27

Spam is everywhere and everyone gets it (especially professors), but I noticed that my personal email does not get much spam. How can I get more?

What are the most common ways of getting spam? Not just by forgetting to unsubscribe from a mailing list, but also how do hackers get access to email addresses?

schroeder
Marcus
  • 11
    @Marcus Assuming hackers and spammers are "similar types of people", when in reality, they couldn't be more different. –  Apr 29 '21 at 13:36
  • 9
    Post your email address as part of the body text of this question. It should get picked up by scrapers as it is a publicly accessible page. – user1270949 Apr 29 '21 at 22:24
  • 5
    @user1270949 the advice should be creating a new email account, not exposing his personal email – bradbury9 Apr 30 '21 at 08:13
  • 22
    Post your email address on 4Chan. This may be more effective than you require. – J... Apr 30 '21 at 12:21
  • 12
    "Forgetting to unsubscribe from a mailing list" is NOT spam. Calling and marking it as spam is an insult to the owners and participants of the mailing list, as it may cause the lists to get blocked from reaching users that WANT the mailing list mail. – Lenne May 01 '21 at 00:00
  • @Lenne OP might have meant the opt-out button you get "spammed" on so many pages when you buy something, post there or register an account. Luckily nowadays it is often opt-in, but it's still something that arguably is just there to trick people to somehow get it wrong - or at least I would expect the number of people ending up on such newsletter lists by accident is about as high as those who clearly want that "service" in most cases. Or OP might not have meant that, in that case: what you said ;) – Frank Hopkins May 01 '21 at 05:47
  • 2
    Hah, one of the few questions where an OP might actually want to include their email. – Nat May 01 '21 at 17:12
  • 2
    Please be very sure you want to do this, as you won't be able to undo it.  I still get quite a bit of spam to an address I haven't used for 17 years… – gidds May 01 '21 at 19:29
  • Maybe I'm being naive rn but what exactly would be the applications/purposes of a spam honeypot? – Hashim Aziz Feb 03 '22 at 01:38

6 Answers

37

Spammers will "scrape" the internet for email addresses and use programs to collect millions of addresses. Or just download them.

If you want your email address to be picked up by spammers, you need to expose your email in multiple different places. The common targets for spammers are social media sites and places like pastebin.

schroeder
  • 3
    So to make an email spam honeypot, I just need to post it in a public place? Are there any precautions the spammer or the honeypot has to take to avoid spam detection? – Marcus Apr 29 '21 at 14:56
  • @Marcus given how cheap it is to send emails I'd suppose none to very little – Hobbamok Apr 30 '21 at 07:50
  • 2
    @Marcus there are lots of ways to detect spam, and lots of ways to avoid being detected. But that's a completely separate topic, and not security-related. – schroeder Apr 30 '21 at 08:16
  • 5
    I seriously doubt if scraping the internet for e-mail addresses is still a thing. I can easily download one of the breach databases with millions and millions of addresses. Why bother with scraping? Very few websites still show e-mail addresses other than generic info@, support@ or sales@ – Jeff Apr 30 '21 at 12:37
  • 4
    @Jeff having run a spam honeypot, I can tell you that scraping is still a thing. My honey addresses were not involved in any breaches, but I did expose them in the right places to get "picked up". – schroeder Apr 30 '21 at 12:46
  • 3
    That's some fine google-fu! – Michael Apr 30 '21 at 20:14
19

Besides the other good answers, I suggest setting up a catch-all email address. You'll find that a lot of spam goes to info@, webmaster@, postmaster@, abuse@ and so on. This typically requires that you register a domain.

Thomas Weller
11

I have been using unique email addresses for each site and service for the past 15 years. So a simple grep lets me calculate how much spam is coming to each address.

While anecdotal and only applicable to my usage patterns, this at least gives some common sources from where email addresses are harvested:

  • 24%: Domain registration WHOIS database
  • 22%: IRC hostname
  • 19%: Various services/websites I've registered to
  • 18%: Addresses listed on personal webpages
  • 9%: Paypal account, visible to e.g. eBay sellers
  • 6%: Git commit address
  • 2%: Addresses on public mailing lists
jpa
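
The per-address tally described in this answer (which also works for the catch-all domain suggested in the previous answer), as an added example that is not part of the original posts. The domain `honeypot.example`, the alias names and the sample messages are constructed assumptions, and it assumes the receiving mail server records the envelope recipient in `Delivered-To` or `X-Original-To`.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

HONEYPOT_DOMAIN = "honeypot.example"  # assumption: a catch-all domain you control

# Constructed sample messages; each alias was exposed in exactly one place.
SAMPLE_MESSAGES = [
    "Delivered-To: whois@honeypot.example\nTo: whois@honeypot.example\nSubject: a\n\n.",
    # Bcc-style delivery: the alias only shows up in Delivered-To.
    "Delivered-To: whois@honeypot.example\nTo: friend@other.example\nSubject: b\n\n.",
    "To: Webmaster <WEBMASTER@Honeypot.Example>\nSubject: c\n\n.",
    "To: git@honeypot.example\nCc: irc@honeypot.example\nSubject: d\n\n.",
    "To: whois@honeypot.example\nSubject: e\n\n.",
    "To: someone@elsewhere.example\nSubject: f\n\n.",  # not ours, ignored
]

def honeypot_aliases(raw_message):
    """Return the set of local parts at HONEYPOT_DOMAIN this message was sent to."""
    msg = message_from_string(raw_message)
    values = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(msg.get_all(header, []))
    aliases = set()
    for _name, addr in getaddresses(values):
        local, _, domain = addr.rpartition("@")
        if local and domain.lower() == HONEYPOT_DOMAIN:
            aliases.add(local.lower())  # a set, so To + Delivered-To count once
    return aliases

def tally(messages):
    """Count messages per alias."""
    counts = Counter()
    for raw in messages:
        counts.update(honeypot_aliases(raw))
    return counts

def report(counts):
    """Return (alias, count, percent) rows, most-hit alias first."""
    total = sum(counts.values())
    return [(a, n, round(100 * n / total)) for a, n in counts.most_common()]

if __name__ == "__main__":
    for alias, n, pct in report(tally(SAMPLE_MESSAGES)):
        print(f"{pct:3d}%  {n:4d}  {alias}@{HONEYPOT_DOMAIN}")
```

Because each alias is published in only one place, the alias with the highest count points at the most heavily harvested source.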
7

There are as many ways of harvesting emails for malicious use as there are villains on the internet.

IMPORTANT: most of these methods are outright illegal in most jurisdictions; and some will put you in contact with dangerous people. All of these involve risk, including financial risk, risk of jail or other legal consequences, and/or risk of personal violence. I DO NOT CONDONE OR RECOMMEND PERFORMING ANY OF THESE ACTIVITIES.

Email addresses are easy for a program to recognize, as they all follow a standardized format. So web site scraping becomes an easy way, assuming you can find a site listing a bunch of email addresses. Fortunately for all of us, such irresponsible sites are becoming fewer and fewer.

Chain letters used to be a good source of spam: "send this email to 23 of your closest friends and angels will bring you spaghetti and beer, and be sure to include evilspammer@example.com" will result in lots of valid email addresses on the To: and Cc: lines. Chain letters are especially valuable because the recipients are already 'real' addresses, and the people who re-send them are often the kind of people that are taken in by trickery.

Some people post their chain letters on Facebook, Google Groups, Reddit, or other public places, where scammers greedily scoop them up. However, I believe that practice has dwindled as of late, because there are easier sources of addresses to harvest.

If you are criminally inclined, and if you have the right connections, and you can get an introduction from the wrong kind of person, you can find all kinds of malicious resources on the dark web:

  • Email addresses are available in bulk; these are often available as tested addresses, guaranteed not to bounce. The sellers even use customer service agents to honor their guarantees, and for every address that bounces they will send you a different address as a replacement.
  • You can hire "spam as a service", where a criminal who keeps his own list of email addresses will send your message out using his resources, such as a bulletproof hosting server, or botnet, or other system. These might be a fixed rate, such as $1.00 per thousand spams; or they might agree to take a cut of the profits, such as 50% of each bottle of pills (or whatever) sold. They enforce this by including their own referral links in the spam message.
  • You might decide to bypass the spamming stage entirely. On the dark web you can purchase credentials to access already compromised systems. Why send out your own phish when someone else has already done the hard work for you?

But if you simply want large volumes of email addresses, breaching a site yourself may be the cheapest path to take. There are many, many ways sites are vulnerable and can be breached, but the most common of them all is an attack called "SQL injection". The nice thing about SQL injection attacks is that they result in some kind of access to the database behind the site; and those databases often hold customer email addresses. If you find a way to exfiltrate the email addresses from the server, you'll have plenty of spam victims.

The latest 500m Facebook breach was another way to acquire lots of emails: abuse the API of a service that holds email addresses. The Facebook attack was demonstrated by a researcher who made up a random 10-digit phone number, asked Facebook to find his friend with that number, and then repeated it for every other 10-digit number. Facebook happily connected his account to every other account that had a phone number, providing him with their email addresses.

John Deters
  • 26
    From a comment on my answer: the OP is looking to receive more spam, so the question is not how to gather emails, but how to get on spammer's radar. – schroeder Apr 29 '21 at 15:36
  • 2
    "but also how do hackers get access to email addresses?" was the last line of his question. I took his question to mean "what are the things I might be doing that are exposing me to extra spam?" with the implication that by knowing how addresses are harvested he will learn tactics and practices to avoid giving up his own address. – John Deters Apr 29 '21 at 15:40
  • I know, that's why I wanted to point you to the real motivation behind the question. – schroeder Apr 29 '21 at 15:41
  • 1
    @schroeder, I see now from his reply that he is looking to set up a honeypot. Yes, that's slightly different, but I still answered what was asked. – John Deters Apr 29 '21 at 15:42
  • 10
    This is a fairly thorough answer to the wrong question. – shoover Apr 30 '21 at 20:18
5

I worked in the past on anti-spam solutions, and the process that we used was to access the deep web with Tor and subscribe to nasty places and to forums all over the place.

camp0
3

Another way for hackers to get your email is if they compromised a website you are registered on, downloaded the database and just separated the email and username columns. This is how they may know your name and email: in some phishing campaigns you can see they may know your real name and your private email address. Another way is just to buy it off someone who is selling it.

mrSotirow
  • So what do you suggest OP should do in their situation? Tell some black-hats how to compromise a website they registered on? Or try to find someone to sell their own email address to? The content of this answer is not wrong, but it doesn't provide any actionable advice for the question author. – Philipp Apr 30 '21 at 14:27
  • Along @Philipp's comment: a natural extension of the answer would be: register accounts with your honeypot mail address on as many pages as possible. With a little luck that ties in with camp0's answer and you hit a page that doesn't need to be broken, because it itself has collecting mail addresses as a primary purpose^^ – Frank Hopkins May 01 '21 at 05:49