Â鶹ÒùÔº

Researchers at the Virginia Tech National Security Institute recently used active open-source intelligence techniques to gain a better understanding of how presidential campaigns use email addresses.

The team within the institute's Spectrum Dominance Division found the emails sent during the 2024 primary elections generally focused on donors, as opposed to issues. They also found that user donations resulted in an increased volume of future emails.

"Across all the candidates we looked at, regardless of political party, if we had one account that donated and other accounts that didn't donate, we found that the donor was actually treated a lot differently," said Jared Byers, research associate at Virginia Tech National Security Institute. "We found that those who donated received about two and a half times as many emails as a nondonor and they also received more requests for more donations than a nondonor."

Using artificially created IDs, the team hosted email accounts and phone numbers, signed up for candidate mailing lists, and studied the interaction from November 2023 to April 2025. They found it would take on average 50 hours to read all of the content sent to each account.

The team presented these findings at , a cybersecurity-focused research conference held in Las Vegas in August.

This research is just one aspect of the institute's Use and Abuse Project, a multi-year effort that includes both faculty and students investigating how personal information propagates during online transactions, which began in 2020. Abuse of personal information typically comes in the form of sharing the email address without express permission or sending excessive numbers of spam emails.

"We all know that when we go online, we do all kinds of transactions requiring information exchange. Even just going to a website is a type of transaction," said Alan Michaels, director of the Spectrum Dominance Division. "But it's really difficult to look back at all the transactions a person makes and determine which of those led to the spam email or malware they're receiving now."

Originally, Michaels and his team created fake IDs and email addresses and used each exactly once. As a result, when the researchers received spam emails at one of the fake email addresses, they knew it only could have come from that one online transaction.

"It's almost like taking your digital identity, breaking it into fractured pieces so that you can separate out which of those now led to future consequences," Michaels said.

The first year, the team experimented with almost 300 fake identities. The fake email addresses interacted with corporations, political candidates, news sites, and more, with the goal of determining if the groups would share the information and how many emails each fake email address would receive.

"Our original method of creating the fake IDs ourselves was very brute force, but it still got us some interesting results," said Michaels, who is also a professor in the Bradley Department of Electrical and Computer Engineering. "In the past couple of years, we've been able to develop an underlying infrastructure that makes it very easy to sign up for accounts."

Today, the team has an engine that creates realistic fake IDs by following demographic averages from the Census Bureau, as well as a sign-up engine that uses the fake identities for website transactions and tracks where each identity has been used.

A future goal of the project is to develop an ethics framework for the type of open source intelligence (OSINT) research—collection and analysis of publicly available information—encompassed in the Use and Abuse Project. This aspect of the program is engaging student researchers. The project has engaged 130 students from 22 majors over the five years.

"While OSINT is a very common research tool, there's not a lot of definition around what it is and especially how it should be used," said Annabelle Lu, a sophomore in the Pamplin School of Business and an undergraduate researcher assistant on the Use and Abuse Project.

The team plans to fill that by creating both qualitative and quantitative ways to analyze and evaluate ethics in such research projects, including guidance for incorporating emerging technologies, such as artificial intelligence.