How Do Spammers Find Me?

Your email address should not be considered public domain. It is your property, you are paying for it, and you should decide what you receive and don't. Unfortunately, this isn't the case. Professional spamers realize that 99.9% of their recipients do not want to hear from them, and would rather not have their email address known. Therefore, these pros employ a number of tricks to find, steal, and otherwise coerce your email address.

Webpage Harvesting
Webpage harvesting is the act of searching the html of webpages for anything resembling name@address.com. This harvesting is accomplished by small programs called "spiders" that traverse the web from page to page searching for email addresses and following any links they encounter. In this way, a single spider can harvest thousands of email addresses embedded in webpages and record them for later use by spammers.

Harvesting Newsgroups
If you participate in usenet newsgroups, or your email address has been mentioned in a newsgroup article, then your email address may have been harvested. Spammers regularly scan UseNet using programs designed to pickout email addressses from the headers and bodies articles. By listing your email address in an article on UseNet, you are notifying harvesters that your email account is active, and giving them an open invitation to spam you.

From Mailing Lists
Spammers may attempt to get the list of subscribers to legitimate mailing lists in order to steal valid and active email addresses. This can be accomplished in a number of ways. For some low security mailing list servers, the spammer can simply request a list of subscribers to a specific mailing list and be provided with this list. There are also techniques that involve modifying the header of an email to the server in such a way that it is tricked into sending a record of its recent mail deliveries (including email addresses). Yet another trick is to request a list of all mailing lists from a mailing list server (an option that some servers employ for the convenience of their legitimate users). Once a spammer has this list, they just send their spam message to each of the mailing lists and the mailing lists will automatically forward it to every subscribed email address. If you have added your email address to a mailing list on an insecure server, you may therefore receive emails that claim to be coming from your desired mailing list but are infact spam.

From Online and Paper Forms
Many websites have forms on them requesting specific information from users. If you enter your email address in a web-based form, it may become available on the internet. This can occur if the form or webpage hosting it are insecure, allowing outside individuals to view their contents. Domain name registration forms are a popular target among spammers. This is because the emails entered in them are almost always valid, and their owners pay close attention to them because they are expecting to receive important information.

Some companies and websites make a living selling lists of the email addresses they collect through their online forms and paper forms. When you give out your email address at an event, conference, or convention, it may be compiled into a list which is later sold when no longer useful. Some spammers may even go as far as to manually type out email addresses listed in professional directories and conference procedings.

Using Social Engineering
There are an infinite number of ways to convince someone to give out their email address. One common trick is to send a chain-mail letter claiming that "You will receive a (insert incredible prize here) for every person that you forward this email to." Since this offer only stipulates that you CC the original sender when forwarding, it may seem harmless to an inexperienced internet user. However, doing so gives this person not only your email address, but the email addresses of the people you forward the message to (usually your friends, family, co-workers).

By Guessing
Another common method used is to simply guess email addresses. Many addresses take on similar formats such as firstname.lastname@domain.com or a combination of first initial and last name or first name and last initial. There are also a number of standard email address prefixes that are frequently used such as: info, webmaster, root, postmaster, contact, support, just to name a few.

Spammers guess at these email addresses and send out tens of thousands of test emails. When they receive an error message in response, they know that a particular email address isn't valid. If they receive an actual live response, or nothing at all, then they can assume that this email address is valid, and add it to their list.