
How Spam Works


How Spammers Get Addresses

As it turns out, there are hundreds of companies that will sell you CDs filled with millions of valid e-mail addresses. With Microsoft Word you could easily format those addresses into lines of 100 addresses each, and then cut and paste those lines into the "To:" field of any normal e-mail program. Every time you push the "Send" button, which would be about once every 5 seconds, you would make $10. You would be making something like $700 per hour.

This is the problem with spam. It is incredibly easy for you to send it. It costs you practically nothing to send it. And even with a response rate as low as one sale out of 10,000 e-mails, it can be quite lucrative for you to send it. Therefore, if you don't mind the fact that you are creating e-mail pollution for millions of people, you might decide to send e-mail messages about your grandmother's muffins all day long.

Where does a company get millions of valid e-mail addresses to put on a CD and sell to you? There are a number of primary sources.

The first is newsgroups and chat rooms, especially on big sites like AOL. People (especially first-time users) often use their screen names, or leave their actual e-mail addresses, in newsgroups. Spammers use pieces of software to extract the screen names and e-mail addresses automatically.

The second source for e-mail addresses is the Web itself. There are tens of millions of Web sites, and spammers can create search engines that spider the Web specifically looking for the telltale "@" sign that indicates an e-mail address. The programs that do the spidering are often called spambots.

The third source is sites created specifically to attract e-mail addresses. For example, a spammer creates a site that says, "Win $1 million!!! Just type your e-mail address here!" In the past, lots of large sites also sold the e-mail addresses of their members. Or the sites created "opt-in" e-mail lists by asking, "Would you like to receive e-mail newsletters from our partners?" If you answered yes, your address was then sold to a spammer.

Probably the most common source of e-mail addresses, however, is a "dictionary" search of the e-mail servers of large e-mail hosting companies like MSN, AOL or Hotmail. In the article "Hotmail: A Spammer's Paradise?", the author describes the process:

A dictionary attack utilizes software that opens a connection to the target mail server and then rapidly submits millions of random e-mail addresses. Many of these addresses have slight variations, such as "jdoe1abc@hotmail.com" and "jdoe2def@hotmail.com." The software then records which addresses are "live," and adds those addresses to the spammer's list. These lists are typically resold to many other spammers.
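From the mail server's side, the dictionary search described above shows up as one client guessing many distinct recipients in a short time, with most guesses rejected. The following is an added example, not part of this article or the quoted one: a detector run over a constructed log whose line format, addresses, IPs and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not any real server's):
#   <ISO timestamp> <client IP> RCPT <address> <SMTP reply code>
# 250 = recipient accepted, 550 = no such mailbox. Lines are in time order.
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 RCPT alice@example.com 250
2024-05-01T10:00:01 203.0.113.9 RCPT jdoe1abc@example.com 550
2024-05-01T10:00:02 203.0.113.9 RCPT jdoe2def@example.com 550
2024-05-01T10:00:03 203.0.113.9 RCPT jdoe3ghi@example.com 550
2024-05-01T10:00:04 203.0.113.9 RCPT jdoe@example.com 250
2024-05-01T10:00:05 203.0.113.9 RCPT jdoe4jkl@example.com 550
2024-05-01T10:00:06 203.0.113.9 RCPT jdoe5mno@example.com 550
2024-05-01T10:00:07 203.0.113.9 RCPT jdoe6pqr@example.com 550
2024-05-01T10:05:00 198.51.100.7 RCPT bob@example.com 250
2024-05-01T10:06:00 198.51.100.7 RCPT bbo@example.com 550
2024-05-01T11:00:00 192.0.2.44 RCPT old1@example.com 550
2024-05-01T12:00:00 192.0.2.44 RCPT old2@example.com 550
2024-05-01T13:00:00 192.0.2.44 RCPT old3@example.com 550
2024-05-01T14:00:00 192.0.2.44 RCPT old4@example.com 550
2024-05-01T15:00:00 192.0.2.44 RCPT old5@example.com 550
"""

def find_harvesters(log_text, window=timedelta(seconds=60),
                    min_rejects=5, min_ratio=0.8):
    """Map each flagged client IP to the live addresses it confirmed."""
    recent = defaultdict(deque)   # ip -> (ts, addr, code) still inside window
    confirmed = defaultdict(set)  # ip -> addresses the server accepted
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, ip, _verb, addr, code = line.split()
        ts, addr, code = datetime.fromisoformat(ts_raw), addr.lower(), int(code)
        probes = recent[ip]
        probes.append((ts, addr, code))
        while ts - probes[0][0] > window:   # expire probes older than window
            probes.popleft()
        if code == 250:
            confirmed[ip].add(addr)
        tried = {a for _, a, _ in probes}
        unknown = {a for _, a, c in probes if c == 550}
        # Many distinct unknown recipients, and mostly misses: a guessing run.
        if len(unknown) >= min_rejects and len(unknown) / len(tried) >= min_ratio:
            flagged.add(ip)
    return {ip: sorted(confirmed[ip]) for ip in flagged}
```

The addresses returned for a flagged client are the mailboxes it learned are "live", which are the ones likely to end up on a resold list.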

E-mail addresses generally are not private (just like your phone number is not private if it is listed in the phone book). Once a spammer gets a hold of your e-mail address and starts sharing it with other spammers, you are likely to get a lot of spam.