How Do Spammers Find Your Email Address?

Joel Lee 02-11-2012

how spammers find email addressesSpam is the closest thing we’ll ever find to an Internet plague. No matter who you are, spam will one day find you and you’ll have no choice but to put up with its pestilence. It’s a pandemic that people have been trying to fight for decades, yet it’s still as strong as ever. But how do spammers find you in the first place?


The primary method of spamming is through email. So, logically, you might think that as long as spammers don’t grab a hold of your email address, you should be clear from its reach, right? But it’s not that simple. Spammers have had many years to innovate and perfect their techniques, and as it turns out, they have a whole bunch of ways in which they could lay hands on your email address.

As always, knowledge is power. If you know the techniques that spammers use, then you’ll be better equipped to at least hinder them. Instead of 500 spammers knowing your email address, maybe only 5 will know it. To me, that’s better than nothing.

Method #1: Mailing Lists

how spammers find email addresses

One of the oldest methods that spammers have used to harvest email addresses has been through mailing lists. It makes sense; mailing lists are basically compilations of valid email addresses already. But the specifics of it may be a surprise.

Mailing list services observe certain protocols to help prevent the leakage of their email addresses to outside sources. If a mailing list service was known for a lack of email address protection, their customer base would dwindle. Even still, spammers often make requests from mailing lists to obtain a list of all the people subscribed to that list. The services will frequently deny these requests–but sometimes it works.


Furthermore, spammers can actually request a list of all mailing lists rather than a list of all the individual email addresses. They then send spam email to the mailing lists themselves, which is then sent out to all the hidden addresses on those lists.

Method #2: Unsubscribe Links

how spammers find my email

On the topic of mailing lists, here’s another method that spammers sometimes use–and it’s a tricky one. If you’ve ever been subscribed to a newsletter or mailing list, you should know that at the bottom of every email they usually have an unsubscribe link.

Now, for most legitimate businesses, this unsubscribe link will do exactly what it’s supposed to do. If you’re receiving a newsletter from somewhere and it’s a newsletter that you purposely signed up for, then there shouldn’t be any problem with unsubscribing later.


But sometimes you’ll get spam email that poses as a newsletter and presents you with an unsubscribe option. In this case, that link could very well be deceptive.

Spammers send out these kind of emails en masse to randomly generated email addresses. By clicking on the unsubscribe link, you could actually be confirming the validity of your email addresses. This tells the spammer that your email address should be targeted with spam later.

Method #3: Brute Force

And that brings me to the next method: brute force generation. In other words, the shotgun approach to finding email addresses.

Every email address is designed with a specific structure: [name]@[domain].[com/net/org/etc]. The domain part is easy to figure out since all you have to do is look for the most popular email services and use that as a basis.


So the only important part, really, is the [name] section. At this point, the spammer can just generate a bunch of random letter-and-number combinations and send out emails to [randomly-generated-name]@[popular-domain].com. For example:


Suppose your email address was Eventually, the randomly generated email will hit your real email address and send out spam to you.

Over the course of one spam campaign, a spammer could generate millions and millions of random email addresses. If even 1% of those email addresses are legitimate, that’s still a ton of people who have to deal with spam.

Method #4: Web Crawler Bots

Another common tactic is to use bots (called crawlers) that crawl through webpages, searching for email addresses that are laid out in the open. This might sound scarier than it actually is, so let me explain.


Every time you access a certain web page, the contents of that web page are sent to you through the Internet and then your browser is responsible for displaying that data to your screen. However, spammers have coded programs that request web page data from web servers without having to use a browser.

Once the data comes in, the program can quickly read through all of its contents and determine if there are any email addresses on that web page. If there are, they’re stored away into a database. And because these programs are only requesting data (not displaying it), they can go through a ton of web pages quickly.

So what kind of web pages do they crawl? Forums are a popular target. User profiles on forums often have user email addresses out on plain display. These web bots can crawl through the entire members list of a forum and pull out tons of email addresses there.

Another popular target is social networking websites. Visit the profile of one of your friends on Facebook and chances are you’ll see their email address. If you can see it, it’s likely that a bot can see it, and if a bot can see it, that email address will be stored away for spam.

Method #5: Obtaining Email Databases

how spammers find email addresses

Lastly, sometimes all a spammer has to do is offer up some cash and they’ll land themselves a hefty list of valid email addresses. That’s right: some companies will sell their database of email addresses in exchange for a lot of money.

Any time you register on a website or sign up for a newsletter, your email address gets inputted into a server-side database. This could be for anything–online games, forum accounts, social networking services, news outlets, blogs, what have you. Whenever you enter your email address into an online form, the risk is there.

“But what about privacy policies?” you might ask. Well, not every company practices honesty and integrity. Sometimes a company will build up a large pile of email addresses then give their own privacy policy the middle finger. Most of the time, however, email address leaks are usually performed by a single rogue employee who has high-level access.

More rarely, spammers will hack into company databases and steal their email addresses without their knowledge.

Now that you know about the various ways in which spammers can obtain your email address, it’s your responsibility to be more protective over your information. Like with any piece of personal data–credit card numbers, social security numbers, home addresses and phone numbers–be diligent in keeping it off the Internet.

Image Credits: No Spam Via Shutterstock, Newsletter Via Shutterstock, Handshake Via Shutterstock

Related topics: Email Tips, Spam.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Ricky White
    December 17, 2018 at 5:12 pm

    I recently was spammed on the side of a webpage by They offered to help find people. Truth gave me info to find my long lost brother. They gave me his full name,age,address. He has no job,phone,internet,electricity,running water. Been living in a old van for 23 years. He is on somebody else’s land. If truthfinder found him nobody’s info is safe.

  2. email database
    December 4, 2016 at 9:04 am

    Hello! Thank you so much for this list, it's really helpful.

  3. Anonymous
    January 6, 2013 at 6:40 am

    Webscraping, collecting, data mining, tracking, monitoring vistors data for selling became more profitable than advertising and spamming.
    So spammers switched to providing free antispam plugins to their spying servers
    "New Trends in Spamming: Spam Fused into Antispam Protection with Spamming Visitors Instead of Web Sites"

    • Joel Lee
      January 9, 2013 at 5:06 am

      Huh, that's a pretty interesting concept... thanks for sharing!

  4. Christopher Webb
    November 15, 2012 at 9:33 am

    It's better to get a good spam filter than to worry about all the ways they get your email. Also if you get an email from Prince in Nigeria, you probably aren't going to get 100 million dollars.

  5. Catalin
    November 6, 2012 at 4:52 am

    Here are some other creative ways:

    1 (not used anymore but worth mentioning it) - Create a Facebook app/game where you ask users to give you the email address for some reason (you are taking care of a virtual pet and we need to notify you when he's hungry etc.)

    2 Create a Facebook event where you say you want to give 1000 free iPhones and 1000 iPads because "insert whatever reason gets people to believe this". Apart from joining the event you obviously have to send an e-mail in order to participate. I've seen 1,5 million people joining this type of scam.

    3 Create a series of ebooks/pdf (copy the content from different sources and then just put it together and wrap it up as a pdf) on various topics. Create a one-page website for each pdf. Offer free downloads - by just completing a form with your e-mail address. Now you have targeted e-mailing lists. Less e-mail addresses but higher list value.

    4 Based on the method above. Create an advertising services website. You already have targeted mailing lists (and create some now ones). Now all you have to do is find and charge companies some nice prices for "advertising to the right people".
    But make sure there is no connection between this website and the one-page ones. Bad for business. :)

    5 Make a website with all sorts of personality tests. Ask for an email address at the end of test so that people can receive their results. Put some non obtrusive advertising just to spice things up - an extra buck doesn't kill you.

    6 Maybe you have friends working with a CRM (client resource manager) at a company or they are in charge of the newsletter campaigns. Tell them to collect email addresses and give them to you.

    These are some creative ways I've seen over the last few years. And i present them here only as information. While information can be used for both good and bad, i hope you use it only for your knowledge.

  6. Movva Deepak
    November 5, 2012 at 7:08 am

    learned a lot...

  7. Yiz Borol
    November 4, 2012 at 12:00 am

    Very informative article

  8. Cambry
    November 3, 2012 at 8:00 pm

    Question: Are sent or forwarded emails with all recipients showing exposing those email addresses to interception by spammers, or are they simply breaking the etiquette rules of not giving everyone everyone else's email addresses?

    • Joel Lee
      November 5, 2012 at 6:42 pm

      I think exposing email addresses in a CC field are more about etiquette than safety. Spammers don't really intercept emails; if anything, they'll access your address book and use that to add to their emails database. The choice between CC and BCC is more about privacy, as far as I know.

  9. Anonymous
    November 3, 2012 at 6:42 pm

    That says we just cant get out of spam mails, just may reduce. All these Methods are needed some or the other time. Who knows, MUO could sell my email :-)

  10. josemon maliakal
    November 3, 2012 at 3:56 pm

    That is the most disgusting part about e-mail..nice one ..I have seen that, many people use their email passwords itself to subscribe for many websites..that can be very dangerous

    • Lisa Santika Onggrid
      November 3, 2012 at 4:51 pm

      Yes, you're right. Trading off convenience to security will eventually lead you to something bad. It's better to use Mailinator for such purposes.

  11. Ritwick Saikia
    November 3, 2012 at 2:53 pm

    Hackers gonna hack and spammers gonna spam. Harsh reality of life on the internet. Bayesian filters are of some help though.

  12. chathu
    November 3, 2012 at 2:34 pm

    You mention under "Method #4: Web Crawler Bots" these bots can harvest email address on "Facebook" and various online forums. They can collect email address, if they publically share? If we make display only friends (limit the email address visibility) these bots can't collect them? Am i correct?

    Thanks for this useful information.

    • Joel Lee
      November 3, 2012 at 2:58 pm

      As far as I know, a bot cannot pick up on pages that are not publicly available. However, that may or may not change in the future, so the absolute best bet would be to keep all (or as much as you can) of your private info off the Internet.

      • Lisa Santika Onggrid
        November 3, 2012 at 4:50 pm

        How about this? Do not post your email address in public forum. If you really must tell your address, do it via private/direct message to another member. At least it's not outright exposed.

  13. Led Cara
    November 3, 2012 at 10:58 am

    May I ask, why do spammers need to spam?

    • Mike Merritt
      November 3, 2012 at 2:17 pm

      Spammers send out emails in order to advertise/sell their products - like "viagra", etc. to a large number of people. They also make cash money by selling their bulk email services to others who want to sell their own products. ... sometimes legit products; mostly not.

    • Joel Lee
      November 3, 2012 at 2:56 pm

      Because people fall for it. ;)

    • Lisa Santika Onggrid
      November 3, 2012 at 4:48 pm

      1. They're bored. Similar reason to cracking for fun.
      2. It's profitable. Surprisingly large amount of people are falling to scam every year. If you're an experienced user you might be able to tell right away which message is spam and which is not, but some 'innocent' people dangerously believe in everything they stumble on net.

  14. VS Vishnu
    November 3, 2012 at 9:35 am

    hope johnsmith1/2/3@gmail are not reading this... ;-)

    • Ritwick Saikia
      November 3, 2012 at 2:55 pm

      Good one Vishnu

  15. Mac Witty
    November 3, 2012 at 7:46 am

    I also think the organized form of taking over hotmail/yahoo/facebook accounts collect addresses in the contact lists and inbox either for their own use or for selling them

  16. Achraf Almouloudi
    November 3, 2012 at 1:28 am

    New Web services and modern websites who use Cloudflare or just a separate framework have the ability to scramble the email address to some random characters if the bot is viewing and showing in plain text if the browser is viewing, by having the browser do a little decoding operation using Javascript to output the actual email address in plain text. Forums still don't use this feature but Facebook, Twitter and most modern Web services do. In Facebook particularly, it is very less likely for a bot or stranger to catch your email as most people only show it to the friends and not publi that's why Facebook is NOT targeted by Email collecting bots .

  17. Boni Oloff
    November 2, 2012 at 11:48 pm

    Where spammer get the email database from?

    • Joel Lee
      November 2, 2012 at 11:54 pm

      Did you skip over point #5?

      • Boni Oloff
        November 3, 2012 at 12:03 am

        Opps sorry, i mean hacker.. :)
        Because i have email database that i got from some forum.
        I just wondering how they got 3000 working email and share it?
        I think it is not profitable.
        p.s I am not spammer :)

        • Joel Lee
          November 3, 2012 at 12:06 am

          Hackers can obtain large email databases from a lot of places. A forum would be one such place. Another example is a company's database for newsletter or listserv registrants. If you're a spammer for a pharmaceutical product, then you might hack into a drug company's newsletter. Stuff like that.

        • Achraf Almouloudi
          November 3, 2012 at 1:22 am

          Hackers and spammers also usually make cheap dirty web and hacking (fake page) services where the user actually signup for the service, but in the background they collect all the email addresses and use them for spam .

        • Lisa Santika Onggrid
          November 3, 2012 at 4:46 pm

          In addition to Achraf's method, they can also use easier method: Google's advance search. By limiting the search to the target website and using the right query, they can easily harvest every email address ever posted to that site.

        • Chaos Emperor
          November 6, 2012 at 6:46 am

          what about fb?how did the hacker know my email?i've been hacked once