Who Sold You Out? – How to Figure out Who Leaked Your Email Address

When setting up accounts or handing out my email address, I use a catchall on a different domain I have, giving a different mailbox to each sender.  So, for instance if I give my address to Bob’s Cream Puffs to get a coupon, it might be bobscreampuffs@mydomain.com.  You can do this with a normal (non-catch-all) address too, by using the plus sign after the mailbox name.  In my case, that would be something like alex+bobscreampuffs@mydomain.com.  That trick even works with GMail and a number of other web services.


The motivation for using these tricks is that you can see how someone sending you an email got your address.  If I get an email trying to sell me cheap knockoff watches, and it was sent to bobscreampuffs@mydomain.com or alex+bobscreampuffs@mydomain.com, it is a reasonable guess that whoever sent that email got the address from Bob.

But how would they have gotten this from Bob?  Well, there are several ways email addresses leak.

  1. Bob is unscrupulous and handed out your address, probably selling it to spammers.
  2. Bob has an employee that grabbed the email list and sold it to spammers.  In huge companies, it only takes one person with access to the data to nab it for your address to get out there.
  3. Bob was hacked and his mailing list stolen.
  4. Bob made a mistake and gave your email address (probably along with other data) to a third-party service he was using for some part of his business, maybe for email marketing, for managing a program (like automated coupons), shipping or fulfillment, sales analysis, or any of many other services.  If the third-party fails in any of the ways Bob could have (see 1-3 above), your data is out there.  This also applies to anywhere Bob might make the data available unintentionally, such as to tech support working on a server or workstation, who may grab such data if they come across it and distribute it.

What to do When You Start Receiving Spam

Not much.  When you discover that you’re receiving spam at an address you should probably notify whoever let it slip.  I’ve found that most of the time they have trouble comprehending the issue, and are usually unable to do anything, but it’s still worth reporting on the off chance that others are as well.  If someone gets enough complaints, they will probably look into the matter, hopefully doing a security audit or tightening up access to data.

Who is Guilty

I’ve been doing this for a while now (roughly 10 years).  The addresses that pop up most often are those for services that make your address visible to others on purpose, like facebook or an online student directory.  There’s not much that can be done about those, and nothing really wrong with that, it’s expected to some extent.

Among those I wouldn’t have expected to be problems, but which did let my address slip were:

  • Adobe
  • ChronoPay (though that one isnt’ very surprising)
  • DynDNS
  • Equifax (which I find incredibly unsettling)
  • Freedom Gardens
  • Library Thing
  • MarketWatch by Dow Jones


Leave a Reply