Public Information and Email Spam

Published: 2024-02-05. Last Updated: 2024-02-05 16:05:03 UTC
by Jesse La Grew (Version: 1)
3 comment(s)

Many organizations publicly list contact information to help consumers reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that having any kind of publicly available information will increase the likelihood that these accounts will receive spam or phishing emails. To help understand a bit of this, I set up a brand new domain with a very basic website and collected email using Amazon SES [1] for a couple of weeks. The website contained email addresses in a variety of formats:

  • email@domain
  • email (at) domain
  • email@domain (hidden in HTML comments)
  • web form

The site was made live on 1/21/2024 and within a few hours started receiving scans. 

| Email Address / Source | Number of Emails Received | Time to Receive 1st Email (Days) |
|---|---|---|
| Web Form | 4 | 2 |
| email@domain | 7 | 5 |
| email@domain (HTML Comments) | 1 | 9 |
| email (at) domain | 0 | N/A |

The time to receive an initial email was much longer than I suspected. While scanning of the website happened within the first few hours of the website being publicly available, incoming emails took a couple of days. The web form was also the first method used to submit any content. 

Common themes of the emails received included:

  • Website redesign
  • Android app development
  • Marketing / sales

Email Subjects:

  • FYI- Redesign your website ? 
  • What is the next for <domain>
  • Price List
  • Revealed: Hiring Freelancers Save You Time & Money in 2024
  • Re: Delayed Payment - 2024/1/30 8:00:00
  • Android App Development !! 
  • Re: Call to update your website $
  • your Sales Funnel...? 
  • _Re:_Pay_attention_to_Google=E2=80=99s_guidelines_-_SEO_settings
  • Re: Uncompleted Payment - 2024/1/30 5:25:28

Sending domains:

  • hotmail[.]com
  • nwjgc[.]biz
  • lcs.yqp.mybluehost[.]me
  • ssspay[.]com

At the time of this writing, there were no emails received for an address in this domain that was not listed on the website. There is definitely an impact on spam received when an email address is made publicly available. As more data is collected, more patterns may emerge from source domains and networks. 

Consider limiting the data accessible on public resources, including contact pages and forums, to help combat spam messaging.
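One way to act on that recommendation is to inventory what a page already exposes. The following is an added example, not code from the original diary: a Python audit that reports which of the four contact formats used in the experiment appear in a page's HTML. The `example.test` addresses, the sample page and the names `ExposureAudit` and `audit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Plain address, e.g. user@example.test
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Lightly obfuscated address, e.g. "user (at) example.test"
OBFUSCATED = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[(\[]\s*at\s*[)\]]\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.IGNORECASE)

class ExposureAudit(HTMLParser):
    """Collects (kind, value) findings for one HTML page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def _scan(self, text, where):
        for m in PLAIN.finditer(text):
            self.findings.append((f"plain:{where}", m.group(0).lower()))
        for m in OBFUSCATED.finditer(text):
            self.findings.append((f"obfuscated:{where}", f"{m.group(1)}@{m.group(2)}".lower()))

    def handle_data(self, data):      # visible page text
        self._scan(data, "text")

    def handle_comment(self, data):   # not rendered, but still served to every client
        self._scan(data, "comment")

    def handle_starttag(self, tag, attrs):
        if tag == "form":             # a web form is a contact channel too
            self.findings.append(("form", dict(attrs).get("action") or ""))

def audit(html):
    """Return a sorted, de-duplicated list of contact exposures in the page."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return sorted(set(parser.findings))

# Constructed sample page covering the four formats listed in the diary.
SAMPLE = """<html><body>
<p>Sales: sales@example.test</p>
<p>Support: support (at) example.test</p>
<!-- legacy contact: hidden@example.test -->
<form action="/contact" method="post"><input name="msg"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, value in audit(SAMPLE):
        print(f"{kind:20} {value}")
```

Running it over each public page before publication gives a list of addresses and forms to compare against the contacts the organization actually intends to expose.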

[1] https://aws.amazon.com/ses/

--
Jesse La Grew
Handler


Comments

It might be interesting to see how this changes over time. Is your intention to keep this running for any length of time? It might be interesting to see monthly or quarterly updates on this project.
Also, some other ideas...
Use an unlisted email from the domain to register for forums, newsletters, or at businesses.
Use an unlisted email to communicate about the project. So you use it as an "official" correspondence for the domain. Send an email a day for some length of time and how long does it take to get spam.

Thanks for reading, jc! I'm hoping to keep this running for a bit, but currently working on some modifications. Appreciate the ideas!
