There are many ways in which spammers can get your e-mail address.
The ones I know of are:
From Posts to UseNet with your E-mail Address
Spammers regularly scan UseNet for e-mail addresses, using ready-made
programs designed to do so. Some programs just look at article headers which contain
e-mail addresses (From:, Reply-To:, etc.), while other
programs check the articles' bodies, ranging from programs that look at signatures
to programs that take everything containing a '@' character and
attempt to demunge munged e-mail addresses.
There have been reports of spammers demunging e-mail addresses on
occasion, ranging from demunging a single address for purposes of revenge spamming to
automatic methods that try to unmunge e-mail addresses that were munged in some common
ways, e.g. by removing such strings as 'nospam' from e-mail addresses.
As people who were spammed frequently report that the spam frequency to
their mailbox dropped sharply after a period in which they did not post to UseNet, and
given the evidence of spammers' chase after 'fresh' and 'live' addresses, this
technique seems to be the primary source of e-mail addresses for spammers.
From Mailing Lists
Spammers regularly attempt to get the lists of subscribers to
mailing lists [some mail servers will give those upon request], knowing that the e-mail
addresses are unmunged and that only a few of the addresses are invalid.
When mail servers are configured to refuse such requests, another
trick might be used: spammers might send an e-mail to the mailing list with the headers
Return-Receipt-To: <e-mail address> or X-Confirm-Reading-To: <e-mail address>.
Those headers would cause some mail transfer agents and reading programs to send e-mail
back to the <e-mail address> saying that the e-mail was delivered to / read at
a given e-mail address, divulging it to spammers.
A different technique used by spammers is to request that a mailing list
server give them the list of all mailing lists it carries (an option implemented by some
mailing list servers for the convenience of legitimate users), and then send the spam to
the mailing list's address, leaving the server to do the hard work of forwarding a copy to
each subscribed e-mail address.
[I know spammers use this trick from bad experience - some spammer
used this trick on the list server of the company for which I work, easily covering most
of the employees, including employees working there well under a month and whose e-mail addresses
would be hard to find in other ways.]
From Web Pages
Spammers have programs which spider through web pages, looking for e-mail
addresses, e.g. e-mail addresses contained in mailto: HTML tags [those you can
click on to get a mail window opened].
Some spammers even target their mail based on web pages. I
discovered that a web page of mine had appeared in Yahoo, as some spammer harvested e-mail addresses
from each new page appearing in Yahoo and sent me a spam regarding that web page.
A widely used countermeasure against such harvesting is the 'poison'
CGI script. The script creates a page with several bogus e-mail addresses and a link to
itself. Spammers' software visiting the page would harvest the bogus e-mail addresses and
follow the link, entering an infinite loop that pollutes their lists with bogus e-mail
addresses.
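As an added illustration (not code from the original page), here is a minimal poison page generator in Python that does what the paragraph describes; the script path /cgi-bin/poison and the use of the reserved example.* domains for the bogus addresses are assumptions of mine.

```python
import html
import random
import string

# Constructed: reserved example domains (RFC 2606), so the bogus addresses can
# never reach a real mailbox when a spammer eventually mails them.
BOGUS_DOMAINS = ("example.com", "example.net", "example.org")


def bogus_address(rng):
    """Return one plausible-looking but undeliverable e-mail address."""
    local = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(5, 10)))
    return f"{local}@{rng.choice(BOGUS_DOMAINS)}"


def poison_page(script_url, count=20, seed=None):
    """Build the page the poison script serves: `count` bogus mailto: links and
    a link back to the script itself. A harvester that follows links loops over
    an endless supply of fake addresses. Returns (html_text, addresses)."""
    rng = random.Random(seed)
    addresses = [bogus_address(rng) for _ in range(count)]
    items = "\n".join(
        f'<li><a href="mailto:{html.escape(a)}">{html.escape(a)}</a></li>'
        for a in addresses
    )
    # A fresh query string on the self-link defeats crawlers that skip URLs
    # they have already visited.
    next_url = f"{script_url}?page={rng.randint(1, 10**9)}"
    page = (
        "<html><head><title>Contacts</title></head><body>\n"
        f"<ul>\n{items}\n</ul>\n"
        f'<a href="{html.escape(next_url)}">More contacts</a>\n'
        "</body></html>\n"
    )
    return page, addresses


if __name__ == "__main__":
    # CGI output: a Content-Type header, a blank line, then the page body.
    body, _ = poison_page("/cgi-bin/poison")
    print("Content-Type: text/html")
    print()
    print(body)
```

Serve the script from a path that robots.txt excludes, so well-behaved search-engine crawlers stay out while harvesters, which typically ignore robots.txt, walk into the loop.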
From Various Web and Paper Forms
Some sites request various details via forms, e.g. guest books and
registration forms. Spammers can get e-mail addresses from those either because the form
data becomes available on the world wide web, or because the site sells or gives the e-mail
list to others.
Some companies would sell or give away e-mail lists filled in on paper
forms, e.g. organizers of conventions would make a list of participants' e-mail addresses
and sell it when it's no longer needed.
Some spammers would actually type in e-mail addresses from printed
material, e.g. professional directories and conference proceedings.
Domain name registration forms are a favourite as well - the addresses
there are usually correct and up to date, and people read the e-mails sent to them expecting
important messages.
Via an Ident Daemon
Many unix computers run an ident daemon (a program which runs in the
background, started by the system administrator), intended to allow other
computers to identify people who connect to them.
When a person surfing from such a computer connects to a web site or
news server, the site or server can connect back to the person's computer and ask that
daemon for the person's e-mail address.
Some chat clients on PCs behave similarly, so using IRC can cause
an e-mail address to be given out to spammers.
From a Web Browser
Some sites use various tricks to extract a surfer's e-mail address
from the web browser, sometimes without the surfer noticing it. Those techniques include:
Making the browser fetch one of the page's images
through an anonymous FTP connection to the site.
Some browsers would give the e-mail address the user has configured into the browser as the
password for the anonymous FTP account. A surfer not aware of this technique will not
notice that the e-mail address has leaked.
Using JavaScript to make the browser send an e-mail
to a chosen address, carrying the e-mail address configured into the browser.
Some browsers would allow e-mail to be sent when the mouse passes over some part of a
page. Unless the browser is properly configured, no warning will be issued.
Using the HTTP_FROM header that browsers send to the
server.
Some browsers pass a header with your e-mail address to every web server you visit. To
check if your browser simply gives your e-mail address to everybody this way, visit http://www.helie.com/BrowserCheck/
From IRC and Chat Rooms
Some IRC clients will give a user's e-mail address to anyone who
cares to ask for it. Many spammers harvest e-mail addresses from IRC, knowing that those are 'live'
addresses, and send spam to those e-mail addresses.
This method is used alongside the annoying IRC bots that send messages
interactively to IRC and chat rooms without attempting to recognize who is participating
in the first place.
This is another major source of e-mail addresses for spammers, especially as this is one
of the first public activities newbies join, making it easy for spammers to harvest 'fresh'
addresses of people who might have very little experience dealing with spam.
AOL chat rooms are the most popular of those - according to reports
there's a utility that can get the screen names of participants in AOL chat rooms. The
utility is reported to be specialized for AOL for two main reasons: AOL makes
the list of the actively participating users' screen names available, and AOL users are
considered prime targets by spammers due to the reputation of AOL as being the ISP of
choice for newbies.
From Finger Daemons
Some finger daemons are set to be very friendly - a finger query
asking for john@host will produce a listing, including login names, for all people
named John on that host. A query for @host will produce a list of all currently logged-on
users.
Spammers use this information to get extensive user lists from
hosts, as well as lists of active accounts - ones which are 'live' and whose owners will read their mail soon
enough to be really attractive spam targets.
AOL Profiles
Spammers harvest AOL names from user profile lists, as this allows
them to 'target' their mailing lists. Also, AOL has a reputation as the ISP of choice
for newbies, who might not know how to recognize scams or how to handle spam.
From Domain Contact Points
Every domain has one to three contact points - administrative,
technical, and billing. Each contact point includes the e-mail address of the contact
person.
As the contact points are freely available, e.g. using the 'whois'
command, spammers harvest the e-mail addresses from the contact points for lists of domains
(the list of domains is usually made available to the public by the domain registries).
This is a tempting method for spammers, as those e-mail addresses are usually valid
and mail sent to them is read regularly.
By Guessing & Cleaning
Some spammers guess e-mail addresses and send a test message (or a
real spam) to a list which includes the guessed addresses. Then they wait for either an
error message to return by e-mail, indicating that a guessed address is invalid, or for a
confirmation. A confirmation could be solicited by inserting non-standard but commonly
used mail headers requesting that the delivery system and/or mail client send a
confirmation of delivery or reading. No news is, of course, good news for the spammer.
Specifically, the headers are:
Return-Receipt-To: <email-address>     - send a delivery confirmation
X-Confirm-Reading-To: <email-address>  - send a reading confirmation
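The same Return-Receipt-To / X-Confirm-Reading-To trick appears both in the mailing-list section above and here, so one defensive check serves both. The following Python is an added example (not from the original page) that spots those headers on an incoming message and strips them before a mail client can answer automatically; the sample message is constructed, and Disposition-Notification-To, the standardised form of the same request, is an addition of mine.

```python
from email import message_from_string

# Headers that ask the receiving system or mail client to confirm delivery or
# reading. Every confirmation sent back tells the sender the address is live.
# Return-Receipt-To and X-Confirm-Reading-To are the two named in the text;
# Disposition-Notification-To is the standardised form (RFC 3798), added here.
RECEIPT_HEADERS = (
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
    "Disposition-Notification-To",
)


def receipt_requests(raw_message):
    """Return [(header, value), ...] for every confirmation request found."""
    msg = message_from_string(raw_message)
    return [
        (name, value.strip())
        for name in RECEIPT_HEADERS
        for value in msg.get_all(name, [])
    ]


def strip_receipt_requests(raw_message):
    """Return the message with all confirmation-request headers removed, so a
    mail client that answers them automatically can no longer leak the address."""
    msg = message_from_string(raw_message)
    for name in RECEIPT_HEADERS:
        del msg[name]  # deletes every occurrence of that header
    return msg.as_string()


# Constructed sample: a probe of the kind described above, sent to a guessed
# address and carrying both confirmation requests.
PROBE = """\
From: sender@example.net
To: j.smith@example.org
Subject: hi
Return-Receipt-To: sender@example.net
X-Confirm-Reading-To: sender@example.net

Just checking in.
"""

if __name__ == "__main__":
    for name, addr in receipt_requests(PROBE):
        print(f"confirmation requested via {name} -> {addr}")
```

Run strip_receipt_requests as a delivery-time filter (for example from a procmail recipe or a milter) and the only thing the sender learns from a probe is silence.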
Guessing could be done based on the fact that e-mail addresses are
based on people's names, usually in commonly used ways (first.last@domain, or an initial of
one name followed / preceded by the other, @domain).
Also, some e-mail addresses are standard - postmaster is mandated by
the RFCs for internet mail. Other common e-mail addresses are hostmaster, root
[for unix hosts], etc.
From White & Yellow Pages
There are various sites that serve as white pages, sometimes named
people-finder web sites. Yellow pages now have an e-mail directory on the web.
Those white/yellow pages contain addresses from various sources,
e.g. from UseNet, but sometimes your e-mail address will be registered for you.
Example - HotMail will add e-mail addresses to BigFoot by default, making new addresses
available to the public.
Spammers go through those directories in order to get e-mail
addresses. Most directories prohibit e-mail address harvesting by spammers, but as those
sites have large databases of e-mail addresses and names, they are a tempting target for
spammers.
By Having Access To The Same Computer
If a spammer has access to a computer, he can usually get a list
of valid usernames (and therefore e-mail addresses) on that computer.
On unix computers the users file (/etc/passwd) is commonly world-readable, and the list of currently logged-in users
can be obtained via the 'who' command.
From a Previous Owner of the E-mail Address
An e-mail address might have been owned by someone else, who
disposed of it. This might happen with dial-up usernames at ISPs - somebody signs up with
an ISP, has his/her e-mail address harvested by spammers, and cancels the account. When
somebody else signs up with the same ISP with the same username, spammers already know of
it.
Similar things can happen with AOL screen names - somebody uses a
screen name, gets tired of it, releases it. Later on somebody else might take the same
screen name.
Notice that there is a trade in lists of e-mail addresses - people
harvest e-mail addresses and then buy, sell, and trade those lists. Some even sell those
lists on CD-ROMs. Such lists are often long-lived, leading to spam from
various sources being sent to the e-mail address.
If your address was harvested and you get spammed, the following
pages could assist you in tracking the spammer down: