Analysis of traffic logs of email received by a large UK ISP shows considerable disparity between the proportions of spam received by addresses with different first characters. This disparity is quite marked when only email addresses that appear to be ?real? are considered. The root cause is likely to be spammers using ?dictionary? or ?Rumpelstiltskin? attacks to guess valid email addresses. There is limited evidence for these attacks taking place in real-time, suggesting that most ?fake? email addresses were constructed sometime in the past and are now immortalised within spammer databases.