Slashdot Mirror


Is Amazon.Com Selling E-mail Addresses?

A worried Anonymous Coward asks: "I recently used Amazon(.co.uk)'s refer-a-friend scheme to refer a member of my family. I set up a new e-mail address for this purpose, and it had been used for nothing else. A few days after receiving the refer-a-friend voucher, the address started to receive spam mail. Only Amazon ever knew about this address? How did the address get on junk mail lists? The address was too obscure to have been guessed! Has anyone else had a similar experience?" You may think most eCommerce places won't stoop low enough to sell addresses to potential spammers, but it always pays to read the fine print, first. More below.

According to Amazon.Co.Uk's Privacy Policy: "Amazon.co.uk does not sell, trade or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.co.uk. (If you use more than one e-mail address to shop with us, send this message from each e-mail account you use.) Also, Amazon.co.uk may provide aggregate statistics about our customers, sales, traffic patterns and related site information to reputable third-party vendors, but these statistics will include no personally identifying information."


  1. It was me - I confess by Chang · · Score: 2

    I'm the one who sold your email address.

    I picked up your secret email address by sniffing the connection. Since you were only using SSH1 and WEP on your wireless segment, it was an easy crack.

    I'll forward the $0.37 check I received from the Spam lord later today via PayPal ;)

  2. How could you even ask such a thing? by unitron · · Score: 2
    "Is Amazon.Com Selling E-mail Addresses?"

    Of course not.

    They're selling copies of those addresses.

    Over and over again.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  3. Re:Dictionary attack by anticypher · · Score: 2

    Some of us don't jump to conclusions, we test them. It is so we know what to avoid on the big, dangerous internet.

    If you look at my post below, I created a spam catcher account with the name uni_21_bow_eton@feckless.co.uk (it's dead now, probably too swamped with spam)

    That address doesn't appear in any dictionary I know of, and it isn't likely to just magically appear on spammers' lists. A number of other addresses of similar length never received any messages, except for a handful of test messages I sent back and forth.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  4. Not necessarily Amazon's fault by babbage · · Score: 2
    What was the email's domain name? I'm curious because a lot of spammers can independently come up with addresses without resorting to buying the lists from Amazon or anyone else. Basically, just send a message to
    a@hotmail.com, b@hotmail.com, c@hotmail.com, .... z@hotmail.com, A@hotmail.com, B@hotmail.com, .... 1@hotmail.com, 2@hotmail.com, .... a1@hotmail.com, etc
    ...up through all combinations of 12 characters or 24 characters or whatever the upper limit is there. Kind of a pain, but nothing that half a dozen lines of Perl code couldn't generate pretty quickly.

    Repeat the cycle with all AOL addresses and already you have tens of millions of addresses. Send a message to each of 'em and the mail systems will "courteously" let you know which ones don't actually exist; take that abbreviated list as a starting point for round two. Anyone that angrily replies "no spam!" is a target, because you know that person both reads & pays attention to their email account. The no replies are trickier -- they're either dormant or crafty enough not to nibble. No matter, keeping them on the list is cheap and potentially profitable, so they all get spammed too.

    About the only real way I know of to keep off the lists is to have an unusual domain name that you don't publicize anywhere that it could end up being harvested this way -- friends & family get to use the obscure one, and a public address goes on mailing lists, web sites, etc as the necessary target for spammers. You still don't avoid spam, but you can at least minimize &/or ignore it that way...

    Interestingly, my unobfuscated Slashdot address gets basically no spam. It seems that this site isn't worth the effort to trawl for addresses, because I for one never get any Slashdot themed spam. *shrug*.

    Anyway, to come back to the original point, if you had some obscure address ("myxtylpl1x@nevergonnaguessthis.net") and started getting spam, then Amazon is suspect. If however it was with an at all common domain, you may have just been an innocent target here.



    1. Re:Not necessarily Amazon's fault by ndfa · · Score: 2

      you can teach anyone to code.... but can you teach them theory of computation is the real question.

      My dare to you sir (Original Poster) is to write a quick program for the traveling salesman problem. It's quite easy to write one that does an exhaustive search. Start with say 5 cities, and move up to say 13, you will be very very surprised by how few cities a "modern pc" can really handle!

      --
      Non-Deterministic Finite Automata
  5. Wow, me too! by Xunker · · Score: 3

    As a Dot.Com'er, I find your trust in Web Sites amusing.

    Interestingly enough, I had the exact same thing happen, except with the 'wish list' thing -- and, in this case, I was trying to catch them in the act.

    I made a 12-character random username on *my* mail server (the one I run for me and me alone). (Obviously, this address was never published as I made the account just for this purpose.) I then sent my wish list to that address and waited.

    And about 36 hours later, I think you can guess what happened! Spam, Spam! Glorious Spam! They say they'll only give the addresses away to "trusted third parties" -- I guess they consider a Mortgage refinance corporation to be "trusted".

    --
    Hilary Rosen's speech was about her love of money and her desire to roll around naked in a pile of money.
  6. Amazon isn't spamming by anticypher · · Score: 4
    It is merely selling your address to "approved" business partners, you agreed to that by accessing their site. It's those partners who are increasing their revenue by selling your address to spam lists. See, any marketing genius could spot the difference :-|

    I've done the exact same thing as Worried Anonymous Coward (WAnCo?), where I set up a number of lengthy and obfuscated email addresses on a free mail service (let them deal with the spam). One of the addresses was used for amazon.co.uk's reference list, the others were never given out. Within hours the amazon account started receiving spam, the others have never received a message. I sent an email to never@amazon.co.uk from that account, but it hasn't stemmed the flow of spam.

    Various "approved" amazon business partners include

    Regular amazon marketing promotions

    Instant diplomas for cash

    Home mortgages

    Make money fast with Internet Marketing (perfectly legal, it says so)

    Various pr0n sites

    One guy shopping his miserable resume around

    I contacted the last guy from a separate account, asking him for more info and if he would like to come to work for a huge amount of money, since we needed workers in his area. When queried about how he managed to find our address, he wrote about buying a CDROM with 300,000 good, valid business addresses, all of whom had opted-in to the database. He realised after sending his resume to the first 50,000 that 90% of them bounced, and the remainder mostly generated hate mail and death threats. He was overjoyed to find a company actually interested in his spamming talents. I wonder if he is still waiting for the follow-up interview :-)

    So now that address is burned onto CDs being sold to spammers everywhere. And only amazon.co.uk had ever been given the address. It's life on the internet, get used to it, information wants to be free.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
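
The test several commenters describe (one unguessable address given to a single site, plus control addresses given to nobody) can be scripted. The following is an added example, not code from any poster in this thread; the key, the domain, the labels and the sample messages are all constructed assumptions.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"   # assumption: a private key only the tester holds
DOMAIN = "example.net"             # assumption: a mail domain the tester controls

def canary(label):
    """Reproducible but unguessable address for one disclosure (or one control)."""
    tag = hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{DOMAIN}"

# One address is given to the site under test; the controls are given to nobody.
ISSUED = {canary(l): l for l in ("amazon-referral", "control-1", "control-2")}

def attribute(raw_messages, expected_senders):
    """Count unexpected mail per label and say what the counts support."""
    hits = {label: 0 for label in ISSUED.values()}
    for raw in raw_messages:
        parsed = message_from_string(raw)
        if parseaddr(parsed.get("From", ""))[1].lower() in expected_senders:
            continue  # mail the site itself was expected to send is not a leak
        fields = parsed.get_all("To", []) + parsed.get_all("Delivered-To", [])
        # A set, so an address present in both headers is counted once per message.
        for addr in {a.lower() for _, a in getaddresses(fields)}:
            if addr in ISSUED:
                hits[ISSUED[addr]] += 1
    if any(n for l, n in hits.items() if l.startswith("control")):
        return hits, "inconclusive: controls were hit too (guessing or mailbox-side leak)"
    leaked = [l for l, n in hits.items() if n]
    if leaked:
        return hits, "leak via: " + ", ".join(leaked)
    return hits, "no unexpected mail observed"

def make_msg(sender, to, delivered_to=None):
    """Build a constructed RFC 822 message for the demo."""
    extra = f"Delivered-To: {delivered_to}\n" if delivered_to else ""
    return f"From: {sender}\nTo: {to}\n{extra}Subject: test\n\nbody\n"

SAMPLE = [  # constructed messages, not real mail
    make_msg("voucher@vendor.invalid", canary("amazon-referral")),
    make_msg("refi@bulk.invalid", canary("amazon-referral")),
    make_msg("diploma@bulk.invalid", "list@bulk.invalid", canary("amazon-referral")),
]

if __name__ == "__main__":
    print(attribute(SAMPLE, {"voucher@vendor.invalid"}))
```

Silent controls are what separate a disclosure from the address-guessing scenario raised in comment 4: if the controls collect mail too, the result says nothing about the site.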