After receiving complaints from HotMail users about junk mail in accounts that had never been “publicized” anywhere, we found that HotMail was sharing its member email addresses with InfoSpace.com, which makes the addresses available on its Web site where they can be “harvested” by third parties, including spammers. The statement on the InfoSpace Web site — “For privacy, we don’t show the full email addresses of people listed in our directories” — turned out not to be correct, since HotMail provides its users with a search interface that allows them to harvest the email addresses of users listed on InfoSpace, including other HotMail users.
and clicking on the “Send Email” link takes the user to a new page with the message:
For privacy, we don’t show the full email addresses of people listed in our directories. You may use the form below to send a message, and your recipient may reply if he or she chooses.
But, if you are logged in to your HotMail account, you can click on the “Directories” link from your Inbox page and follow the “Email Search” link, which points to the InfoSpace “HotMail Email Search” form at
By default, InfoSpace lists only 5 member email addresses at a time, but you can list up to 100 addresses per page by taking the URL for the search results:
InfoSpace also provides a form where users can enter an email address and find a person’s location:
(go to the form at the bottom of the page)
At various times, the HotMail member signup page has asked new members to enter either their city and state of residence, or only their state (currently, only the state of residence is requested). But the form also requests a zip code, and the user is prompted to re-enter their information if the city/state and zip code don’t match. So the location information associated with most HotMail users is correct, since the only way for a new user to enter incorrect information when they sign up would be to look up a valid zip code for another city, and most users don’t bother.
Most HotMail users might assume that a person corresponding with them over the Internet can’t determine their location based on their address, but this isn’t true if their address is listed at InfoSpace.
Why publicize it
Publishing this report does raise the issue of whether it is ethical to reveal this information, including the details of how to collect the email addresses of HotMail members that HotMail shares with InfoSpace. However, the amount of spam received by HotMail users who never published their email addresses suggests that many spammers had already discovered how and where HotMail makes its members’ email addresses available. Since HotMail and InfoSpace will probably stop publishing member email addresses immediately after this report is brought to light, the window of opportunity for any new spammers to exploit this loophole is too short to be of any use, and the end result should be less spam for HotMail users in the long run.
How we found out about this
In January 2001, we publicized that HotMail had been silently blocking their users from sending us mail (as part of a private boycott against our service provider), returning the messages to the sender with a bogus “Returned Mail” error. Most of our members with HotMail addresses were outraged to find out that HotMail had been blocking their outgoing mail to Peacefire.
HotMail immediately stopped blocking outgoing mail, but defended the boycott as a “spam-fighting” tactic. (Our ISP refuses to host spammers, but was targeted for the boycott anyway because of the content of some hosted sites including ListSorcerer.com and BulkISP.com, which do business with spammers located on other providers. This “boycott blocking” is of course different from the far more common practice of blocking actual spam, which ISPs do to protect their users’ accounts, usually with their approval, and not for any boycott-related reasons.)
Our members with HotMail addresses, in addition to being outraged to find out that they had been co-opted into this “boycott” without their permission, said in some cases that the “spam-fighting” excuse was ironic, given that they had been receiving spam in HotMail accounts that they had never publicized anywhere. We began investigating whether HotMail had made its member addresses available to third parties where spammers might have harvested them, and found the connection to InfoSpace.
Bennett Haselton, 3/5/2001