They have so many.
To be clear, it's rarely individuals. These days, spam is more likely to be sent by organizations that specialize in it.
Spam is big business, and we all get spam sooner or later.
Usually sooner.
How spammers get you
Spammers get email addresses through data breaches, purchased lists, website and social media harvesting, guessing common formats, phishing attempts, public records, and malware. With so many sources available, spam is inevitable. There's no perfect solution. Just mark it as spam and move on.
There are many ways spammers harvest email addresses. These are perhaps the most common.
1. Data breaches
This might be the most common way your email address gets into spammers' databases. A company or service you use that has your email address as a legitimate part of their records suffers an intrusion and data breach. Hackers collect the information and either turn it over or sell it to spammers.
Given all the worry about the various kinds of information exposed in data breaches, email addresses are probably the most common. And the most common result?
You get more spam -- sometimes crafted to look like it came from the breached organization.
2. Buying or renting lists
Although frowned upon, lists of email addresses can be purchased. A company with a collection of email addresses for whatever reason can sell that list and make a few bucks.
Marketers generally know better, but some do not. Especially when they're starting with nothing, purchasing a list is often where spammers start.
3. Website harvesting
I've talked about this in the past: posting your email address anywhere public means it's available for spammers to copy. Automated tools scan websites, automatically detect email addresses, and add them to the spammer's list.
4. Social media harvesting
This is like website harvesting because social media platforms are essentially just websites, but it deserves special notice. We often think our information on social media is private, but all too often we discover it's not. Occasionally, email addresses leak, and spammers harvest them.
5. Guessing
Seriously. Guessing. If you have a sometimes-coveted first-name@ email address (like leo@), you're going to get more spam. Spammers just grab a list of common names and start sending spam to them whether or not they actually exist.
Similarly, first-initial-last-name is also a common email address construction (like msmith@), so even if only your name is visible somewhere, spammers may try that construct to send you spam.
And of course, much like passwords, if they've seen an email address in the form "somethingodd@somerandomservice.com", they'll try "somethingodd@" at all the popular email services as well.
6. Phishing
If you fall for a phishing attempt by clicking on a link in a fraudulent email that takes you to a fake sign-in screen, you might hand over not only your password but your email address as well. Regardless of what you do about the potential password compromise, your email address is now on their lists.
7. Public records
I think this surprises many people, but many public records these days are online and often contain the email addresses of the individuals involved. This is much like website harvesting above, but it's tailored to extracting information from the interface of public records portals and databases.
8. Malware
It's not as common as it once was, but it's still a threat. Malware can, of course, do anything.
- It could examine your email account configuration, log your keystrokes, or do many other things to capture the email addresses you use.
- Someone else could have malware that examines their address book and finds your email address.
Do this
Spammers have so many sources of email addresses at their disposal that it's no wonder there's so much spam.
Unfortunately, there's no magic bullet. My advice remains the same as it's always been.
- If spam lands in your spam folder, that's the system working as it should.
- If spam lands in your inbox, mark it as spam and move on.
I get phone calls from places I've never heard of. When I ask them how they got my number, they tell me they have a random dialer; even though my number is unlisted, it still gets dialed. I've read there is an equivalent of an email phone book; they can just try every email in the book.
30 years ago, when email was becoming popular, someone I knew had an email address which was her lastname plus 4 digits @aol.com. She said it was to avoid junk email by making it harder to guess an address. That was before spam was called spam. I thought she was crazy, but she was right.
I taught at a university that posted our email addresses on their website. We got lots of spam from book companies who thought it was their right to send us spam. I marked those emails as spam to hopefully penalize them for sending unwanted, unsolicited email, which is the definition of spam. Posting our addresses opened us up to more spam from professional spammers. They used the format name [at] university’s domain .de. Duh! Spammers’ bots are sophisticated enough and can easily reconstruct the email address.
How are spammers able to send spam that looks like it came from me?
That’s explained in this article:
“From” Spoofing: How Spammers Send Email that Looks Like It Came from You
#9. Email addresses (and mailing addresses, phone numbers, etc.) harvested by apps that ask you to share your contacts. Don’t do it!
If you need to supply an email address to sign up for a website or download an app, etc., get a throwaway email address. I use Yahoo for that and their spam filter is so good, I almost never see spam in my inbox. Yahoo almost negates the need for a throwaway email address. Gmail’s spam filter is even better.