Slashdot Mirror


Telstra Denies Selling BigPond Customers' Data

Red Wolf writes "The Age reports that allegations that Telstra sells email addresses of BigPond customers have been denied by the telco. Melbourne-based IT worker Mark Edwards had doubts in this direction when he began receiving unusually large amounts of spam at his bigpond email address. Edwards grew suspicious because some of the spam being issued to him was also addressed only to a number of users within the bigpond.com domain, indicating that the unsolicited mass emailings were being sent to lists of BigPond users."

28 of 190 comments

  1. Telstra is Crap by Michael's+a+Jerk! · · Score: 5, Interesting

    I'm with Telstra, and have had nothing but problems. Their Privacy policy allows selling your email address to advertisers. They've also got this insane capping system, that's stopped the rollout of broadband in AU.

    Read more in Whirlpool. They've got the facts.

    --

    I'm not Seth.

    1. Re:Telstra is Crap by sk0pe · · Score: 5, Informative

      I know what you mean... at my workplace, we implemented Telstra's ADSL the first week it was available at our exchange... for about 14 months, there was no alternative either. But now we're with iiNet. Same speed, but cheaper and 6 times the download allowance. One other major reason we swapped was the spam the account's email address was receiving. Interesting to note, that since we have our own domain, this email address was NEVER, and I mean NEVER, submitted to a mailing list, a newsgroup or anywhere it may be gathered by spammers. The account name was also random enough that a dictionary attack shouldn't have worked. The address was never used to send mail, or reply to spam, but by the end of our 18 month contract, we were receiving about 6-10 spam emails per day. I realise this is not a lot for an active email address, but this wasn't used at all. The only reason I even looked at the mail box was to get Telstra mailouts regarding outages, updates etc. Not selling customer details eh? ---- All extremists should be taken out and shot.

      --
      Tempus fugit sub anesthesia.
    2. Re:Telstra is Crap by Michael's+a+Jerk! · · Score: 5, Informative

      Bitching about poor service doesn't hit a company nearly as hard as taking your business elsewhere.

      Agreed. However, did you read the Whirlpool link I posted?

      Telstra makes it *very* difficult to change to a different service. This is a typical case. It's happened to people I know.

      Even if that doesn't happen, there's a delay of 2 or 3 weeks without net access while you change. It's annoying, but I will change.

      --

      I'm not Seth.

    3. Re:Telstra is Crap by G-funk · · Score: 4, Interesting

      Erm, in Australia, there is no elsewhere to which you can take your business. All ADSL in Australia is resold from Telstra.

      --
      Send lawyers, guns, and money!
    4. Re:Telstra is Crap by Anonymous Coward · · Score: 4, Informative

      Telstra certainly IS crap, and ALL the CHEAPER resellers use the Layer2 offering which relies on Telstra DSLAMS and hence Telstra's support and reliability of same. Doh. The only other major DSLAM-level provider is XYZ/Optus, also used by Connect and RequestDSL, and that pricing is as business grade as the service, which is extremely good - it's just not affordable for a lot of people. Pricing starts at around $300/mth for a 1.5Mbps connection, with a couple of gigs of data ( 2-3Gb ). Add extra data at 10-15c/MB and you're talking mega-dollars even for small business, and it's definitely out of home user territory.
      Then there's those Layer2-based providers. They're great, but suffer greatly at Telstra's hand - when support is required, Telstra services their own retail customers before the Layer2 providers' wholesale business.

      One word: Monopoly.

      I wish there was an uglier-sounding word that means the same thing, 'cause it sure would apply in this case.

    5. Re:Telstra is Crap by Anonymous Coward · · Score: 4, Informative

      Not Always - The fibre belongs to Telstra, however there are other DSL providers, notably Nextep and RequestDSL that have their own DSLAM's - This allows for much faster and better troubleshooting when network issues occur.
      They also take into account things like overheads in their speeds, so a 1.5M/256k connection is actually data rate, not line rate. Telstra calculates on the line rate, then there are whatever low level protocol overheads are used, then Telstra's PPPoE layer - Eurgh.

      I work for D2P - we sell/lease managed network servers, and also resell Nextep broadband. With Linux powering our servers, and Nextep providing our network, we managed to win ATUG SME provider of the year. Good stuff :)

  2. doesn't mean anything by kinko · · Score: 4, Insightful

    I regularly get spam addressed to my address along with other users at the same domain. But I doubt my university sells addresses. It's probably just what some spam software does, since spam assassin can be set up to assign a higher score to messages where your address isn't in the To or Cc fields.

    Sheesh, what's with jumping to conclusions? Like assuming if your new hotmail a/c gets spam, then MS must have immediately sold it to spammers who immediately spammed it....

    1. Re:doesn't mean anything by kinko · · Score: 4, Informative

      Uh, I don't live in America, where it seems everything is for sale. In New Zealand, and indeed the rest of the "Western world", we have privacy acts that say data may only be used for the purpose it was explicitly collected for.

      This university had an internal web search thing where you could find people's email addresses given a surname (only accessible from within the university), and they decided that since they didn't mention anything about this on the enrolment form, they had to take it down to comply with our privacy act.

      I sincerely doubt any university in New Zealand, or even Australia or Europe, would ever consider selling its users email addresses to spammers. Especially since NZ internet users have to pay for international traffic. Why sell addresses that will result in you paying 5 to 8 cents per megabyte of data received?

  3. Telsta's ADSL Monopoly by Michael's+a+Jerk! · · Score: 5, Informative

    Telstra have a history of standover tactics (see Here, for instance).

    I really hope they get busted under our new privacy laws. I have a Telstra email address that I've never used that gets spammed constantly. If Telstra didn't sell my details, then something very fishy is going on.

    --

    I'm not Seth.

  4. another possibility by tankdilla · · Score: 4, Interesting

    They got hacked and don't want to admit it. Instead they play dumb when their users are getting spammed.

    --

    -Look lively. LOOK LIVELY!!! --Mr. Shmallow

  5. It could be a staff member by Narcissus · · Score: 4, Interesting

    Just because the company doesn't sell the list doesn't mean that no-one within the company does (or someone that used to work there). I know of a few people that have taken lists of thousands of email addresses from their work on their last day, just in case they wanted to sell it.

    On top of that, I know I've been offered cash more than once to get a list of the addresses in our database. If you were working in a call centre, in a country that you're just visiting, knowing that you'll only be there for a month or two, and knowing you'll never go back, wouldn't it just be too tempting to nap that list for future reference?

    1. Re:It could be a staff member by Fizzl · · Score: 5, Insightful

      Umm... No?

      How can anyone have such bad morale?
      I had access to tens of thousands of credit card details as a developer for one database application.

      I left the company in very disgruntled mood. Yet I never was even slightly tempted to copy the databases or details of the communications how the details are transferred around the country.
      I had some company code and documentation home because I used to work remotely at times. I erased the data and returned the dead-tree docs in mail.

      Although email addys and credit card details are in totally different categories, I think of the people who own the information. It's not like it's their fault you're getting shafted.

      I do not have a criminal mind. I'm prolly going to die poor :(

  6. Further info is needed by Adam9 · · Score: 4, Insightful

    I'd like to know some specifics about the alleged selling of the e-mail addresses. Telstra says this:

    "The most common practice is to submit a test mail list to an ISP containing thousands of randomly generated user names. Most mail servers would qualify the names and attempt to deliver a blank message to those that have been generated/guessed correctly."

    I'm wondering how random some of the addresses were. Were they being sent to asmith@telstra bsmith@telstra, etc.? If so, then Telstra's reasoning makes sense. But if addresses like chalk54923@telstra are on the spam list, then I'd say that Telstra is full of it.

  7. OMFG, it's a conspiracy. Someone call slashdot! by Moonwick · · Score: 4, Insightful

    Edwards grew suspicious because some of the spam being issued to him was also addressed only to a number of users within the bigpond.com domain, indicating that the unsolicited mass emailings were being sent to lists of BigPond users.

    Why give them the benefit of the doubt and consider that this was simply the work of some relatively intelligent spamming software, designed to maximize its connection to bigpond's SMTP server (by sending the body of the message once with a large list of bigpond addresses) when you can accuse the cruel corporate ISP of selling customer data?

    Now why these spams included target addresses in the headers of the e-mail (something SMTP absolutely doesn't require) is up for debate, but I think we're jumping to conclusions here...

    --
    Only on slashdot can a posting be rated "Score -1, Insightful".
  8. Telstra Information Minister Denies All by DrMrLordX · · Score: 4, Funny

    There are no email lists being sold! There is no spam in the mailboxes of bigpond accounts! Do not believe the infidels! The glorious Telstra corporation will triumph!

  9. Mass Spam to a Single Domain by Goody · · Score: 5, Insightful

    This happens all of the time -- it's called a spam dictionary attack, as the article attempts to explain. Spammers simply use every possible username in the world and append @yourdomain.com hoping to nail every user with their offers of bigger appendages.

    The part in this article about spammers testing for the validity of dictionary-generated email addresses is a load of crap. They could care less if the address is valid or not. They simply let the bounce message go out into never never land.

    I doubt Telstra sold any email addresses. Dealing with spam attacks isn't worth the meager revenue that would be derived from selling addresses.

    --
    Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
  10. Evidence?? by Cbs228 · · Score: 5, Interesting
    This evidence is not credible or convincing proof that BigPond is selling customer email addresses. However, I would not put it past them.

    The only way to find out for sure if an ISP sells subscriber addresses is to make a long, hard to guess address (such as jon4859493@bigpond.com) and give it to no one, just let it sit there. If you receive spam, it's a pretty good indication that your ISP is being rather loose with your contact info.

    --
    At our school, we don't earn a degree when we graduate—we earn pi/180 radians
    1. Re:Evidence?? by beoch · · Score: 4, Informative

      I've got a bigpond email account that I only ever put on my CV. I've used this for two years and I have never once received spam on this account. If Telstra are selling email addresses then they are only selling some of them.

      My yahoo account however.....

  11. It could have been anything by SandmanWAIX · · Score: 4, Insightful

    I don't like Telstra as much as the next guy ... but it could have been anyone with a simple bot to harvest Telstra Bigpond email addresses and then spamming. Maybe they have a grievance against the company (most people do) which is why its users were targeted .. or maybe it was because Bigpond users are traditionally the stupidest (no knowledge on broadband, computers, security etc) that they were targeted ... and perhaps spam mailers targeted Bigpond users because they obviously will buy anything no matter how reprehensible the product/pricing and treatment of customers.

  12. Re:Telstra is Crap - PRON is worse ;) by Anonymous Coward · · Score: 5, Informative

    This has nothing to do with selling email addresses. I'm a Bigpond user. When I surf porn sites I get DELUGED with spam, without having to provide any identifying information.

    The Bigpond referrer details identify your user name. You have a default eMail account which is username@bigpond.com. Therefore, any site which analyses its visitor logs can identify a pool of valid Bigpond eMail addresses.

    Mate, if you don't want the junk mail, stop wanking so much!

  13. The _REAL_ story... by SystematicPsycho · · Score: 4, Interesting

    The Australian government recently (a day ago) announced that they will be privatising the rest (remaining 51%) of Telstra. I wonder if this being on slashdot has anything to do with that?

    Anyway, a day before the government's announcement the senate was going to vote for an enquiry into broadband access in Australia.

    Then later on the same day (or the next day) 4 independent senators voted against it (damn bastards, technophobics afraid of technology).

    Look at these two days in Australian politics and think, are Australians governed by morons?

    Broadband enquiry likely

    Broadband inquiry killed

    New attempt at broadband enquiry

    --
    Analytic & algebraic topology of locally Euclidean meterization of infinitely differentiable Riemmanian manifold
  14. I learned a lot from customer experiences by leonbrooks · · Score: 4, Informative
    iiNet used to be great, then the other Michael left, they went on a buying spree (Wantree, Omen, Networx, dozens of other smallish ISPs) and their tech support fell in a hole (due, I suspect to the high turnover rate of competent technicians, he says, waving to Brett, a prime example).

    If you want a large ISP in WA, I recommend WestNet. They're a bit too big to still be really caring, but their reliability is a notch above iiNet's.

    If you want an excellent quality smaller ISP in WA, choose ArachNet. They also have excellent colocation terms, and this bloke can sell you a dandy little rack box to colocate with (review coming soon). I use ArachNet myself. There are others.

    If you want reliable DSL in Oz and damn the cost, try Request or Optus (nice picture). Everyone else has to go through Telstra to get their DSL (and these two will also if they have no DSLAM in the exchange), which costs you a big reliability hit.

    Telstra account for your data as the sum of both directions. Most Oz ISPs will bill you for the max of in and out, or just bill you for in, but no, not Telstra. As a 'phone company, they're not too bad (their service actually works). As a "competitive" ISP, they suck.

    --
    Got time? Spend some of it coding or testing
  15. Re:Not true anymore by Anonymous Coward · · Score: 4, Interesting

    Quite a lot of ISPs now re-sell Comindico's ADSL now.

    Their entry into the market caused a small price war with wholesale prices, leading to the number of cheaper ADSL ISP options lately.

    For those not familiar.

    Telstra has a habit of raising their wholesale price to be close to or in some cases higher than their retail prices to end users, after a short delay the ACCC steps in and slaps down Telstra, who then behave for a while, then repeat.

    This has the effect of discouraging competition.

    So far the ACCC has not given out much more than slaps on the wrist, but this is mainly because the government is trying to sell off their share of Telstra, so they want the share price to be high.

    You'll note that ACCC has been showing more teeth, and Telstra has been quiet lately, because the government has sidelined their plans to sell their shares (mainly because Telstra's share price is quite low atm).

  16. Poorly configured mail servers by DrSkwid · · Score: 5, Informative

    If your mail server follows the early SMTP RFCs it might well do this :

    %telnet bastardface.com 25
    RCPT TO: <aardvark@bastardface.com>
    550 Address unknown locally
    RCPT TO: <andrew@bastardface.com>
    250 Recipient ok. [andrew@bastardface.com]
    RCPT TO: <apple@bastardface.com>
    550 Address unknown locally

    [... do your whole dictionary]

    QUIT

    all usually without ever hitting the logs

    you get a nice big list of valid addresses all at the same domain and no-one is any the wiser until it starts filling up their inboxes

    I know this because it happened to us when someone followed the wrong RFC

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  17. it's crappy servers - no malice here (maybe) by DrSkwid · · Score: 4, Informative

    %echo matt@bigpond.com.au | /www/bin/get_mx
    extmail.bigpond.com

    %telnet extmail.bigpond.com 25
    Trying 144.135.24.8...
    Connected to extmail.bigpond.com.
    Escape character is '^]'.
    220 bigpond.com service ready (identifier 29/4290323)
    helo numpty
    250 bigpond.com
    MAIL FROM:
    250 ok
    RCPT TO:
    550 recipient unknown

    so you run your dictionary attack against the server

    MAIL FROM:
    250 ok
    RCPT TO:
    550 recipient unknown
    RCPT TO:
    550 recipient unknown

    until you get some 250s

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  18. no malice - now with extrans by DrSkwid · · Score: 4, Interesting

    %host -t mx bigpond.com
    bigpond.com mail is handled (pri=10) by extmail.bigpond.com

    so you run your dictionary attack against the server

    %telnet extmail.bigpond.com 25
    Trying 144.135.24.8...
    Connected to extmail.bigpond.com.
    Escape character is '^]'.
    220 bigpond.com service ready (identifier 29/4290323)
    helo numpty
    250 bigpond.com
    MAIL FROM: <>
    250 ok
    RCPT TO: <aardvark@bigpond.com>
    550 recipient <aardvark@bigpond.com> unknown
    RCPT TO: <apple@bigpond.com>
    550 recipient <apple@bigpond.com> unknown
    RCPT TO: <mr_brianpowell@bigpond.com>
    250 ok

    and every 250 is a valid paid up customer

    and there's not a log entry in the world that's going to find you

    in fact you can visit http://www.bigpond.com/home/memservices/community/index/

    to harvest email addresses like I just did while waiting to post with EXTRANS

    still it's more newsworthy if you CHARGE someone for this information !

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
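
Added example, not part of the thread or any poster's code: a defender-side check for the RCPT TO probing shown in comments 16 to 18, flagging clients that collect many 550 replies and never send DATA. The log format, the example.test addresses and the thresholds are assumptions, and the check only works if the mail server records rejected recipients per client.

```python
import re
from collections import defaultdict

# Constructed log lines (not from the thread): "<client-ip> <C|S> <SMTP line>".
SAMPLE_LOG = """\
192.0.2.10 C MAIL FROM:<>
192.0.2.10 S 250 ok
192.0.2.10 C RCPT TO:<aardvark@example.test>
192.0.2.10 S 550 recipient unknown
198.51.100.7 C MAIL FROM:<alice@example.org>
198.51.100.7 S 250 ok
192.0.2.10 C RCPT TO:<andrew@example.test>
192.0.2.10 S 250 ok
198.51.100.7 C RCPT TO:<andrew@example.test>
198.51.100.7 S 250 ok
192.0.2.10 C RCPT TO:<apple@example.test>
192.0.2.10 S 550 recipient unknown
198.51.100.7 C RCPT TO:<andrw@example.test>
198.51.100.7 S 550 recipient unknown
192.0.2.10 C RCPT TO:<apricot@example.test>
192.0.2.10 S 550 recipient unknown
198.51.100.7 C DATA
198.51.100.7 S 354 go ahead
192.0.2.10 C QUIT
"""

LINE = re.compile(r"^(\S+) ([CS]) (.*)$")
RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.I)

def summarize(log_text):
    """Per-client RCPT TO outcomes, plus whether the client ever sent DATA."""
    stats = defaultdict(lambda: {"rejected": 0, "accepted": [], "data": False})
    pending = {}  # client -> recipient still waiting for the server's reply
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        client, side, text = m.groups()
        if side == "C":
            rcpt = RCPT.match(text)
            if rcpt:
                pending[client] = rcpt.group(1).lower()
            elif text.upper().startswith("DATA"):
                stats[client]["data"] = True
        elif client in pending:  # server reply to the last RCPT TO
            rcpt = pending.pop(client)
            if text.startswith("2"):
                stats[client]["accepted"].append(rcpt)
            elif text.startswith("5"):
                stats[client]["rejected"] += 1
    return dict(stats)

def harvest_suspects(log_text, min_rejected=3, min_ratio=0.5):
    """Clients with many rejected recipients that never went on to send mail."""
    suspects = {}
    for client, s in summarize(log_text).items():
        total = s["rejected"] + len(s["accepted"])
        if (total and s["rejected"] >= min_rejected
                and s["rejected"] / total >= min_ratio and not s["data"]):
            suspects[client] = s["accepted"]  # addresses the probe confirmed
    return suspects
```

The list returned for each flagged client is the set of addresses that client confirmed as valid, which is what to expect in later spam runs.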
  19. employee? by Mark19960 · · Score: 4, Interesting

    maybe an employee sold them to a spammer.
    I have always wondered about inside jobs of this sort.
    I'm sure it wouldn't be hard these days with the compact USB hard disks you can put on your keys.
    simply plug it in, transfer all the email addresses, zip it up and send it to your favorite spammer, then collect.
    sound easy? yeah... it's scary.

  20. I _KNOW_ Telstra sells customer data, because ... by vandan · · Score: 4, Interesting

    When I got my phone connected here, Telstra mis-spelled my name. My name is incredibly uncommon.

    About a month later, I was looking through the logs on the mail server at work ( as you do ) and saw an error about an unknown user, which just happened to be made up of my first initial, and then my last name ... mis-spelled just as Telstra had ( at my company dot com dot au ).

    I immediately called Telstra and confronted them, and they denied everything. The girl was quite rude about it and implied that I might also have stories about little green men carrying experiments out on me while I was asleep.

    I absolutely INSIST that Telstra sold my details, consisting of ( but not limited to ) :

    - my first and last name
    - my employer

    The above I can deduce from the logs on the mail server at work.