Many organizations publicly list contact information so that consumers can reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that having any kind of publicly available information will increase the likelihood that these accounts will receive spam or phishing emails. To help understand a bit of this, I set up a brand new domain with a very basic website and collected email using Amazon SES [1] for a couple of weeks. The website contained email addresses in a variety of formats:
The site was made live on 1/21/2024 and within a few hours started receiving scans.
| Email Address / Source | Number of Emails Received | Time to Receive 1st Email (Days) |
|---|---|---|
| Web Form | 4 | 2 |
| email@domain | 7 | 5 |
| email@domain (HTML Comments) | 1 | 9 |
| email (at) domain | 0 | N/A |
The time to receive an initial email was much longer than I expected. While scanning of the website happened within the first few hours of it becoming publicly available, incoming emails took a couple of days. The web form was also the first method used to submit any content.
Common themes of the emails received included:
Email Subjects:
Sending domains:
At the time of this writing, there were no emails received for an address in this domain that was not listed on the website. There is definitely an impact on spam received when an email address is made publicly available. As more data is collected, more patterns may emerge from source domains and networks.
Consider limiting the data exposed on public resources, including contact pages and forums, to help reduce spam messaging.
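As an added example (not part of the original diary or its experiment), the following Python script audits a page's HTML for the address formats tested above (plain text, HTML comments, mailto links, "(at)" obfuscation, and web forms) so a site owner can see what is exposed before publishing. The sample HTML and the example.test addresses are constructed.

```python
import re
from html.parser import HTMLParser

# Plain "user@domain.tld" addresses.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "user (at) domain" style, optionally with "(dot)" in place of the dot.
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\(\[]\s*at\s*[\)\]]\s*"
    r"([A-Za-z0-9.-]+(?:\s*[\(\[]\s*dot\s*[\)\]]\s*[A-Za-z]{2,})*)",
    re.IGNORECASE,
)

class ExposureScanner(HTMLParser):
    """Records every address found, tagged with where on the page it appears."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (address, exposure kind)
    def handle_data(self, data):
        self._scan(data, "visible text")
    def handle_comment(self, data):
        # Comments are not rendered, but scrapers still fetch the raw HTML.
        self._scan(data, "HTML comment")
    def handle_starttag(self, tag, attrs):
        for _, value in attrs:
            if value and value.lower().startswith("mailto:"):
                self.findings.append((value[7:].split("?")[0], "mailto link"))
        if tag == "form":
            self.findings.append(("<form>", "web form"))
    def _scan(self, text, where):
        for m in EMAIL_RE.finditer(text):
            self.findings.append((m.group(0), where))
        for m in OBFUSCATED_RE.finditer(text):
            domain = re.sub(r"\s*[\(\[]\s*dot\s*[\)\]]\s*", ".", m.group(2))
            self.findings.append((f"{m.group(1)}@{domain}", f"{where} (obfuscated)"))

def find_exposed_addresses(html):
    scanner = ExposureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page covering each format from the table above.
SAMPLE_HTML = """<html><body>
<p>Sales: <a href="mailto:sales@example.test">sales@example.test</a></p>
<!-- retired address: legacy@example.test -->
<p>Press: press (at) example (dot) test</p>
<form action="/contact" method="post"><input name="message"></form>
</body></html>"""

if __name__ == "__main__":
    for address, kind in find_exposed_addresses(SAMPLE_HTML):
        print(f"{address:28} {kind}")
```

Run against a site's saved HTML instead of SAMPLE_HTML to get an inventory of exposed addresses before the page goes live.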
[1] https://aws.amazon.com/ses/
--
Jesse La Grew
Handler