On Mon, 27 May 1996, E. ALLEN SMITH wrote:

a (randomly-created) link to http://foo.bar.com/563.html etcetera? Or are they looking at more specific locations that couldn't be faked this way?

What they are doing is spidering the entire web looking for anything that looks like an email address, running a dictionary finger attack on the host part of any email addresses they find, and reporting things that look like lists of email addresses to humans (or the closest approximation employed by WhoWhere). Usually they do port scans for http and whois servers too. The way they bootstrapped their database was with dictionary searches on InterNIC and okra.ucr.edu, with a significant enough effect that lawsuits were considered. -rich