How Spammers Get Your EMail ID And What You Can Do If Spammed
Mail Spam
Every day we get spam mails from unknown persons. Sometimes we delete them without reading, and at best we report these messages as spam to the respective email providers. Have you ever wondered from where these people get your mail ids? How do they manage to harvest our email ids?
Well, there are innumerable ways to get the addresses. I will try to outline a few of them below.
1. Mailing Lists
There are a lot of websites that sell email ids that are harvested using many of the methods detailed below. There are companies who get the email addresses legitimately and sells the list for some extra income. An example would be a magazine that asks subscribers for their email in order to keep in touch and send updates. These email addresses may include the ones that a company receives through other means as well. For example, people who just emailed the company with any inquiries or complaints.
Spammers regularly try to get the lists of subscribers to mailing lists, knowing that the email addresses will be live and that only a few of the addresses are likely to be invalid. Some mail servers will even provide these ids upon request. When mail servers refuse such requests,spammers useanother trick to get the lists. They will send an email to the mailing list with the headers Return-Receipt-To: or X-Confirm-Reading-To: Those headers would cause some mail transfer agents and programs to send back emails saying that it was delivered or read at a given email address, disclosing it to spammers. Another technique used by spammers is to request mailing list servers to send back a list of all mailing lists they carry. This is an option implemented by some mailing list servers for the convenience of legitimate users. They then send the spam to the mailing list's address, leaving the server to do the hard work of forwarding a copy to each subscribed email address.
Some sites request various details for their guest books and registration forms. Spammers can get email addresses from those either because the forms are available on the net, or because the site sells or gives the email list to others. Some companies would sell or give email lists on paper forms. For instance, event organizers make lists of participants' email addresses then sell the lists once the event is over. Some spammers actually type email addresses from professional directories and other printed materials available. Domain name registration forms are another favorite source of the spamers. Addresses are most usually correct and updated, and people actually open the emails sent to them expecting important messages.
2. Web Pages
Spammers use software programs that spider through web pages, looking for email addresses, for example, email addresses contained in mailto: HTML tags that you can click on and get a mail window opened.
3. Previous Owner Of The Email Address
People sometimes dispose their email address after using it for some time for a variety of reasons. This might happen with dialup usernames at an Internet Service Provider. Someone signs up for an ISP, has his or her email address harvested by spammers, then cancels their account. When someone else signs up with the same ISP with the same username, spammers already know of it. Similar things can happen with AOL screen names - somebody uses a screen name, gets tired of it and cancels it. Later on someone else might take the same screen name. Sometimes email accounts are created for some specific purpose and later discarded.
4. Yahoo People Search
Yahoo people search will show results with email addresses which can later be extracted using email extractor softwares easily.
Spam Kings
5. Hacking
Sites that supply free email addresses are sometimes hacked in order to get the list of email addresses, similar to e-commerce sites being hacked to get a list of credit cards.
6. Accessing Same Computer
If a spammer access a computer, they can get a list of valid usernames and email addresses from that computer.
7. Address Book And Emails On Computers
Some viruses and worms spread by emailing themselves to all the email addresses they can find in the address book present in the computer they infect. Some people forward jokes or anything that they find interesting by email to their friends, putting their friends' email addresses on either the To: or CC: fields, rather than the BCC: field. These worms and viruses scan the mail folders too for email addresses that are not in the address book. Such viruses, malwares and spywares will not only spam copies of itself, but also send the extracted list of email addresses to it's creator.
8. Guessing
Spammers sometimes guess email addresses and send a test message to those ids. Then they wait for either a confirmation or an error message to return by email, indicating the status of the ids. A confirmation could be obtained by inserting mail headers requesting the delivery system or mail client to send a confirmation of delivery or reading. Another method of confirming valid email addresses is sending HTML in the email's body, and embedding an image. Mail clients like Outlook and Eudora decode the HTML by trying to fetch the image. Some spammers put the recipient's email address in the image's URL, and check the web server's log for the email addresses of recipients who viewed the spam. So it's good advice to set the mail client to *not* preview rich media emails, which would protect the recipient from both accidentally confirming their email addresses to spammers and viruses. Guessing could be done based on the fact that email addresses are based on people's names.
9. Web Browsers
Some sites use various tricks to extract a surfer's email address from the web browser, sometimes without the surfer noticing it. Those techniques include :
(a) Making the browser fetch one of the page's images through an anonymous FTP connection to the site. Some browsers would give the email address the user has configured into the browser as the password for the anonymous FTP account. A surfer not aware of this technique will not notice that the email address has leaked.
(b) Using JavaScript to make the browser send an email to a chosen email address with the email address configured into the browser. Some browsers would allow email to be sent when the mouse passes over some part of a page. Unless the browser is properly configured, no warning will be issued.
(c) Using the HTTP_FROM header that browsers send to the server. Some browsers pass a header with your email address to every web server you visit. When somebody reads email in a browser they should be aware of active contents like Java applets, Javascript, VB, etc and web bugs. An email containing HTML may include a script that when opened automatically sends email to any email address. Melissa virus is a good example of this. Scripts like this could send the spammer all the addresses on the reader's address book.
10. AOL Profiles
AOL being the choice service provider of new users, who might not know how to recognize scams or know how to handle spam. Spammers use these profiles to harvest email addresses.
11. Internet Relay Chat and Other Chat Rooms
Some IRC clients will give a user's email address to anyone who requests it. Many spammers harvest these live email addresses from IRC, and send spam to those ids.
12. Social Engineering
Spammers sometimes use a hoax to lure people into giving them valid email addresses.
Richard's "Free CD's" chain letter will be a good example of this method. The letter promises a free CD for every person to whom the letter is forwarded to as long as it is sent to Richard too.
[Hi. My name is Richard. I am the president of the Cyber Promotions for Columbia House. We are in a fierce competition with companies such as Amazon.com and Music Blvd, among many others. Because of this, I have been authorized to offer 10+ free CD's of your choice to any person who participates in our promotion. All you have to do is send this message on to your friends! Yes, it is that simple. Now you are wondering how many CDs you get, and how to get them. It all depends on how many people you send this message to. You are required to send this email to the following address to receive your first 10 CDs : Cyberpromotions@n2music.com In addition, you get another CD for every person you forward this to. For example, if you send this to Cyber Promotions, along with 10 of your friends, you would receive a total of 20 CDs.]
All the author of the hoax wanted was to get people to mail valid email addresses to him so that he can build a list of addresses to spam or sell later.
14. Domain Contact Points
All domains have one to three contact points: administration, technical, and billing. The contact point includes the email address of the contact person. Since the contact points are freely available spammers harvest the email addresses from the contact points for lists of domains. This is a tempting method for spammers, as those email addresses are most usually valid and mail sent to it is read regularly.
15. White Pages And Yellow Pages
There are various sites that function as white pages, sometimes called people search sites. Yellow pages have an email directory on the web.Those white and yellow pages contain addresses from various sources. For example, HotMail will add email addresses to BigFoot by default, making new addresses available to the public.
16. Finger Daemons
Finger Deamon is a service that normally runs on port 79 and was originally intended as a digital businesscard for people.Some finger daemons are set to be very friendly. A finger query asking for joe@host will bring out a list info including login names for all people named Joe on that host. A query for @host will produce a list of all currently logged-on users. Spammers use this information to get extensive users list from hosts.
I am sure there will be many more ways by which spammers try to harvest your email addresses. If the readers could contribute to this list it will be very useful for all.
Some Legal Resources
Now lets have a look at what we can possibly do prevent it or things we can do if spammed.
As invisible email addresses can't be harvested, it will be a good idea to have the email addresesses of recipients of forwarded emails on BCC:. If forwarded from somebody else, remove all the email addresses inserted by the previous sender from the email's body.
If your email is harvested by somebody and you get spammed, the following links will help you to track the spammer down.
I hope this compilation of links and resources are useful to all.
