I’m confident you won’t spam me Leo, however the fact is that I
still get spam addressed to this disposable email address that I set up
solely for your newsletter. What I don’t understand is, since you are
the only one I’ve told the address, and you don’t pass it on, how come
I’m getting spam?
In all honesty, this is a legitimate newsletter publisher’s worst
nightmare. You go through all the effort of playing by all the rules,
not selling or sharing your subscribers’ email addresses with anyone,
anywhere, any time, and by making sure to use only industry leading and
trusted service providers …
Only to find out a subscriber of yours is getting spam on an email
address they use only to subscribe to your newsletter, and nowhere
else.
I know, because as you can see it’s happened to me.
Become a Patron of Ask Leo! and go ad-free!
It’s very common to sign up to newsletters or on-line stores with a
unique email address that’s used nowhere else, specifically to detect
this case. For example, a user named Fred might create a new email
address “fred-askleo@example.com” and use that only to
subscribe to my newsletter, and taking extra care to make sure it never
appears anywhere else – especially anywhere on the web.
In theory, that means if he gets anything else on that email address
it’s because I or my service provider did something bad – like share
the email address with someone else, accidentally or otherwise.
In theory.
And the theory is correct most of the time.
identify and capture valid, working email addresses.”
Unfortunately, “most of the time” isn’t “100% of the time”.
If we examine the path(s) that email relating to, say, a newsletter
subscription can take, we’ll see that there are other opportunities for
that email address to be captured by spammers.
-
Spyware – the few reports I’ve gotten have been
from people I trust are on top of this, but it needs to be included. If
you have spyware or some kind of virus on your machine all bets are
off. Anything you do could be monitored and data could be captured.
From the moment you fill in a subscribe form, to every time you read an
email, spyware could be watching for anything that looks like an email
address and sending it off to some kind of spammer central. We often
hear of viruses that routinely collect the contents of address books,
and it’s not at all uncommon for email programs to automatically add
some recipients to address books, perhaps as a side effect of your
saying “it’s ok to display images from this person”. -
Social Media Tools – one of the most frightening
new “features” I’ve seen of late are social media sites that offer to
connect you to all of your friends. In order to determine who your
friends are, they ask you to upload or provide access to your contacts
list or email address book, even if it’s on some other service.
Unfortunately, they don’t know which addresses are “real” and which are
single-purpose addresses. What these sites do with those addresses,
real or not, is totally unknown. You’re trusting that they
won’t also end up in the hands of spammers. You could be wrong. -
The Network – email is typically sent completely
unencrypted, over unencrypted connections. I’m not talking about WiFi
connections here, I mean the entire internet. Everything from the DSL
connection to your ISP, to the ISP-to-ISP connections that make up the
internet itself. Anyone with access to a router or hub in the right
place could be sniffing for and collecting anything that looks like an
email address – or worse. It’s infrequent, but possible, be it in the
email stream itself, or the sequence of web page fetches that occur
when you sign up or manage a subscription. -
Open WiFi – have you downloaded email without
taking any extra precautions using an open WiFi hotspot? Then it’s
possible that anyone in range of that hotspot could see and capture
your email traffic. As I mentioned in the previous point, email by
default is not encrypted – and that includes not only your email
account username and password, but the very contents of the email you
send and receive. -
Mail Servers – as email travels along the path from
sender to receiver, it typically touches at least two mail servers: the
sending server and the mail server to which you connect to download
your email. If either of these servers is compromised in any way, the
traffic through them could be captured. -
Your ISP – since everything is typically
unencrypted, your ISP can see everything you do. Usually that’s not a
problem in the least, but it is another point of access into the email
you send and receive and the email addresses that you use. -
Mailing List Providers – I hesitate to even mention
this, since I have a tremendous amount of respect and trust in the
service that I use, but again, for completeness it must be mentioned.
Not all mass mailing service providers are as secure and ethical as
others. Some are sloppy, either technically or with their personnel,
others are actively unethical – using the information you as a mailing
list owner give them for other purposes. I have absolute faith and
trust in AWeber, the service I
use – but others may not be as trustworthy.
In most of the points above I make it sound like spammers are
looking for email addresses.
They are.
Spammers work one of two ways: they blast their spam to millions and
millions of email addresses, not knowing whether or not they are valid.
Most are not, but enough are to make it worth their while. The other
approach is to blast only to known good email addresses. These are much
more valuable because the spammer doesn’t need to send nearly as much
spam in order to reach “real people”.
As a result, spammers are always on the lookout for new ways to
identify and capture valid, working email addresses.
Now, I also need to say that the long list above looks pretty dire.
It makes it seem like there’s no way to even send an email without
getting your email address snagged and starting to get spam on it.
It’s not nearly that bad. Possible, yes, but highly unlikely.
As I write this I have 40,000 subscribers to my newsletter. I’ve
sent out something like 144 issues over nearly three years. (I’ll
estimate that as having sent somewhere over 2,000,000 emails accounting
for the growth over that time).
I’ve had exactly two complaints of this form.
Email addresses are much more commonly harvested by things like being
published on web pages (do a Google search on your own, you may be surprised.)
So the real point of all this is to show that there really are no
absolutes. You, and I, and our ISPs and our service providers, we all
do the best we can to keep things as secure and as private as is
possible.
But 100% security just doesn’t exist.
Thanks to this article i found out why my kids e-mail was getting spam her e-mail was published. in her help forum profile. now that i had her change that i hope to see a drastic reduce in amount of spam. Thanks Leo and thanks Google
22-Sep-2008
Sadly, Anthony, you probably won’t as the e-mail address is in some spammer’s database somewhere. Sad, but true.
Leo, you forgot to list dumb luck. Spammers send mail to likely but not known if working addresses. Even unlikely addresses. I once made a throw-away hotmail address that I never used. Random letters for the most part. It got one spam.
Yeah, like Dan mentioned, it’s also likely that they could have just used random word generators to try and mail to every possible e-mail your provider could give out. One thing that’s unfortunate about e-mails vice regular mail (at least in a spammer perspective) is that there is effectiely no cost from the spammer’s view to send an e-mail, even if they send it to a hundred, a thousand, or even a million addresses at once. The cost only gets applied on the recipients’ mail servers, who need to handle the flood of spam coming for their members.
Thanks for that Leo. I’m going to conduct a wee experiment. What I’ll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I’ll let you know.
It’s only that one firm of spammers, btw, that I mentioned in my previous comment on the subject.
The experiment continues. I’ve re-subscribed using (as Leo can see) a new but similar disposable email address. I shall check in my Trash folder over the next few days to see whether any spam arrives addressed to the new address.
Incidentally, I’m also glad to have re-subscribed for another reason, as it means I get a copy of Leo’s e-book on Internet Safety, which I am looking forward to perusing.
Leo,
All good explanations. I also like the “dumb luck” and “random” explanation, though hardly dumb luck or random. When I was on Earthlink, about once a week I’d be cc’d on an e-mail with a nonsensical message in the body. The sender wasn’t even shy about hiding the cc list:
aaaaaa@earthlink.com; aaaaab@earthlink.com; aaaaac@earthlink.com; aaaaad@earthlink.com; …
or some similar progressive block of 20 to 30 addresses that happened to contain mine. Earthlink could have easily blocked such “fishing” expeditions (at the time they were running an expensive TV ad complain touting their anti-spam team) but refused to do so even after repeated complaints.
Don’t get me started on free WiFi increasingly common in hotels and airports. They routinely harvest information such as e-mail addresses, legally if you agree to their TOS.
Leo, what is AWeber and what user information do you share with them?
23-Sep-2008
And spam can already be directed to the address.
As in: someone already had it, did something stupid, got plenty spam, closed the account, then you get the account, and the spam is still coming……
I have 4 email accounts. My main one is at Yahoo, for my web site. I have an Hotmail one because my relatives started using MSN Messenger. I have a Gmail account – reason still unknown – it seemed like a good idea at the time. I also have my email from my ISP.
I have never given or used the Gmail account but when I log in the Spam folder has currently 1283 emails. Amazingly, the spam in the other accounts have dropped considerabily.
I use to average between 150 to 200 emails daily. That has dropped to about 30 – I take no credit for it :-).
Thanks Leo! I was just wondering.
I have gotten spam through my GMail account. I’d used Google Checkout and it turned out the merchant’s computer was infected. Google doesn’t scan checkout related mail for spam. Fortunately, you can elect not to receive e-mail from checkout merchants, which solve that problem.
As I explained elsewhere, through my own domain I’ve created a primary e-mail account whose address I give to friends and relatives. For everyone else I create a individual custom domain forward to my primary account. If I ever start getting spam through a forward, I’ll just delete it and create a new one for the merchant or organization.
Since setting up about four months ago, the amount of spam I receive has went from over a hundred a day to zero. Of course this method can’t be used by e-mail accounts that must accept messages from arbitrary senders.
On Sept 23rd I wrote “I’m going to conduct a wee experiment. What I’ll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I’ll let you know.” Well, it seems to have worked, as I am no longer receiving the spam.