There are many ways spammers harvest email addresses. While unlikely, simply sending and receiving email might well be enough.
I'm confident you won't spam me Leo, however the fact is that I still get spam addressed to this disposable email address that I set up solely for your newsletter. What I don't understand is, since you are the only one I've told the address, and you don't pass it on, how come I'm getting spam?
In all honesty, this is a legitimate newsletter publisher's worst nightmare. You go through all the effort of playing by all the rules, not selling or sharing your subscribers' email addresses with anyone, anywhere, any time, and by making sure to use only industry leading and trusted service providers ...
Only to find out a subscriber of yours is getting spam on an email address they use only to subscribe to your newsletter, and nowhere else.
I know, because as you can see it's happened to me.
It's very common to sign up to newsletters or on-line stores with a unique email address that's used nowhere else, specifically to detect this case. For example, a user named Fred might create a new email address "email@example.com" and use it only to subscribe to my newsletter, taking extra care to make sure it never appears anywhere else - especially anywhere on the web.
In theory, that means if he gets anything else on that email address it's because I or my service provider did something bad - like share the email address with someone else, accidentally or otherwise.
And the theory is correct most of the time.
Unfortunately, "most of the time" isn't "100% of the time".
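The single-purpose address check described above can be automated on the receiving side. The following is an added example, not code from this site or its mailing provider: it derives one alias per subscription with a keyed tag, then sorts incoming mail into the expected sender, a third party that holds the real alias, or a blind guess at the domain. The key, the domains, the function names and the sample messages are all constructed assumptions, and a "captured" result says the alias reached someone else, not which path it took.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"      # assumption: private key only you hold
DOMAIN = "mail.example"               # assumption: domain you receive mail on
EXPECTED = {"newsletter": {"publisher.example", "listhost.example"}}  # assumption

def make_alias(service: str) -> str:
    """Derive the single-purpose address handed to one service."""
    service = service.lower()
    tag = hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{service}.{tag}@{DOMAIN}"

def alias_service(address: str):
    """Return the service an alias was issued to, or None if the tag is wrong."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    service, dot, _tag = local.rpartition(".")
    if domain != DOMAIN or not dot:
        return None
    good = hmac.compare_digest(make_alias(service).encode(), address.encode())
    return service if good else None

def classify(raw: str) -> str:
    msg = message_from_string(raw)
    # From is only a claim and can be forged; a mismatch is the useful signal.
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for _, rcpt in getaddresses(msg.get_all("To", [])):
        if not rcpt.lower().endswith("@" + DOMAIN):
            continue
        service = alias_service(rcpt)
        if service is None:
            return "guessed-address"           # blind blast, not a captured alias
        allowed = EXPECTED.get(service, set())
        if any(sender == d or sender.endswith("." + d) for d in allowed):
            return f"expected:{service}"
        return f"captured:{service}:{sender}"  # alias reached a third party
    return "not-for-us"

# Constructed sample messages (not real mail).
ALIAS = make_alias("newsletter")
LEGIT = f"From: News <news@publisher.example>\nTo: {ALIAS}\nSubject: Issue 144\n\nhi\n"
SPAM = f"From: deals@bulk.example\nTo: {ALIAS}\nSubject: Offer\n\nbuy\n"
GUESS = f"From: deals@bulk.example\nTo: newsletter@{DOMAIN}\nSubject: Offer\n\nbuy\n"

if __name__ == "__main__":
    print([classify(m) for m in (LEGIT, SPAM, GUESS)])
```

The keyed tag is what separates the two cases: mail to a guessable address such as `newsletter@` at your domain shows only that someone is blasting the domain, while mail to the tagged alias from an unexpected sender shows the alias itself got out.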
If we examine the path(s) that email relating to, say, a newsletter subscription can take, we'll see that there are other opportunities for that email address to be captured by spammers.
Spyware - the few reports I've gotten have been from people I trust to be on top of this, but it needs to be included. If you have spyware or some kind of virus on your machine all bets are off. Anything you do could be monitored and data could be captured. From the moment you fill in a subscribe form, to every time you read an email, spyware could be watching for anything that looks like an email address and sending it off to some kind of spammer central. We often hear of viruses that routinely collect the contents of address books, and it's not at all uncommon for email programs to automatically add some recipients to address books, perhaps as a side effect of your saying "it's ok to display images from this person".
Social Media Tools - one of the most frightening new "features" I've seen of late is social media sites that offer to connect you to all of your friends. In order to determine who your friends are, they ask you to upload or provide access to your contacts list or email address book, even if it's on some other service. Unfortunately, they don't know which addresses are "real" and which are single-purpose addresses. What these sites do with those addresses, real or not, is totally unknown. You're trusting that they won't also end up in the hands of spammers. You could be wrong.
The Network - email is typically sent completely unencrypted, over unencrypted connections. I'm not talking about WiFi connections here, I mean the entire internet. Everything from the DSL connection to your ISP, to the ISP-to-ISP connections that make up the internet itself. Anyone with access to a router or hub in the right place could be sniffing for and collecting anything that looks like an email address - or worse. It's infrequent, but possible, be it in the email stream itself, or the sequence of web page fetches that occur when you sign up or manage a subscription.
Open WiFi - have you downloaded email without taking any extra precautions using an open WiFi hotspot? Then it's possible that anyone in range of that hotspot could see and capture your email traffic. As I mentioned in the previous point, email by default is not encrypted - and that includes not only your email account username and password, but the very contents of the email you send and receive.
Mail Servers - as email travels along the path from sender to receiver, it typically touches at least two mail servers: the sending server and the mail server to which you connect to download your email. If either of these servers is compromised in any way, the traffic through them could be captured.
Your ISP - since everything is typically unencrypted, your ISP can see everything you do. Usually that's not a problem in the least, but it is another point of access into the email you send and receive and the email addresses that you use.
Mailing List Providers - I hesitate to even mention this, since I have a tremendous amount of respect and trust in the service that I use, but again, for completeness it must be mentioned. Not all mass mailing service providers are as secure and ethical as others. Some are sloppy, either technically or with their personnel, others are actively unethical - using the information you as a mailing list owner give them for other purposes. I have absolute faith and trust in AWeber, the service I use - but others may not be as trustworthy.
In most of the points above I make it sound like spammers are looking for email addresses.
Spammers work one of two ways: they blast their spam to millions and millions of email addresses, not knowing whether or not they are valid. Most are not, but enough are to make it worth their while. The other approach is to blast only to known good email addresses. These are much more valuable because the spammer doesn't need to send nearly as much spam in order to reach "real people".
As a result, spammers are always on the lookout for new ways to identify and capture valid, working email addresses.
Now, I also need to say that the long list above looks pretty dire. It makes it seem like there's no way to even send an email without getting your email address snagged and starting to get spam on it.
It's not nearly that bad. Possible, yes, but highly unlikely.
As I write this I have 40,000 subscribers to my newsletter. I've sent out something like 144 issues over nearly three years. (I'll estimate that as somewhere over 2,000,000 emails sent, accounting for the growth over that time.)
I've had exactly two complaints of this form.
Email addresses are much more commonly harvested through things like being published on web pages. (Do a Google search on your own; you may be surprised.)
So the real point of all this is to show that there really are no absolutes. You, and I, and our ISPs and our service providers, we all do the best we can to keep things as secure and as private as is possible.
But 100% security just doesn't exist.