Spammers do everything they can to get their garbage in front of you, and that means using and abusing every tool at their disposal.
One of those tools is something that’s available to you and me when we send messages as well.
You were BCC’ed on the spam.
“BCC” stands for Blind Carbon Copy1 and it’s a technique to send someone an email without their email address appearing on the message.
Typically, email programs have, in addition to the To: and Cc: fields, a Bcc: field that can be filled in as well. Here’s an example in Thunderbird:
You can see that Thunderbird allows you to specify Bcc: as one of the addressing options.
- To: is one or more direct recipients for the message.
- Cc: is one or more recipients who also get the message. While the message is not directed at them, they also receive it. Often, people use this as an FYI to others to see the message. Any Cc: recipients are displayed in the message on the Cc: line.
- Bcc: is one or more recipients who also get the message. This is exactly like Cc: except that the list of people receiving the message via Bcc is not included in the message when it is sent. Upon receipt, there’s no way to tell who, how many, or even if any Bcc: addresses were used when the message was sent.
Because this comes up time and time again, let me be clear:
Spammers use this technique to send one message to perhaps hundreds of people at a time because actually listing all of those addresses as Cc: or To: makes the message more likely to be flagged as spam. Because there’s no way to tell when you get the message that Bcc: was used, the fact that hundreds of others might be getting the same message can’t factor in to figuring out whether or not it’s spam.
And those hundreds of messages might well be what’s called a dictionary attack, meaning that they just try variations on email names with the hope that one or more will actually reach a real person. For example, they might try “leo@”, “leoa@”, “leob@”, and so on, on any of my domains. Some might work, some might not, but there’s no added cost to the spammer to try ’em all. Most might well be hidden in the Bcc: that you can’t see.
Ultimately, there’s nothing you can really do specifically about this situation. Flag it as spam, if your email program supports that, and other factors and characteristics of the message will likely be added to the database of what looks like spam to you. Maybe the next one will get flagged automatically.