I receive SPAM to my private Gmail email address, which has never been publicly available and is not googlable at all.

How could I receive SPAM on it? I saw this question, but in my case BCC is not the point, as in the to: field exactly my address is specified. No randomly-generated list of addresses, but literally a single address of mine.

Can I investigate the source of leakage? I.e. from what site/resource the spammer was able to obtain my address? I do not believe the spammer just randomly generated it.

Suncatcher
  • What is the format of your Gmail "private" address? Are you using the "+suffix" feature or have any dots `.` in your address? (see "Gmail dots-dont-matter"). Are you asserting you've never sent or received email from this address? If you've ever sent or received from an address then someone else will have it... and from there it could be leaked - which is why I question the alleged "privacy" of your address. After all, the whole point of email is to be reachable. – Dai Apr 12 '18 at 10:02
  • `Are you using the "+suffix" feature or have any dots .` I do not use `+`, but it has one dot. – Suncatcher Apr 12 '18 at 10:21
  • `Are you asserting you've never sent or received email from this address?` Of course I used this email for mailing, but only to my private contacts and very rarely for business needs. Hence my question: how to find out who screwed and leaked it :) – Suncatcher Apr 12 '18 at 10:23
  • @Suncatcher: could it be that any of your private contacts was compromised and thus your address leaked from there to spammers? Could it be that your address could easily be constructed from common words or names, i.e. spammers just guessing names and trying if they succeed? – Steffen Ullrich Apr 12 '18 at 10:49
  • `could it be that any of your private contacts was compromised and thus your address leaked from there to spammers?` Probably, but how to detect which one? My aim is not to punish them, but to close the hole and prevent further leaks and spamming – Suncatcher Apr 12 '18 at 11:29
  • `Could it be that your address could easily be constructed from common words or names, i.e. spammers just guessing names and trying if they succeed?` Unlikely. This word is rather rare and non-typical for English – Suncatcher Apr 12 '18 at 11:30
  • `My aim is not to punish them, but to close the hole and prevent further leaks and spamming` You're very likely on a list already. I don't think you can prevent further spamming. – Nomad Apr 12 '18 at 11:46
  • "how could I receive spam on it" isn't really the question; that's more of a question of how POP/SMTP works. I think "how did the spammer know to send it to this address?" is what you're really asking. – baldPrussian Apr 12 '18 at 13:41
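
The Gmail behaviours Dai's comment asks about ("+suffix" and "dots don't matter"), as an added example that is not part of the original thread: it reduces the recipient headers of a message to the canonical mailbox and reports which written variant and `+` tag the sender used. The tag only identifies a source if a distinct tag was handed to each site beforehand. The function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_gmail(address):
    """Return (canonical mailbox, +tag or None) for an address."""
    address = address.strip().lower()
    local, _, domain = address.rpartition("@")
    if domain not in GMAIL_DOMAINS:
        return address, None          # rules below are Gmail-specific
    local, _, tag = local.partition("+")   # everything after '+' is ignored
    return local.replace(".", "") + "@gmail.com", tag or None

def recipient_variants(raw_message, my_address):
    """List (address as written, tag) for each recipient that is my mailbox."""
    mine, _ = canonical_gmail(my_address)
    msg = message_from_string(raw_message)
    values = []
    # Delivered-To is added by the receiving server; To/Cc are sender-written.
    for name in ("Delivered-To", "To", "Cc"):
        values.extend(msg.get_all(name, []))
    hits = []
    for _, addr in getaddresses(values):
        canon, tag = canonical_gmail(addr)
        if canon == mine and (addr, tag) not in hits:
            hits.append((addr, tag))
    return hits

# Constructed sample: spam sent to a tagged variant of janedoe@gmail.com.
SAMPLE = """\
Delivered-To: jane.doe+shopexample@gmail.com
From: "Deals" <promo@spam.example>
To: jane.doe+shopexample@gmail.com
Cc: Other <other@example.org>
Subject: You won

body
"""

if __name__ == "__main__":
    for written, tag in recipient_variants(SAMPLE, "janedoe@gmail.com"):
        print(f"written as {written!r}, tag={tag!r}")
```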

2 Answers

You can check if one of the websites you log in to with your private email was compromised, as this has happened to people I know.

https://haveibeenpwned.com/ can be used to check.

It's made by a Microsoft Director as a public service.

For more information, see this answer: Is "Have I Been Pwned's" Pwned Passwords List really that useful?

The original purpose of HIBP was to enable people to discover where their email address had been exposed in data breaches. That remains the primary use case for the service today and there's almost 5B records in there to help people do that.

  • Troy Hunt is not employed by Microsoft, but pointing out HiBP isn't a bad idea. – AndrolGenhald Apr 12 '18 at 14:58
  • @AndrolGenhald "I'm Troy Hunt, a Microsoft Regional Director " https://haveibeenpwned.com/About – ConcernedUser Apr 12 '18 at 15:44
  • "I don't work for Microsoft, but they're kind enough to recognise my community contributions by way of their award programs" https://www.troyhunt.com/about/ – AndrolGenhald Apr 12 '18 at 15:48
  • @AndrolGenhald ah well Microsoft Regional Director sure sounded like a position at a company. I'll go ahead and revise my answer. – ConcernedUser Apr 12 '18 at 15:52
  • Cool. It showed `Oh no — pwned!`, but how can I find out *how* I was pwned? It doesn't give any info about the breach – Suncatcher Apr 12 '18 at 16:18
  • @Suncatcher It really won't tell you. You'd have to figure that out by looking at what places you've logged into and then googling which place was compromised. If you can't find info on Google you could report it to the places you log in to that they may have been breached. – ConcernedUser Apr 12 '18 at 16:26

Can you investigate the source of the leakage? No. Others have your e-mail address and you have no control of their systems or historical knowledge of their use of the address. You don't know, as a whole, where their address lists are kept and whether those have been compromised or not. You don't know if one of your friends was at a coffee shop and their traffic was being sniffed. You don't know all possible usages/occurrences of your e-mail address and over whose architecture that address went.

Let's say that you find out that Bob somehow wound up giving your e-mail address to a spammer. It doesn't matter whether it was deliberate or accidental - a spammer now has your e-mail address. Those lists are bought and sold between spammers and the only real variable is whether you have confirmed that your e-mail is read and acted upon or not. You have no control over the sale of these lists, and Bob does not either. Additionally: what would you do with Bob? Tell a friend to lose your e-mail address? Either way, that bell can't be un-rung.

baldPrussian