How Do Spammers Get My Email Address?

Category: Spam

Spammers seem to have supernatural powers of divination that enable them to guess email addresses accurately and quickly. But in reality, spammers harvest email addresses by pretty mundane means. You may even be contributing to the problem without realizing it. Here's the scoop on how spammers get email addresses, and steps you can take to protect your inbox...

Is Your Email Address Vulnerable to Spammers?

It can be maddening when your email inbox gets a fresh load of spam dumped into it. Equally frustrating is when spammers spoof your address as the sender, and your friends all start asking why you're sending them unwanted sales pitches for dubious products. Understanding how spammers get ahold of your email address can help to prevent both of these problems.

Using web-crawling "spider" programs (not unlike the ones Google uses to index Web pages), spammers hunt down email addresses by looking for the telltale "@" symbol. Working swiftly and ceaselessly, spiders can harvest millions of email addresses automatically. To avoid being bitten by a spider, avoid putting your email address on the Web. If you must make your email address visible in public, you can obscure it by avoiding the "@" symbol (for example, write "joe at blow dot com"), or publish the address as an image instead.
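As an added example (not part of the original article), here is a short Python audit you can run over the text of your own web page to see which addresses it exposes. It goes a little beyond the paragraph above by also checking HTML-entity and spelled-out "at"/"dot" forms, which shows that those forms hide an address only from a matcher that looks for the literal "@". The function name `audit` and the sample page are constructed for illustration.

```python
import html
import re

# Literal form: what a spider keying on "@" picks up directly.
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def _sep(word):
    # Spelled-out separator: " at ", "(at)", "[at]" (same shape for "dot").
    return rf"(?:\s+{word}\s+|\s*[\(\[]\s*{word}\s*[\)\]]\s*)"

AT, DOT = _sep("at"), _sep("dot")
SPELLED = re.compile(
    r"\b([A-Za-z0-9._%+-]+)" + AT
    + r"([A-Za-z0-9-]+(?:" + DOT + r"[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)

def audit(page_text):
    """Return sorted (address, how_exposed) pairs found in page_text."""
    found = {}
    for m in PLAIN.finditer(page_text):
        found[m.group(0).lower()] = "plain"
    # "&#64;" is still "@" once the HTML entities are decoded.
    decoded = html.unescape(page_text)
    for m in PLAIN.finditer(decoded):
        found.setdefault(m.group(0).lower(), "entity-encoded")
    # Spelled-out hits can be ordinary prose, so review them by hand.
    for m in SPELLED.finditer(decoded):
        domain = re.sub(DOT, ".", m.group(2), flags=re.IGNORECASE)
        found.setdefault(f"{m.group(1)}@{domain}".lower(), "spelled-out")
    return sorted(found.items())

# Constructed sample page; every address here is made up.
SAMPLE = """
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support: support&#64;example.com</p>
<p>Editor: joe at example dot com, or someone (at) example (dot) org</p>
<p>Press: <img src="press-address.png" alt="press contact"></p>
"""

if __name__ == "__main__":
    for address, how in audit(SAMPLE):
        print(f"{how:15} {address}")
```

Only the address published as an image leaves nothing in the page text for the audit to report.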

"Dictionary attacks" are another standard way to collect email addresses. Spammers generate emails to made-up addresses, accepting millions of bounce-backs in exchange for a handful of replies from valid addresses. That's why the first rule of dealing with spam is "don't reply to it." Doing so just tells the spammer that you are a "live one" and worth hitting with more spam.

You can make it harder for a dictionary attacker to guess your address by NOT choosing any combination of dictionary words, common first or last names, and a string of numbers. If your email address is or I can guarantee that you'll get loads of spam, no matter how careful you are. Those addresses are just easy targets, because they're so easy to guess.

Margaritaville? Huh?

With apologies to Jimmy Buffett, some people claim that there's a hacker to blame, but you know, it's your own damn fault sometimes. Many people simply hand over their email addresses, no questions asked, just to get access to a contest, some free program, a ringtone, or other supposed "valuable prize." It's a good idea to have a "throwaway" email address that you can enter into Web forms, rather than using your everyday address.

And if you have an email password that's easily guessable, spammers may hack into the email account and steal all of the contacts stored there. If your computer is not adequately protected from viruses, spyware and phishing attacks, all of the people in your email address book are vulnerable to spam attacks as well. See my article Is Your Password Hacker Proof? for help picking a secure password.

Some people believe that email forwards play into the hands of spammers, because they accumulate a large number of addresses as the message spreads from one person to another. I'm not so sure this actually works, because there's no mechanism for the bloated messages to return to the spammer. But I will certainly agree that blindly forwarding every silly story doesn't contribute anything positive to the Internet. Cambodian midgets fighting lions? Nigerian prince wants your help transferring money? Really?? If you're tempted to forward something that seems dubious, check it out on before hitting the Send button.

Hacking into a major company's databases can yield millions of high-quality email addresses at once, not to mention even more valuable data such as credit card numbers, Social Security Numbers, etc. Not long ago, the online shoe store Zappos was hacked, and 24 million email addresses were exposed. And in April of 2011, Epsilon, which provides email marketing services to over 2000 large companies, was hacked. This resulted in about 100 million email addresses being published on underground websites. There's not much you can do to prevent this, except hope that the companies you do business with have good security protocols in place.

Spammers also trade in lists of email addresses. A list of a million addresses goes for as little as $100. Some online crooks don't even mail spam, but make their living harvesting and trading email addresses.

Your supposedly legitimate business associates (or any website where you hand out your email address) may be selling you out to spammers, though they may think of the spammers as "trusted partners." Before signing up to any mailing list, make sure you know what the email privacy policy is. Opt out of allowing your email address to be shared with third parties for any reason, if possible.

It's almost impossible to hide your email address from spammers completely. At the least, you'll probably get a blind dictionary attack spam, eventually. But think before you give your email address to any website. The fewer entities that have your email address, the less spam you will receive. Keeping your own computer secured, and encouraging your friends and family to do likewise will also help.

Got any additional tips for keeping your email address safe? Post your comment or question below...


This article was posted by on 8 Feb 2012


Most recent comments on "How Do Spammers Get My Email Address?"

Posted by:

08 Feb 2012

I have a hotmail account that I use only for orders with a small company. In seven years it has NEVER received a single spam email. In contrast to the other hotmail, gmail and ISP accounts that I use and are bombarded.
I blame email forwards from people who don't know how to BCC (Blind Carbon Copy) and I have long suspected devious activity from an acquaintance who seems to "sign me up" on the rare occasions I used to send him an email!!!

Posted by:

Joe Hathaway
08 Feb 2012

I recently received over 100 "bounced" emails back that I never sent. Analysis of the obsolete addresses showed that a hacker or virus had visited and harvested addresses from my laptop's Thunderbird "Sent" file, which goes back for many years. With AT&T-supplied McAfee security on guard, how would that have been done, and how should it have been prevented?

I have changed my ATT/Yahoo log-in password, but that seems to be closing the barn door after the horse is gone--I doubt the spammer would use my outgoing email account again, if he ever actually did--he has the list now.

EDITOR'S NOTE: What makes you think that a hacker or virus harvested addresses from the Sent file?

Posted by:

08 Feb 2012

At my academic institution, some departments send out e-vites to parties thereby releasing all of our email addresses to an outside company. They also use Doodle to survey meeting times. My institution has an online directory of all faculty and staff that is open to the public. It can be searched and harvested 100 names at a time. Fortunately, though, the institution also scans all emails for spam using a commercial product from Cisco. It's pretty good. I mainly receive notices like "Ask Bob" that I have signed up for.

Posted by:

Joe Hathaway
08 Feb 2012

In reply: The obsolete-address emails that bounced had been sent to addresses not now in my Address Book, and some that had never been there, going back years to (in some cases) single emails sent to businesses, one-time replies, etc. Perhaps somewhere in the Address Book's "Collected Addresses" files, the spider (or whatever) found old addresses, but I try to delete all that junk fairly often.

EDITOR'S NOTE: It could be worse if the horse was locked INSIDE the barn. I suggest a thorough scan with MBAM. See

Posted by:

08 Feb 2012

I get a lot of spam but, somehow, I just don't care. I just click the UNDELETE box on anything I deem spam and go on with my bad self. This only takes three or four minutes out of my ever-so-busy schedule. I know what I expect and anything else is spam.

Posted by:

Bob K
08 Feb 2012

It's too bad you can't control what other people do. I had an email address, that was 100% spam-free, destroyed by a friend (hah!) that just had to send me an electronic greeting card. The outfit they used had a name very similar to a nationally-known greeting card company -- but wasn't! Exactly 2 weeks later the spam flood started, finally to the point where I had to shut down that email address. This was after my signature line had (for a couple years) asked people not to use my email address for such things. I even provided an alternate address they could use.

Posted by:

08 Feb 2012

I use numbers to begin my email address rather than beginning with the customary alpha letters followed by numbers. No spam problems yet. However, now that I have posted this, most likely spammers will change the way they look for email addresses. (Ugh)

Posted by:

08 Feb 2012

Using your name in your email address will not increase the amount of spam you receive. My work and personal email addresses include my first and last names, and I rarely receive spam.

Posted by:

08 Feb 2012

A timely reminder Bob, as always.

My provider offers throwaway e-mail addresses and I use different ones for any online purchases etc. Each one easily identifiable to me to know to whom I gave the address.

I am getting spam, it goes directly to my spam folder and I delete it without opening any of the messages.

I would like to learn which throwaways have been "leaked" but have been too nervous to open the spam to see what address it was sent to. Am I being overcautious? Should I open the messages so I can actually throw away the "throwaway" address that is compromised?

Thanks in advance Bob.

Posted by:

08 Feb 2012

Wanted to hip you to our first Official Annual Spam Carving Contest/ Pot-Luck Dinner here in sunny northeast Ohio. First Prize for our main event will be the incredible 377 page "Spam-ish Gourmet for Dummies" Cookbook/ back-scratcher, an entire year's worth of Spam to familiarize yourself with all those mouth-watering recipes and 4 cases of the finest woven European Toilette Tissue. I know it doesn't sound like much but, it isn't. That's why we mixed it up a little with our Second Prize which will be a fabulous 6 month membership to "Around-the-World in Potted Meats and Annoying Emails" Sampler Club for the winner and 9 of his or her friends.
Don't forget, Thuednesday, Feb. 31st at the Kiwani's Club in Mount Cherselff -around 8-ish. Maybe closer to 9. We'll see.

Posted by:

08 Feb 2012

Since I use Gmail (since 6 or 7 yrs) I NEVER got spam in my mailbox. Also: I NEVER missed a legitimate email... Why can't other ISPs use the same (or similar) algorithm to get rid of spam? I bet if Yahoo and Hotmail would use a good (gmail-like) spamfilter, spam would be banned out of this world soon.
Or maybe yahoo and hotmail just don't WANT to filter because they have interests in spam ...

Posted by:

09 Feb 2012

I consider myself quite computer literate but before I read Greg's post above, I must admit that I did not know what BCC actually stood for or did! So thanks to Greg, I've learned something new today :-)

Bob's articles and advice are invariably informative and helpful, but I think he should have suggested setting up your spam filters, to catch most of the junk?

Posted by:

Callie Jordan
09 Feb 2012

Does it help to type your address like this:

someone (at) somewhere (dot) com


Or are they sophisticated enough to pick that up?

Posted by:

09 Feb 2012

Unfortunately, we can either surf the net...or hide from it. There are so many ways to exploit a Windows OS that you'll never be truly safe (not that other OS's can't be exploited. They can.). Keep an address long enough and it will go to spam. I try to use the same address to register all websites. A good firewall and AV, and programs like 'Peerblock' can be helpful. Utilize their entire default list (requires very little resources). Don't be fooled by '.edu' addresses. It's easy to tell yourself that they should be safe and well protected from malicious attacks or harbor attackers even, but they aren't. I've chased down a lot of emails and many of them wind up resolving their i.p.'s to schools. Many of those to prestigious U.S. school servers.
That's just considering malicious content. We, in fact, have no guarantee that every time we register with a site our addresses aren't being sold, either openly or by an employee (I doubt many employers actively seek out employees selling their mailing lists). The only sure fire method is not to register (or visit for that matter).

Posted by:

09 Feb 2012

Contests, coupons and rebates! You know those boxes in stores, at the mall, etc. with a slot so you can enter a small card or paper with your name, address and email address - in order to win a "Caribbean Vacation?" Aside from the possibility that the whole thing's a scam and no one ever leaves our shores, consider that you are giving your email address to some entity, no matter how legit, who will bombard you with ads from here to eternity. Same with coupons. If they come in the mail, there's a chance that they're coded so that cashing them in results in more of same mail. Rebate forms ask for your snail mail and email addresses - so you get a double dose. Think about that - you are going to be opening emails and envelopes for the rest of your life, possibly hours and hours of work (calculate the cost using your hourly wage) - so do you really want to do that for $1.50? Or even $20 off on a $100 item? Better to just pay full fare and keep your personal info to yourself.

Posted by:

09 Feb 2012

I use Sneakemail to generate email addresses that forward to my real email addresses without exposing my real address. I generate a new email address for every type of task like a specific forum (I'm using one right now for this). If it gets spam, not only do I know which forum it was harvested from (or which was hacked), I can easily delete that address and never get another spam again. It costs $24 a year (I pay $2 a month) but it's so worth it. I hardly get any spam.

Posted by:

09 Feb 2012

I have three email accounts. One for work, one for personal, and one for internet exposure. And I learned to NOT keep an address book in the one for exposure as it was hijacked once. I change my passwords regularly, and I insist folks Blind CC to me for any group forwards. That was actually the hardest part- it took multiple reminders. I think BCC can help -but most address acquisition probably doesn't happen this way. Still if someone sends/receives group email and has an automatic add names to their address book- my address might be picked up if they get picked up. So BCC just another precaution- not really solution.
As expected I get no spam in personal (yes-gmail!)- some at work because of others, and LOTS at my account for exposure. I just spend a few minutes designating spam & deleting. I almost got taken in by that delivery one going around- you wrote about it recently-since I happened to have just sent something- but remembered before I opened it that I hadn't given my email out!
oh- and it helps that- at home - we only have MACs

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- How Do Spammers Get My Email Address? (Posted: 8 Feb 2012)