Spam can be pretty confusing. I doubt that very many people actually ask to receive Viagra advertisements by email, yet they just start to appear. Did they make up my email address? Or did they get it from another website that I gave it to?
There are basically five reasons why we get spam.
1. We give our email address to a website, and they send us email we didn't expect
2. We give our email address to a website, and they sell it to other websites
3. We give our email address to a website, and they get hacked
4. Someone's computer gets a virus, and we get spam because we are in their address book
5. We post our email address on a website somewhere, and spammers "harvest" it off the web
It's always one of these reasons. If you create a new email address and don't ever use it to sign up for anything or post it anywhere, you won't receive any spam. We get spam as a result of using the email address to buy things, sign up for newsletters, and email other people. For every spam email message we receive, there was an action we took that caused it.
The first three are probably the most common. The last two happen less frequently but when they do, your email address is pretty much hosed. When you only have one email address, it's a Pandora's Box. Once the box is open and your email address gets into the hands of spammers, you can't take it back. Lets look at each case in more detail:
We give our email address to a website, and they send us email we didn't expect
Probably the most common reason for getting spam is that we just don't realize what it is we're signing up for. Every website has a Privacy Policy and there is usually a page or more of "fine print" that nobody ever reads. For example, most people would never think that signing up for Wired Magazine would cause them to receive emails about other magazines such as Glamour and Style. It's not that Wired readers are likely to be interested in Glamour - its just that Glamour and Wired are both run by the same company - Conde Naste.
Like many other conglomerates, Conde Naste cross-markets one magazine to the readers of the other magazines. Legally this is perfectly fine and their privacy policy explicitly gives them the right to do this. But its not what we expect. When the email message arrives promoting Glamour Magazine, we don't realize that the reason why we received the Glamour email message is because we signed up for Wired. Even if we unsubscribe from Wired, we might continue to receive email messages about other magazines. In order to stop these emails, we need to unsubscribe from Conde Naste as a whole. But that's very unlikely because we don't really know who Conde Naste is to begin with. So we have to unsubscribe from each brand individually and wonder why we keep receiving email messages about different magazines that we have never signed up for. It's pretty confusing!
We give our email address to a website, and they sell it to other websites
Most people would be amazed at how much our personal information is bought and sold without our knowledge. Credit card companies make a lot of money from interest payments and fees, but they make more money from tracking our purchase behavior and selling this information to other companies. Sometimes this is called "Lead Generation" and other times it is called "Data Append". Whatever you call it, there are mature and sophisticated industries built around the buying and selling of personal information.
Some companies have whole business models built on this concept. An example of a company with pretty good practices is LendingTree.com. We sign up at LendingTree.com if we're interested in refinancing our home. Their pitch is that by telling them all about the loan you need, they will find the best rate for you among multiple lenders. They way they accomplish this is by selling your information to lenders as a "lead". Lending Tree doesn't show you loans that would save you money unless the lender is willing to pay them for the lead. This is a "good" example because its pretty clear what's going on. We know that when we sign up at LendingTree.com, we're going to receive emails about loan offers. The only problem comes after we decide on a lender - all of the other lenders still have our email address and there is a good chance we'll be receiving email messages with loan offers for years to come.
The bad examples are when this happens without us knowing it. The most notorious example of this is called "co-registration" and is also an industry of its own. Depending on how good your spam filter is, you may have seen email messages with subject lines such as "Win a free iPod", "Do you like Coke or Pepsi?", or "Party with a star!". These promotions are designed to draw us into a website where we are presented with a series of offers to refinance our house, get a new credit card, get an online educational degree or to get free DVD's from Columbia House. In order to win our free iPod, we have to register for a certain number of the other promotional offers. For every promotional offer that we fill out, the website gets paid a bounty. They pay for your free iPod out of the bounties they collect. Most people that sign up want the free iPod, but aren't interested in the promotional offers.
There are a zillion other variations of this model that fall somewhere between the "pretty good" practices of LendingTree.com and the "bad" practices of the site offering you a free iPod.
We give our email address to a website, and they get hacked
We don't hear about this much, but it happens much more than most people realize. You register at a website and then that website gets hacked and their customer list is stolen by spammers. Or maybe an employee gets fired and steals a copy of the customer list on his way out.
This happens a lot. We just never hear about it. Why? First of all most of the time no actually knows about it. Without OtherInbox, they have no way of knowing what caused the spam or which list is being abused. Most companies wouldn't know if their own customer list was stolen.
Second, when it does happen, they don't want to tell us about it! They don't want anyone to know that they were the cause of the security breach and they try to just "make it go away".
Someone's computer gets a virus, and we get spam because we are in their address book
In this example, someone accidentally downloads a virus or other malware that infects their personal computer. It looks through their email address book for valid email addresses to spam.
We post our email address on a website somewhere, and spammers "harvest" it off the web
As much as we try to avoid it, there are certain times where we have to post our email address publicly on a web page. For example, some message boards and email lists will cause our email address to be displayed publicly in the archives. Another example is the email address listed in the Whois DNS record when we register a domain name. Posting an email address on a web page is a guaranteed way to attract spam. Harvesting email addresses of web pages is illegal, but it is still a common practice.
What else?
Can you think of other causes of spam that I'm missing?
(reposted from the OtherInbox blog)
"Can you think of other causes of spam that I'm missing?"
Yup. Dictionary attacks.
http://www.sophos.com/security/spam-glossary.html#dictionaryattack
"A program that bombards a mail server with millions of alphabetically generated email addresses in the hope that some addresses will be guessed correctly. This technique is also used to crack passwords."
Posted by: spamfighter | September 14, 2008 at 06:42 AM
"Someone's computer gets a virus, and we get spam because we are in their address book"
This happens more often than you care to know. We changed a mail alias at work a while back, because the old one was getting so much spam (among other reasons). It took two days, and yep, we started getting spam to that, because it is mentioned in general client communications (outbound email).
Posted by: spamfighter | September 14, 2008 at 06:45 AM
- you give a website an address and they sell that address to other mailers, despite the fact that the privacy policy says they will not sell the address.
- a vendor steals email addresses from a company you gave an email address to. This is different than the company is hacked, it is more they are using questionable vendors. I had this happen in the last 6 months with one of my clients. I was testing their COI system and started getting hundreds of emails a day to the address. The client tells me that the address should not have been mailed by anyone but them and that any emails were a violation of the contract between customer and vendor. They stopped using that vendor and the next test was clean. Other people have reported addresses leaking from large companies (united airlines comes to mind).
- spammers create addresses. Similar to dictionary attacks, but slightly different. I have more than 20 addresses that were created by spammers. All of these are tagged addresses where the spammers have modified or changed the tag.
- someone maliciously signs up your address to mailing lists.
- someone accidently signs up your address to a mailing list.
Posted by: Laura Atkins | September 14, 2008 at 05:46 PM
A variation on 5: spam sent to the email address on domain name registrations. This isn't displayed anywhere, but shows up on whois database queries, for example.
On the other hand, commercial inquiries using the domain's whois address and not the contact address available on the associated website tells me all I need to know about the sender ;-)
Posted by: Mark Brownlow | September 15, 2008 at 06:24 AM