Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why am I getting spam on this email address I use only for one newsletter?

Question:

I’m confident you won’t spam me Leo, however the fact is that I
still get spam addressed to this disposable email address that I set up
solely for your newsletter. What I don’t understand is, since you are
the only one I’ve told the address, and you don’t pass it on, how come
I’m getting spam?

In all honesty, this is a legitimate newsletter publisher’s worst
nightmare. You go through all the effort of playing by all the rules,
not selling or sharing your subscribers’ email addresses with anyone,
anywhere, any time, and by making sure to use only industry leading and
trusted service providers …

Only to find out a subscriber of yours is getting spam on an email
address they use only to subscribe to your newsletter, and nowhere
else.

I know, because as you can see it’s happened to me.

Become a Patron of Ask Leo! and go ad-free!

It’s very common to sign up to newsletters or on-line stores with a
unique email address that’s used nowhere else, specifically to detect
this case. For example, a user named Fred might create a new email
address “fred-askleo@example.com” and use that only to
subscribe to my newsletter, and taking extra care to make sure it never
appears anywhere else – especially anywhere on the web.

In theory, that means if he gets anything else on that email address
it’s because I or my service provider did something bad – like share
the email address with someone else, accidentally or otherwise.

In theory.

And the theory is correct most of the time.

“… spammers are always on the lookout for new ways to
identify and capture valid, working email addresses.”

Unfortunately, “most of the time” isn’t “100% of the time”.

If we examine the path(s) that email relating to, say, a newsletter
subscription can take, we’ll see that there are other opportunities for
that email address to be captured by spammers.

  • Spyware – the few reports I’ve gotten have been
    from people I trust are on top of this, but it needs to be included. If
    you have spyware or some kind of virus on your machine all bets are
    off. Anything you do could be monitored and data could be captured.
    From the moment you fill in a subscribe form, to every time you read an
    email, spyware could be watching for anything that looks like an email
    address and sending it off to some kind of spammer central. We often
    hear of viruses that routinely collect the contents of address books,
    and it’s not at all uncommon for email programs to automatically add
    some recipients to address books, perhaps as a side effect of your
    saying “it’s ok to display images from this person”.

  • Social Media Tools – one of the most frightening
    new “features” I’ve seen of late are social media sites that offer to
    connect you to all of your friends. In order to determine who your
    friends are, they ask you to upload or provide access to your contacts
    list or email address book, even if it’s on some other service.
    Unfortunately, they don’t know which addresses are “real” and which are
    single-purpose addresses. What these sites do with those addresses,
    real or not, is totally unknown. You’re trusting that they
    won’t also end up in the hands of spammers. You could be wrong.

  • The Network – email is typically sent completely
    unencrypted, over unencrypted connections. I’m not talking about WiFi
    connections here, I mean the entire internet. Everything from the DSL
    connection to your ISP, to the ISP-to-ISP connections that make up the
    internet itself. Anyone with access to a router or hub in the right
    place could be sniffing for and collecting anything that looks like an
    email address – or worse. It’s infrequent, but possible, be it in the
    email stream itself, or the sequence of web page fetches that occur
    when you sign up or manage a subscription.

  • Open WiFi – have you downloaded email without
    taking any extra precautions using an open WiFi hotspot? Then it’s
    possible that anyone in range of that hotspot could see and capture
    your email traffic. As I mentioned in the previous point, email by
    default is not encrypted – and that includes not only your email
    account username and password, but the very contents of the email you
    send and receive.

  • Mail Servers – as email travels along the path from
    sender to receiver, it typically touches at least two mail servers: the
    sending server and the mail server to which you connect to download
    your email. If either of these servers is compromised in any way, the
    traffic through them could be captured.

  • Your ISP – since everything is typically
    unencrypted, your ISP can see everything you do. Usually that’s not a
    problem in the least, but it is another point of access into the email
    you send and receive and the email addresses that you use.

  • Mailing List Providers – I hesitate to even mention
    this, since I have a tremendous amount of respect and trust in the
    service that I use, but again, for completeness it must be mentioned.
    Not all mass mailing service providers are as secure and ethical as
    others. Some are sloppy, either technically or with their personnel,
    others are actively unethical – using the information you as a mailing
    list owner give them for other purposes. I have absolute faith and
    trust in AWeber, the service I
    use – but others may not be as trustworthy.

In most of the points above I make it sound like spammers are
looking for email addresses.

They are.

Spammers work one of two ways: they blast their spam to millions and
millions of email addresses, not knowing whether or not they are valid.
Most are not, but enough are to make it worth their while. The other
approach is to blast only to known good email addresses. These are much
more valuable because the spammer doesn’t need to send nearly as much
spam in order to reach “real people”.

As a result, spammers are always on the lookout for new ways to
identify and capture valid, working email addresses.

Now, I also need to say that the long list above looks pretty dire.
It makes it seem like there’s no way to even send an email without
getting your email address snagged and starting to get spam on it.

It’s not nearly that bad. Possible, yes, but highly unlikely.

As I write this I have 40,000 subscribers to my newsletter. I’ve
sent out something like 144 issues over nearly three years. (I’ll
estimate that as having sent somewhere over 2,000,000 emails accounting
for the growth over that time).

I’ve had exactly two complaints of this form.

Email addresses are much more commonly harvested by things like being
published on web pages (do a Google search on your own, you may be surprised.)

So the real point of all this is to show that there really are no
absolutes. You, and I, and our ISPs and our service providers, we all
do the best we can to keep things as secure and as private as is
possible.

But 100% security just doesn’t exist.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

11 comments on “Why am I getting spam on this email address I use only for one newsletter?”

  1. Thanks to this article i found out why my kids e-mail was getting spam her e-mail was published. in her help forum profile. now that i had her change that i hope to see a drastic reduce in amount of spam. Thanks Leo and thanks Google

    You’ll probably not see a reduction, since that email address has already been harvested by spammers. :-(

    – Leo
    22-Sep-2008
    Reply
  2. Leo, you forgot to list dumb luck. Spammers send mail to likely but not known if working addresses. Even unlikely addresses. I once made a throw-away hotmail address that I never used. Random letters for the most part. It got one spam.

    Reply
  3. Yeah, like Dan mentioned, it’s also likely that they could have just used random word generators to try and mail to every possible e-mail your provider could give out. One thing that’s unfortunate about e-mails vice regular mail (at least in a spammer perspective) is that there is effectiely no cost from the spammer’s view to send an e-mail, even if they send it to a hundred, a thousand, or even a million addresses at once. The cost only gets applied on the recipients’ mail servers, who need to handle the flood of spam coming for their members.

    Reply
  4. Thanks for that Leo. I’m going to conduct a wee experiment. What I’ll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I’ll let you know.

    It’s only that one firm of spammers, btw, that I mentioned in my previous comment on the subject.

    Reply
  5. The experiment continues. I’ve re-subscribed using (as Leo can see) a new but similar disposable email address. I shall check in my Trash folder over the next few days to see whether any spam arrives addressed to the new address.

    Incidentally, I’m also glad to have re-subscribed for another reason, as it means I get a copy of Leo’s e-book on Internet Safety, which I am looking forward to perusing.

    Reply
  6. Leo,

    All good explanations. I also like the “dumb luck” and “random” explanation, though hardly dumb luck or random. When I was on Earthlink, about once a week I’d be cc’d on an e-mail with a nonsensical message in the body. The sender wasn’t even shy about hiding the cc list:

    aaaaaa@earthlink.com; aaaaab@earthlink.com; aaaaac@earthlink.com; aaaaad@earthlink.com; …

    or some similar progressive block of 20 to 30 addresses that happened to contain mine. Earthlink could have easily blocked such “fishing” expeditions (at the time they were running an expensive TV ad complain touting their anti-spam team) but refused to do so even after repeated complaints.

    Don’t get me started on free WiFi increasingly common in hotels and airports. They routinely harvest information such as e-mail addresses, legally if you agree to their TOS.

    Leo, what is AWeber and what user information do you share with them?

    AWeber is the service I use to send my weekly newsletter. When you sign up for that they’re the one’s collecting your email address and confirmation, and then once a week they’re the ones who actually send the email. They’re perhaps the most respected email service provider in the industry.

    – Leo
    23-Sep-2008
    Reply
  7. And spam can already be directed to the address.
    As in: someone already had it, did something stupid, got plenty spam, closed the account, then you get the account, and the spam is still coming……

    Reply
  8. I have 4 email accounts. My main one is at Yahoo, for my web site. I have an Hotmail one because my relatives started using MSN Messenger. I have a Gmail account – reason still unknown – it seemed like a good idea at the time. I also have my email from my ISP.

    I have never given or used the Gmail account but when I log in the Spam folder has currently 1283 emails. Amazingly, the spam in the other accounts have dropped considerabily.

    I use to average between 150 to 200 emails daily. That has dropped to about 30 – I take no credit for it :-).

    Reply
  9. Thanks Leo! I was just wondering.

    I have gotten spam through my GMail account. I’d used Google Checkout and it turned out the merchant’s computer was infected. Google doesn’t scan checkout related mail for spam. Fortunately, you can elect not to receive e-mail from checkout merchants, which solve that problem.

    As I explained elsewhere, through my own domain I’ve created a primary e-mail account whose address I give to friends and relatives. For everyone else I create a individual custom domain forward to my primary account. If I ever start getting spam through a forward, I’ll just delete it and create a new one for the merchant or organization.

    Since setting up about four months ago, the amount of spam I receive has went from over a hundred a day to zero. Of course this method can’t be used by e-mail accounts that must accept messages from arbitrary senders.

    Reply
  10. On Sept 23rd I wrote “I’m going to conduct a wee experiment. What I’ll do is create another new disposable email address and sign up to your newsletter again with it, and see whether the spammers find it again. If they do I’ll let you know.” Well, it seems to have worked, as I am no longer receiving the spam.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.