Web design and e-commerce | Domain search | Contact | Manage account  

However careful you are about not publishing or releasing your e-mail address except to your friends and colleagues, sooner or later your mailbox starts filling up with SPAM (or UCE, Unsolicited Commercial E-mail, to give its formal title).

Ever received e-mail from a company you've never heard of?
Of course you have. Are you convinced that they cannot conceivably be connected with any other company you may have dealt with? If so, you are almost certainly on a List Operator's database.

How do they get your e-mail address?
Every time you buy a product or service online, or register with a site for any number of reasons, it is likely that you will be required to supply your e-mail address.
This is often quite legitimate and, in the case of reputable organizations with a clear Privacy Policy, should not present a problem. Bear in mind, however, that even highly reputable companies may seek to sell or otherwise make available your e-mail address either to third-parties or their own affiliates. If so, this should be clearly stated on the form where the information is collected - usually worded something like "From time to time we may send you information on special offers.........etc". There should also be an opt-out method on the form - normally you have to check a checkbox to indicate that you don't want to receive such information. If you fail to invoke the opt-out you have, by definition, invited the organization to send you e-mail

In the case of, say, a high street bank or household name in the United Kingdom, you can be reasonably confident that if you opt out of any "send me stuff about products we think you may be interested in", you'll be safe.

Check the site's Privacy Policy and, if it is operated by a United Kingdom organization, make sure it states clearly that it is registered under the Data Protection Act and specifies who the Data Controller is.

If there is no mention on a form you are about to submit of whether or not your personal information will be used to send you marketing or other information, the site's Privacy Policy should tell you exactly what your personal information will be used for.

Remember that it's not just on the internet that you might be asked for your e-mail address - increasingly, paperwork you fill in for subscriptions, services, almost anything these days in fact, asks for it as well. Again, there should be an opt-out method on the form and again, it will almost invariably be so presented that you must tick a box to indicate that you don't want them or their affiliates to e-mail you whenever they feel like it.

All of this is fairly obvious - but beware, not all organizations on the web are reputable (surprise, surprise) and you only need to have your e-mail address acquired by one unscrupulous List Operator to start an ever-increasing flood of SPAM.

List Operators
List Operators collate vast databases of e-mail addresses of both companies and individuals, which they make available to anyone who wants to use them. Sometimes they sell them outright, more often they will themselves send out e-mails on behalf of an organization trying to sell its products.

List Operators (and there are reputable ones as well as unscrupulous ones) acquire e-mail addresses in a variety of ways. They may buy them from reputable organizations to whom people supplied an e-mail address, but did not opt out of the "we may send you......etc" clause. Of course, less scrupulous organizations sell e-mail addresses even when people have opted out of receiving unsolicited e-mails from them or their affiliates.

Domain WHOIS harvesting
WHOIS is publicly accessible information on the Registrant (owner) and other contacts concerned with administering an Internet domain name. If you have registered a domain name, anyone can look up the information in WHOIS, the content of which varies between registries.

For example, the information shown in WHOIS for a UK SLD (Second Level Domain) such as .co.uk does not contain any e-mail addresses. TLDs (Top Level Domains) such as .com, .net and .org show at least the administrative contact's e-mail address(es) and gTLD (global Top Level Domains) like .biz and .info show much more.

For example, compare the WHOIS data for some of our domains:

 WHOIS data comparison 


The Registries are required to make this information publicly accessible for a variety of reasons. WHOIS data was never intended to be 'mined' by robots - automated systems that constantly query WHOIS services to harvest e-mail addresses - nevertheless this is what happens. This helps to explain the numerous e-mails you will inevitably receive, soon after registering a TLD or gTLD domain name, from web hosting companies, so-called search engine optimization experts and so on.

Ever get SPAM addressed to nonexistent e-mail addresses?
Once a SPAM merchant knows that a domain has been registered, it is a fair bet that e-mail addressed to certain widely-used addresses will be delivered to the target. The common ones include postmaster, root, hostmaster, webmaster, info, sales, admin, etc.

Furthermore, most commercial domains' e-mail servers are configured so that e-mail addressed to unknown users is delivered to a designated address within the domain, perhaps postmaster or another account.

To demonstrate this, we have registered the domain tangerine-aardvark.com for the purely fictional company Tangerine Aardvark Productions. Tangerine Aardvark's CEO is Fred X. Bloggs and his PA is Arthur Dogsbody.
Only Fred and Arthur have actual e-mail accounts on the domain, their e-mail addresses being fred.bloggs@tangerine-aardvark.com and a.dogsbody@tangerine-aardvark.com

Tangerine Aardvark does not want to lose wrongly addressed e-mail from its clients, some of whom can't type very well, so we don't want to reject e-mail to fres.nloggs@tangerine-aardvark.com just because the sender is having finger trouble on his keyboard. Being a business, we don't want to lose anything sent to sales@tangerine-aardvark.com or info@tangerine-aardvark.com either. In fact, Fred's policy is that the company will accept absolutely anything so long as the domain name is correct. Of course, as CEO, Fred's time is far too valuable to waste sifting through lots of SPAM on the offchance that there might be something useful there, so Tangerine Aardvark's mail server is configured to place e-mail for unknown users in Arthur's mailbox so he can deal with it.

Arthur's e-mail address was harvested from the  WHOIS? data soon after the domain was registered, so he gets a substantial and ever-increasing amount of SPAM.

This being a demonstration system, both Fred's and Arthur's accounts have autoresponders which will send a reply to the sender thanking them for their interest. Feel free to send mail to the domain and see what happens.

Why do you get correctly addressed SPAM even on a free ISP account you've only just set up?
Even if SPAM merchants don't know a valid e-mail address, that won't stop them trying to send you some SPAM, even to an e-mail account you set up at an ISP or free service provider.

If you have given your new free service or ISP e-mail address to absolutely nobody, you might be surprised to receive some SPAM within a week of setting up your account. Don't automatically blame the service provider - chances are they haven't released your address to anyone - you remembered to opt out of receiving "special offers from us or our partners.....etc", right? What has happened is that a robot system has 'guessed' your e-mail address.

Remember Fred? Suppose that, in addition to his business e-mail address at Tangerine Aardvark Productions, he sets up a nice new e-mail account with some free ISP and his new address is fred.bloggs@somefreeisp.co.uk. Somewhere, there will be a robot doing nothing else today except generate names at random and send e-mails to them. They can be extremely sophisticated and use all possible combinations of surnames, first names, initials, with or without dot or hyphen separation, with or without prefixes and suffixes, in addition to purely randomly generated letter/number sequences. It won't take long to 'guess' fred.bloggs, or fbloggs, fredbloggs27 and so on - at the rate of several hundred thousand an hour - and then append '@somefreeisp.co.uk' to form fredbloggs27@somefreeisp.co.uk or postmaster@fredbloggs27.somefreeisp.co.uk.

Only a very tiny number may get through, but what do they care? Bandwidth is cheap. And when somefreeisp.co.uk blocks the domain and/or IP address that is sending their customers all this SPAM, they just change to another one. You can absolutely guarantee that the 'from' and 'reply-to' addresses in the SPAM are either fake, or have been closed down.

Why you should never respond to SPAM
Most SPAM will usually have some small print at the end of the message containing instructions to stop them sending you any further SPAM, such as:
- Reply with the subject "Remove" to unsubscribe
- This message was sent to you as a result of your intention and permission to receive 3rd party messages.
[List_Operator_Name] always respects your wishes and you may remove your address from our list anytime.To do so, please use this link: http://[some_link]

You would be forgiven for assuming that following these instructions would have the desired effect - i.e. no more SPAM from that source and, in the case of reputable organizations, you might be right. However, the only effect it will definitely have is to confirm that your e-mail address is current, thereby ensuring that you receive even more SPAM.

Recent legislation in the United Kingdom makes it a criminal offence to send Unsolicited Commercial E-mail This has, in many cases, so far resulted in nothing more tangible than the rewording of the SPAM small print to include something along the lines of "you are receiving this e-mail because you have indicated your willingness to receive information from us or one of our partner web sites......etc". Note the part in blue and realize how difficult it may be to prove otherwise. Anyway, the Internet is a global phenomenon and United Kingdom legislation is unlikely to deter a SPAM operation in the United States or Grand Cayman, is it?

So much for how and where SPAM originates - how can you stop it?
The short answer, as you will have realized from the above, is that you can't. Don't despair, though - let's qualify that - you certainly can't stop them sending SPAM, but you can avoid having to read it or even receive it. Let's look at some of the measures you can employ...

Junk filters in some e-mail clients (Outlook, Outlook Express etc) let you select a piece of SPAM and create a rule that automatically either deletes the next e-mail from that sender or diverts it into a given folder. The problem with this is that the really irritating and/or offensive SPAM merchants will never use the same 'from' and 'reply to' addresses, 'subject', message phraseology or even server, twice. This tends to reduce the effectiveness of the strategy. SPAM filters that you can install on your system operate on much the same principle as Junk filters and rules. Although some of these are much more sophisticated, it is virtually impossible to filter SPAM on more or less any set of criteria and always get it right. For example, not every e-mail containing the words 'FREE' or 'URGENT' or the phrase 'LOOK AT THIS' is necessarily SPAM.

You can easily spend as much time adjusting and tweaking filtering criteria as you would have spent reading and deleting the SPAM.

In any case, it's highly irritating that you have wasted your bandwidth downloading the SPAM in the first place, even if you've got broadband and are not paying for the connection time it is wasting.

So the ideal solution would be not to receive the SPAM at all.

Some service providers now offer SPAM filtering designed to delete the offending items on their servers before you ever see it. This option, however, is not always free and suffers from the same tendency to delete some non-SPAM items as well as not stopping everything that is SPAM. The main advantage is that they, not you, do all the work to try to recognize and block SPAM - and at least you're not downloading so much of it.

Use a cloaked domain
A cloaked domain is one where your e-mail address does not appear in WHOIS data (so cannot be harvested) and which is configured to reject any e-mail not addressed to a valid account.

Back to our friend Fred again..... Fred was sick of the SPAM he was getting on his ISP e-mail account at fred.bloggs@somefreeisp.co.uk (even though he hadn't given the address to anyone he didn't trust absolutely) that he decided to register his own personal cloaked domain.

Take a look at the WHOIS information for Fred's cloaked domains (we registered three so you can see the different WHOIS data)

 WHOIS data comparison on cloaked domains 


WHOIS data is taken from the domain record at the Registrar concerned and the only reason they ever e-mail the registrant in normal circumstances is when the domain is coming up for renewal. Cloaked domains registered through kadrex only show kadrex e-mail addresses, not the registrant's and kadrex will e-mail you renewal reminders. Even the Registrant's name and address can be care of kadrex if desired, to avoid even the possibility of junk snail mail.

Generally, cloaked domains for personal use only have a single valid address which is designed to be very difficult for robot systems to guess. This is what Fred has done on his cloaked domains.

Of course, given enough computing power, a robot system could eventually guess it, but they generally concentrate on easier prey such as free service providers and ISP accounts. If you put a web site up on the domain, do not publish your e-mail address on it - or it will be harvested by web crawlers.

Pretend you're a SPAM merchant - try to send e-mail to any address you like at Fred's cloaked domains and see how frustrating it is.

Possibly the best approach is twofold. Use a combination of a free e-mail account (or one that comes with your dial-up connection from your ISP) and a personal cloaked domain.

Adhere rigidly to the following strategy: only ever give the e-mail address on your cloaked domain to people you really trust not to give it out to anyone else - i.e. family, trusted colleagues etc.

If you must register with a web site for whatever reason, use your free or ISP account address, opt out of any "we may send you information......" options, make a note of where you registered and your login details. Follow the same rule when filling out paper forms. You can always stop using this account and open a new one if it starts getting hit with SPAM. Update your registration records with the sites you trust to reflect the new free service or ISP e-mail address.

Have e-mail arriving on your cloaked domain forwarded to your free or ISP account - you can change the forwarding address at any time.

Nobody, not even we, can absolutely guarantee that a domain remains SPAM-free, but a kadrex cloaked domain at least eliminates 'harvesting' - the rest is up to you.

To register a cloaked domain, call kadrex on +44 845 1668691

Contact | Domain name rules | Registration agreement | Privacy Policy | Manage Account