
The Incubators of Spam Lists and How to Guard Against Them

Were I writing this article a year ago, I’d probably be discussing what best practices you could take to limit spam.  But today, I need to start farther upstream and elaborate first on viruses, worms, harvesting and spoofing — the nasty little incubators of a spam list.

In today’s digital landscape, the effects of viruses and worms have become a major distiller of spam lists.  Collectively, they and spam cause great harm and inconvenience.  It’s important to understand this before designing and applying best practices to guard or limit the amount of spam you receive. 

About four years ago, I was determined to rid myself of spam.  Though we had a very good corporate anti-spam system in place, I was receiving about 50 spam messages per day.  After I switched companies, I started the practices I’ll enumerate shortly.  I stuck to them religiously, and today I receive only about one to five spam messages per year.  Have I piqued your interest?

Know Thy Enemy
What’s a virus?  Is it the same thing as a worm?  What are harvesting and spoofing?  How do spammers get my e-mail address?  I don’t even know these people to whom I supposedly sent e-mail!

Viruses.  These typically require a manual execution to start — the user.  He or she launches a virus by clicking on an e-mail attachment, opening a Web link or running a macro or application that has been swapped out by the virus itself.  It is easy to be deceived by these creations for their authors are skillful, and the viruses, like their biological counterparts, want to survive.  So awareness should always be the number one best practice.  Don’t be fooled by promises of cheap pharmaceuticals, instant winnings, foreign embassies wanting to give you money, promising new jobs, pictures of friends, etc.  I always offer this advice:  if you’re not sure who is sending it, zap it.  If you really do win ten million dollars, chances are good someone will call you.

Worms.  These are automalicious; they are self-replicating and do not need any assistance from you.  Worms take advantage of software features — in this case, the kind we don’t like, security holes — that permit computers to interact with each other.  Once connected to another computer, the worm transports itself, like a slinky, to the new host, and the process is repeated exponentially.  Some worms even carry their own e-mail engine.

Following is a fictional, yet not uncommon, scenario.  It may even have happened to you.

Tom Hapless has been traveling on business, and his laptop has not received virus or system updates in a few weeks because his hotel does not offer broadband access for his VPN connection to get the updates (although it does have an excellent gym).  So the only alternative Hapless has to get to the Internet is to go through a local area dial-up connection where he can connect to his firm’s website to read webmail.  The dial-up Internet is a raw place and fluid for worms.

The next day Hapless is back in the office.  He harbors his laptop into the docking station, turns it on and assumes all is well.  But an hour or so later, Tom’s connection to the Internet, along with those of his colleagues, becomes annoyingly slow.  Within the hour IT broadcasts an alert that they need to do emergency maintenance and that all systems and e-mail will be unavailable until further notice.  IT also requests any user who thinks he might have a virus or worm to call the helpdesk.  Wonder if Hapless realizes he could be the one.

The Worm Turned
Here’s what might have happened.  Dial-up Internet connections, being a raw environment not as well protected as many broadband infrastructures, can be crawling with worms.  Since Tom’s road machine hadn’t been connected to the corporate intranet for a time and therefore hadn’t downloaded the latest patches and virus updates, it probably picked up a variant of the worm that sensed its vulnerability and hopped on.  Once Hapless reconnected inside the corporate environment, the worm hopped off, bypassed the corporate firewalls and infected the entire system.  Certainly, Tom didn’t intend to cause the problem — he was just, well, Hapless.

How a Worm Worms Itself In
Here’s how it works.  Malicious code is released that first copies itself under various filenames in case the laptop has some virus protection that might sense its presence.  It then tests Internet connectivity and searches the laptop’s hard drive for e-mail addresses — known as harvesting.  After harvesting, the code may randomly select an e-mail address from that list (possibly yours) and use it as the sender — known as spoofing.  Next, the code composes a bogus e-mail message, attaches itself to that message and sends itself out onto the Internet to all the e-mail addresses it has harvested.  When an infected e-mail is halted by another corporation’s anti-virus/spam technology, the message is blocked, stripped of the virus and a return-to-sender message is generated, identifying you as the culprit.  All it takes is for one of these messages to get through to complete the cycle.

So when you receive these rejection notices — and you never sent a message, and the returned message warns you about sending viruses — the only real thing to do is to dismiss and delete it.  But in the days or weeks that follow, if you begin to receive more spam than usual, your address was most likely picked up by spammers from the harvesting, and unfortunately your address is now out there for use.  There are other ways to inadvertently wind up on spam lists, but it’s the viruses and worms that are doing the majority of the collecting these days.
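
For a mail administrator, the rejection notices described above can be sorted mechanically into "we really sent this" and "our address was spoofed". The following is an added example, not part of the original article; it assumes a hypothetical log of Message-IDs your servers sent (SENT_LOG) and a list of your outbound relay host names (OUR_RELAYS), and it runs on constructed sample bounces.

```python
import email
from email import policy

# Assumed for the example: a log of Message-IDs your servers really sent,
# and the host names of your outbound relays (all values are constructed).
SENT_LOG = {"<20240101.1234@mail.example.com>"}
OUR_RELAYS = ("mail.example.com",)

def returned_message(bounce):
    """Return the original message (or its headers) embedded in a bounce."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    orig = returned_message(msg)
    if orig is None:
        return "unknown"              # nothing to compare against
    if str(orig.get("Message-ID", "")).strip() in SENT_LOG:
        return "genuine"              # we really sent this one
    # The top-most Received line was written by the server that bounced the
    # mail; it names the host that actually connected to it.
    hops = orig.get_all("Received", [])
    if hops and any(relay in str(hops[0]) for relay in OUR_RELAYS):
        return "investigate"          # left via our relay but is not in the log
    return "backscatter"              # spoofed sender: dismiss and delete

def make_bounce(message_id, connecting_host):
    """Constructed sample bounce for the demo, not a captured message."""
    return (
        "From: MAILER-DAEMON@mx.recipient.example\nTo: tom@example.com\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nVirus found; message rejected.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.recipient.example\n\n"
        "Final-Recipient: rfc822; someone@recipient.example\nAction: failed\n"
        "Status: 5.7.1\n\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        f"Received: from {connecting_host} by mx.recipient.example;"
        " Mon, 1 Jan 2024 10:00:00 +0000\n"
        f"From: tom@example.com\nMessage-ID: {message_id}\n"
        "Subject: Your document\n\nSee the attachment.\n--b1--\n"
    )

if __name__ == "__main__":
    print(classify_bounce(make_bounce("<w1@dialup.isp.example>", "dialup.isp.example")))
```

An "investigate" result means the returned message left through your own relay without being logged, which is what an infected machine inside the office, like Tom's laptop, would produce.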

Some Ways of Getting on a Spam List 

  • Do you routinely give out your corporate address for everything?  Get your own address.  It can be free; it’s easy to set up; and in some cases, it offers utilities to forward or notify you that you have received e-mail on that account so you never have to remember to check.
  • Do you use your corporate e-mail address for personal use?  Signing up for Internet free services, filling out a warranty card for that new DVD player, etc. is like playing Russian Roulette on the Net.
  • Can they find you?  Go to a well-known Web search engine like Google or Yahoo.  Type in your e-mail address or just your corporate domain name, for example: “abc_company.com” into the search field and select [search].  If you receive a hit, bingo.  Go to your own corporate website and type in your e-mail address — see if you get a hit.
  • Have you attended any conferences lately where you handed over your business card to every vendor to win the conference car or trip to Hawaii?
  • Do you click on the links that say, “Click here to remove yourself from this list.”?
  • Do you let your kids use your corporate laptop to surf the Net?
  • Do you allow cookies on your desktop or laptop? 
  • Do your friends or business contacts have your e-mail in their systems?  Are those systems protected?
  • Do you give out your corporate e-mail address to telemarketers, focus groups, etc?

Ways of Guarding Against Spam
If you are receiving an inordinate amount of spam, and your corporate environment already has an anti-spam/virus platform in place, it will be difficult to change that without changing your e-mail address.  However, there are ways to limit further exposure:

Awareness.  Don’t open e-mail messages or click on Web links if you’re not sure who or where they came from.  Anything or anyone asking you for your login, password, PIN, social security or bank account number should IMMEDIATELY set off an alarm in your head.  When you see your e-mail has an attachment, don’t open it unless you know who sent it.  Keep yourself up-to-date on the latest hoaxes, too.

Education.  The Internet has some great sites to read up on the subject of spam.  Go to the websites of vendors who sell products in this space, and you’ll find more articles and white papers on spamming than there is spam itself!  All of these sites offer free white papers and some have free newsletters on the subject:

www.sophos.com
www.postini.com
www.ciphertrust.com

Discretion.  Do not feel obligated to give out your e-mail address.  For example, if you are walking by a trade show booth and suddenly crave that cool hat or mouse pad,  don’t automatically toss your card into the bowl.  I have two sets of cards, one listing my business e-mail address on it; the other, my personal e-mail address.  Guess who gets the corporate card?  Not the crew with the hats or mouse pads.  The cards with my business e-mail address are reserved for legitimate business uses.

Awareness.  Education.  Discretion.  Combined, they form the core of best practices for protecting you and your firm against spammers.  Isn’t that worth the effort?

About our author . . .

David Nadas is the Associate Director of Information Technology at King & Spalding LLP in New York.  Having started his career in marine biology, he later went back to school to learn computer programming.  During his 20-year technology career, David has worked in and out of the legal industry for such firms as Davis Polk & Wardwell, Darby & Darby and Weil Gotshal & Manges.  He can be reached at 212.556.2350 or dnadas@kslaw.com.
