How Do Spammers
Your email address should
not be considered public domain. It is your property, you are paying for it,
and you should decide what you receive and what you don't. Unfortunately, this
isn't the case. Professional spammers realize that 99.9% of their recipients do not
want to hear from them, and would rather not have their email address known.
Therefore, these pros employ a number of tricks to find, steal, and otherwise
obtain your email address.
Webpage harvesting is the
act of searching the html of webpages for anything resembling firstname.lastname@example.org.
This harvesting is accomplished by small programs called "spiders"
that traverse the web from page to page searching for email addresses and following
any links they encounter. In this way, a single spider can harvest thousands
of email addresses embedded in webpages and record them for later use by spammers.
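The same scan can be turned on your own pages to see what a spider would find there. The Python below is an added example, not part of the original article: it parses one HTML document and reports each place an address is readable. The names `ExposureAudit`, `audit` and `SAMPLE` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Deliberately simple pattern: enough for an audit, not a full RFC 5322 parser.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

class ExposureAudit(HTMLParser):
    """Collect every place in one HTML document where an address is readable."""

    def __init__(self):
        # convert_charrefs=True decodes references such as &#64; before matching
        super().__init__(convert_charrefs=True)
        self.findings = []  # (address, location) tuples

    def _record(self, text, location):
        for address in ADDRESS.findall(text):
            self.findings.append((address.lower(), location))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                # attribute values may be percent-encoded (mailto:a%40b.org)
                self._record(unquote(value), f"<{tag} {name}>")

    def handle_data(self, data):
        self._record(data, "text")

    def handle_comment(self, data):
        self._record(data, "comment")

def audit(html):
    """Return a sorted, de-duplicated list of (address, location) pairs."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return sorted(set(parser.findings))

# Constructed sample page; every address uses a reserved example domain.
SAMPLE = """<html><body>
<p>Contact: <a href="mailto:webmaster@example.org">the webmaster</a></p>
<p>Sales: sales&#64;example.com</p>
<!-- old contact: info@example.net -->
<p>Support: support at example dot org</p>
</body></html>"""

if __name__ == "__main__":
    for address, location in audit(SAMPLE):
        print(f"{address:28} exposed in {location}")
```

The character-reference form `sales&#64;example.com` is reported because the parser decodes it before matching, and the address left in an HTML comment is reported even though no visitor ever sees it.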
If you participate in UseNet
newsgroups, or your email address has been mentioned in a newsgroup article,
then your email address may have been harvested. Spammers regularly scan UseNet
using programs designed to pick out email addresses from the headers and bodies
of articles. By listing your email address in an article on UseNet, you are notifying
harvesters that your email account is active, and giving them an open invitation
to spam you.
From Mailing Lists
Spammers may attempt to get
the list of subscribers to legitimate mailing lists in order to steal valid
and active email addresses. This can be accomplished in a number of ways. For
some low-security mailing list servers, the spammer can simply request a list
of subscribers to a specific mailing list and be provided with this list. There
are also techniques that involve modifying the header of an email to the server
in such a way that it is tricked into sending a record of its recent mail deliveries
(including email addresses). Yet another trick is to request a list of all mailing
lists from a mailing list server (an option that some servers employ for the
convenience of their legitimate users). Once a spammer has this list, they just
send their spam message to each of the mailing lists and the mailing lists will
automatically forward it to every subscribed email address. If you have added
your email address to a mailing list on an insecure server, you may therefore
receive emails that claim to be coming from your desired mailing list but are
From Online and
Many websites have forms
on them requesting specific information from users. If you enter your email
address in a web-based form, it may become available on the internet. This can
occur if the form or the webpage hosting it is insecure, allowing outside individuals
to view its contents. Domain name registration forms are a popular target
among spammers. This is because the emails entered in them are almost always
valid, and their owners pay close attention to them because they are expecting
to receive important information.
Some companies and websites
make a living selling lists of the email addresses they collect through their
online forms and paper forms. When you give out your email address at an event,
conference, or convention, it may be compiled into a list which is later sold
when no longer useful. Some spammers may even go as far as to manually type
out email addresses listed in professional directories and conference proceedings.
Using Social Engineering
There are an infinite number
of ways to convince someone to give out their email address. One common trick
is to send a chain-mail letter claiming that "You will receive a (insert
incredible prize here) for every person that you forward this email to."
Since this offer only stipulates that you CC the original sender when forwarding,
it may seem harmless to an inexperienced internet user. However, doing so gives
this person not only your email address, but the email addresses of
the people you forward the message to (usually your friends, family, co-workers).
Another common method used
is to simply guess email addresses. Many addresses take on similar formats such
or a combination of first initial and last name or first name and last initial.
There are also a number of standard email address prefixes that are frequently
used such as: info, webmaster, root, postmaster, contact,
support, just to name a few.
guess at these email addresses and send out tens of thousands of test emails.
When they receive an error message in response, they know that a particular
email address isn't valid. If they receive an actual live response, or nothing
at all, then they can assume that this email address is valid, and add it to