↩ Back to Blog

How Spammers Harvest Email Addresses – And What You Can Do About It

  • You send and receive lots of emails each day.
  • You’ve subscribed to many useful and informative tech sites using your email address.
  • You post to several online lists and message boards that focus on your area of tech expertise.
  • You get tons of spam in your inbox each day, most but not all of which ends up in your junk mail folder.

Sound very familiar?

It’s probably made you so frustrated at times that you’ve thought of changing your email address. I know I’ve had that thought many times, but the reality, unfortunately, is that changing your email address is not a simple thing to do.

Still, the idea of changing my primary work email address to sflj87welkjfs23bn@xyz.com sounds appealing to me. That would help keep my email address from being easily harvested, right?

Not at all. Obfuscating publicly visible email addresses like this poses absolutely no barrier for the determined spammer. And spammers are a very determined bunch indeed. It’s easy for them to write a script that will scrape websites and message boards for email addresses.  Website/message board scraping is only one of numerous methods spammers use to collect the email addresses of individuals, businesses, and organisations so they can keep the tide rising in our precious inboxes.

How spammers harvest email addresses

What are some of the other ways that spammers can get hold of your email address? They can subscribe to every mailing list and message board under the sun. They can query insecure mail servers. They can get their hands on the email directory of the company you work at using various means ranging from injecting malware to social engineering.

  • mitch.tulloch@contoso.com
  • m.tulloch@contoso.com
  • mitch.t@contoso.com
  • tulloch.m@contoso.com

and so on. One of these email addresses is likely to work, and if not there are dozens more possible in a corporate world where most businesses auto-generate standardised email addresses for their workers.

They can even take a list of the 1,000 most common first and last names in the state or country where the company resides and use it to generate a million possible email addresses of the form firstname.lastname@contoso.com. Then they might send a spear-phishing email to these million addresses and get 999,976 bounces but 24 hits. And who knows? One of those employees who received the email may carelessly open the attached file or click on the embedded link and — well, you know the rest of the story.

But there are other, easier ways that spammers can get hold of people’s email addresses. There’s the Dark Web, for example, the secret online marketplace where you can buy not just malware but also email addresses in bulk. There are also ways, often illegal but sometimes legitimate, of purchasing email addresses in bulk from domain registrars, Internet service providers, web hosting companies, and so on.

And then there are the hundreds of millions of insecure PCs still present on the Internet, most of which have probably already been compromised by attackers, giving them unfettered access to the address books of email client software running on those computers.

In short, even if you create a brand-new very complex email address and use it to send email to only one other person or business or message board, you’re still likely to soon see spam piling up in the junk mail folder associated with that address.

What can you do about it


So what can you do about the problem of spam? It all depends on how you phrase the question.

“Is there anything I can do then to prevent the flood of spam entering my inbox?” Yes, there is, provided you ask the right question. Because instead of asking how to prevent spam you can ask how you can control spam. In other words, your war against spam shouldn’t be conducted by trying to remain below the radar but by building up your defences. By utilising native and third-party anti-spam defences on your organisation’s routers and perimeter firewalls you can trap most of the incoming spam and prevent your business and financial assets from becoming compromised. If you run your own mail servers you can install and configure appropriate spam filters on them as well. If you use a mail hosting provider you can ask them to turn up the dial on their spam catching algorithm or configure it yourself from your company’s admin control panel. And for the small but inevitable percentage of spam that does make it past the filters at the boundary of your network and the hostile real world out there, make sure you educate your users how to identify possible phishing emails and what they should do when they identify them.

There is a lot of information above, which may help, but if you would like to discuss it further please contact us.

Source: TechGenix