
Where does spam come from?

Most (technical) people by now know that it's not a good idea to give your real email address to websites when you register your account. But how much of a difference does that really make?

I have one email account for work, another that I give to family and friends, another that I post (obfuscated) on glaak.com, another that is posted in plain text on a university webpage, and one that I use to register for websites. All of them (other than my work email) forward to my "family and friends" email account, and all get spammed in their own special ways.

A few stats:

8000 spam per month: Generate-able Email Address ([First Name] @ [a common domain.com])
This email address has a (remotely) common name + a common domain. It has never been posted anywhere, or been used to register for another service.

4000 spam per month: Plain Text Email Account
This email address was posted in plain text on a university webpage.

1000 spam per month: Less Easily Generate-able Email Address ([First Name + Last Initial] @ [a common domain.com])
This email address has also never been posted or used to register, but is easy to generate.

100 spam per month: Registration Email Address
This email address would be difficult to generate, but is always used to register for services. Of course, the number of "legitimate" mailings this email address receives is a bit higher.

13 spam per month: Obfuscated Email Address
This email address is posted on this website, but is obfuscated with JavaScript. Yes, yes, it appears in plain text when the page is rendered, but in the source it's in JavaScript.

Of course, this wasn't a totally fair experiment. Not all email addresses have existed for the same amount of time, some are posted in more places than others, and there's overlap between some figures (for example, I'd guess that some of the spam going to the obfuscated email address is actually from people generating the address).

Conclusions:
  • Don't have an email address that you can easily generate (or make sure you have a good spam filter)
  • Don't post your email address online in plain text
Registering for a website with your real email address? You're probably OK. (Still, I recommend a secondary Gmail account which auto-forwards to your real email account.)

Luckily for me, Gmail's spam filter gets nearly all of the 13,000 monthly pieces of spam (missing maybe 10 or so per month). Not bad.

1 comment:

Sean Harding said...

This matches pretty well with my experience. However, I think each person draws the line between "legitimate mail" and "spam" in a slightly different place. I get quite a bit of mail from various sites I've registered for over the years. I'm fine with a lot of it, but I'm sure some people would call it all "spam."

BTW, a few years ago I did some research on how addresses are harvested from web pages and used for spam. I generated a unique email address for every hit on my site, and logged it along with all of the information about the hit. If one of the addresses received spam, I could go back and see exactly when and how it was harvested. The most interesting thing was that the addresses which were spammed would tend to receive one spam message fairly quickly (within a week or two) and then be abandoned or left alone for a long time. During the time I was collecting the data, no single address began receiving a large volume of spam. I'm sure the tactics have changed a bit by now, though...
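
An added example (not code from the post or from the commenter) of the per-hit address logging described in the comment above, written in Python. The `c-<id>-<tag>` address format, the HMAC tag, `example.org`, and all function names are assumptions; the tag lets the trace ignore addresses that were guessed rather than harvested, which matters given how much spam the post attributes to generated addresses.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"  # assumption: per-site secret kept server-side
DOMAIN = "example.org"            # assumption: domain whose mail you receive
HIT_LOG = {}                      # hit_id -> request metadata (a DB table in practice)


def _tag(hit_id):
    """Short keyed tag binding the address to an id we actually issued."""
    return hmac.new(SECRET, hit_id.encode(), hashlib.sha256).hexdigest()[:12]


def address_for_hit(ip, user_agent, path, when=None):
    """Mint a unique address for one page view and log the request details."""
    hit_id = secrets.token_hex(6)
    HIT_LOG[hit_id] = {"ip": ip, "user_agent": user_agent, "path": path,
                       "time": when or datetime.now(timezone.utc)}
    return f"c-{hit_id}-{_tag(hit_id)}@{DOMAIN}"


def trace(recipient, received=None):
    """Map a spammed recipient back to the hit that exposed it, else None."""
    local, _, domain = recipient.lower().partition("@")
    parts = local.split("-")
    if domain != DOMAIN or len(parts) != 3 or parts[0] != "c":
        return None
    hit_id, tag = parts[1], parts[2]
    # Constant-time compare; a mismatch means the address was guessed or mangled.
    if not hmac.compare_digest(tag.encode(), _tag(hit_id).encode()):
        return None
    hit = HIT_LOG.get(hit_id)
    if hit is None:
        return None
    result = dict(hit)
    if received is not None:
        result["days_to_first_spam"] = (received - hit["time"]).days
    return result


if __name__ == "__main__":
    # Constructed sample hit and spam arrival time.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    addr = address_for_hit("203.0.113.7", "ExampleBot/1.0", "/contact", when=t0)
    print(addr, trace(addr, received=datetime(2024, 1, 10, tzinfo=timezone.utc)))
```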