Help with Spam and Phishing
...and Other E-mail Pests
by Randy Cassingham
The basics of spam, "phishing" and other e-mail pests, how they got your address in the first place -- and what to do now that you're inundated.
What Is This Garbage?!
"Spam", according to various anti-spam groups (see below), is defined as "Unsolicited Commercial E-mail". That is, e-mail you didn't ask to be sent to you that is commercial in nature (e.g., an advertisement) -- even if it's not bulk mail sent to millions of people -- and you don't otherwise have a "prior business relationship" with the sender. Thus, "A Great Income Opportunity!" from someone you've never heard of is spam; a special offer from a site where you have an account is not spam, even if you aren't interested in the offer. Of course, any legitimate online retailer will stop sending you advertising mail if you ask not to receive it anymore (unlike a spammer -- more on that below), and no company should send you commercial mail unless you've gone through a "verified opt-in" process where you not only request the mail, but respond to a message sent to your address to confirm you really do want mail from them -- and that you actually own that address. That's what legitimate large e-mailers do. It's a reasonable and simple process for all parties.
This site is updated regularly to keep it current. Major updates are announced in This is True®.
Last Update: October 2007.
(External links open in a new window so you don't lose your place.)
Spam does not include paper "junk mail" that you get at home. Reducing that is also nice, because you're reducing the amount of natural resources that are consumed sending you ineffective advertising, but that is beyond the scope of this primer. (For excellent information on reducing your home junk mail load, as well as some information on reducing spam, see Junkbusters.)
Spam most often advertises fraudulent or low-quality services or merchandise, and you pay (with your fees to your service provider) to receive it; anyone who would use "spam" advertising to promote a business by making the customer pay to get the ad is either completely out of touch with his customers or, by definition, underhanded. To confirm or report suspected fraud, see Fraud.org.
With my well-known e-mail address, I get more spam than most. Even a little bit can be rather irritating, but more than 1,000 junk messages -- per day -- stream in to my two main addresses. If your e-mail address gets on spammer distribution lists, you will eventually start getting unsolicited junk mail clogging your e-mailbox. If you're lucky, you won't get as much as I do, but others get more! Most of the people who have been online for any length of time agree: something must be done about it.
How Did They Get My Address?
E-mail spammers do not get your address because you're on the distribution list of legitimate e-mail publications. These days, no legitimate mailing list is completely unsecured (where anyone can grab the list of subscribers). Most online publishers use high-quality distribution software that is quite secure. My own This is True, for instance, uses Lyris, which has excellent list security. Many other list services are also well secured. But if you can retrieve a list of every member of a list you're on, so can a spammer. It doesn't help to make list access "for subscribers only". What's to keep a spammer from subscribing, grabbing the list, and leaving?
Of course the key there is "legitimate" e-mail publications. If you're not sure, check the publication's web site for a privacy policy. For example, This is True's privacy policy explicitly states that we do not ever sell, rent, give, or otherwise provide our subscriber addresses to outside parties, whether or not we think they're legitimate.
So where do spammers get your address? The number one place used to be posts on Usenet newsgroups (also called "discussion groups" on some systems, "bulletin boards" on others). Newsgroups are "publicly" readable; whether you post your message on your local ISP or on a major 'net service, your message can be spread worldwide by Usenet in a matter of hours, and it -- with your posting address -- is easily sucked up by advertisers.
The current most-common place to get your address is from web pages. If your e-mail address is listed on a web page anywhere on the 'net, especially if that page is listed in a search engine or directory, spammers will find it, and fairly quickly. Tip: try searching for your own e-mail address in Google. If you can find it there, spammers can too -- easily.
Spammers "harvest" fresh addresses by going to web sites and "scanning" for e-mail addresses anywhere on the site. I've seen the scanners in operation, and it's amazing how quickly they work. The software can, for instance, ask a search engine for any page that has the word "cat" in it and grab the addresses off those pages for a "targeted" list of people with a presumed interest in cats. It takes only minutes to gather thousands of addresses. Of course, how "targeted" that list might be is a matter of opinion. A "cat" might refer to a feline animal, a tractor, an abbreviation for "category", etc. But spammers don't really care if you're interested in their message or not. The key, for them, is to blast out their nonsense to as many people as possible because a very tiny percentage of them will be stupid enough to fall for their ad and send them money. That is their only goal -- they don't care how many people they offend in the meantime.
But even if you've been careful never to use your address on any public site, even a web page, you will likely still get spam! There are two main ways this happens:
- Your address used to belong to someone else. For instance, a webmail account on a popular service such as Hotmail or Yahoo mail. You may have felt lucky to get a great username there -- how could no one have already taken such a great name?! They did, long ago. Then they abandoned it because of all the spam they were getting. Guess what? The spam never stopped! Now you are getting it.
- A "dictionary" attack. Spammers will connect to a server and ask to deliver mail to mailbox "A". If the server says OK, that address goes on their list. They then proceed to "AA", or "B", or any word or combination of letters that's in their "dictionary" -- and it's all automated. Even though the address has never been listed anywhere and isn't on any web sites, suddenly that address is getting spam. And it doesn't just happen at big, well-known sites, like Hotmail. Even tiny personal sites have been subjected to such attacks.
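The dictionary attack described above leaves a recognizable trace on the receiving mail server: one client asking about many different mailboxes, most of which do not exist. As an added example (not part of the original article), this Python code flags such clients in a delivery log; the log format, field names, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, hypothetical format (not a real
# mail server's). Each line records one delivery request and the reply code:
# 250 = mailbox accepted, 550 = no such mailbox.
SAMPLE_LOG = """\
2007-10-01T03:00:01 client=203.0.113.9 rcpt=<a@example.org> reply=550
2007-10-01T03:00:01 client=203.0.113.9 rcpt=<aa@example.org> reply=550
2007-10-01T03:00:02 client=203.0.113.9 rcpt=<admin@example.org> reply=250
2007-10-01T03:00:02 client=203.0.113.9 rcpt=<b@example.org> reply=550
2007-10-01T03:00:03 client=203.0.113.9 rcpt=<bob@example.org> reply=250
2007-10-01T03:00:03 client=203.0.113.9 rcpt=<c@example.org> reply=550
2007-10-01T03:05:10 client=198.51.100.4 rcpt=<bob@example.org> reply=250
2007-10-01T03:07:44 client=198.51.100.4 rcpt=<bobb@example.org> reply=550
"""

LINE_RE = re.compile(r"client=(\S+) rcpt=<([^>]+)> reply=(\d{3})")

def find_dictionary_probes(log_text, min_attempts=5, min_reject_ratio=0.5):
    """Flag clients that asked about many distinct mailboxes, mostly unknown.

    Thresholds are illustrative assumptions; tune them to real traffic.
    Returns {client: {"attempts", "rejected", "confirmed"}}, where "confirmed"
    lists the valid addresses the server revealed to that client.
    """
    attempted = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # ignore lines that are not delivery requests
        client, rcpt, reply = match.group(1), match.group(2).lower(), match.group(3)
        attempted[client].add(rcpt)
        if reply.startswith("2"):
            accepted[client].add(rcpt)

    findings = {}
    for client, rcpts in attempted.items():
        rejected = rcpts - accepted[client]
        if len(rcpts) >= min_attempts and len(rejected) / len(rcpts) >= min_reject_ratio:
            findings[client] = {
                "attempts": len(rcpts),
                "rejected": len(rejected),
                "confirmed": sorted(accepted[client]),
            }
    return findings

print(find_dictionary_probes(SAMPLE_LOG))
```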
Other sources for addresses actually include messages you sent privately to friends -- if they forward your note to a large group (which happens all the time, especially if you're telling a funny story), and a spammer happens to be a friend of a friend of a friend, your address can easily be culled from the headers. Other places include open e-mail discussion lists and, ironically, web pages that say "put your address here if you want to be on a 'do not mail' list"; often, these lists are sold to the very advertisers you want to avoid! This is another indication of the honesty of the advertisers. All they are interested in is getting your money -- they do not care about ethics or honesty. (There are legitimate anti-spam web sites that ask you to sign up in anti-spam campaigns. Such support is important, but how do you know if they're really anti-spam, or fronts for the spammers themselves? Be suspicious of any sites you aren't sure of. We are confident of the sites listed here -- they are run by very-well-known anti-spam activists. The sites they list are also very likely trustworthy.) The bottom line is, even if you are careful never to post on a discussion list, or ever to have your address listed on a web site, you can still get onto spam lists. And you cannot get off -- ever.
These resulting lists of addresses are often collected by list merchants (typically spammers themselves) who then sell (usually by using spam, of course) the lists to other spammers. Even if you manage to shut down one spammer, there are always more who already have your address -- if you are getting spam now, you will likely continue to get it for as long as you have that address.
So you can see, it's not enough that anti-spam laws just make spammers take you off their lists if you ask them. Is it really reasonable to ask every new spammer that comes along, "Pretty please, don't send me any more junk mail that I never asked for in the first place"? Heck no! Such laws do nothing but make spam legal and accepted! You would be spending all day, every day, jumping through "opt-out" hoops. Spamming is so easy that there are thousands of spammers. And what is to stop them from changing their name and starting over? Then you have to start over too. Clearly, "opt-out" is not the answer.
Continue to Page 2: So What Should I Do to Stop It?
Please pass the URL for this site to others you think could benefit from the information here. The more people that truly understand spam, the harder it will make things for spammers.
Copyright © 1996-2008 by Randy Cassingham, All Rights Reserved. All broadcast, publication, retransmission, copying or storage, including on CD-ROM, listservers, BBSs, Web sites, "FTP" archives, or anywhere else, is strictly prohibited without prior written permission (contact the author).
"This is True" is a registered trademark of ThisIsTrue.inc and is used with permission.
This page: http://www.SpamPrimer.com/index.html