Protect Your Website
When given the opportunity to interview Will Bontrager, I jumped at the chance. Will is an expert CGI programmer who, together with his wife Mari, owns and operates several resources that offer great information and perfect website tools and solutions.
I asked Will, “With website creation being relatively easy and inexpensive these days, many people with little technical experience are creating their own sites. These new webmasters are often unaware of the security and privacy vulnerabilities that exist. What are your top recommendations on how website owners can protect themselves?”
Will’s reply…
The first recommendation that comes to mind is to block directory listings.
A directory listing is when you put the URL of a directory or subdirectory into the browser (http://example.com/books/ for example) and you see a list of files and subdirectories. While the list itself may contain nothing you feel you need to hide, it might provide clues to crackers for trying other things with your server.
A subdirectory _vti_bin would be a clue that you use FrontPage, and some versions of FrontPage have security holes crackers can use. That’s just one example.
You can block directory listings. And you should, unless there is a compelling reason a specific directory listing must be available to the public.
Don’t give crackers an edge. Check your directories and subdirectories with your browser. If you find any that present a directory listing, upload a file into that directory named index.html (or index.htm).
That’s all you need to do. When an index.html file is in the directory, no listing can be obtained with a browser.
The index.html file doesn’t have to say anything in particular. It can even be blank. Just so it’s there.
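A quick way to apply this recommendation to a whole site is to walk the web root and report every directory that has neither index.html nor index.htm, then drop a blank index.html into each. The script below is an added example, not code from the interview or from Willmaster; the web-root path is whatever the caller supplies, and the filenames it checks for are the two the recommendation names.

```python
"""Find web-root directories that would show a directory listing because
they lack an index file, and optionally drop a blank index.html into each.

Added example; not code from the interview or from Willmaster. The web-root
path is an assumption supplied by the caller."""
import os
import sys
from typing import Dict, Iterable, List

# Filenames that stop a directory listing, per the recommendation above.
# Matched exactly: most Unix web servers compare filenames case-sensitively.
INDEX_NAMES = ("index.html", "index.htm")


def directories_without_index(tree: Dict[str, Iterable[str]]) -> List[str]:
    """Return the directories (keys of `tree`) that contain no index file.

    `tree` maps a directory path to the filenames it holds, the same shape
    os.walk() yields, so the check can be exercised without a filesystem."""
    missing = []
    for directory, filenames in tree.items():
        names = set(filenames)
        if not any(index in names for index in INDEX_NAMES):
            missing.append(directory)
    return sorted(missing)


def scan_webroot(webroot: str) -> List[str]:
    """Walk a real web root and list every directory lacking an index file."""
    tree = {dirpath: filenames for dirpath, _dirnames, filenames in os.walk(webroot)}
    return directories_without_index(tree)


def add_blank_index_files(webroot: str) -> List[str]:
    """Create an empty index.html in each directory that has no index file.

    Returns the paths created. Existing files are never overwritten."""
    created = []
    for directory in scan_webroot(webroot):
        target = os.path.join(directory, "index.html")
        if not os.path.exists(target):
            with open(target, "w", encoding="utf-8") as handle:
                handle.write("")  # blank is fine; presence is what matters
            created.append(target)
    return created


if __name__ == "__main__":
    # Usage: python check_listings.py /path/to/webroot [--fix]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    if "--fix" in sys.argv:
        for path in add_blank_index_files(root):
            print("created", path)
    else:
        for path in scan_webroot(root):
            print("directory listing possible:", path)
```

Run it without `--fix` first and read the list; a directory that is meant to be browsable (the “compelling reason” case above) should simply be left alone. Which filenames count as an index is ultimately decided by the web server’s configuration, so if your host uses a different default document name, add it to `INDEX_NAMES`. Apache administrators can also disable listings outright with `Options -Indexes`, but the index-file approach works regardless of server software, which is why the recommendation is phrased that way.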
Okay, that was one. Here’s another recommendation.
If you have other people install software on your server or hosting account, or provide account access for any other reason, give them only temporary passwords. When they’re done with whatever they’re doing, remove the passwords.
That’s not to say you can’t trust the people who install things. If you don’t trust them, don’t give them access in the first place.
However, there is more to it than just trusting them to do right on your server. They have your password, and they might or might not be diligent with it. Conscientious and forward-thinking service people will permanently delete passwords when they’re done with them.
Even with diligence, things can happen. Their computer might be stolen, for example, with your password recorded on it, available to the thief or whoever the thief sells the computer to. If the password is emailed, it can be intercepted. Passwords traveling on open Wi-fi bands can be intercepted. Lots of things can happen to those password critters.
If you provide only temporary passwords, and remove those as soon as they’re no longer needed, then you don’t have to worry any more about what happens to the passwords you give out.
Let’s add a little more to this recommendation; we’ll call it recommendation number 2-1/2. The recommendation is this: Use passwords not easily guessed, even for temporary passwords. A series of nonsensical letters, numbers and symbols is generally considered the most secure; the more characters in the password, the better (within reason).
Now, let me address something everybody with experience on the Internet thinks about at least some of the time. Spam.
If you have a web site, spam is or is likely to become annoying. If you have a web site long enough, spam could become such a problem that you might even contemplate shutting your sites down just to get rid of it. (And most likely you still would not get rid of it all.)
I’m going to make two separate recommendations that can prevent much of the spam. One has to do with web page forms and the other has to do with web page email links. Both are the target of spammers, but in different ways. Both are controllable.
Therefore, Linda, the third recommendation in answer to your question is that site owners protect their forms from hijacking and have automatic submission protection available.
Form hijacking is a technique often referred to as “header injection,” a method where spammers’ robots insert hundreds or thousands of email addresses into email sent from your server. They create Cc or Bcc lines as they please. And do it again and again, mostly automatically with their robot software.
Thousands of spam messages could be sent every few minutes from the hosting accounts of innocent site owners. When spotted, the hosting company will, most likely, shut down that script or maybe even the whole account as soon as it realizes what is happening - and ask questions later, after the spam flow has been stopped.
A year or so ago, form hijacking for spamming was rampant and looked like it might become an epidemic. But hosting companies handled it okay by demanding any scripts that send email be secure against that type of spamming.
Believe it or not, there is *still* software out there that has not been secured. They don’t generally advertise, “Use this script, it lets spammers spam from your site!” You take your chances when you download email sending software. Two software programs I know have code specifically to block that type of hijacking (because I wrote the code and upgraded the software myself) are Master Feedback and Master Form V4. For peace of mind, please use one or the other.
That addressed the dangerous part of this recommendation.
I further recommend auto-submission protection be available for your forms. Auto-submission, by itself, is not as dangerous as the hijacking addressed above. But it can be annoying.
Auto-submission is when a robot fills in your form with spew and robotically submits it. The spam ends up being sent to wherever the form usually sends its information.
Automatic submission of forms by robots can mostly be stopped with Master Form V4. The feature is an option you can turn on when you need it. Further, the software can block IP addresses and ban words to prevent even manually submitted spam (which generally are few, as spammers seem too lazy to send their spam manually, or maybe it takes too much of their time).
The auto-submission protection is designed to put an end to the annoyance and let you concentrate on doing things you really want to do.
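The two form defences just described, blocking header injection and filtering automated or unwanted submissions by IP address and banned words, come down to a handful of server-side checks that run before any email is built. The code below is an added example written for this article; it is not code from the interview, from Master Feedback or from Master Form V4. The field names, the blocklists and the sample submissions are constructed for illustration.

```python
"""Server-side checks for a web form that sends email: reject header
injection (a line break smuggled into a field that becomes a mail header)
and drop automated or unwanted submissions by source IP and banned words.

Added example; not code from the interview nor from Master Feedback or
Master Form V4. Field names, blocklists and sample data are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Form fields whose values are copied into email headers. A hijacker's robot
# tries to put a line break here so that extra Cc/Bcc lines follow it.
HEADER_FIELDS = ("email", "subject")

# One plain address: no whitespace, no angle brackets, no commas (which would
# separate recipients). Deliberately strict rather than RFC-complete.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class FormPolicy:
    blocked_ips: Set[str] = field(default_factory=set)   # constructed blocklist
    banned_words: Set[str] = field(default_factory=set)  # constructed word list
    max_field_length: int = 200


def header_injection_attempt(value: str) -> bool:
    """True if a header-bound value contains CR, LF or NUL; a line break is
    exactly what turns one field into several headers."""
    return any(ch in value for ch in ("\r", "\n", "\0"))


def vet_submission(form: Dict[str, str], client_ip: str, policy: FormPolicy) -> List[str]:
    """Return the reasons a submission must be dropped; an empty list means send."""
    reasons = []
    if client_ip in policy.blocked_ips:
        reasons.append(f"blocked ip {client_ip}")
    for name in HEADER_FIELDS:
        value = form.get(name, "")
        if header_injection_attempt(value):
            reasons.append(f"header injection in field '{name}'")
        if len(value) > policy.max_field_length:
            reasons.append(f"field '{name}' too long")
    sender = form.get("email", "")
    if sender and not ADDRESS_RE.fullmatch(sender):
        reasons.append("sender is not a single plain address")
    text = " ".join(form.values()).lower()
    for word in sorted(policy.banned_words):  # sorted so reasons are stable
        if word.lower() in text:
            reasons.append(f"banned word '{word}'")
    return reasons


def compose_headers(form: Dict[str, str], recipient: str, policy: FormPolicy,
                    client_ip: str) -> Dict[str, str]:
    """Build the headers for the outgoing message, or raise if vetting fails.

    The recipient is fixed by the server; nothing in the form can choose who
    receives the mail, which is the property header injection tries to break."""
    problems = vet_submission(form, client_ip, policy)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "To": recipient,
        "Reply-To": form.get("email", ""),
        "Subject": form.get("subject", "")[: policy.max_field_length],
    }


if __name__ == "__main__":
    # Constructed demo: one clean submission and one hijack attempt.
    policy = FormPolicy(blocked_ips={"203.0.113.9"}, banned_words={"cheap pills"})
    clean = {"email": "reader@example.com", "subject": "Hello", "message": "Nice site"}
    hijack = {"email": "reader@example.com\r\nBcc: other@example.net", "subject": "Hi"}
    print("clean   ->", vet_submission(clean, "198.51.100.4", policy))
    print("hijack  ->", vet_submission(hijack, "198.51.100.4", policy))
```

The important design point is in `compose_headers`: the destination address never comes from the form, and every field that does reach a header is refused outright if it contains a line break rather than “cleaned”, because stripping characters leaves you guessing what the mail library will do with whatever remains. The IP and banned-word checks are the optional, turn-on-when-needed layer the recommendation describes; they stop the annoyance, while the header check is the one that protects the hosting account.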
I know, this is getting long-winded. Please be patient.
My fourth recommendation is to use harvest-proof email links.
An email link is one you click on that opens an email program with the destination email address pre-filled in.
Email addresses can be harvested by looking at the source code of the link. And they can be harvested by clicking on the link and copying the destination email address.
Most systems purporting to prevent harvesting ignore the second method.
True harvest-proof email links prevent both harvesting methods. Flow-To.com provides true harvest-proof email links. Your address is never disclosed with the Flow-To harvest-proof system.
Harvest-proof email links can be used on web sites, in newsletters, and on forums or other places that allow links to be posted. You can post the links with impunity, knowing your address is safe.
Get a harvest-proof email link. Because, once an email address gets on spammers’ lists, it will be there forever.
- - - - - - - - - - -
Find other website solutions at Willmaster.com and be sure to subscribe to The Possibilities Ezine for great tips and resources delivered to your inbox. We highly recommend these resources.