How Do Spammers Find Your Email Address?

Spam is the closest thing we’ll ever find to an Internet plague. No matter who you are, spam will one day find you and you’ll have no choice but to put up with its pestilence. It’s a pandemic that people have been trying to fight for decades, yet it’s still as strong as ever. But how do spammers find you in the first place?

The primary method of spamming is through email. So, logically, you might think that as long as spammers don’t grab a hold of your email address, you should be clear from its reach, right? But it’s not that simple. Spammers have had many years to innovate and perfect their techniques, and as it turns out, they have a whole bunch of ways in which they could lay hands on your email address.

As always, knowledge is power. If you know the techniques that spammers use, then you’ll be better equipped to at least hinder them. Instead of 500 spammers knowing your email address, maybe only 5 will know it. To me, that’s better than nothing.

Method #1: Mailing Lists

One of the oldest methods that spammers have used to harvest email addresses has been through mailing lists. It makes sense; mailing lists are basically compilations of valid email addresses already. But the specifics of it may be a surprise.

Mailing list services observe certain protocols to help prevent the leakage of their email addresses to outside sources. If a mailing list service were known for a lack of email address protection, its customer base would dwindle. Even so, spammers often make requests from mailing lists to obtain a list of all the people subscribed to that list. The services will frequently deny these requests–but sometimes it works.

Furthermore, spammers can actually request a list of all mailing lists rather than a list of all the individual email addresses. They then send spam email to the mailing lists themselves, which is then sent out to all the hidden addresses on those lists.

Method #2: Unsubscribe Links

On the topic of mailing lists, here’s another method that spammers sometimes use–and it’s a tricky one. If you’ve ever been subscribed to a newsletter or mailing list, you should know that at the bottom of every email they usually have an unsubscribe link.

Now, for most legitimate businesses, this unsubscribe link will do exactly what it’s supposed to do. If you’re receiving a newsletter from somewhere and it’s a newsletter that you purposely signed up for, then there shouldn’t be any problem with unsubscribing later.

But sometimes you’ll get spam email that poses as a newsletter and presents you with an unsubscribe option. In this case, that link could very well be deceptive.

Spammers send out these kinds of emails en masse to randomly generated email addresses. By clicking on the unsubscribe link, you could actually be confirming the validity of your email address. This tells the spammer that your email address should be targeted with spam later.
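To make the confirmation mechanism concrete, here is an added example (not from the original article) that inspects a message before anyone clicks: it flags unsubscribe links that point away from the sender's domain or carry the recipient's own address, plain or base64-encoded, in the query string. The message, the `.example` hosts and the `id` parameter are constructed for illustration, and both checks are heuristics rather than proof of spam.

```python
import base64
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import parse_qsl, urlsplit

RCPT = "johnsmith700@gmail.com"  # the article's example address
TOKEN = base64.urlsafe_b64encode(RCPT.encode()).decode()
# Constructed message; the sender and link hosts are made-up .example names.
RAW = f"""From: Deals Weekly <news@deals-weekly.example>
To: {RCPT}
Subject: Your weekly offers
Content-Type: text/html; charset="utf-8"

<html><body><p>Offers inside!</p>
<a href="http://trk.bulk-sender.example/u?id={TOKEN}">Unsubscribe</a>
<a href="http://deals-weekly.example/offers">View offers</a>
</body></html>
"""
# Simple anchor matcher; adequate for the sample, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def identifies(value, rcpt):
    """True if a query value is the recipient address, plain or base64."""
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.urlsafe_b64decode(padded).decode()
    except ValueError:
        decoded = ""
    return rcpt in (value.lower(), decoded.lower())

def audit_unsubscribe(raw):
    """Flag unsubscribe links that leave the sender's domain or name the recipient."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[1].lower()
    rcpt = parseaddr(str(msg["To"]))[1].lower()
    body = msg.get_body(("html",)).get_content()
    findings = []
    for href, text in ANCHOR.findall(body):
        if "unsubscribe" not in (href + text).lower():
            continue
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        findings.append({
            "url": href,
            "off_domain": host != domain and not host.endswith("." + domain),
            "tagged": any(identifies(v, rcpt) for _, v in parse_qsl(url.query)),
        })
    return findings
```

A link that is both off-domain and tagged with your address means the click itself reports which mailbox is live; marking the message as spam in your mail client does not send that signal.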

Method #3: Brute Force

And that brings me to the next method: brute force generation. In other words, the shotgun approach to finding email addresses.

Every email address is designed with a specific structure: [name]@[domain].[com/net/org/etc]. The domain part is easy to figure out since all you have to do is look for the most popular email services and use that as a basis.

So the only important part, really, is the [name] section. At this point, the spammer can just generate a bunch of random letter-and-number combinations and send out emails to [randomly-generated-name]@[popular-domain].com. For example:

  • johnsmith1@gmail.com
  • johnsmith2@gmail.com
  • johnsmith3@gmail.com

Suppose your email address was johnsmith700@gmail.com. Eventually, the randomly generated email will hit your real email address and send out spam to you.

Over the course of one spam campaign, a spammer could generate millions and millions of random email addresses. If even 1% of those email addresses are legitimate, that’s still a ton of people who have to deal with spam.
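From the receiving side, this kind of guessing leaves a recognizable trace: one client tries many recipients, most of them rejected, with local parts that differ only in a trailing number. The following added example (not part of the original article) runs that detection over constructed log lines; the log format, the IP addresses and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines in a made-up format: time, client IP, recipient and
# SMTP reply code (550 = no such mailbox, 250 = recipient accepted).
LOG = [f"10:00:{i:02d} 203.0.113.7 rcpt=johnsmith{i}@mail.example code=550"
       for i in range(1, 9)] + [
    "10:00:09 203.0.113.7 rcpt=johnsmith700@mail.example code=250",
    "10:02:11 198.51.100.20 rcpt=alice@mail.example code=250",
    "10:02:40 198.51.100.20 rcpt=bob@mail.example code=250",
    "10:03:05 198.51.100.20 rcpt=allice@mail.example code=550",
]
LINE = re.compile(r"^\S+ (?P<ip>\S+) rcpt=(?P<local>[^@\s]+)@\S+ code=(?P<code>\d{3})$")

def harvest_suspects(lines, min_rejects=5, min_ratio=0.8):
    """Flag clients whose recipient attempts are mostly rejected guesses."""
    stats = defaultdict(lambda: {"attempts": 0, "stems": Counter(), "confirmed": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a recipient result line
        s = stats[m["ip"]]
        s["attempts"] += 1
        if m["code"] == "550":
            # johnsmith1, johnsmith2, ... all reduce to the stem "johnsmith"
            s["stems"][m["local"].rstrip("0123456789")] += 1
        elif m["code"] == "250":
            s["confirmed"].append(m["local"])
    report = {}
    for ip, s in stats.items():
        rejected = sum(s["stems"].values())
        if rejected >= min_rejects and rejected / s["attempts"] >= min_ratio:
            stem, count = s["stems"].most_common(1)[0]
            report[ip] = {"attempts": s["attempts"], "rejected": rejected,
                          "top_stem": stem, "top_stem_count": count,
                          "confirmed": s["confirmed"]}
    return report
```

The `confirmed` list is the part that matters to the mailbox owner: it names the addresses the guessing run actually hit. The second client, with a single mistyped recipient, stays below both thresholds.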

Method #4: Web Crawler Bots

Another common tactic is to use bots (called crawlers) that crawl through webpages, searching for email addresses that are laid out in the open. This might sound scarier than it actually is, so let me explain.

Every time you access a certain web page, the contents of that web page are sent to you through the Internet and then your browser is responsible for displaying that data to your screen. However, spammers have coded programs that request web page data from web servers without having to use a browser.

Once the data comes in, the program can quickly read through all of its contents and determine if there are any email addresses on that web page. If there are, they’re stored away into a database. And because these programs are only requesting data (not displaying it), they can go through a ton of web pages quickly.

So what kind of web pages do they crawl? Forums are a popular target. User profiles on forums often have user email addresses out on plain display. These web bots can crawl through the entire members list of a forum and pull out tons of email addresses there.

Another popular target is social networking websites. Visit the profile of one of your friends on Facebook and chances are you’ll see their email address. If you can see it, it’s likely that a bot can see it, and if a bot can see it, that email address will be stored away for spam.
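To check what such a program would see on a page you publish, the added example below (not from the original article) audits a constructed profile page and reports every address readable without running scripts, along with how it is exposed. The page, the addresses and the `data-user`/`data-host` attributes are made up for illustration.

```python
import html
import re

# Constructed forum profile page; every name and address is made up.
PAGE = """<html><body>
<p>Contact: jane.doe@forum.example</p>
<a href="mailto:admin@forum.example?subject=Hi">Mail the admin</a>
<p>Encoded: bob&#64;forum&#46;example</p>
<span id="m" data-user="carol" data-host="forum.example"></span>
<script>/* a browser-side script would join data-user and data-host */</script>
</body></html>"""
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAILTO = re.compile(r'href="mailto:([^"?]+)', re.I)

def exposed_addresses(page):
    """Map each address readable without running scripts to how it is exposed."""
    found = {}
    for addr in MAILTO.findall(page):
        found.setdefault(addr.lower(), "mailto link")
    for addr in EMAIL.findall(page):
        found.setdefault(addr.lower(), "plain text")
    # Entity encoding is undone by any HTML-aware client, so decode and rescan.
    for addr in EMAIL.findall(html.unescape(page)):
        found.setdefault(addr.lower(), "HTML entities")
    return found
```

Three of the four addresses are reported; only the one that a browser-side script assembles is absent from the served HTML, and that protection holds only against clients that do not execute scripts.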

Method #5: Obtaining Email Databases

Lastly, sometimes all a spammer has to do is offer up some cash and they’ll land themselves a hefty list of valid email addresses. That’s right: some companies will sell their database of email addresses in exchange for a lot of money.

Any time you register on a website or sign up for a newsletter, your email address gets inputted into a server-side database. This could be for anything–online games, forum accounts, social networking services, news outlets, blogs, what have you. Whenever you enter your email address into an online form, the risk is there.

“But what about privacy policies?” you might ask. Well, not every company practices honesty and integrity. Sometimes a company will build up a large pile of email addresses and then give its own privacy policy the middle finger. Most of the time, however, email address leaks are performed by a single rogue employee who has high-level access.

More rarely, spammers will hack into company databases and steal their email addresses without their knowledge.

Now that you know about the various ways in which spammers can obtain your email address, it’s your responsibility to be more protective of your information. Like with any piece of personal data–credit card numbers, social security numbers, home addresses and phone numbers–be diligent in keeping it off the Internet.

Image Credits: No Spam Via Shutterstock, Newsletter Via Shutterstock, Handshake Via Shutterstock

30 Comments -

0 votes

Boni Oloff

Where do spammers get the email database from?

0 votes

Joel Lee

Did you skip over point #5?

0 votes

Boni Oloff

Oops, sorry, I mean hacker.. :)
Because I have an email database that I got from some forum.
I’m just wondering how they got 3000 working emails and shared them?
I think it is not profitable.
P.S. I am not a spammer :)

0 votes

Joel Lee

Hackers can obtain large email databases from a lot of places. A forum would be one such place. Another example is a company’s database for newsletter or listserv registrants. If you’re a spammer for a pharmaceutical product, then you might hack into a drug company’s newsletter. Stuff like that.

0 votes

Achraf Almouloudi

Hackers and spammers also usually make cheap dirty web and hacking (fake page) services where the user actually signs up for the service, but in the background they collect all the email addresses and use them for spam.

0 votes

Lisa Santika Onggrid

In addition to Achraf’s method, they can also use an easier method: Google’s advanced search. By limiting the search to the target website and using the right query, they can easily harvest every email address ever posted to that site.

0 votes

Chaos Emperor

What about FB? How did the hacker know my email? I’ve been hacked once.

0 votes

Achraf Almouloudi

New Web services and modern websites that use Cloudflare or just a separate framework have the ability to scramble the email address to some random characters if a bot is viewing, and show it in plain text if a browser is viewing, by having the browser do a little decoding operation using JavaScript to output the actual email address in plain text. Forums still don’t use this feature but Facebook, Twitter and most modern Web services do. In Facebook particularly, it is much less likely for a bot or stranger to catch your email, as most people only show it to friends and not publicly; that’s why Facebook is NOT targeted by email-collecting bots.

0 votes

Mac Witty

I also think the organized form of taking over hotmail/yahoo/facebook accounts collect addresses in the contact lists and inbox either for their own use or for selling them

0 votes

VS Vishnu

hope johnsmith1/2/3@gmail are not reading this… ;-)

0 votes

Ritwick Saikia

Good one Vishnu

0 votes

Led Cara

May I ask, why do spammers need to spam?

0 votes

Mike Merritt

Spammers send out emails in order to advertise/sell their products – like “viagra”, etc. to a large number of people. They also make cash money by selling their bulk email services to others who want to sell their own products. … sometimes legit products; mostly not.

0 votes

Joel Lee

Because people fall for it. ;)

0 votes

Lisa Santika Onggrid

1. They’re bored. Similar reason to cracking for fun.
2. It’s profitable. A surprisingly large number of people fall for scams every year. If you’re an experienced user you might be able to tell right away which message is spam and which is not, but some ‘innocent’ people dangerously believe in everything they stumble on on the net.

0 votes

chathu

Hi!
You mention under “Method #4: Web Crawler Bots” that these bots can harvest email addresses on “Facebook” and various online forums. They can collect email addresses if they are publicly shared? If we make them display only to friends (limit the email address visibility), these bots can’t collect them? Am I correct?

Thanks for this useful information.

0 votes

Joel Lee

As far as I know, a bot cannot pick up on pages that are not publicly available. However, that may or may not change in the future, so the absolute best bet would be to keep all (or as much as you can) of your private info off the Internet.

0 votes

Lisa Santika Onggrid

How about this? Do not post your email address in public forum. If you really must tell your address, do it via private/direct message to another member. At least it’s not outright exposed.

0 votes

Ritwick Saikia

Hackers gonna hack and spammers gonna spam. Harsh reality of life on the internet. Bayesian filters are of some help though.

0 votes

josemon maliakal

That is the most disgusting part about e-mail.. nice one.. I have seen that many people use their email passwords themselves to subscribe to many websites.. that can be very dangerous

0 votes

Lisa Santika Onggrid

Yes, you’re right. Trading off convenience to security will eventually lead you to something bad. It’s better to use Mailinator for such purposes.

0 votes

SravanG

That says we just can’t get out of spam mails, just may reduce. All these Methods are needed some or the other time. Who knows, MUO could sell my email :-)

0 votes

Cambry

Question: Are sent or forwarded emails with all recipients showing exposing those email addresses to interception by spammers, or are they simply breaking the etiquette rules of not giving everyone everyone else’s email addresses?

0 votes

Joel Lee

I think exposing email addresses in a CC field are more about etiquette than safety. Spammers don’t really intercept emails; if anything, they’ll access your address book and use that to add to their emails database. The choice between CC and BCC is more about privacy, as far as I know.

0 votes

Yiz Borol

Very informative article

0 votes

Movva Deepak

learned a lot…

0 votes

Catalin

Here are some other creative ways:

1 (not used anymore but worth mentioning it) – Create a Facebook app/game where you ask users to give you the email address for some reason (you are taking care of a virtual pet and we need to notify you when he’s hungry etc.)

2 Create a Facebook event where you say you want to give 1000 free iPhones and 1000 iPads because “insert whatever reason gets people to believe this”. Apart from joining the event you obviously have to send an e-mail in order to participate. I’ve seen 1,5 million people joining this type of scam.

3 Create a series of ebooks/pdf (copy the content from different sources and then just put it together and wrap it up as a pdf) on various topics. Create a one-page website for each pdf. Offer free downloads – by just completing a form with your e-mail address. Now you have targeted e-mailing lists. Less e-mail addresses but higher list value.

4 Based on the method above. Create an advertising services website. You already have targeted mailing lists (and create some new ones). Now all you have to do is find and charge companies some nice prices for “advertising to the right people”.
But make sure there is no connection between this website and the one-page ones. Bad for business. :)

5 Make a website with all sorts of personality tests. Ask for an email address at the end of test so that people can receive their results. Put some non obtrusive advertising just to spice things up – an extra buck doesn’t kill you.

6 Maybe you have friends working with a CRM (client resource manager) at a company or they are in charge of the newsletter campaigns. Tell them to collect email addresses and give them to you.

These are some creative ways I’ve seen over the last few years. And I present them here only as information. While information can be used for both good and bad, I hope you use it only for your knowledge.

0 votes

Christopher Webb

It’s better to get a good spam filter than to worry about all the ways they get your email. Also if you get an email from Prince in Nigeria, you probably aren’t going to get 100 million dollars.

0 votes

Michael Quaquim

Webscraping, collecting, data mining, tracking, monitoring visitors’ data for selling became more profitable than advertising and spamming.
So spammers switched to providing free antispam plugins to their spying servers.
Read:
“New Trends in Spamming: Spam Fused into Antispam Protection with Spamming Visitors Instead of Web Sites”
http://keycaptchaured.wordpress.com/2011/09/20/new-trends-in-spamming-spam-fused-into-antispam-protection-with-spamming-visitors-instead-of-web-sites/

0 votes

Joel Lee

Huh, that’s a pretty interesting concept… thanks for sharing!