ARRGH! I have received my first piece of spam to one of my personal, unpublished email addresses! I try to keep the addresses I use for personal correspondence out of the hands of commercial services, which means never putting those addresses on the web (a sure-fire way to get spam) or Usenet, and never using those addresses for services, accounts, and especially contests. Even services with sensible posted privacy policies could change their agreement in a desperate search for income, get bought up by a less scrupulous company, get hacked, or simply violate their agreement and hope nobody notices. And mailing lists that keep web archives but do not obscure email addresses, shame on you-- though a well-trafficked list might have a subscriber that collects addresses for resale, so any list probably deserves using its own address. (Personal domain owners like myself will often use service-name@mydomain.com as the email address for a service or mailing list, so if spam is ever received at that address, the channel can be closed and the appropriate companies can be sued.)
But I can't control what addresses my friends and family use with electronic greeting card and send-this-to-a-friend services. This alone makes address partitioning futile. Not everyone is as spam-conscious as I am, or even aware that the act of entering an email address into a web form from an untrusted source can be signing the address up on countless mailing lists. Nor would I expect to be able to convince everyone I correspond with to know and adhere to my wishes about how my addresses are to be used, to read privacy policies of sites as diligently as I would before entering in my address. Some people think spam is inevitable and protecting an address isn't worth it. Maybe they were right after all, though I've been 99.99% spam free with 0 false positives using address partitioning and SpamAssassin together for years (SpamAssassin primarily for emails to info@ and webmaster@mydomain.com; the only reason I haven't been 100% spam free is because a few managed to slip past SpamAssassin this way).
This leak, however, is probably not anyone else's fault (other than the spammer's). The address at which I received this particular spam is one Pine has been using for replies to messages (other than those to mailing lists), with the username at my webhost followed by my domain name. This could have been any of the dozen or so random web people that have contacted me personally for whatever reason, to which I've responded politely with an answer they've requested. Perhaps I slipped on an innocent-looking query from a person or service and hit reply without changing the reply address.
Even more aggravating is that this spam also slipped past SpamAssassin and into my inbox. With a rating of three stars (my current configuration is set to six), this little mail is quite ingeniously crafted and probably rigorously tested against the very software I'm using to block it. UCE clichés are either worded around (not "remove" but "removal"), or when specific to the actual product, munged with underscores (100%_money_back_guarantee). The product itself is quite innocuously named. Other clues seem obvious, however: it's HTML email, it contains an HTTP URL with an IP address instead of a domain name, and the header contains "X-Mailer: Shizzel Mailzer", for Pete's sake.
I, of course, feel silly spending so many words over one piece of spam when people receive hundreds if not thousands of unsolicited emails every day. But I've had a 100% success rate with 0 false positives for years, until now. Thankfully, I don't see any legitimate email scoring higher than 1 with SpamAssassin, so maybe I just need to lower the bar.
A real good filter for addresses that aren't getting that much spam is to see if any To/CC address contains your full name. If it does, it is likely that it is either a reply to something you wrote, or is being sent by someone who has you in their address book. Spam almost never has your name in the To or CC lines. Naturally, this comes after your whitelist for mailing lists and for senders in your address book.
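The name-in-To/CC check described above, sketched as an added example (not code from the original post). The owner name, address book, list ID and sample messages are all constructed assumptions; the whitelist runs first, as the tip specifies.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for illustration; none of these come from the post.
FULL_NAME = "Jane Q. Example"
ADDRESS_BOOK = {"friend@example.org"}
LIST_IDS = {"dev-list.example.net"}

def tokens(text):
    """Lowercased alphanumeric words, so 'Example, Jane Q.' and 'jane example' compare equal."""
    return re.findall(r"[a-z0-9]+", text.lower())

def classify(raw):
    msg = message_from_string(raw)
    # Step 1: whitelist (address-book senders and known mailing lists) runs first.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    list_id = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    if sender in ADDRESS_BOOK or (list_id and list_id.group(1).lower() in LIST_IDS):
        return "whitelisted"
    # Step 2: does any To/Cc display name carry every word of the full name?
    want = [t for t in tokens(FULL_NAME) if len(t) > 1]  # ignore bare initials
    for display, _addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        have = set(tokens(display))
        if want and all(t in have for t in want):
            return "likely-personal"
    return "suspect"  # no name and not whitelisted: leave it to the content filter

# Constructed sample messages.
SPAM = "From: offers@bulk.example\nTo: jane@mydomain.example\nSubject: removal\n\nhi\n"
REPLY = ('From: stranger@example.com\nTo: "Example, Jane Q." <jane@mydomain.example>\n'
         "Subject: Re: your page\n\nthanks\n")
LIST = ("From: poster@example.com\nTo: dev-list@example.net\n"
        "List-Id: Dev list <dev-list.example.net>\nSubject: [dev] patch\n\nbody\n")
CC = ("From: stranger@example.com\nTo: other@example.com\n"
      "Cc: Jane Example <jane@mydomain.example>\nSubject: fyi\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("spam", SPAM), ("reply", REPLY), ("list", LIST), ("cc", CC)]:
        print(name, classify(raw))
```

Display names sent as RFC 2047 encoded words would need decoding (for example with `email.header.decode_header`) before the token comparison; this sketch only handles plain ASCII names.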