Posted on July 11, 2017 11:00 am

How Spammers Obtain Your Email Address

Spam is amazing. In an unprecedented and astonishing effort, junk email reaches almost everybody online.

All it takes to get onto the mailing lists spammers use is an email address. There is no need to sign up for anything or ask for emails. The spam just starts arriving, out of nowhere, apparently without any plan or reason. It even reaches addresses that have never been used anywhere.

But how do spammers discover email addresses?

Dictionary Attack

Big free email providers like Windows Live Hotmail or Yahoo! Mail are a spammer’s paradise, at least when it comes to finding spammable addresses.

Millions of users share one domain name, so the domain part is known in advance (“hotmail.com” in the case of Hotmail). Try to sign up for a new account and you will discover that guessing an existing username is not difficult either: most short, memorable names are already taken.

So, to find email addresses at a large provider, it’s enough to combine the domain name with a likely username. Chances are that both “asdf1@hotmail.com” and “asdf2@hotmail.com” exist.

To beat this kind of spammer attack,

  • use a long, unpredictable address: not a dictionary word or a common name, with or without a few digits appended.

Brute-Force Searching

Another tactic spammers use to discover email addresses is to search common sources for them. They have robots scanning web pages and following links.

These address-harvesting bots work a lot like search engines’ robots, only they are not after the page content at all. Strings with an ‘@’ somewhere in the middle and a top-level domain at the end are all the spammers are interested in; anything of that shape in the raw page source is collected, whether it sits in visible text or in a mailto: link.

The bots are not picky, but the pages spammers are particularly keen to visit are web forums, chat rooms, and web-based interfaces to Usenet, because lots of email addresses are likely to be found there.

To beat address harvesting,

  • disguise your email address when you use it on the net (“name [at] example [dot] com”) or, better yet,
  • use disposable email addresses.

If you post your address on your own web page or blog, you can

  • encode it (as HTML character entities, for example)

so visitors who want to send you an email can see and use it, but a spambot scanning the raw page source cannot. Again,

  • using a disposable address

provides a very effective and at the same time convenient alternative.

Worms Turning Infected PCs Into Spam Zombies

To avoid being detected and filtered, spammers seek to send their emails from a distributed network of computers. Ideally, these computers are not even their own but those of unsuspecting users.

To build such a distributed network of spam zombies, spammers cooperate with virus authors who equip their worms with small programs that can send bulk emails.

Additionally, these spam-sending engines will often scan the user’s address book, web cache and files for email addresses. That’s another chance for spammers to catch your address, and this one is particularly difficult to avoid.

The best anybody can do is

  • keep their email program updated and patched,
  • be wary of any attachments they did not request and
  • do virus scans with an up-to-date scanner regularly.

There are four ways that spam senders get people’s email addresses:

  1. Spammers buy lists of real people’s email addresses.
  2. Spammers use “harvesting” programs that crawl the Internet the way a search engine does and copy any text that contains the “@” character.
  3. Spammers use “dictionary” (brute-force) programs that guess addresses, much as password crackers guess passwords.
  4. You unwittingly volunteer your email address to dishonest subscribe/unsubscribe online services.

Harvesting programs, aka “crawl and scrape” programs, are also commonplace. Any text on a web page that contains the “@” character is fair game for these programs, and lists of thousands of addresses can be harvested within an hour via these robotic harvesting tools.

Dictionary programs (brute-force programs) are the third means of getting spam target addresses. Just like password-cracking programs, these products generate alphabetic and numeric combinations of addresses in sequence. While many of the results are incorrect, these dictionary programs can create hundreds of thousands of addresses per hour, guaranteeing that at least some will work as targets for spam.
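
The following is an added example, not code from either original article: a small Python model of the dictionary program described above (and in the Dictionary Attack section earlier). The wordlist is a constructed stand-in for the much larger lists such programs use, and the rate of 500,000 guesses per hour is an assumption matching the “hundreds of thousands per hour” figure. It shows how early a short, guessable address such as asdf1@hotmail.com is produced, and why a long random local part is never reached.

```python
import string

# Constructed stand-in for a real dictionary (real lists hold millions of
# names and words); order matters because candidates are tried in sequence.
COMMON_WORDS = ["info", "admin", "john", "asdf", "mike", "sarah"]


def dictionary_candidates(domain, words=COMMON_WORDS, max_suffix=99):
    """Yield candidate addresses in the order a dictionary program tries them:
    every bare word first, then each word with numeric suffixes 1..max_suffix."""
    for word in words:
        yield f"{word}@{domain}"
    for word in words:
        for n in range(1, max_suffix + 1):
            yield f"{word}{n}@{domain}"


def guesses_until_hit(address, words=COMMON_WORDS, max_suffix=99):
    """How many candidates are tried before `address` is produced, or None if
    its local part is not a dictionary word (with or without a short suffix)."""
    _, domain = address.rsplit("@", 1)
    for count, candidate in enumerate(dictionary_candidates(domain, words, max_suffix), 1):
        if candidate == address:
            return count
    return None


def keyspace(length, alphabet=string.ascii_lowercase + string.digits):
    """Number of distinct local parts of exactly `length` characters drawn
    from `alphabet`; a random local part is one point in this space."""
    return len(alphabet) ** length


def hours_to_exhaust(length, rate_per_hour=500_000):
    """Hours a guesser running at `rate_per_hour` (assumed) needs to enumerate
    every local part of the given length, i.e. the worst case for a random one."""
    return keyspace(length) / rate_per_hour


if __name__ == "__main__":
    print("asdf@hotmail.com found after", guesses_until_hit("asdf@hotmail.com"), "guesses")
    print("asdf1@hotmail.com found after", guesses_until_hit("asdf1@hotmail.com"), "guesses")
    print("x7q9mzt2pl4w@hotmail.com found after", guesses_until_hit("x7q9mzt2pl4w@hotmail.com"))
    print(f"5 random chars: {hours_to_exhaust(5):.0f} hours to exhaust")
    print(f"12 random chars: {hours_to_exhaust(12) / 24 / 365:.2e} years to exhaust")
```

The point of the keyspace figures is not that spammers enumerate random strings (they do not; they stop at dictionary words and short suffixes) but that an address outside that dictionary simply never comes up, which is what the “long and difficult addresses” advice relies on.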

Lastly, dishonest subscribe/unsubscribe newsletter services will also sell your email address for a commission. A very common tactic is to blast millions of people with a false “you have joined a newsletter” email. The “unsubscribe” link in such a message typically carries an identifier tied to the address it was sent to, so when users click it they are actually confirming that a real person reads email at that address.

How do I defend against spammers harvesting my email address?

There are several manual techniques for hiding from spammers:

  1. Disguise your email address with obfuscation (“name [at] example [dot] com”) wherever you post it publicly.
  2. Use a disposable email address.
  3. Use an email address encoding tool when publishing your address on your website or blog.
  4. Avoid confirming an “unsubscribe” request from a newsletter you do not recognize. Simply delete the email.
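
As an added example serving both the harvesting description (the “@” scan in the Brute-Force Searching section and item 2 above) and the disguise/encode advice (items 1 and 3), and not code from either original article: a naive harvester of the kind described, run over a constructed HTML page, next to two of the countermeasures. The sample page, the addresses in it, and the helper names are all made up for this illustration.

```python
import html
import re

# The shape the article describes: something, an '@' in the middle, a host,
# and a top-level domain at the end. A naive harvester runs this over raw
# page source, so it sees mailto: links and visible text alike.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page_source):
    """Addresses a naive spambot scrapes from raw page source (deduplicated, sorted)."""
    return sorted(set(ADDRESS_RE.findall(page_source)))


def harvest_after_unescape(page_source):
    """A slightly smarter bot decodes HTML character entities before scanning."""
    return harvest(html.unescape(page_source))


def entity_encode(address):
    """Encode every character as a decimal HTML entity. A browser renders the
    plain address for visitors, but the raw source contains no '@' to match."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def disguise(address):
    """Human-readable obfuscation: 'alice@example.com' -> 'alice [at] example [dot] com'."""
    local, domain = address.rsplit("@", 1)
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


def undisguise(text):
    """What a human reader (or a bot written for this trick) does to read it back."""
    return text.replace(" [at] ", "@").replace(" [dot] ", ".")


# Constructed page: one plain address, one entity-encoded, one disguised,
# plus strings that look address-like but lack a top-level domain.
SAMPLE_PAGE = f"""<html><body>
<p>Contact: <a href="mailto:alice@example.com">alice@example.com</a></p>
<p>Encoded: {entity_encode('bob@example.org')}</p>
<p>Disguised: {disguise('carol@example.net')}</p>
<p>Not addresses: root@localhost, @handle, 10.0.0.1</p>
</body></html>
"""

if __name__ == "__main__":
    print("naive harvester:     ", harvest(SAMPLE_PAGE))
    print("unescaping harvester:", harvest_after_unescape(SAMPLE_PAGE))
    print("reader sees:         ", undisguise(disguise("carol@example.net")))
```

The naive scan returns only the plain address. Entity encoding defeats it, but only until the bot adds one `html.unescape` call, as `harvest_after_unescape` shows; the “[at]”/“[dot]” disguise survives both scans yet falls to a bot written for that pattern. Both tricks raise the cost of harvesting rather than removing the address from the page, which is why the articles rank a disposable address above them.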