Many small organizations now have websites and provide an email address for customers to contact them. A simple HTML link of the form mailto:user@domain.com is easy to implement (all popular HTML editors allow you to create this), and the results are easy to retrieve—they arrive in the user's mailbox.

The alternative to a mailto: link in a web page is to have a web form where the customer enters an email address and a message, and then submits the form. The data is processed by the web server and forwarded to the recipient. This is less flexible than an email—for example, attachments cannot be added. Additionally, the web form relies on the customer to enter their email address correctly. If this is typed incorrectly, then the customer contact will be lost.

From an early time in the history of the Internet, automated computer programs have tried to download web pages and follow links to other web pages. Typically, these spiders walk the Web to generate indexes for search engines...

Usenet is also called network news, NNTP, or just news. It can be likened to a distributed bulletin board, where messages posted on one board (or server) are forwarded to other boards (or servers) in a network. There are many specialized newsgroups and news servers. An ISP will often provide a news server for its customers, and large corporations occasionally provide them for use by staff. Commercial Usenet providers are in operation, and an archive of Usenet posts is available at http://groups.google.com/.

The first spammers collected their email addresses from Usenet. Even today, it is the second greatest source of email addresses.

Most news servers do not require a user to provide an email address to read posts on newsgroups. However, most require a user to provide an email address when posting messages. If a user only reads newsgroups, their email address will not be collected by spammers from Usenet. Some mailing lists are also echoed to Usenet and subscribers to it are at risk...

A large quantity of spam is now sent from standard PCs infected with spamming software. This software sends out spam emails under control of the spammer, without the PC user's knowledge or consent. Such software can also collect email addresses from the user's contact list, and also their incoming and outgoing email archive. Anti-virus and anti-malware software can detect Trojans.

Mailing lists are a useful tool for commerce and recreation. They allow a user to send emails to a single address, and the email is then forwarded to all the members of the list in a broadcast fashion. Spammers used to send messages to a mailing list, and they would be forwarded to all the recipients. To prevent this, most mailing lists require users to authenticate themselves in some way. This is a manual process that deters spammers who rely on automated processing.

Often, mailing lists are archived on the Internet for reference. If a spammer's web spider reaches a mailing list archive, it will have access to the email addresses of all the people who have posted on the list. Consequently, the latest versions of all the popular mailing list management software disguise or munge email addresses when archiving them on the Web.

Some mailing lists are moderated, which means that submissions have to be approved by a moderator before they will be forwarded to list members...

Many websites enforce registration before they can be used. Sometimes only limited access is available to unregistered users. If users want to use all the functionality of the site, then they have to register and provide their email addresses.

In the past, some websites used to sell the email addresses of their users. Now, most reputable sites publish email policies allowing users to opt out of any email marketing. If a user registers for a website, they should ensure that they read the policy thoroughly and choose the appropriate response on the sign-up form of the website.

Some websites state that their policy is not to sell or give out user's email addresses, but marketing information from other companies is still received. The email is sent from the website on behalf of the third party, and so the policy is not being broken. The only consolation is that the marketing emails received are usually inoffensive and even possibly of interest.

For a corporation, the employees can be a source of spam. They may accidentally reveal email addresses at unsafe locations on the Web in any of the ways mentioned in this chapter.

It is important, therefore, to create a policy for email usage that employees must adhere to. To minimize spam, it should cover guidelines on:

Another risk is that of a rogue employee, who may take an employee directory, a client list, or a collection of email addresses, and sell them. Often, this happens when the employee leaves the organization.

This is a crime in most countries. Unfortunately, it is difficult to detect and harder to prove. A company should protect its customer list and limit access to only those who need to use this information. Ideally, there should be a log of when email...

There is no evidence that spammers collect email addresses from business cards or from promotional material.

If email addresses are published as part of a promotional campaign, it is worthwhile using a different email address created specifically for each campaign. If a spammer gains control over a third-party computer through Trojan software and the user of such a computer responds to such a promotional campaign, there is a possibility that the Trojan software will pass the promotional email address back to the spammer's central database. By changing email addresses for each campaign, the accounts can be suspended once the campaign has finished.

Spammers can verify email addresses in three ways: by receiving replies, providing an opt-out web link, and by using web bugs. Web bugs are small images that secretly track information about the spam recipient. The following section describes a web bug in detail. A recipient of spam may occasionally reply to a spammer's email. This is a futile gesture. Often, the spam email is sent from a fictional email address, and the reply will be returned, undelivered. Spam can also be sent from a real, but hijacked address. Hijacking occurs when the spammer chooses a bona-fide email address to use in the mail headers of his or her spam, either the From: header or the Reply-To: header. The unfortunate victim will receive thousands of bounced messages from undelivered emails, as well as the occasional irate reply.

Email is occasionally sent from an account set up by the spammer. If...

Spammers use a variety of techniques to collect email addresses. The main sources of email addresses are web pages and Usenet postings.

Providing email addresses on websites is useful, but it will attract spam. They can be disguised from spammers using alternative character representations or JavaScript.

Spammers use a variety of techniques to validate email addresses. By choosing not to reply to opt-out links and spam emails, and refraining from viewing email as HTML, users can limit the tracking of their email addresses.