to stop. For Pete's sake, don't click the unsubscribe link at the bottom of the message! It just confirms to the spammer that there's someone at the end of the line that they can send more spam to, so you're not helping yourself this way.
Legitimate businesses that you've dealt with also tend to send spam in the form of newsletters or special offers on (unfortunately) an opt-out basis, and those unsubscribe links do work. But I would suggest not ever clicking on a link inside of an unwanted email message. Scammers are faking email from sites like PayPal that link to fake sites and ask you to enter your credit card or other information that you would rather not be in the wrong hands. And those links and sites look very real. I'll usually fire up my browser and go directly to the company's site myself and log in that way, as it usually isn't hard to find the subscription preferences on legitimate sites. So don't even chance clicking on a link in any spam message. And if you do ever get a message asking for your credit card info or whatever, call the company (using a number on their actual site rather than in the spam message) that purportedly needs the info to confirm and/or report what's going on.
Blacklists or whitelists? Both? Neither? Maintaining either a spam blacklist or whitelist can be a daunting task, with no guarantee of either stopping spam or not blocking legitimate messages. I've tried a ton of variations on the whole list thing, and finally have arrived at something that works. Again, I'm plugging FastMail here, because the sorting options and address management it provides for an entire domain make all of this possible. First, I don't use a catch-all for my entire domain, which automatically eliminates almost all spam right off the bat. Instead, I set up custom addresses to let mail through as I described earlier. Then, I use rules to route mail to specific addresses directly to my Inbox, and other addresses to other locations I don't check as much. If a certain address starts receiving spam, I take it off my "good" list. This way, I don't have to try and block individual senders or only accept messages from certain addresses.
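The per-address routing scheme described here and in the "administer an entire domain" tip above, as an added JavaScript sketch that is not the article's own code and not anything FastMail ships: the domain, the handed-out addresses, the folder names and the sample To: headers are all constructed for the example. It pulls the recipient out of a To: header, delivers only to addresses that were deliberately given out (there is no catch-all), and retires an address the moment spam starts arriving at it.

```javascript
// Added example, not code from the original article or from FastMail.
// Simulates "no catch-all, only hand-picked addresses get through" routing.
// Domain, addresses, folder names and sample headers are constructed.

const DOMAIN = "nofreakingspam.com"; // constructed sample domain

// Addresses you chose to hand out, and where mail to each should land.
// Anything not in this table is rejected: there is no catch-all.
const ROUTES = new Map([
  ["you", "INBOX"],       // personal address, given only to real contacts
  ["amazon", "Vendors"],  // per-vendor address, checked less often
  ["forum", "Lists"],     // another single-purpose address
]);

// Addresses that started receiving spam and were taken off the "good" list.
const BURNED = new Set();

// Extract the bare address from a To: header such as
// 'Some Shop <amazon@nofreakingspam.com>' or 'amazon@nofreakingspam.com',
// normalised to lower case. Returns null when no address can be found.
function parseRecipient(toHeader) {
  const bracketed = /<([^>]+)>/.exec(toHeader);
  const addr = (bracketed ? bracketed[1] : toHeader).trim().toLowerCase();
  const at = addr.lastIndexOf("@");
  if (at < 1 || at === addr.length - 1) return null;
  return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Decide what happens to a message addressed to toHeader.
function route(toHeader) {
  const rcpt = parseRecipient(toHeader);
  if (!rcpt) return { action: "reject", reason: "unparsable recipient" };
  if (rcpt.domain !== DOMAIN) return { action: "reject", reason: "not our domain" };
  if (BURNED.has(rcpt.local)) return { action: "reject", reason: "address retired" };
  const folder = ROUTES.get(rcpt.local);
  if (!folder) return { action: "reject", reason: "no catch-all" };
  return { action: "deliver", folder, address: rcpt.local };
}

// Spam showed up at a custom address: retire it. The local part also tells
// you which vendor leaked or sold the address.
function burn(local) {
  ROUTES.delete(local);
  BURNED.add(local);
  return local;
}

// Run the policy over a batch of headers and report each decision.
function routeAll(headers) {
  return headers.map((to) => ({ to, ...route(to) }));
}

// Constructed sample To: headers covering each outcome.
const SAMPLE = [
  "you@nofreakingspam.com",                // personal -> INBOX
  "Some Shop <amazon@NoFreakingSpam.com>", // vendor, odd case -> Vendors
  "sales@nofreakingspam.com",              // never handed out -> rejected
  "you@example.net",                       // someone else's domain -> rejected
];

console.log(routeAll(SAMPLE));
```

The interesting cases are the last two sample headers: a guessed address like sales@ is dropped precisely because there is no catch-all, and a display name or mixed-case domain does not fool the matcher. In practice this logic lives in the provider's server-side rules rather than in a script you run yourself; the sketch only shows the shape of the policy.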
Don't post email addresses (that you care about, anyway) anywhere online. Spammers are a sneaky lot, and they've got little programs that visit Web pages and harvest email addresses to add to their various spam lists. I don't even follow my own advice sometimes, as my email link contained in my DMN bio (at the end of this and all my articles) is free and clear and has definitely been spammed more than once. Don't let this happen to you! The answer lies in obfuscation. If you're posting to a newsgroup or forum or something, post your email address incorrectly so that a human can figure out what to do but a harvester can't. For example, if your address is someuser@somedomain.com, post it as someuser<at>somedomain<dot>com (or whatever you like). Little bit of hassle for the user, but less spam.
If you want to be user-friendly and provide a clickable link to site visitors, which is probably good to do in a business situation, you're in good shape there too. There are any number of JavaScript or ASCII encoding solutions out there, and you need do little more than enter the words "mailto" and "obfuscate" into Google to be off and running.
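One way to do the JavaScript flavour of this, as an added example that is not code from the original article or from any particular obfuscation tool: the address, the link label and the element id are constructed sample values. The static HTML carries only the human-readable someuser<at>somedomain<dot>com form; the real mailto: link is assembled in the browser after the page loads, and a naive harvester pattern is included to check that the static markup contains nothing it would match.

```javascript
// Added example, not code from the original article or from DMN.
// Keep a clickable "email me" link without printing the address into the
// static HTML that harvesting bots scan. The address, label and element id
// are constructed sample values.

// Store the address as two reversed halves; they are joined only at runtime,
// so the page source never contains "user@host".
const CONTACT = {
  user: "resuemos",       // "someuser" reversed (constructed)
  host: "moc.niamodemos", // "somedomain.com" reversed (constructed)
  label: "Email me",
};

function reverse(s) {
  return Array.from(s).reverse().join("");
}

// Rebuild the real address and the mailto: href from the stored halves.
function buildMailto(parts) {
  const address = `${reverse(parts.user)}@${reverse(parts.host)}`;
  return { address, href: `mailto:${address}` };
}

// Text a human can read when JavaScript is off, in the
// someuser<at>somedomain<dot>com style suggested above.
function humanFallback(parts) {
  const user = reverse(parts.user);
  const host = reverse(parts.host).split(".").join("<dot>");
  return `${user}<at>${host}`;
}

// The markup that actually goes into the page. The angle brackets in the
// fallback are escaped so the browser displays them instead of parsing tags.
function staticMarkup(parts, elementId) {
  const fallback = humanFallback(parts).replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return `<span id="${elementId}">${fallback}</span>`;
}

// At page load, swap the fallback text for a real link. Returns false when
// there is no DOM (for example under Node) or the element is missing.
function installLink(parts, elementId) {
  if (typeof document === "undefined") return false;
  const span = document.getElementById(elementId);
  if (!span) return false;
  const a = document.createElement("a");
  a.href = buildMailto(parts).href;
  a.textContent = parts.label;
  span.textContent = "";
  span.appendChild(a);
  return true;
}

// A naive harvester of the kind described above: a regex for user@host.tld
// run over raw HTML. Used here only to check what the static markup exposes.
const HARVESTER_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

function harvesterFinds(html) {
  return HARVESTER_RE.test(html);
}

installLink(CONTACT, "contact"); // no-op outside a browser
```

The check is the point: harvesterFinds() returns false for the static markup and true for the assembled href, which is exactly the gap this buys you. It is a cost-raising measure rather than a guarantee; a harvester that renders pages with a real JavaScript engine sees the finished link, so the throwaway secondary address from the earlier tip is still the backstop.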
Avoid the Noid
I'm writing this on the heels of some of the nastiest worms to hit the 'net so far: NetSky, MyDoom, MSBlaster, SoBig, Swen, MiMail, and so on. It seems like all the really bad worms to date have been distributed by email, so even if you aren't a Windows user, chances are that your Inbox may still have been clogged with instances of these worms. In any event, getting a worm or a virus (or even the extra email they can and do generate) isn't the most desirable thing in the world, but there are a few steps you can take to help decrease the risk:
Use a firewall. Just when I get finished telling you how all these baddies come in over email, my first tip is to protect yourself from all the things that don't do their work via email. Regardless of how you're connected to the Internet, there's no excuse to not have a firewall anymore. Open ports on your system can be an invitation to a cracker to put some zombie code on your machine and then use it as a place to stash porn or help out with Denial of Service attacks or whatever else they're up to. I personally prefer the hardware kind that sits between my cable modem and my computer(s), but you certainly can rely on one of any number of software firewalls, from the built-in ones in Windows XP and Mac OS X to commercial solutions like ZoneAlarm, FireWalk, or (the admittedly dated but still useful) Brick House. And once you have your firewall set up, swing by GRC's ShieldsUp! site to see how well it's working.
Patch, patch, patch. While some OSes are laughably insecure, all operating systems need a little TLC in order to stay current. Regardless of the OS you're using, make sure you patch your machine with the latest updates as soon as possible, especially when the update contains a vulnerability fix. Mac OS X, Windows, and most Linux distros have a software update feature built right in, so use it, dad gummit!
Antivirus software(?) I must admit that I've never really used AV software, since more often than not I've found that whatever I had installed caused at least a little system instability. It's a calculated gamble, since I've got a number of other precautions in place that mitigate the risk of something nasty making it that far, so it's a tossup as to whether installing an antivirus program will actually help. Doesn't hurt to try and see if it munges up your system performance. A better solution, at least for me, was to...
Use an email service with virus protection. Almost all email providers have some measure of virus protection. Make sure yours does. Again, I'm going to point you to FastMail, but even free services like Hotmail have at least a little antivirus goodness packed in between the layers of crunchy peanuts and luscious nougat. If you're in a corporate environment, I would hope your IT staff is on the ball about this already, so check with them for specifics.
Avoid Microsoft Internet products. I used Windows for a long time before I figured this one out. Using IE, Outlook/Outlook Express, or even Windows Media Player leaves you embarrassingly open to so much garbage out there, from popup ads to self-executing VBScripts to malicious ActiveX controls. And since all of these products are tied in to the underlying Windows OS, your whole system is left wearing a big virtual "kick me" sign. I became a much happier Windows user once I stopped using anything Microsoft except for the OS itself (I became an even happier Windows user once I switched to OS X, but that's another story entirely). Mozilla works beautifully for both browsing and email (with built-in popup blocking to boot), and RealPlayer (pre-RealOne, which you can still get) took the place of WMP without a hitch. Hell, I even went as far as to remove (yes, remove) just about everything from XP down to the bare chassis using XP Lite, and then installed a fully MS-populated Windows 2000 environment using the excellent, excellent, excellent VMware PC virtualizer for the rare times I needed to fire up a MS program. XP was a rock after that. I realize that "all MS, all the time" is mandated in a lot of environments, but if it's at all possible, stop using MS's Internet software.
Download software from trusted sources. Grabbing (or, more accurately, stealing) the latest version of whatever software package you need is certainly easy to do these days, but it wouldn't be unheard of for said package to have a nice trojan or piece of spyware/malware (or whatever else) packed in there as well. There are plenty of legitimate sites to get "the real deal" on at least a trial basis, from the developers themselves to any number of shareware and other download sites. And if you're not yet addicted to Version Tracker, there's no time like the present to start.
Big Brother is watching, or at least probably selling your information to someone who is
I'm sure what follows is going to sound unbelievably paranoid, but the fact of the matter is that just about anything you do online is being tracked to some degree. These little crumbs of info you drop while using the Internet will most likely be snatched up by advertisers to better target their victims...er, customers. But, of course, the wrong info in the wrong hands can be used for much more nefarious purposes, such as all the scumbags out there that are making identity theft such a growing boil on our collective bottoms. Anyway, while paranoia may reign in the next few tips, the bottom line is to be careful and mindful of who you either purposely or inadvertently hand out your info to.
Do you really need that P2P program? I alluded to this earlier, but take a long, hard look at your P2P program (if you're using one). There have been some egregious instances of spyware being snuck into some P2P software (Kazaa comes to mind, although they may have removed it since I last checked). These stealth programs have no problems "phoning home" and building a record of what you're sharing. You may want to weigh whatever advantages a P2P program has for your setup, especially if you're using that setup as part of your business.
Read the privacy statements. Providing at least a little personal information is unavoidable for online commerce, software evaluations, and e-newsletter subscriptions (among others), so make sure to carefully check the privacy statement these sites provide before giving them a damn thing. If there's not (at the very least) a token mention of how they're not going to sell or otherwise transfer your personal info, you can bet you'll be seeing spam at whatever address you give them in the very near future.
Real cookies = good. 'Net cookies = not so good. For the uninitiated, a cookie is a small file that a Web site writes to your hard drive, usually with some sort of identifying information that the site will retrieve later. It's how Amazon, for example, is able to greet you personally when you return to their site. For the most part, cookies are used in this benign fashion, but they also can be (and are) used by advertisers to track where you're going so they can target pop-up ads and the like directly to you.
There are a couple ways to counter this to some degree, provided that you even care to do so. After all, it's not like you'll see any fewer ads or anything if you do -- you're just removing a few of the crumbs you spill while online. Anyway, the first thing you can do is to set your browser to disable cookies altogether (a feature that every major recent browser offers in some form), or at least tell it to ignore cookies that don't come from the site you're currently visiting. If you choose to turn cookies off, you'll find a lot of broken sites, so the originating server option is a good compromise. The other thing to do is to go straight into the belly of the beast. You can actually receive an advertising opt-out cookie direct from DoubleClick, which is the company that handles a huge percentage of online ad tracking. Just visit the DoubleClick Web site, click the Privacy button, and then the Ad Cookie Opt-Out button.
I can't stress this enough...
I realize that computing environments vary wildly, so I want to reiterate that while the tips I outlined in this series have worked pretty well for me, they may not be right for you. And, of course, I've probably omitted a tip or ten that would also be good advice, so use the (un-obfuscated, for shame!) email link below to let me know what's working for you if the mood grabs you. Regardless, the old adage that an ounce of prevention is worth a pound of cure definitely rings true when it comes to protecting your computers and data from the big, bad Web.
Got feedback? Send me an email and I'll do my best to answer. Really.
