How the hell is someone getting my email address?

My OS is WinXP Pro. I use Firefox as my main browser and Eudora as my
email program. I do not keep my email program open except when I'm
reading/writing email. My internet connection is broadband cable. I
use a firewall (software) all the time, run AV software regularly,
plus Ad-Aware.

I have a primary email account that I N-E-V-E-R use. My ISP has sent
me a few notices at that address, but as I said, I do not use it
otherwise, period.

I've started getting mail at that address recently and I can't figure
out how anybody would have gotten it. It's quite random and doesn't
use any words found in the dictionary.

Is there ANY WAY a web site can lift any of my email addresses if I
visit their site? Are they stored anywhere on my computer that this
site can access? If so, how do I stop that from happening?

Thanks.

 

Possibly, but probably lifted from the site of someone who has emailed you
from that site or to whom you have sent an email from that address.

 

Are these real emails, or spam?

@+

 

The one know one has mentioned is your ISP has been breached, they may have
had their database scoured, and I suspect you may soon be getting more
garbage mail in your letter box. ISP's keep this stuff quiet as I imagine
that it would be bad for business.

So are you with Telstra?

 

I don't read email from people I do not know. Judging from the
subject lines, though, it is usually ambiguous and RE-type messages to
conversations I've never had.

 

Well maybe you should read it - that might be the first clue to how it's
getting to you, don't you think? If it turns out to be spam, then it's
mystery solved, because spambots often generate email addresses at random.
However, given that you won't make the most basic effort to sort this
yourself, I'm not going to waste any more time on this.

 

The reason I do not read the stuff is because I heard long ago that
opened mail can indicate to the sender that someone is there, which
could result in even more mail. An opened email indicates an active
account.

The subject lines on these emails are definitely fabricated topics I
have no interest in.

 

I get emails sometimes that have both my new ISP address (uses a "y") and
one I have not used at the same ISP for over 5 years now (used an "i"). Also
they sometimes include all sorts of names with the same domain name ending,
just to see what does not get rejected automatically.

 

That can be true if the email is in HTML and your email client
renders it. However, you shouldn't need to actually open an email
to be able to inspect the headers and raw message data.

I don't know how this is achieved in Eudora, but even OE makes it
trivial to do.

 

From: "Carson Estes" <cqquw549qmuvATbellsouth.net>

Send reply to: "Carson Estes" <reqt08okbATbellsouth.net>

To: bsoileauATeatel.net, charbonnetATeatel.net, psully99ATeatel.net

Subject: Hey,

Date sent: Fri, 20 May 2005 01:40:07 -0800

I think they use random character generators, See the bellsouth addresses
above? It's the only one I still had access to with multiple addresses,
usually there are lots more than that. I changed the @s to ATs.

 

It can also be true if the sender adds a Return Receipt to the message
and your mail system responds.

Craig

 

Well I hope the configuration for any receipt would be set to
ignore, or at least prompt. One shouldn't be receipting spam
where the return address will inevitably be forged.

 

In the Usenet newsgroup alt.computer.security, in article

Seeing as how they don't want "bounce" messages, they will often use
invalid address strings - often a simple random string. At other times,
they will use a valid reply address of some person they wish to harass.
For spam, you should always assume that the address is not that of the
spammer. The contents of the spam will give some indication of how to
contact the spammer (they want your business), but even that is obscure.

Two points - multiple addresses on a single spam give economy of scale.
They need only make a single connection to the mail server to deliver a
number of pieces of spam. In case you've never looked at the conversation
between sending (S) and receiving (R) mail servers, it goes something
like this:

S: Hello R, my name is sender
R: HELO sender, pleased to meet you
S: Mail from envelope_sender_name
R: Sender OK
S: Mail to envelope_recipient
R: Recipient OK
S: Mail to envelope_recipient2
R: Recipient OK
S: Mail to envelope_recipient3
R: No such mailbox
S: DATA (Here it comes!)
R: OK send it - end by sending a line containing only a dot
S: From: "Carson Estes" <cqquw549qmuvATbellsouth.net>
S: Send reply to: "Carson Estes" <reqt08okbATbellsouth.net>
S: To: bsoileauATeatel.net, charbonnetATeatel.net, psully99ATeatel.net
S: Subject: Hey,
S: Date: Fri, 20 May 2005 01:40:07 -0800
S: <--- an empty line separates what you see as headers and the body
S: Bla-bla-bla
S: . <--- only a single dot on the line - marks end of mail.
R: OK, I got it

The "envelope_sender_name" _should_ show up in the headers of the mail as
the "Return-Path:" header but it can be fake. If there is only a single
envelope_recipient, it should show up in the "Received:" header. If there
is more than one envelope_recipient, the values do not appear anywhere.
Also note that the "From:" and "To:" header is part of the data portion
of the mail, and serve no purpose in the delivery - thus, they can be
total garbage, and things still work because mail delivery is based on
those two envelope headers. Your mail-reader only shows you the stuff
between the word DATA and the dot by itself on the last line. If you
_save_ the mail, or maybe tell your mail reader to 'show headers', then
you MAY see the rest of this stuff. If you want more in details on how
mail works, see RFC0821 and it's proposed replacement RFC2821 both widely
available on the web. For additional help on decoding the headers, see
http://www.stopspam.org/email/headers.html

The other point to recall is that sending spam to nine million addresses
costs about the same as sending it to twelve million addresses. In the
conversation shown above, you may see that the third recipient's name
was rejected - compare the amount of CPU cycles between that rejection
and the preceding acceptance. That's why once a name gets onto one of
those "Ten Million Valid E-Mail Address" CDs, it tends to stay there
for years. "New" addresses are obtained several ways.

1. You posted it - mail, news, web page, whatever
2. You responded to a "Take me off this mailing list" address in a spam
3. You visited a site and used it as a password (See RFC1635)
4. Your browser handed it out to anyone who asks
5. Your box got r00ted - a worm, trojan or worm sent the name to a dropbox
6. It was captured from a friends mailing (AOLers who mail everyone they
ever heard of, buddy lists, etc.)
7. Customer list stolen from ISP or someplace you do business
8. Dictionary attack

The latter is where the spam service provider connects to a remote mail
server, and tries to send mail to "common" names, such as those found in
a dictionary or phone book. They record the success/failure messages in
the top of the server conversation shown above, and often quit without
sending mail (or sending an empty mail) after trying 50 - 100 names.
The spam service provider then sells the newly discovered names on one
of those "Millions" CDs, and you just signed up to receive thousands of
valuable offers... yeah, right.

For '1' and '2' above - DON'T DO THAT!!!. '3' and '4' are normally a
browser configuration - simple solution is to use an invalid address for
this function. See http://www.faqs.org/faqs/net-abuse-faq/munging-address/
For '5' - don't use windoze - or at least don't use outhouse express. For
'6' - get better friends. For '7' you might be able to take legal action,
but the usual answer is to get a better ISP/business/whatever. For '8' -
obfuscate; this could mean using nicknames (as long as they aren't
dictionary words), inserting numbers (though not using '1337 Sp34k' -
that is, numbers in place of similar looking letters), or go whole hog
and use a completely meaningless string of characters. Names _MUST_ begin
with a letter, and consist of case insensitive letters and numbers only
(though some providers may allow a few other characters like a dash,
underscore, or '+'), but that's it. The names are not required to be
meaningful, pronounceable, or even memorable (though you do make it hard
on your correspondents if they are not at least slightly meaningful).

Old guy

 

Thanks for all that information, Old Guy. I read that article. You
had a mention that my browswer could be handing out my email address
to anybody that asks. THAT interests me, but you did not give out
further information.

The address to which I am getting this mail is one that I have
absolutely NEVER used. It's an account that my ISP originally set up
for me when they switched me over from he old Excite broadband to this
company. A few years ago the Excite broadband went bankrupt and the
switchover to another broadband company was a bit confusing for a
while. I only use this address as a sign-in address if I have to
visit my ISP account. I have never, not even once, used it for any
other purpose.

I do not use IE.

I am alert and careful about giving out my real email addresses.

How will my browser hand out my address?

 

No I'm not. Comcast.

 

Go through your browser's settings. If you see your e-mail address
anywhere in the settings, delete it. Certain rogue scripting can
cause some browsers to report the address contained in the settings.

 

In my ancient copy of Macintosh Outlook Express, I use the "View Source"
function to view the RFC2822 source of an e-mail without triggering any
outbound HTTP requests.