Email-address harvesting

From Wikipedia, the free encyclopedia
Process of collecting email addresses, typically for email spam

Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.

Methods


The simplest method involves spammers purchasing or trading lists of email addresses from other spammers.

Another common method is the use of special software known as "harvesting bots" or "harvesters", which crawl Web pages, postings on Usenet, mailing list archives, internet forums and other online sources to obtain email addresses from public data.

Spammers may also use a form of dictionary attack in order to harvest email addresses, known as a directory harvest attack, where valid email addresses at a specific domain are found by guessing email addresses built from common usernames at that domain. For example, the attacker tries alan@example.com, alana@example.com, alanb@example.com, and so on; any address that the recipient email server accepts for delivery, rather than rejecting, is added to the list of theoretically valid email addresses for that domain.

Another method of email address harvesting is to offer a product or service free of charge as long as the user provides a valid email address, and then use the addresses collected from users as spam targets. Common products and services offered are jokes of the day, daily bible quotes, news or stock alerts, free merchandise, or even registered sex offender alerts for one's area. Another technique was used in late 2007 by the company iDate, which used email harvesting directed at subscribers to the Quechup website to spam the victim's friends and contacts.[1]

Harvesting sources


Spammers may harvest email addresses from a number of sources. A popular method uses email addresses which their owners have published for other purposes. Usenet posts, especially those in archives such as Google Groups, frequently yield addresses. Simply searching the Web for pages with addresses — such as corporate staff directories or membership lists of professional societies — using spambots can yield thousands of addresses, most of them deliverable. Spammers have also subscribed to discussion mailing lists for the purpose of gathering the addresses of posters. The DNS and WHOIS systems require the publication of technical contact information for all Internet domains; spammers have illegally trawled these resources for email addresses. Spammers have also concluded that generally, for the domain names of businesses, all of the email addresses will follow the same basic pattern and thus are able to accurately guess the email addresses of employees whose addresses they have not harvested. Many spammers use programs called web spiders to find email addresses on web pages. Usenet article message-IDs often look enough like email addresses that they are harvested as well. Spammers have also harvested email addresses directly from Google search results, without actually spidering the websites found in the search.

Spammer viruses may include a function which scans the victimized computer's disk drives (and possibly its network interfaces) for email addresses. These scanners discover email addresses which have never been exposed on the Web or in WHOIS. A compromised computer located on a shared network segment may capture email addresses from traffic addressed to its network neighbors. The harvested addresses are then returned to the spammer through the botnet created by the virus. In addition, the addresses may sometimes be appended with other information and cross-referenced to extract financial and personal data.

A recent, controversial tactic, called "e-pending", involves the appending of email addresses to direct-marketing databases. Direct marketers normally obtain lists of prospects from sources such as magazine subscriptions and customer lists. By searching the Web and other resources for email addresses corresponding to the names and street addresses in their records, direct marketers can send targeted spam email. However, as with most spammer "targeting", this is imprecise; users have reported, for instance, receiving solicitations to mortgage their house at a specific street address — with the address being clearly a business address including mail stop and office number.

Spammers sometimes use various means to confirm addresses as deliverable. For instance, including a hidden Web bug in a spam message written in HTML may cause the recipient's mail client to transmit the recipient's address, or any other unique key, to the spammer's Web site.[2] Users can defend against such abuses by turning off their mail program's option to display images, or by reading email as plain text rather than formatted.

Likewise, spammers sometimes operate Web pages which purport to remove submitted addresses from spam lists. In several cases, these have been found to subscribe the entered addresses to receive more spam.[3]

When a person fills out a web form, the submitted address is often sold to a spammer using a web service or HTTP POST to transfer the data. This happens immediately and places the address in various spammer databases. The revenue made by the spammer is shared with the source. For instance, if someone applies online for a mortgage, the owner of that site may have made a deal with a spammer to sell the address. Spammers consider these the best email addresses, because they are fresh and the user has just signed up for a product or service that is often marketed by spam.

Legality


In many jurisdictions there are anti-spam laws in place that restrict the harvesting or use of email addresses.

In Australia, the creation or use of email-address harvesting programs (address harvesting software) is illegal, according to the 2003 anti-spam legislation, only if it is intended to use the email-address harvesting programs to send unsolicited commercial email.[4][5] The legislation is intended to prohibit emails with 'an Australian connection' - spam originating in Australia being sent elsewhere, and spam being sent to an Australian address.

New Zealand has similar restrictions contained in its Unsolicited Electronic Messages Act 2007.[6] In the United States of America, the CAN-SPAM Act of 2003[7] made it illegal to initiate commercial email to a recipient where the email address of the recipient was obtained by:

  • Using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.
  • Using an automated means to extract electronic mail addresses from an Internet website or proprietary online service operated by another person, and such website or online service included, at the time the address was obtained, a notice stating that the operator of such website or online service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.

Furthermore, website operators may not distribute their legitimately collected lists. The CAN-SPAM Act of 2003 requires that operators of web sites and online services should include a notice that the site or service will not give, sell, or otherwise transfer addresses, maintained by such website or online service, to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.

Countermeasures

Address munging
Address munging—e.g., changing "bob@example.com" to "bob at example dot com"—is a common technique to make harvesting email addresses more difficult. Though relatively easy to overcome, it is still effective.[8][9] It is somewhat inconvenient to users, who must examine the address and manually correct it.
Images
Using images to display part or all of an email address is a very effective harvesting countermeasure. The processing required to automatically extract text from images is not economically viable for spammers. It is very inconvenient for users, who type the address in manually.
Contact forms
Email contact forms which send an email but do not reveal the recipient's address avoid publishing an email address in the first place. However, this method prevents users from composing in their preferred email client, limits message content to plain text - and does not automatically leave the user with a record of what they've said in their "sent" mail folder.
JavaScript obfuscation
JavaScript email obfuscation produces a normal, clickable email link for users while obscuring the address from spiders. In the source code seen by harvesters, the email address is scrambled, encoded, or otherwise obfuscated.[8] While very convenient for most users, it does reduce accessibility, e.g. for text-based browsers and screen readers, or for those not using a JavaScript-enabled browser.[10]
HTML obfuscation
In HTML, email addresses may be obfuscated in many ways, such as inserting hidden elements within the address or listing parts out of order and using CSS to restore the correct order. Each has the benefit of being transparent to most users, but none support clickable email links and none are accessible to text-based browsers and screen readers.
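The JavaScript obfuscation and address munging countermeasures above, as an added example that is not from the Wikipedia article: the address is stored as hex character codes (a shape-preserving scheme such as ROT13 would still leave a user@host pattern in the source), a munged plain-text copy sits in `<noscript>` for users without JavaScript, and a final check tests whether a simple address pattern still matches the rendered markup. All function names are this example's own.

```javascript
// Added example (not from the Wikipedia article): JavaScript obfuscation with
// an address-munging fallback. Function names are this example's own.

// Store the address as comma-separated hex character codes so that no
// user@host-shaped string remains in the page source.
function encodeAddress(address) {
  return Array.from(address, (c) => c.charCodeAt(0).toString(16)).join(',');
}

function decodeAddress(enc) {
  return enc.split(',').map((h) => String.fromCharCode(parseInt(h, 16))).join('');
}

// Munged plain-text form for text browsers and screen readers, the
// accessibility cost the article notes: "bob@example.com" -> "bob at example dot com".
function mung(address) {
  return address.replace('@', ' at ').replace(/\./g, ' dot ');
}

// Markup to embed in a page: the plain address appears nowhere in the source.
function obfuscatedLink(address, label) {
  return `<a href="#" class="mailto" data-enc="${encodeAddress(address)}">${label}</a>` +
    `<noscript>${mung(address)}</noscript>`;
}

// Browser side: once the page loads, turn each placeholder into a real mailto:
// link. `doc` is the DOM document, passed in so the function can be exercised
// outside a browser.
function revealLinks(doc) {
  for (const a of doc.querySelectorAll('a.mailto')) {
    a.href = 'mailto:' + decodeAddress(a.dataset.enc);
  }
}

// Check a site operator can run over rendered HTML: does a simple address
// pattern, the kind a harvesting bot greps for, still match anything?
const ADDRESS_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;
function looksHarvestable(html) {
  return ADDRESS_RE.test(html);
}
```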
CAPTCHA
Requiring users to complete a CAPTCHA before giving out an email address is an effective harvesting countermeasure. A popular solution is the reCAPTCHA Mailhide service. (Note, 12.9.18: Mailhide is no longer supported.)[11]
CAN-SPAM Notice
To enable prosecution of spammers under the CAN-SPAM Act of 2003, a website operator must post a notice that "the site or service will not give, sell, or otherwise transfer addresses maintained by such website or online service to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages."[12]
Mail Server Monitoring
Email servers use a variety of methods to combat directory harvesting attacks, including refusing to communicate with remote senders that have specified more than one invalid recipient address within a short time, but most such measures carry the risk of legitimate email being disrupted.
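Detection of the directory harvest attack from the Methods section, using the mail-server monitoring approach just described, as an added example that is not from the Wikipedia article. The log lines are constructed in a simplified Postfix-like layout with addresses from documentation ranges; counting distinct invalid recipients per client in a sliding window, with a tunable threshold, is how it keeps a sender that merely mistyped one address from being blocked. Function names are this example's own.

```javascript
// Added example (not from the Wikipedia article): flag directory harvest
// attacks from "user unknown" rejects in mail-server logs.
const REJECT_RE =
  /^(\S+) \S+ \S+ NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: 550 5\.1\.1 <([^>]+)>/;

// Parse one line into {time, client, recipient}; other log lines yield null.
function parseReject(line) {
  const m = REJECT_RE.exec(line);
  if (!m) return null;
  return { time: Date.parse(m[1]), client: m[2], recipient: m[3].toLowerCase() };
}

// Per client, count DISTINCT invalid recipients inside a sliding window.
// The article's policy is "more than one"; a higher threshold trades some
// detection for fewer disruptions of legitimate mail. Returns Map(client -> peak count).
function findDirectoryHarvesters(lines, { windowSec = 60, threshold = 3 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const r = parseReject(line);
    if (!r) continue;
    if (!byClient.has(r.client)) byClient.set(r.client, []);
    byClient.get(r.client).push(r);
  }
  const flagged = new Map();
  for (const [client, events] of byClient) {
    events.sort((a, b) => a.time - b.time);
    let peak = 0;
    for (let i = 0; i < events.length; i++) {
      const seen = new Set();
      for (let j = i; j < events.length && events[j].time - events[i].time <= windowSec * 1000; j++) {
        seen.add(events[j].recipient);
      }
      peak = Math.max(peak, seen.size);
    }
    if (peak >= threshold) flagged.set(client, peak);
  }
  return flagged;
}

// Constructed sample log: one client walks alan, alana, alanb, alanc within
// seconds (the pattern from the Methods section); another retries a single typo.
const SAMPLE_LOG = [
  '2024-03-03T10:00:01Z mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown',
  '2024-03-03T10:00:02Z mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alana@example.com>: Recipient address rejected: User unknown',
  '2024-03-03T10:00:02Z mx postfix/smtpd[4021]: connect from unknown[203.0.113.5]',
  '2024-03-03T10:00:03Z mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alanb@example.com>: Recipient address rejected: User unknown',
  '2024-03-03T10:00:04Z mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alanc@example.com>: Recipient address rejected: User unknown',
  '2024-03-03T10:05:00Z mx postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <bob.smtih@example.com>: Recipient address rejected: User unknown',
  '2024-03-03T10:05:30Z mx postfix/smtpd[4022]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <bob.smtih@example.com>: Recipient address rejected: User unknown',
];
```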
Spider Traps
A spider trap is a part of a website which is a honeypot designed to combat email harvesting spiders.[13] Well-behaved spiders are unaffected, as the website's robots.txt file will warn spiders to stay away from that area—a warning that malicious spiders do not heed. Some traps block access from the client's IP as soon as the trap is accessed.[14][15][16] Others, like a network tarpit, are designed to waste the time and resources of malicious spiders by slowly and endlessly feeding the spider useless information.[17] The "bait" content may contain large numbers of fake addresses, a technique known as list poisoning, though some consider this practice harmful.[18][19][20][21]

References

  1. Arthur, Charles (2007-09-13). "Do social network sites genuinely care about privacy?". The Guardian. Archived from the original on 2016-12-22. Retrieved 2007-10-30.
  2. Heather Harreld (5 December 2000). "Embedded HTML 'bugs' pose potential security risk". InfoWorld. Archived from the original on 2006-12-10. Retrieved 2007-01-06.
  3. "Spam Unsubscribe Services". The Spamhaus Project Ltd. 29 September 2005. Archived from the original on 2009-03-09. Retrieved 2007-01-06.
  4. "EFA Analysis of Australian Spam Bills 2003". efa.org.au. Electronic Frontiers Australia. 2003-11-01. Address Harvesting Software and Lists. Archived from the original on 2021-05-04.
  5. "Australia slams the door on spam". 2003-08-18. Archived from the original on 2007-02-03. Retrieved 2021-07-04.
  6. "Unsolicited Electronic Messages Act 2007 No 7, Public Act Subpart 2—Address-harvesting software and harvested-address lists". legislation.govt.nz. Archived from the original on 2021-02-17. Retrieved 2021-07-04.
  7. "Public Law 108–187" (PDF). Archived (PDF) from the original on 2006-01-04. Retrieved 2007-05-28.
  8. Silvan Mühlemann, 20 July 2008, Nine ways to obfuscate e-mail addresses compared.
  9. Hohlfeld, Oliver; Graf, Thomas; Ciucu, Florin (2012). Longtime Behavior of Harvesting Spam Bots (PDF). ACM Internet Measurement Conference. Archived (PDF) from the original on 2014-07-25. Retrieved 2014-07-18.
  10. Roel Van Gils, A List Apart, 6 November 2007, Graceful Email Obfuscation. Archived 2011-02-22 at the Wayback Machine.
  11. "Mailhide: Free Spam Protection". Retrieved 18 March 2023.
  12. "15 U.S. Code § 7704 - Other protections for users of commercial electronic mail". Archived 2016-09-19 at the Wayback Machine, Section a.4.b.1.A.i.
  13. SEO Glossary. Archived 2010-12-28 at the Wayback Machine: "A spider trap refers to either a continuous loop where spiders are requesting pages and the server is requesting data to render the page or an intentional scheme designed to identify (and "ban") spiders that do not respect robots.txt."
  14. [1]. Archived 2008-05-17 at the Wayback Machine. A Spider Trap which bans clients which access it.
  15. Thomas Zeithaml, Spider Trap: How It Works. Archived 2018-04-11 at the Wayback Machine.
  16. Ralf D. Kloth, Trap bad bots in a bot trap. Archived 2006-01-17 at the Wayback Machine.
  17. "How to keep bad robots". fleiner.com. Archived from the original on 18 March 2023. Retrieved 18 March 2023.
  18. Ralf D. Kloth, Fight SPAM, catch Bad Bots. Archived 2006-06-01 at the Wayback Machine: "Generating web pages with long lists of fake addresses to spoil the spam bot's address data base is not encouraged, because it is unknown if the spammers really care and on the other hand, the use of those addresses by spammers will cause additional traffic load on network links and involved innocent third party servers."
  19. Harvester Killer: generates fake emails and traps spiders in an endless loop.
  20. "Portability Support: Spider Blocking => Spider Trap - Detects and blocks bad bots". Archived from the original on 2011-07-06. Retrieved 2011-02-12. A Spider Trap which generates 5,000 fake email addresses and blocks the client from further access.
  21. robotcop.org. Archived 2019-10-20 at the Wayback Machine: "Webmasters can respond to misbehaving spiders by trapping them, poisoning their databases of harvested e-mail addresses, or simply block them."
Retrieved from "https://en.wikipedia.org/w/index.php?title=Email-address_harvesting&oldid=1314608690"