Monday, March 18, 2013

How does an email account get hacked?

  1. Spammers will illegally buy lists of real people's email addresses.
  2. Spammers will use "harvesting" programs that scour the Internet the way a search-engine crawler does, copying any text that contains the "@" character.
  3. Spammers will use "dictionary" (brute force) programs, just as password-guessing hackers do.
  4. You will unwittingly volunteer your email address to dishonest subscribe/unsubscribe online services.

Buying illegal lists of real people's email addresses is surprisingly commonplace. Dishonest employees of ISPs will sometimes sell information that they take from their work servers; such lists change hands on eBay or on the black market. From outside the ISP, hackers can also break in, steal ISP customer lists, and then sell those addresses to spammers.

Harvesting programs, aka "crawl and scrape" programs, are also commonplace. Any text on a web page that contains the "@" character is fair game for these programs, and lists of thousands of addresses can be harvested within an hour by these robotic harvesting tools.

Dictionary programs (brute force programs) are the third means of obtaining spam target addresses. Just like hacker programs, these products generate alphabetic/numeric combinations of addresses in sequence. While many of the results are invalid, these dictionary programs can create hundreds of thousands of addresses per hour, guaranteeing that at least some will work as targets for spam.

Lastly, dishonest subscribe/unsubscribe newsletter services will also sell your email address for a commission. A very common unsubscribe tactic is to blast millions of people with a false "you have joined a newsletter" email. When users click on the "unsubscribe" link, they are actually confirming that a real person exists at their email address.

Ques: How do I defend against spammers harvesting my email address?

Ans: There are multiple manual techniques to hide yourself from spammers:

  1. Disguise your email address using obfuscation
  2. Use a disposable email address
  3. Use an email address encoding tool for publishing your address on your website or blog
  4. Avoid confirming an "unsubscribe" request from a newsletter you do not know. Simply delete the email.

Ques: What happens when the spammer gets my email address?
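Techniques 1 and 3 above (obfuscation and an encoding tool for addresses published on a website) can be combined in a few lines. The following is an added example and not code from the original post: it encodes each character of an address as an HTML numeric character reference, so the raw page source never contains a literal "@" for a "crawl and scrape" program to match, while a browser still renders and links the address normally. The function names, the `exposesPlainAddress` audit check, and the sample address are my own constructions.

```javascript
// Added example (not from the original post): encode an email address as HTML
// numeric character references so the page source never contains a literal "@".
function encodeEmailEntities(address) {
  let out = "";
  for (const ch of address) {
    out += "&#" + ch.codePointAt(0) + ";";   // e.g. "@" becomes "&#64;"
  }
  return out;
}

// Reverse the encoding, which is what a browser does when it renders the page.
// Used here only to verify that the encoded form round-trips to the original.
function decodeEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Build a mailto link whose href and visible text are both encoded. Browsers
// decode character references inside attribute values, so the link still works.
function mailtoLink(address) {
  const enc = encodeEmailEntities(address);
  return `<a href="mailto:${enc}">${enc}</a>`;
}

// Defensive audit for your own pages: does a fragment of markup still expose a
// plain-text address of the kind a naive "@"-matching harvester would copy?
const PLAIN_ADDRESS = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
function exposesPlainAddress(html) {
  return PLAIN_ADDRESS.test(html);
}

// Constructed sample address for demonstration only (hypothetical).
const SAMPLE = "alice@example.com";

// Stand-alone run: show the encoded link and the audit result for both forms.
console.log(mailtoLink(SAMPLE));
console.log("plain exposed:", exposesPlainAddress("Contact: " + SAMPLE));
console.log("encoded exposed:", exposesPlainAddress(mailtoLink(SAMPLE)));
```

The audit check is the part worth keeping in a publishing workflow: run it over rendered page templates before they go live, and treat any match as an address that needs encoding or a contact form instead. The caveat is that character-reference encoding only defeats scrapers that match raw source text; a harvester that decodes entities or drives a real browser will still read the address, so this raises the cost of harvesting rather than eliminating it, which is why the post also lists disposable addresses as a separate technique.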

Ans: Spammers feed your email address to their spamming software ("ratware"), and then will often use botnets and falsified sender addresses to spam you.

Next: how spammers and ratware users will attack you...