I’m confident you won’t spam me Leo, however the fact is that I
still get spam addressed to this disposable email address that I set up
solely for your newsletter. What I don’t understand is, since you are
the only one I’ve told the address, and you don’t pass it on, how come
I’m getting spam?
In all honesty, this is a legitimate newsletter publisher’s worst
nightmare. You go through all the effort of playing by all the rules,
not selling or sharing your subscribers’ email addresses with anyone,
anywhere, any time, and by making sure to use only industry leading and
trusted service providers …
Only to find out a subscriber of yours is getting spam on an email
address they use only to subscribe to your newsletter, and nowhere
I know, because as you can see it’s happened to me.
Become a Patron of Ask Leo! and go ad-free!
It’s very common to sign up to newsletters or on-line stores with a
unique email address that’s used nowhere else, specifically to detect
this case. For example, a user named Fred might create a new email
address “firstname.lastname@example.org” and use that only to
subscribe to my newsletter, and taking extra care to make sure it never
appears anywhere else – especially anywhere on the web.
In theory, that means if he gets anything else on that email address
it’s because I or my service provider did something bad – like share
the email address with someone else, accidentally or otherwise.
And the theory is correct most of the time.
identify and capture valid, working email addresses.”
Unfortunately, “most of the time” isn’t “100% of the time”.
If we examine the path(s) that email relating to, say, a newsletter
subscription can take, we’ll see that there are other opportunities for
that email address to be captured by spammers.
Spyware – the few reports I’ve gotten have been
from people I trust are on top of this, but it needs to be included. If
you have spyware or some kind of virus on your machine all bets are
off. Anything you do could be monitored and data could be captured.
From the moment you fill in a subscribe form, to every time you read an
email, spyware could be watching for anything that looks like an email
address and sending it off to some kind of spammer central. We often
hear of viruses that routinely collect the contents of address books,
and it’s not at all uncommon for email programs to automatically add
some recipients to address books, perhaps as a side effect of your
saying “it’s ok to display images from this person”.
Social Media Tools – one of the most frightening
new “features” I’ve seen of late are social media sites that offer to
connect you to all of your friends. In order to determine who your
friends are, they ask you to upload or provide access to your contacts
list or email address book, even if it’s on some other service.
Unfortunately, they don’t know which addresses are “real” and which are
single-purpose addresses. What these sites do with those addresses,
real or not, is totally unknown. You’re trusting that they
won’t also end up in the hands of spammers. You could be wrong.
The Network – email is typically sent completely
unencrypted, over unencrypted connections. I’m not talking about WiFi
connections here, I mean the entire internet. Everything from the DSL
connection to your ISP, to the ISP-to-ISP connections that make up the
internet itself. Anyone with access to a router or hub in the right
place could be sniffing for and collecting anything that looks like an
email address – or worse. It’s infrequent, but possible, be it in the
email stream itself, or the sequence of web page fetches that occur
when you sign up or manage a subscription.
Open WiFi – have you downloaded email without
taking any extra precautions using an open WiFi hotspot? Then it’s
possible that anyone in range of that hotspot could see and capture
your email traffic. As I mentioned in the previous point, email by
default is not encrypted – and that includes not only your email
account username and password, but the very contents of the email you
send and receive.
Mail Servers – as email travels along the path from
sender to receiver, it typically touches at least two mail servers: the
sending server and the mail server to which you connect to download
your email. If either of these servers is compromised in any way, the
traffic through them could be captured.
Your ISP – since everything is typically
unencrypted, your ISP can see everything you do. Usually that’s not a
problem in the least, but it is another point of access into the email
you send and receive and the email addresses that you use.
Mailing List Providers – I hesitate to even mention
this, since I have a tremendous amount of respect and trust in the
service that I use, but again, for completeness it must be mentioned.
Not all mass mailing service providers are as secure and ethical as
others. Some are sloppy, either technically or with their personnel,
others are actively unethical – using the information you as a mailing
list owner give them for other purposes. I have absolute faith and
trust in AWeber, the service I
use – but others may not be as trustworthy.
In most of the points above I make it sound like spammers are
looking for email addresses.
Spammers work one of two ways: they blast their spam to millions and
millions of email addresses, not knowing whether or not they are valid.
Most are not, but enough are to make it worth their while. The other
approach is to blast only to known good email addresses. These are much
more valuable because the spammer doesn’t need to send nearly as much
spam in order to reach “real people”.
As a result, spammers are always on the lookout for new ways to
identify and capture valid, working email addresses.
Now, I also need to say that the long list above looks pretty dire.
It makes it seem like there’s no way to even send an email without
getting your email address snagged and starting to get spam on it.
It’s not nearly that bad. Possible, yes, but highly unlikely.
As I write this I have 40,000 subscribers to my newsletter. I’ve
sent out something like 144 issues over nearly three years. (I’ll
estimate that as having sent somewhere over 2,000,000 emails accounting
for the growth over that time).
I’ve had exactly two complaints of this form.
Email addresses are much more commonly harvested by things like being
published on web pages (do a Google search on your own, you may be surprised.)
So the real point of all this is to show that there really are no
absolutes. You, and I, and our ISPs and our service providers, we all
do the best we can to keep things as secure and as private as is
But 100% security just doesn’t exist.