Tuesday, September 22, 2009

How come I get email (Spam) that's not addressed to me?

I've been asked about this so often that I thought I'd compile some info on the subject to clarify it.

*Spammers* are doing everything they can to get their garbage in front of you. And that means using and abusing every tool at their disposal. One of those tools is something that's available to you and me (*actually I just used it in this email*) when we send messages as well.

You were "BCC'ed" on the spam.

"BCC" for "Blind Carbon Copy" is a technique to send someone an email without their email address appearing on the message.

Typically, email programs like Outlook or Thunderbird have, in addition to the "To:" and "Cc:" fields, a "Bcc:" field that can be filled in as well.
Although you likely know this already, here is a quick primer:

*To:* is one or more direct recipients for the message.

*Cc:* is one or more recipients who also get the message. While the message is not directed "at" them, they also receive it. Often people use this as an "FYI" so that others see the message. Any Cc: recipients are displayed in the message on the Cc: line.

*Bcc:* is one or more recipients who also get the message. This is exactly like Cc: except that the list of people receiving the message via Bcc is *not* included in the message when it is sent. Upon receipt there's no way to tell who, how many, or even if any Bcc: addresses were used when the message was sent.
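One way to see this on a received message, as an added example that is not part of the original post: parse the headers and check whether the mailbox's own address appears in To: or Cc: at all. The two sample messages and the address "me@example.com" are constructed for the demonstration; a real check would read the raw message from the mailbox and the address from the account settings.

```python
"""Flag messages that reached the mailbox without naming it in To:/Cc:.

Added example, not from the original post. The sample messages and the
address "me@example.com" are constructed; a real check would read the raw
message from the mailbox and the address from the account configuration.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a normal message that names the recipient directly.
DIRECT_MSG = """\
From: friend@example.org
To: Me <me@example.com>
Subject: lunch

See you at noon.
"""

# Constructed sample: what a Bcc'ed bulk message looks like on receipt.
# The sender shows a placeholder To: and the real recipient list never appears.
BCC_MSG = """\
From: deals@example.net
To: undisclosed-recipients:;
Subject: You have been selected

Click here.
"""


def visible_recipients(raw: str) -> set[str]:
    """Return the lowercased addresses that appear in the To: and Cc: headers."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # getaddresses() handles display names, angle brackets and empty groups.
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def delivered_via_bcc(raw: str, my_address: str) -> bool:
    """True when the receiving mailbox is not named in To: or Cc:.

    That is exactly how Bcc delivery looks from the recipient's side: the
    message arrived, but the visible headers never mention this address.
    """
    return my_address.lower() not in visible_recipients(raw)


if __name__ == "__main__":
    for label, raw in (("direct", DIRECT_MSG), ("bulk", BCC_MSG)):
        verdict = "bcc-delivered" if delivered_via_bcc(raw, "me@example.com") else "addressed to me"
        print(f"{label}: {verdict}")
```

A hit on this check is a useful input to a spam filter, not proof of spam on its own: legitimate mailing lists and forwarded mail also land in a mailbox without naming it.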

Because this comes up time and time again, let me be clear about this fact:

*Spammers* use this technique to send one message to perhaps *hundreds of thousands of people at a time*, because actually listing all those addresses as Cc: or To: makes the message more likely to be flagged as spam. Since there's no way to tell when you get the message that Bcc: was used, the fact that it might have been can't factor into figuring out whether or not it's spam.

And those hundreds of messages might well be what's called a *"dictionary attack"* or the like, meaning that they just try variations on email names in the hope that one or more will actually reach a real person. For example, they might try "johnny@", "jkessel@", and so on, on any of my domains. Some might work, some might not, but there's no added cost to the spammer to try 'em all. Most might well be hidden in the Bcc: that you can't see.

Ultimately, there's nothing you can really do specifically about this situation. Flag it as spam, if your email program supports that, and the other factors and characteristics of the message will likely be added to the database of what looks like spam to you, and maybe the next one will get flagged automatically. Remember, these are professional spammers using massive custom-built email servers that churn out millions of emails a day. Instead of BCC'ing their contact lists from Outlook, they have a large SQL database of millions of records running behind custom software culling opt-in lists, marketing contests and all the other "FREE" offers used as harvesting tools. Remember this the next time you sign up for a Facebook app, a free download, or a quiz for a free magazine subscription! Scary? ...kinda, but very effective!

Should I "reply to remove"?

As you may have noticed with many of the spam messages you receive, the "From", "Reply-To" and "To" headers point to addresses that are obviously fake. In many cases, trying to respond to the address in the "From" header results in your message being "bounced" back to you as undeliverable.

In other cases, you may discover that you are able to reply to an unwanted message. In fact, the message may actually give you "removal instructions" or invite you to "reply to be removed" from the spammer's mailing list. However, replying to spam, or even following the sender's instructions for "removal," may actually /increase/ the amount of spam you get in the long run. By letting the spammer know that you've received the message, even though you are expressing disapproval at receiving it, you are confirming for them that your e-mail address is valid and that you read messages sent to that address. Unfortunately, many spammers do track which addresses write them back (regardless of the content of the reply) and use this information to update their mailing lists. Some even then turn around and sell these lists to other spammers.

*In short, avoid attempting to reply to or contact the spammer by e-mail.*