
How spammers harvest email addresses — and what you can do about it

If you are in any area of the IT or dev business like I am, then all of the following are probably true:

  • You send and receive lots of emails each day.
  • You’ve subscribed to many useful and informative tech sites using your email address.
  • You post to several online lists and message boards that focus on your area of tech expertise.
  • You get tons of spam in your inbox each day, most but not all of which ends up in your junk mail folder.

Sound very familiar? I know lots of people working in our profession and I’m sure if I asked them they would virtually all concur with what I’ve described above.

It’s probably made you so frustrated at times that you’ve thought of changing your email address. I know I’ve had that thought many times, but the reality, unfortunately, is that changing your email address is not a simple thing to do.

Still, the idea of changing my primary work email address from info ( ) mtit dot com to sounds appealing to me. Then, by being diligent about who I send emails to and which sites, lists, and boards I subscribe to using my email address, perhaps I could keep my work email address from leaking out into the wild and getting spammed out of my mind as a consequence. For example, I could start obfuscating my work email address as I did above in the first sentence of this paragraph. That would help keep my email address from being easily harvested, right?

Not at all. Obfuscating publicly visible email addresses like this poses absolutely no barrier for the determined spammer. And spammers are a very determined bunch indeed. It’s easy for them to write a script that will scrape websites and message boards for obfuscated email addresses and then automatically de-obfuscate them and populate them into their databases. And website/message board scraping is only one of numerous methods spammers use to collect the email addresses of individuals, businesses, and organizations so they can keep the tide rising in our precious inboxes.

How spammers harvest email addresses


What are some of the other ways that spammers can get hold of your email address? They can subscribe to every mailing list and message board under the sun. They can query insecure LDAP servers and mail servers. They can get their hands on the email directory of the company you work at using various means ranging from injecting malware to social engineering.

They can even use a company directory of names only (no email addresses) and algorithmically generate probable email addresses for individuals who work for the company. For example:


and so on. One of these email addresses is likely to work, and if not there are dozens more possible in a corporate world where most businesses autogenerate standardized email addresses for their workers.

They can even take a list of the 1,000 most common first and last names in the state or country where the company resides and use it to generate a million possible email addresses of the form Then they might send a spear-phishing email to these million addresses and get 999,976 bounces but 24 hits. And who knows? One of those employees who received the email may carelessly open the attached file or click on the embedded link and — well, you know the rest of the story.
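Seen from the receiving mail server, a guessing run like the one described above is a burst of rejections for many different nonexistent recipients from the same client. The following is an added example, not code from the original article, that flags such clients; the log lines are constructed in the style of Postfix smtpd reject entries, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches a Postfix-style "unknown recipient" rejection and captures the
# client IP and the recipient address that was probed.
REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address rejected"
)

def harvest_suspects(lines, min_distinct=4):
    """Return {client_ip: sorted unknown recipients} for clients that were
    rejected for at least min_distinct *different* nonexistent recipients.
    Retries of one mistyped address count once, so they are not flagged."""
    probed = defaultdict(set)
    for line in lines:
        m = REJECT.search(line)
        if m:
            probed[m["ip"]].add(m["rcpt"].lower())
    return {ip: sorted(r) for ip, r in probed.items() if len(r) >= min_distinct}

# Constructed sample data (not real traffic): one client guessing name
# patterns, one legitimate sender retrying a single mistyped address.
_TEMPLATE = (
    "Jun 10 10:00:{sec:02d} mx1 postfix/smtpd[2101]: NOQUEUE: reject: "
    "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
    "User unknown in local recipient table; from=<news@sender.example> "
    "to=<{rcpt}> proto=ESMTP helo=<sender.example>"
)
_EVENTS = [
    ("203.0.113.7", "john.smith@example.com"),
    ("203.0.113.7", "jsmith@example.com"),
    ("198.51.100.20", "acounts@example.com"),
    ("203.0.113.7", "smithj@example.com"),
    ("198.51.100.20", "acounts@example.com"),
    ("203.0.113.7", "j.smith@example.com"),
    ("198.51.100.20", "acounts@example.com"),
]
SAMPLE_LOG = [
    _TEMPLATE.format(sec=i, ip=ip, rcpt=rcpt) for i, (ip, rcpt) in enumerate(_EVENTS)
]
# A non-reject line the parser must ignore.
SAMPLE_LOG.append("Jun 10 10:00:09 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.7]")

if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients -> {rcpts}")
```

Clients reported this way are candidates for rate limiting or blocking at the mail gateway; the threshold should be tuned against the server's normal volume of mistyped recipients.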

But there are other, easier ways that spammers can get hold of people’s email addresses. There’s the Dark Web, for example, the secret online marketplace where you can buy not just malware but also email addresses in bulk. There are also ways, often illegal but sometimes legitimate, of purchasing email addresses in bulk from domain registrars, Internet service providers, web hosting companies, and so on.

And then there are the hundreds of millions of insecure PCs still present on the Internet, most of which have probably already been compromised by attackers, giving them unfettered access to the address books of email client software running on those computers.

In short, even if you create a brand-new very complex email address and use it to send email to only one other person or business or message board, you’re still likely to soon see spam piling up in the junk mail folder associated with that address.

What can you do about it

So what can you do about the problem of spam? It all depends on how you phrase the question.

For example, if you ask me “How can I prevent my fresh new virgin email address from getting harvested by spammers?” then my answer is simply, “Not a single darn thing.” There’s absolutely nothing you can do to prevent your email address from getting harvested, provided you use it. The only way your virgin email can remain pure is total abstinence — not using it at all.

“Is there anything I can do then to prevent the flood of spam entering my inbox?” Yes, there is, provided you ask the right question. Because instead of asking how to prevent spam, you can ask how you can control spam. In other words, your war against spam shouldn’t be conducted by trying to remain below the radar but by building up your defenses. By utilizing native and third-party anti-spam defenses on your organization’s routers and perimeter firewalls, you can trap most of the incoming spam and prevent your business and financial assets from becoming compromised. If you run your own mail servers, you can install and configure appropriate spam filters on them as well. If you use a mail hosting provider, you can ask them to turn up the dial on their spam-catching algorithm or configure it yourself from your company’s admin control panel. And for the small but inevitable percentage of spam that does make it past the filters at the boundary between your network and the hostile real world out there, make sure you educate your users on how to identify possible phishing emails and what they should do when they identify them.


Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
