How do spammers get our names and our email IDs of "me and my friend"?

  • Thread starter Frodo
  • #1
87
35

Summary:

How do spammers get our names and our email IDs of "me and my friend" so they can send an email to me purporting to be from my friend?
I often receive a spam email sent to me, Frodo <me@example.com>, and purporting to come from a friend of mine, Tom Thumb, whose ID is Tom <my_friend@anymail.com>.

I am sure it isn't random chance as I don't get similar emails from people I don't know.

How does the spammer work out that
  • Frodo and Tom know each other,
  • Tom's surname is Thumb, and
  • get both their email IDs?
The only way I can think is if the spammer has access to an email server and watches the emails passing through the server. He can then see an email from Frodo <me@example.com> sent to my nickname Tom Thumb <my_friend@anymail.com>. He now has our two names, Tom's surname, and our two email ID's to work with.

Is this possible? Probable? Or is there another way? I have changed the names below to protect the innocent.

Clipboard01.gif
 

Answers and Replies

  • #2
Stephen Tashi
Science Advisor
7,458
1,409
The only way I can think is if the spammer has access to an email server and watches the emails passing through the server.
Someone who can hack into one email account can look at addresses of the emails it sent and received, and assume many of the people involved know each other.
 
  • Informative
Likes Keith_McClary and anorlunda
  • #3
299
582
Someone who can hack into one email account can look at addresses of the emails it sent and received
If they can hack someone's personal computer they can see those CC lists of third parties' names and emails (people should use BCC ("blind CC")).
 
  • #4
anorlunda
Staff Emeritus
Insights Author
8,865
5,766
If they can hack someone's personal computer they can see those CC lists of third parties' names and emails (people should use BCC ("blind CC")).
Good point, but they don't need to hack your PC. All they need to do is to hack your email account. Therefore, things like your google account info can be more important than local safeguards on your PC. You should change those online account passwords frequently.

Frequent pw changes I think are a better defense than hard-to-guess passwords. If your password is stolen, then it can be misused only until the date when you change it. Stolen passwords can be sold on the dark net, but if you change every 30 days, and it takes more than 30 days for a bad guy to buy your password and try to exploit it, then the bad guy will be wasting his time.

I use a password manager that not only remembers my passwords, but it also partially automates changing passwords. That makes it a little less troublesome to change them often.
 
  • Like
Likes FactChecker and etotheipi
  • #5
jack action
Science Advisor
Insights Author
Gold Member
2,032
2,438
Good point, but they don't need to hack your PC. All they need to do is to hack your email account. Therefore, things like your google account info can be more important than local safeguards on your PC.
Apparently not. From TrickBooster – TrickBot’s Email-Based Infection Module:
The module is employed to harvest Email credentials and contacts from a victim’s address book, inbox, outbox, it can send out malicious spam Emails from the victim’s compromised account, and finally delete the sent messages from both outbox and the trash folder, so as to remain hidden from the user. We believe this module is used by Trickbot for several purposes; propagation and infection, spreading spam for monetization purposes, and harvesting email accounts which can then be traded and used by other campaigns.
Following initial deployment of the malware on the victim machine, the implant left behind by the malware, after it finishes initial execution and clean-up goes successfully undetected.

This clean-up is thorough and involves deleting the original infecting executable file, which is a very common practice employed by many malware families. The result is that it is missed by nearly all scanning security vendors, an impressive stealth factor that is much desired among malware operators.

This file, whose main functionality appears to be an e-mail collector targeting OUTLOOK.exe, begins its execution by creating an additional thread where this module is looking for an OUTLOOK.exe window by using “FindWindow” function with “rctrl_renwnd32” as class name (an identifier of the OUTLOOK.exe window).

On the other thread – this module is using COM objects to interact with OUTLOOK.exe. It starts doing so by initializing a COM object (CoInitializeEx) and continuing to interact with it by creating an instance of “Microsoft.Office.Interop.Outlook” with “CoCreateInstance”. It then tries to start OUTLOOK.exe by using “OleRun” function.

When OUTLOOK.exe is executed – this module knows to start interacting with it by using Microsoft Outlook Messaging API (MAPI).

MAPI provides the messaging architecture for Microsoft Outlook 2013 and Outlook 2016. It provides a set of interfaces, functions, and other data types to facilitate the development of Outlook messaging applications. Applications use MAPI to manipulate email data, to create email messages and the folders to store them in, and to support notifications of changes to existing MAPI-related data.
 
  • #6
FactChecker
Science Advisor
Gold Member
5,840
2,197
Good point, but they don't need to hack your PC. All they need to do is to hack your email account. Therefore, things like your google account info can be more important than local safeguards on your PC.
Your email password is probably the most important. If someone gets that, he can change it to lock you out. Then he can quickly tell each of your financial institutions that your password with them is forgotten and ask them to reset it. The institutions will send a new password to your email account and the hacker will have access to everything of yours.
 
  • #7
299
582
Frequent pw changes
For this particular issue, it just takes one person on the CC list to get hacked.
 
  • Like
Likes anorlunda
  • #8
anorlunda
Staff Emeritus
Insights Author
8,865
5,766
For this particular issue, it just takes one person on the CC list to get hacked.
Good point.

Years ago, I changed my email address. I wanted to inform all my friends of the change, so I wrote a script that parsed my entire email history and extracted every email address I could find there. cc lists were included. I sent notification to all those.

I got one angry reply from a man I don't know saying, "How did you get this email address? It is supposed to be secure."
 
  • Informative
Likes Keith_McClary
  • #9
Stephen Tashi
Science Advisor
7,458
1,409
For this particular issue, it just takes one person on the CC list to get hacked.
Which brings up a non-hacking technique. A spammer can join various mailing lists of small organizations and get email addresses from incoming mail that is sent in an unsophisticated manner - i.e. in a way that reveals the email addresses of all recipients.
 
  • Like
Likes russ_watters, Keith_McClary and anorlunda
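The exposure described in the posts above (one hacked recipient, or one mailing-list member, is enough when everyone sits in To/Cc) can be measured on your own mail. This is an added example, not code from any poster in the thread; the sample messages, the `.example` addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not taken from the thread).
SAMPLE_MESSAGES = [
    # Announcement sent the "unsophisticated" way: everyone in To/Cc.
    "From: Club Secretary <secretary@club.example>\n"
    "To: Alice Baker <alice@a.example>, Bob Jones <bob@b.example>\n"
    "Cc: carol@c.example, Dave Evans <dave@d.example>\n"
    "Subject: Newsletter (To/Cc)\n"
    "\n"
    "Hello all\n",
    # Same announcement as a Bcc recipient receives it: no recipient list.
    "From: Club Secretary <secretary@club.example>\n"
    "To: Club Secretary <secretary@club.example>\n"
    "Subject: Newsletter (Bcc)\n"
    "\n"
    "Hello all\n",
]


def visible_recipients(raw_message, own_address):
    """Return (display_name, address) pairs readable in To/Cc, minus our own."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    own = own_address.lower()
    return [(name, addr.lower()) for name, addr in pairs
            if addr and addr.lower() != own]


def audit(raw_messages, own_address, threshold=3):
    """Return (subject, exposed_pairs) for messages exposing >= threshold people."""
    findings = []
    for raw in raw_messages:
        exposed = visible_recipients(raw, own_address)
        if len(exposed) >= threshold:
            findings.append((message_from_string(raw)["Subject"], exposed))
    return findings


if __name__ == "__main__":
    # Viewpoint: the mailbox of one recipient (Dave) of the announcement.
    for subject, exposed in audit(SAMPLE_MESSAGES, "dave@d.example"):
        print(f"{subject}: {len(exposed)} third-party identities visible")
        for name, addr in exposed:
            print(f"  {name or '(no name)'} <{addr}>")
```

Only the To/Cc version is reported: from Dave's mailbox alone it yields three other people's addresses, two of them paired with a full name, while the Bcc version shows nothing beyond the sender.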
  • #10
harborsparrow
Gold Member
567
126
Most people's emails are stolen in one of two ways:

1) You willingly share your Contacts list with some third-party app (such as Facebook Messenger) and then THAT gets hacked and the email list is stolen from the third party,

OR

2) Your email appears somewhere in a web page and gets "harvested" by a bot. The email-harvesting bots scrape web pages looking for somename@somecarrier.net or .com etc. If your email needs to appear on a web page, make sure it appears as a Javascript program which only renders the full email address locally in the browser.
 
  • #11
rcgldr
Homework Helper
8,714
539
I have received emails with names of people I know, but with the wrong email address. Sometimes the name is not quite correct (doesn't match the name actually used by that person for emails). I also get emails from people I don't know, usually related to some type of click bait or scam.

Depending on what web sites you use, a third party can get names, but not actual email accounts, from a contact or friend list on those web sites. I suspect this is possible on LinkedIn. On Facebook, looking at comments to your posts would also allow a third party to collect names, but not actual email account info.

On rare occasions, I've seen other's Facebook accounts get hacked. My guess is that they were duped by click bait type links that Facebook didn't filter out.

If I get a link that I don't trust, I use a Virtual PC in Windows XP mode to check the link. If the link is harmful, it will only affect the virtual machine hard disk image file. If that were to happen, I would just shut down the virtual machine and restore a known clean backup of the hard disk image file.
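A mail filter can flag the pattern reported in this thread, a familiar name on an unfamiliar address, by comparing the From header with an address book. This is an added example, not code from any poster; the address book, sample headers, verdict names and the 0.8 similarity cutoff are assumptions, and the check for a display name that quotes a contact's address goes slightly beyond the cases described in the posts.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address that contact really uses.
CONTACTS = {
    "tom thumb": "tom@friend.example",
    "alice baker": "alice@a.example",
}


def normalise(name):
    """Lower-case and collapse whitespace so 'Tom  THUMB' equals 'tom thumb'."""
    return " ".join(name.lower().split())


def check_sender(raw_message, contacts=CONTACTS, cutoff=0.8):
    """Compare the From header with the address book.

    Returns (verdict, contact_name):
      'consistent'    - the address is one a known contact uses. The From header
                        can still be forged, so this is not proof of origin.
      'name-mismatch' - the display name is (nearly) a contact's name, or quotes
                        a contact's address, but the real address is someone else's.
      'unknown'       - neither name nor address relates to a contact.
    """
    msg = message_from_string(raw_message)
    shown, addr = parseaddr(msg.get("From", ""))
    shown, addr = normalise(shown), addr.lower()

    for name, known_addr in contacts.items():
        if addr == known_addr:
            return ("consistent", name)
    # Display name that embeds a contact's address, e.g. "tom@friend.example".
    for name, known_addr in contacts.items():
        if known_addr in shown:
            return ("name-mismatch", name)
    # Exact or slightly altered contact name ("Tom Thum" for "Tom Thumb").
    close = difflib.get_close_matches(shown, list(contacts), n=1, cutoff=cutoff)
    if close:
        return ("name-mismatch", close[0])
    return ("unknown", None)


# Constructed sample headers, one per case.
SAMPLES = [
    "From: Tom Thumb <tom@friend.example>\nSubject: lunch\n\nhi\n",
    "From: Tom Thumb <xk12@bulk.example>\nSubject: look at this\n\nhi\n",
    "From: Tom Thum <promo@bulk.example>\nSubject: invoice\n\nhi\n",
    'From: "tom@friend.example" <promo@bulk.example>\nSubject: re\n\nhi\n',
    "From: Shop Deals <deals@shop.example>\nSubject: sale\n\nhi\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_sender(raw), "<-", raw.splitlines()[0])
```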
 
  • #12
harborsparrow
Gold Member
567
126
Apps regularly ask, and trick, people into willingly sharing their Contacts lists, which get stored on the app server and are then often sold or hacked. I think this is the main way.
 
  • #13
87
35
All answers seem to assume hacking of an email or similar account, or gathering email IDs (scraping from the web does not account for how the spammer knows my friend).

No-one has commented on the method I wondered about, namely

The only way I can think is if the spammer has access to an email server and watches the emails passing through the server. He can then see an email from Frodo <me@example.com> sent to my nickname Tom Thumb <my_friend@anymail.com>. He now has our two names, Tom's surname, and our two email ID's to work with.

Is that a feasible method? Can a spammer gain access to a mail server to read passing traffic?
 
  • #14
jack action
Science Advisor
Insights Author
Gold Member
2,032
2,438
the spammer has access to an email server and watches the emails passing through the server.
If I would gain access to a mail server (keyword: access), I would simply read the mail folder and wouldn't waste my time watching the traffic. Watching the traffic (which doesn't require access to the spied server) is a whole other animal. Not a specialist, but with secure connections (https), it is something pretty hard to do, probably harder than accessing a server, certainly harder than accessing an email account or harvesting public info on the web.
gathering email IDs (scraping from the web does not account for how the spammer knows my friend)
You could be surprised. In a recent discussion on PF, the subject is a program called GPT-3 that, basically, once fed text about a certain subject, can write a text about that subject that seems to be written by a human. It doesn't blindly copy & paste, it understands the language structure. Is there a program like that that reads a web page with your friend's email and his surname, and is able to link the two together? Really not far-fetched.
https://en.wikipedia.org/wiki/GPT-3#Capabilities said:
GPT-3 was trained on hundreds of billions of words and is capable of coding in CSS, JSX, Python, among others. [...]

[...] According to one user, who had access to a private early release of the OpenAI GPT-3 API, GPT-3 was "eerily good" at writing "amazingly coherent text" with only a few simple prompts.

Because GPT-3 can "generate news articles which human evaluators have difficulty distinguishing from articles written by humans," GPT-3 has the "potential to advance both the beneficial and harmful applications of language models." In their May 28, 2020 paper, the researchers described in detail the potential "harmful effects of GPT-3" which include "misinformation, spam, phishing, abuse of legal and governmental processes, fraudulent academic essay writing and social engineering pretexting".
 
  • Like
Likes harborsparrow
  • #15
harborsparrow
Gold Member
567
126
@jack action is right that it is trivially easy to run an email address scraper on the web and harvest email addresses that way. In fact, many people allow their emails to be placed on web pages in harvestable form (anything of the format x@y.com for example) instead of x AT y.com or else a Javascript program that only renders the actual address once the page has reached the browser.

You don't even have to code your own scraper. You can probably just Google and find one. It won't necessarily get names, only emails, but that's bad enough.
 
  • #17
russ_watters
Mentor
19,941
6,424
It looks to me like almost none of the discussion here answers the OP's question properly. Hacking and phishing are crimes, and it would be a lot easier to shut down spam if that's how most originated, but it isn't.

Most of the spam you get comes from people you willingly give your email address to legally selling it to marketers.
 
  • Like
Likes harborsparrow
  • #18
harborsparrow
Gold Member
567
126
My email address and, literally, thousands of others are exposed for the public view. . .

Right here on this site. . . U.S. Forest Service - Business Operations -

I don't totally love this, but it's just a fact when doing business with the government. . :rolleyes:
I took a quick tour of the Forest Service site and did not see any exposed email addresses. Did I miss something? There are forms to send email with which do not expose the actual addresses.
 
  • #19
jack action
Science Advisor
Insights Author
Gold Member
2,032
2,438
It looks to me like almost none of the discussion here answers the OP's question properly. Hacking and phishing are crimes, and it would be a lot easier to shut down spam if that's how most originated, but it isn't.

Most of the spam you get comes from people you willingly give your email address to legally selling it to marketers.
If you get a spam email with the proper corresponding surname to the email of one of your contacts as the sender, it is most likely an email account that was hacked where this information (and yours) was available and retrieved. There are bots that can do that, going from one email account to another. In the OP spam email, if you click on the link, you'll probably end up with a virus or a phishing scam to get access to your email account and further propagate the spam.

Less likely but possible, an entire email server was compromised and all of its emails were downloaded by the hackers.

But I don't believe that there are people watching internet traffic and retrieving email addresses as they passed by like the OP is suggesting. (Except maybe the NSA or the like, but they certainly don't do it to send spam.)
 
  • #20
russ_watters
Mentor
19,941
6,424
If you get a spam email with the proper corresponding surname to the email of one of your contacts as the sender, it is most likely an email account that was hacked where this information (and yours) was available and retrieved.....

In the OP spam email, if you click on the link, you'll probably end up with a virus or a phishing scam to get access to your email account and further propagate the spam.
Hacking, phishing or trojan attempts, are not just/typical spam. They aren't trying to sell you something, they are trying to steal your info. That's a big difference. Basic spam is annoying, but largely benign. Those other things are crimes/attacks that cause potentially serious damage.

I'm not trying to split hairs here; it's pretty rare that I get attempted attacks (maybe a couple a month), and these are serious, to be reported to my IT department and maybe even alert the spoofed source. One I got a couple of months ago was an actual email thread that got hijacked by the hacker. Meaning, the subject line had a project name and discussion topic in it that I recognized.

Also, I don't know if gmail is blocking true spam, but I'm actually seeing very little, if any. My "spam" folder has 35 items in it going back two weeks. I see one phishing attempt and two pieces of true spam. All the rest are senders I recognize I gave my email address to willingly. My gmail also has a "social" folder which appears to be one instagram notification per day and "promotions" which is about 10 ads per day -- only one of the last 50 I don't recognize. Those aren't technically spam either, since I (perhaps unknowingly) agreed to receive them.

[edit] Er....well....oops, what the OP seems to be asking was specific to spoofed emails, not just emails in general.
 
  • #21
harborsparrow
Gold Member
567
126
Re: this statement: "If you get a spam email with the proper corresponding surname to the email of one of your contacts as the sender, it is most likely an email account that was hacked where this information (and yours) was available and retrieved"

Not sure I can agree with that. As I mentioned in a previous post, many people willingly share their Contact list with third parties, who then EITHER SELL them OR ARE HACKED. In my opinion, it is rarely a case of an individual's computer having been invaded or their email password stolen. Many apps entice people to share their Contacts list with a server, and people are heedless and unaware of what they are risking when they do so. If their list is then sold or stolen by the third party they have given it to, everybody conveniently forgets how often people share the Contacts lists, and starts worrying that they have personally been hacked. Which *could* happen of course, but much more often, these things are deliberately shared among companies who have obtained them legally (if sneakily); and, the motive is profit. In the U. S., unfortunately, there is little legal protection. Companies have to disclose their information handling policies, but in practice, almost no one ever reads it.

Recently, I fully read Verizon's information sharing policy. I spent several hours calling several phone numbers and waiting on hold, and went to several websites, just to opt out of all their "sharing" policies. In one case, I even had to print out a form, fill it out, and snail mail it somewhere. There were 8 different places I had to go just to guarantee, hopefully, that Verizon will not share any information from me with others except as absolutely necessary to do business with me. Just one example.

Facebook Messenger, for example, for several months would only let people sign up IF they shared their Contacts list. I held out for a long time until they finally changed the app not to do that.
 
  • Wow
Likes Keith_McClary
  • #22
OCR
890
756
Did I miss something?

Yeah, you did. . .

1605855907861.png


Most info (like my real name, company name, phone numbers, physical address, fax number, and email address) is hard to find if a person isn't really familiar navigating the site, and. . . there are links everywhere.


Just as. . .
AQM said:
We know working with your Government can be challenging.
Lol. . . and they're pretty much right. . :eek:


1605861606050.png

 
