Where does spam come from?

Most (technical) people by now know that it's not a good idea to give your real email address to websites when you register your account. But how much of a difference does that really make?

I have one email account for work, another that I give to family and friends, another that I post (obfuscated) on glaak.com, another that is posted in plain text on a university webpage, and one that I use to register for websites. All of them (other than my work email) forward to my "family and friends" email account, and all get spammed in their own special ways.

A few stats:

8000 spam per month: Generate-able Email Address ([First Name] @ [a common domain.com])
This email address has a (remotely) common name + a common domain. It has never been posted anywhere, or been used to register for another service.

4000 spam per month: Plain Text Email Account
This email address was posted in plain text on a university webpage.

1000 spam per month: Less Easily Generate-able Email Address ([First Name + Last Initial] @ [a common domain.com])
This email address has also never been posted or used to register, but is easy to generate.

100 spam per month: Registration Email Address
This email address would be difficult to generate, but is always used to register for services. Of course, the number of "legitimate" mailings this email address receives is a bit higher.

13 spam per month: Obfuscated Email Address
This email address is posted on this website, but is obfuscated with JavaScript. Yes, yes, it appears in plain text when the page is rendered, but in the source it's in JavaScript.
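
To illustrate the obfuscated case, here is an added example (not this site's own script) comparing what a regex over the raw page source finds for a plain-text address and for one rebuilt by JavaScript at render time. The character-code technique, the function names, and the address jane@example.com are assumptions made for the illustration.

```javascript
// Added example: all addresses and markup below are constructed.

// What a source-scraping harvester effectively does: a regex over raw HTML.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function harvest(source) {
  return source.match(ADDRESS_RE) || [];
}

// Emit an inline script that rebuilds the address from character codes at
// render time, so neither the address nor a bare "@" appears in the source.
function obfuscate(address, elementId) {
  const codes = Array.from(address, (ch) => ch.charCodeAt(0));
  return (
    `<span id="${elementId}"></span>\n` +
    `<script>\n` +
    `  var a = String.fromCharCode(${codes.join(",")});\n` +
    `  var link = document.createElement("a");\n` +
    `  link.href = "mailto:" + a;\n` +
    `  link.textContent = a;\n` +
    `  document.getElementById("${elementId}").appendChild(link);\n` +
    `</script>`
  );
}

// Stand-in for the browser (no DOM here): evaluate the String.fromCharCode
// call the way the page's script would, to get the rendered text.
function render(snippet) {
  const m = snippet.match(/String\.fromCharCode\(([\d,]+)\)/);
  return m ? String.fromCharCode(...m[1].split(",").map(Number)) : "";
}

const plainPage =
  '<p>Contact: <a href="mailto:jane@example.com">jane@example.com</a></p>';
const obfuscatedPage = obfuscate("jane@example.com", "contact");

function demo() {
  return {
    plainHits: harvest(plainPage),            // address found twice in source
    obfuscatedHits: harvest(obfuscatedPage),  // nothing to match in source
    rendered: render(obfuscatedPage),         // what a visitor sees
    renderedHits: harvest(render(obfuscatedPage)), // rendered text is matchable
  };
}

console.log(demo());
```

The last field shows the limit of the approach: anything that executes the script or reads the rendered text still sees the address.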

Of course, this wasn't a totally fair experiment. Not all email addresses have existed for the same amount of time, some are posted in more places than others, and there's overlap between some figures (for example, I'd guess that some of the spam going to the obfuscated email address is actually from people generating the address).

Conclusions:

  • Don't have an email address that you can easily generate (or make sure you have a good spam filter)
  • Don't post your email address online in plain text

Registering for a website with your real email address? You're probably OK. (Still, I recommend a secondary Gmail account which auto-forwards to your real email account).

Luckily for me, Gmail's spam filter gets nearly all of the 13,000 monthly pieces of spam (missing maybe 10 or so per month). Not bad.