The Email Harvest

Jun 27, 2009   //   by Hackadelic   //   Blog, Featured  //  No Comments
This entry is part of a series, The Scam Observatory»

Harvest (Summer Memories)This post is about email harvesting – a process of collecting user email addresses, mostly with the purpose of using them for spam.

The other day I’ve received a message sent to me from my contact form with this wording:

The plugin work on Internet Explorer but cause problem when view in Firefox, a blank screen appear instead.

At first sight, it looks like a normal message, especially because I do develop plugins.

What stroke me, though, were two things:

  • It did not specify what plugin it is about.
  • Displaying a blank screen in Firefox seemed just so damn unlikely a symptom.1

Then an idea came to my mind: What if this is not a true support request? What if it’s email harvesting?

Email harvesting stands for obtaining lists of email addresses for purposes unknown to the address owner. There is a flourishing market for such addresses. Similarly to street addresses in the past that were used to spam your physical mail box with unwanted advertising papers, there are companies (both dubious and “serious”) willing to pay for email addresses for the same purpose. And the most valuable asset in email harvesting are confirmed email addresses.

Dollars !These are addresses for which it has been confirmed that there is a real account behind them. Why are they so valuable? Because it is much likelier that advertising material will be viewed by a human, for whom chances are he will make a purchase eventually.

What do you think why email confirmation has been “invented” in the first place?

Regardless of spam blocking technologies, those guys follow a statistical reasoning pattern like this:2

  1. From every 1000 spam emails sent to confirmed addresses, 100 will pass anti-spam measures and acutally reach a human. (I.e.: they’ll achieve 100 reaches.)
  2. But: From every 1000 spam emails sent to random addresses (which may or may not be confirmed), only 1 will actually reach a human.
  3. From every 100 reaches, 10 will actually catch his/her interest, making them potential byers.
  4. From every 10 potential byers, 1 make a purchase.
  5. The average money spent on the purchase is $10.

Now they draw the following conclusions:

  1. We need 100 reaches to make one sale worth $10.
  2. For that we need either
    1. 1000 confirmed email addresses, or
    2. 100,000 random email addresses.
  3. A confirmed email address is worth 1000 times more than an unconfirmed address.

It is because of point #3 why confirmed email addresses are in such a high demand.

The reasoning continues:

  1. In this quarter, management demands a sales volume of $100,000.
  2. For that we need 1,000,000 (one million) reaches.
  3. For that we need either 1,000,000,000 (one billion) confirmed email addresses (I won’t bother to even name the number of random addresses necessary for this.)

We should not forget that behind every organization there are human beings. They may well have a reasoning like this:

  1. My sales provision is 10%. This makes for $1 per sale.
  2. I’d like to bye a new [you name it].
  3. Hence, next month I’d like my provision to be $1000.
  4. For that I need to make 1000 sales.
  5. Hence I need to spam 1,000,000 confirmed email addresses.3

You can’t believe all this? Google for ‘+price +”confirmed email” +address’. You’ll find places and people where these items are sold, like this one. (He offers 2,000,000 (!) confirmed email addresses.)

Simon Walter describes the background quite accurately»

Back to the message I recieved, I still don’t know whether its author was trying to harvest my email address, or he was just being negligent. Either way, his message inspired me to write this post, of which I hope it may bring some more light into the dark topic of email harvesting.

Now I’m curious:

Have you been aware of email harvesting?

What do you do to protect yourself from it?

  1. I develop my plugins in Firefox. If they ever showed any cross-browser issue, then it was in IE, not FF. []
  2. The numbers here are fiction, but the pattern is not. []
  3. Point #5 may seem to classify this as the reasoning of a low-life, but then, when your life depends on it… []

Ever wondered how people get your email address? One way is simple – they use ‘harvesting’ software to trawl the world wide web pages – find @ signs, and, hey presto, they have millions of email addresses. Some CDs of address lists are compiled in this way. These can be sold to people who like to “spam” – or send genuine unsolicited commercial email (UCE).

Since I installed Norton Personal Firewall, I have been amazed at how many emails that arrive as a “web page” are being used to collect my email address. They don’t get it from me because Norton Personal Firewall allows me to “block” sending email addresses to the requesting web site.

I wholeheartedly recommend you install Norton Personal Firewall.

One problem is that the email addresses are not confirmed, so this type of business would like you to CONFIRM that your email is correct and that it is ACTIVE. So, a company who is doing this just for the email-list business, or selling email addresses as a side-line revenue, may send you an innocuous email which ends with something like…

If you do not wish to receive this regular free report, simply reply and type REMOVE in the subject box, to

Thank you.

The only reason they want you to reply is to turn their “possible” email address they have for you, into a “confirmed and active” email address, which is much more saleable! If you don’t want them to gain from confirming your email address, simply delete the email.

Powered by Hackadelic Sliding Notes 1.6.5

Comments are closed.

Blog Categories

I have come here to chew bubblegum and kick ass...
and I'm all out of bubblegum.
-- Nada in They Live