Thursday, January 29, 2009

All About Spam: Why am I sending spam??

All About Spam is a series of blog posts about common spammer techniques. Have a question about a type of spam that you'd like to see in a future blog post? Send an email to!

The first time you see a piece of spam that's From: your own email address is a pretty scary moment. "Has my email address been hacked?!" Luckily, that's almost never the case. Unluckily, it's incredibly common to get your email address forged in spam.

The least troubling occurrence is when spammers forge spam to look like it's coming From: you. This is simply a method to sidestep spam filters -- many people make their own email address a trusted sender (or whitelist), and spammers are just exploiting that habit. (That's why you can't add your own Pobox address as a trusted sender!)

Sometimes, though, you may find yourself getting loads of bounce messages, and maybe even a complaint that you are spamming someone! A spammer has forged your email address, and spammed other people. This has two possible causes: backscatter, or a joe job.

Backscatter happens when a system accepts a message, then bounces it. This sends a bounce message to the email address in the headers. However, since most spam headers are forged, this means that the person who gets the bounce is almost never the person who actually sent the message. (Avoiding backscatter is the reason your Pobox filters can't bounce messages that have their content checked.) Most companies try to reduce backscatter, so if your email address is forged in spam, you may not even be aware of it, or you may just get a handful of bounced messages.

A joe job is a purposeful attack, designed to get many people angry at you. If you've been joe-jobbed, you'll know it -- many, many bounce messages, spam complaints, people threatening to call the Federal Trade Commission, Better Business Bureau, etc.

As with most spam problems, there isn't a good solution to spammers using your email address in their messages. Sender authentication (Sender ID, SPF and DKIM) is something that groups have been working on for years, but adoption is not nearly widespread enough for accurate filtering.
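To show what sender authentication actually checks, here is a simplified SPF evaluation, added as an example and not Pobox's code. SPF compares the connecting server's IP with the list published by the envelope sender's domain; the record and IP addresses below are constructed, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# SPF qualifier prefix -> result (RFC 7208); a missing prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record, as a domain might publish it in a DNS TXT entry.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"


def check_spf(record, client_ip):
    """Evaluate an SPF record against the IP of the connecting mail server.

    Mechanisms are tried left to right; the first match decides the result.
    Mechanisms that need DNS lookups return "unknown" instead of a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    redirect = False
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=), not a mechanism
            redirect = redirect or term.lower().startswith("redirect=")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unknown"  # a, mx, include, ... need DNS lookups
    return "unknown" if redirect else "neutral"


if __name__ == "__main__":
    print(check_spf(RECORD, "192.0.2.25"))   # server listed by the domain
    print(check_spf(RECORD, "203.0.113.9"))  # server the domain never listed
```

A "fail" result is what lets a receiver reject the forged message during the SMTP session instead of accepting it and bouncing it later.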

Thursday, January 22, 2009

Understanding false positives and false negatives.

False positives and false negatives are terms that originally came to us from medical tests. When you perform a pregnancy test, bloodwork, or a scan for a disease, there is the result, and then there is what's actually true.

  • When you are pregnant, but the test says you're not, that's a false negative.
  • When you're not pregnant, but the test says you are, that's a false positive.

The same thing can happen with spam filters. When a message that you actually want to receive is rejected, that's a false positive. The filters saw something that was not spam, but thought it was. False positives are a very serious problem, because you've lost mail that you need!

The easiest way to prevent false positives is to make a complete trusted sender list. That's why we try to make it as easy as possible for you to add trusted senders. You can add them yourself, but we also automatically create them for you when you send mail through Pobox. We also try to learn from our mistakes; when you release a message from the Spam section, you can add a trusted sender automatically.

When you receive a message, but it's spam, that's a false negative. False negatives are still annoying, but you usually have to make a trade-off -- the more aggressive you make your spam filters, the more likely you are to get a false positive, a missing message that you wanted to receive. So, most people accept some small amount of spam in their lives, to make sure they don't miss any of the messages they want to receive.

If you don't agree, we have lots of options for aggressive spam fighters! You can set your spam filters to block mail from countries where you don't know anyone. You can turn our filters up to super aggressive, and bounce messages that you don't want. You can even block everything that comes from someone who isn't one of your trusted senders!
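The trade-off described above, worked through on a constructed set of scored messages (an added example, not Pobox's filter). The senders, scores and thresholds are assumptions for illustration: a lower threshold means a more aggressive filter, and trusted senders are never blocked.

```python
# Constructed sample: (sender, spam score from 0 to 10, is it really spam?)
MESSAGES = [
    ("mom@example.org", 2.1, False),
    ("newsletter@shop.example", 6.4, False),
    ("boss@example.com", 4.8, False),
    ("friend@example.net", 1.0, False),
    ("pills@spam.example", 9.2, True),
    ("lottery@spam.example", 7.5, True),
    ("invoice@spam.example", 5.1, True),
    ("hello@spam.example", 3.3, True),
]


def confusion(messages, threshold, trusted=frozenset()):
    """Return (false_positives, false_negatives) for one threshold.

    A message is blocked when its score reaches the threshold,
    unless its sender is on the trusted-sender list.
    """
    fp = fn = 0
    for sender, score, is_spam in messages:
        blocked = score >= threshold and sender not in trusted
        if blocked and not is_spam:
            fp += 1  # wanted mail was lost
        elif not blocked and is_spam:
            fn += 1  # spam reached the inbox
    return fp, fn


def sweep(messages, thresholds, trusted=frozenset()):
    """Map each threshold to its (false_positives, false_negatives)."""
    return {t: confusion(messages, t, trusted) for t in thresholds}


if __name__ == "__main__":
    trusted = {"newsletter@shop.example", "boss@example.com"}
    for t in (8, 6, 4, 2):  # mild -> super aggressive
        print(t, confusion(MESSAGES, t), confusion(MESSAGES, t, trusted))
```

Each step toward a more aggressive threshold trades one missed spam for one lost legitimate message, while the trusted-sender list removes false positives without letting any more spam through.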

Tuesday, January 13, 2009

Protecting Your Account with Effective Passwords

I used to be very lazy about my Internet passwords. There are just so many darn sites out there, and you can't really be expected to remember a password for all of them, can you? Then, catastrophe struck one of my friends. She used the same password for Gmail as she used for a bunch of other sites, and one of those other sites was compromised. Spammers ended up spamming like crazy from her account. Luckily, they spammed her husband, which is how she figured out that someone else was using her account.

After that, I went crazy changing my passwords. The most important passwords to keep different, secure and difficult are for your bank, your credit cards, and your email address.

My email, you might say? How could that be as important as my money? Well, what does your bank do when you forget your password? That's right... they email you the link to create a new one. Keeping your email address secure is a way to keep all your other accounts secure.

What can you do about it?

1. Don't reuse passwords for your important accounts. A password is only as secure as the least secure site you use it on.

2. Make it hard to guess. Again, a password is only as secure as you make it, and if you use the password "password" (which a very surprising number of people do), it's not going to be that hard to guess. Use a mix of letters and numbers, and make it at least 8 characters.

3. Write it down. As I read somewhere once, "we've already developed a system for keeping important, private information secure. It's called a wallet."

4. Get help. I use 1Password, and it generates random passwords, keeps track of stuff, and can auto-fill passwords across browsers. And then I keep the password for 1Password very secure.

There are also lots of passwords you don't have to worry about. Unless you are worried about people masquerading as you, re-using the same password is fine for message boards, photo sites or any sites where you don't have a credit card on record.

Wednesday, January 7, 2009

Mailstore Storage increased to 5GB


We are pleased to announce that all Mailstore accounts now include 5 gigabytes of storage! Combined with recent upgrades to the Mailstore backend, this should make using Pobox for all your mail easier than ever!

As always, if you have any questions or problems, please contact Customer Support.

Tuesday, January 6, 2009

All About Spam: What is a "dictionary attack"?


All About Spam is a series of blog posts about common spammer techniques. Have a question about a type of spam that you'd like to see in a future blog post? Send an email to!

Sometimes, people will set up a new Pobox account, and then start getting spam almost immediately. When they write in, I take a look at their account, and see that they've registered Dear Ansel Adams, you are the victim of a "dictionary attack".

As you've certainly learned on the Internet, if you go to 100 sites, and try to enter your first name as a username, unless you're named Kabir, you're probably going to get told, "That username is unavailable."

I'm sure, way back at the dawn of Internet time, Bob Smith the Spammer was signing up for Hotmail, tried 5 different usernames, and got frustrated. At every domain he went to, there were some very common usernames that were never available. And then, he had this grand realization:

"I can just assume some addresses will always exist, and spam them."

And thus, the dictionary attack was born.
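How a mail server operator can spot this pattern in delivery logs, as an added example that is not Pobox's code. The log format, the addresses and the thresholds are constructed for illustration; the signal is one client addressing many different usernames and being refused for most of them.

```python
import re
from collections import defaultdict

# Constructed log lines in a hypothetical format:
# connecting client IP, recipient address, SMTP reply code.
LOG = """\
client=203.0.113.50 rcpt=admin@example.com code=550
client=203.0.113.50 rcpt=info@example.com code=250
client=203.0.113.50 rcpt=sales@example.com code=250
client=203.0.113.50 rcpt=bob@example.com code=550
client=203.0.113.50 rcpt=john@example.com code=550
client=203.0.113.50 rcpt=mary@example.com code=550
client=203.0.113.50 rcpt=webmaster@example.com code=550
client=198.51.100.20 rcpt=info@example.com code=250
client=198.51.100.20 rcpt=slaes@example.com code=550
client=192.0.2.8 rcpt=ann@example.com code=250
client=192.0.2.8 rcpt=raj@example.com code=250
client=192.0.2.8 rcpt=lee@example.com code=250
client=192.0.2.8 rcpt=kim@example.com code=250
client=192.0.2.8 rcpt=sam@example.com code=250
"""
LINE = re.compile(r"client=(\S+) rcpt=(\S+)@\S+ code=(\d{3})")


def find_dictionary_attackers(log, min_attempts=5, min_reject_ratio=0.6):
    """Return {client_ip: reject_ratio} for clients guessing usernames.

    A client is flagged when it addressed at least min_attempts distinct
    usernames and the server answered 550 (no such user) for at least
    min_reject_ratio of them.
    """
    attempts = defaultdict(set)
    rejected = defaultdict(set)
    for m in LINE.finditer(log):
        ip, local, code = m.group(1), m.group(2).lower(), m.group(3)
        attempts[ip].add(local)
        if code == "550":
            rejected[ip].add(local)
    flagged = {}
    for ip, names in attempts.items():
        ratio = len(rejected[ip]) / len(names)
        if len(names) >= min_attempts and ratio >= min_reject_ratio:
            flagged[ip] = round(ratio, 2)
    return flagged
```

The single typo from 198.51.100.20 and the all-accepted mailing from 192.0.2.8 stay below the thresholds, so only the guessing client is flagged.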