The great spam experiment by Phil Bradley: How do we get spam?
I thought this article was really cool; take a look at it. Since I get so many spam emails every day, I decided that it was about time to look up where exactly spam comes from.
Where do we get spam from?
In common with about everyone else on the net I get spam emails flooding into my email box every day. In a dizzyingly short period of time I have the opportunity of achieving a larger penis along with enormous breasts, I can become a millionaire overnight, presumably the day after fixing my credit rating, I can take viagra to last longer with the woman that I hypnotised into bed, while watching nubile young ladies perform for me on webcam by paying them via the credit card that I've just been guaranteed. Spam is that amazing creation that allows all the crackpots, the fraudsters and the cheats to not only knock on our doors but to walk right in and make themselves at home.
I've read a lot about how to stop spam - how to filter it out, how to report the people who do it, how to blacklist the people who send it to you, and how to track them down to real accounts - and all very interesting it is too. However, despite having spent some time looking around on the Web, I've not really seen anything that looks at how you actually get it in the first place. Yes, I know that spammers get your email address, which then gets added to lists and sold onto other disreputable people who fill your mailbox with junk, but I was interested in seeing how they got the email address in the first place. How widely spread would your address need to be in order to catch the attention of the spammers? As it turns out, not very widely spread at all, as we shall see.
How I went looking for spam, and how spam found me
I decided to create some email accounts, and then publicise this at various places on the web. I chose to use Hotmail for this purpose for a number of reasons - it was quick and easy to create accounts, Hotmail accounts are very common (who doesn't have one?), I could inspect them whenever and wherever I chose and it also meant that I wouldn't be getting any more spam than necessary in my own email box.
I created a number of accounts that would be used for different purposes:
- A 'control' account that wouldn't be published anywhere
- I felt that this was important since I wanted to be able to discount any emails that had been sent out to addresses that had been created by a computer program. Consequently all my accounts were a variant on my name, with a numeric value after them. Any email that came into the control account could then be ignored in all the other accounts, since it had not originated from one of the accounts I was publicising.
- An account that was only publicised in the Hotmail directory and Internet White pages.
- I suspect that many people do not think to untag that option when they create an account, and I wanted to see if I got any spam as a result.
- Putting the address on a webpage, in an HTML mailto: link.
- I used my own website at http://www.philb.com/ for this purpose. Granted that it's not the largest site in the world, but I like to think that it gets enough visitors to warrant its use for that purpose, and the site is also to be found by in most of the search engine indexes as well.
- Posting to a mailing list
- I joined, and then posted to a Library and Information Science related mailing list (LIS-LINK) at JISCMail This isn't a particularly high volume list, but it does have its moments, and all the postings are publically archived for anyone to view.
- Posting to a newsgroup
- I registered another email account at Google groups and posted once there. I wasn't sure quite which group to post to, since I wanted to post to a fairly well known one, which had a lot of postings, but I also wanted to try and ensure that I didn't skew the results by posting to a group with a very specific interest; if I'd posted to a sex group for example I wouldn't have been sure if any pornographic spam was just being targetted at posters to that newsgroup. Eventually I played safe and posted to alt.test which as the name suggests, is for posting test messages.
- A pornographic organisation
- Obviously I knew that by requested pornography in my inbox, that was exactly what I was going to get. However, what really interested me here was to see if my address would be harvested as spam and sold onto other organisations who would use it for their own mailings.
- An opt-out list
- In my early days on the Internet I once emailed back somone who had sent something to a nonsense address at one of my accounts to tell them that 'niko.hk' wasn't to be found there, and to take that name off whatever list they had. From that day to this, I've received email for this rather strangely named individual, so I had my suspicions that this probably wasn't going to be a good idea. I chose one of the spam emails that I get in my normal account and visited the website address as suggested and input the address of my next email account. I was gratified to read that my name had been taken off their list and I wouldn't get any more mail from them - this was obviously going to be a quiet account!
- A Yahoo! group
- This final one was an afterthought, but a couple of people suggested to me that it might be a good idea, since they had received spam as a result of posting to various Yahoo! groups, so I duly created another account and joined a business related newsgroup and posted.
I could have chosen many other places to publicise different addresses - there are plenty of other groups other than those provided by Yahoo! for example, and I also wasn't taking into account the spam that arises as a result of visiting particular websites. However, odd though it may seem, I do have a life and I wanted to make the most of the short summer months in England. Besides, I have clients who need work to be done for them, so I drew a halt at that point.
Having set up the accounts, registered with the various services mentioned, and posted one single copy of each email address I then sat back and waited to see if my spam traps would work. I didn't have long to wait...
Spam, spam, glorious spam!
I had my first spam message inside a couple of hours, and it was to the email account I used to opt-out of mailings. To be honest, this wasn't exactly a surprise to me, and I was soon to discover opting out of a mailing list is like wandering into the rapids just wearing a small life protector - you're going to get swept along very quickly and end up drowning! Initially I was quite fascinated to see how much spam I was getting, and checked the accounts a couple of times a day, but after a while the thrill began to pall - after all it does get a bit depressing to realise that so many people think I've got a small penis and no money in my bank account! Eventually I ended up checking them once every couple of weeks, just to make sure that they were still active.
I was also very wryly amused at how many of the spam emails assured me that I was only getting their messages because I'd visited their sites and requested to be kept informed about their various products - in fact once or twice I almost doubted myself and thought about checking to see if there was anything like sleep-computing! However, I was fairly convinced that even if I had been computing in my sleep I wouldn't be visiting sites about septic tanks, of which I seemed to get a lot of emails, entreating me to purchase one and improve my lifestyle. Quite how a septic tank is going to improve my lifestyle I'm none too sure - after all, 'Come up and see my septic tank' isn't exactly going to work wonders is it.
Spam winners, spam losers
Eventually however all good things must come to an end. Summer began to fade and autumn decided it was time to come out and romp and play, and I too decided that after about 10 weeks it was time to draw my spam experiment to an end. I was then faced with the enormity of going through each account in turn and adding up columns of figures.
Rather than simply add up the number of emails I had received it had been suggested to me that it would be interesting to to classify them somehow. This appealed to me - after all, my background is that of a librarian, so a little bit of classification couldn't come amiss. It didn't take long to work out some major categories - I just had to look at the titles of the emails that I'd been sent. Regretfully I decided that I didn't have enough time to open each one in turn to read the contents - I would simply have to assign a category based either on the subject of the email or if that wasn't always clear, on the name of the sender, which usually was. Faced with an email with the subject 'come and see my website' wasn't necessarily very clear, but when it had been sent by 'SexySuzie' it didn't take too much working out! However, in cases where it really wasn't clear the email was assigned to the wonderful 'miscellaneous' category.
The categories that I used were as follows:
- Financial
- Anything offering to repair my credit, make me a millionaire, find me a cheaper mortgage and so on went here
- Pornographic
- Fairly self explanatory I'd have thought.
- Health
- This was a slightly more difficult category, since many (most) of them related to sex in one form or another, but since they were not in and of themselves pornographic in nature I felt they should be elsewhere, and this seemed an appropriate place.
- Hardware/software related
- This covered everything from cell phones to virus checking software and all points in between.
- Attract a partner
- Several of these were related to hypnotising a woman into bed (though 'you're getting very sleepy' would seem to be a little self defeating, I would have thought), while others were about using scent, chat up lines and so on.
- Earn a degree
- Or a diploma. Or a Masters. Or a doctorate. Or... you get the idea.
- Holidays
- In the sun. Or the snow. Or in the far east, or anywhere at all apparently.
- Miscellaneous
- A complete lucky bag of the strange and downright wierd. Back to septic tanks again.
Of course, I could have broken these categories down even further, but as I said earlier, I have a life. They're good enough for me, and if you don't like them you're more than welcome to try your own spam experiment.
For those of you without a morbid interest in figures, the two outright 'winners' are money and sex. No big surprise there, but if you'd been expecting one I have to tell you that you don't know much about humankind. The actual breakdown is as follows:
Financial | 231 |
Pornographic | 185 |
Health | 108 |
Misc. | 57 |
Hardware/ software |
41 |
Attracting a partner | 40 |
Getting a degree | 40 |
Holidays | 6 |
I was slightly surprised at the results, since I'd always assumed that I got more pornographic spam than anything else (who knows - maybe I do!) but clearly this wasn't the case here - financial spam came way out on top of the list. What I did find interesting was that I didn't get a single 'Nigerian letter' offering me a share of $50,000,000, yet I often get several of these a day in my usual email account. So quite where these come from (and don't say 'Nigeria') I have no clue at all.
So where did the spam come from?
At last I was in a position to find out. The weeks of waiting, tossing and turning in bed, and counting spam emails instead of sheep was coming to an end. Eagerly I added up my columns of figures, desperate to reach a conclusion. Alright - it's not amazingly exciting, but I'm doing my best, ok? Actually, it was rather surprising.
Opt-out | 350 |
LIS-LINK mailing list |
244 |
Porn company | 36 |
My website | 26 |
Hotmail Directory | 18 |
Newsgroup | 17 |
Yahoo! group | 0 |
Control account | 0 |
By far and away the most spam came as a result of requesting not to receive anymore! This wasn’t actually that surprising, since I had a feeling that would be the case. However, the fact that a single posting to LIS-LINK resulted in 244 spam emails quite astonished me; almost 7 times the amount that I got from the pornographic site. (I should point out here that to be fair I discounted all the actual pornographic emails that I was sent, since I had in a way requested them – I just counted as spam anything that wasn’t pornography, ironically enough.) I was also surprised that my single posting to the Yahoo! group didn't result in any spam at all - perhaps I was just fortunate with the group that I chose.
I’m not going to pretend that my experiment was particularly scientific, but then it wasn’t really intended to be. However, I think it was rigorous enough to draw some interesting conclusions from it. Firstly, under no circumstances should you respond to a spam email and ask to be taken off a list. While you may get taken off that specific list it’s quite clear that you’re going to be added to plenty of others! Secondly, and perhaps rather worryingly, it does appear (from a spam standpoint) to be a very bad idea to post to mailing lists; certainly not those that have publically available archives. I don’t image that a spammer has actually bothered to join the list, but I think it’s more than possible that they send software to crawl through the archives and collect email addresses which are then added to their lists. Consequently, the more that you post, the more likely it is that you’re going to get spam – and quite a lot of it!
So who are the spam winners and losers?
Well, that's a question that I can give a very quick and easy answer to; we're the losers. Anyone with an email address that is publically available on the Internet is almost certainly going to get spam at some point. Probably sooner rather than later I'm afraid to say. And the winners? Anyone who has managed to sell a septic tank across the Internet I should imagine!
About Phil Bradley
Phil has been an Internet consultant for 7 years and is widely known in the UK and abroad as a result of his teaching sessions, talks and the books and articles he has published about (and on) the Internet. He is also a web designer and is also very cheerfully addicted to the Internet as a whole. When Phil isn't using the Internet for work purposes he uses it for leisure, which is terribly sad, but there you have it.
If you wish to email Phil, his email address is: philb at philb dot com (sorry about that, but I don't need any more spam than I usually get!
You are welcome to copy this article and put it onto your own website as long as you adhere to the following conditions:
- The article should be published exactly as is, with no editing
- The title on any linking text to it should read "The great spam experiment by Phil Bradley" (with or without quote marks)
- My copyright notice should appear at the bottom of the article (as shown below)
- A link to my website at http://www.philb.com/ should appear
- These conditions should appear at the bottom of the page.
© Phil Bradley 2002 This article was written on 10th October 2002.
Thanks for reading my post! If you enjoyed it or it helped you, please consider liking/tweeting this page, commenting, or following me on GitHub or Twitter!