How did the spammers get my e-mail address? - it depends!
Harvesting of publically viewable Web pages (or Newsgroups/Forums)
If you have your e-mail address displayed in 'plain text' on any web site
you will have already have been harvested. In simple terms there are hundreds
(if not thousands!) of robots on PCs which spend 24 hours a day, 7 days a
week looking at every page on the Web looking for anything which 'looks like'
an e-mail address.
In this decade (2000-9) this is by far the most prolific method
of acquisition it is usually the first thing to check and correct.
You can try typing in THE FIRST PART OF your e-mail ADDRESS
(up to but excluding the '@' sign) on Google
but obviously there is a very remote possibility that if you typed in your
whole e-mail address it would be a security exposure, see:
Search for JohnSmith13 and you will see the search phrase in your
browser address bar - just choose a likely site!
As another example of how easy it is to find addresses take a look at this search:
Hiding e-mail addresses is not difficult for a technical person with
appropriate skills and we offer a tool to allow a wide range of customers
to make the change in a safe, secure and disabilities-compliant method.
Extracting addresses from the Address Book (or e-mail text!) of your friends
If you are not familiar with Trojan Horse Robots which infect your
PC then please read:
Article in the Guardian
This is a more serious threat for the majority of personal users of the
Web because (1) it is growing virally by nature, (2) you can be 'caught'
without having anything to do with Web sites or their content and
(3) it doesn't matter how careful YOU are in protecting your OWN PC
because the problem is most usually on a friend's PC.
We provide a free service to all customers which allows us to register
each of their PCs for our Trojan tracking service, the activation is a
simple e-mail that they will be sent.
It isn't guaranteed to trap all Trojans but it consumes no customer resources
and is free to become registered. Obviously I am not going to explain the
details of what and how this tool works on this public web site.
Web sites wanting you to register with (or at least divulge) an e-mail address
The vast majority of these sites are well-intentioned and make SOME attempt
to keep your e-mail addresses secure but there are many ways in which your
address can then get compromised:
- Employees often have access to large numbers of e-mail addresses
and can make a lot of money by selling them!
- Less than adequately competent I.T. staff or their management /
organisation when targetted by a determined hacker
Bear in mind that SOME sites will deliberately use your e-mail for Spam so
do not give an e-mail address whenever in any doubt.
Hopefully it goes without saying that you should never divulge the e-mail
address of anyone you know unless the owner has given you explicit permission.
Having said that it is an obvious tool in the hands of anyone who has a reason
to cause frustration and pain to the recipient.
Directory and algorithmic guessing
98% of providers of Internet access will offer a 'free' e-mail Service
(hence the acronym ISP) and it was normally the case that the the
account name would also be your e-mail address and *their*
domain will be part of YOUR address.
Using an ISP for e-mail services has the problem that it is
a large and lucrative source of e-mail addresses. If JohnSmith93 is a valid
account name then it is almost certainly a valid e-mail address and worse
still - there is a high probability that using the numbers 1-92 will also
be a valid account and therefore address.
An interesting twist is that having compromised a large number of
addresses the Spammers have a list of user names that they can try
at other domains and/or ISPs.
Do you use the same user name at your bank as well as eBay or Amazon?!
Malicious Web sites - worms, beacons, anonymous FTP et. al.
Microsoft Internet Explorer
One critical exposure that has caused more devastation than most is
the exploitation of Microsoft Internet Explorer's Active-X.
MS have effectively acknowledged this 5+ year flaw by changing the default
setting of this feature in the latest version of MS IE (v7 as of Nov'06).
Any web site can create malicious tools which can exploit this flaw
and run their programs of your PC and accessing whatever data is on it!
- IF you let them!
Another exposure is the default setting for FTP (File Transfer Protocol)
which can send your e-mail address to a web site that requires an
Beacons or Web bugs - confirming your e-mail to hackers
Another item in the hacker's toolkit is the Beacon which allows an
e-mail to confirm that it has been received and read by sending a 'call home'
request to the hackers with a code to identify that it is your e-mail
address which has resulted in an item being read!
Is that enough to stop you being curious about Spam???
Bear in mind that these beacons are activated even when an e-mail
is simply previewed, not just opened!.
Purchasing e-mail addresses - a CD for less than 50 dollars - 50 MILLION+!
Bear in mind that the criminal community who want to exploit e-mail
addresses may simply leave it up to many other communities of people to
do their 'dirty work' collecting addresses.
There may well be thousands of relatively innocent people who simply
see this as a way of earning a few dollars to pay for their upkeep at college
or even food when that is scarce.
The quality of the e-mail addresses available on a CD will be very poor but
will still cause significant disruption to tens of thousands of people as well
as the economic and technical effects on the infrastructure of the Internet.
Is there a solution to the (Spam/e-mail) problem - short and long term?
We believe that we have one of the best solutions in the marketplace but
do not want to market it TOO widely because that would attract the attention
of the hackers who are often extremely bright and they have an army of
(virtual! - YOUR PCs!) resources to target our facilities.
Again it is inappropriate to go into the details of our solution on a
public web site but a 'phone call from anyone who's identity I can verify
in some way will always be welcome.
In the short term there will always be significant pain as the
existing e-mail addresses which are attracting Spam will need to be kept active
while you as a customer migrate your contacts to use your new e-mail address.
There have been many users of a variety of the techniques that we use
over many years. What we have done is to pull together several techniques
into a single architecture and design and then to add the automated
management of activities that are needed by non-technical users of it.