Once of the most common questions I get asked by users is: How do these spammers get my e-mail address? There are a number or methods that these spammers use, and I will focus in one of the methods, in today’s blog post: The “Rumplestiltskin” attack.

A dictionary or Rumplestiltskin attack is an attack where the spammer floods e-mail servers with usernames selected from a dictionary.It comes from the old Grimm’s fairy story, Rumplestiltskin.

A couple of decades back, when the university’s e-mail system was still very primitive and e-mail addresses were limited to 8 characters, most personnel at the university had simple names like ab@sun.ac.za, aa1@sun.ac.za, bv@sun.ac.za. It is relatively easy to make up a list of common letter combinations and just add @sun.ac.za onto it to create a e-mail list. Add to that common  role-based accounts, such as admin, help and support, as well as adding the latest Baby Names list and you have a list that can be used to launch a Rumplestiltskin attack.

If you send  E-mail to Unknown Users or address that do not exist, Why bother?

Firstly rather than spammers buying a list from other spammers, they can just spam to any possible name they can generate. It might seem rather inefficient but sending email is cheap.

The second reason – which is far more sinister – is that spammers use these techniques to generate lists of valid email accounts. They first send to a generated list and when they do get a response or the receiving mail server doesn’t answer back and say “unknown e-mail address”. This allows them to either sell these lists of “verified” emails or be more accurate in their other spamming activities.

With this second reason in mind, you should be able to see the danger of replying to these mails or filling in the “opt-out” option, that is commonly included in such mails, or by setting your “Send delivery receipt” to automatic on your e-mail. As soon as these spammers realize that there is a real person at the other end of the e-mail, they will increase their spam. They get paid to send out the mail, not for how many people respond to them.