expira-mail

Email Harvesting Bots: How They Collect Your Address and How to Avoid Them

Every time your email address appears on a public website — a forum post, a comment section, a GitHub commit, a social media profile — it's being collected. Not necessarily by a human, but by an email harvesting bot.

Introduction

Every time your email address appears on a public website — a forum post, a comment section, a GitHub commit, a social media profile — it's being collected. Not necessarily by a human, but by an email harvesting bot.

These automated scripts crawl the internet 24/7, extracting email addresses from web pages, PDFs, and even images. DataDome research describes email scraping as "the process of using automated bots to collect email addresses from online sources, typically to build email lists for cyber attacks such as phishing and spam campaigns."

The addresses collected feed spam campaigns, phishing operations, and data broker lists. If your email is anywhere on the public web, it's been harvested.


How Harvesting Bots Work

Web scraping. Bots scan HTML source code looking for patterns that match email formats (anything with @ and a domain). They can read visible text, hidden fields, and even obfuscated addresses.

Forum and comment scraping. Public discussion boards are goldmines. Every post with an exposed email is collected instantly.

Directory harvesting. Online directories, professional profiles, and alumni databases are systematically crawled.

Dictionary attacks. If a bot can't find your email, it might try common patterns: firstname.lastname@domain.com. If the message doesn't bounce, the address is "confirmed."

Breach database integration. Harvesters cross-reference collected emails with known breach databases to enrich profiles with additional data.


The Economics of Email Harvesting

Email harvesting isn't random — it's a business. Collected emails are:

  • Validated for activity. Harvesters send a single pixel or test email to verify the address is monitored. Active addresses are worth 5–10x more than unverified ones.
  • Categorized by source. Emails from forum posts are labeled "high engagement." Emails from WHOIS records are labeled "business." Emails from GitHub are labeled "developer." Each category has a different price on the dark web.
  • Cross-referenced with breach data. Harvesters check each address against known breach databases. If your email appears in a breach alongside a password, the combination is significantly more valuable.
  • Sold in tiers. Freshly harvested addresses sell for a premium. Older lists are cheaper but contain more dead addresses.

The takeaway: if your email is publicly visible, it's being monetized. Probably right now.

Where Harvesters Find Your Email

  • Public social media profiles. LinkedIn, Twitter/X, Facebook, and Instagram profiles that display email addresses.
  • GitHub commits and repositories. Developer emails are frequently exposed in commit history.
  • Forum and community posts. Any public discussion board where you've included your email.
  • Company "About Us" and contact pages. Business emails are prime targets.
  • WHOIS records. Domain registration data often includes email addresses (though privacy protection services help).
  • Academic publications. Research papers and conference proceedings often include author emails.

How to Protect Yourself

Never post your primary email publicly. Use a disposable address for any public-facing communication or registration.

Use privacy services for domain registration. WHOIS privacy protection prevents your email from appearing in domain lookups.

Obfuscate email addresses in public posts. Write name[at]domain[dot]com instead of the standard format. Bots look for the @ symbol.

Use separate emails for different contexts. A disposable address for forums, another for social media, another for professional directories. When one gets harvested, the damage is contained.

Check haveibeenpwned.com regularly. If your email appears in a breach database, it's circulating on harvesting lists.


The Expira Connection

Expira is the perfect defense against harvesting. Use a disposable address for every public-facing interaction — forum registrations, comments, GitHub contributions, and contact forms. When a harvester collects that address, it's already expired or will expire soon.


Conclusion & CTA

Email harvesting bots never sleep. They collect, validate, and resell email addresses at industrial scale. The only way to stop them from harvesting your real email is to not give it out in the first place.

Don't be harvested. Use Expira for every public-facing interaction.

Sources: DataDome "What is Email Scraping?"; NordVPN Email Harvesting Glossary; "Automated Email Harvesting: Techniques, Risks and Security" (ROCYS 2024)