ALICE IN WONDERLAND
MAD COW DISEASE
BLUE MAN GROUP
LI'L RED HEN
NET MEDIA TUNER
HA HA LOUNGE
And now some information about SPAM.......
There are many ways in which spammers can get your email
address. The ones I know of are :
1. From posts to UseNet with your email address.
Spammers regularly scan UseNet for email addresses, using ready-made
programs designed to do so. Some programs just look at article headers
which contain email addresses (From:, Reply-To:, etc.), while other
programs check the articles' bodies, starting with programs that look at
signatures, through programs that take everything that contains a '@'
character and attempt to demunge munged email addresses.
There have been reports of spammers
demunging email addresses on occasions,
ranging from demunging a single address for purposes of revenge spamming to automatic methods
that try to unmunge email addresses that
were munged in some common ways.
As people who were spammed frequently report that spam frequency to their
mailbox dropped sharply after a period in which they did not post to
UseNet, as well as evidence to spammers' chase after 'fresh' and 'live'
addresses, this technique seems to be the primary source of email addresses for
2. From mailing lists.
Spammers regularly attempt to get the
lists of subscribers to mailing lists [some
mail servers will give those upon request], knowing that the email addresses are unmunged and that only a few
of the addresses are invalid.
A different technique used by spammers is to request a mailing list
server to give them the list of all mailing lists it carries (an option
implemented by some mailing list servers for the convenience of
legitimate users), and then send the spam to the mailing list's address,
leaving the server to do the hard work of forwarding a copy to each subscribed
[I know spammers use this trick from bad experience - some spammer used
this trick on the list server of the company for which I work, easily
covering most of the employees, including employees working well under a
month and whose email addresses would be hard to find in other ways.]
3. From web pages.
Spammers have programs which spider through
web pages, looking for email addresses,
e.g. email addresses contained in mailto: HTML tags [those you can click on and get a mail
Some spammers even target their mail based
on web pages.
I've discovered a web page of mine appeared
in Yahoo as some spammer harvested email
addresses from each new page appearing in Yahoo and sent me a spam regarding that web page.
4. From various web and paper forms.
Some sites request various details via forms, e.g. guest books &
registration forms. Spammers can get email addresses from those either
because the form becomes available on the world wide web, or because the
site sells / gives the email list to others.
Some companies would sell / give email
lists filled in on paper forms, e.g.
organizers of conventions would make a list of participants' email addresses, and sell it
when it's no longer needed.
Domain name registration forms are a favorite
as well - addresses are most
usually correct and updated, and people read the emails sent to them expecting important messages.
5. Via an Ident daemon.
Many unix computers run a daemon (a program
which runs in the background,
initiated by the system administrator), intended to allow other computers to identify people
who connect to them.
When a person surfing from such a computer connects to a web site or news
server, the site or server can connect back to the person's computer and
ask that daemon for the person's
Some chat clients on PCs behave similarly,
so using IRC can cause an email address to
be given out to spammers.
6. From a web browser.
Some sites use various tricks to extract a
surfer's email address from the web
browser, sometimes without the surfer noticing it. Those techniques include :
1. Making the browser fetch one of the
page's images through an anonymous FTP
connection to the site.
Some browsers would
give the email address the user has
configured into the browser as the password for the anonymous FTP account. A
surfer not aware of this technique will not notice that the
email address has leaked.
send an email to a chosen email address with
the email address configured into the browser.
Some browsers would
allow email to be sent when the mouse
passes over some part of a page. Unless the browser is properly configured, no
warning will be issued.
3. Using the HTTP FROM header that browsers
send to the server.
Some browsers pass
a header with your email address to every web server you visit.
To check if your browser simply gives your email address to
everybody this way, visit
7. From IRC and chat rooms.
Some IRC clients will give a user's email
address to anyone who cares to ask it. Many
spammers harvest email addresses from IRC, knowing that those are 'live' addresses and send spam to
those email addresses.
This method is used besides the annoying IRC bots that send messages
interactively to IRC and chat rooms without attempting to recognize who
is participating in the first place.
This is another major source of email
addresses for spammers, especially as this
is one of the first public activities newbies join, making it easy for spammers to harvest 'fresh'
addresses of people who might have very
little experience dealing with spam.
AOL chat rooms are the most popular of
those - according to reports there's a
utility that can get the screen names of participants in AOL chat rooms. The utility is reported to
be specialized for AOL due to
two main reasons - AOL makes the list of the actively participating users' screen names available and AOL users
are considered prime targets by spammers
due to the reputation of AOL as being the ISP of choice by newbies.
8. From finger daemons.
Some finger daemons are set to be very
friendly - a finger query asking for
john@host will produce list info including login names for all people named John on that host. A
query for @host will produce a list of all
currently logged-on users.
Spammers use this information to get extensive user lists from hosts, and
lists of active accounts - ones which are 'live' and will read their
mail soon enough to be really attractive spam targets.
9. AOL profiles.
Spammers harvest AOL names from user profile lists, as it allows them to
'target' their mailing lists. Also, AOL has a name for being the ISP of
choice of newbies, who might not know how to recognize scams or know how
to handle spam.
10. By guessing & cleaning.
Some spammers guess email addresses, send a
test message (or a real spam) to a list
which includes the guessed addresses. Then they wait for either an error message to return
by email, indicating that the email address
is correct, or for a confirmation. A confirmation could be solicited by inserting
non-standard but commonly used mail headers
requesting that the delivery system and/or mail client send a confirmation of delivery or reading.
No news is, of course, good news for the spammer.
Specifically, the headers are -
Send a delivery confirmation X-Confirm-Reading-To: <email-address> Send a reading
Guessing could be done based on the fact
that email addresses are based on people's
names, usually in commonly used ways
(first.last@domain or an initial of one
name followed / preceded by the other
Also, some email addresses are standard -
postmaster is mandated by the RFCs for
internet mail. Other common email addresses are postmaster, hostmaster, root [for unix
11. From white & yellow pages.
There are various sites that serve as white
pages, sometimes named people finders web
sites. Yellow pages now have an email directory on the web.
Spammers go through those directories in order to get email addresses.
Most directories prohibit email address harvesting by spammers, but as
those directories hold large databases of email addresses + names, they
are a tempting target for spammers.
12. From a previous owner of the email address.
An email address might have been owned by someone else, who disposed of
it. This might happen with dialup usernames at ISPs - somebody signs up
for an ISP, has his/her email address harvested by spammers, and cancels
the account. When somebody else signs up with the same ISP with the same
username, spammers already know of it.
Similar things can happen with AOL screen
names - somebody uses a screen name, gets
tired of it, releases it. Later on somebody else might take the same screen name.
As spammers do not care too much for invalid addresses, and with lists of
email addresses burned on CDs and sold, this scenario is probable.
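
The confirmation-request headers described under item 10 (guessing & cleaning) can be neutralised on the receiving side. The following is an added example, not part of the original FAQ: it removes such headers from an inbound message before the mail client sees it and reports what it found. Only X-Confirm-Reading-To appears on the page; Return-Receipt-To, Disposition-Notification-To, the function name and the sample message are assumptions added here.

```python
import email

# Headers asking the receiving system or mail client to confirm delivery or
# reading. Only X-Confirm-Reading-To is named on the page; the other two are
# added here (assumption) as commonly honoured receipt-request headers.
RECEIPT_HEADERS = (
    "Return-Receipt-To",            # delivery confirmation request
    "X-Confirm-Reading-To",         # non-standard read confirmation request
    "Disposition-Notification-To",  # read receipt request (RFC 8098)
)

# Constructed sample: a probe message soliciting both kinds of confirmation.
SAMPLE = (
    "From: offers@bulk.example\n"
    "To: first.last@corp.example\n"
    "Subject: test\n"
    "Return-Receipt-To: <probe@bulk.example>\n"
    "x-confirm-reading-to: <probe@bulk.example>\n"
    "\n"
    "Hello.\n"
)


def strip_receipt_requests(raw_message):
    """Return (cleaned_text, findings) for one RFC 822 style message.

    findings lists (header_name, requested_address) for every
    receipt-request header that was present, so the hit can be logged.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for name in RECEIPT_HEADERS:
        # Header lookup is case-insensitive and covers repeated headers.
        for value in msg.get_all(name, []):
            findings.append((name, str(value).strip()))
        del msg[name]  # drops every occurrence; harmless if absent
    return msg.as_string(), findings


if __name__ == "__main__":
    cleaned, found = strip_receipt_requests(SAMPLE)
    for name, addr in found:
        print("removed %s requesting confirmation to %s" % (name, addr))
    print(cleaned)
```

Run as a delivery-time filter, this keeps the mail client from answering a probe automatically, and the findings list gives a spam filter a signal to score on.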
If your address was harvested and you get spammed, the following pages
could assist you in tracking the spammer down :
2. Cabal (There is no Cabal)
3. MindSpring's page explaining how to get an email's headers http://help.mindspring.com/features/emailheaders/extended.htm
4. The spam FAQ, maintained by Ken Hollis.
5. The Reporting Spam page, an excellent resource.
6. Reading Mail headers.
7. Julian Haight's Spam Cop page.
8. Chris Hibbert's Junk Mail FAQ.
9. UXN Spam Combat page.
10. Sam Spade, Spam hunter.
11. Penn's Page of Spam.
X. Fight Spam on the Internet site.
Y. A CNET feature - how to stop spam.
The Netizen's Guide to Spam, Abuse, and Internet
Several sites on the web will help in tracing spam :
1. Sam Bretheim's list of trace route gateways
To find traceroute gateways in any country, visit here.
To run trace route from several places to one, visit
Specific traceroute pages
2. Allwhois.com gates to whois on any domain world-wide
3. A list of whois servers, collected by Matt Power
4. DNS lookup pages
5. IP Networks Index
6. Alldomains.com site - links to NICs worldwide.
A similar page can be found at