SPAM - Real case

Posted by Norberto Herz on July 30, 2015

Those of us who understand technology (and maybe a little more than “understand”) are used to warning, explaining to, or scolding our friends and family about misusing e-mail. There is one particular concept that is usually disregarded despite being a simple one (mostly because of a lack of knowledge or attention; it could happen to anyone).

For rookies

When we send an e-mail, we need to specify the receivers' addresses. There are 3 ways of doing this:

  • To: To whom this e-mail is targeted. All receivers can see the addresses typed in this field.
  • Carbon Copy: People that, despite not being the main target, we want to notify about something. All receivers can see the addresses typed in this field.
  • Blind Carbon Copy: People we want to read the e-mail, but we don’t want other people to notice. Nobody except the sender and the receiver can see the addresses typed in this field.

This last option is the one we recommend/beg you to use when you can’t help sending that PPT with a background sound and pictures of volcanoes or puppies being saved by volunteer firefighters. If you are sending it to a bunch of people anyway, at least avoid publishing/sharing everyone else’s email addresses. Personally, I have had great results explaining why sharing the addresses is that bad. When we send the addresses publicly to everyone, any receiver can use them to send me content I am not interested in (which, in high volumes, turns into a really annoying waste of time). Even worse: many of your trusted contacts will forward your email (since they think it’s worthy) and, in turn, their contacts will forward the thread, which might propagate until all of us have received that e-mail (maybe even more than once).
At some point, there will probably be at least one link in this chain dedicated to collecting email addresses to build email databases. These databases are really valuable to companies that advertise their products and/or services over the internet, and which are therefore willing to pay for them. At the end of the road, what happens is that you start receiving spam. A lot of spam.
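How the visible fields differ from blind copy at the message level, as an added example that is not part of the original post: Python's standard `email` package is used to list the addresses every receiver can read and to rebuild the message so the recipient list travels only in the SMTP envelope. The addresses, the `MAX_VISIBLE` threshold and the function names are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy threshold, not from the original post


def visible_recipients(msg):
    """Addresses every receiver can read: the To and Cc headers."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def to_blind_copy(msg, sender):
    """Return (safe_msg, envelope): same content, no recipient in the headers.

    The envelope list is what gets handed to the SMTP server (for instance
    as the to_addrs argument of smtplib.SMTP.send_message); receivers never
    see it.
    """
    bcc = getaddresses(msg.get_all("Bcc", []))
    envelope = sorted(set(visible_recipients(msg))
                      | {addr.lower() for _, addr in bcc if addr})
    safe = EmailMessage()
    safe["From"] = sender
    safe["To"] = sender  # the only address anyone will see
    safe["Subject"] = msg["Subject"]
    safe.set_content(msg.get_content())
    return safe, envelope


def build_sample():
    """Constructed sample: a mass mail with everyone in To and Cc."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = ", ".join(f"person{i}@example.org" for i in range(1, 9))
    msg["Cc"] = "Boss <boss@example.com>"
    msg["Subject"] = "News about our project"
    msg.set_content("Pictures attached.")
    return msg


if __name__ == "__main__":
    original = build_sample()
    exposed = visible_recipients(original)
    if len(exposed) > MAX_VISIBLE:
        print(f"{len(exposed)} addresses exposed to every receiver")
    safe, envelope = to_blind_copy(original, "sender@example.com")
    print("visible after rewrite:", visible_recipients(safe))
    print("delivered to:", len(envelope), "addresses")
```
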

Real case

This morning, an employee working at a company dedicated to investment projects sent some news and images about a building demolition for a new venture. Congratulations to them, by the way. I don’t know this person, so I’m assuming that he got my email address thanks to some previous carelessly forwarded thread. But the funny thing: he placed all the receivers in the “To” field. Yes, the mistake typically made by friends and family, the one we warn, explain or scold about, was made this time by a spam-sending industry professional (probably certified by the National e-mail sending and other highly profitable competences institute, A.K.A. NESaOHPCI). And obviously, if I blame a relative for doing this, how could I not lash out at such a lack of professionalism? I replied to his email, moving the other receivers from the “To” to the “BCC” field (avoiding any possible “reply to all” related problem). I put in “CC” as an escalation, and wrote my answer:

I would appreciate it if next time you send a spam message you could use the BCC option so my contact information is not shared with everyone, the same way I shouldn’t be seeing the contact information of all these people receiving this message.

So, evil was done. People tend to understate these issues with thoughts like “well, it’s not a big deal. At most you will receive some SPAM”. But when I placed the other victims in (B)CC some things happened. Things that we usually overlook.


  • Many of the addresses were work email addresses. This means that these people will probably start receiving SPAM at work.
  • July 30: At least in this region, a lot of people are away on vacation. A lot of people had configured the automatic response “I’m out for vacations until some date”. This means that any of these 400 persons might know the first and last name of someone who is away from home for the next few days. And let me say that getting the home address and other personal information from just the person’s name is not exactly rocket science.
  • Non-existent or invalid addresses are revealed by the “Undelivered email” notice. Because of that, I can assume that the other ones are valid and use them for commercial purposes.

In my case, the options I’ve just mentioned are not among the activities I usually perform, which only reassures those who know me and trust me. The rest of you are allowed to have second thoughts. But there are 399 other persons on that thread. 399 persons that have my e-mail address. 399 that might have your e-mail address.

We live in an era where we can do more and more critical and sensitive tasks from our desks. We can transfer money, share our routine, publish our mood, show pictures, and share our thoughts and opinions, among other things. But every move we make can be watched by others. Thoughtful use of information tools is the only real way of making sure that these others are our intended audience and nobody else.