Surprising Spam

Have you ever wondered how a SPAM sender got your email address?

For the past 15 years, I’ve used a different email address every time I filled out a webform . This way, whenever I get a SPAM I can look at the address the SPAM was sent to and know how the sender found out about me.

It is interesting to see where the leaks come up. Here is a short list of some of the people who (willingly or unwillingly) ratted me out to spammers…. (11/3/2019)
AA.COM (added 2/19/2021) (added 4/11/2018) (added 5/15/2019)
AUDIOGO.COM (added 5/6/2015)
BARCODE-US.COM (11/28/2018)
BMWMOA.ORG (added 4/11/2018) (from newsletter, added 5/23/2021)
BUYERZONE.COM (9/6/2023) (added 3/24/2020)
CHECKS.COM (added 6/12/2019)*
DERMSTORE.COM (1/18/2013)
E-COUNTERS.COM (1/9/2014)
ELMSOFT.COM (11/5/2019) (10/19/10)
ESUPPORT.COM (4/2/2019)
FOSCAM.US (added 4/28/2015) (4/10/2019)
FRIENDSTER.COM (added 6/23/2014)
HELLODIRECT.COM (added 3/4/2019)
INFOQ.COM (3/1/2016)
IRR.COM (added 11/24/2022)
LENS.COM (5/10/2019)
LEXUSOFENGLEWOOD.COM (added 4/25/2014)
LPNY.ORG (added 11/3/2022)
MASALAMAC.COM (added 11/7/2022 - restaurant that went out of business long ago)
MYSPACE.COM (3/19/2016)
PLOTLY.COM (added 4/5/2022 [8 year sleeper!])
SHAPESHOT.COM (12/27/2015)
SHEIN.COM (10/5/2019)
SIMPLE.COM (3/8/2016) (added 12/30/2020 [11 year sleeper!])
SMITHMICRO.COM (added 4/9/2014)
SPEAKEASY.NET (added 10/14/2020)
STARBOOTH.COM (added 9/17/2020) (added 3/25/2022 [7 year sleeper!])
SUPERMAGNETMAN.NET (added 2/2/2015)
TUMBLR.COM (12/31/2018)
VAADIN.COM (2/28/2023)
WALLHOGS.COM (added 11/7/2010)
WEWORK.COM (added 10/20/2020)
WSJ.COM (added 2/8/2014)

If you’ve ever given your email address to any of these websites, then it is likely that you can thank them for some of the spams you now get every day. I am talking about hardcore SPAM like offers for Viagra, porn, or African money transfers and not just unwanted emails that might be semi-related to the website that you originally gave your address to.

Some of these sites might intentionally sell or give their email lists to SPAMers, but I suspect that many had their lists hacked or got a virus on a machine that has access to their list. Either way, it makes it hard to trust the company that let it happen.

I typically kill a compromised address as soon as it starts getting spam, but sometimes I want to keep getting the real emails from the original website so I’ll go in and update my account with a brand new, unique email address. Sadly, I often soon start getting spams on the new email address, indicating that the leak was not a one-time event.

BTW, I also use a unique hash for the return address on every email I send out. This lets me know instantly whenever anyone I know gets a virus, uploads their contacts to a website that then sends out splash emails, or falls for a Facebook/GMAIL phishing scam. It happens way too often.

*I signed up for updates on DailyMotion on 6/20/2008(!) and then never clicked the opt-link and so never got a single email on this address for more than a decade before getting a standard “I recorded you watching porn” spam. Talk about sleeper cell address!


  1. Dan

    Your list is quite surprising. Especially Lifelock, who claim to guard your Identity. Thanks for posting!

    • bigjosh2

      Yep. I think LifeLock leaked email addresses during the class action suit in 2010. The settlement was on 4/30/2010 and the first spam was on 6/30/2010.

      They probably gave a list of all their customers to a law firm and someone at there had a virus or sold the list.

  2. Josh

    >>BTW, I also use a unique hash for the return address on every email I send out.

    How do you do this thing?

    • bigjosh2

      Right now it is a combination of some code on running on my local machine and some scripts of the email server, but it would easily be made into a general purpose product where you would just set your outbound SMTP server to point to my service and I do all the work for you. I should have made this decades ago. I can’t believe GMAIL has not done it yet!

    • bigjosh2

      Some more (comically dated!) info on how this works…

      My system has evolved to be overly complicated, but it works so I do not mess with it. Today you could easily recreate this using one of the many fine Node-based SMTP servers and give it a nice web interface. LMK if you do build it because someday I will have to retire my current system!

      • John B

        Hi Josh, you are way ahead of me on internet savvy, but I am surprised by our post about how to eliminate spam. I think you are the one who wrote that you create a different e-mail address each time you sign up, allowing you to trace new spam. I am curious what you are doing that brings in so much spam. I use gmail and get hardly any spam. It does not bother me. Perhaps it is because you might get 100’s of e-mails per day. I get relatively few (under 30 per day).

        • bigjosh2

          Everyone gets lots of spam, and GMAIL does a great job filtering it so you never see it. Unfortunately it also does a great job filtering non-spam, and sometimes even does so completely silently. If you depend on receiving emails in a timely fashion (or even just getting all your emails at all), then GMAIL sadly is not a viable option. This is such a shame because GMAIL is so huge that they could effectively eliminate all SPAM if they wanted to but instead they choose to do what they do now, likely for strategic reasons. Right now the only reliable way to get an email delivered to a GMAIL account is to send it from a GMAIL account, so this nudges people who are sick of their real emails getting filtered into switching to GMAIL just to reduce their pain. I myself have a GMAIL account for no other reason than to send emails that start with “Looks like you did not get the email I send you a week ago because GMAIL filtered it, so I have pasted it below. Please reply back to my non-GMAIL address.” Causing pain to the world for strategic reasons is evil, but unfortunately Google has made a habit of it. :(

  3. mia

    Holy shit…Dude, I thought I was the only one. I use Spamgourmet and I got spam 1-3 years ago with the very unique “simple” email address I created. The email contained a malicious javascript (.js) file attached. I called Simple telling them they were hacked and that the same thing has happened in the past with other companies (dropbox). They forwarded my email to their security dept who analyzed and confirmed it was malware but said the spammers might have “guessed” the email (sigh). They said they had no other reports. Your report sheds some serious spotlight back on their email database being hacked.

    The reason it’s just come up now is I got an obvious Dropbox phishing attempt and malicious PHP redirect from my simple address. I google hacked and found your post.

    • bigjosh2

      I’ve gotten the same response from companies when I’ve tried to tell them that they’ve had a breach – and my addresses are extremely unlikely to have been “guessed”. If I was CEO of a company, I’d set up a bunch of gmail addresses and secretly use them to sign up for stuff with my own company. If I ever got a spam or unexpected email on one of those addresses, send to my security people and tell them someone reported a breach on that address. If they said, “Oh that’s just a crackpot reporting that, we have no breach” then I’d fire those security people.

    • bigjosh2

      Looks like we’ve been basically using the strategy, and I also started back in 1996! :)

      Do you maintain a public list anywhere of all the people who ratted out your addresses? It would be interesting to see the overlap!

Leave a Reply