In June, I wrote about a technique used by spammers to harvest names and email addresses of “live” targets for their spam.
In a nutshell: you post an ad to Craigslist, and the spammer sends you an automated email which makes you think that maybe the sender is interested in your ad. You send a response, “Are you interested?”, thus revealing your real email address and, if it’s configured in your email client, your name to the spammer. Within hours, you are deluged by spam at that address. The spam uses your name from your email header, making it more likely that you will read it and that it will make it through your spam filter.
As I noted in my earlier blog posting, the fix to this is simple: Craigslist should tweak the email headers so that the entire exchange between poster and respondent is sent through Craigslist’s proxy server, so that the poster’s name and email address are never revealed in the header of a message sent by him/her to the spammer. Given how prevalent this problem is on Craigslist, it’s a mystery why they don’t do this.
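The header rewrite proposed above, as an added Python example that is not Craigslist's code: a relay strips every header that can carry the poster's name, address or network origin and substitutes a keyed alias. The domain `relay.example`, the key, the header list and the sample message are constructed assumptions.

```python
import hashlib
import hmac
from email import message_from_string, policy
from email.utils import parseaddr

RELAY_DOMAIN = "relay.example"           # hypothetical relay domain
RELAY_SECRET = b"constructed-demo-key"   # placeholder key, for illustration only

# Headers that can carry the sender's name, address or network origin.
IDENTIFYING = ("From", "Sender", "Reply-To", "Return-Path", "Received",
               "Message-ID", "X-Originating-IP", "X-Mailer", "User-Agent",
               "Organization", "Disposition-Notification-To")

# Constructed sample: a poster's reply as it arrives at the relay.
SAMPLE = """\
Received: from [203.0.113.7] by mail.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: Pat Poster <pat.poster@example.net>
Reply-To: pat.poster@example.net
To: reply-abc123@relay.example
Subject: Re: your ad
Message-ID: <1234@example.net>
X-Originating-IP: 203.0.113.7

Are you interested?
"""

def alias_for(address: str) -> str:
    """Derive a stable alias that does not reveal the real address."""
    digest = hmac.new(RELAY_SECRET, address.lower().encode(), hashlib.sha256)
    return f"{digest.hexdigest()[:16]}@{RELAY_DOMAIN}"

def anonymize_reply(raw: str) -> str:
    """Rewrite a poster's reply so only the relay alias leaves the proxy."""
    msg = message_from_string(raw, policy=policy.default)
    _display_name, real_from = parseaddr(str(msg.get("From", "")))
    for name in IDENTIFYING:
        del msg[name]                   # removes every occurrence, no error if absent
    msg["From"] = alias_for(real_from)  # bare alias: the display name is dropped
    # The body is passed through unchanged; signatures and quoted text in it
    # are outside what a header rewrite can protect.
    return msg.as_string()

if __name__ == "__main__":
    print(anonymize_reply(SAMPLE))
```

The relay would keep the alias-to-address mapping on its side so that replies to the alias can still be delivered to the poster.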
Alas, the problem has gotten worse, not better. At the bottom of every email message sent through Craigslist’s proxy server is a link that people can use to report the message as spam. People who are moderate to heavy users of Craigslist can recognize these phishing messages immediately and report them as spam, thus helping Craigslist to figure out who should be blocked from sending messages through them. But the spammers have figured out how to break the flagging link at the bottom of their email messages.