
How spammers harvest email addresses — and what you can do about it

If you are in any area of the IT or dev business like I am, then all of the following are probably true:

  • You send and receive lots of emails each day.
  • You’ve subscribed to many useful and informative tech sites using your email address.
  • You post to several online lists and message boards that focus on your area of tech expertise.
  • You get tons of spam in your inbox each day, most but not all of which ends up in your junk mail folder.

Sound very familiar? I know lots of people working in our profession and I’m sure if I asked them they would virtually all concur with what I’ve described above.

It’s probably made you so frustrated at times that you’ve thought of changing your email address. I know I’ve had that thought many times, but the reality, unfortunately, is that changing your email address is not a simple thing to do.

Still, the idea of changing my primary work email address from info ( ) mtit dot com to sflj87welkjfs23bn@mtit.com sounds appealing to me. Then, by diligently taking care over who I send emails to and which sites, lists, and boards I subscribe to with that address, perhaps I could avoid having my work email address leak out into the wild and getting spammed out of my mind as a consequence. For example, I could start obfuscating my work email address as I did above in the first sentence of this paragraph. That would help keep my email address from being easily harvested, right?

Not at all. Obfuscating publicly visible email addresses like this poses absolutely no barrier for the determined spammer. And spammers are a very determined bunch indeed. It’s easy for them to write a script that will scrape websites and message boards for obfuscated email addresses and then automatically de-obfuscate them and populate them into their databases. And website/message board scraping is only one of numerous methods spammers use to collect the email addresses of individuals, businesses, and organizations so they can keep the tide rising in our precious inboxes.

How spammers harvest email addresses


What are some of the other ways that spammers can get hold of your email address? They can subscribe to every mailing list and message board under the sun. They can query insecure LDAP servers and mail servers. They can get their hands on the email directory of the company you work at using various means ranging from injecting malware to social engineering.

They can even use a company directory of names only (no email addresses) and algorithmically generate probable email addresses for individuals who work for the company. For example:

  • mitch.tulloch@contoso.com
  • m.tulloch@contoso.com
  • mitch.t@contoso.com
  • tulloch.m@contoso.com

and so on. One of these email addresses is likely to work, and if not there are dozens more possible in a corporate world where most businesses autogenerate standardized email addresses for their workers.

They can even take a list of the 1,000 most common first and last names in the state or country where the company resides and use it to generate a million possible email addresses of the form firstname.lastname@contoso.com. Then they might send a spear-phishing email to these million addresses and get 999,976 bounces but 24 hits. And who knows? One of those employees who received the email may carelessly open the attached file or click on the embedded link and — well, you know the rest of the story.
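Seen from the receiving mail gateway, the name-guessing run described above shows up as one source trying many distinct recipients and getting almost all of them rejected. The following detection sketch is an added example, not part of the original article; the log format, the thresholds, the sample lines, and the function name `find_harvesters` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical simplified gateway log format (an assumption for this example):
#   <time> client=<ip> rcpt=<address> code=<SMTP reply code>
LINE_RE = re.compile(r"client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) code=(?P<code>\d{3})")

# Constructed sample: one source guessing name-pattern addresses, plus normal traffic.
SAMPLE_LOG = """\
09:00:01 client=203.0.113.7 rcpt=james.smith@contoso.com code=550
09:00:01 client=203.0.113.7 rcpt=mary.smith@contoso.com code=550
09:00:02 client=203.0.113.7 rcpt=john.jones@contoso.com code=550
09:00:02 client=203.0.113.7 rcpt=mitch.tulloch@contoso.com code=250
09:00:03 client=203.0.113.7 rcpt=linda.brown@contoso.com code=550
09:00:03 client=203.0.113.7 rcpt=robert.davis@contoso.com code=550
09:02:10 client=198.51.100.20 rcpt=mitch.tulloch@contoso.com code=250
09:05:44 client=198.51.100.20 rcpt=mitch.tulloch@contoso.com code=250
09:07:12 client=192.0.2.9 rcpt=mitch.tuloch@contoso.com code=550
09:07:40 client=192.0.2.9 rcpt=mitch.tulloch@contoso.com code=250
""".splitlines()


def find_harvesters(lines, min_distinct=5, min_reject_ratio=0.8):
    """Return {ip: (attempts, rejected, distinct_rcpts)} for harvest-like sources."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0, "rcpts": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not recipient decisions
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["rcpts"].add(m["rcpt"].lower())
        if m["code"] == "550":  # 550 = mailbox unavailable (unknown recipient)
            s["rejected"] += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s["rejected"] / s["attempts"]
        # Many distinct recipients AND mostly unknown ones: a sender with a real
        # contact list rarely misses this often; a single typo stays unflagged.
        if len(s["rcpts"]) >= min_distinct and ratio >= min_reject_ratio:
            flagged[ip] = (s["attempts"], s["rejected"], len(s["rcpts"]))
    return flagged


if __name__ == "__main__":
    for ip, (attempts, rejected, distinct) in find_harvesters(SAMPLE_LOG).items():
        print(f"{ip}: {rejected}/{attempts} rejected across {distinct} recipients")
```

Sources flagged this way are candidates for rate limiting or blocking at the gateway, so that the few guesses that do match a real mailbox are never delivered.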

But there are other, easier ways that spammers can get hold of people’s email addresses. There’s the Dark Web, for example, the secret online marketplace where you can buy not just malware but also email addresses in bulk. There are also ways, often illegal but sometimes legitimate, of purchasing email addresses in bulk from domain registrars, Internet service providers, web hosting companies, and so on.

And then there are the hundreds of millions of insecure PCs still present on the Internet, most of which have probably already been compromised by attackers, giving them unfettered access to the address books of email client software running on those computers.

In short, even if you create a brand-new very complex email address and use it to send email to only one other person or business or message board, you’re still likely to soon see spam piling up in the junk mail folder associated with that address.

What can you do about it

So what can you do about the problem of spam? It all depends on how you phrase the question.

For example, if you ask me “How can I prevent my fresh new virgin email address from getting harvested by spammers?” then my answer is simply, “Not a single darn thing.” There’s absolutely nothing you can do to prevent your email address from getting harvested, provided you use it. The only way your virgin email can remain pure is total abstinence — not using it at all.

“Is there anything I can do then to prevent the flood of spam entering my inbox?” Yes, there is, provided you ask the right question. Because instead of asking how to prevent spam you can ask how you can control spam. In other words, your war against spam shouldn’t be conducted by trying to remain below the radar but by building up your defenses. By utilizing native and third-party anti-spam defenses on your organization’s routers and perimeter firewalls you can trap most of the incoming spam and prevent your business and financial assets from becoming compromised. If you run your own mail servers you can install and configure appropriate spam filters on them as well. If you use a mail hosting provider you can ask them to turn up the dial on their spam-catching algorithm or configure it yourself from your company’s admin control panel. And for the small but inevitable percentage of spam that does make it past the filters at the boundary between your network and the hostile real world out there, make sure you educate your users on how to identify possible phishing emails and what they should do when they identify them.


Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows Server and cloud technologies who has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press. He is a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management.
