Slashdot Mirror


Telstra Denies Selling BigPond Customers' Data

Red Wolf writes "The Age reports that allegations that Telstra sells email addresses of BigPond customers have been denied by the telco. Melbourne-based IT worker Mark Edwards had doubts in this direction when he began receiving unusually large amounts of spam at his bigpond email address. Edwards grew suspicious because some of the spam being issued to him was also addressed only to a number of users within the bigpond.com domain, indicating that the unsolicited mass emailings were being sent to lists of BigPond users."

22 of 190 comments

  1. Dictionary Attack by wukie · · Score: 3, Informative

    Hello, I get these all the time on accounts with my first name.

    1. Re:Dictionary Attack by NerdENerd · · Score: 3, Informative

      Yes, when I used a common name on my Telstra cable account it was spammed continually, but since I have changed it to something obscure I don't get any more spam at all.

  2. It would not be BigPond/Telstra's first spam issue by Facekhan · · Score: 3, Informative

    I remember reading recently that Bigpond was gonna be blacklisted for allowing spammers on their service.

  3. Telstra's ADSL Monopoly by Michael's+a+Jerk! · · Score: 5, Informative

    Telstra have a history of standover tactics (see Here, for instance).

    I really hope they get busted under our new privacy laws. I have a telstra email address that I've never used that gets spammed constantly. If telstra didn't sell my details, then something very fishy is going on.

    --

    I'm not Seth.

  4. Re:Telstra is Crap by sk0pe · · Score: 5, Informative

    I know what you mean... at my workplace, we implemented Telstra's ADSL the first week it was available at our exchange... for about 14 months, there was no alternative either. But now we're with iiNet. Same speed, but cheaper and 6 times the download allowance. One other major reason we swapped was the spam the account's email address was receiving. Interesting to note, that since we have our own domain, this email address was NEVER, and I mean NEVER, submitted to a mailing list, a newsgroup or anywhere it may be gathered by spammers. The account name was also random enough that a dictionary attack shouldn't have worked. The address was never used to send mail, or reply to spam, but by the end of our 18 month contract, we were receiving about 6-10 spam emails per day. I realise this is not a lot for an active email address, but this wasn't used at all. The only reason I even looked at the mail box was to get Telstra mailouts regarding outages, updates etc. Not selling customer details eh? ---- All extremists should be taken out and shot.

    --
    Tempus fugit sub anesthesia.
  5. read the privacy statement... by -=SteelRat=- · · Score: 3, Informative

    I have read the telco's privacy (a few months back) statement and it makes it clear they can give out any information they want about you to anyone they want. I think they called it partners and business associates.

    I think that's plain enough... don't you!

    Steel

    --
    There are none as blind as those who will not see.. (unknown)
  6. Re:Telstra is Crap by Michael's+a+Jerk! · · Score: 5, Informative

    Bitching about poor service doesn't hit a company nearly as hard as taking your business elsewhere.

    Agreed. However, did you read the Whirlpool link I posted?

    Telstra makes it *very* difficult to change to a different service. This is a typical case. It's happened to people I know.

    Even if that doesn't happen, there's a delay of 2 or 3 weeks without net access while you change. It's annoying, but I will change.

    --

    I'm not Seth.

  7. Re:Evidence?? by beoch · · Score: 4, Informative

    I've got a bigpond email account that I only ever put on my CV. I've used this for two years and I have never once received spam on this account. If Telstra are selling email addresses then they are only selling some of them.

    My yahoo account however.....

  8. Re:Telstra is Crap - PRON is worse ;) by Anonymous Coward · · Score: 5, Informative

    This has nothing to do with selling email addresses. I'm a Bigpond user. When I surf porn sites I get DELUGED with spam, without having to provide any identifying information.

    The Bigpond referrer details identify your user name. You have a default eMail account which is username@bigpond.com. Therefore, any site which analyses its visitor logs can identify a pool of valid Bigpond eMail addresses.

    Mate, if you don't want the junk mail, stop wanking so much!

  9. Re:doesn't mean anything by kinko · · Score: 2, Informative

    Yes. It's one of SpamAssassin's signs of spam. It's worth 3.9 points out of 5.0:

    SORTED_RECIPS (3.9 points) Recipient list is sorted by address

  10. Re:doesn't mean anything by kinko · · Score: 4, Informative

    Uh, I don't live in America, where it seems everything is for sale. In New Zealand, and indeed the rest of the "Western world", we have privacy acts that say data may only be used for the purpose it was explicitly collected for.

    This university had an internal web search thing where you could find people's email addresses given a surname (only accessible from within the university), and they decided that since they didn't mention anything about this on the enrolment form, they had to take it down to comply with our privacy act.

    I sincerely doubt any university in New Zealand, or even Australia or Europe, would ever consider selling its users' email addresses to spammers. Especially since NZ internet users have to pay for international traffic. Why sell addresses that will result in you paying 5 to 8 cents per megabyte of data received?

  11. I learned a lot from customer experiences by leonbrooks · · Score: 4, Informative
    iiNet used to be great, then the other Michael left, they went on a buying spree (Wantree, Omen, Networx, dozens of other smallish ISPs) and their tech support fell in a hole (due, I suspect, to the high turnover rate of competent technicians, he says, waving to Brett, a prime example).

    If you want a large ISP in WA, I recommend WestNet. They're a bit too big to still be really caring, but their reliability is a notch above iiNet's.

    If you want an excellent quality smaller ISP in WA, choose ArachNet. They also have excellent colocation terms, and this bloke can sell you a dandy little rack box to colocate with (review coming soon). I use ArachNet myself. There are others.

    If you want reliable DSL in Oz and damn the cost, try Request or Optus (nice picture). Everyone else has to go through Telstra to get their DSL (and these two will also if they have no DSLAM in the exchange), which costs you a big reliability hit.

    Telstra account for your data as the sum of both directions. Most Oz ISPs will bill you for the max of in and out, or just bill you for in, but no, not Telstra. As a 'phone company, they're not too bad (their service actually works). As a "competitive" ISP, they suck.

    --
    Got time? Spend some of it coding or testing
  12. SPAM 101 - HOWTO: by Anonymous Coward · · Score: 3, Informative

    Seriously, less than a few hours ago I met a guy (in person) who helps another guy spam overseas. He reckons a simple perl script (much like a link verification tool), a modified version of procmail (to become a mega mass-mailer), and an open relay, and they're in business. Sometimes they stick their own open relay (configured to remove original IP of sender) on a particular broadband ISP and spam using it as a relay. When asked by ISP, they then say "whoops I didn't know it was an open relay". A few of these warnings, and then a boot, and then they move to another ISP.

    Anyways, their personal spider can obtain 300,000 email addresses in a day. It will also do a lookup of the domain to verify if valid, and other clever things.

    I wanted to choke the guy!

    Solution:
    As soon as ISPs' email servers BLOCK emails that have the original IP address removed (easy to do), then this type of spam will stop (if all ISPs will do this). They should also instantly boot users with open relays that have been spammed from, no questions asked. Networks that harbor spammers and their relays should be blacklisted at the ISP. Emails should be bounced. If a GENUINE email is blocked, the bounce message could show how to contact ISP for remedy.

  13. Re:Telstra is Crap by Anonymous Coward · · Score: 4, Informative

    Telstra certainly IS crap, and ALL the CHEAPER resellers use the Layer2 offering which relies on Telstra DSLAMs and hence Telstra's support and reliability of same. Doh. The only other major DSLAM-level provider is XYZ/Optus, also used by Connect and RequestDSL, and that pricing is as business grade as the service, which is extremely good - it's just not affordable for a lot of people. Pricing starts at around $300/mth for a 1.5Mbps connection, with a couple of gigs of data ( 2-3Gb ). Add extra data at 10-15c/MB and you're talking mega-dollars even for small business, and it's definitely out of home user territory.
    Then there's those Layer2-based providers. They're great, but suffer greatly at Telstra's hand - when support is required, Telstra services their own retail customers before the Layer2 providers' wholesale business.

    One word: Monopoly.

    I wish there was an uglier-sounding word that means the same thing, 'cause it sure would apply in this case.

  14. Poorly configured mail servers by DrSkwid · · Score: 5, Informative

    If your mail server follows the early SMTP RFCs it might well do this :

    %telnet bastardface.com 25
    RCPT TO: <aardvark@bastardface.com>
    550 Address unknown locally
    RCPT TO: <andrew@bastardface.com>
    250 Recipient ok. [andrew@bastardface.com]
    RCPT TO: <apple@bastardface.com>
    550 Address unknown locally

    [... do your whole dictionary]

    QUIT

    all usually without ever hitting the logs

    you get a nice big list of valid addresses all at the same domain and no-one is any the wiser until it starts filling up their inboxes

    I know this because it happened to us when someone followed the wrong RFC

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:Poorly configured mail servers by statusbar · · Score: 3, Informative

      Exact same thing happened to me. At one point I changed to use the courier smtp server for a bit, and then mailq showed 1000 messages bouncing because of a dictionary attack. I noticed immediately because it clogged my mail server so nothing was coming through.

      --jeff++

      --
      ipv6 is my vpn
  15. They DO sell their regular customer details by Anonymous Coward · · Score: 1, Informative

    I signed up, and their database entry took my middle name as my last. From a month or two later, I've gotten spam addressed specifically to a man with the last name of my middle name, and to my house address. It never stops.

    This is regular dead tree spam I'm talking about.

  16. it's crappy servers - no malice here (maybe) by DrSkwid · · Score: 4, Informative

    %echo matt@bigpond.com.au | /www/bin/get_mx
    extmail.bigpond.com

    %telnet extmail.bigpond.com 25
    Trying 144.135.24.8...
    Connected to extmail.bigpond.com.
    Escape character is '^]'.
    220 bigpond.com service ready (identifier 29/4290323)
    helo numpty
    250 bigpond.com
    MAIL FROM:
    250 ok
    RCPT TO:
    550 recipient unknown

    so you run your dictionary attack against the server

    MAIL FROM:
    250 ok
    RCPT TO:
    550 recipient unknown
    RCPT TO:
    550 recipient unknown

    until you get some 250s

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
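
The two DrSkwid comments above describe a server that answers each RCPT TO with a distinct 250 or 550, so one client sending many recipients and collecting mostly rejections is the signature to look for on the receiving side. The following detector is an added example, not part of the thread or of any mail server's tooling; the log line format, the thresholds and the `find_harvesters` name are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. The line format is an assumption for this example,
# not the output of any particular mail server.
SAMPLE_LOG = """\
2003-03-01T02:14:01 client=203.0.113.7 cmd="RCPT TO:<aardvark@example.com>" reply=550
2003-03-01T02:14:01 client=203.0.113.7 cmd="RCPT TO:<abacus@example.com>" reply=550
2003-03-01T02:14:02 client=203.0.113.7 cmd="RCPT TO:<andrew@example.com>" reply=250
2003-03-01T02:14:02 client=203.0.113.7 cmd="RCPT TO:<apple@example.com>" reply=550
2003-03-01T02:14:03 client=203.0.113.7 cmd="RCPT TO:<archer@example.com>" reply=550
2003-03-01T02:14:03 client=203.0.113.7 cmd="RCPT TO:<arthur@example.com>" reply=550
2003-03-01T02:20:10 client=198.51.100.20 cmd="RCPT TO:<andrew@example.com>" reply=250
2003-03-01T02:20:10 client=198.51.100.20 cmd="RCPT TO: <sales@example.com>" reply=250
2003-03-01T02:31:45 client=192.0.2.44 cmd="RCPT TO:<andrwe@example.com>" reply=550
"""

LINE_RE = re.compile(
    r'client=(?P<client>\S+) cmd="RCPT TO:\s*<(?P<rcpt>[^>]+)>" '
    r'reply=(?P<code>\d{3})',
    re.IGNORECASE,
)

def find_harvesters(log_text, min_rcpts=5, min_reject_ratio=0.6):
    """Flag clients whose RCPT TO commands are mostly rejected with 5xx."""
    stats = defaultdict(lambda: {"tried": [], "accepted": [], "rejected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats[m["client"]]
        rcpt = m["rcpt"].lower()
        entry["tried"].append(rcpt)
        if m["code"].startswith("2"):
            entry["accepted"].append(rcpt)
        elif m["code"].startswith("5"):
            entry["rejected"] += 1
    flagged = {}
    for client, e in stats.items():
        total = len(e["tried"])
        if total >= min_rcpts and e["rejected"] / total >= min_reject_ratio:
            flagged[client] = {
                "rcpt_count": total,
                "reject_ratio": round(e["rejected"] / total, 2),
                # Alphabetical probing suggests a word list being walked.
                "sorted_probe": e["tried"] == sorted(e["tried"]),
                # Mailboxes whose existence the server confirmed to this client.
                "exposed": e["accepted"],
            }
    return flagged
```
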
  17. Re:Telstra is Crap by Anonymous Coward · · Score: 4, Informative

    Not Always - The fibre belongs to telstra, however there are other DSL providers, notably Nextep and RequestDSL that have their own DSLAMs - This allows for much faster and better troubleshooting when network issues occur.
    They also take into account things like overheads in their speeds, so a 1.5M/256k connection is actually data rate, not line rate. Telstra calculates on the line rate, then there are whatever low level protocol overheads are used, then telstra's PPPoE layer - Eurgh.

    I work for D2P - we sell/lease managed network servers, and also resell Nextep broadband. With Linux powering our servers, and Nextep providing our network, we managed to win ATUG SME provider of the year. Good stuff :)

  18. What's the big deal? by deunan_k · · Score: 2, Informative

    Well, everyone did it.. Credit Card companies, Insurance, Finance, and why not ISPs?

    A colleague of mine, who is very paranoid when giving out his cell phone number got really pissed off when he received a call from some banks offering him credit card services. Recently he signed up for one and had no intention of signing for more. It seems that these people shared information within the industry..

    I'm not trolling.. Just lamenting on the alarming trend of the marketplace.

    --
    Will sys-admin for food
  19. Re:The _REAL_ story... by thirdrock · · Score: 2, Informative

    Look at these are two days in Australian politics and think, are Australians governed by morons?

    Short answer: Yes and No.

    Long answer:
    Q:Is the Government of Australia staffed with morons?
    A:Not entirely.
    Q:Are the elected officials of Australia our best and brightest?
    A:Not even close.

    --
    >>
    I am the director, and this is my movie ...
  20. I doubt it by srn_test · · Score: 2, Informative

    I have a Telstra Bigpond address (from having a cable modem).

    I never get any mail at it at all, except for official notices from Telstra.

    I've had it for about 4 years. I've mailed from it or given it out.