How do spammers harvest email addresses?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Ever wondered how your inbox fills up with emails from people who have never heard of you? It's not random luck on their end. Spammers build lists at scale, and there are a few well-worn paths they take to get there.

Web scraping is probably the oldest trick. Automated bots crawl public pages and pull out any email address they can find. Forum posts, blog comment sections, directory listings, social profiles, even the "contact us" pages on business websites. If your address appears anywhere in plain text on the public web, it can be scraped.

Data breaches are a massive source too. When a service gets hacked and its user database leaks, millions of addresses end up on underground markets. These addresses were never publicly visible, but now they're bundled up and sold for pennies per thousand. You may have been on one of these lists for years without knowing it. Sites like Have I Been Pwned let you check if your address appeared in a known breach.

Dictionary attacks involve guessing. Spammers generate combinations of common names and popular domains (think john.smith@, jsmith@, j.smith@) and try sending to all of them. Some will bounce. The ones that don't are flagged as valid and kept for future campaigns.

Malware and browser hijacking can harvest addresses from your device directly. If someone in your contact list installs a sketchy app or gets infected, every address in their contacts is at risk of being exported.

Unethical list sales also happen. Some shady data brokers sell contact lists scraped from opt-in forms, co-registration schemes, or old purchased databases. These lists change hands multiple times, each time picking up more addresses from different sources. By the time a spammer sends to your address, it may have traveled through four or five different hands.

The uncomfortable truth is that you don't need to have done anything wrong to end up on one of these lists. One breach at a company you signed up with years ago, one mutual contact whose device was compromised, one comment you left on a public forum in 2009. That's often all it takes. (Spam bots are specifically designed to run these collection tasks at inhuman speed, which is part of why the volume never seems to slow down.)

And if you're a sender rather than a recipient worrying about this, the flip side is worth understanding. A list that came through scraping or a breach is full of addresses with no consent, stale inboxes, and spam traps. Sending to one is not just ineffective, it's reputation-destroying. Not sure if your list has collected some of this over time? We can clean it for you at RME Clean.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a ranked breakdown of how your address was likely harvested

My email address ended up in a spam list even though I've been careful. Based on how spammers harvest addresses (scraping, breaches, dictionary attacks, malware, and list resales), can you rank the most likely ways my address was collected given this context about me: [describe what services you use, whether you post publicly online, how old the address is, and whether you've ever seen it in a breach check]? Then tell me which of those risks I can actually reduce.

Edit the yellow boxes, then send to the AI of your choice.