There are a variety of methods spammers use to find email addresses. The most common method is harvesting the addresses from the newsgroups or webpages. There are a variety of programs out there that will sift through the newsfeed or crawl around the web and look for all instances of text with the format <blah>@<blah>. When the program spots text of this format, it saves it to a database. So if you're posting to the newsgroups under your real email address or if you've got a "mailto" link on your website, it's possible (and probable, if you're posting to Usenet) that a harvest-bot will grab your address and add it to some spammer's database somewhere.
In other cases, spammers have databases of real names and common words that they use, assuming that people will pick those names and words for their email address. If you pick the email address of, for example, sarah@erols.com, I can guarantee you that you will get spam almost immediately, even if you've never done anything at all on the Internet.
Other methods of obtaining email addresses include, but are not limited to:
- Web-based surveys
- Web-based order forms
- Sifting through mailing list addresses
- Checking your "email address" field on IRC
You should also note that many otherwise legitimate companies will assume that if you give them your email address for any reason (e.g. ordering a product on line, having them search for a particular product, etc.), you're giving them permission to send ads to that address.
Recently, we've also seen "phone book" attacks, where the spammer will send email like so:
smith@erols.com
smitha@erols.com
smithb@erols.com
.
.
.
smithz@erols.com
smith0@erols.com
smith1@erols.com
.
.
.
smith99@erols.com
Then they'll start over with the letters and numbers in front of "smith". Then they'll replace "smith" with all the other common last names and first names in the phone book. This is the reason that many folks who have never received spam before are getting spam now.
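Seen from the receiving mail server, a phone book attack is one client trying many recipients built on the same base name. The following is an added example, not part of the original page, that flags that pattern; the log format, sample lines, function names and the threshold of five are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up log format (not any real mail server's):
#   <client_ip> RCPT <address> <smtp_reply_code>
SAMPLE_LOG = [
    "203.0.113.7 RCPT smith@example.com 250",
    "203.0.113.7 RCPT smitha@example.com 550",
    "203.0.113.7 RCPT smithb@example.com 550",
    "203.0.113.7 RCPT smithz@example.com 550",
    "203.0.113.7 RCPT smith0@example.com 550",
    "203.0.113.7 RCPT smith99@example.com 550",
    "203.0.113.7 RCPT asmith@example.com 550",
    "198.51.100.4 RCPT sarah@example.com 250",
    "198.51.100.4 RCPT sara@example.com 550",
]

LINE = re.compile(r"^(\S+) RCPT ([^@\s]+)@\S+ \d{3}$")
SUFFIXED = re.compile(r"^(.+?)(?:[a-z]|\d{1,2})$")  # smitha, smith0, smith99
PREFIXED = re.compile(r"^(?:[a-z]|\d{1,2})(.+)$")   # asmith, 7smith

def stems(local):
    """Base names that `local` could be a one-letter or 1-2 digit variant of."""
    found = {local}
    for pattern in (SUFFIXED, PREFIXED):
        m = pattern.match(local)
        if m and len(m.group(1)) >= 3:  # ignore stems too short to mean much
            found.add(m.group(1))
    return found

def detect_phonebook_attack(lines, min_variants=5):
    """Return sorted (client_ip, stem, distinct_recipients) for suspect clients."""
    tried = defaultdict(lambda: defaultdict(set))  # ip -> stem -> local parts
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a RCPT record
        ip, local = m.group(1), m.group(2).lower()
        # Count every attempt, accepted or rejected: both belong to the sweep.
        for stem in stems(local):
            tried[ip][stem].add(local)
    return sorted(
        (ip, stem, len(variants))
        for ip, by_stem in tried.items()
        for stem, variants in by_stem.items()
        if len(variants) >= min_variants
    )

if __name__ == "__main__":
    for ip, stem, count in detect_phonebook_attack(SAMPLE_LOG):
        print(f"{ip}: {count} recipient guesses built on '{stem}'")
```

The second client in the sample tries only two similar names and stays under the threshold, which is the kind of ordinary typo traffic the check should not flag.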