Public Information and Email Spam, (Mon, Feb 5th)

Many organizations publicly list contact information to help consumers reach out for help when needed. This may be general contact information or a full public directory of staff. It seems obvious that having any kind of publicly available information will increase the likelihood that these accounts will receive spam or phishing emails. To help understand a bit of this, I set up a brand new domain with a very basic website and collected email using Amazon SES [1] for a couple of weeks. The website contained email addresses in a variety of formats:

email@domain
email (at) domain
email@domain (hidden in HTML comments)
web form

The site was made live on 1/21/2024 and within a few hours started receiving scans. 

| Email Address / Source | Number of Emails Received | Time to Receive 1st Email (Days) |
|---|---|---|
| Web Form | 4 | 2 |
| email@domain | 7 | 5 |
| email@domain (HTML Comments) | 1 | 9 |
| email (at) domain | 0 | N/A |

The time to receive an initial email was much longer than I suspected. While scanning of the website happened within the first few hours of the website being publicly available, incoming emails took a couple of days. The web form was also the first method used to submit any content. 

Common themes of the emails received included:

Website redesign
Android app development
Marketing / sales

Email Subjects:

FYI- Redesign your website ? 
What is the next for <domain>
Price List
Revealed: Hiring Freelancers Save You Time & Money in 2024
Re: Delayed Payment – 2024/1/30 8:00:00
Android App Development !! 
Re: Call to update your website $
your Sales Funnel…? 
_Re:_Pay_attention_to_Google=E2=80=99s_guidelines_-_SEO_settings
Re: Uncompleted Payment – 2024/1/30 5:25:28

Sending domains:

hotmail[.]com
nwjgc[.]biz
lcs.yqp.mybluehost[.]me
ssspay[.]com

At the time of this writing, there were no emails received for an address in this domain that was not listed on the website. There is definitely an impact on spam received when an email address is made publicly available. As more data is collected, more patterns may emerge from source domains and networks. 

Consider limiting the data accessible on public resources, including contact pages and forums, to help combat spam messaging.
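One way to review a page you publish before it goes live is to list every contact exposure it contains, grouped by the four formats tested above. This is an added example, not code from the original diary; the regular expressions, the `audit` function name and the example.com sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed patterns for two of the formats the diary tested.
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
AT_FORM = re.compile(
    r"[A-Za-z0-9._%+-]+\s*\(at\)\s*[A-Za-z0-9.-]+\.[A-Za-z]{2,}", re.I)


class ExposureAudit(HTMLParser):
    """Collects (format, value) findings from one HTML document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _scan(self, text, where):
        for m in PLAIN.finditer(text):
            self.findings.append((f"plain ({where})", m.group()))
        for m in AT_FORM.finditer(text):
            self.findings.append((f"(at) form ({where})", m.group()))

    def handle_data(self, data):
        # Text nodes, including script/style bodies.
        self._scan(data, "page text")

    def handle_comment(self, data):
        # Comments are not rendered but are still served to every client.
        self._scan(data, "HTML comment")

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.findings.append(("web form", dict(attrs).get("action", "")))


def audit(html):
    """Return the list of contact exposures found in an HTML string."""
    parser = ExposureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page using reserved example.com addresses.
SAMPLE = """<html><body>
<p>Sales: sales@example.com</p>
<p>Support: support (at) example.com</p>
<!-- old contact: legacy@example.com -->
<form action="/contact" method="post"><input name="msg"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, value in audit(SAMPLE):
        print(f"{kind:24} {value}")
```

Addresses left in HTML comments are easy to miss in a visual review of the rendered page, which is why the parser reports them separately.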

[1] https://aws.amazon.com/ses/


Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.