Helping people with computers... one answer at a time.

Spammers use many techniques to fool you into opening and acting on their messages. I'll look at what they do to your email address.

Spammers try to use many, many techniques to try to fool you into opening and reading their message.

One of the most common is playing around with the email addresses to which they send their spam.

I'll review the most common approaches, and theorize a little bit as to where they come from and why they might be used.

First, a definition: email addresses when used in email messages typically have two parts:

  • the actual email address like "johndoe@somerandomservice.com"

  • the display name that goes along with it to make it more easily identifiable to humans, like "John C. Doe".

If you take a look at email headers, you'll see they're listed together:

To: John C. Doe <johndoe@somerandomservice.com>

Only the address is actually required. If both are present your email program may show only the display name, or it may show both.

The spam I see falls into a few different buckets:

Spam sent directly to me, with matching name and email address.

In other words, not only is the spam sent to one of my email addresses - "leo@somerandomservice.com" - but the name that's displayed is mine - "Leo A. Notenboom". This is most likely the case when my email address has been harvested from email itself, or from being sold by or stolen from some service where I provided both pieces of information.

I expect that this is the most valuable kind of target for a spammer, since the email is clearly addressed to me, increasing the chances that I'll open it.

Spam sent directly to me, using only an email address.

When there's no display name at all in spam, just an email address, it's more likely that the email address came from either of two places: it was harvested from a web page - where your display name is not associated with the email - or the result of what's called a "dictionary attack".

Dictionary attacks are the result of just trying likely email names until one works. A spammer might send email to leo@somerandomservice.com, leon@somerandomservice.com, leonard@somerandomservice.com, and so on. Those that aren't real accounts may bounce or simply disappear, but the spammer doesn't care as it didn't cost him anything. As long as one gets through, mission accomplished. People with just their first names as their email address often get a tad more spam because of this technique.

"Just an email address" is still valuable to a spammer, because once again the email looks like it was directed at you, specifically, and you're hopefully likely to open it.

Spam sent to me by my email address, but with a different display name.

This is probably the most confusing.

You'll see the display name as someone else's, and yet the email address that appears to be associated with it is yours:

To: Groucho Marx <leo@somerandomservice.com>

You may only see "Groucho Marx" as the recipient, when in fact it was sent to some email address completely unrelated to Groucho (or whatever name appears) - yours.

To be honest, I'm not exactly sure why spammers do it, other than perhaps to leverage the confusion factor. "Why am I getting email for Groucho, I wonder what it says?". There was a type of spam that actually played on this misdirection, appearing to be some kind of private message to Groucho (or whomever), attempting to entice you to visit some web site. I haven't seen that particular type of spam for a while, though.

More common are "From" lines where the email address and display name don't match, in a further attempt to obfuscate that origins of spam - the more confusion the better when it comes to trying to trace spam back to its source.

But regardless of why, it does happen often, in a deliberate attempt to mislead and confuse you.

Spam sent to me where my email doesn't appear at all.

This is the result of being "BCC'ed" or "Blind Carbon Copied" on the email. This is a way to send email to someone (typically in addition to someone else) where the fact that you're getting a copy is not displayed. In fact, when you receive the email there's no way to tell who may have been BCC'ed on the email.

Spammers send hundreds of thousands of emails at once, but sometimes rather than sending that many individual emails they'll send a smaller number, with perhaps 10 or 100 email addresses BCC'ed. It's a smaller number to send (thus more likely to side step attempts to throttle the number of emails that they can send at once), and by BCC'ing it can still look like a "personal" message to only one recipient - albeit someone you've never heard of.

Regardless of the technique used, the goal is the same: to fool spam filters so as to end up in your email inbox, and then to entice you to open the email, and act on its contents.

Don't.

Article C4230 - March 25, 2010 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

4 Comments
Ken B
March 25, 2010 11:56 AM

I've seen plenty of spam that has my e-mail address as "from", but a different name attached. I'm pretty sure the reason for this is that many people whitelist their own e-mail address, so an e-mail addressed "from" me (if I were to whitelist myself) would pass through the spam filters. But, many e-mail clients show the name, rather than address, of the "from", which would probably confuse many would-be victims. So, they set it up to show "from: Bob", which is more likely to be opened.

Bill
March 30, 2010 9:00 AM

One way around these questionable emails is to look at your email while it is still on the ISP's server. Then accept what you want, delete (or bounce) what you don't and download the rest. I use a program called Mail Washer for that purpose.

Warren
March 30, 2010 4:51 PM

I use MailWasher. I either bounce or delete the emails I don't want. You can teach the program to do this automatically. Then download only what you want into your email program. I have used this for years now and wouldn't be without it.

Carlos Coquet
April 23, 2010 12:48 PM

There is NO substitute for YOUR own personal judgement. Filters are NOT infallible. In fact, Thunderbird still flags Leo's newsletter as a possible scam even though I have told it dozens of times it is not. I have often people tell me they did not receive something I eMailed them and when I tell them to look in the Junk folder, there it is. This creates a real problem when people AUTOMATICALLY empty their so called spam or junk folder without at least looking down the messages.
And while I am on this, another way spammers are now harvesting SUPER VALID eMail addresses is by replying to CraigsList ads with generic crap like "Anything wrong with this?" or "Why are you selling it?". Some even scan for the item and mention it in the generic reply. Then when you come back to them, bingo, they have you eMail address.
I warn in all my CraigsList ads that any replies from Web based free eMail domains (Yahoo, GMail, AIM, HotMail, et al) will be ignored unless they include a telephone number or are explicit enough to make me believe someone actually read the ad. (CL could actually cure this problem very quickly by challenging reply clicks with a graphic but they just don't.)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.