E-mail address security: Day 3
This week, I’m going to cover the most important things that you can do to prevent spammers from finding the valid e-mail addresses at your organization, a practice also known as e-mail address harvesting. Preferably, these measures will be implemented at the same time that your organization gets on the Internet and starts using e-mail, which gives the best chance of actually stopping your organization from ever having a spam problem. However, it’s never too late to start, in order to prevent your spam problem from getting worse.
Active e-mail address harvesting methods used by spammers
Although many anti-spam organizations don’t have spies in spam organizations, there is anecdotal evidence that shows some of the methods that spammers use to gather e-mail addresses for their mailings.
I’m going to talk about the methods that spammers use in chronological order, following the life of an e-mail address.
When you register a domain name, the part of your e-mail address after the commercial at symbol (@), spammers are watching. Spammers are known to keep track of new domain name registrations and look in the whois database, where public information for domain name registrants is stored, for any e-mail addresses that may be in the database. You can expect any e-mail address used when registering a new domain name to quickly start getting spam.
Spammers are also known to quickly visit the web site for any new domain names, looking for any e-mail addresses published on the site either in plain text, mailto anchor tags, or hidden form fields on contact forms. Spammers also periodically spider existing web sites, much like the popular search engines, looking for e-mail addresses in the same way that they do for new web sites.
Once your e-mail address starts being given to organizations and individuals, spammers find your e-mail address by infecting computers with viruses which steal any e-mail addresses that may be stored on those computers. These e-mail addresses can also be stolen by hacking into the computers where e-mail addresses are stored or by compromising network security and eavesdropping on network traffic. Spammers can also make lucrative offers to organizations that may be willing to sell customer information, or bribe an employee of the company to leak the information.
Spammers set up their own e-mail trap web sites, and ask you to provide your e-mail address or the e-mail addresses of others to them in exchange for some perceived value, such as entry into a free sweepstakes, the sending of an electronic greeting card, receipt of daily jokes or horoscopes, or even e-mail alerts on registered sex offenders moving into your neighborhood. In theory, this may not be considered spam if there is actually a privacy policy which says that you will be getting e-mail offers, as the offers won’t be unsolicited.
Spammers also try brute force methods, such as using dictionary attacks, against a specific domain name to try to find all of the valid e-mail addresses at that domain. For example, the spammers may try sending an e-mail to adam@example.com, alan@example.com, bob@example.com, and so on and see which e-mail addresses accept e-mail. These attacks can be as sophisticated as trying jdoe@example.com, doej@example.com, j.doe@example.com, and the attacks can be targeted enough to be seeded by lists of employees on your organization’s web site. When searching for valid e-mail addresses in this manner, a blank or otherwise short random e-mail message will be used for testing, so as not to trigger any anti-spam filters that might have actually been triggered by a spam payload.
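The dictionary attack described above leaves a recognizable trace on the receiving mail server: one source is rejected for many different nonexistent recipients in a short time. The following is an added example, not part of the original post, that flags such sources in a mail log. The Postfix-style "User unknown" log format, the `find_harvesters` name, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: Postfix-style rejects for unknown local recipients.
# Adapt this pattern to whatever your own mail server writes.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

# Constructed sample data (documentation IP ranges, made-up timestamps).
_FMT = (
    "Mar  3 02:14:{sec:02d} mx1 postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
    "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
    "User unknown in local recipient table; from=<a@test.invalid> "
    "to=<{rcpt}> proto=ESMTP"
)
# One source walking a name list, as in the paragraph above.
_PROBES = [("203.0.113.5", n)
           for n in ("adam", "alan", "bob", "jdoe", "doej", "j.doe")]
# A legitimate sender retrying a single mistyped address: not a harvester.
_PROBES += [("198.51.100.20", "jsmiht"), ("198.51.100.20", "jsmiht")]
SAMPLE_LOG = "\n".join(
    _FMT.format(sec=i, ip=ip, rcpt=f"{name}@example.com")
    for i, (ip, name) in enumerate(_PROBES)
)


def find_harvesters(log_text, domain, min_unknown=4):
    """Map each source IP to the distinct nonexistent local parts it tried
    at `domain`, keeping only sources with at least `min_unknown` of them."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # accepted mail and unrelated log lines are ignored
        local, _, rcpt_domain = m.group("rcpt").rpartition("@")
        if rcpt_domain.lower() == domain.lower():
            # A set counts distinct guesses, so retries of one typo stay at 1.
            probes[m.group("ip")].add(local.lower())
    return {ip: sorted(names) for ip, names in probes.items()
            if len(names) >= min_unknown}


if __name__ == "__main__":
    for ip, names in find_harvesters(SAMPLE_LOG, "example.com").items():
        print(f"{ip}: {len(names)} unknown recipients tried: {', '.join(names)}")
```

Counting distinct addresses rather than total rejects is what separates a name-list walk from a correspondent who keeps retrying one mistyped address.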
Finally, spammers often sell their e-mail lists to other spammers, trade their lists, or otherwise barter with them. Selling e-mail addresses to other spammers is likely to provide a large percentage of a spammer’s profits. This is unfortunate, because once one spammer gets your e-mail address, it won’t be long before almost every single spammer has it.
Tomorrow’s post is going to be about some countermeasures to use against some of these directory harvesting methods.