I have all sorts of fascinating new interests. According to the rapidly increasing number of email spam I receive, I have "expressed interest in receiving information" about everything from buying property in Spain to making millions on the Internet. How the heck did all these people get my email address?

Unfortunately, the answer is, very easily. Your work email, if it's posted on your company's Web site, is probably even more vulnerable than your personal address. Your personal email is likely to be culled from newsgroups, but savvy email marketers are more likely to troll company Web sites for email contacts.

For home use, you can change your email address, or simply get an alternative "spam catching" address from a free email service and use it when you post to newsgroups or fill out forms on the Web. But businesses can't have employees changing their email address every time the spam piles up. Nor would it be good business practice to remove employees' email addresses from the company Web site.

Relying on legislation to halve the size of your inbox has proved a waiting game, although plenty of legislatures are trying to whittle away at spam. In California, the unsolicited email I receive is required by law to have a label of "ADV" or "ADV:ADLT" in the subject line, only three of the last 50 spams I received were appropriately labelled. Obviously, email transcends state boundaries--much of it originates overseas--which makes such the legislation difficult to impose. In some cases, it's weak by design. If, for example, you live in Delaware and receive a spam email from out of state, your state's anti-spam law only applies if there's "a reasonable possibility" that the sender knows you are in Delaware. Just keep deleting.

Where it all starts

Perhaps the best explanation for the growing volume of spam comes from a spammer; a recently received email proclaims, "Email marketing is spreading around the whole world because of its high effectiveness, speed, and low cost." The first point--spam's effectiveness--might be hard to swallow, but the rest goes without saying.

Not only is it quick and cheap, but the targeting of business Web sites for email marketing campaigns is getting more sophisticated. And it's the employees who largely shoulder the burden of filtering spam, sapping company productivity.

A lot of email marketers get their start with courses and software from the likes of the Internet Marketing Centre. IMC encourages the people who take its courses to be responsible email marketers and avoid practices such as renting sloppily gathered email lists. But regardless of how well-targeted these email campaigns get, it's still a given that most of these emails will end up in the trash along with the Viagra sales pitch--only your employees will have to read more than just the message headers to determine that they're cold calls.

Ed Brooks, for one, knows about cold calling. Before launching his Internet marketing firm, Beyond the Site Marketing, he did just that for telephone services. Now he applies that experience to marketing products on the Internet.

First, Brooks uses specialised software that costs less than $100 to gather email addresses from Web sites. He types a search term into his application, which uses 36 search engines to gather URLs; then he determines how many levels he wants to go into the URLs. He can tell the software to exclude order pages, FAQ pages, etc., and to determine whether the search phrase is located in keywords or only in body text. Then he tells it what types of email addresses he wants to gather: "You can filter out customer service addresses, support (staff) addresses, things like that."

With returns of up to 1,000 Web pages per search engine, Brooks can generate a list of 36,000 Web pages.

Fight back!

Even though Brooks says he manually checks each site he finds to determine its relevancy, all that work doesn't mean his email recipients don't label him a spammer. To Brooks, Web sites are open invitations. "I'm just responding to their request to have people contact them."

As a result of this open invitation, your employees could spend valuable work time sending requests to be removed from such lists. Brooks says he honours all removal requests, but acknowledges that many others don't, and that spammers of the worst ilk just consider such requests proof that there's someone at the other end.

After trolling Web sites and gathering email addresses, it's time to send the message. Email automation programs, which cost anywhere from $100 to $400, can handle that task with ease. Typically, these programs do three things: process email lists, send email, and handle incoming responses, most often with an automated reply.

Some of these programs work better with databases than others. While some require the sender to manually import, export, and update the email lists, more sophisticated programs can directly query SQL databases.

A feature that Brooks says is particularly important is sequential mailing. That is, you can program the software to send a different email every few days to the same address list, like a series of follow-up sales calls.

But even if you enlist an anti-spam product or service, someone still has to sift through the mail that's been filtered to make sure nothing business-related has been snared in the spam net. "Some firms do that by establishing a spam folder for each user and then writing the filters," says Bob Johnston, CISSP, manager of credentialing services at the ISC2, the International Information Systems Security Certification Consortium. But other companies balk at the delays in delivery times that putting spam filtering software on a mail server can cause. "That's why many firms choose not to implement the spam filters--it takes too long."

Sweetening the pot

Spam-fighting methods have had to mature because spammers figured out how to bypass simple content filtering, which looks for words such as "free" and "credit card". These days, spam filtering providers collect spam in databases with the help of honeypots, a term also used to describe the luring of hackers into attacking a simulated network service.

To establish a honeypot network, spam filtering providers set up email addresses on a variety of mail providers for the sole use of receiving spam so they can better understand it and create new filters for it. The profiles of the fictional people associated with these email addresses are given a variety of interests, and posts are made to newsgroups in their name. What's key is that these email addresses aren't subscribed to anything, so it's a virtual guarantee when a message is received that the address has been harvested without permission, and that what's received is spam.

While such analysis might seem more suited to a spam filtering service provider, CipherTrust thinks enterprises might want to use the tool themselves. You can manually set up a honeypot in the current version of the company's IronMail software, but Director of Research and Development Paul Judge says the next version will feature an automated process for setting up honeypot addresses.

But honeypots won't be enough. Nor will the fuzzy algorithms that can detect if a message is spam even when random data at the end of the message derail efforts to read its signature.

A variety of clever spam-fighting techniques are out there, but for now, you still have to dedicate someone to sift through the filtered mail to make sure no legitimate correspondence is dropped. For now, the battle of wits between spam filter developers and savvy spammers is far from over.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.