E-mail address harvesting
From Wikipedia, the free encyclopedia
E-mail harvesting is the process of obtaining lists of e-mail addresses, by a variety of methods, for use in bulk e-mail or for other purposes usually grouped under the heading of spam.
Methods
The simplest method involves spammers purchasing or trading lists of e-mail addresses from other spammers.
Another common method is the use of special software known as "harvesting bots" or "harvesters", which spider Web pages, postings on Usenet, mailing list archives, and other online sources to obtain e-mail addresses from public data.
Spammers may also use a form of dictionary attack, known as a directory harvest attack, to discover valid e-mail addresses at a specific domain by brute-force guessing: addresses are built from common usernames and submitted to that domain's mail server. For example, the attacker tries alan@example.domain, alana@example.domain, alanb@example.domain, and so on; every address the recipient mail server accepts for delivery (rather than rejecting as unknown) is added to the list of presumably valid addresses for that domain. Because the accept/reject decision is normally returned while the attacker is still connected, each guess costs the attacker almost nothing and the mail server's own replies do the work of confirming the list.
Another method of e-mail address harvesting is to offer a product or service free of charge as long as the user provides a valid e-mail address, and then to use the addresses collected from users as spam targets. Commonly offered products and services include jokes of the day, daily Bible quotes, news or stock alerts, free merchandise, or even registered sex offender alerts for a given area. A related technique was used in late 2007 by the company iDate, which harvested addresses from subscribers to the Quechup website and then sent spam to those subscribers' friends and contacts.[1]
Legality
In Australia, the creation or use of e-mail address harvesting programs (address-harvesting software) is illegal under the 2003 anti-spam legislation (the Spam Act 2003).[1][2] The legislation covers e-mail with "an Australian connection": spam originating in Australia and sent elsewhere, and spam sent to an Australian address.
In The United States of America, the CAN-SPAM Act of 2003 [3] made it illegal to initiate e-mail to a recipient where the electronic mail address of the recipient was obtained:
- Using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
- Using an automated means from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.
Anti-harvesting Methods
An automated counter to automated e-mail address harvesters is list poisoning: serving pages that contain dynamically generated fake e-mail addresses, so that the harvested lists fill up with invalid addresses and, in theory, become useless. If the fake addresses are generated under a domain the defender controls, mail later sent to them also identifies the harvester's output.
On an individual level, users who post e-mail addresses on websites can obfuscate the address, for example by writing "bob@example.domain" as "bob at example dot domain", to keep it from being harvested by simple bots. Putting e-mail addresses in images instead of plain text is another technique. Both only defeat unsophisticated harvesters: a bot that reverses common textual obfuscations, or runs OCR on images, still recovers the address, and images are unusable for visitors who rely on screen readers.
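The two defenses above, list poisoning and textual obfuscation, as an added example that is not part of the original article. The trap domain, the HMAC key and the sample page are constructed for the demonstration. The block generates poison addresses whose local part is an HMAC tag (so mail later received at such an address proves it was lifted from the poisoned page, and which page), renders them as mailto links, and then runs two harvester regexes over a sample page to show that "bob at example dot domain" stops a naive bot but not one that reverses the obfuscation first:

```python
import hashlib
import hmac
import re

# Constructed secret key and trap domain for this example (not real infrastructure).
TRAP_KEY = b"example-list-poison-key"
TRAP_DOMAIN = "trap.example"

# The kind of address regex a simple harvesting bot applies to page text.
NAIVE_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Textual obfuscations ("bob at example dot domain", "(at)", "[dot]") that a
# slightly smarter harvester reverses before matching.
OBFUSCATION_RE = re.compile(r"\s*[\(\[]?\s*\b(at|dot)\b\s*[\)\]]?\s*", re.IGNORECASE)


def poison_address(page_id: str, slot: int) -> str:
    """Generate one fake address whose local part is an HMAC tag over (page, slot).

    Mail later sent to such an address proves it was lifted from the poisoned
    page, and the tag tells which page the harvester visited.
    """
    tag = hmac.new(TRAP_KEY, f"{page_id}:{slot}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{TRAP_DOMAIN}"


def is_poison_address(addr: str, page_id: str, slots: int) -> bool:
    """True if addr is one of the trap addresses generated for page_id."""
    return any(hmac.compare_digest(addr, poison_address(page_id, s)) for s in range(slots))


def poison_page(page_id: str, count: int = 20) -> str:
    """Render an HTML fragment of trap mailto links for harvesters to collect."""
    links = "".join(
        f'<li><a href="mailto:{poison_address(page_id, i)}">contact</a></li>'
        for i in range(count)
    )
    return f"<ul>{links}</ul>"


def deobfuscate(text: str) -> str:
    """Turn ' at ' / '(at)' / '[at]' into '@' and ' dot ' / '(dot)' / '[dot]' into '.'."""
    return OBFUSCATION_RE.sub(lambda m: "@" if m.group(1).lower() == "at" else ".", text)


def harvest_naive(html: str) -> list[str]:
    """What a simple bot extracts: plain addresses only."""
    return sorted(set(NAIVE_ADDRESS_RE.findall(html)))


def harvest_smarter(html: str) -> list[str]:
    """What a bot that understands common obfuscations extracts."""
    return harvest_naive(deobfuscate(html))


# Constructed sample page: one plain address and two obfuscated ones.
SAMPLE_PAGE = """
<p>Webmaster: bob@example.domain</p>
<p>Editor: alice at example dot domain</p>
<p>Press: carol (at) example [dot] domain</p>
"""

if __name__ == "__main__":
    print("naive bot:  ", harvest_naive(SAMPLE_PAGE))
    print("smarter bot:", harvest_smarter(SAMPLE_PAGE))
    poisoned = harvest_naive(poison_page("about", 5))
    print("from poisoned page:", poisoned)
    print("all trap addresses:", all(is_poison_address(a, "about", 5) for a in poisoned))
```

The poison addresses are deterministic per page and slot, so a mail server for the trap domain can verify an incoming recipient with is_poison_address without storing every address it ever published; a real deployment would also rotate the key and keep the trap domain out of any legitimate mail flow so that every message to it is known to be harvester traffic.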
A method that can be implemented on a website is to provide a contact form instead of an e-mail address. The contact form provides a textarea for the message and an input for the sender's e-mail address. The server-side script that processes the posted form data is then responsible for sending the actual message, so the recipient's e-mail address is never exposed. Contact forms have drawbacks of their own: the user cannot compose the message in their preferred e-mail client, and an insecure form is open to other kinds of automated abuse, for instance e-mail header injection (line breaks in a user-supplied field that add extra headers such as Bcc), which turns the form into a spam relay, or simply being submitted by bots in bulk.
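A server-side handler for such a contact form, as an added example that is not part of the original article. The recipient address, the honeypot field name "website" and the sample submissions are hypothetical. It keeps the recipient out of the HTML entirely, rejects header injection in the sender field, refuses submissions that fill a hidden honeypot field (a crude-bot tell), and puts the visitor's address in Reply-To rather than From so the outgoing mail does not fail the visitor's domain's SPF or DMARC policy:

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical recipient: lives only in server-side code, never in the HTML.
RECIPIENT = "webmaster@example.domain"

# Single bare address, no display name, no whitespace.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormError(ValueError):
    """Raised when a submission is rejected; the caller would return HTTP 400."""


def validate_sender(value: str) -> str:
    """Accept exactly one plain address.

    CR/LF in a header value is the classic e-mail header injection vector
    (an attacker appends 'Bcc: ...' to relay spam through the form), so it
    is rejected explicitly even though EmailMessage would also refuse it.
    """
    if "\r" in value or "\n" in value:
        raise FormError("line break in sender address")
    _, addr = parseaddr(value)
    if addr != value.strip() or not ADDRESS_RE.match(addr):
        raise FormError("malformed sender address")
    return addr


def build_message(form: dict, max_body: int = 4000) -> EmailMessage:
    """Turn posted form fields into the message the server will send."""
    # Hypothetical honeypot field: hidden from humans, filled in by crude bots.
    if form.get("website"):
        raise FormError("honeypot field filled")
    sender = validate_sender(form.get("email", ""))
    body = form.get("message", "")
    if not body.strip():
        raise FormError("empty message")
    if len(body) > max_body:
        raise FormError("message too long")

    msg = EmailMessage()
    msg["From"] = RECIPIENT     # our own address; the visitor's in From would fail SPF/DMARC
    msg["Reply-To"] = sender    # so the recipient can still answer the visitor
    msg["To"] = RECIPIENT
    msg["Subject"] = "Website contact form"   # fixed, not user-supplied
    msg.set_content(body)
    return msg


def accepts(form: dict) -> bool:
    """Convenience predicate: would this submission be sent?"""
    try:
        build_message(form)
        return True
    except FormError:
        return False


if __name__ == "__main__":
    ok = build_message({"email": "alice@example.domain", "message": "Hello, is the site still maintained?"})
    print(ok.as_string())
    # Constructed hostile and bot-like submissions.
    for bad in (
        {"email": "alice@example.domain\r\nBcc: victim@example.net", "message": "x"},
        {"email": "Alice <alice@example.domain>", "message": "x"},
        {"email": "alice@example.domain", "message": "x", "website": "http://spam.example"},
    ):
        try:
            build_message(bad)
        except FormError as e:
            print("rejected:", e)
```

Handing the returned message to smtplib (or a local sendmail) is the only step left out. The honeypot check is cheap but not sufficient on its own; a production form would add rate limiting per source address and, if abuse persists, a CAPTCHA.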
A method that can be implemented at the recipient mail server to combat directory harvest attacks is to reject every further recipient address as invalid from any sender that has already specified more than one invalid recipient address. Once that threshold is crossed the server's replies no longer distinguish real mailboxes from guesses, so the attacker's remaining guesses yield nothing.
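The directory harvest attack from the Methods section and the server-side counter just described, as an added example that is not part of the original article. The mailbox directory, the client address and the guess list are constructed. The block models the RCPT TO handling of a receiving server that counts unknown recipients per connection and, once the limit is exceeded, refuses every further recipient whether it exists or not; the simulated harvester is then run against an unlimited and a limited server to show how much of the directory it learns in each case:

```python
from dataclasses import dataclass, field

# Constructed directory of real mailboxes for the example domain.
VALID_MAILBOXES = {"alan@example.domain", "alanb@example.domain", "bob@example.domain"}


@dataclass
class SmtpSession:
    """Recipient-side RCPT TO handling for one client connection.

    Counts unknown recipients; once the client has named more than
    max_invalid of them, every further recipient, valid or not, is refused,
    so the client stops learning which addresses exist.
    """
    client_ip: str
    max_invalid: int = 1
    invalid_rcpt: int = 0
    accepted: list = field(default_factory=list)
    flagged: bool = False

    def rcpt_to(self, address: str) -> str:
        """Return the SMTP reply line for a RCPT TO:<address> command."""
        if self.flagged:
            # Temporary failure: a legitimate sender that merely mistyped
            # one address will retry later; a harvester learns nothing.
            return "450 4.7.1 Too many invalid recipients, try again later"
        if address in VALID_MAILBOXES:
            self.accepted.append(address)
            return "250 2.1.5 OK"
        self.invalid_rcpt += 1
        if self.invalid_rcpt > self.max_invalid:
            self.flagged = True
            return "450 4.7.1 Too many invalid recipients, try again later"
        return "550 5.1.1 User unknown"


def run_harvest(session: SmtpSession, guesses: list) -> list:
    """Simulate a directory harvest attack: return the guesses that got a 250."""
    return [g for g in guesses if session.rcpt_to(g).startswith("250")]


# Constructed guess list in the style the article describes.
GUESSES = [f"{name}@example.domain" for name in ("alan", "alana", "alanb", "alanc", "bob")]

if __name__ == "__main__":
    unprotected = SmtpSession("203.0.113.5", max_invalid=10**9)
    print("no limit:", run_harvest(unprotected, GUESSES))
    protected = SmtpSession("203.0.113.5")
    print("limit 1: ", run_harvest(protected, GUESSES), "flagged:", protected.flagged)
```

Two points a deployment has to add: the counter should be kept per sending host across connections, not just per session, because a harvester will simply reconnect after being refused; and the reply once flagged is a matter of policy, a temporary 4xx (as here) lets a careless but legitimate mail server retry, whereas the permanent 5xx that the article's wording implies bounces its mail outright.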
To obtain the protection against harvesting that the CAN-SPAM Act of 2003 offers, operators of web sites and online services should include a notice stating that the site or service will not give, sell, or otherwise transfer the addresses it maintains to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.
References
- ^ Arthur, Charles (2007-09-13). "Do social network sites genuinely care about privacy?". The Guardian. Retrieved 2007-10-30.

