Feb 18, 2008

How Fast Can Spammers Harvest Your Emails?

FTC Spam Summit Harvested Emails

Reading through the FTC Spam Summit Report (472k PDF), I came across an interesting study they did, buried way back in the Appendix.

To determine how effective ISP spam filters are, they created 150 fresh new email addresses, and posted them at 50 locations around the Internet:

"The 50 Internet locations included websites controlled by the FTC and several popular message boards, blogs, chat rooms, social networking sites, video posting sites, and sites with user-generated content that had high hit/visit rates."

Then they measured how much spam they got, how fast, and how much their ISPs’ spam filters blocked…

"At the conclusion of the two week study period, the 50 Unfiltered Addresses had received a total of 718 pieces of spam. At the conclusion of the five week study period, these same addresses had received 3,045 pieces of spam. The total weekly amount of spam sent to the Unfiltered Addresses more than doubled from weeks one and two to weeks three through five."

Wow. The ISP that had no spam filters got over 3,000 pieces of spam in a little over one month. The two ISPs that had built-in spam filters blocked spam pretty good: 93% at one ISP, and 78% at another.

Most Email is Harvested from Websites, Not Blogs, Forums, etc.

Ever wonder where the spambots harvest email addresses the most?

"At the conclusion of the two week study period,  86% percent of the total amount of spam messages received at Unfiltered Addresses were from addresses that had been posted on the FTC’s website pages, and only 14% percent of the spam messages had been received from addresses posted elsewhere."

Spam Traps

To conduct the study, the FTC setup 150 fresh new email addresses that were used strictly to trap spam. These are called "spamtraps." ISPs and anti-spam companies setup spamtraps all the time. If an email marketer buys a list from a disreputable source (who probably bought their list from yet another disreputable source who harvested addresses from websites), chances are high that list has a spamtrap on it that could get you instantly blacklisted. Some ISPs even turn very old email addresses (from closed customer accounts) into spam traps, and post them around the Internet. That’s why email marketers should never send campaigns to very old lists.

The Importance of Authentication to the FTC
One more random tidbit from the report (from their "Next Steps" section, pg 26):

"Staff will…urge ISPs to further implement negative scoring for non-authenticated email…"

Clearly, the FTC is concerned with the impact of Phishing, and they feel authentication is an effective technological weapon against it. This is a sign that they intend to push ISPs to penalize non-authenticated emails. On a related note, check out this interview with Yahoo: Will Yahoo block messages that aren’t authenticated?