According to the former Washington Post security writer, some of the more prolific spammers rely on bots that crawl millions of websites, scraping email addresses as they go.
"Others turn to sellers on underground cybercrime forums. Additionally, there are a handful of open-air markets where lists of emails are sold by the millions. If you buy in bulk, you can expect to pay about a penny per 1,000 addresses", he explained.
Krebs says that one long-running, open-air bazaar for email addresses is LeadsAndMails.com, which also goes by the name BuyEmails.org. Based in New Delhi, India, the service advertises its email lists as '100% opt-in and 100% to use.'
"I can't vouch for the company's claims, but one thing seems clear: Many of its clients are from Nigeria, and many are fraudsters", he asserts in his latest security blog.
Krebs goes on to say that the site sells dozens of country-specific email lists, as well as specialist group lists, covering, as an example, a million insurance agent emails for $250.00.
$300.00 will let you reach 1.5 million farmers, whilst $400.00 closes on 4 million real estate agents, he notes.
"Need to recruit a whole mess of money mules right away? No problem: You can buy the email addresses of six million prospective work-at-home US residents for just $99.00. A list of 1,041,977 US seniors (45–70 years old) is selling for $325.00", he says.
But here's where it gets interesting from a security perspective, Infosecurity notes, as the site also has 'cheap bulk emailing solutions' with 'bulletproof hosting' capable of generating messages to 1,000 recipients in a few seconds.
Unsurprisingly, even in the face of Krebs' persistent enquiries, he was unable to track down the people behind the bulk emailing programs, but the conclusion is quite clear, namely that spam is with us for a very long time.
There is, he notes, a good chance that your email address is now a product in the underground marketplace.
"The next scam in your inbox may claim to have been sent by a banker or bureaucrat. But, the sender probably got your name from a wholesale list-seller, and not from a trusted friend. Of course, you know enough not to reply to these, don't you?", he says.
"On the other hand, if you don't care whether spammers have your address and you’re not easily spooked, you might be interested in following the folks over at 419eater.com, a group of activists who not only track the 419 scammers but attempt to turn the tables on them", he adds.
"My favourite sections of that site are the 419 Eater Hall of Shame and the Letters area."