Spam is the closest thing we’ll ever find to an Internet plague. No matter who you are, spam will one day find you and you’ll have no choice but to put up with its pestilence. It’s a pandemic that people have been trying to fight for decades, yet it’s still as strong as ever. But how do spammers find you in the first place?
The primary method of spamming is through email. So, logically, you might think that as long as spammers don’t grab a hold of your email address, you should be clear from its reach, right? But it’s not that simple. Spammers have had many years to innovate and perfect their techniques, and as it turns out, they have a whole bunch of ways in which they could lay hands on your email address.
As always, knowledge is power. If you know the techniques that spammers use, then you’ll be better equipped to at least hinder them. Instead of 500 spammers knowing your email address, maybe only 5 will know it. To me, that’s better than nothing.
Method #1: Mailing Lists
One of the oldest methods that spammers have used to harvest email addresses has been through mailing lists. It makes sense; mailing lists are basically compilations of valid email addresses already. But the specifics of it may be a surprise.
Mailing list services observe certain protocols to help prevent the leakage of their email addresses to outside sources. If a mailing list service was known for a lack of email address protection, their customer base would dwindle. Even still, spammers often make requests from mailing lists to obtain a list of all the people subscribed to that list. The services will frequently deny these requests–but sometimes it works.
Furthermore, spammers can actually request a list of all mailing lists rather than a list of all the individual email addresses. They then send spam email to the mailing lists themselves, which is then sent out to all the hidden addresses on those lists.
Method #2: Unsubscribe Links
On the topic of mailing lists, here’s another method that spammers sometimes use–and it’s a tricky one. If you’ve ever been subscribed to a newsletter or mailing list, you should know that at the bottom of every email they usually have an unsubscribe link.
Now, for most legitimate businesses, this unsubscribe link will do exactly what it’s supposed to do. If you’re receiving a newsletter from somewhere and it’s a newsletter that you purposely signed up for, then there shouldn’t be any problem with unsubscribing later.
But sometimes you’ll get spam email that poses as a newsletter and presents you with an unsubscribe option. In this case, that link could very well be deceptive.
Spammers send out these kind of emails en masse to randomly generated email addresses. By clicking on the unsubscribe link, you could actually be confirming the validity of your email addresses. This tells the spammer that your email address should be targeted with spam later.
Method #3: Brute Force
And that brings me to the next method: brute force generation. In other words, the shotgun approach to finding email addresses.
Every email address is designed with a specific structure: [name]@[domain].[com/net/org/etc]. The domain part is easy to figure out since all you have to do is look for the most popular email services and use that as a basis.
So the only important part, really, is the [name] section. At this point, the spammer can just generate a bunch of random letter-and-number combinations and send out emails to [randomly-generated-name]@[popular-domain].com. For example:
Suppose your email address was firstname.lastname@example.org. Eventually, the randomly generated email will hit your real email address and send out spam to you.
Over the course of one spam campaign, a spammer could generate millions and millions of random email addresses. If even 1% of those email addresses are legitimate, that’s still a ton of people who have to deal with spam.
Method #4: Web Crawler Bots
Another common tactic is to use bots (called crawlers) that crawl through webpages, searching for email addresses that are laid out in the open. This might sound scarier than it actually is, so let me explain.
Every time you access a certain web page, the contents of that web page are sent to you through the Internet and then your browser is responsible for displaying that data to your screen. However, spammers have coded programs that request web page data from web servers without having to use a browser.
Once the data comes in, the program can quickly read through all of its contents and determine if there are any email addresses on that web page. If there are, they’re stored away into a database. And because these programs are only requesting data (not displaying it), they can go through a ton of web pages quickly.
So what kind of web pages do they crawl? Forums are a popular target. User profiles on forums often have user email addresses out on plain display. These web bots can crawl through the entire members list of a forum and pull out tons of email addresses there.
Another popular target is social networking websites. Visit the profile of one of your friends on Facebook and chances are you’ll see their email address. If you can see it, it’s likely that a bot can see it, and if a bot can see it, that email address will be stored away for spam.
Method #5: Obtaining Email Databases
Lastly, sometimes all a spammer has to do is offer up some cash and they’ll land themselves a hefty list of valid email addresses. That’s right: some companies will sell their database of email addresses in exchange for a lot of money.
Any time you register on a website or sign up for a newsletter, your email address gets inputted into a server-side database. This could be for anything–online games, forum accounts, social networking services, news outlets, blogs, what have you. Whenever you enter your email address into an online form, the risk is there.
More rarely, spammers will hack into company databases and steal their email addresses without their knowledge.
Now that you know about the various ways in which spammers can obtain your email address, it’s your responsibility to be more protective over your information. Like with any piece of personal data–credit card numbers, social security numbers, home addresses and phone numbers–be diligent in keeping it off the Internet.