How Spammers Get Your Email Address

by Kaitlin Duck Sherwood

Note: the Center for Democracy and Technology wrote an article that did a systematic study of spam sources. You might enjoy it.


You're all sick of it -- email messages about good deals on toner cartridges, make-money-quick deals, underage minors eager to do unmentionable things, Viagra, and on and on and on. And, alas, you may have discovered that it's essentially impossible to get off of spammers' lists once you get on them.

How can you keep them from getting your address in the first place? To answer that, you need to understand where they get your email address from.

Spammers get your email address from at least five different places:

From You

Many organizations ask for your email address so they can keep in touch with you. For example, if you order a book from Amazon, Amazon wants to be able to send you order confirmation information.

You have essentially no control over what they do with your email address. Even if they have a privacy policy that says that they won't sell your email address, that might not still be true if the company goes out of business. Their list of email addresses is an asset that perhaps they are legally obliged to sell in order to pay off their creditors.

There are no legal precedents in the U.S. for such a situation, so it's unclear what will happen to those email addresses in the U.S. (European countries have much stricter privacy laws, and I don't have information about the rest of the world.)

At a minimum, however, any time you think about giving someone your email address, look to see if there is a place where you can state your marketing preferences (e.g. "Please send me email updates").

You might also want to get a free email account just for dealing with retailers. Check it when you're curious about an order, but infrequently otherwise.

From Postings on Usenet or the Web

If your email address is anywhere on the Web, Usenet, or sometimes even on mailing lists, you will get spam. Period. There are software programs that do nothing but scour the Internet for email addresses.

There isn't anything you can do about this except to set up a "public" email account, as discussed before.

From Your Friends

Your friends can also leak your email address out. Presumably they don't do this intentionally, but there are several ways that they can be enticed to give someone your email address.

One way to get someone else's email address is through "free offers." A company might tell your friend that if he or she refers a friend, he or she will get $10 off of some product and you will get $20 off! All your friend has to do is give the company your email address, and they will send you everything you need to know to take advantage of that offer.

What a great offer for your friend! Except that now the company has your email address.

Another way that a company could get your email address is through electronic greeting cards. Your friend composes an electronic greeting card and tells the card company to send it to your email address. Bingo! The greeting card company now has your address. While I don't know that any of the major greeting card companies do sell their list of email addresses, an unscrupulous one certainly could. (This is one of the reasons Why I Don't Like Electronic Greeting Cards.)

You can't control completely what your friends do, but when you give out your email address, you can ask your friends (loudly and clearly) to keep that email address private.

From the Dictionary

But wait, it gets worse. Spammers have started guessing email addresses. For Internet Service Providers that have millions of subscribers -- like AOL, Yahoo, or MSN -- the chances are that if they start guessing email IDs based on common names or words in the dictionary, they will get a lot of matches.

Thus, next time you get a new email address, choose an Internet Service Provider that is relatively small and choose an email ID that is harder to guess. For example, choose j37wilson instead of jwilson.

By Stealing It

Even if you only give your email address to reputable companies that promise not to give it away, if their computers are not secure, your email address is not secure.

My husband has his own domain name, so he creates a different email address every time someone asks him for his email address. A major car rental company asked for an email address (on a paper form) when he picked up a car, so he gave them a new, made-up address. Several months later, he got some spam to the account that he'd made up. Because he had only used the address once (on paper!), the only place that it could have come from was inside the major car rental company.

He fired off an angry message to the major car rental company, and they wrote back that they were launching a big investigation to find out how his email address had leaked out.

So who knows how the spammers got his email address? Perhaps an employee sold a copy of the database to spammers. Perhaps spammers hacked into the major car rental company's system. In some sense, it doesn't really matter: it got out.

Update: a second one of my husband's email addresses leaked out a few years later.

What Can You Do?

As mentioned before, you can get a second email account for public use. You can change to a small Internet Service Provider to make the address harder to guess.

Unfortunately, you can't guarantee that your main address will stay private forever. (And, the smaller the Internet Service Provider, the more likely that they will go out of business and you'll have to change your email account.)

Something else you can do is get your own domain. Domains cost $35/year or less, and most places can set things up so that you get all messages to that domain. Then, by creating one-time-use email addresses (like my husband did with the major car rental company), you can track where the spam comes from. If you find that an address is getting a lot of spam, you can easily set up filters to discard messages to that address.
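The one-time-address approach described above, sketched as an added example (not part of the original article): each vendor gets its own address on a catch-all domain, and incoming mail is sorted into expected, leaked (sent to an issued address by someone other than that vendor), or guessed (sent to an address that was never handed out). The domain example.org, the key, the vendor names and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

DOMAIN = "example.org"            # assumption: your own catch-all domain
SECRET = b"constructed-demo-key"  # assumption: a private key only you hold

def issue_address(vendor):
    """One address per vendor; the keyed tag keeps it out of reach of dictionary guessing."""
    label = "".join(c for c in vendor.lower() if c.isalnum())
    tag = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{label}-{tag}@{DOMAIN}"

def classify(raw, issued):
    """Return (address, verdict) where verdict is 'expected', 'leaked' or 'guessed'."""
    msg = message_from_string(raw)
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    ours = [a for a in rcpts if a.endswith("@" + DOMAIN)]
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    for addr in ours:
        if addr in issued:
            home = issued[addr]  # the domain the vendor itself mails from
            # From: can be forged, so 'expected' is only a hint; 'leaked' is the useful signal.
            ok = sender == home or sender.endswith("." + home)
            return addr, "expected" if ok else "leaked"
    # Delivered by the catch-all but never handed out: the address was guessed.
    return (ours[0] if ours else None), "guessed"

def leak_report(messages, issued):
    """Count leaked/guessed mail per address; these are candidates for a discard filter."""
    counts = Counter()
    for raw in messages:
        addr, verdict = classify(raw, issued)
        if verdict != "expected" and addr:
            counts[(addr, verdict)] += 1
    return counts

# Constructed sample data: two vendors and four inbound messages.
CAR = issue_address("Car Rental Co")
BOOK = issue_address("Bookshop")
ISSUED = {CAR: "carrental.example", BOOK: "bookshop.example"}
MAIL = [
    f"From: orders@bookshop.example\nTo: {BOOK}\nSubject: Your order\n\nShipped.",
    f"From: deals@toner.example\nTo: {CAR}\nSubject: Cheap toner\n\nBuy now.",
    f"From: rich@quick.example\nTo: {CAR}\nSubject: Make money\n\nBuy now.",
    f"From: deals@toner.example\nTo: jwilson@{DOMAIN}\nSubject: Cheap toner\n\nBuy now.",
]
REPORT = leak_report(MAIL, ISSUED)
```

In this sample the car rental address collects two leaked messages and the never-issued jwilson address one guessed message; both addresses can then be dropped by a filter without affecting mail from any other vendor.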

Another thing that you can do is run your email through filters.

I'm sorry that I can't be more encouraging, but email is a very immature medium. Its tools for dealing with spam are quite primitive. The good news, however, is that I am sure that future email programs will make it much easier to combat spam.

Good luck!


Kaitlin Duck Sherwood
Updated 12 June 2002.