Helping people with computers... one answer at a time.

There are many ways spammers harvest email addresses. While unlikely, simply sending and receiving email might well be enough.

I'm confident you won't spam me Leo, however the fact is that I still get spam addressed to this disposable email address that I set up solely for your newsletter. What I don't understand is, since you are the only one I've told the address, and you don't pass it on, how come I'm getting spam?

In all honesty, this is a legitimate newsletter publisher's worst nightmare. You go through all the effort of playing by all the rules, not selling or sharing your subscribers' email addresses with anyone, anywhere, any time, and by making sure to use only industry leading and trusted service providers ...

Only to find out a subscriber of yours is getting spam on an email address they use only to subscribe to your newsletter, and nowhere else.

I know, because as you can see it's happened to me.

It's very common to sign up to newsletters or on-line stores with a unique email address that's used nowhere else, specifically to detect this case. For example, a user named Fred might create a new email address "fred-askleo@example.com" and use that only to subscribe to my newsletter, and taking extra care to make sure it never appears anywhere else - especially anywhere on the web.

In theory, that means if he gets anything else on that email address it's because I or my service provider did something bad - like share the email address with someone else, accidentally or otherwise.

In theory.

And the theory is correct most of the time.

"... spammers are always on the lookout for new ways to identify and capture valid, working email addresses."

Unfortunately, "most of the time" isn't "100% of the time".

If we examine the path(s) that email relating to, say, a newsletter subscription can take, we'll see that there are other opportunities for that email address to be captured by spammers.

  • Spyware - the few reports I've gotten have been from people I trust are on top of this, but it needs to be included. If you have spyware or some kind of virus on your machine all bets are off. Anything you do could be monitored and data could be captured. From the moment you fill in a subscribe form, to every time you read an email, spyware could be watching for anything that looks like an email address and sending it off to some kind of spammer central. We often hear of viruses that routinely collect the contents of address books, and it's not at all uncommon for email programs to automatically add some recipients to address books, perhaps as a side effect of your saying "it's ok to display images from this person".

  • Social Media Tools - one of the most frightening new "features" I've seen of late are social media sites that offer to connect you to all of your friends. In order to determine who your friends are, they ask you to upload or provide access to your contacts list or email address book, even if it's on some other service. Unfortunately, they don't know which addresses are "real" and which are single-purpose addresses. What these sites do with those addresses, real or not, is totally unknown. You're trusting that they won't also end up in the hands of spammers. You could be wrong.

  • The Network - email is typically sent completely unencrypted, over unencrypted connections. I'm not talking about WiFi connections here, I mean the entire internet. Everything from the DSL connection to your ISP, to the ISP-to-ISP connections that make up the internet itself. Anyone with access to a router or hub in the right place could be sniffing for and collecting anything that looks like an email address - or worse. It's infrequent, but possible, be it in the email stream itself, or the sequence of web page fetches that occur when you sign up or manage a subscription.

  • Open WiFi - have you downloaded email without taking any extra precautions using an open WiFi hotspot? Then it's possible that anyone in range of that hotspot could see and capture your email traffic. As I mentioned in the previous point, email by default is not encrypted - and that includes not only your email account username and password, but the very contents of the email you send and receive.

  • Mail Servers - as email travels along the path from sender to receiver, it typically touches at least two mail servers: the sending server and the mail server to which you connect to download your email. If either of these servers is compromised in any way, the traffic through them could be captured.

  • Your ISP - since everything is typically unencrypted, your ISP can see everything you do. Usually that's not a problem in the least, but it is another point of access into the email you send and receive and the email addresses that you use.

  • Mailing List Providers - I hesitate to even mention this, since I have a tremendous amount of respect and trust in the service that I use, but again, for completeness it must be mentioned. Not all mass mailing service providers are as secure and ethical as others. Some are sloppy, either technically or with their personnel, others are actively unethical - using the information you as a mailing list owner give them for other purposes. I have absolute faith and trust in AWeber, the service I use - but others may not be as trustworthy.

In most of the points above I make it sound like spammers are looking for email addresses.

They are.

Spammers work one of two ways: they blast their spam to millions and millions of email addresses, not knowing whether or not they are valid. Most are not, but enough are to make it worth their while. The other approach is to blast only to known good email addresses. These are much more valuable because the spammer doesn't need to send nearly as much spam in order to reach "real people".

As a result, spammers are always on the lookout for new ways to identify and capture valid, working email addresses.

Now, I also need to say that the long list above looks pretty dire. It makes it seem like there's no way to even send an email without getting your email address snagged and starting to get spam on it.

It's not nearly that bad. Possible, yes, but highly unlikely.

As I write this I have 40,000 subscribers to my newsletter. I've sent out something like 144 issues over nearly three years. (I'll estimate that as having sent somewhere over 2,000,000 emails accounting for the growth over that time).

I've had exactly two complaints of this form.

Email addresses are much more commonly harvested by things like being published on web pages (do a Google search on your own, you may be surprised.)

So the real point of all this is to show that there really are no absolutes. You, and I, and our ISPs and our service providers, we all do the best we can to keep things as secure and as private as is possible.

But 100% security just doesn't exist.

Article C3506 - September 19, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

11 Comments
Anthony
September 21, 2008 9:21 AM

Thanks to this article i found out why my kids e-mail was getting spam her e-mail was published. in her help forum profile. now that i had her change that i hope to see a drastic reduce in amount of spam. Thanks Leo and thanks Google

You'll probably not see a reduction, since that email address has already been harvested by spammers. :-(
- Leo
22-Sep-2008

Ziggie
September 22, 2008 6:21 AM

Sadly, Anthony, you probably won't as the e-mail address is in some spammer's database somewhere. Sad, but true.

Dan Ullman
September 22, 2008 9:33 AM

Leo, you forgot to list dumb luck. Spammers send mail to likely but not known if working addresses. Even unlikely addresses. I once made a throw-away hotmail address that I never used. Random letters for the most part. It got one spam.

RJ
September 22, 2008 9:49 AM

Yeah, like Dan mentioned, it's also likely that they could have just used random word generators to try and mail to every possible e-mail your provider could give out. One thing that's unfortunate about e-mails vice regular mail (at least in a spammer perspective) is that there is effectiely no cost from the spammer's view to send an e-mail, even if they send it to a hundred, a thousand, or even a million addresses at once. The cost only gets applied on the recipients' mail servers, who need to handle the flood of spam coming for their members.

Nick
September 23, 2008 9:16 AM

Thanks for that Leo. I'm going to conduct a wee experiment. What I'll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I'll let you know.

It's only that one firm of spammers, btw, that I mentioned in my previous comment on the subject.

Nick
September 23, 2008 11:46 AM

The experiment continues. I've re-subscribed using (as Leo can see) a new but similar disposable email address. I shall check in my Trash folder over the next few days to see whether any spam arrives addressed to the new address.

Incidentally, I'm also glad to have re-subscribed for another reason, as it means I get a copy of Leo's e-book on Internet Safety, which I am looking forward to perusing.

Ray
September 23, 2008 4:58 PM

Leo,

All good explanations. I also like the "dumb luck" and "random" explanation, though hardly dumb luck or random. When I was on Earthlink, about once a week I'd be cc'd on an e-mail with a nonsensical message in the body. The sender wasn't even shy about hiding the cc list:

aaaaaa@earthlink.com; aaaaab@earthlink.com; aaaaac@earthlink.com; aaaaad@earthlink.com; ...

or some similar progressive block of 20 to 30 addresses that happened to contain mine. Earthlink could have easily blocked such "fishing" expeditions (at the time they were running an expensive TV ad complain touting their anti-spam team) but refused to do so even after repeated complaints.

Don't get me started on free WiFi increasingly common in hotels and airports. They routinely harvest information such as e-mail addresses, legally if you agree to their TOS.

Leo, what is AWeber and what user information do you share with them?

AWeber is the service I use to send my weekly newsletter. When you sign up for that they're the one's collecting your email address and confirmation, and then once a week they're the ones who actually send the email. They're perhaps the most respected email service provider in the industry.
- Leo
23-Sep-2008
Fred
September 23, 2008 11:22 PM

And spam can already be directed to the address.
As in: someone already had it, did something stupid, got plenty spam, closed the account, then you get the account, and the spam is still coming......

Terry Hollett
September 24, 2008 5:39 AM

I have 4 email accounts. My main one is at Yahoo, for my web site. I have an Hotmail one because my relatives started using MSN Messenger. I have a Gmail account - reason still unknown - it seemed like a good idea at the time. I also have my email from my ISP.

I have never given or used the Gmail account but when I log in the Spam folder has currently 1283 emails. Amazingly, the spam in the other accounts have dropped considerabily.

I use to average between 150 to 200 emails daily. That has dropped to about 30 - I take no credit for it :-).

Ray
September 24, 2008 12:59 PM

Thanks Leo! I was just wondering.

I have gotten spam through my GMail account. I'd used Google Checkout and it turned out the merchant's computer was infected. Google doesn't scan checkout related mail for spam. Fortunately, you can elect not to receive e-mail from checkout merchants, which solve that problem.

As I explained elsewhere, through my own domain I've created a primary e-mail account whose address I give to friends and relatives. For everyone else I create a individual custom domain forward to my primary account. If I ever start getting spam through a forward, I'll just delete it and create a new one for the merchant or organization.

Since setting up about four months ago, the amount of spam I receive has went from over a hundred a day to zero. Of course this method can't be used by e-mail accounts that must accept messages from arbitrary senders.

Nick
October 14, 2008 9:39 AM

On Sept 23rd I wrote "I'm going to conduct a wee experiment. What I'll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I'll let you know." Well, it seems to have worked, as I am no longer receiving the spam.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.