Spammers use many, many techniques to try to fool you into opening
and reading their message.
One of the most common is playing around with the email addresses to which
they send their spam.
I’ll review the most common approaches, and theorize a little bit as to
where they come from and why they might be used.
First, a definition: email addresses, when used in email messages, typically have two parts:
the actual email address, like “email@example.com”, and
the display name that goes along with it to make it more easily identifiable to humans, like “John C. Doe”.
If you take a look at email headers, you’ll see they’re listed together:
To: John C. Doe <firstname.lastname@example.org>
Only the address is actually required. If both are present your email program may show only the display name, or it may show both.
The spam I see falls into a few different buckets:
Spam sent directly to me, with matching name and email address.
In other words, not only is the spam sent to one of my email addresses – “email@example.com” – but the name that’s displayed is mine – “Leo A. Notenboom”. This is most likely the case when my email address has been harvested from email itself, or from being sold by or stolen from some service where I provided both pieces of information.
I expect that this is the most valuable kind of target for a spammer, since the email is clearly addressed to me, increasing the chances that I’ll open it.
Spam sent directly to me, using only an email address.
When there’s no display name at all in spam, just an email address, it’s more likely that the email address came from one of two places: it was harvested from a web page – where your display name is not associated with the email – or it was the result of what’s called a “dictionary attack”.
Dictionary attacks are the result of just trying likely email names until one works. A spammer might send email to firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, and so on. Those that aren’t real accounts may bounce or simply disappear, but the spammer doesn’t care as it didn’t cost him anything. As long as one gets through, mission accomplished. People with just their first names as their email address often get a tad more spam because of this technique.
“Just an email address” is still valuable to a spammer, because once again the email looks like it was directed at you, specifically, and so, the spammer hopes, you’re likely to open it.
Spam sent to me by my email address, but with a different display name.
This is probably the most confusing.
You’ll see the display name as someone else’s, and yet the email address that appears to be associated with it is yours:
To: Groucho Marx <email@example.com>
You may only see “Groucho Marx” as the recipient, when in fact it was sent to some email address completely unrelated to Groucho (or whatever name appears) – yours.
To be honest, I’m not exactly sure why spammers do it, other than perhaps to leverage the confusion factor. “Why am I getting email for Groucho, I wonder what it says?” There was a type of spam that actually played on this misdirection, appearing to be some kind of private message to Groucho (or whomever), attempting to entice you to visit some web site. I haven’t seen that particular type of spam for a while, though.
More common are “From” lines where the email address and display name don’t match, in a further attempt to obfuscate the origins of spam – the more confusion the better when it comes to trying to trace spam back to its source.
But regardless of why, it does happen often, in a deliberate attempt to mislead and confuse you.
Spam sent to me where my email doesn’t appear at all.
This is the result of being “BCC’ed” or “Blind Carbon Copied” on the email. This is a way to send email to someone (typically in addition to someone else) where the fact that you’re getting a copy is not displayed. In fact, when you receive the email there’s no way to tell who may have been BCC’ed on the email.
Spammers send hundreds of thousands of emails at once, but sometimes rather than sending that many individual emails they’ll send a smaller number, with perhaps 10 or 100 email addresses BCC’ed. It’s a smaller number to send (thus more likely to sidestep attempts to throttle the number of emails that they can send at once), and by BCC’ing it can still look like a “personal” message to only one recipient – albeit someone you’ve never heard of.
Regardless of the technique used, the goal is the same: to fool spam filters so as to end up in your email inbox, and then to entice you to open the email, and act on its contents.
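The four buckets described above can be told apart mechanically by parsing the To and Cc headers and comparing each display name and address against your own. The following is an added example, not code from the original article; the function name, the bucket labels, and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

ME = "email@example.com"          # the mailbox that received the message
MY_NAMES = ["Leo A. Notenboom"]   # display names that legitimately belong to it

def classify_recipient(raw_message, my_address, my_names):
    """Return which of the article's four buckets a received message falls into."""
    msg = message_from_string(raw_message)
    # Every visible recipient as a (display name, address) pair.
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    known = {n.casefold() for n in my_names}
    for name, addr in recipients:
        # Assumption: the mail provider treats addresses case-insensitively.
        if addr.casefold() != my_address.casefold():
            continue
        if not name.strip():
            return "address-only"            # harvested from a page or guessed
        if name.strip().casefold() in known:
            return "name-and-address-match"  # name and address obtained together
        return "display-name-mismatch"       # someone else's name on your address
    # Delivered to this mailbox but not listed in any visible header: BCC.
    return "not-in-headers"

# Constructed sample messages, one per bucket (headers, blank line, body).
SAMPLES = {
    "name-and-address-match":
        "To: Leo A. Notenboom <email@example.com>\nSubject: a\n\nbody\n",
    "address-only":
        "To: email@example.com\nSubject: b\n\nbody\n",
    "display-name-mismatch":
        "To: Groucho Marx <email@example.com>\nSubject: c\n\nbody\n",
    "not-in-headers":
        "To: Someone Else <other@example.net>\nSubject: d\n\nbody\n",
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        print(expected, "->", classify_recipient(raw, ME, MY_NAMES))
```

A mail filter or triage script can use the returned label as one signal among others; "display-name-mismatch" and "not-in-headers" also occur in legitimate mail, such as mailing lists and honest BCCs.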