All the Perl that's Practical to Extract and Report

Journal of wickline (135)

Tuesday September 17, 2002
01:02 PM

How to get spam without even trying.

[ #7781 ]

Sometimes folks ask why I don't want to be forwarded jokes unless I'm on BCC. ...or they ask why I use such funny email addresses. I end up explaining this frequently, so I thought I would put it in the journal.

This was prompted by Matt's observation that many hotmail users complain about getting spam even though they never give out their email address.

If you truly never give the email addie out (i.e., never use the account to send mail or give it to anyone any other way), then you probably won't get spam unless your username can be guessed. (Brute force username guesses against SMTP hosts are on the rise.)

However, if you phone your girlfriend and give her the address the day it was assigned to you, then you might never log in to the account at all and find out when you do so for the first time a year later that it is full of spam.

Suppose your girlfriend sent you only one message once she had your address.

She sent this hilarious story about a kitten which she knew you would appreciate. She also included her co-worker in the recipient list.

That co-worker had a great laugh, and forwarded it to five friends who like to share 'funny stuff' via email. One of those friends is on a mailing list where folks exchange 'funny stuff'. That friend forwards the message to the list.

Now, if these folks all just hit the forward button, then all of the original recipients' addresses are included in this post to the mailing list.

That list may have an address harvester subscribed.

That list may be accessible via NNTP where harvesters lurk in abundance.

That list may be archived on the web, where harvesters are probably more common than on usenet these days.

Subscribers to the list may re-forward, further increasing chances of exposure.

It is possible that by telling your girlfriend your email address, you allowed that address to be exposed to spammers. ...and once exposed, it's probably doomed. Spammers are an incestuous lot who constantly buy one another's lists, combine them and try to sell the new larger list for more money. I'm sure you've had plenty of spam trying to sell you email addresses, right? Once you get on one list, you have decent odds of being on oodles of lists.

If you use an address, it may get spam through no fault of your own. You can try to educate folks to use BCC when sending that kind of content (and don't send it yourself). ...but the problem is that you just don't have control.

The only certain solution is to never use or advertise your email address.

A decent second-best is to use an infinite number of addresses. Try to use addresses specific to each contact/occasion/date/etc so that if the address ever gets spam, you can route it to the big bit bucket.

An interesting example: I once sent mail to Simon Cozens which he forwarded to a perl list. That address started getting spam, and in addition related addresses started getting spam, revealing a bug in some common spam address-processing software I suppose:

This series came from part of a Message-ID header:


None of the above addresses will get to me... they all get auto-trashed because they've been tainted and now receive spam. I could claim that I never used that simon_cozens address but the truth is that I did use it. One time. Now it gets spam. (and so do some related addresses!)

When hotmail users say they never give out their address, I bet that they've at least used it once.
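
One way to implement the per-contact addresses and the auto-trashing described above, as an added example that is not the author's own setup: each issued address carries a keyed tag, so a leaked address can be retired and "related" addresses that were never issued fail validation. The domain, key, labels and function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: private key known only to the mail filter
DOMAIN = "example.org"            # assumption: a domain whose catch-all mail you control
TAINTED = set()                   # labels retired after they started receiving spam


def tag_for(label: str) -> str:
    """Short keyed tag; software that mutates the label cannot recompute it."""
    mac = hmac.new(SECRET, label.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def issue(label: str) -> str:
    """Mint the address handed to exactly one contact or occasion."""
    label = label.lower()
    return f"{label}.{tag_for(label)}@{DOMAIN}"


def split_local(rcpt: str):
    """Split 'label.tag@domain' into (label, tag, domain); parts may be empty."""
    local, _, domain = rcpt.lower().rpartition("@")
    label, _, tag = local.rpartition(".")
    return label, tag, domain


def route(rcpt: str) -> str:
    """Return 'inbox' or 'trash' for an envelope recipient."""
    label, tag, domain = split_local(rcpt)
    if domain != DOMAIN or not label:
        return "trash"            # wrong domain, or a bare guessed username
    if not hmac.compare_digest(tag.encode(), tag_for(label).encode()):
        return "trash"            # never issued: guessed or machine-derived variant
    if label in TAINTED:
        return "trash"            # issued once, leaked, now retired
    return "inbox"


def retire(rcpt: str) -> None:
    """Mark an issued address as tainted once it receives spam."""
    label, _, _ = split_local(rcpt)
    TAINTED.add(label)
```

Retiring one label affects only the contact it was given to, and the label itself shows which contact's mail was the path of exposure.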


  • I wrote:
    > The only certain solution is to never
    > use or advertise your email address.

    That's not true. That's not a certain solution. It still
    leaves you vulnerable to dictionary attacks, accidents
    (someone typing a 'bogus' address which just happens to
    be your address), and history-based problems (previous
    address holder got spam or something).

    The only certain solution is to never have an email address.