
How Did They Get My Address!

Ever wonder how spammers get your email address? In this article we'll review the top 10 common activities that can land you on a spammer's list.

We've ranked each activity with a 1 to 5 risk level. 1 is relatively safe. 5 is almost a guaranteed way to get spam.

By avoiding these behaviors or following our tips to reduce your risk, you're well on your way to reducing your spam.

Posting to Usenet - Risk Level 5

Spammers use automated tools to scan virtually every post made to Usenet. Some tools only look at the headers of the message to capture From: and Reply-To: addresses, while others will scan the entire message for anything that looks like an address.

If you post to Usenet you can expect to begin receiving spam in a matter of days or weeks.

Solutions:

1. Don't post

The most effective remedy is not to post at all. Find a mailing list or private bulletin board that covers the same topic and ask your question there.

2. "Munge" your address

Many regular posters to Usenet and related forums have started to modify or "munge" their email addresses to thwart spammers. For example, they may convert "johnsmith@example.com" into "john_nospam_smith@example.com". The assumption is that humans are smart enough to remove the "_nospam_" but automated address scanners aren't.

Unfortunately, recent evidence suggests that spammers are starting to detect and clean some of the more common munging techniques.

3. Use a sacrificial address

If you have multiple email accounts, or you have access to a domain VPO, you may want to set aside an email address to use for high-risk behavior like Usenet posting. You'll still get spam of course, but having it all in one place may make it easier to manage.

Signing up for Online Contests - Risk Level 5

Why is a company giving away a free car, cash prizes, free software, etc.? To get your email address, of course.

Lotteries, casinos, sweepstakes, and any other "something for nothing" offers are all prime address harvesting tools.

Solutions:

1. Don't sign up

Just stay away from anything that looks too good to be true. There's no free lunch and that goes double online.

Participating in Chat Rooms, IRC and Instant Messaging - Risk Level 4

Many IRC and instant messaging clients will provide your email address to anyone who asks. Similarly many chat rooms, including AOL's, will make lists of usernames available.

These addresses are popular with spammers because they're "fresh" and have a good chance of still being valid.

Solutions:

1. Check your settings

Many chat programs and services offer settings that limit the amount of information that you broadcast to the group. Look for settings that hide screen names and email addresses.

Registering a Domain Name - Risk Level 4

If you ever register a domain name then your email address is available to anyone who wants it.

Each domain is required to have an administrative, technical, and billing contact. These contact addresses are published via the "whois" system to allow network administrators to track down the owners of a domain.

Unfortunately this also allows anyone who knows your domain name to look up your email address.

Solutions:

1. Use a dedicated address

Every time you register a domain use the same address. "hostmaster" is a common choice. This will at least keep spam out of your personal account.

Make sure that the address you use is valid. If you can't send and receive mail at that address you may have problems managing your domain.

Replying to Spam or Chain Letters - Risk Level 4

Spammers will often use social engineering to get you to send them your address.

A good example is the "Free CDs" chain letter that circulated a year or so ago. The sender claimed that Amazon.com and Music Blvd would send free CDs to everyone who forwarded the chain letter. The stipulation was that you had to CC the original sender.

Of course the sender was just a spammer collecting email addresses.

Solutions:

1. Don't reply to spam

You should almost never reply to a spam message. Not even to ask to be removed from their list. Any reply will confirm your address as being legitimate and therefore a good target for further spam.

2. Don't forward chain letters

Chain letters range from harmless but annoying junk mail to dangerous scams. Don't inflict them on your friends.

Choosing a Common Email Address - Risk Level 4

Spammers will often use a technique called "guess and clean" to build up large lists of addresses. First they will generate a large list of common usernames like "bill," "sandra_smith," or "sales". They will then send spam to all of these usernames at a given domain name. Any recipients that aren't bounced by the mail server as being invalid are kept on the list for future spam campaigns.

Solutions:

1. Don't choose a common address

Any address that includes a common first or last name is likely to be guessed. You'll have to weigh the benefits of an easy-to-remember address vs. one that's hard to guess.
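From the mail server's side, a "guess and clean" run shows up as one client being refused for many different nonexistent usernames. The sketch below is an added example, not part of the original article: it assumes the server rejects unknown recipients with a 550 5.1.1 reply and logs them in a Postfix-style format, and the sample log lines, the `find_guessers` name and the threshold of 4 are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: (client IP, guessed username) pairs rendered into
# log lines modelled on Postfix smtpd "reject: RCPT" entries.
_LINE = ("Mar 03 10:00:{s:02d} mx postfix/smtpd[811]: NOQUEUE: reject: "
         "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
         "rejected: User unknown in local recipient table; to=<{rcpt}>")
_EVENTS = [
    ("203.0.113.7", "bill"), ("203.0.113.7", "sandra_smith"),
    ("203.0.113.7", "sales"), ("203.0.113.7", "info"),
    ("203.0.113.7", "bill"),         # repeat guess, counted once
    ("198.51.100.20", "jon.doe"),    # a single typo from a normal sender
    ("203.0.113.7", "webmaster"),
]
SAMPLE_LOG = "\n".join(
    [_LINE.format(s=i, ip=ip, rcpt=f"{user}@example.com")
     for i, (ip, user) in enumerate(_EVENTS)]
    + ["Mar 03 10:00:59 mx postfix/smtpd[811]: connect from unknown[203.0.113.7]"]
)

# Matches only "user unknown" rejections and captures client IP and recipient.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>"
)

def find_guessers(log_text, threshold=4):
    """Return {client_ip: sorted rejected recipients} for every client that
    tried at least `threshold` distinct nonexistent recipients."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            misses[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in misses.items() if len(r) >= threshold}

if __name__ == "__main__":
    for ip, guessed in find_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {len(guessed)} unknown recipients tried: {guessed}")
```

Clients flagged this way are candidates for rate limiting or blocking at the mail server, which cuts the "clean" step short before the guesser learns which addresses are valid.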

Publishing a Web Page - Risk Level 3

Specialized web robots are constantly searching for new web pages that contain email addresses. If your email address is listed on a web page it will be picked up eventually.

Some of these robots look for any available address while others search for particular types of pages. This is why you may get spam with customized subjects like "I saw your resume online" and a link to your home page.

Solutions:

1. Limit how many pages contain your address

Think twice before using your private email address on a web page. Does it really need to be there? Using role-based addresses like "webmaster@<yourdomain>" may be a better bet.

2. Install poison scripts

Poison scripts generate an infinite number of web pages filled with fake email addresses. Sending spam to these fake addresses wastes a spammer's resources. The scripts may or may not help your spam problem, but they make scanning web pages less attractive to spammers.

There are a number of poison scripts available, but WPoison seems to be one of the most popular.

Getting Listed in an Online Directory - Risk Level 2

Many companies publish their employees' email addresses and other contact information in an online directory. There are also large public directories like bigfoot.com that try to list the general public.

While most of these directories make an attempt to keep spammers out, they are still an attractive target.

Solutions:

1. Don't get listed

Don't join any directories and ask your employer to keep your email address private.

Joining a Mailing List - Risk Level 1

At one time many mailing list programs would provide a list of subscribers to anyone who asked. In recent years most reputable mailing list administrators have tightened their security to restrict access to subscriber addresses.

As a result, subscribing to a mailing list is now a fairly low-risk activity.

However, you should always make sure you trust the owners of the list. Even if the software is configured correctly, the owners themselves could sell your address.

Browsing the Web - Risk Level 1

If your web browser isn't correctly configured, it may be possible to end up on a spammer's list just by browsing the web.

Older browser versions could often be tricked into giving out your address by web pages that served an image via anonymous FTP. The browser would log into the FTP server using your email address as a password.

Other tricks included using JavaScript to silently send email from your browser to the spammer.

Solutions:

1. Upgrade your browser

Most current browsers have much better privacy and security than their predecessors.

2. See what your browser is saying about you

Your web browser may be sending out more than you think. You can run the free privacy scanner set up by PestPatrol.com to find out exactly how much information your browser is leaking.

Unfortunately, spammers are always on the lookout for new ways to get your address, so you'll probably end up on a spammer's list eventually even if you avoid high-risk behavior. However, by being careful you can limit your exposure.

If you do begin to get spam, the best action you can take is to block it. Filter services like MailArmory can make sure that even if spammers get your address they won't get to you.