The murky mechanics of spam harvesting and list seller operations explained

26 April 2011

If you're careful when publicising and giving out your new private email address, you may be surprised to see your mailbox filling up with spam anyway. Now security researcher Brian Krebs reckons he has the answer, and it's not as clear-cut as you might think.

According to the former Washington Post security writer, some of the more prolific spammers rely on bots that crawl millions of websites, scraping email addresses as they go.

"Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses", he explained.

Krebs says that one long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. Based in New Delhi, India, the service advertises its email lists as '100% opt-in and 100% to use.'

"I can't vouch for the company's claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters", he asserts in his latest security blog.

Krebs goes on to say that the site sells dozens of country-specific email lists, as well as specialist group lists, covering, as an example, a million insurance agent emails for $250.00.

$300.00 will let you reach 1.5 million farmers, whilst $400.00 buys the addresses of 4 million real estate agents, he notes.

"Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of six million prospective work-at-home US residents for just $99.00. A list of 1,041,977 US seniors (45–70 years old) is selling for $325.00", he says.

But here's where it gets interesting from a security perspective, Infosecurity notes, as the site also has 'cheap bulk emailing solutions' with 'bulletproof hosting' capable of generating messages to 1,000 recipients in a few seconds.

Unsurprisingly, despite persistent enquiries, Krebs was unable to track down the people behind the bulk emailing programs, but the conclusion is quite clear: spam will be with us for a very long time.

There is, he notes, a good chance that your email address is now a product in the underground marketplace.

"The next scam in your inbox may claim to have been sent by a banker or bureaucrat. But, the sender probably got your name from a wholesale list-seller, and not from a trusted friend. Of course, you know enough not to reply to these, don't you?", he says.

"On the other hand, if you don't care whether spammers have your address and you’re not easily spooked, you might be interested in following the folks over at 419eater.com, a group of activists who not only track the 419 scammers but attempt to turn the tables on them", he adds.

"My favourite sections of that site are the 419 Eater Hall of Shame and the Letters area."

 
