How Do Spammers Get Your Email Address?


Spam often feels like a never-ending plague for which there is no permanent cure. All it takes to get on the mailing lists used by spammers is an email address. There is no need to sign up for anything or ask for emails. It just starts coming. What's really frustrating is that spammers find your mailbox when good friends do not.

Dictionary Attack

Big, free email providers like Windows Live Hotmail or Yahoo! Mail are a spammer's paradise, at least when it comes to finding spammable addresses.

Millions of users share one common domain name, so you already know that ("" in the case of Hotmail). Try to sign up for a new account and you will discover that guessing an existing username is not difficult either. Most short and good names are taken.

So, to find email addresses at a large ISP, it's enough to combine the domain name with a random username. Chances are both "asdf1@hotmailcom" and "" exist.

To beat this kind of spammer attack, use long and difficult addresses.

Brute Searching Force

Another tactic employed by spammers to discover email addresses is to search common sources for email addresses. They have robots scanning web pages and following links.

These address harvesting bots work a lot like the search engines' robots, only they're not after the page content at all. Strings with '@' somewhere in the middle and a top-level domain at the end are all the spammers are interested in.

While the bots are not picky, the pages spammers are particularly keen to visit are web forums, chat rooms, and web-based interfaces to Usenet, because lots of email addresses are likely to be found there.

This is why you should disguise your email address when you use it on the net or, better yet, use disposable email addresses. If you post your address on your own web page or blog, you can encode it so visitors who want to send you an email can see and use it, but spambots cannot. Again, using a disposable address provides a very effective and at the same time convenient alternative.
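The encoding advice above, as an added example that is not part of the original article: a JavaScript check that scans a page's markup for addresses matching the pattern described earlier ('@' in the middle, top-level domain at the end) and shows that HTML-entity encoding hides an address only from scanners that do not decode entities. The function names, the pattern, and the sample page are assumptions constructed for illustration.

```javascript
// Added example: audit your own page for addresses a harvesting bot would see.
// Pattern follows the article's description: '@' in the middle, TLD at the end.
const ADDRESS_PATTERN = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Return the distinct addresses visible in the text, as a simple bot reads it.
function findExposedAddresses(html) {
  return [...new Set(html.match(ADDRESS_PATTERN) || [])];
}

// Encode each character as a decimal HTML entity; browsers still render
// and follow the address normally.
function encodeAsEntities(address) {
  return Array.from(address, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

// Decode numeric entities (hex and decimal), as a browser does and as a
// more thorough scanner could.
function decodeNumericEntities(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(Number(dec)));
}

// Report what the page exposes in raw form, and what only appears once
// entities are decoded (hidden from naive scanners, not from thorough ones).
function auditPage(html) {
  const raw = findExposedAddresses(html);
  const decoded = findExposedAddresses(decodeNumericEntities(html));
  return { raw, onlyAfterDecoding: decoded.filter((a) => !raw.includes(a)) };
}

// Constructed sample page: one plain address, one entity-encoded address.
const encoded = encodeAsEntities("jane@example.org");
const samplePage = `
  <p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
  <p>Author: <a href="mailto:${encoded}">${encoded}</a></p>`;

console.log(auditPage(samplePage));
```

An address listed under `onlyAfterDecoding` is protected against simple pattern matching only, which is why the article's disposable-address advice remains the stronger option.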

Worms Turning Infested PCs Into Spam Zombies

To avoid being detected and filtered, spammers seek to send their emails from a distributed network of computers. Ideally, these computers are not even their own but those of unsuspecting users.

To build such a distributed network of spam zombies, spammers cooperate with virus authors who equip their worms with small programs that can send bulk emails.

Additionally, these spam-sending engines will often scan the user's address book, web cache, and files for email addresses. That's another chance for spammers to catch your address, and this one is particularly difficult to avoid.

The best anyone can do is:

  • Keep your email program updated and patched.
  • Be wary of any attachments you did not request.
  • Run regular antivirus scans with a free, up-to-date scanner.