Email Harvesting

Posted by on May 20, 2005

Ya know, I’ve seen some pretty interesting methods of protecting one’s email address from being harvested by spammers.

For the “Coppertops” in the crowd, email harvesting is the act of gathering email addresses from websites for the purposes of spamming them later. Usually folks will write a neat little program that scans websites for a pattern such as xxx@xxx.yyy where xxx is anything and yyy is a known root level domain such as com, net, org, edu, etc.

Common attempts, by example, are:


This hides the @ symbol and the period but many spam scripts know to look for that.

This protects the email address pretty well especially if you change around the “deletethis” to “removethis”, “takethisout”, etc. When the spammer sends this it will bounce. BUT, if you are expecting a coppertop to send you mail, that mail will also bounce because they won’t know to correct the obvious problem.

george at hotmail dot com

Same as the first really but scripts have a harder time with this.

And now for some award winners…

Mike Poor is a regular Handler d’jour at The Internet Storm Center. He has used the following as his email on webpages:

echo "mikepoorhandlerondutyisageek" | sed -e s/poor/\@/g -e s/isageek/\.com/g -e s/handleronduty/intelguardians/g

Now THAT takes some serious effort by a spam script! If you have the sed programyou can simply dump the line at a prompt and you get his email address. Regex is your friend.

Sed is included with every *nix distro but for windoze users you can get it here. Sed is a part of this SWEET little group of utilities.

Mike’s anti-spammer technique used to be my all-time award winner…until now.

Johannes Ullrich, another Handler at ISC and CTO for SANS now gets the all time Hormel Award for this BRILLIANT technique:

jullrich@';drop table email;''

You see…he is including alittle SQL injection in his email address. There’s alittle luck in there but still. Again…for the coppertops…let’s look at this in detail…


This is all right and proper but then we see…


The apostrophe followed by the semi-colon tells the sql database server(whether it’s MySql or M$ Sql Server is irrelavent) that we are finished assigning a value and the rest of the STATEMENT is to follow. Then we see the next statement:

drop table email;

Here’s the little bit of luck that’s involved. This statement tells the sql database server to delete the table called “email”. If the spammer is stupid enough to give his tables proper names then he just lost ALL his hard work. Brilliant…simply brilliant. Kudo’s to you Dr. Ullrich! Have a Hormel Product of your choice on us!

Now, if you know that the ';drop table email;' bit isn’t supposed to be in there you would simply remove it and be left with his email address…which is as it should be. You would think someone as talented as Joel would also be Ãœber Clever in his email address…hmmm….

Last modified on May 20, 2005

Categories: InfoSec
Comments Off on Email Harvesting

« | Home | »

Comments are closed.

%d bloggers like this: