Many organizations publicly list contact information to help consumers reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that having any kind of publicly available information will increase the likelihood that these accounts will receive spam or phishing emails. To help understand a bit of this, I set up a brand new domain with a very basic website and collected email using Amazon SES for a couple of weeks. The website contained email addresses in a variety of formats:
email (at) domain
email@domain (hidden in HTML comments)
The site was made live on 1/21/2024 and within a few hours started receiving scans.
Email Address / Source | Number of Emails Received | Time to Receive 1st Email (Days)
email@domain (HTML Comments) | |
email (at) domain | |
The time to receive an initial email was much longer than I suspected. While scanning of the website happened within the first few hours of the website being publicly available, incoming emails took a couple of days. The web form was also the first method used to submit any content.
Common themes of the emails received included:
Android app development
FYI- Redesign your website ?
What is the next for <domain>
Revealed: Hiring Freelancers Save You Time & Money in 2024
Re: Delayed Payment – 2024/1/30 8:00:00
Android App Development !!
Re: Call to update your website $
your Sales Funnel…?
Re: Uncompleted Payment – 2024/1/30 5:25:28
At the time of this writing, there were no emails received for an address in this domain that was not listed on the website. There is definitely an impact on spam received when an email address is made publicly available. As more data is collected, more patterns may emerge from source domains and networks.
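The tally behind a table like the one above, together with the check for mail sent to addresses that were never published, written as an added example (not the author's code). The addresses, the sample messages and the midnight-UTC go-live time are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Go-live date from the post; midnight UTC is an assumption.
GO_LIVE = datetime(2024, 1, 21, tzinfo=timezone.utc)

# Constructed mapping: published address -> how it appeared on the site.
LISTED = {
    "comment@example.test": "email@domain (HTML Comments)",
    "spelled@example.test": "email (at) domain",
}

# Constructed sample messages (headers only), not data from the post.
SAMPLE = [
    "To: spelled@example.test\nDate: Tue, 23 Jan 2024 12:00:00 +0000\nSubject: a\n\n",
    "To: spelled@example.test\nDate: Tue, 30 Jan 2024 08:00:00 +0000\nSubject: b\n\n",
    "To: comment@example.test\nDate: Thu, 25 Jan 2024 12:00:00 +0000\nSubject: c\n\n",
    "To: X <never-published@example.test>\nDate: Fri, 26 Jan 2024 09:00:00 +0000\n\n",
]

def summarize(raw_messages, listed=LISTED, go_live=GO_LIVE):
    """Return ({source: (count, days_to_first)}, set_of_unlisted_recipients)."""
    counts, first, unlisted = defaultdict(int), {}, set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        try:
            # The Date header is set by the sender; prefer a receiver-side
            # timestamp when the mail platform records one.
            when = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            continue  # no usable date, skip the message
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        for _, addr in getaddresses(msg.get_all("To", [])):
            addr = addr.lower()
            if addr not in listed:
                unlisted.add(addr)  # address was never placed on the site
                continue
            counts[addr] += 1
            if addr not in first or when < first[addr]:
                first[addr] = when
    table = {}
    for addr, source in listed.items():
        days = None
        if addr in first:
            days = round((first[addr] - go_live).total_seconds() / 86400, 1)
        table[source] = (counts[addr], days)
    return table, unlisted
```

A non-empty second return value would mean senders are guessing or enumerating addresses rather than only harvesting the published ones.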
Consider limiting the data accessible on public resources, including contact pages and forums, to help combat spam messaging.
Jesse La Grew
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.