Spammers usually get addresses by “harvesting” them from web sites, including forums and discussion boards, blogs, or your own site. If you can find your address in a search engine, so can a spammer.
So obviously, the first tip is to keep your address off the web. But even if you’ve been careful never to put your address on any public site or web page, and even if your computer has never been compromised, you will likely still get spam! There are three main ways this happens:
- Your address was included in a “CC” that was sent to a lot of people — including a spammer. Have you noticed that when friends send you a joke or a link to a fun video, they put everyone’s name in the To: or CC: (“Courtesy Copy”) line? You can see those names and addresses. If that message ever gets forwarded to a spammer (believe it or not, they have friends too), the spammer can see those names and addresses too, and is likely to add them to a list of addresses to spam. That’s what BCC: is for: the “Blind” Courtesy Copy, where “blind” means your name and address aren’t shown to others.
- Your address used to belong to someone else. This often happens with a webmail account on a popular service such as Hotmail or Yahoo mail. You may have felt lucky to get a great username there — how could no one have already taken such a great name?! They did, long ago. Then they abandoned it because of all the spam they were getting. Guess what? The spam never stopped! Now you are getting it.
- A “dictionary” attack. Spammers will connect to a server and ask to deliver mail to mailbox “A”. If the server says OK, that address goes on their list. They then proceed to “AA”, or “B”, or any word or combination of letters that’s in their “dictionary” — and it’s all automated. Even though the address has never been listed anywhere and isn’t on any web sites, suddenly that address is getting spam. And it doesn’t just happen at big, well-known sites, like Hotmail. Even tiny personal sites have been subjected to such attacks. Of course, common user names (bob@, sales@, admin@, jerry@, marlene@, etc.) are easy guesses. Any that work will get spam.
So the next tip is to keep your address “non-obvious” — simple dictionary words or names (like Bob@) will almost certainly get spammed, even if you never give the address out to anyone.
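Seen from the mail server's side, the dictionary attack described above leaves a recognizable trail: one client asks about many recipients and most of them are rejected. The following is an added example, not part of the original article; it assumes a simplified, constructed log format, and the function name and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, made-up format (not a real mail server's):
#   <time> client=<ip> rcpt=<address> result=<SMTP reply code>
# 250 = server accepted the recipient, 550 = no such mailbox.
SAMPLE_LOG = """\
10:00:01 client=198.51.100.7 rcpt=a@example.org result=550
10:00:01 client=198.51.100.7 rcpt=aa@example.org result=550
10:00:02 client=198.51.100.7 rcpt=b@example.org result=550
10:00:02 client=198.51.100.7 rcpt=bob@example.org result=250
10:00:03 client=198.51.100.7 rcpt=sales@example.org result=250
10:00:03 client=198.51.100.7 rcpt=admin@example.org result=550
10:00:04 client=198.51.100.7 rcpt=jerry@example.org result=550
10:00:04 client=198.51.100.7 rcpt=marlene@example.org result=550
10:05:10 client=203.0.113.20 rcpt=bob@example.org result=250
10:05:40 client=203.0.113.20 rcpt=bbo@example.org result=550
10:07:00 client=192.0.2.33 rcpt=sales@example.org result=250
"""

LINE_RE = re.compile(r"client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) result=(?P<code>\d{3})")

def find_harvesters(log_text, min_attempts=5, min_reject_ratio=0.6):
    """Return {client_ip: stats} for clients that probe many recipients and
    get mostly 'no such mailbox' answers. stats['confirmed'] lists the
    addresses the server said OK to, i.e. the ones now likely to get spam."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "confirmed": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not recipient checks
        s = stats[m["ip"]]
        s["attempts"] += 1
        if m["code"].startswith("5"):
            s["rejected"] += 1
        elif m["code"].startswith("2"):
            s["confirmed"].append(m["rcpt"].lower())
    return {
        ip: s for ip, s in stats.items()
        if s["attempts"] >= min_attempts
        and s["rejected"] / s["attempts"] >= min_reject_ratio
    }

if __name__ == "__main__":
    for ip, s in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {s['rejected']}/{s['attempts']} rejected; "
              f"confirmed to sender: {', '.join(s['confirmed'])}")
```

A sender who mistypes one address stays under the thresholds, while the guessing client is flagged together with the addresses it managed to confirm.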
Other sources for addresses include open e-mail discussion lists and, ironically, web pages that say “put your address here if you want to be on a ‘do not mail’ list”; often, these lists are sold to the very advertisers you want to avoid!