Where do spammers get their names/addresses from?

I was just cleaning out my junkmail of all the usual Rolex Penis-Enhancer Orgasmic Vitamin stuff when I noticed a couple that mentioned my real name in the ‘title’.

Except it isn’t my real name now, but was my married name…way back in the dark ages before I even GOT my first computer, let alone got all savvy on the intraweb. I’ve not used that name for any purpose IRL or on the net (even having to put in a dodgy name for ‘registration’ for stuff…I always use Smith) and given that it is a very rare name, I wonder how the spammers have come by it.

Enlightenment anyone?

Good question.

Spammers certainly got my email address from the early days of the internet, when I posted freely on public newsgroups and the like.

In the last couple of years, I’ve gotten more than a few addressed to several names in particular (none of them mine - but repetitive so it’s clear the email address has gotten associated with those names on some lists). Also more than a few addressed to my true name - which I’m assuming is somehow gotten from a domain name registry for a domain I own.

I’ll be interested to hear speculations as to how they’ve associated your current email with an extinct name for you.

Probably mostly from email viruses. Most people keep all their contacts in the address book of their email client (Outlook.) Virus writers would have the virus go through the address book and send itself via email to all those people. These viruses probably also sent every name they found to their creators. The creators compile a list of a few hundred thousand confirmed names and sell the lists.

You could personally have never had the infected mail reach you. You just have to have existed in the address book of someone else who wasn’t as security savvy as you. First step is to not use Outlook.

I have also heard they get your addresses thusly:

Someone puts a joke in an email, which they send to you and other friends. Those friends forward to still other friends. And so on.

Each time, the string of addresses builds as you scroll down. Of course some of these addresses show as bigbutt73 at yahoo.com <Stephen Jones> and so on. Eventually someone forwards it to a spammer who enters the information into a data base.

Netiquette, I’m told, is such that you’re supposed to delete all that extra junk before forwarding. Another way to cut down on that is to address things via bcc (blind carbon copy).

I’ve also heard that you need to be wary of freebies IRL. Like “Just sign up for a chance to win a TV set!” when you’re going to your car in the parking lot, because on some of the forms, the fine print states that they can contact you despite the fact that you’re on the no-call list etc.

I don’t use Outlook

I’ve not been known by that name for over 16 years, and only got internet stuff about 11 yrs ago.

I’ve never used that name for any stuff on the internet. I’ve previously gotten spam in my current name, whatever, but in recent weeks have started recieving mail in my old married name…pre computer, pre internet, pre just about everything!

Still confuzzled.

Trojans on other people’s computers. Anyone who has ever sent you an email, received one from you, or has ever been copied in on an email that was also sent to you, potentially has your email address somewhere in their system. Some kinds of malware do nothing but scan the hard drive for things that look like email addresses, then collate them and phone home with them.

This is one of the main reasons I so strongly object to chain letter emails - they are a vehicle for moving huge lists of email addresses from one computer to another. Even if you received one and deleted it, everybody else it was addressed to probably got a copy of your address - and everyone they stupidly forwarded it on to, and so on.

I understand all the usual routes for email addies to get distributed, but as yet the question of WHY IT CAME VIA MY ORIGINAL MARRIED NAME, well before I ever ventured onto the internet, has not been answered.

Possibly someone signed up for something using your name, either to inconvenience you, or to protect their own identity, or something like that.

Another possibility is that someone closely related to you has been doing genealogical research online.

Another possibility is that it’s a blind random first name plus random last name hit.

Your OP had me curious as well. Did a few searches because I didn’t have a clue either.

It appears a great deal of e-mail addresses are sold through hundreds of companies selling CD’s which have millions of legitimate e-mail addresses on them. These were collected usually through newsgroups and chat lines: AOL is a particular popular for this. This link briefly covers it.
This link is more comprehensive and pretty much covers every way spammers get the e-mail addresses. It also gives you links which will track down the spammers addresses, and shows you how to bait spammers that target their mail based on web pages, by using a technique that will pollute their lists with bogus e-mail addresses when they come across your cite.


In theory, would it possible for someone with sufficient coding skills to be able to create a program whereby if anything tries to enter your computer by illicit channels, it could follow the trespasser back to its origin, and then instal a program that starts deleting all .exe files, for example?

No. Spam email is such a problem because the email protocol doesn’t verify who is sending the mail (i.e. no way to trace it back), and no one has been willing to trash the system and rebuild it with a new protocol. If you could trace it back, blocking off spammers would be considerably more easy.

Also, hacking into another computer remotely mostly relies on the target user being stupid. There might be some people who have the knowledge and skills to truly hack into any one specific computer out there, but it’s nowhere near as easy as Hollywood would make you think.

Perhaps an old aquaintance lists your current email address with your previous name? Then the association spead via one of the methods suggested above?

Unscrupulous employees with access to databases of personal info sell data to spammers and such all the time. The question in the case of the OP is what DB might have a maiden name? Possibilities include alumni/school lists, certain financial DBs, and job applications that require background checks.

Yep, but I bet someone you’ve emailed does.

I use Mozilla Thunderbird, and I have tried and failed to find any way to remove all the addresses.

So, i never forward, just copy and paste the message itself into a new email and send it.

Is there an easier way?

A lot of it is simple sales. In the USA we have an opt-OUT system as opposed to the EU which has an opt-IN system.

When you buy something you most likely will enter a good email address. After all it’s a legit buy and if something goes wonky you’d like to know. So that company has (usually in small print) a notice saying they can “share” your address with others in their “circle.”

Sometimes if you don’t agree to this, you simply can’t complete your sale. Which is fine, they have a right to not sell you things just as you have a right not to buy. This why I use a lot of Mark-1@hotmail type accounts. After six months I just change address.

The second is through groups of people with access to emails. It’s not uncommon for people to get paid to “harvest” emails. These are usually low level clerks in H/R, accounting or temp agencies. They just cut and paste emails and get paid like a penny an email for it. Considering the clerk jobs are only minimum wage, but have access to this, it’s a good deal and low risk. (Obviously harvesting SS# and CC# is a higher risk)

I’ve seen it happen before. I’ve audited places where I’ve caught H/R clerks using SS# they get off employment applications (NEVER put your SS# on an employment application till AFTER they interview you and need it for a reference/security check. If they don’t like your resume there is no need for them to have it. If they demand it, get a standard phoney and then you can always say "Ooops I wrote it down wrong)

Many of the most obvious things have been mentioned: addresses on Bulletin Boards, newsgroups, web pages, etc., e-mail harvesters (spyware put on your computer to harvest addresses).

On fairly effective way is to send a bunch of random e-mails to a domain. aaaa@domain.com, aaab@domain.com, etc. Many domains still send out notices if a recipient isn’t on the system. So if they send out a million random e-mails to a domain, they might get 999,000 bounces. They just compare that list to the list of random e-mails and have 1000 good addresses. It works even better if you use name combinations: asmith, bsmith, csmith, etc. Most domains have stopped sending out bounce messages, but a few do.

Another way is to send a phishing message to someone telling him his e-mail account is about to be closed and ask for the username and password. Some people will fall for that, and once they have the information, they can usually access your organization’s address book, as well as personal addresses for the user they spoofed.

I don’t think that polluting the lists does much good. Spam is a problem because there is pretty much no cost to sending an email. The spammers don’t really care that much if 99% of the addresses are bogus.

True - and it’s not even the spammers’ own kit that sends them - spam is sent by networks of trojan-infected computers in people’s homes, businesses, etc.