
How spammers harvest email addresses — and what you can do about it

If you are in any area of the IT or dev business like I am, then all of the following are probably true:

  • You send and receive lots of emails each day.
  • You’ve subscribed to many useful and informative tech sites using your email address.
  • You post to several online lists and message boards that focus on your area of tech expertise.
  • You get tons of spam in your inbox each day, most but not all of which ends up in your junk mail folder.

Sound very familiar? I know lots of people working in our profession and I’m sure if I asked them they would virtually all concur with what I’ve described above.

It’s probably made you so frustrated at times that you’ve thought of changing your email address. I know I’ve had that thought many times, but the reality, unfortunately, is that changing your email address is not a simple thing to do.

Still, the idea of changing my primary work email address from info ( ) mtit dot com to sflj87welkjfs23bn@mtit.com sounds appealing to me. Because then by diligently taking care who I send emails to and also what sites and lists and boards I subscribe to using my email address, perhaps I can avoid having my work email address leak out into the wild and get spammed out of my mind as a consequence. For example, I could start obfuscating my work email address as I did above in the first sentence of this paragraph. That would help keep my email address from being easily harvested, right?

Not at all. Obfuscating publicly visible email addresses like this poses absolutely no barrier for the determined spammer. And spammers are a very determined bunch indeed. It’s easy for them to write a script that will scrape websites and message boards for obfuscated email addresses and then automatically de-obfuscate them and populate them into their databases. And website/message board scraping is only one of numerous methods spammers use to collect the email addresses of individuals, businesses, and organizations so they can keep the tide rising in our precious inboxes.

How spammers harvest email addresses

What are some of the other ways that spammers can get hold of your email address? They can subscribe to every mailing list and message board under the sun. They can query insecure LDAP servers and mail servers. They can get their hands on the email directory of the company you work at using various means ranging from injecting malware to social engineering.

They can even use a company directory of names only (no email addresses) and algorithmically generate probable email addresses for individuals who work for the company. For example:

  • mitch.tulloch@contoso.com
  • m.tulloch@contoso.com
  • mitch.t@contoso.com
  • tulloch.m@contoso.com

and so on. One of these email addresses is likely to work, and if not there are dozens more possible in a corporate world where most businesses autogenerate standardized email addresses for their workers.

They can even take a list of the 1,000 most common first and last names in the state or country where the company resides and use it to generate a million possible email addresses of the form firstname.lastname@contoso.com. Then they might send a spear-phishing email to these million addresses and get 999,976 bounces but 24 hits. And who knows? One of those employees who received the email may carelessly open the attached file or click on the embedded link and — well, you know the rest of the story.
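Address guessing of this kind is visible from the receiving side, because almost every guess is rejected as an unknown recipient. The following added example (not part of the original article) flags clients that probe several different nonexistent mailboxes; the log lines are constructed in Postfix smtpd style, and the function name and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd style (not real traffic).
SAMPLE_LOG = """\
Jan 14 09:00:01 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <m.tulloch@contoso.com>: Recipient address rejected: User unknown in local recipient table
Jan 14 09:00:01 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <mitch.t@contoso.com>: Recipient address rejected: User unknown in local recipient table
Jan 14 09:00:02 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <tulloch.m@contoso.com>: Recipient address rejected: User unknown in local recipient table
Jan 14 09:00:02 mx1 postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <M.Tulloch@contoso.com>: Recipient address rejected: User unknown in local recipient table
Jan 14 09:03:10 mx1 postfix/smtpd[415]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 550 5.1.1 <mitch.tuloch@contoso.com>: Recipient address rejected: User unknown in local recipient table
Jan 14 09:04:44 mx1 postfix/smtpd[417]: connect from mail.example.net[198.51.100.20]
"""

# Matches an "unknown recipient" rejection and captures client IP and address.
REJECT = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>@]+@[^>]+)>"
)

def find_harvest_sources(log_text, min_distinct=3):
    """Return {client_ip: sorted unknown recipients} for clients that probed
    at least min_distinct different nonexistent mailboxes (assumed threshold)."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            # Fold case so M.Tulloch and m.tulloch count as one guess.
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in probes.items() if len(r) >= min_distinct}

if __name__ == "__main__":
    for ip, rcpts in find_harvest_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients: {', '.join(rcpts)}")
```

A single rejected address, such as the typo from 198.51.100.20 in the sample, stays below the threshold, while the client cycling through name permutations is reported and can be rate-limited or blocked.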

But there are other, easier ways that spammers can get hold of people’s email addresses. There’s the Dark Web, for example, the secret online marketplace where you can buy not just malware but also email addresses in bulk. There are also ways, often illegal but sometimes legitimate, of purchasing email addresses in bulk from domain registrars, Internet service providers, web hosting companies, and so on.

And then there are the hundreds of millions of insecure PCs still present on the Internet, most of which have probably already been compromised by attackers, giving them unfettered access to the address books of email client software running on those computers.

In short, even if you create a brand-new very complex email address and use it to send email to only one other person or business or message board, you’re still likely to soon see spam piling up in the junk mail folder associated with that address.

What can you do about it

So what can you do about the problem of spam? It all depends on how you phrase the question.

For example, if you ask me “How can I prevent my fresh new virgin email address from getting harvested by spammers?” then my answer is simply, “Not a single darn thing.” There’s absolutely nothing you can do to prevent your email address from getting harvested, provided you use it. The only way your virgin email can remain pure is total abstinence — not using it at all.

“Is there anything I can do then to prevent the flood of spam entering my inbox?” Yes, there is, provided you ask the right question. Because instead of asking how to prevent spam, you can ask how you can control spam. In other words, your war against spam shouldn’t be conducted by trying to remain below the radar but by building up your defenses. By utilizing native and third-party anti-spam defenses on your organization’s routers and perimeter firewalls, you can trap most of the incoming spam and prevent your business and financial assets from becoming compromised. If you run your own mail servers, you can install and configure appropriate spam filters on them as well. If you use a mail hosting provider, you can ask them to turn up the dial on their spam-catching algorithm or configure it yourself from your company’s admin control panel. And for the small but inevitable percentage of spam that does make it past the filters at the boundary between your network and the hostile real world out there, make sure you educate your users on how to identify possible phishing emails and what they should do when they identify them.

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
