SEARCH

How-To Geek

HTG Explains: How Do Spammers Get Your Email Address?

spam[3]

Spam seems to arrive in every single email account we use, no matter how careful we are. How are spammers getting all our email addresses? And can we do anything to hide our email address from spammers?

Unfortunately, there’s not a lot you can do to prevent spammers from bombarding you with emails. There are some tips that will help protect you, but spammers will probably find your email address eventually.

Leaked Account Databases

RELATED ARTICLE
How To Check If Your Account Passwords Have Been Leaked Online and Protect Yourself From Future Leaks
Security breaches and password leaks happen constantly on today’s Internet. LinkedIn, Yahoo, Last.fm, eHarmony – the list of compromised websites... [Read Article]

The easiest way for spammers to collect large lists of good, active email addresses is via leaked account databases. These password leaks happen with frightening regularity. Organizations as big as Adobe, LinkedIn, eHarmony, Gawker, Last.fm, Yahoo!, Snapchat and Sony have all been compromised in the past few years. These leaked databases are normally considered a security threat because they often show  account names and passwords. However, they generally show email addresses, too. Spammers can download these leaked databases and add the millions of email addresses to their email lists. Spammers know that the majority of these email addresses should be active, so these databases are excellent for them.

This is likely the way most spammers are currently finding email addresses to spam. There’s really not much you can do to protect yourself from a spammer getting your email address in this way.

A site like Have I been pwned? can tell you if your account information might have been leaked, but these sites won’t include every leak. You can protect yourself from password leaks by not re-using the same password everywhere, but you practically have to re-use the same email address everywhere.

check-for-leaked-account-passwords

Clicking Links or Loading Images in Spam Emails

If you do get spam emails, you should avoid clicking links in the email. If you see an “Unsubscribe” link in an email from a legitimate company, it’s probably safe to click it. A legitimate company doesn’t want to spam you and potentially run afoul of anti-spam laws, so they’ll just remove you from their list.

On the other hand, if you see an “Unsubscribe” link (or, worse yet, a “Buy Now!” link) in spam email that looks very unprofessional and scammy, the spammer won’t necessarily remove you from their lists. They’ll note your click and their systems will identify your email address as active. They know you’re there, and you may see larger amounts of spam after you click the link.

RELATED ARTICLE
HTG Explains: Learn How Websites Are Tracking You Online
Some forms of tracking are obvious – for example, websites know who you are if you’re logged in. But how... [Read Article]

The same goes for loading images in spam emails. Don’t click the “Load Images” button, or the spammers will know you’ve opened the email. Even if you don’t see an image in the email, there may be a tiny one-pixel tracking bug that allows the spammer to identify you if you load it. This is why most email clients don’t automatically load images.

spam-email-images-not-displayed

Scraping the Web For Plain-Text Addresses

Spammers have traditionally harvested email addresses by scraping the web — kind of like Google does — and look for email addresses mentioned on websites. For example, someone may post a comment like “Email me at jon@example.com”. The spammer would then add this address to their spam lists. This is why Craigslist provides a temporary email address where you can be reached rather than including your real email address. This technique is probably less common now that spammers have such large leaked account databases to feast on.

Spammers may also try to acquire valid email addresses by looking in other places they’re publicly available, such as whois records for a domain. These records display an email address associated with the person or organization who registered the domain name.

whois-records-for-google-with-email-addresses

Buying Lists of Email Addresses

Why do the work yourself when other spammers have already built up lists of email addresses for you? Unscrupulous people will sell lists of email addresses to spammers for a low price. These email addresses were often distributed on CDs in the past, and they may still be, but leaked account databases have probably taken some steam out of this marketplace. Spammers may also just trade their lists of email addresses with other spammers, ensuring more spammers will get their hands on your email address once one does.

Legitimate businesses won’t sell or buy lists of email addresses.

cd


Spammers can also get email addresses in other ways — for example, malware could harvest address book data and send it to spammers — but the above methods are some of the most common.

There’s not a lot you can do to avoid having your email address spammed. You can avoid putting your email address on the web in plain-text form and never click a link or load an image in a spam email. But your email address will still end up out there at some point — if only because you signed up to a popular website and their account database was compromised.

Thankfully, we have better spam filters these days. If you’re using an email service with a good spam filter, you shouldn’t need to care about spam beyond clicking the occasional “Report Spam” button when a spam email makes it to your inbox.

Image Credit: Arnold Gatilao on Flickr, John Liu on Flickr

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/24/14

Enter Your Email Here to Get Access for Free:

Go check your email!