How Spam Works

How Spammers Get Addresses

As it turns out, there are hundreds of companies that will sell you CDs filled with millions of valid e-mail addresses. With Microsoft Word you could easily format those addresses into lines of 100 addresses each, and then cut and paste those lines into the "To:" field of any normal e-mail program. Every time you push the "Send" button, which would be about once every 5 seconds, you would make $10. You would be making something like $700 per hour.

This is the problem with spam. It is incredibly easy for you to send it. It costs you practically nothing to send it. And even with a response rate as low as one sale out of 10,000 e-mails, it can be quite lucrative for you to send it. Therefore, if you don't mind the fact that you are creating e-mail pollution for millions of people, you might decide to send e-mail messages about your grandmother's muffins all day long.

Where does a company get millions of valid e-mail addresses to put on a CD and sell to you? There are a number of primary sources.

The first is newsgroups and chat rooms, especially on big sites like AOL. People (especially first-time users) often use their screen names, or leave their actual e-mail addresses, in newsgroups. Spammers use pieces of software to extract the screen names and e-mail addresses automatically.

The second source for e-mail addresses is the Web itself. There are tens of millions of Web sites, and spammers can create search engines that spider the Web specifically looking for the telltale "@" sign that indicates an e-mail address. The programs that do the spidering are often called spambots.

The third source is sites created specifically to attract e-mail addresses. For example, a spammer creates a site that says, "Win $1 million!!! Just type your e-mail address here!" In the past, lots of large sites also sold the e-mail addresses of their members. Or the sites created "opt-in" e-mail lists by asking, "Would you like to receive e-mail newsletters from our partners?" If you answered yes, your address was then sold to a spammer.

Probably the most common source of e-mail addresses, however, is a "dictionary" search of the e-mail servers of large e-mail hosting companies like MSN, AOL or Hotmail. In the article Hotmail: A Spammer's Paradise?, the author describes the process:

A dictionary attack utilizes software that opens a connection to the target mail server and then rapidly submits millions of random e-mail addresses. Many of these addresses have slight variations, such as "" and "" The software then records which addresses are "live," and adds those addresses to the spammer's list. These lists are typically resold to many other spammers.

E-mail addresses generally are not private (just like your phone number is not private if it is listed in the phone book). Once a spammer gets a hold of your e-mail address and starts sharing it with other spammers, you are likely to get a lot of spam.