Tracking Spam Back to its Roots, SiteAdvisor Style
Posted by Kelly Ford on December 6, 2005 06:00 PM
One of the things we spend a lot of time thinking about is how to help you better understand the practical implications of your everyday online activities, so you can make more informed decisions about where you search, browse, and share your personal information.
We emphasize practical, because there are many cases when a Web site or e-mailer is complying with the letter of the law even as they install intrusive adware on your system or send you a barrage of annoying advertisements by e-mail. The law may not be on your side in these cases, but SiteAdvisor is.
Today we’ll explain how we track and display the e-mail practices of Web sites in order to help you avoid what most people would call “spam” (even if the law doesn’t always strictly agree with that definition).
Bot # 213, grab another new e-mail address off the shelf
In our last entry we introduced you to our automated Web bots who spend all day, every day, crawling the Web looking for things to test. When our crawlers encounter a Web site with a page asking for an e-mail address, they’re only too happy to comply. They choose a brand-spankin’ new e-mail address, specially constructed so that the odds of accidentally sending to that address are extremely low. After entering the new e-mail on the page, they take note to never use that e-mail address again. Then they continue filling in other information if requested, and click 'submit.' (Sidenote: We don’t submit fake information on these forms; we actually use real data.) At that point, we know that any e-mail we receive at the e-mail address our bots chose is a direct result of our signing up on that site.
Real people don’t read every bit of tricky fine print, so our bots don’t either
One thing we don’t do when we provide our e-mail address on Web sites is try to uncheck every pre-selected box which may be asking if we want to receive ‘partner offers’ or other such spam-bombs. Our philosophy, consistent with what responsible e-mail marketers consider to be a best practice, is that consumers should be asked to choose what they want (“opt-in”) rather than be forced to say what they don’t want (“opt-out”).
Plenty of sites may claim that it was your fault you forgot to uncheck all those ‘send me this’ and ‘send me that’ boxes when you originally signed up. But let’s face it, many times those opt-out boxes are easy to overlook. (One of my personal pet peeves: I’m completing a registration form and remember to opt-out of ‘partner communications’, but receive an error after clicking
Let the barrage begin
Having provided our unique e-mail address to a Web site, we can now track the volume and spamminess of future e-mails that the site sends us, and report that information back to you.
E-mail volume is pretty straightforward. Our computers log every e-mail we receive and map it back to the original place it came from. We then compute the resulting rate (e-mails per week or per month) that you can expect to receive if you signed up at the same site. We even show you a sample in-box to document our tests and help you better understand what your own in-box is likely to look like after you sign up at a particular site.

Spamminess is a bit trickier. To determine an e-mail's spamminess score, we start our analysis with a software program called SpamAssassin. SpamAssassin rates individual e-mails on a variety of criteria and assigns scores based on whether the e-mail is more or less likely to be what most people would consider spam. For example, SpamAssassin evaluates an e-mail's commercial content and whether the e-mail employs tricks known to be used by spammers attempting to get through spam filters. Specific spammy actions trigger higher scores.
Somewhat confusingly, SpamAssassin scores range all over the place. I’ve seen scores of -4 (for a non-spam e-mail that also comes from a bonded sender) to +40 (for a spammy e-mail that fails all sorts of spamminess tests). Any individual e-mail that scores +5 or more is likely to be considered spam by most people.
SiteAdvisor shows you the average SpamAssassin ratings for all the e-mails we receive from a particular sender. This gives you an overall sense of how spammy your inbox is likely to become after submitting your e-mail address to a particular e-mail sender. We report this exact average on our detailed site analysis pages but also simplify it visually on our ‘Low to High’ spamminess scale, as shown above. (So you know, the vast majority of our scores fall between 0 and +20.)
Out with the Inbox
One way to explain all this is to look at a couple of individual e-mails.
We received one e-mail headlined: “Gas Bills Paid For One Year - Valued at $1800”. Inside, we found the following blinking “Click Here Now!” graphic:
SpamAssassin gave the e-mail a score of +20.5 because it triggered so many of their spam sensors. For example, unbeknownst to the human reader, the e-mail is riddled with invisible text. Embedded in the e-mail are lots of links, often a sign that it’s full of commercial pitches. The image dominates the “square footage” of the e-mail, again signaling strong commercial content. And the sender is part of a black list of known spammers compiled by anti-spam activists.
Each of these clues, along with several others, bumps up the e-mail’s score well past the +5 it needs to earn to be considered spammy.
By contrast, here’s part of an e-mail we received after signing up with a home builder:
Thank you for contacting Dominion Homes. This is a confirmation email to let you know that your inquiry has been received and a Dominion Homes representative will follow up with you shortly. We look forward to learning more about how Dominion Homes can help you in your new home search.
First off, the e-mail didn’t trigger any spam sensors. More than that, SpamAssassin’s statistical analysis of the actual words used reduced its overall score to -2.6.
Let’s say, for the sake of this blog entry, that both e-mails came from the same sender. We would average the scores together to +8.95. Given that score, we would consider this provider to have questionable e-mail practices.
Hold your breath…
Where all this really gets interesting is analyzing the various players involved in each piece of e-mail which reaches us, particularly e-mail with a high spamminess rating. By comparing the sender of each e-mail with the place where we originally signed up, we can determine which companies are directly or indirectly doing business with one another to sell, rent, or give away e-mail addresses. We are practically bursting to share some of the fascinating things we’ve already discovered on this topic, but sorry, you’ll just have to wait. This blog entry is long enough already.
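An added sketch of the bookkeeping described in this post (not SiteAdvisor's own code): each never-reused address maps incoming mail back to the signup site, which yields e-mails per week, the average SpamAssassin score, and any senders other than the site itself. The addresses, domains, dates, the one-week floor and the function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

SPAM_THRESHOLD = 5.0  # the post's "+5 or more" cut-off for a single e-mail

# Constructed sample data. One never-reused address per signup; all domains hypothetical.
SIGNUPS = {  # address -> (site where it was entered, signup date)
    "a7f3@probe.example": ("sweepstakes.example", date(2005, 11, 1)),
    "k2m9@probe.example": ("homebuilder.example", date(2005, 11, 1)),
}
MAIL_LOG = [  # (recipient, sender domain, SpamAssassin score)
    ("a7f3@probe.example", "sweepstakes.example", 20.5),
    ("A7F3@probe.example", "sweepstakes.example", -2.6),
    ("k2m9@probe.example", "homebuilder.example", -2.6),
    ("k2m9@probe.example", "offers-partner.example", 12.0),
    ("zzzz@probe.example", "unknown.example", 30.0),  # address we never issued
]


def site_report(signups, mail_log, observed_until):
    """Attribute each message to the signup site via its recipient address."""
    per_site = defaultdict(list)
    for rcpt, sender, score in mail_log:
        entry = signups.get(rcpt.lower())  # fold case before the lookup
        if entry is None:
            continue  # not one of our probe addresses, so it cannot be attributed
        per_site[entry].append((sender, score))

    report = {}
    for (site, signed_up), msgs in per_site.items():
        weeks = max((observed_until - signed_up).days / 7, 1.0)  # floor at one week
        avg = mean(score for _, score in msgs)
        report[site] = {
            "per_week": round(len(msgs) / weeks, 2),
            "avg_score": round(avg, 2),
            "spammy": avg >= SPAM_THRESHOLD,
            # Senders other than the signup site suggest the address was shared.
            # Exact domain comparison is a simplification of this sketch.
            "third_party_senders": sorted({s for s, _ in msgs if s != site}),
        }
    return report


if __name__ == "__main__":
    for site, row in site_report(SIGNUPS, MAIL_LOG, date(2005, 11, 29)).items():
        print(site, row)
```

The first two log entries reuse the post's +20.5 and -2.6 scores, so that site averages +8.95; the second site stays under the threshold but still shows a sender that is not the site where the address was entered.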

Comments
I would like to state that you have enlightened me to a great extent regarding spam in emails. I cannot, for the life of me, understand why the government refuses to apply the "right to privacy" to our online experience.
I have had quite a few emails sent to my email address on eBay.com (I am a seller), pretending to be eBay communicating with me. Their emails look exactly like emails we receive from the eBay site and they use some ruse such as "Your credit card registered with eBay has been declined in an update program. You must update your information. If you do not update your card within 24 hours, your accont will be suspended and you will be unable to access your account or sell on eBay." Then..."Click on the below link to go to the eBay credit card update page." Of course when you click on the link you are redirected to some site posing as eBay where your personal and/or financial information is solicited.
Internet email providers should have the technology in place to ascertain that these sites are legitimate or at least require some form of positive identification from the owners of the address before they can obtain an email address at all. That way when they track the email back to the sending address it would have someone directly responsible for the action, there would be a much greater possibility of instituting legal prosecution.
It is to be understood and mentioned that no website or provider can guarantee 100% that some dedicated criminal will not elude the safeguards and get to you anyway.
Thank you for your article and I, for one, truly appreciate the efforts of the Site Advisor to help keep us safer. Again thank you!
Regards,
James Myron
Posted by: James Myron | September 2, 2006 07:56 AM
I'm experiencing annoyance from the following websites:
1. Ucleaner.com
2. Ultimatecleaner.com
so many unwanted offers keep popping up
please do help
very best regards
Posted by: raymond valencia | September 30, 2007 10:25 AM