How Do Spammers Get My Email Address?
Wednesday, 15th May 2013, 18:03

Last September, I wrote about how I finally retired my work email address, having used it for 13 years. The spam to it got too much, even after the hundreds a day our mail server rejected, I was fed up with the daily 30 or so getting through and clogging up my inbox.

Since then, I started using a unique email address for every different website. Yes, that's a lot of email addresses but it has three added bonuses:

• If I start getting spam to that address I can retire it for a new one and know I only have to update one website
• I know where the spammers got my address from
• Even if I use the same password for two sites, the login for the sites are different

So, it's now mid May and 7 months with the new email addresses. And I'm getting spam again, in fact I have been for a few months. It's not bad, just a tiny handful a week in fact, but I'm definitely getting them again. Only this time, I know where from.

eBay and PayPal

Before you reel back in shock, no, I do not believe for one moment eBay and their financial arm are giving my address to dodgy dealers. But there is no doubt these are the email addresses which the spam is being sent to, and I have only used these addresses for those sites.

How do they get them then? Well the answer is pretty easy, I buy things on eBay and I pay with PayPal, so any seller who I have interacted with will have those email addresses.

Some of the spam I've had has actually been from websites run by the sellers, which is something eBay really ought to stamp on. If you buy something through eBay, then you are buying it through eBay, not the shop of the seller so you don't get any option of not being added to their spam list, they just do it.

Other spam is of the more typical get rich quick or pump and dump stock affair. It's possible that some big sellers on eBay abuse the position of having a large throughput of customers and sell on lists of them to third parties. I really wouldn't put it past some of them to do this, especially those from China.

Alas until I can specify a unique email address for every single transaction (there's an idea for you eBay!) I'll never know if someone sold my email address on.

The other equally likely possibility is a seller with a compromised computer, filled with back-doors and trojans harvesting everything in sight. There are millions of them out there, to think that this isn't a major source of harvesting spam addresses would be folly.

A Solution to Spam

Currently, there is no real solution to the problem with spam emails. Which is a shame, it's really not an easy problem to solve, even if you enforced SPF or similar technologies.

What there needs to be is a replacement for email, a new technology which is an open standard. You could have one that puts a huge burden on the sender and very little on the receiver. It needs to be expensive to send a lot of emails, but even then a spammer could distribute their CPU load across botnets and get around it.

So perhaps the real answer is some sort of permission token system, where whenever I give someone my email address they have the right to reply to it for a set amount of time only. You could make that time weeks for eBay purchases, months for friends, and hours for anything dodgy.

With a system that let you renew these rights easily yet revoke them at anytime, and simple automated interfaces to do it all for you, perhaps no different to the way things like Facebook let you know someone wants to be your friend.

Perhaps we just need a new header tag in emails to do all this for us, and then Microsoft, Google, Apple and Mozilla, to bring it in all at the same time. Then everything without the tag can go to the junk box and be damned. But that is never likely to happen, so the only real solution is your own domain name and an infinite supply of email addresses.