How did the spammers get my e-mail address? - it depends!
Harvesting of publicly viewable Web pages (or Newsgroups/Forums)
If you have your e-mail address displayed in 'plain text' on any web site
it will already have been harvested. In simple terms there are hundreds
(if not thousands!) of robots on PCs which spend 24 hours a day, 7 days a
week reading every page on the Web in search of anything which 'looks like'
an e-mail address.
In this decade (2000-9) this is by far the most prolific method
of acquisition, so it is usually the first thing to check and correct.
You can try typing THE FIRST PART OF your e-mail ADDRESS
(up to but excluding the '@' sign) into Google.
There is a very remote possibility that typing in your
whole e-mail address would itself be a security exposure, see:
Search for JohnSmith13 and you will see the search phrase in your
browser address bar - just choose a likely site!
As another example of how easy it is to find addresses take a look at this search:
"smith@btinternet.com"
Hiding e-mail addresses is not difficult for a technical person with
appropriate skills and we offer a tool to allow a wide range of customers
to make the change in a safe, secure and disabilities-compliant way.
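To check one of your own pages for exposed addresses, the following added example (not part of the original page and not the tool mentioned above) lists every address a page-reading robot would find. The sample page and its example.com addresses are constructed.

```python
import re
from html.parser import HTMLParser

# Deliberately simple pattern: enough to flag anything that 'looks like' an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

class ExposureAudit(HTMLParser):
    """Collect the addresses readable from one HTML document."""

    def __init__(self):
        # convert_charrefs=True decodes &#64; style entities before we see the text,
        # exactly as any HTML-aware robot would.
        super().__init__(convert_charrefs=True)
        self.findings = []  # (address, where found)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                target = value[7:].split("?", 1)[0]  # drop ?subject=... etc.
                for addr in EMAIL_RE.findall(target):
                    self.findings.append((addr.lower(), "mailto link"))

    def handle_data(self, data):
        for addr in EMAIL_RE.findall(data):
            self.findings.append((addr.lower(), "visible text"))

def audit_page(html_text):
    """Return a sorted, de-duplicated list of (address, where) findings."""
    parser = ExposureAudit()
    parser.feed(html_text)
    parser.close()
    return sorted(set(parser.findings))

# Constructed sample page for illustration only.
SAMPLE = """<html><body>
<p>Contact: sales@example.com</p>
<p>Encoded: john&#64;example&#46;com</p>
<a href="mailto:Info@Example.com?subject=Hi">Write to us</a>
</body></html>"""

if __name__ == "__main__":
    for addr, where in audit_page(SAMPLE):
        print(f"{addr:25} {where}")
```

The entity-encoded address is reported just like the plain one, so character entities on their own do not hide an address from a robot that parses HTML.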
Extracting addresses from the Address Book (or e-mail text!) of your friends
If you are not familiar with Trojan Horse Robots which infect your
PC then please read:
Article in the Guardian
This is a more serious threat for the majority of personal users of the
Web because (1) it is growing virally by nature, (2) you can be 'caught'
without having anything to do with Web sites or their content and
(3) it doesn't matter how careful YOU are in protecting your OWN PC
because the problem is most usually on a friend's PC.
We provide a free service to all customers which allows us to register
each of their PCs for our Trojan tracking service. Activation is by a
simple e-mail that they will be sent.
It isn't guaranteed to trap all Trojans but it consumes no customer resources
and registration is free. Obviously I am not going to explain the
details of what this tool does and how it works on this public web site.
Web sites wanting you to register with (or at least divulge) an e-mail address
The vast majority of these sites are well-intentioned and make SOME attempt
to keep your e-mail addresses secure but there are many ways in which your
address can then get compromised:
- Employees often have access to large numbers of e-mail addresses
and can make a lot of money by selling them!
- Less than adequately competent I.T. staff or their management /
organisation when targeted by a determined hacker
Bear in mind that SOME sites will deliberately use your e-mail for Spam so
do not give an e-mail address whenever you are in any doubt.
Hopefully it goes without saying that you should never divulge the e-mail
address of anyone you know unless the owner has given you explicit permission.
Having said that it is an obvious tool in the hands of anyone who has a reason
to cause frustration and pain to the recipient.
Directory and algorithmic guessing
98% of providers of Internet access will offer a 'free' e-mail Service
(hence the acronym ISP) and it was normally the case that the
account name would also be your e-mail address and *their*
domain would be part of YOUR address.
Using an ISP for e-mail services has the problem that it is
a large and lucrative source of e-mail addresses. If JohnSmith93 is a valid
account name then it is almost certainly a valid e-mail address and worse
still - there is a high probability that the same name with the numbers 1-92
will also be a valid account and therefore address.
An interesting twist is that having compromised a large number of
addresses the Spammers have a list of user names that they can try
at other domains and/or ISPs.
Do you use the same user name at your bank as well as eBay or Amazon?!
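Seen from the receiving mail server, this kind of guessing shows up as one client being refused for many 'name + number' recipients in a row. The following added example (not part of the original page) flags that pattern; the log line format, addresses and threshold are constructed for illustration and would need adapting to a real server's log.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <event> client=<ip> to=<local@domain>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>rcpt-ok|rcpt-reject) "
    r"client=(?P<client>\S+) to=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>$"
)
# Split an account name such as 'johnsmith93' into stem 'johnsmith' and number 93.
STEM_RE = re.compile(r"^(?P<stem>.*?[A-Za-z])(?P<num>\d+)$")

def find_guessing(lines, min_variants=5):
    """Return {client: {stem: sorted numbers}} for clients that had at least
    min_variants distinct 'stem + number' recipients rejected."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "rcpt-reject":
            continue
        s = STEM_RE.match(m["local"].lower())
        if s:
            seen[m["client"]][s["stem"]].add(int(s["num"]))
    flagged = {}
    for client, stems in seen.items():
        hits = {st: sorted(n) for st, n in stems.items() if len(n) >= min_variants}
        if hits:
            flagged[client] = hits
    return flagged

# Constructed sample: one client walking johnsmith1..8, one making ordinary typos.
SAMPLE_LOG = [
    f"2006-11-03T10:00:{i:02d} rcpt-reject client=203.0.113.7 to=<johnsmith{i}@example.net>"
    for i in range(1, 9)
] + [
    "2006-11-03T10:00:09 rcpt-ok client=203.0.113.7 to=<johnsmith93@example.net>",
    "2006-11-03T10:01:00 rcpt-reject client=198.51.100.4 to=<jon.smyth@example.net>",
    "2006-11-03T10:02:00 rcpt-reject client=198.51.100.4 to=<sales2@example.net>",
]

if __name__ == "__main__":
    for client, stems in find_guessing(SAMPLE_LOG).items():
        for stem, nums in stems.items():
            print(f"{client} probed '{stem}' with numbers {nums}")
```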
Malicious Web sites - worms, beacons, anonymous FTP et al.
Microsoft Internet Explorer
One critical exposure that has caused more devastation than most is
the exploitation of Microsoft Internet Explorer's Active-X.
MS have effectively acknowledged this 5+ year flaw by changing the default
setting of this feature in the latest version of MS IE (v7 as of Nov'06).
Any web site can create malicious tools which can exploit this flaw
and run their programs on your PC, accessing whatever data is on it!
- IF you let them!
Another exposure is the default setting for FTP (File Transfer Protocol)
which can send your e-mail address to a web site that requires an
anonymous login.
Beacons or Web bugs - confirming your e-mail to hackers
Another item in the hacker's toolkit is the Beacon, which allows an
e-mail to confirm that it has been received and read by sending a 'call home'
request to the hackers with a code identifying that it is your e-mail
address which has resulted in an item being read!
Is that enough to stop you being curious about Spam???
Bear in mind that these beacons are activated even when an e-mail
is simply previewed, not just opened!
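To see what such a 'call home' looks like inside a message, the following added example (not part of the original page) lists the images in an HTML e-mail body that would contact a remote server when the mail is displayed. The sample message, host names and the 'id' parameter are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class RemoteImageFinder(HTMLParser):
    """Record <img> tags that make the mail client fetch from a remote server."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        self.images.append({
            "host": url.hostname,
            "params": dict(parse_qsl(url.query)),  # may hold a per-recipient code
            "invisible": tiny or hidden,
        })

def find_beacons(html_body):
    """Return remote images that are invisible or carry query-string data."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    finder.close()
    return [i for i in finder.images if i["invisible"] or i["params"]]

# Constructed sample message body for illustration only.
SAMPLE_MAIL = """<html><body>
<p>Special offer inside!</p>
<img src="cid:logo123" width="200" height="50">
<img src="https://images.example.org/banner.png" width="600" height="120">
<img src="http://track.example.net/o.gif?id=a1b2c3" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_MAIL):
        print(hit["host"], hit["params"], "invisible" if hit["invisible"] else "visible")
```

Any remote image fetch tells the sending server that the message was displayed, so setting the mail client not to load remote images covers the visible banner as well as the hidden pixel.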
Purchasing e-mail addresses - a CD for less than 50 dollars - 50 MILLION+!
Bear in mind that the criminal community who want to exploit e-mail
addresses may simply leave it up to many other communities of people to
do their 'dirty work' collecting addresses.
There may well be thousands of relatively innocent people who simply
see this as a way of earning a few dollars to pay for their upkeep at college
or even food when that is scarce.
The quality of the e-mail addresses available on a CD will be very poor but
will still cause significant disruption to tens of thousands of people as well
as the economic and technical effects on the infrastructure of the Internet.
Is there a solution to the (Spam/e-mail) problem - short and long term?
We believe that we have one of the best solutions in the marketplace but
do not want to market it TOO widely because that would attract the attention
of the hackers who are often extremely bright and they have an army of
(virtual! - YOUR PCs!) resources to target our facilities.
Again it is inappropriate to go into the details of our solution on a
public web site but a 'phone call from anyone whose identity I can verify
in some way will always be welcome.
In the short term there will always be significant pain as the
existing e-mail addresses which are attracting Spam will need to be kept active
while you as a customer migrate your contacts to use your new e-mail address.
There have been many users of a variety of the techniques that we use
over many years. What we have done is to pull together several techniques
into a single architecture and design and then to add the automated
management of activities that are needed by non-technical users of it.