Slashdot Mirror


Who's Trading Your E-mail Addresses?

Bennett Haselton is back with another piece on e-mail privacy. He starts "On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. (I don't actually do that with most companies where I create accounts. But after hearing all the AmeriTrade stories, I created an account with them in April just for the purpose of entering a unique e-mail address and seeing if it would get leaked.)" Bennett continues on if you're willing to click the link.

What's surprising is that as far as I can tell, AmeriTrade has taken almost no heat in the media for letting this happen. Despite the abundant testimonials from bloggers who had their addresses leaked, the story never crossed over into the "mainstream" Internet press. In a recent Bloomberg News story, the FBI warned that E*Trade and AmeriTrade users were vulnerable to spyware installed by criminals in hotels and cybercafes to capture accounts and run pump-and-dump stock spams; no mention of the fact that all AmeriTrade e-mail addresses were apparently already in the hands of spammers anyway (although no one knows if usernames and passwords were leaked to the spammers as well).

This doesn't bode well for anyone who uses any type of online service and wants that service to keep their personal information secure. If AmeriTrade got skewered in the media for leaking customers' personal information to spammers, other companies would see that and learn the lesson. On the other hand, if AmeriTrade gets away with it with barely a whisper in the mainstream news, other companies are going to take note of that, too. Besides, spam and identity theft hurt everyone, not just the victims, because the costs are passed on to all of us in terms of higher ISP charges, higher payment processing fees, and more mail lost due to stringent spam filters.

AmeriTrade disclosed in April 2005 that a tape containing some customer information might have been stolen in February of that year, and many spam victims who blogged about their AmeriTrade addresses being stolen referenced that incident as the likely cause. But after Bill Katz's blog post became a clearinghouse of sorts for complaints about stolen AmeriTrade addresses (probably as a result of being the first match on Google for "ameritrade spam"), several users posted that they had received spam at accounts that were only created with AmeriTrade in summer 2006. And then my e-mail address got leaked between April 14 and May 15, 2007. So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.

AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?

An accidental security breach can happen to any responsible company, especially if they are compromised from the inside. But the trail of blogosphere and UseNet posts indicates that several times AmeriTrade has concealed the full extent of the problem from customers who asked them about it, or has given out information that they already knew was wrong. In one thread in October 2005, a user reported that they wrote to AmeriTrade asking why their AmeriTrade-only e-mail address was getting spammed, and AmeriTrade replied that the spammer might have guessed the address using a dictionary attack, adding:

"We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employees dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access."

But that was long after February 2005, when AmeriTrade said that tapes containing customer data were stolen. (Even if that turned out not to be the cause of the spam after all, by that point AmeriTrade knew that their customers' addresses had been leaked somehow.)

Then when my friend Art Medlar complained to AmeriTrade this year about the same thing happening, he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.

When I sent AmeriTrade my own inquiry, I got a response that was identical to a forwarded message that someone else posted to news.admin.net-abuse.email in April. (To their credit, in this version of the message, AmeriTrade is acknowledging responsibility for the problem instead of attributing it to dictionary attacks or botnets. But the e-mail contains the curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? As one reader replied to the UseNet thread: "Cynical Translation: Please don't retain any independent evidence.") At first I didn't realize this was a boilerplate response, so I sent back some more questions, asking, for example, whether they would notify their California customers of the data security breach as required by that state's laws. The second response I got was a copy of the old boilerplate that they were sending out two years ago, blaming "dictionary attacks".

Now, compared to the 1,000 spams I already get every day (pre-filtering), the AmeriTrade spams were just a drop in the bucket, and many of their customers are probably in the same boat. And unlike most AmeriTrade customers, at least I can stop all AmeriTrade spam just by de-activating those addresses, since they aren't used for anything else. (Right now I'm keeping them open just to see what else comes in.) But AmeriTrade's database also contains much more valuable information such as names, PIN numbers (do you use the same PIN number everywhere that you sign up?), and Social Security Numbers. When I signed up for my account, informed by dire warnings that federal law required accurate information "to help the government fight the funding of terrorism and money laundering activities", I gave AmeriTrade my real SSN, address, and other personal data, figuring that if I gave them false information, I might get in more trouble than the experiment was worth. But now that the attacker has my e-mail, they might have all of my other information as well. In the coming months I'll probably start checking my credit report more often than I used to.

Probably someone inside AmeriTrade is selling customer data to an outside spammer. (It seems less likely that an attacker would keep breaking into AmeriTrade repeatedly to get updated copies of the customer list. Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database? Surely the 2006 list would be enough to run any pump-and-dump stock scam that you want!) Two suggestions to AmeriTrade to tighten their security: First, the number of people within the company who can access the customer database is probably a lot larger than the number who actually need to access the customer database. Limit access to the e-mail database to people who actually need it. Second, in any case where different employees really need to have access to the list, try giving them different versions of it, where each version is "seeded" with spamtrap addresses at Hotmail and Yahoo Mail. If the spamtrap addresses that start receiving spam are all ones that were used to seed one particular employee's copy of the list, then you've found the source of the leak. That won't stop the spam being sent to addresses that have already been stolen, but it could prevent further leaks from happening.
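The seeding scheme suggested above, sketched in Python as an added example (it is not code from the article or from AmeriTrade): each holder's copy of the list gets its own spamtrap addresses, and the traps that later receive spam are mapped back to a copy. The holder names, the trap domains, the HMAC derivation and the `min_hits` threshold are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import random
from typing import NamedTuple

# Constructed placeholder domains. The article suggests mailboxes at public
# webmail providers so that traps look like ordinary customer addresses.
TRAP_DOMAINS = ("webmail-one.example", "webmail-two.example")


def trap_addresses(key: bytes, holder: str, count: int = 5) -> list[str]:
    """Derive the spamtrap addresses that mark one holder's copy of the list.

    Deriving them with HMAC means only `key` has to be kept secret; no table
    of traps is stored. Holders who compare copies can still spot the traps.
    """
    traps = []
    for i in range(count):
        digest = hmac.new(key, f"trap:{holder}:{i}".encode(), hashlib.sha256).digest()
        local = base64.b32encode(digest)[:16].decode().lower()  # 16 alphanumerics
        domain = TRAP_DOMAINS[digest[-1] % len(TRAP_DOMAINS)]
        traps.append(f"{local}@{domain}")
    return traps


def seed_copy(customers: list[str], key: bytes, holder: str, count: int = 5) -> list[str]:
    """Return the holder's copy: real addresses in order, traps mixed in."""
    # Insert positions are keyed too, so traps do not sit at the same
    # offsets in every copy.
    rng = random.Random(hmac.new(key, f"pos:{holder}".encode(), hashlib.sha256).digest())
    seeded = list(customers)
    for trap in trap_addresses(key, holder, count):
        seeded.insert(rng.randrange(len(seeded) + 1), trap)
    return seeded


class Finding(NamedTuple):
    verdict: str     # "none", "single" or "multiple"
    hits: dict       # holder -> number of that holder's traps that got spam
    not_traps: list  # spammed addresses that are not traps (real customers)


def attribute(spammed, key: bytes, holders, count: int = 5, min_hits: int = 2) -> Finding:
    """Map spammed addresses back to the seeded copy they came from."""
    owner = {t: h for h in holders for t in trap_addresses(key, h, count)}
    hits, not_traps = {}, []
    for addr in sorted({a.strip().lower() for a in spammed}):
        holder = owner.get(addr)
        if holder is None:
            not_traps.append(addr)
        else:
            hits[holder] = hits.get(holder, 0) + 1
    # Require several traps from the same copy before drawing a conclusion.
    strong = [h for h, n in hits.items() if n >= min_hits]
    if not strong:
        verdict = "none"      # leak predates seeding, or bypassed the seeded copies
    elif len(strong) == 1:
        verdict = "single"    # the case the article describes: one copy leaked
    else:
        verdict = "multiple"  # several copies leaked, or the seeding point itself did
    return Finding(verdict, hits, not_traps)


if __name__ == "__main__":
    key = b"constructed-demo-key"                       # constructed sample key
    customers = [f"customer{i}@example.org" for i in range(20)]
    holders = ["support-export", "marketing-export", "dba-backup"]  # hypothetical
    copies = {h: seed_copy(customers, key, h) for h in holders}
    # Constructed incident: spam arrives at three traps from one copy.
    spam_seen = trap_addresses(key, "dba-backup")[:3] + ["customer4@example.org"]
    print(attribute(spam_seen, key, holders))
```

A "multiple" or "none" verdict is as informative as "single": it says the leak sits upstream of the per-holder copies, which is where the article's first suggestion (restricting who can reach the database at all) applies.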

The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price. Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.) However, while this would remove the incentive for stock spammers to target AmeriTrade customers, it's also really just covering up a symptom of the problem, rather than addressing the problem itself, which is that a spammer was able to steal the customer information from AmeriTrade's database in the first place.

But whatever they do, AmeriTrade should stop blowing off the people who complain about the spam, with messages about "dictionary attacks" and "botnets". When customers create specialized spamtrap addresses to detect if their e-mails ever get leaked, those are the tech-savvy customers who (a) know what they're doing, and (b) hate spam more than most people, and giving them misleading information is just poking a stick in their eye. Not a smart move when AmeriTrade has been leaking private customer information and is based, as their name indicates, in the most litigious country in the history of the world.

355 comments

  1. Hrm. by grub · · Score: 2, Interesting


    I use TDWaterhouse for trading (I'm in .ca) and have never had a problem.

    From what I can tell the only sites where unique addresses seem to get out are from BitTorrent trackers. Not a complete surprise I guess.

    Protip: if you run your own mail server generate a whack of aliases (ie: bogus000 through bogus999) so you always have a disposable address available.

    --
    Trolling is a art,
    1. Re:Hrm. by rherbert · · Score: 4, Interesting

      If you run your own mail server, set up a subdomain where every address goes to your inbox.... That way, it's fairly obvious when you get spam to ameritrade.com@bills.mydomain.com. I caught EmigrantDirect that way, although I was simply shocked when they never responded to my e-mail about it.

    2. Re:Hrm. by Anonymous Coward · · Score: 0

      Here's another tip: use the services of temporaryinbox.com and temporaryforwarding.com. Free, too. I have no connection with this service, beyond finding it useful.

      This comment is like the captcha, unsigned.

    3. Re:Hrm. by grub · · Score: 3, Interesting

      I just use aliases :) That way if the spam starts to flow I just comment out that alias and that address no longer works.

      --
      Trolling is a art,
    4. Re:Hrm. by CastrTroy · · Score: 3, Insightful

      I used to do that, but found that I got a lot of extra spam from people just sending email to random addresses at my domain. It was too much trouble, so I went back to configuring my addresses individually. That way it's easier to block certain addresses when they get too much spam, and you know who is sending you the spam.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Hrm. by Anonymous Coward · · Score: 0

      What's way better than creating a bunch of email aliases is to just have the catchall forward to your regular email address. Then you can make up as many DESCRIPTIVE email addresses as you like, and if you start getting spam on any of them then just create that account to forward to nowhere (or a spam account if you feel the need to go through them occasionally).

      I use email addresses that tell me what store or website I'm giving it to, like slashdot.org@example.com or BestBuy-Charlotte@example.com. Then not only can you stop it, but you can know who gave out your email address. (Plus it blows people's minds; I always have people ask me if I work for their company.)

    6. Re:Hrm. by rherbert · · Score: 2, Funny

      I just blacklist the address if spam starts to flow... anything coming in to that address gets sent directly to uce@ftc.gov.

    7. Re:Hrm. by omeomi · · Score: 1

      I've used aliases with both Fidelity and E*Trade...I haven't gotten any spam from either of them yet.

    8. Re:Hrm. by spyrochaete · · Score: 3, Insightful

      If you create throwaway addresses, don't forget to disable any catchall address so you don't get bombarded with 50 addresses worth of spam!

    9. Re:Hrm. by grub · · Score: 2, Insightful

      Yeah. I think catchalls are over-rated. I see so much spam that's aimed at random user names that a catchall would be driving me nuts.

      --
      Trolling is a art,
    10. Re:Hrm. by It+doesn't+come+easy · · Score: 4, Interesting

      On the other hand, I also use TDWaterhouse and I also always use a unique email address for every system where I have an account, including for TDWaterhouse. And at the same time TDWaterhouse combined with Ameritrade, I started getting pump & dump stock scams sent to my TDWaterhouse email address (which was the same email address I was using before TDWaterhouse and Ameritrade combined). It seems to me that pretty much confirms that Ameritrade has some kind of ONGOING security problem. And since access to my TDWaterhouse (now TDAmeritrade) account means access to my money, I will be moving my accounts ASAP.

      --
      The NSA: The only part of the US government that actually listens.
    11. Re:Hrm. by Overzeetop · · Score: 1

      You too, huh? They denied it up and down to me.

      Interestingly, I've also gotten garbage spam from the eVA system (electronic vendor system for the state of Virginia). You have to be registered with their extortion house and pay a 1% revenue fee to the bastards if you want to work on any Virginia contract. I always add 5% to my Virginia bids to cover the annoyance.

      --
      Is it just my observation, or are there way too many stupid people in the world?
    12. Re:Hrm. by LoadStar · · Score: 4, Interesting

      I opened a TD Ameritrade account a couple of months ago, and I too started getting slammed with pump-and-dump spam. The problem for me is that I went IN PERSON to a TD Ameritrade branch and opened the account, so it's not like a "man in the middle" attack, unless this hypothetical man in the middle is actually opening up brick-and-mortar branches.

      I was simply using the account to hold the relatively small stock portfolio I have, so I have no problem moving my account elsewhere.

    13. Re:Hrm. by nemesisj · · Score: 0, Troll

      EmigrantDirect certainly sells addresses - this happened to me as well, and continues to happen. They hemmed and hawed about someone calling me back, but never did, and their call center seems to have caught on and is intentionally vague and will never let you speak to someone, they'll just promise callbacks.

    14. Re:Hrm. by Anonymous Coward · · Score: 0

      I create unique e-mail addresses for each place I do business with online.

      The one other place that leaked my e-mail address was PC Club in Southern California. I had given them an e-mail address in-store at one time while making a purchase.

      I routed that address to /dev/null, and would think twice about giving them any personal information ever again.

    15. Re:Hrm. by hedwards · · Score: 1

      I did too, up until Ameritrade bought them out and changed the name. TD Ameritrade is far worse than Waterhouse was even on its worst day. The service really seemed to deteriorate afterwards.

      A shame too, TD Waterhouse was a wonderful broker, if a bit on the expensive side when trading.

    16. Re:Hrm. by Anonymous Coward · · Score: 0

      In Canada they're still TD-Waterhouse (TD is the Toronto Dominion Bank) and have nothing to do with Ameritrade north of the border. Great brokers IMHO.

    17. Re:Hrm. by Anonymous Coward · · Score: 0

      On the other hand, I also use TDWaterhouse and I also always use a unique email address for every system where I have an account, including for TDWaterhouse. And at the same time TDWaterhouse combined with Ameritrade, I started getting pump & dump stock scams sent to my TDWaterhouse email address (which was the same email address I was using before TDWaterhouse and Ameritrade combined). It seems to me that pretty much confirms that Ameritrade has some kind of ONGOING security problem. And since access to my TDWaterhouse (now TDAmeritrade) account means access to my money, I will be moving my accounts ASAP.

      That merger happened in July of 2005. Your definition of "ASAP" is a lot different than mine.
    18. Re:Hrm. by hedwards · · Score: 1

      You cannot imagine how lucky you are. Ameritrade may very well be the reason why I am after a couple of completely spam free years now receiving spam in my gmail account.

      Not to mention their incompetent mistakes that end up costing me money. And the difficulty of ever figuring out for sure if they actually are planning on making requested changes.

      I would switch my account back to waterhouse if I could do so without worrying about having all of my investment transactions occurring offshore.

    19. Re:Hrm. by oyenstikker · · Score: 2, Informative

      I used to use aliases, but they got too cumbersome. Now I use a database table.

      I started out following this tutorial: http://workaround.org/articles/ispmail-sarge/

      --
      The masses are the crack whores of religion.
    20. Re:Hrm. by antdude · · Score: 1

      Is there a service that will let you customize many e-mail addresses with one domain?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    21. Re:Hrm. by diagonti · · Score: 1

      I had the same thing happen with speakeasy. I run my own domain and created a unique email address for them. When I started getting spam to it (within 3 days of setting it up), I contacted their customer support. Their customer support said that spammers were randomly sending to different names at my domain and it was clearly just the only one that lined up. My mail server logs indicated otherwise -- but speakeasy wasn't interested in hearing it. They just closed the ticket again and ignored the logs proving that no name fishing was going on.

      I was unimpressed and cancelled the line I was trying to get with them.

    22. Re:Hrm. by greed · · Score: 3, Informative

      I had the same problem as the parent with the same config the grandparent was using. Two things helped immensely.

      First, a few rules in my Postfix helo_access file:

          /\.mydomain\.mytld$/ 550 You are not me.
          /^mydomain\.mytld$/ 550 You are not me.
          /^[\d.]+$/ 550 See RFC 2821.
          /^\[my.dot.ted.quad\]$/ 550 You are not me.
          /^\[10\.[\d.]+\]$/ 550 Your network is unreachable.
          /^\[192\.168\.[\d.]+\]$/ 550 Your network is unreachable.

      (Yes, that doesn't trap all ways of writing IP address, and leaves out 172.16/12. It's the first 3 rules that do most of the work, as it turned out.)

      Second, turning on some more RFC strictness in Postfix SMTP chat:

          smtpd_recipient_restrictions =
              reject_unknown_recipient_domain,
              permit_mynetworks,
              permit_sasl_authenticated,
              reject_unknown_sender_domain,
              reject_non_fqdn_recipient,
              reject_unauth_destination,
              reject_non_fqdn_sender,
              reject_non_fqdn_hostname,
              reject_invalid_hostname,
              check_helo_access pcre:/etc/postfix/helo_access

      And I'm thinking of moving permit_mynetworks to just above check_helo_access now that I've got SASL working nicely on all the other stations.

      But it's all moot now, because pobox.com can now do MX for customer domains with wildcard addresses AND you get all of their peer-IP-address- and header-based anti-spam checks. I've been using them for _years_, so was quite happy to use that new service.

      Well, I left it all there, so that no-one going directly to the A record for the domain can invent things, either.

    23. Re:Hrm. by Mean+Variance · · Score: 1

      Is there a service that will let you customize many e-mail addresses with one domain?

      Yahoo has something called AddressGuard if you use their premium service (about $20/year). It provides a prefix from your base account and then you create any number of suffixes to have a number of virtual email addresses.

      If you use GMail, send yourself an invitation and create a unique email. In that email's configuration, forward it to your base GMail account. Tag each email address and you can tell in your base GMail account when emails are coming from your other emails.

      As the comments will show, there are many ways to tackle the problem; these are two of mine.

    24. Re:Hrm. by bill_mcgonigle · · Score: 3, Insightful

      I used to do that, but found that I got a lot of extra spam from people just sending email to random addresses at my domain.

      Did you use a subdomain like the GP suggested? I've had plenty of dictionary attacks of the form foo@example.com, but there's no way, other than a harvester, to know about foo@bar.example.com.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    25. Re:Hrm. by Bellum+Aeternus · · Score: 1

      The email service I use, name of the software escapes me at the moment, allows a box to be specified in the email address. For example [username]-[box]@[domain] sends the email to the correct user, and places it in the specified box.

      So whenever I sign up someplace I can just give them username-ameritrade@domain.com and I know what spam comes from where. It's really handy. I guess the limitation is that you cannot have a hyphen in your username. C'est la vie.

      --
      - I voted for Nintendo and against Bush
    26. Re:Hrm. by pdboddy · · Score: 1

      You know, I used my gmail account for my TDCanadaTrust account, and lately I have noticed a huge amount of pump and dump stock spams. I wonder if I switched my email for a unique gmail account, if I'd start getting those spams there. I'd certainly be pissed if that was the case... Though one would hope that the various sister companies of TDCanadaTrust would have separate email/information servers...

      --
      Julie Moult is an idiot.
    27. Re:Hrm. by NatasRevol · · Score: 4, Interesting

      Why does everyone assume it's a security problem?

      Why can't it be a revenue stream problem? ie they're selling the addresses?

      --
      There are two types of people in the world: Those who crave closure
    28. Re:Hrm. by kasperd · · Score: 1

      people just sending email to random addresses at my domain.

      There are ways to deal with that. It seems you will often see the same few addresses tried over again and again. On my own domain I am filtering info@, sales@, and webmaster@ and allowing just about everything else. For a long time I haven't seen any of those random names. In case it should happen I'll switch to a whitelist of generated addresses rather than allowing everything by default. I have a script ready, which will generate a unique address for me. Actually I have two different versions one that expires after a certain number of days, and one which does not expire.

          [kasperd@hactar:pts/18:~] expires 2
          4708434@expires.01.jun.2007.kasperd.net
          [kasperd@hactar:pts/18:~]

      It is as simple as this for me to get a new address, which expires in two days.
      --

      Do you care about the security of your wireless mouse?
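An added example (not kasperd's script, whose internals the comment does not show) of a generator and recipient check for addresses in the `token@expires.DD.mon.YYYY.domain` shape shown above. It assumes an HMAC tag in the local part instead of a stored whitelist, so that rewriting the plaintext expiry date in the address invalidates it; the key, the 6+12 hex token layout and the domain `mail.example` are constructed for the illustration.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

# Fixed month names so the address format does not depend on the locale.
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")

# local part = 6 hex chars of nonce + 12 hex chars of HMAC tag (assumed layout)
ADDR_RE = re.compile(
    r"^([0-9a-f]{6})([0-9a-f]{12})@expires\.(\d{2})\.([a-z]{3})\.(\d{4})\.(.+)$")


def _tag(key: bytes, nonce: str, expiry: date, domain: str) -> str:
    """Bind nonce, expiry date and domain together under the server's key."""
    msg = f"{nonce}|{expiry.isoformat()}|{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def new_address(key: bytes, days: int, domain: str, today=None, nonce=None) -> str:
    """Create an address that stops being accepted `days` days from today."""
    today = today or date.today()
    nonce = nonce or secrets.token_hex(3)
    domain = domain.lower()
    expiry = today + timedelta(days=days)
    local = nonce + _tag(key, nonce, expiry, domain)
    return (f"{local}@expires.{expiry.day:02d}."
            f"{MONTHS[expiry.month - 1]}.{expiry.year}.{domain}")


def check_recipient(key: bytes, address: str, today=None) -> str:
    """Return "accept", "expired" or "reject" for an incoming RCPT address."""
    today = today or date.today()
    m = ADDR_RE.match(address.strip().lower())
    if not m:
        return "reject"                      # not one of our generated addresses
    nonce, tag, dd, mon, yyyy, domain = m.groups()
    if mon not in MONTHS:
        return "reject"
    try:
        expiry = date(int(yyyy), MONTHS.index(mon) + 1, int(dd))
    except ValueError:
        return "reject"                      # e.g. 31.feb or year 0000
    # The date is visible in the address, so a sender could simply rewrite
    # it; the tag only verifies for the date the address was issued with.
    if not hmac.compare_digest(tag, _tag(key, nonce, expiry, domain)):
        return "reject"
    return "accept" if today <= expiry else "expired"


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed sample key
    addr = new_address(key, 2, "mail.example", today=date(2007, 5, 30))
    print(addr)
    print(check_recipient(key, addr, today=date(2007, 6, 1)))   # accept
    print(check_recipient(key, addr, today=date(2007, 6, 2)))   # expired
    forged = addr.replace(".2007.", ".2099.")
    print(check_recipient(key, forged, today=date(2007, 6, 2)))  # reject
```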
    29. Re:Hrm. by CastrTroy · · Score: 1

      I missed out on that. I'll definitely have to start trying it. However, once one of your addresses (ex. foo@bar.example.com) gets on a spam list, what's to stop them from sending mail to foo2@bar.example.com, jsmith@bar.example.com and other randomly generated addresses?

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    30. Re:Hrm. by melandy · · Score: 1

      >> Is there a service that will let you customize many e-mail addresses with one domain?

      You could register your own domain name (pretty cheap nowadays). Sounds like you may have already done so.

      Set up a catch-all that forwards to a real address. Don't want to manage your own server? Use google apps for your domain. You don't need premium features, so it's "free".

      Then when you give out email addresses, use addresses like these:

      ebay@example.com
      ameritrade@example.com

      -m

      Ugh. just realized how much I hate the word "nowadays".

    31. Re:Hrm. by Captain+Splendid · · Score: 1

      I missed out on that. I'll definitely have to start trying it. However, once one of your addresses (ex. foo@bar.example.com) gets on a spam list, what's to stop them from sending mail to foo2@bar.example.com, jsmith@bar.example.com and other randomly generated addresses?

      Probably nothing, but the subdomain created was theoretically expendable, so instead of bills.domain.com, just use accounts.domain.com or something instead. (Unless I'm also missing something.)

      --
      Linux, you magnificent bastard, I read the fucking manual!
    32. Re:Hrm. by antdude · · Score: 1

      Actually, I don't have a domain, a server, or a host. :) I was hoping there was a service that did this already with unlimited number of e-mail addresses.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    33. Re:Hrm. by bill_mcgonigle · · Score: 1

      However, once one of your addresses (ex. foo@bar.example.com) gets on a spam list, what's to stop them from sending mail to foo2@bar.example.com, jsmith@bar.example.com and other randomly generated addresses?

      Right, nothing, and if it's all or nothing My guess is they use WHOIS data to generate their dictionary attacks, but they could just mine their existing lists.

      Another thing to try would be company specific wildcard subdomains:

          foo@slashdot.org.bfccomputing.com

      for instance. The only advantage there is you could reject at the DNS level, before an SMTP connection is even made.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    34. Re:Hrm. by Fulcrum+of+Evil · · Score: 1

      I've had plenty of dictionary attacks of the form foo@example.com, but there's no way, other than a harvester, to know about foo@bar.example.com.

      The problem is that you have to set up MX records for every subdomain, and then you can read the MX records. Better to use suffixes.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    35. Re:Hrm. by bill_mcgonigle · · Score: 1

      The problem is that you have to set up MX records for every subdomain and then you can read the MX records.

      How would one list the MX records?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    36. Re:Hrm. by Fulcrum+of+Evil · · Score: 1

      In DNS, how else?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    37. Re:Hrm. by bill_mcgonigle · · Score: 1

      How do you get a list of unknown subdomains' MX records via DNS?

      Back in the day you could 'ls' a zone but that's been off forever.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    38. Re:Hrm. by Anonymous Coward · · Score: 0

      TD Waterhouse and Ameritrade merged recently. I started getting from 1 to 3 stock spams per day to the email account that they have on file. I hardly think it's a coincidence. (Note that these are the spams that are actually getting to me -- I know my email host is doing spam filtering, so I don't really know what the actual change in rate of spam sent to that account is, just that I've started actually seeing it.)

    39. Re:Hrm. by melandy · · Score: 1

      If you want unlimited email addresses so that individual humans can use them, then the Google route won't work for you (unless you pay). I think the free version is just up to 25 accounts. There are plenty of hosting places that you can get "unlimited" email accounts if you buy a cheap hosting package (usually web & email hosting are bundled). In reality, you are limited by the amount of disk space and monthly bandwidth you are allocated.

      Another option is to run your own server. You can do it relatively cheaply... hardware requirements are pretty low. You will have to pour copious amounts of time into the initial setup and maintenance, tho. I set up a postfix server mostly just to see if I could do it. Then I switched to Google for hosting.

      If what you really want is unlimited aliases that all go to one real account, then the catch-all trick will work, and is very inexpensive. All it requires is a domain name (less than 10 USD per year) and free services from Google.

    40. Re:Hrm. by Anonymous Coward · · Score: 0

      TD Insurance sells your emails; I've caught them directly and proved it to them. They've always denied it and have done nothing about it.

    41. Re:Hrm. by DarkAxi0m · · Score: 2, Informative

      With Gmail, if your address is foo@gmail.com, you can send mail to foo+bar@gmail.com (it might be bar+foo@gmail.com, I can't really remember) and it will get to your account.

      You can then set up a filter for it. I find it a good way to filter mailing lists.

      It can become a problem where some sites won't allow + in the email address.

    42. Re:Hrm. by It+doesn't+come+easy · · Score: 2, Interesting

      The thing is I originally accepted TD Waterhouse's explanation that the email was probably intercepted via some wayspot server forwarding the email as it traveled to my email account. However, the discussion concerning Ameritrade's issues let me reach a much more plausible explanation, that being that the difference was that I started receiving the spam once TD Waterhouse hooked up with Ameritrade. Since Ameritrade account owners are still complaining of the same issues (and I was unaware of the Ameritrade problems before now), I must assume the problem is still around, hence it's time to move the money.

      --
      The NSA: The only part of the US government that actually listens.
    43. Re:Hrm. by hysterion · · Score: 1

      Not sure but would something like

          dig axfr @yournameserver.com yourdomain.com
          dig axfr @ns2.gkg.net gkg.net
          dig axfr @ns2.bfccomputing.com bfcomputing.com

      expose the subdomains, unless blocked by an allow-transfer directive in named.conf? ("From a snoop's perspective, the difference between AXFR and normal queries is that normal queries force the snoop to guess the relevant domain names, while AXFR reveals the domain names for free.")
    44. Re:Hrm. by The+MAZZTer · · Score: 1

      I turned the catchall on for my domain. I quickly realized my mistake after a few days of getting e-mails addressed to "idosuf@mzzt.net" etc and turned it off.

    45. Re:Hrm. by maxume · · Score: 1

      Between TDAmeritrade trying to make $0.50 by screwing over their customers and there being a jerk somewhere in the chain of servers between TDAmeritrade and the people that are complaining, I know what I think is more likely.

      --
      Nerd rage is the funniest rage.
    46. Re:Hrm. by mgv · · Score: 1

      If you want unlimited email addresses so that individual humans can use them, then the Google route won't work for you (unless you pay). I think the free version is just up to 25 accounts. There are plenty of hosting places that you can get "unlimited" email accounts if you buy a cheap hosting package (usually web & email hosting are bundled). In reality, you are limited by the amount of disk space and monthly bandwidth you are allocated.


      You can get up to 100 accounts in my experience.

      But you don't need them - as you can create as many redirections as you want, feeding into one gmail account. The only problem with gmail redirections (aliases) as far as I can see is that they don't allow underscores. However, your real gmail account can redirect all its mail to any email address. Go figure - makes no sense to me why gmail treats an underscore as legal for a redirect all mail filter but won't let you put one into a mail list or alias.

      Although I think gmail is sufficiently good to be the main account, so forwarding everything on makes little sense - it's too easy compared to running your own mail server and dealing with all that spam. Plus, if you are using a domain for email that is highly spammed, you may well want the full 2GB of storage on that account while you keep your personal one uncluttered...

      Michael
      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    47. Re:Hrm. by SRA8 · · Score: 1

      When you opened your account, did you associate the account with an email address? Where do your trade confirmations go? Perhaps the email address you associated with the account later can be queried by Ameritrade employees?

    48. Re:Hrm. by MicklePickle · · Score: 1

      That's what I do and it works well. Since I have my own domain I just set up a new alias with random letters in it and use that email address to register. If I get SPAM, or I no longer want that to have anything to do with that registry, I just dump the alias.
      Much easier than having to de-register for something. In fact you should try to find THAT option - you won't be able to.

      --
      -- main(s){printf(s="main(s){printf(s=%c%s%c,34,s,34) ;}",34,s,34);} $p='$p=%c%s%
    49. Re:Hrm. by space_in_your_face · · Score: 1

      If your address is foo@gmail.com, you can also use the address foo+bar@gmail.com (you can put whatever you want after the "+"). If the website doesn't allow the + sign, you can put some "." in your address (messages sent to f.o.o@gmail.com will also get into your inbox).
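
The per-service alias approach from the comments above, as an added example that is not part of any original post: each alias carries a keyed tag, so a catch-all can reject guessed local parts like the ones comment 44 saw, and mail from an unexpected sender points at the service that leaked. The domain, secret, "."-separated alias format and expected-sender table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Assumptions for this sketch (not from the thread): domain, secret, tag length.
DOMAIN = "example.org"
SECRET = b"constructed-demo-secret"   # keep the real one private
TAG_LEN = 8                           # 8 base32 chars = 40 bits of tag

_ALIAS_RE = re.compile(r"^([a-z0-9]+)\.([a-z2-7]{%d})$" % TAG_LEN)


def tag_for(service):
    """Keyed tag for a service name; cannot be guessed without SECRET."""
    digest = hmac.new(SECRET, service.lower().encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii")[:TAG_LEN].lower()


def make_alias(service):
    """Build the address to hand to one service, e.g. ameritrade.<tag>@example.org.

    A "." separator is used instead of "+" because some sign-up forms reject "+".
    """
    service = service.lower()
    if not re.fullmatch(r"[a-z0-9]+", service):
        raise ValueError("service name must be alphanumeric")
    return "%s.%s@%s" % (service, tag_for(service), DOMAIN)


def classify_recipient(rcpt, revoked=frozenset()):
    """Decide what a catch-all should do with a recipient address.

    Returns ("accept", service), ("revoked", service) or ("reject", None).
    Anything that is not a validly tagged alias is rejected, which stops
    dictionary-style guesses at the domain.
    """
    local, _, domain = rcpt.lower().rpartition("@")
    if domain != DOMAIN:
        return ("reject", None)
    match = _ALIAS_RE.match(local)
    if not match:
        return ("reject", None)
    service, tag = match.groups()
    if not hmac.compare_digest(tag, tag_for(service)):
        return ("reject", None)
    if service in revoked:
        return ("revoked", service)   # alias was dumped after a leak
    return ("accept", service)


def find_leaks(messages, expected_senders):
    """Map service -> sender domains that should never have known the alias."""
    leaks = {}
    for rcpt, sender in messages:
        verdict, service = classify_recipient(rcpt)
        if verdict != "accept":
            continue
        sender_domain = sender.lower().rpartition("@")[2]
        if sender_domain not in expected_senders.get(service, set()):
            seen = leaks.setdefault(service, [])
            if sender_domain not in seen:
                seen.append(sender_domain)
    return leaks


# Constructed sample data: (envelope recipient, envelope sender).
EXPECTED_SENDERS = {
    "ameritrade": {"ameritrade.example"},
    "bookshop": {"bookshop.example"},
}
SAMPLE_MAIL = [
    (make_alias("ameritrade"), "alerts@ameritrade.example"),
    (make_alias("ameritrade"), "promo@pennystock-tips.invalid"),
    ("idosuf@example.org", "x@spam.invalid"),
    (make_alias("bookshop"), "orders@bookshop.example"),
]

if __name__ == "__main__":
    for rcpt, sender in SAMPLE_MAIL:
        print(rcpt, "<-", sender, classify_recipient(rcpt))
    print("leaked aliases:", find_leaks(SAMPLE_MAIL, EXPECTED_SENDERS))
```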

    50. Re:Hrm. by sumdumass · · Score: 1

      There is a technique called greylisting where you just drop the initial connection. Most all legitimate email servers will reconnect and attempt to deliver the email while most all spam servers will just move on thinking the domain is unreachable.

      You would be amazed at how much mail gets dumped that way. I'm not sure exactly how to do it on servers other than an "Office logic" interchange server. But it shouldn't be too hard. The Office logic server just has a box you checkmark in the config section.
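
Greylisting as described in the comment above, sketched as an added example that is not part of the original post. It assumes the common form of the technique, where the first attempt from an unknown (client network, sender, recipient) triplet gets a temporary SMTP 451 reply rather than a dropped connection; the delays, the /24 grouping and the sample events are constructed for illustration.

```python
import ipaddress

ACCEPT = 250     # SMTP "OK"
TEMPFAIL = 451   # SMTP temporary failure: "try again later"


def client_network(ip):
    """Group senders by /24 (IPv4) or /64 (IPv6).

    Large senders often retry from a neighbouring address in the same pool,
    so matching on the exact IP would keep deferring legitimate mail.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=36 * 86400):
        self.min_delay = min_delay        # earliest acceptable retry (seconds)
        self.retry_window = retry_window  # latest retry that still counts
        self.pass_ttl = pass_ttl          # how long a proven triplet stays trusted
        self.pending = {}                 # triplet -> time first seen
        self.passed = {}                  # triplet -> time last seen

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for one delivery attempt at time `now`."""
        key = (client_network(client_ip), mail_from.lower(), rcpt_to.lower())

        # Triplet already proved it retries: accept and refresh its lifetime.
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now
            return ACCEPT
        self.passed.pop(key, None)

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # Unknown triplet, or it waited too long: start the clock (again).
            self.pending[key] = now
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            # Retried too quickly; keep the original first_seen so hammering
            # the server does not push the acceptance time further out.
            return TEMPFAIL

        # Retried inside the window: a real mail queue is behind this sender.
        del self.pending[key]
        self.passed[key] = now
        return ACCEPT


def replay(events):
    """Run (time, client_ip, mail_from, rcpt_to) events through a fresh greylist."""
    greylist = Greylist()
    return [greylist.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in events]


# Constructed sample: a mailing list server that retries, and a one-shot spammer.
SAMPLE_EVENTS = [
    (0,     "192.0.2.10",  "news@list.example", "me@example.org"),  # first try
    (5,     "203.0.113.7", "win@spam.invalid",  "me@example.org"),  # never retries
    (60,    "192.0.2.10",  "news@list.example", "me@example.org"),  # too early
    (900,   "192.0.2.11",  "news@list.example", "me@example.org"),  # same /24
    (90000, "192.0.2.10",  "news@list.example", "me@example.org"),  # next day
]

if __name__ == "__main__":
    for event, code in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", code)
```

The spammer's single attempt never gets past 451, while the retrying server is delayed once and then accepted without delay for as long as it keeps sending.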

  2. Phew! by CrazyTalk · · Score: 5, Funny

    I'm as guilty as the next person for not always RTFA, but this is the first time I couldn't even make it through the posting

    1. Re:Phew! by 99BottlesOfBeerInMyF · · Score: 1, Insightful

      I'm as guilty as the next person for not always RTFA, but this is the first time I couldn't even make it through the posting

      Years of television with shorter and shorter times between cut scenes has destroyed your attention span. Why don't you go watch some TV now? Maybe there will be a 30 second blurb on the subject ala "Ameritrade implicated in SPAM delivery... incompetent or criminal... you decide!!!"

    2. Re:Phew! by Paradoks · · Score: 1
      I only read through the posting because I actually complained to Ameritrade about the same thing. I blogged about it back about a year ago. Frankly, I thought Ameritrade's response was decent:

      Please know that even though you provided your e-mail address only to Ameritrade, it does still sit on a server that other people can see and may gain access to. If you receive an e-mail from one of the following addresses, it is ours:

      ...

      In the case you are speaking of, we have not yet been able to rid ourselves of the spam. The issue is still being worked on.

      To view Ameritrade's privacy policy, please click the link below:

      http://www.ameritrade.com/privacy.html

      Terrence B.
      Client Services, TD AMERITRADE
      Division of TD AMERITRADE, Inc.
      It's still annoying, and TDAmeritrade certainly deserves some amount of heat over this, but I'm guessing that they have slightly tighter standards over their use of social security numbers than they do with the e-mail.

      At least I hope they do.
    3. Re:Phew! by Anonymous Coward · · Score: 0

      Post your email, I'll send you a summary.

    4. Re:Phew! by Anonymous Coward · · Score: 0

      I agree. People like to hear themselves talk, and apparently they also like to watch the words pop up on the screen as they type.

    5. Re:Phew! by snoyberg · · Score: 2, Funny

      Years of television with shorter and shorter times between cut scenes has destroyed your attention span. Why don't you go watch some TV now? Maybe there will be a 30 second blurb on the subject ala "Ameritrade implicated in SPAM delivery... incompetent or criminal... you decide!!!"

      Can't change the channel, gotta get my daily dose of science (ie, CSI)

      --
      Thank God for evolution.
    6. Re:Phew! by mythar · · Score: 1

      well, here's the article again, so go ahead and read it. be sure to read through everything, because the last 824 pages are the best bits.

    7. Re:Phew! by Anonymous Coward · · Score: 0

      Ahh...the lament of the high /. UIN...they never suffered through the Jon Katz era.

      P.S. Posting anon to avoid getting into some low UIN pissing contest...suffice it to say I've been a /. reader since 1999.

    8. Re:Phew! by Kadin2048 · · Score: 3, Insightful

      This doesn't make a damn bit of sense. Why would a customer's email address be sitting out on a server that "other people can see and may gain access to"?

      There's a word for that, it's 'incompetence.'

      If they're that stupid about handling email addresses, what makes you think that the rest of your personal information is being protected any better? There's absolutely no reason why this should be happening. Something is very, very wrong at Ameritrade, and as evidenced by the fact that they haven't done anything, my suspicion is that they either can't, or don't know how to. That's not a good thing.

      It's inexcusable.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    9. Re:Phew! by David_W · · Score: 2, Funny

      Post your email, I'll send you a summary.

      postmaster@ameritrade.com

    10. Re:Phew! by Paradise+Pete · · Score: 1
      Years of television with shorter and shorter times between cut scenes has destroyed your attention span. Why don't you go watch some TV now?

      Or maybe the submitter could have cut down on the rambling and windy post.

    11. Re:Phew! by QuesarVII · · Score: 1

      Or maybe the submitter could have cut down on the rambling and windy post.

      Or maybe an editor could have actually done his job and edited it!

  3. Solution? by daeg · · Score: 4, Insightful

    Drop AmeriTrade. I did and couldn't be happier. I couldn't trust my stock (and thus, some of my savings and part of my future financial well-being) to a company that can't even keep an e-mail address secure.

    1. Re:Solution? by dbzero · · Score: 1

      Exactly. I would never trust a brokerage with my money if they won't secure my email address. Moreover, pump and dump spam?!! WTF!

    2. Re:Solution? by Anonymous Coward · · Score: 3, Interesting

      I caught Ameritrade the same way, approximately 6 months ago. I used the domain name ameritrade@(mydomain).com and the address became a spam magnet approx. 1 month after I canceled my account with Ameritrade. Given the timing, my feeling was that they sold my email address after quitting the service.

      Regardless of the cause for my email address being leaked by Ameritrade, I have steered several people away from their service with my story. My hope is that others avoid their service as well, especially since I found the trading interface to be poorly designed.

      I am primarily using Scottrade, but am also evaluating the following trading service:
      https://www.zecco.com/trading/signin.aspx
      As of yet Zecco seems ideal for small investors: 10 free trades a day, 40 free trades a month. Transaction fees only apply after the free trades are used.

    3. Re:Solution? by bcrowell · · Score: 2

      I've had exactly the same problem with Ameritrade. I signed up for a new account last fall, and have been getting pump and dump spams ever since. Ameritrade has had this problem for years, as I quickly verified with a google search; it's been discussed on several of the major anti-spam boards. No, it is not a dictionary attack; my address has 13 characters before the @ sign, consisting of a mixture of letters and digits, and has no dictionary words in it; the domain is not a common one either. Yes, it is definitely a leak from ameritrade; this is a special-purpose account that I created solely for the purpose of receiving mail from ameritrade.

      I would love to switch from ameritrade to somebody else, both because of their obvious cluelessness about security and because certain functionality on their site is not usable on Linux. (They only support IE on Windows, and Firefox on Windows or MacOS X. You cannot, for instance, withdraw money using their web interface on Linux, using firefox, because the Submit button will always stay inactivated. Works fine on firefox on my wife's MacOS X box.)

      So here are the things stopping me from switching:

      1. I don't know which companies are better in terms of security.
      2. I don't know which companies support Linux.
      3. I've had the misfortune of making a 5% profit on my investments since last fall. AFAIK, that means that if I sell all the stocks I own on ameritrade, I have to pay capital gains tax, which will amount to a ton of money. (It will be an especially large amount of money if I sell before fall 2008, because on investments you've owned for less than 12 months, you pay at your full income tax rate.) Is this correct, or is there some way to transfer a stock investment to another company without incurring capital gains?

      If anyone can recommend a company that is better than ameritrade in terms of security and linux support, I would happily set up an account with them, and start gradually switching over to them in such a way as to avoid paying a massive tax penalty. I would also love to hear some advice from anyone about how to manage such a transition so that it's not too much work, and doesn't result in taxes. At the present moment, all I can imagine doing is selectively selling the stocks that have lost money, and then buying them on the new account.

      And how would this all work for somebody who's got something like an IRA on ameritrade. Are they basically screwed?

    4. Re:Solution? by daeg · · Score: 1

      Depending on your investments, you should be able to do a transfer. I personally use Scottrade now, as they have a very nice local office to me. They've helped me on numerous occasions for free, and I certainly don't have a lot of money invested compared to bigger players.

      In general, actual stocks and bonds can be transferred, since you actually own them directly. Mutual funds or other investment fund types are harder or impossible to move without selling and repurchasing (and thus incurring the wrath of the capital gains tax).

      It can't hurt to call around. There are so many online trading companies now most are willing to at least let you ask questions before getting an account. They want your business badly.

    5. Re:Solution? by daeg · · Score: 1

      One more thing: your existing broker may have some not-so-lovely hidden penalties and fees for transferring or closing your account.

    6. Re:Solution? by Anonymous Coward · · Score: 0

      The Scottrade trading platform is Java based and thus should work well in Linux. In contrast, the set of Ameritrade trading programs were Windows based and all seemed to contain 'features' that required subscription or additional payment to use. The Ameritrade design strategy left a sour taste with me as I felt I was constantly viewing ads to subscribe to more of their 'features'. After trying both and a few others, I prefer Scottrade due to its simplicity, clarity, and cross-platform design. Can anybody else recommend a better platform for a casual investor?

    7. Re:Solution? by Danny+Rathjens · · Score: 1

      You mean you got spammed at a common name @yourdomain some time (1 month plus however long you had the account) after you started accepting mail at that address? Try setting up a wildcard alias to catch *@yourdomain and watch how many company names @yourdomain.com you start getting spam at. :) (or more simply look at invalid user smtp errors in your logs)

      Your explanation is likely correct, just pointing out a possible alternate explanation.

      p.s. I don't think small investors are people making 10+ trades a day. heh :)

    8. Re:Solution? by Danny+Rathjens · · Score: 1

      What are all these extra features you need if you are a casual investor? I've been using ameritrade on linux for years with no problems. (I had a datek account, and datek were bought by ameritrade.) I've never noticed any ads either, but I guess that could have been because of my ad filters. I never noticed any blank ad spaces, though.

    9. Re:Solution? by bcrowell · · Score: 1

      What are all these extra features you need if you are a casual investor?
      Like I said in the original post: the ability to withdraw money.

    10. Re:Solution? by Danny+Rathjens · · Score: 1

      Egocentric much? ;) I wasn't asking you. I was asking the anon I replied to that said he had to pay for extra features - which in my experience I've never needed - and yet called himself a "casual investor."

  4. Abusable fix? by Ruprecht+the+Monkeyb · · Score: 3, Insightful

    Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.)


    Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.
    1. Re:Abusable fix? by UbuntuDupe · · Score: 3, Informative

      Based on the comments on other threads on this topic, the flaw with such a plan is in "short it". To short-sell a stock, you must borrow it. To borrow it, someone must be willing and able to lend it. To be able to lend stock, you have to be a large institution, which are generally prohibited from buying (and thus holding) thinly-traded penny stocks. And it's exactly the penny stocks that are targeted by pump-and-dump schemes.

    2. Re:Abusable fix? by TheCarp · · Score: 0

      Heh, and don't you think the SEC will start looking for who is shorting the stock and investigate?

      Overall though, this could work. Frankly, this seems to me to be the end result of turning finances into a game. Someone will look for a loophole or other problem with the way the game works, and exploit it. So you make new rules to try to fix it, and they find new ways to game the game.

      Reminds me of Magic. New edition/expansion comes out. Someone builds a deck that can hit you consistently for 300 points on the third turn. Cards end up restricted, or banned. New edition comes out... someone builds a new deck that can hit you consistently for 300 points on the third turn... Cards get restricted or banned...

      Honestly, I really think the stock market, in general, is a corrupting influence. It encourages the use of money for no other reason than to make more money with no social responsibility or ethics... and they wonder why it attracts the attention of every crook and shady dealer with a few bucks to toss into a scam.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Abusable fix? by jmv · · Score: 1

      Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

      You're forgetting a detail here. Pump&dump works because an idiot sees the spam and buys. The reverse wouldn't work because the said idiot cannot sell stocks he doesn't have. It's not like someone will see "oh, transactions are discouraged -- let's sell short".

    4. Re:Abusable fix? by FasterthanaWatch · · Score: 2, Informative

      Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

      I'm pretty sure you can't short those stocks.
    5. Re:Abusable fix? by RingDev · · Score: 1

      I think what the parent was trying to say is that IF there were a system in place that trading companies had to warn you that a stock had been the target of a fraudulent advertising campaign prior to selling you the stock, it would cause a lower trading rate for that stock, which could drop the price if people were trying to unload the stock while purchasers were being warned about buying the stock.

      The purpose I would imagine would be to attempt to limit a competitor's financial flexibility. Even if it doesn't tank their stock, it could reduce growth possibilities.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    6. Re:Abusable fix? by moderatorrater · · Score: 1

      You could also abuse it with options and just to harm a competitor. In my opinion it's absolutely wrong to let the spammer and other people with bad intentions have power over a stock's price. If people fall for these pump and dump scams a lot, contact them and let them know that doing so is really dumb. If they continue, have something in place where those people specifically cannot buy/sell a stock that's being targeted by a pump and dump.

    7. Re:Abusable fix? by mcrbids · · Score: 2, Informative

      Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

      Thoughts like this are the kind of thoughts that convince Libertarians that the marketplace will ALWAYS correct itself. Notice that a protection against one type of unscrupulous behavior becomes an enabler for another type of behavior - which is then protected against.

      The net effect of this continuous spy-vs-spy type war is a balanced marketplace that does an amazingly good job of equating equity and earnings. What few Libertarians really grasp, however, is the role of infrastructure on the enablement of the marketplace.

      Every American is born with almost half a million dollars in pre-existing infrastructure that is directly available to him/her. This includes roads, schools, etc. This infrastructure is what's used to generate the earnings - society usually gets about 8% return on investment for its infrastructure, based on the national average income.

      But who wants to WORK for a living? Despite having the highest standard of living in human history, people would rather cheat and game the system to avoid even the pitiful 40-hour work week. And so the spy-vs-spy game continues, people try to get money for nothing, and the inherent laziness of mankind, which is our never-ending drive to resource efficiency, continues.

      Was I saying something? /QUIT

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    8. Re:Abusable fix? by Anonymous Coward · · Score: 0

      > Honestly, I really think the stock market, in general, is a corrupting influence.

      Money is a corrupting influence. Water and oxygen are also two incredibly corrosive things, but I'm told they do have their uses.

    9. Re:Abusable fix? by aldousd666 · · Score: 1

      rock and roll man, I couldn't agree more.

      --
      Speak for yourself.
    10. Re:Abusable fix? by Deliveranc3 · · Score: 1

      My understanding is you can't short crappy stocks, someone needs to accept that you're shorting and with such crap no one will accept it.

    11. Re:Abusable fix? by Gospodin · · Score: 2, Insightful

      Every American is born with almost half a million dollars in pre-existing infrastructure...

      Source, please? By my calculations that means there is $150 trillion in infrastructure in the US that is publicly available - meaning that you can't count private buildings or land. Since annual tax revenues are under $3 trillion, and not all of this goes to infrastructure, I'm going to go ahead and significantly doubt the accuracy of your figure.

      Maybe you're playing with the word "born". Since about 10 million Americans are born per year, that would cut the total value of infrastructure to $5 trillion, which is believable. But then your figure is bogus, because that infrastructure is used over a person's entire lifetime. So the value should be divided by the total population, not by the annual rate of increase.

      --
      ...following the principles of Heisenburger's Uncertain Cat...
    12. Re:Abusable fix? by jfengel · · Score: 1

      I'm as curious as you about the grandparent's source, but don't forget to count state infrastructure as well as national infrastructure. Schools and roads are built with state revenue, and that's paid for via income taxes, property taxes, etc. I don't know how much that comes to; I doubt it's as much as $500k per person.

      Also, don't forget about the fact that stuff accumulates. If they're spending $1 trillion a year on infrastructure, and we've accumulated the infrastructure over the last 150 years, it works out. Government spent less money in the past, so they weren't spending $1 trillion a year 150 years ago (even accounting for inflation, which we'd have to), but it suggests that we're not completely off the mark.

      We can run the calculation in reverse: how much does a person pay in taxes over his or her lifetime? Back-of-the-envelope: a $50k salary, half of it going to either the feds or the state, times a 40 year working life, comes to a million bucks. Much of that is spent on non-infrastructure stuff (i.e. paying bureaucrats, feeding soldiers, subsidizing farms, etc.), but if even half of it goes to infrastructure, that would work out.

      There are huge flaws in that calculation (the fact that roads have to be maintained on one side; the fact that infrastructure accumulates over time on the other) so it's at least an order of magnitude wrong either way.

      But it's not a completely ludicrous suggestion. I'd still like to know where the GP got the numbers.

    13. Re:Abusable fix? by kinzillah · · Score: 1

      It's pre-existing, meaning we don't build it all anew on a yearly basis. So it's more like the total expenditure ever, less the cost of infrastructure replaced and/or destroyed divided by population. This may or may not result in a figure that makes more sense.

      --
      Douglas P. Price
    14. Re:Abusable fix? by Gospodin · · Score: 1

      If they're spending $1 trillion a year on infrastructure, and we've accumulated the infrastructure over the last 150 years, it works out.

      Well, not really: consider depreciation.

      ...it's at least an order of magnitude wrong either way...

      I'm quite open to the possibility that the figure is an order of magnitude wrong. That's pretty wrong.

      --
      ...following the principles of Heisenburger's Uncertain Cat...
    15. Re:Abusable fix? by Lockejaw · · Score: 1

      Honestly, I really think the stock market, in general, is a corrupting influence. It encourages the use of money for no other reason than to make more money with no social responsibility or ethics... and they wonder why it attracts the attention of every crook and shady dealer with a few bucks to toss into a scam.
      It's because people are more interested in short-term speculation than in long-term investment.
      --
      (IANAL)
    16. Re:Abusable fix? by Gospodin · · Score: 1

      It's pre-existing, meaning we don't build it all anew on a yearly basis. So it's more like the total expenditure ever, less the cost of infrastructure replaced and/or destroyed divided by population. This may or may not result in a figure that makes more sense.

      My post should have been clearer on this point. I didn't mean to directly compare $150 trillion to an annual tax revenue 50-60 times lower and just leave it at that, QED. The step I left out is that you can think of this ratio something like a P/E ratio when valuing stocks. The ratio I calculated is 50-60, meaning that the maximum annual expenditure is 50-60 times lower than the proposed current value. I think there's simply no possible way this could be a fair valuation.

      First of all, we know for a fact (just look at the actual budget) that a huge percentage of tax revenue doesn't go to infrastructure, even factoring in state and local government. The actual percentage is way less than half, and probably less than 25% (I would be willing to believe figures as low as 10%). But let's say it's 1/3 for argument's sake. That makes the ratio of value to annual expenditure 150-180. If you take current public spending on infrastructure and extend it indefinitely back in time, taking a reasonable cost of money into account, and counting depreciation, I think it's highly unlikely to get a ratio greater than, perhaps, 20. So we're off by about an order of magnitude (or, if my guess that only 10% goes to infrastructure and the real ratio is more like 10, which I think are outside estimates the other way, we might be off by as much as two orders of magnitude).

      Either way, the number is way off.

      --
      ...following the principles of Heisenburger's Uncertain Cat...
    17. Re:Abusable fix? by jfengel · · Score: 1

      An order of magnitude is pretty wrong, but it demonstrates the parent's point: as a community, we develop really important stuff in common. Your share of it could be $50k or $500k, but the roads and other infrastructure are a huge common benefit that would be hard to replicate in a completely libertarian society.

      The exact value is less important, though the half-mill figure is at least arresting. (I'm still withholding judgment on it until I see the original poster's justification.)

      But it's not really making any new arguments; it's just the classic objection to libertarianism that there are commons that are best maintained communally because of the free riders. In many ways, the non-infrastructure elements of the budget (like the military) are a much better demonstration of that argument.

      I'm really not trying to make that argument here; it's been well hashed out elsewhere. I was just trying to demonstrate that the number isn't completely ludicrous; there is considerable value in the infrastructure.

    18. Re:Abusable fix? by Lord+Ender · · Score: 1

      Thoughts like this are the kind of thoughts that convince Libertarians that the marketplace will ALWAYS correct itself.
      Do you take yourself seriously when you say stuff like that? Isn't 5,000 years of human history enough to teach you that SOME level of market regulation and trust-busting is necessary for a market to work?

      The alternative is having one estate / corp person eventually owning EVERYTHING (a king). The "marketplace" corrects this in the form of a bloody revolution, but that's a pretty terrible system to live under.

      Listen, stock scams may be "fair," but they are NOT cool. Obviously, they are terrible for the person getting scammed, but they are also pretty bad for the rest of us who have to pay for the sucker's Medicare and Medicaid after he blows his retirement account.
      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    19. Re:Abusable fix? by Alpha830RulZ · · Score: 1

      Generally stocks selling for below $5 aren't shortable. At least through my broker (schwab) they aren't. -Real- stocks won't be manipulable this way, the market is too generally liquid. Also, if you get caught playing games like this with -real- stocks, the SEC will have a fairly unpleasant chat with you.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    20. Re:Abusable fix? by ivan256 · · Score: 1

      But it's not really making any new arguments; it's just the classic objection to libertarianism that there are commons that are best maintained communally because of the free riders. In many ways, the non-infrastructure elements of the budget (like the military) are a much better demonstration of that argument.


      The trouble with this whole discussion is that the debate between philosophies is always between the fundamentalist positions. In reality most people are pretty reasonable. Most libertarians would agree that it makes perfect sense to maintain some public infrastructure and most liberals (and I use that term hesitantly, since it has self contradictory meanings) don't favor socialism. Most people recognize that a balance is appropriate and merely disagree on where to draw the line.

      The value of public infrastructure could be, in fact it is considerable, yet the numbers in the original post are still ludicrous. Worse, generally people who spew such figures use it as an argument in favor of more "investment in infrastructure" regardless of type; as if all future spending will generate the same level of value no matter what the project, or worse, that any spending will generate that value even if it's not on what could be considered infrastructure, strictly speaking. Really, our infrastructure is so valuable because we were deliberate and conflicted about most of the money that was spent, and didn't go creating public projects on a whim. Far more infrastructure investments by the US government have been denied than have been approved.
    21. Re:Abusable fix? by onsblu · · Score: 1

      Really, our infrastructure is so valuable because we were deliberate and conflicted about most of the money that was spent, and didn't go creating public projects on a whim.

      Like the Osprey. I'm all for highways and schools, but that's only a small part of the infrastructure we've built (or at least attempted to build).
    22. Re:Abusable fix? by ZzzzSleep · · Score: 1
      Quoth Ruprecht the Monkeyb

      Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.
      This is certainly possible. It's known as a short and distort. I think that the most well known instance of this happening was Emulex.
    23. Re:Abusable fix? by maxume · · Score: 1

      Your calculation is aggressive. A nice paved road provides me with huge benefits, and at the same exact time, it provides you with huge benefits, and much of the time, we don't even notice that the other guy is using it. Buying power from the grid is a lot cheaper than buying a 1 kilowatt generator at birth and keeping it operational for your entire life (without access to oil and refined oil products) is going to cost you way the hell more than $0.15 an hour. And so on.

      The gp could have phrased it 'access to' instead of tailing the fragment you quoted with 'that is directly available to him/her' and you might not have questioned the statement.

      --
      Nerd rage is the funniest rage.
    24. Re:Abusable fix? by ivan256 · · Score: 1

      I think I know what your point is, but I'm confused by the line of my comment you've quoted. Are you referring to the beleaguered V-22 which we would have done well to cancel when Dick Cheney wanted to back in the '80s?

      That's a good example of something we should have cut our losses on much earlier (before we started?), but somehow I don't think it's the kind of project that the original poster would be in favor of.

    25. Re:Abusable fix? by mgv · · Score: 1

      First of all, we know for a fact (just look at the actual budget) that a huge percentage of tax revenue doesn't go to infrastructure, even factoring in state and local government. The actual percentage is way less than half, and probably less than 25% (I would be willing to believe figures as low as 10%). But let's say it's 1/3 for argument's sake. That makes the ratio of value to annual expenditure 150-180. If you take current public spending on infrastructure and extend it indefinitely back in time, taking a reasonable cost of money into account, and counting depreciation, I think it's highly unlikely to get a ratio greater than, perhaps, 20. So we're off by about an order of magnitude (or, if my guess that only 10% goes to infrastructure and the real ratio is more like 10, which I think are outside estimates the other way, we might be off by as much as two orders of magnitude).


      Actually, much of this is a form of infrastructure too. For example, our whole legal system is one of the most important infrastructures that we have, but it's quite intangible compared to a road.

      It is, however, the basis of what really sets the first world from the third world.

      Michael
      --
      There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    26. Re:Abusable fix? by jfengel · · Score: 1

      Fundamentalist philosophies have the advantage of logical consistency. When you sit down and argue about them, you can't assail the logic, even though they lead to absurd situations in practice.

      You can avoid the absurdities with compromise, as you say, but you lose the logical coherency. You introduce gray areas with no logical solution, only an appeal to what's practical.

      Democracy is about creating these compromises, either by accumulation of cruft in laws over time as power switches, or by compromises between sides to get a law passed. Either way you end up with truly insane compromises which just (barely) happen to work, mostly-kinda.

      It's more fun to argue fundamentalism on message boards, where all you have to do is be right. Real life and real politics is much messier and vastly less fun.

  5. 404 File Not Found by Anonymous Coward · · Score: 0

    404 File Not Found
    The requested URL (yro/07/05/30/1444236.shtml) was not found.


    Baaaadddd slashcode bug, when not logged in, if a story has no comments you will consistently get a 404 error. This has been the case for some time now. Most irritating. No sense reporting it as all bug reports are summarily ignored anyway...
    1. Re:404 File Not Found by khedron+the+jester · · Score: 1

      Probably to prevent the fristage postages you ACs like doling out liberally.

    2. Re:404 File Not Found by Anonymous Coward · · Score: 0

      Probably to prevent the fristage postages you ACs like doling out liberally.


      I am not a frist psot troll. I post anonymously so that I cannot be gagged by the Slashdot censorship (Moderation/Karma) system. I tend to post facts unpopular with slashdot groupthink, and posting as a registered user inevitably results in an immediate gag. This is why I always find slashdot outrage at censorship so ironic and hypocritical.

      [IP address changed for this post to defeat the insanely ridiculous slashdot post flood interval of 30 minutes, as I posted in a different thread about 7 minutes ago.]
  6. Ameritrade is bunk by linzeal · · Score: 5, Insightful

    As someone who has used both Ameritrade, Etrade and Banc of America for stock trading I would say stick with a company who has more on the line than just a Web 1.0 company. Bricks and mortar Bank of America is not going to fuck over customers to get 10 bucks an email address and their security is run through a group of people who have to protect 100's of billions of dollars. It might cost more but you will sleep better at night.

    1. Re:Ameritrade is bunk by Anonymous Coward · · Score: 0

      stick with a company who has more on the line than just a Web 1.0 company


      Any credibility your comment had disappeared with the use of that phrase, especially the way you used it. I'm supposed to trust a javascript heavy site more than a plain html one? Riggghhhttt. I'd only trust a stock trading site that uses plain html output from its scripts on an SSL server with a certificate signed by Entrust. I would trust nothing else.
    2. Re:Ameritrade is bunk by Anonymous Coward · · Score: 0

      uh yeah, right. that would be why BOA has spambots INSIDE THE FIREWALL sending spam - because they spend so much money on security... BOA is just as bad as the other companies, they just put a more expensive face on it.

    3. Re:Ameritrade is bunk by arodland · · Score: 5, Funny

      Yeah, you're right. BoA expects to make a lot more money while they're fucking their customers over.

    4. Re:Ameritrade is bunk by f1055man · · Score: 1

      No, BofA just fucks over their customers every other way. They've charged me hundreds in overdraft because it took them weeks to deposit a check. They have the worst customer service reputation in the industry.

    5. Re:Ameritrade is bunk by mpapet · · Score: 1

      Bank of America is not going to fuck over customers

      You must be new here.

      Please, examine carefully BofA's role in the U.S. financial system before making such a careless statement. Look carefully at who controls Visa and Mastercard.

      Among other important things to understand is that BofA profits quite handsomely while consumers bear increased costs for everything purchased at retailers that accepts card payments.

      "Despite merchant discontent, card issuers have incentives to maintain or increase interchange fees. Issuers are marketing credit cards with reward or loyalty programs that encourage greater card use and reinforce customer loyalty to the brand. An estimated 12 to 24 percent of cards held by consumers have rewards associated with them,26 and in 2003 an estimated 60 percent of credit card spending was attributed to cards with rewards.27 Card issuers are funding these increasingly popular reward programs through interchange fees."

      http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

      I would argue that this one excerpt alone is enough to be concerned about BofA's impact on our economy.

      --
      http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    6. Re:Ameritrade is bunk by drinkypoo · · Score: 4, Informative

      Bricks and mortar Bank of America is not going to fuck over customers to get 10 bucks an email address

      Bank of America is pure, concentrated evil. Not only do they have some of the worst customer service on the planet (especially if they feel you are in the wrong) but they were one of the last corporations to pull out of their investments in Apartheid.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Ameritrade is bunk by YrWrstNtmr · · Score: 2, Interesting

      Bricks and mortar Bank of America is not going to fuck over customers

      Now THAT is funny.
      Bank of America hit Gloria Carlo, 51, a single mom from the South Bronx, with a lawsuit demanding $23,312.04. It's money the bank claims she overdrew in a two-month home-shopping spending spree after already exhausting $38,000 from her own savings.

      Bank of America Corp. and Wachovia Corp. are among the big banks notifying more than 670,000 customers that account information was stolen in what may be the biggest security breach to hit the banking industry.

      Users of the Bank of America's Visa Buxx prepaid debit cards are being warned that they may have had sensitive information compromised following the theft of an unencrypted laptop computer.

    8. Re:Ameritrade is bunk by Nate+Fox · · Score: 1

      wanna bet? I set up a "bofa@[mydomain]" address when I first signed up with them. that address still gets spam to this day.
      they specifically said that they traded email addresses with 'trusted partners'. apparently the trusted partners are where the address got sold off from.

      bofa2@mydomain has yet to get any spam since then.

    9. Re:Ameritrade is bunk by sogoodsofarsowhat · · Score: 1

      Funny I use BoA and run an international business with a plant here in the USA and one in Thailand. I have nothing but praise for BoA. Maybe you should keep money in your account and not depend on a single check clearing. See sometimes checks from some sources takes week to clear the bank they are drawn on. This is done because a lot of these types of checks are forgeries. So the next time you make a large deposit with somebody else's check don't count on the money being credited right away....UNLESS you have enough funds on deposit to cover it. I never have this problem as I keep a very good chunk of money in BoA. Again Banks take care of customers that pay the bills. You obviously are not paying the bills for them as a customer.

      --
      . I love the sound of burning women and screaming rubber....
    10. Re:Ameritrade is bunk by uniqueCondition · · Score: 1

      Ameritrade is 40% owned by TD bank. TD has $50b (mkt cap) worth of bricks & mortar. Granted it's 1/4 the size of BofA but certainly far from just a website

      --
      "The more you know, the less sure you are." - Voltaire
    11. Re:Ameritrade is bunk by operagost · · Score: 0

      Maybe you should keep money in your account and not depend on a single check clearing. See sometimes checks from some sources takes week to clear the bank they are drawn on. This is done because a lot of these types of checks are forgeries. So the next time you make a large deposit with somebody else's check don't count on the money being credited right away....UNLESS you have enough funds on deposit to cover it.

      I find your elitist attitude both distasteful and ignorant.

      American Banks, being financial institutions, basically get to set their own policy within the limits imposed by the FDIC and other government agencies. The policy regarding checks is clearly stated, and is usually "funds become available within X number of days of deposit". Note that the parent poster did not mention whether the check was drawn on a foreign bank. Regardless, the policy should be clearly stated regarding those checks if it differs from domestic policy. If the bank cannot honor their own policy, they are liable in the same manner that I would be liable if I entered into an agreement with another party to render payment for goods or services by a certain date. Just shrugging and saying, "Oh well, they're a special case because X bank suffers a lot of forgeries" doesn't cut it unless that policy is clearly stated. Some people do live from paycheck to paycheck, and it's usually not by choice. They shouldn't expect the bank to give them a break if they are truly responsible for an overdraft. They do have an expectation as a customer (write that down: expectation), established by the financial institution, to have their funds available when agreed upon through an agreement. The bank has other recourses, such as notifying the customer of a problem. What they do not have is the right to penalize the customer for the issues they encounter during regular business.

      There are costs associated with doing business, and sometimes the business can recover these from their customer but this must be done in a fair and consistent manner, within the confines of the agreement.
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    12. Re:Ameritrade is bunk by el+americano · · Score: 1

      You obviously are not paying the bills for them as a customer.

      This is a DEFENSE of BofA? Thanks for the warning. I'll avoid them like the plague.

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
    13. Re:Ameritrade is bunk by DogDude · · Score: 1

      I agree with the first half of your argument, but suggesting Bank of America is not such a good idea. Bank of America has one of the worst track records for private banks in the US, as far as customer service goes. I did business with them once.... Never again.

      --
      I don't respond to AC's.
    14. Re:Ameritrade is bunk by Anonymous Coward · · Score: 0

      Amen!

      Just wanted to second your assertion as someone who spent months resolving a CC issue with them. Their support is a mixture of stupidity, incompetence, asinine limitations (even for managers) and overall uncaring attitude designed to frustrate you as much as possible.

      I'm not sure how I would word it, but somehow "pure, concentrated evil" just doesn't capture how truly vile they can be.

    15. Re:Ameritrade is bunk by Anonymous Coward · · Score: 0

      Has BofA stopped beating its wife yet?

    16. Re:Ameritrade is bunk by Danny+Rathjens · · Score: 1
      Yeah, a separate company called "banc of america" so that people confusingly think it is "bank of america" is such an aboveboard and honest thing. BoA has also been becoming increasingly sleazy and money hungry. For example, to activate a new card they force you to listen to advertisements before confirming the activation. Also forced interstitial ads when logging in to website and "accidentally" modifying your account settings to opt you in for stuff. They also bought the quite shady credit card company MBNA a couple years ago. (which was frustrating for me because I had fled MBNA to BoA due to their sleazy practices), ah, here they are delineated (the changing due dates were most frustrating for me)

      MBNA was one of the companies mentioned on a 2004 Frontline PBS special about unfair business practices by credit card companies [4]. Reported practices included changing aspects of the contract without the consent of the customer, doubling or tripling fees and interest rates, changing billing due dates monthly, and invoking universal default on first offenders whose payments were a single day late.
      Now I use ingdirect for checking (4% to 5.3% apr checking! with caveat of no physical bank to withdraw from), but apparently the entire credit card industry is a bit sleazy so I've yet to move my cc account from BoA yet. (I prefer to save *then* spend, but a cc is required to generate a good credit rating)
    17. Re:Ameritrade is bunk by Danny+Rathjens · · Score: 1

      I forgot to mention my problems with e-trade, too. :) I was one of the "open source" people to get the special offer to be able to purchase redhat shares at its IPO. But to do so I had to create an e-trade account, send in the money, fail their net-worth requirement, then there was that the whole uproar about hardly any of us actually passing the questionnaire and getting the shares set aside for us, so they told us to redo it, and the guy was telling me to add more to the totals so I could pass, but I would not lie as he was suggesting so I failed again, but then e-trade refused to give my money back for a couple weeks due to "policy".

  7. Re:Why is this on the frontpage? by Skadet · · Score: 4, Funny

    Are you 12 years old, or just have the attention span of one?

  8. May be related to TD Waterhouse merger by hksld99 · · Score: 5, Insightful

    I have been a long time AmeriTrade customer and, like the author, used a unique email address for my AmeriTrade account. I never received any spam on that email address until a few weeks after the TD Waterhouse merger last year. Suddenly I started getting tons of pump&dump spam on that address.

    Checking the "privacy" settings in my account revealed that somehow my account had been changed from "opt-out everything" to "opt-in everything" -- certainly not by me. I changed everything back to opt-out, assigned a new email address and have not received any spam on that new address since then. The old email address keeps getting spam, so I am hard-filtering it on my SMTP server now.

    To me it looks like the TD Waterhouse merger triggered a change in their privacy policy or account handling that caused "opt-in" to be set on at least some accounts.

    1. Re:May be related to TD Waterhouse merger by bugnuts · · Score: 1

      it looks like the TD Waterhouse merger triggered a change in their privacy policy or account handling that caused "opt-in" to be set on at least some accounts

      Nevertheless, stock brokers should not be in the business of assisting fraudulent schemes. This is almost certainly illegal, but ianasb.

      No, more likely their database was compromised, possibly from the inside, and continues to have a mole or hole.
    2. Re:May be related to TD Waterhouse merger by omeomi · · Score: 2, Funny

      The old email address keeps getting spam, so I am hard-filtering it on my SMTP server now.

      Me too...I receive 0% of my email from my SMTP server...

      ;-)

    3. Re: May be related to TD Waterhouse merger by Pooch+Bushey · · Score: 1

      "what hksid99 said" ... i'm in the same boat ... i've been a long time customer and never had a problem until after the merger.

      i have my own domain and host my own mail and dns servers, so when i sign up for something from a vendor i (a) create a unique mx record for some .my.domain mail domain, and then i (b) create a random email address at that random mail domain (e.g., .my.domain. (actually, scripts do all the creating.) i only ever give that address to the one vendor, and i almost never use a public computer (certainly not in the case of td ameritrade). the vendor-specific email addresses i dole out are terribly difficult to guess, so disclosure by the vendor is about the only way they would get distributed.

      after i started getting spam to the address which i only ever gave to ameritrade, i called ameritrade on the 19th of this month, to ask where was their privacy policy governing email addresses (and other personal information). i spoke with a guy named kumba. i explained what happened and what i wanted. he told me they never shared email addresses and then he put me on hold. he came back about ten minutes later and pointed me to a document that had nothing to do with email addresses or privacy. he seemed a bit anxious to get rid of me. he put me on hold again. i was on hold again for over 30 minutes before i got tired of waiting for him to return. so i hung up.

      i created a new address and made the change on the ameritrade website. then i deleted the old mx record and mail domain, which stops the spam where it should be stopped, at the source. that's been 11 days and i've received no new spam, but only time will tell.

      i'm sure ameritrade has 3rd party marketing agreements in place with other companies, and that allows them to share email addresses, etc. i guess what yanks my chain is that i'm getting penny-stock spam that effectively originated from ameritrade.

    4. Re:May be related to TD Waterhouse merger by Anonymous Coward · · Score: 0

      Me too...I receive 0% of my email from my SMTP server... ;-)

      You *do* realize that your mail is almost certainly delivered to your account via SMTP, don't you? Whether you use IMAP, POP3, or less to retrieve it has no bearing on the transport by which it was delivered.
    5. Re:May be related to TD Waterhouse merger by Anonymous Coward · · Score: 0

      Maybe the GP meant SpaMTraP ;)

    6. Re:May be related to TD Waterhouse merger by CrazyLegs · · Score: 2, Informative

      I work for TD. There is a TD Waterhouse Canada, and there used to be TD Waterhouse USA. The latter was recently merged into Ameritrade, which then became TD Ameritrade. TD Waterhouse Canada remains a separate subsidiary.

      --

      CrazyLegs

      "Pork!!" said the Fish, and we all laughed.

    7. Re: May be related to TD Waterhouse merger by Culture20 · · Score: 1

      i'm getting penny-stock spam that effectively originated from ameritrade.
      That sounds like a job for the FTC, not Kumba the phone-jockey.

    8. Re:May be related to TD Waterhouse merger by blueskies · · Score: 1

      How do you filter your mail? On the imap or pop3 side? Or you use outlook and client side rules, yuck!

    9. Re:May be related to TD Waterhouse merger by omeomi · · Score: 1

      You *do* realize that your mail is almost certainly delivered to your account via SMTP, don't you?

      It may be delivered by the Send Mail Transfer Protocol, but it's not delivered to me by *my* SMTP server, unless, I suppose, I send myself mail. But I don't see any particular reason to filter mail from myself. I rarely send myself spam.

    10. Re:May be related to TD Waterhouse merger by worldcitizen · · Score: 1

      After you're opted-in to "offers" it doesn't have to be Ameritrade cooperating with the pump'n'dumpers. Once Ameritrade provides the email to a legitimate partner (e.g., someone doing "free" seminars for customers, or "discounted golf clubs" or whatever) then the address is no longer protected by Ameritrade's security (and desire to maintain the necessary trust in a financial service) but the partner's "security" (and greed). There may be a confidentiality clause in the agreement between Ameritrade and the partner but information security gets more and more difficult to enforce as it travels further away from the core business and there is less at stake.

    11. Re:May be related to TD Waterhouse merger by Anonymous Coward · · Score: 0

      Wow, that was dumb. Just admit your ignorance and move on.

  9. In related news by eebra82 · · Score: 5, Funny

    I am shocked to say that after signing up to a news letter on a few porn sites, I am now receiving non-porn content e-mails.

    1. Re:In related news by Builder · · Score: 1

      I don't believe you. What sites were these ? ;)

    2. Re:In related news by Anonymous Coward · · Score: 0

      The horror of it all. Who wants non-porn email. Hell I require all of my relatives and acquaintances to include porn along with all of their communications with me or I refuse to read it!

  10. I doubt email addresses by sholden · · Score: 3, Insightful

    count as a big enough leak to trigger disclosure laws. If they are just selling email addresses without any other personal details they may be violating their privacy policy but probably not disclosure laws.

  11. My vote goes to spyware! by isa-kuruption · · Score: 0, Flamebait

    All of these "tech savvy" people who think they know all there is to know are probably also too arrogant to think they can get infected with spyware, so have absolutely no way to detect and remove it. So, what happens? Ooops, spyware on their PC figured out their AmeriTrade email address and they started getting spammed.

    And, no, it's not AmeriTrade's fault you got spyware on your PC after visiting that black on blond porno site.

    1. Re:My vote goes to spyware! by lixee · · Score: 1, Troll

      You must have "tech savvy" confused with "using IE on Windows".

      --
      Res publica non dominetur
    2. Re:My vote goes to spyware! by Billosaur · · Score: 1

      Another culprit would certainly be if any of these folks used public terminals to log in and check their portfolios, or even Wi-Fi in public places that a hacker could sniff out. Trading needs to be done in the privacy of your own home, behind an excellent firewall, through a physical connection or encrypted Wi-Fi.

      --
      GetOuttaMySpace - The Anti-Social Network
    3. Re:My vote goes to spyware! by Anonymous Coward · · Score: 0

      If you've got spyware on your PC that is sniffing your Ameritrade account info, you've got a much bigger problem to worry about than spam.

    4. Re:My vote goes to spyware! by JeffL · · Score: 4, Interesting

      A virus and spyware is certainly a possibility for leaking an address, and I know I've had my address leaked when somebody else's computer, who has received an e-mail from me, gets infected with spyware.

      In this case though, both a friend and myself started getting spam to our unique Ameritrade addresses at the same time. Both of us use Linux for our primary desktop OS (no e-mail reading from a Windows vmware session, etc.) Neither of us received spam to our many other unique addresses. If it had been spyware infecting one of our machines and stealing our e-mail list, then I would have expected spam to my e-trade, amazon, newegg, etc. unique addresses, but only the ameritrade address received the spam.

      It could still be a spyware or virus infection at a machine at Ameritrade. Somebody keeps the full list of e-mail addresses on their laptop, which goes outside all the fancy firewalls and IT oversight and gets infected, and has the data stolen.

    5. Re:My vote goes to spyware! by omeomi · · Score: 1

      Another culprit would certainly be if any of these folks used public terminals to log in and check their portfolios, or even Wi-Fi in public places that a hacker could sniff out.

      With a public terminal, it is possible that there's a keylogger installed on the computer, but since all of the online trading companies that I've seen use SSL, I don't think there's much chance your email address could fall into the hands of a hacker via a public wifi connection just because you logged in to check your portfolio. Now, if you checked your email, that's a different story...

    6. Re:My vote goes to spyware! by Anonymous Coward · · Score: 0

      Trading needs to be done in the privacy of your own home, behind an excellent firewall, through a physical connection or encrypted Wi-Fi.
      ...In the basement in a disused lavatory in a locked filing cabinet bearing a sign saying "beware of the leopard".

      If it requires all that, then what is the advantage of doing it online again?
    7. Re:My vote goes to spyware! by Radical+Moderate · · Score: 1

      "And, no, it's not AmeriTrade's fault you got spyware on your PC after visiting that black on blond porno site.

      Link please? :-)

      --
      Never let a lack of data get in the way of a good rant.
  12. Re:Why is this on the frontpage? by aabxx · · Score: 0, Offtopic

    Fuck. I'm found out :(

  13. gmail mail tracking trick by TheGreatOrangePeel · · Score: 5, Insightful

    Gmail has got a neat trick you can use to learn who sells your email address...

    If your email is xyz@gmail.com and you're registering at site ABC, you can register at that site with the email address xyz+ABC@gmail.com. Gmail still delivers it to you and at the same time allows you to see who sold your email information.

    1. Re:gmail mail tracking trick by UbuntuDupe · · Score: 4, Insightful

      Couldn't spammers circumvent this by purging +-type suffixes, (i.e., converting "xyz+ABC@gmail.com" to "xyz@gmail.com") since the email will still get to you?

    2. Re:gmail mail tracking trick by Monsieur+Canard · · Score: 1

      That trick only works sometimes.

      I tried it with one site (Amazon IIRC) and got back an error message saying "No no you ninny, we said enter a VALID e-mail address. What are you, an idiot?" or something French like that. Apparently some forms are smart enough to check for invalid characters.

      --
      He took a duck to the face at 250 knots.
    3. Re:gmail mail tracking trick by Anonymous Coward · · Score: 0

      That is actually a standard feature of many (most?) mail systems.
      Any clever spammer will remove the part between + and @ before using the address...

      But then, are there any clever spammers?

    4. Re:gmail mail tracking trick by TheThiefMaster · · Score: 2, Informative

      You're assuming that said site knows that email addresses containing a + are valid.

      Lots of places check for alphanumerics, dot and @ and reject anything else.

    5. Re:gmail mail tracking trick by Tronster · · Score: 1

      A similar feature is offered to users of Spamcop accounts. Unfortunately I've had mixed results...

      The official RFC for e-mail addresses says that a plus symbol is valid; but roughly half of the web-forms I've interacted with do not consider a plus in a name to be a valid address. Some bigger web-sites (i.e., Xbox Live) don't allow this, and those that do may break if the e-mails they sent are from a listserv. (e.g., unable to unsubscribe, change passwords over e-mail, etc...)

    6. Re:gmail mail tracking trick by Fred_A · · Score: 1

      Except it's not invalid. It's just their form that's broken.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    7. Re:gmail mail tracking trick by theTrueMikeBrown · · Score: 1

      That could come in handy, Thanks! -Mike

    8. Re:gmail mail tracking trick by horatio · · Score: 4, Interesting

      You're right, and that works great except for most sites that I've come across use a regex which disallows the use of a '+' sign in the email address.

      What I've done instead is to create a catch-all email address in a subdomain and sign up as, ie amazon@subdomain.domain.com. I suppose I could first create a unique 16-character string for each one and add a new address before creating any accounts, but a) that requires additional effort and management and b) when you call, for example, amazon customer support they ask for your email address to identify your account. Good luck communicating 16 random letters and numbers over the phone to level-1 customer support.

      Eventually a "dictionary" attack might end up forcing me to shut down the catch-all and be explicit.

      --
      There is very little future in being right when your boss is wrong.
    9. Re:gmail mail tracking trick by JM78 · · Score: 1

      He isn't assuming anything at all! All he did was post an interesting feature about GMail. It's retarded programmers who don't know how to properly check for valid email addresses who are to blame. Good grief; don't kill the friggin' messenger - especially when his reports are educational and completely unbiased.

      My thanks to TheGreatOrangePeel for informing those of us who were unaware about this pretty neat feature.

      --
      I am Jack's smirking revenge.
    10. Re:gmail mail tracking trick by AshPattern · · Score: 1

      Uh, sendmail and postfix do too. This is a very common MTA feature (in the *NIX world, anyway :)

    11. Re:gmail mail tracking trick by swillden · · Score: 2, Insightful

      Apparently some forms are smart enough to check for invalid characters.

      You mean: Apparently some forms are dumb enough to deny valid characters.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    12. Re:gmail mail tracking trick by Anonymous Coward · · Score: 0

      The problem with this is most sites won't allow '+' in the email address because it is considered invalid by their email validation scripts. This is highly annoying as that is how I use my labels in gmail.

    13. Re:gmail mail tracking trick by ReekRend · · Score: 1

      Um, couldn't you abuse this "feature" to screw your competitors?

      Scan for + in email, replace after + with competitor name.
      Sell for profit AND f your competitor.

    14. Re:gmail mail tracking trick by nuzak · · Score: 1

      Using a tagged address is for your convenience in tracking a leak. It's hardly presentable as ironclad evidence. Most spammers strip tagged addresses anyway, so this trick will only catch the dumbest mainsleaze e-penders.

      --
      Done with slashdot, done with nerds, getting a life.
    15. Re:gmail mail tracking trick by FuzzyDaddy · · Score: 1
      But then, are there any clever spammers?

      Tons, unfortunately. That's the problem.

      --
      It's not wasting time, I'm educating myself.
    16. Re:gmail mail tracking trick by egypt_jimbob · · Score: 4, Informative

      ...invalid characters. Read the rfc. Specifically sections 3.2.4 and 3.4.1; "+" is an atext character that is valid in the local-part (the junk before "@") of an address.

      And to the grandparent: gmail is not the only mail client that allows this. Mutt and pine definitely do and I am sure there are others, since the use of "+" is perfectly valid. In fact, the ones that don't are non-compliant.
      --
      I am a leaf on the wind. Watch how I soar.
    17. Re:gmail mail tracking trick by banana+fiend · · Score: 1

      Couldn't customers circumvent the circumvention if gmail allowed + characters in the name, then when the spammers stripped it out, it would no longer get to you?

      --
      Johns: Well, how does it look now? Riddick: Looks clear.
    18. Re:gmail mail tracking trick by spikedvodka · · Score: 1

      Good luck communicating 16 random letters and numbers over the phone to level-1 customer support.

      That's why I almost always use a phonetic alphabet when I'm on the phone http://en.wikipedia.org/wiki/NATO_phonetic_alphabet

      it makes life so much easier
      --
      I will not give in to the terrorists. I will not become fearful.
    19. Re:gmail mail tracking trick by Anonymous Coward · · Score: 0

      Use xyz+secret@gmail for your personal email

    20. Re:gmail mail tracking trick by romcabrera · · Score: 0, Offtopic

      How could the mails not get to me?

    21. Re:gmail mail tracking trick by Builder · · Score: 1

      Actually, I don't think the MUA (client) matters as much as the MTA (server). If your mail server doesn't allow for the + notation to be delivered to the left hand side (before the plus), then it's never going to get near pine, mutt or anything else.

      I've got the + notation disabled on the mail servers that I run for people because it's too easy to abuse. Just strip everything after the + out and you've got the real account. I just created a simple web form for my users to create and delete aliases.

    22. Re:gmail mail tracking trick by dagnabit · · Score: 1

      Except for the 90%+ of sites that don't let you put any "funny" symbols like + in your email address...

    23. Re:gmail mail tracking trick by kalugen · · Score: 1

      Actually, that's not a Gmail specific trick... it's standard email addressing as defined in the relevant RFCs (start with RFC2822 if you are interested). Lots of SMTP servers accept and correctly parse addresses containing "+", basically routing the message to the mailbox matching the left part of the string - ie everything before the "+" sign, but keeping the whole string in the email headers. Try with your own SMTP service, not only with Gmail. Good chances it will work.

    24. Re:gmail mail tracking trick by SpeedyBandito · · Score: 3, Informative

      Make sure you use something like my.address+personal@gmail.com, and then set gmail to automatically filter anything without a +suffix.

    25. Re:gmail mail tracking trick by Slightly+Askew · · Score: 1

      Read it again.

      email: bobsmith@gmail.com
      i use: TDWH+bobsmith@gmail.com
      result: I get my mail

      email: Jonah+JJameson@gmail.com
      I use: Jonah+JJameson@gmail.com
      result: all the investment emails of a successful newspaper editor are now forwarded to an adult film star.

      --
      Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
    26. Re:gmail mail tracking trick by Anonymous Coward · · Score: 0

      My personal favorite is Spamgourmet.com, an easy to use disposable e-mail service.

      For example: you get an account with user name "Joe" -> Joe@spamgourmet.com and you can start using it like so:

      Ameritrade.10.joe@spamgourmet.com
      Where: Ameritrade is the source (culprit) and 10 is the number of times this addy can be used.

      You can always log in to reset any account, and check statistics. Add a sender to a whitelist, and a few other features that I never use.

      They have extra domains, like Ameritrade.10.joe@neverbox.com is the same account.

      Since I started using it (2003?) I had 100 disposable addresses, 400 forwarded e-mails, but 41,000 eaten mails. That's 41K spam not received!

      Surprisingly 90% of the mails created are not used for spam. And I use this as a "last resort" since I also have a few domains with fall-thru mail servers.

    27. Re:gmail mail tracking trick by Ziwcam · · Score: 1

      it makes life so much easier

      Sometimes...
      Other times, I get asked to slow down, because apparently they're writing it out:
      ZuluIndiaWhiskeyCharleyAlphaMike...
    28. Re:gmail mail tracking trick by jfengel · · Score: 3, Insightful

      That works nicely, though you still lose when your true address+personal email address leaks out. Your friends will insist on sending you e-greeting cards, mailing you articles from newspapers, including you on large mailings that get forwarded to some jackass spammer... and once your name leaks out to one, it's leaked out to all of them.

      Or maybe I just need smarter friends.

    29. Re:gmail mail tracking trick by alanjstr · · Score: 1

      Is this actually documented by the gmail team anywhere?

    30. Re:gmail mail tracking trick by Proteus · · Score: 1

      What I've done instead is to create a catch-all email address in a subdomain and sign up as, ie amazon@subdomain.domain.com. ... Good luck communicating 16 random letters and numbers over the phone to level-1 customer support.
      This also has the advantage of not needing to establish the alias first, which is a boon when asked for e-mail addresses on paperwork or while away from your computer. I use this same system, and it works very well.

      One downside, however, is customer-support confusion. Explaining your 16-char random local-part over the phone pales in comparison to people's reaction when they see their company (or domain name) in your mail address.

      Case in point, when I signed up for a Onlzbag hotel (rot-13 to protect the guilty) frequent guest card, I was told that e-mail address was required. I used onlzbag.com@{mydomain}. The response was a very angry hostess screaming "that's not your e-mail address, that's ours."

      Granted, demanding a supervisor and equally-loudly explaining the hostess' stupidity while insisting that they explain why they were accusing me of fraud did net me a couple nights of free hotel, but YMMV. :)
      --
      We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
    31. Re:gmail mail tracking trick by bill_mcgonigle · · Score: 1

      That's why I almost always use a phonetic alphabet when I'm on the phone

      Hey, not all of us have the luxury of only talking to ex-military and boy scouts on the phone!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    32. Re:gmail mail tracking trick by keytoe · · Score: 1

      On the last two pages of my copy of Mastering Regular Expressions is an example of a regular expression that matches valid email addresses.

      • It is two full pages with no 'noise' whitespace.
      • It is considered 'inaccurate, but close enough'

      What is considered a 'valid' email address is not an easy thing to sniff. Large chunks of MTA code go into figuring out validity, and they have it much easier since they can do it procedurally instead of in a single match. Expecting every single web site out there to apply this level of accuracy to their address validity check is flat out asking for too much.

      Yeah, it'd be nice if the whole rest of the world was pedantic and accurate. It's not, though, so get over it.

    33. Re:gmail mail tracking trick by Rambo · · Score: 1

      I might add that the old trick of having a catch-all address and signing up as (business_name)@(your_personal_domain) is actually kind of dangerous. Some freaks at a particular (unknown) site I created an account on noticed the address for what it was and began joe-jobbing me for spite: I became the return domain with random email addresses for all their stock scams and spamming. Forced me to actually whitelist important accounts and dump the rest straight into the trash. Pretty frustrating, and good luck finding out the losers who did it.

      Larry

    34. Re:gmail mail tracking trick by gnu-sucks · · Score: 1

      I think you're exactly right. This will only last for a short while.

      For those of you still confused:

      you give address: kilo+tdw@gmail.com
      And the evil spam people automatically remove everything after and including the "+" sign, and send spam to: kilo@gmail.com.

      After all, EVERY gmail user account works this way...

    35. Re:gmail mail tracking trick by swillden · · Score: 1

      Who's asking for perfect accuracy? The general guideline for implementation of Internet technologies is "be liberal in what you accept, strict in what you produce". If you can't write a simple RE that accurately validates e-mail addresses, it's better to accept some invalid ones -- especially since there are many, many perfectly well-formed e-mail addresses that are, in fact, invalid anyway. The only real way to validate an address is to send e-mail to it, any other validity checking is just testing to make sure the address looks valid-ish, so there's no point in being excessively strict.

      Further, I dispute your claim that a RE for an SMTP e-mail address is so hard to write. RFC 2822 defines the allowable structure in terms of a fairly simple grammar, and most of the complexity in the grammar is to accommodate addresses with names (e.g. "Foo Bar <foo@bar.com>") or lists of addresses, neither of which are relevant for most forms where an e-mail address is entered. Any structure expressible as a grammar can be expressed as a regular expression, and the mapping is straightforward.

      I suspect that your two-page RE for mailing addresses tries to also accommodate bang paths, X.400 addresses and other archaic addressing formats that are no longer relevant, as well as supporting SMTP address lists, angle addresses, route specifications, obsolete SMTP formats and other obscure structures that can be safely ignored -- some of which probably wouldn't be accepted by an SMTP server anyway.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
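An added example, not part of any post in this thread: a form-side check built from the RFC 2822 addr-spec grammar discussed above (dot-atom or quoted-string local part, no display names, lists or obsolete forms), set beside a strict pattern of the kind that rejects '+'. The strict pattern, the hostname-only domain rule and the 64/254 length limits (from RFC 5321) are assumptions of this example; the sample addresses are taken from the thread or constructed.

```python
import re

# atext, RFC 2822 section 3.2.4: letters, digits and these specials ('+' included).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
# dot-atom: runs of atext separated by single dots, no leading or trailing dot.
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
# quoted-string local part, simplified: printable qtext, space, or backslash pairs.
QTEXT = r"[\x20\x21\x23-\x5b\x5d-\x7e]"
QUOTED = rf'"(?:{QTEXT}|\\[\x20-\x7e])*"'
# Assumption: the domain is a DNS hostname with at least two labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN = rf"{LABEL}(?:\.{LABEL})+"
ADDR_SPEC = re.compile(rf"(?:{DOT_ATOM}|{QUOTED})@{DOMAIN}")

# Constructed stand-in for the over-strict patterns the thread complains about.
STRICT_FORM = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$")


def is_valid_addr_spec(addr):
    """True if addr is a bare addr-spec under the grammar above."""
    if len(addr) > 254 or not ADDR_SPEC.fullmatch(addr):
        return False
    local = addr.rsplit("@", 1)[0]  # the domain never contains '@'
    return len(local) <= 64


def strict_form_accepts(addr):
    return STRICT_FORM.match(addr) is not None


def audit(addresses):
    """Compare both checks and report where the strict pattern is wrong."""
    wrongly_rejected = [a for a in addresses
                        if is_valid_addr_spec(a) and not strict_form_accepts(a)]
    wrongly_accepted = [a for a in addresses
                        if strict_form_accepts(a) and not is_valid_addr_spec(a)]
    return {"wrongly_rejected": wrongly_rejected,
            "wrongly_accepted": wrongly_accepted}


SAMPLES = [
    "TDWH+bobsmith@gmail.com",            # from the thread
    "kilo+tdw@gmail.com",                 # from the thread
    "Ameritrade.10.joe@spamgourmet.com",  # from the thread
    "amazon@subdomain.domain.com",        # from the thread
    '"odd local"@example.com',            # constructed: quoted-string local part
    "foo..bar@example.com",               # constructed: consecutive dots
    "Foo Bar <foo@bar.com>",              # name-addr form, not a bare addr-spec
]

if __name__ == "__main__":
    for kind, addrs in audit(SAMPLES).items():
        print(kind, addrs)
```

The strict pattern fails in both directions: it refuses the tagged and quoted addresses while letting the double-dot address through. Either check only says the address is well formed; deliverability still has to be confirmed by sending mail to it.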
    36. Re:gmail mail tracking trick by sys_mast · · Score: 1

      This trick doesn't work. 9 out of 10 websites that I feel NEED to use something like this will NOT accept the + character in an email address. Now my opinion is that if it works at all it must be a valid email address character, can any email junkies comment? Presuming that it is part of the email spec it really should work in any form requiring the entry of an email address. Yes, I have tried to contact some of those sites and get them to fix it. NONE of them have bothered to reply. My solution is a different email address that is a spam collector, which I don't get on my mobile nor do I constantly monitor like my primary account.

      --
      Those who can, do.
    37. Re:gmail mail tracking trick by keytoe · · Score: 1

      I suspect that your two-page RE for mailing addresses tries to also accommodate bang paths, X.400 addresses and other archaic addressing formats that are no longer relevant, as well as supporting SMTP address lists, angle addresses, route specifications, obsolete SMTP formats and other obscure structures that can be safely ignored -- some of which probably wouldn't be accepted by an SMTP server anyway.

      You're absolutely correct. My post was merely an attempt to harp on the seemingly inflexible position of 'accept all valid email addresses' by pointing out that being pedantic works in both directions. Thanks for helping!

    38. Re:gmail mail tracking trick by kasperd · · Score: 1

      Now my opinion is that if it works at all it must be a valid email address character, can any email junkies comment?
      It is a valid character in the local part of an email address. The original RFC allowed all 7-bit ascii characters (yes all 128 of them including such things as the NUL character and newline), though some of them had to be escaped, and escaping was generally discouraged. A later revision did reduce the set of allowed characters slightly. But it is still very liberal (ascii 32-126 is allowed). + is a valid character in the local part of the address. And it is generally up to the individual domain how the local part is interpreted. An implementation is allowed to impose restrictions on its own local part, but not the ones it communicates with. So a mail provider could decide that they would only allow usernames which are exactly 8 characters long and consist of letters from the range a-y, but they'd still have to allow you to communicate with addresses looking differently in order to conform with the RFC.
      --

      Do you care about the security of your wireless mouse?
    39. Re:gmail mail tracking trick by ccoder · · Score: 1

      ummm

      if s/gmail.com/  then s/+.*@/@/

      ?  Strip it out in code?

      I don't think something so obvious for everyone would be of any benefit, but certainly for the majority it might, but there will be spam that gets through.

      --
      "During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
    40. Re:gmail mail tracking trick by imgunby · · Score: 1

      ah, plussed email addresses... like user-created aliases only much neater. Used to be quite a few ISPs and other web mail providers supported that, but not so much any more. Yahoo! Mail just recently ended support for that when they redid mail.yahoo.com. If your current ISP doesn't support it, give them a call and ask about it. I agree with the GP on this one... Being able to create an on-the-fly email address is incredibly helpful.

    41. Re:gmail mail tracking trick by toddestan · · Score: 1

      That works nicely, though you still lose when your true address+personal email address leaks out. Your friends will insist on sending you e-greeting cards, mailing you articles from newspapers, including you on large mailings that get forwarded to some jackass spammer... and once your name leaks out to one, it's leaked out to all of them.

      Or maybe I just need smarter friends.


      Well, you could extend the idea to your friends too. Give each friend their own +suffix email address to email you with, and when the spam starts pouring in, you'll see who your real friends are.

    42. Re:gmail mail tracking trick by slimey_limey · · Score: 1

      In fact, I did an experiment on this particular topic, using a catchall on a subdomain. (Actually it's about spamcrawlers' regexes, but whatever.) The results are somewhat interesting.

    43. Re:gmail mail tracking trick by swillden · · Score: 1

      Nice save.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    44. Re:gmail mail tracking trick by japa · · Score: 1

      Yeah, catch-alls are great. That is up to the minute someone starts dictionary attack on your domain.

    45. Re:gmail mail tracking trick by nzhavok · · Score: 1
      I had exactly the same thing happen to me. It forced me to abandon the catchall and dig through all my old mails to find out which email addresses I had used, then add them as aliases. This and greylisting together has cut the spam down from a few hundred to 1 or 2 per day. In hindsight I wouldn't bother using a catchall address anymore, it was interesting to see who leaked your address, but in the end the bounce-spam has killed the idea. Also every now and then I get a message like this one:

      Stop sending me these. I don't know what they are or how
      you began sending them to me. I will seek legal action if
      you don't stop.

      Thank-You,
      --

      He who defends everything, defends nothing. -- Fredrick The Great
    46. Re:gmail mail tracking trick by spikedvodka · · Score: 1

      I'm not a Boy Scout, and I'm not ex-military... How does Son of a Ham sound?

      That and it's a skill everybody should know

      --
      I will not give in to the terrorists. I will not become fearful.
    47. Re:gmail mail tracking trick by bill_mcgonigle · · Score: 1

      I'm not a Boy Scout, and I'm not ex-military... How does Son of a Ham sound?

      Fair enough, including 'Hams and family' would complete the group.

      That and it's a skill everybody should know

      Oh, sure, but we're careful to avoid teaching any useful skills in school. You'll probably read half of Shakespeare's plays in high school but never learn a thing about investing in the markets, filing your taxes, or how to manage a 401(k). And, girls absolutely aren't allowed to learn how to change their car's oil!

      Good parents help - second-generation clueless parents can't. Boy Scouts is just one way to help fill some gaps.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  14. Other explanations by Craig+Ringer · · Score: 3, Interesting

    The test you did is not conclusive by any means. You must also prove that the address was never exposed in any other way (stolen by malware on your machine, leaked through other communications, sold by a corrupt mail server administrator, etc), OR you need to find conclusive evidence that the leaked address came from the company's end.

    I've seen addresses turn up in spam that I wouldn't have believed if I hadn't seen it.

    Now, if you are able to confirm that several addresses created by different people & never shared get similar scams that addresses not given to the company DO NOT get, then that might be something interesting.

  15. Who's trading e-mail addresses? Everyone! by TheWoozle · · Score: 3, Insightful

    I always assume that any business that I give my e-mail address to will sell it; that's why I don't give it out. Surprisingly enough, I don't get any spam.

    This is why many pundits are saying "email is broken"; and it makes sense if you think about it. The setting up of different accounts for each company/person you interact with goes against the whole point of having an e-mail *address* (i.e., a not-too-frequently-changing place to find you).

    Really, the spam problem is a symptom of human nature (look up "tragedy of the commons"), and if any of you think you have the secret of changing *that*, then please share...

    --
    Insisting on "correct" English is like saying that there is only one, definitive recipe for chili.
  16. It's not always the company -- by foolinator · · Score: 1

    There's a lot of danger with providing an email address.

    1) Companies have partnerships with marketing firms. Often, it's these marketing firms that are the evil ones.
    2) Spammers set up sniffers on networks to sniff incoming and outgoing email. Oftentimes they sniff a router close to the source of where the marketing emails are sent out and then they have all the email addys.

    Email sent out today is NOT encrypted. ANYONE can read it, including the email addys.

    Just because it's unique to the website does not always mean that the company had a lone person who stole the addys.

    1. Re:It's not always the company -- by mulvane · · Score: 1

      Just because it's unique to the website does not always mean that the company had a lone person who stole the addys.

      You think the company had 2 or 3, maybe even more people stealing addys? The pure deviousness of it is too much to contemplate even...

  17. Devil's advocate by Orig_Club_Soda · · Score: 0

    Could it be that they store the account info online and it isn't secure and a crawler got it? Such as tech support or something?

  18. A way to kill the competition! by DoohickeyJones · · Score: 2, Interesting

    From the article:
    The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price.

    Does anyone else see the problem with that?
    If I want to kill my competitor's stock, all I have to do is launch a pump and dump scam using it as the target?

    1. Re:A way to kill the competition! by nelsonal · · Score: 2, Informative

      Pump and dumps are for little bitty companies that don't really do anything (most aren't operating) think Infinium Labs (maker of the Phantom console). It would take billions to pump and dump a listed stock.

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
  19. CORRECTION by UbuntuDupe · · Score: 1

    Okay, maybe I should take that back. While spammers pick thinly-traded penny stocks, you, as an architect of such a plan, wouldn't necessarily be constrained to do so. But nevertheless, the higher the volume of the stock, the more wrongdoing you need to halt trading. You think someone could halt trading in ExxonMobil just by spamming people to buy it?

    1. Re:CORRECTION by Rolgar · · Score: 1

      There would be too much risk and not enough reward in trying to run a scam on a big stock. The reason scams are run on really small stocks is because the scam moves the stock price in a controlled manner, by artificially creating demand where there wasn't any before. Since almost nobody owns the stock, almost nobody is selling it, and the scammer knows that he'll be the one selling at the inflated price at a 30-1000% profit. On the big stocks, there are hundreds of sellers for each stock or option at every moment which basically caps how fast and high the stock can go up, and likewise, hundreds of buyers with bids out in case the price starts to drop, so the price just won't change enough or give the scammer a big enough price move to make scamming worth it. They'd be just another trader trading on the market if they were playing in large stocks.

  20. Strangely enough by zappepcs · · Score: 3, Informative

    I met someone not long ago that wanted some DB work. They were wanting to organize and sell phone numbers, street addresses, email addresses, and they attempt to collect/gather as much meta information as possible. Various relationships tell them whether you are a good target for any given spam type email or direct mail campaign.

    Someone with your address on their list will try to sell it for $.50 or up to $5/10 if they can get it providing it is a valid address. There is money in selling such information. THAT is why you get spam. If they could figure out how to make all drivers of any vehicle made before 2000 as they drive down the highway, people would sell that to autodealers... It's all about Ad revenues, and your email address is just another pageview sort of thing for people buying the lists.

    There is no method to prevent this. If one person at company X illegally sells a list of clients of that company, it will be out in the wild, nothing to stop it from being resold dozens of times.

    1. Re:Strangely enough by Anonymous Coward · · Score: 0

      There are ways to prevent and limit information leaks:

      1) Post as AC (hehehe)

      2) More seriously: READ PRIVACY AGREEMENTS. If you don't like what you read, give false information or surf elsewhere. If you actually want to buy, then use a prepaid card.

      3) Opt out of everything: all credit card offers (select the permanent removal by mail), all junk mail, etc. So long as they don't compile a list of people who love to opt out, I should be in the clear.

      4) Call the spammer. Seriously. Many "reputable" companies use irreputable marketing techniques. Often, a phone call is the best way to get off a list.

      5) My land-line has the ringer turned off and even I don't know the number.

  21. I almost always do this by Yaksha42 · · Score: 1

    Since I own my own domain, whenever I sign up for a site, I usually put the site name in the e-mail address. I have all of my domain mail forwarded to my Yahoo account.

    So if I were to sign up for SA, I would use yaksha_sa@domain.com. Now if I ever get any mail from someone sending to yaksha_sa@domain.com, I know where they got my e-mail from.

    1. Re:I almost always do this by Anonymous Coward · · Score: 0

      Since I own my own domain, whenever I sign up for a site, I usually put the site name in the e-mail address.
      I do the same thing.

      At the beginning I would simply say "My address is "YourName"@mydomaine.com, but everyone would then write to "yourname@mydomaine.com".

      Now when I am asked for my e-mail I ask "What is your name or business?", then I tell them my e-mail is TheirName@mydomaine.com

      20% of the time I get a reply "Your name is also ABC?" or "Your business has the same name as mine?"

      My answer depends on how much time I have.
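An added example, not from any poster: the per-service address schemes described in this thread (a +suffix on one mailbox, or one local part per site on a catch-all domain) turned into a triage routine for incoming mail. Every name, domain, tag and message below is constructed, local parts are assumed case-insensitive, and a hit is only a leak indicator, since, as noted further up, the address could have been exposed some other way.

```python
from collections import defaultdict

# Constructed setup: one plus-addressed mailbox and one catch-all subdomain.
MAILBOX = "bobsmith"
PLUS_DOMAIN = "mail.example"
CATCHALL_DOMAIN = "sub.domain.example"

# Tag handed to each service -> domains that service legitimately mails from.
ISSUED = {
    "ameritrade": {"ameritrade.example"},
    "amazon": {"amazon.example"},
    "personal": None,  # given to friends: any sender is expected
}


def split_address(addr):
    local, _, domain = addr.strip().rpartition("@")
    return local.lower(), domain.lower()


def tag_of(recipient):
    """Tag carried by the recipient, "" for the bare mailbox, None if not ours."""
    local, domain = split_address(recipient)
    if domain == CATCHALL_DOMAIN:
        return local
    if domain == PLUS_DOMAIN:
        base, plus, tag = local.partition("+")
        if base == MAILBOX:
            return tag if plus else ""
    return None


def sender_matches(sender, allowed):
    domain = split_address(sender)[1]
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(recipient, sender):
    tag = tag_of(recipient)
    if tag is None:
        return "not-ours"
    if tag == "":
        return "untagged"        # tag stripped or never given: filter it
    if tag not in ISSUED:
        return "unknown-tag"     # guessed local part, e.g. a dictionary run
    allowed = ISSUED[tag]
    if allowed is None or sender_matches(sender, allowed):
        return "expected"
    return "leak-indicator"      # a third party is using this service's tag


def leak_report(messages):
    """Map each tag to the unexpected sender domains seen using it."""
    report = defaultdict(set)
    for recipient, sender in messages:
        if classify(recipient, sender) == "leak-indicator":
            report[tag_of(recipient)].add(split_address(sender)[1])
    return dict(report)


SAMPLE = [  # constructed (envelope recipient, envelope sender) pairs
    ("bobsmith+ameritrade@mail.example", "statements@ameritrade.example"),
    ("bobsmith+ameritrade@mail.example", "hot-stocks@bulkmail.example"),
    ("Bobsmith+Ameritrade@mail.example", "tips@penny-picks.example"),
    ("amazon@sub.domain.example", "orders@mail.amazon.example"),
    ("bobsmith@mail.example", "deals@bulkmail.example"),
    ("qzxv@sub.domain.example", "x@bulkmail.example"),
    ("bobsmith+personal@mail.example", "friend@isp.example"),
]

if __name__ == "__main__":
    for rcpt, sender in SAMPLE:
        print(f"{classify(rcpt, sender):15} {rcpt} <- {sender}")
    print(leak_report(SAMPLE))
```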

  22. Who says they are trading your email address? by Anonymous Coward · · Score: 0

    Is it not possible that other websites are exploiting your browser and grabbing cookies set finding that email address?

  23. long time customer by hb253 · · Score: 3, Interesting

    Lone anecdotal datapoint: I'm a long time TD Ameritrade customer. I don't get any spam to the email address I've registered with them.

    --
    Self awareness - try it!
    1. Re:long time customer by Danny+Rathjens · · Score: 1

      I'll contribute my anecdotal evidence. I had a datek account which ameritrade bought many years ago. Started getting spam some time after that to datek@mydomain, so I switched it to ameritrade@mydomain. About 2 years ago I started noticing spam to ameritrade@mydomain so I switched to dkr+ameritrade@mydomain and logged into the site and changed the options which had been mysteriously reset for opting in for spam after the interface redesign. I don't think I've seen spam to the new address since then although it could just be that my spam filters are effective enough that I haven't noticed any slip through. :)
      I simply attribute it to bureaucratic mistakes rather than purposefully selling off our contact info. "Do not attribute to malice ..." and all. :)

  24. There's another possibility by drgroove · · Score: 4, Informative

    AmeriTrade is simply selling your information to third parties.

    Dell does this. I know this for a fact - I gave Dell my information while setting up a business account for a small consultancy that I was running a few years back out of my house. I hadn't yet formalized the business legally, but gave Dell the name that I was going to use for my business. Within weeks, I began to receive snail-mail spam using the business address that I had only given to Dell. No one within Dell was stealing my information - Dell sells information about their customers to make a buck.

    AmeriTrade very likely does the same thing. After you give your email, snail mail, phone, etc info to them, they turn around and earn a buck or two by selling your information to other companies.

    1. Re:There's another possibility by Anonymous Coward · · Score: 0

      Ameritrade might have sold addresses to other companies, but I highly doubt it sold them directly to those who sent stock spams. The difference between your Dell story and this one is that stock spamming is illegal.

    2. Re:There's another possibility by CowboyBob500 · · Score: 1

      I had almost the same thing happen when I started my company. In my case we caught Dell buying direct mailing addresses from another company. My secretary got on the case and demanded that Dell take our details off their database (in the UK we have a law called the Data Protection Act which makes it illegal for a company to keep your details on a database if you request that it be removed). In the face of a DPA request they had to 'fess up and told my secretary that they couldn't remove our address as if they did, they'd only re-buy it again the next month. The only way to get our address permanently off Dell's database was to get in touch with the 3rd party and get them to remove it - which they did, to be fair. But, what Dell is doing is a breach of the DPA as they cannot permanently remove an address from their database thus making it illegal. It is also proof that they are in the business of at least buying addresses, and most likely in the business of trading addresses between themselves and other companies.

      Bob

    3. Re:There's another possibility by ikioi · · Score: 1

      The list of newly registered companies and their addresses is public information obtainable on most state government websites. Sales people regularly check these lists for new customers to cold call or send junk mail. Even if you don't give your new company's name or address to anyone, you are likely to at least start receiving junk mail there from people who regularly check the state lists or newly registered organizations.

      So, if you started getting junk mail before you officially registered with the state, then it probably was Dell, but if you started getting it after incorporating, then all bets are off as to how people found you.

    4. Re:There's another possibility by drgroove · · Score: 1

      I incorporated /after/ contact with Dell, and ended up using a completely different name. Only Dell received the company name, and it still appears on junk mail from every possible vendor you could imagine, from shipping supplies to credit cards to health insurance to whatever. Dell sold my contact information to the world.

  25. Never attribute to malice... by JoeD · · Score: 4, Insightful

    ...what can be explained by stupidity.

    It's possible that Ameritrade itself is selling the email addresses. What's their privacy policy?

    In large companies, it's very easy for someone in one division to do something that people in other divisions don't know about.

  26. note to self: by Anonymous Coward · · Score: 0

    time to cancel my Ameritrade account...

  27. Seems to be a consistent problem by chrisgagne · · Score: 2, Insightful

    This isn't limited to Ameritrade, either. I've had similar experiences with eMusic, eBay, and AccuChat (a decently-sized telco).

    It seems to me that there are three possibilities here:

    a) They sold/traded/gave away my email address in violation of their privacy policy
    b) They got h4x0red (what other data about me got compromised, huh)?
    c) The email was seen in transit by some malevolent ISP and had the envelope-to captured

    The first two possibilities are the ones that we're looking at the most, but what is the likelihood of the third possibility?

  28. Re:Who's trading e-mail addresses? Everyone! by UbuntuDupe · · Score: 1, Insightful

    No no no, you're hastily attributing the problem to the wrong market failure story! I think the one you're looking for is path dependence: that is, we could convert an email system in which you can't forge sender information, but the costs are too great and the market participants too uncoordinated to make the transition.

    Oh, and as a bonus, I'm going to repeat the myth about the Dvorak keyboard as proof of the harms of path dependence.

  29. Re:Who's trading e-mail addresses? Everyone! by DavidTC · · Score: 5, Insightful

    Yes, but the story here is that Ameritrade is not only spamming, they are spamming stock tips, or at least they are causing that to happen.

    A brokerage firm that randomly gives stock tips with the intent of buying the stock low beforehand, and selling it after a bunch of people purchase it, thus passing the loss on to their customers, is in violation of half a dozen laws and can be subject to large fines and lose its ability to trade stock, which, considering that's all Ameritrade does, would kill it. A firm that lets someone at that firm do it, instead of the firm itself, is just as culpable.

    Screw involving Ameritrade or the media in this, someone needs to inform the SEC of what's going on.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  30. Domain. by MoOsEb0y · · Score: 1

    This is why I have my own domain, and sign up every new account setting the email address to the domain @ my domain e.g.:
    slashdot_org@mydomain.com
    Naturally, all the mail @ mydomain.com forwards to my real email account which is elsewhere. Thus, if someone is sleazy and starts spamming my account, I can easily set up a filter to get rid of it. This is akin to Andy Rooney's use of creative misspellings of his own name in the 70s to track down junk mail.

  31. Who's spamming me by genecutl · · Score: 1

    I use a different email address for each company I ever give an email to. So far, I have had three email addresses end up as spam targets. These were used for the following companies:

    MacMall
    NetBank
    21st Century Insurance

    The 21st Century Insurance one I only just now noticed while checking my logs. The other two I have contacted about this matter, MacMall several times, with never a response. Regardless of whether they purposely gave/sold my address to untrustworthy parties or had them stolen through lax security, I have no plans to ever do business with them again.

    1. Re:Who's spamming me by Anonymous Coward · · Score: 0
      Parent, please let 21st know. Inbound e-mail is read by real people after the auto-respond. Or call and escalate to a supervisor or even a manager. That's not supposed to happen, and it needs to be fixed.

      - AC that works there.

  32. there is another possibility by SaberTaylor · · Score: 1

    which is that in poorer parts of the world, selling email addresses is more profitable than Internet network integrity.
    That is to say, sniffing email addresses off the routers with no collusion on the part of your paid services.
    Or the email servers that you are communicating with.

    instantspam09319467@hotmail.com

    --
    If you need text styles to communicate then you don't have a message.
  33. As you can see... by BandwidthHog · · Score: 1

    I do similar stuff with a catchall address, and for places like slashdot I also change them monthly. Seems a Japanese spam shop did some harvesting here in November, 2006 and that list is still seeing heavy use. It generally takes a few months after using an address on slashdot comments for the spam to start flowing.

    The good news is I haven’t seen any spam from any of the other addresses I’ve used, meaning that of the hundred or more distinct entities I’ve given an email address to, only public discussion boards have generated any spam, and the vast majority of that has been from slashdot. So the problem is not nearly as bad as I imagined it would be.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  34. Inside Job by interstellar_donkey · · Score: 4, Informative

    Probably someone inside AmeriTrade is selling customer data to an outside spammer

    That would be my guess. There's probably not a whole lot Ameritrade (or any company) can do about it other than figure out a way to deeply restrict access to the email addresses. But when you need customer service/marketing/administration departments to have access to customer's email addresses, it can get a little hairy.

    I can remember back in '99 going to work for a rather large ISP. My first day there they created an email account for me. After four days of orientation, when I started to actually do work, I checked my email and found it loaded with spam. This account had been on no mass mailings, had had nothing sent out, and had received no communication from within the company. The name wasn't anything close to what you'd find in a dictionary. As far as I could tell, the only way spammers could have gotten their fingers on the address was if someone inside the company was selling the address out.

    --
    The Internet is generally stupid
    1. Re:Inside Job by nuzak · · Score: 1

      The spam was probably not going directly to you, but to distribution lists you were a member of. Perhaps back in '99, email address lists were worth something to sell, so I'm not ruling it out, just applying Occam's Razor is all.

      --
      Done with slashdot, done with nerds, getting a life.
    2. Re:Inside Job by Anonymous Coward · · Score: 0
      But when you need customer service/marketing/administration departments to have access to customer's email addresses, it can get a little hairy.

      No, not necessarily. See, there is a difference between interactive one-by-one access, and bulk access. The former is usually not a problem -- it's not profitable to copy these by hand. And that's the kind of access support folks can have. Access via sql is another matter; just query thousands (... millions) of email addresses to a file and you are done. Thereby, it's good to limit that access, most support workers have no use for such access. Customer contacts are pretty much always on a per-customer basis. So you should rather restrict direct access; make all access via individual (per app/individual) accounts and so on. That's what big companies generally have to do to be SOX compatible.

      Of course it's all about relative ease or lack thereof: it is possible to start scripting other interfaces. But the goal is never to eliminate possibility per se, but to make it hard enough not to be worth the trouble. Same as with armies: you don't need to win the war against big enemy, just make it expensive enough to not be worth their time to attack you.

      And yes, any bank worth your business does have security limitations on database access. If not, they shouldn't be in the business.

  35. Was this a rigorous test? by ReekRend · · Score: 2, Interesting
    I feel like there needs to be more information about the "test". Did the Ameritrade-unique addresses *only* get stock spam, or spam in general (including stocks)? The former would of course be highly suspicious, but the latter would indicate all possibilities should be fairly examined.

    Another example, this logic seems flawed...

    he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.
    How would anyone know if or how much other email was affected? Most likely it would be trashed by a spam filter anyway, and even if it wasn't how could they compare "everyone's" email spam to see who gets what?! And obviously the "explanation" of the Ameritrade complaints being prominent is because those people were specifically looking for spam on those accounts to complain about. That says nothing else about which other email addresses also got spam or even the same spam.

    Furthermore why is a large company like Ameritrade any more suspect of selling out (or having a leak) than any given email provider? Was there a control group of email addresses created and not being given out to at all?

    I'm not saying TFA is wrong, but if they wanted to publicly prove guilt they need to provide more thorough evidence.
    1. Re:Was this a rigorous test? by Anonymous Coward · · Score: 0

      I think you are misinterpreting the article. The writer says they use a unique address with everyone. This means that if a piece of malware infected his system, that it would have multiple addresses to choose from. Why did it pick only the address he used with Ameritrade? Why did it not pick up all the different unique e-mail addresses and try to use them all (including his 'normal' e-mail address)? The fact that only the Ameritrade unique address and not the unique addresses provided to everyone else were used for spam would tend to indicate the problem is at the remote Ameritrade side, not the local subscriber side.

  36. Customers have no recourse by HangingChad · · Score: 1

    Anyone signing up for an Ameritrade account has to sign away their right to sue the company for damages. They're all like that now. So, who cares if customer data slips out? It's not like you can sue them for the actual cost of the loss or credit monitoring.

    It's just a big yawner to Ameritrade. You can't do anything and they know it. So they can BS, soft shoe, deny and all you can do is have a passive-aggressive little snit fit.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Customers have no recourse by ambrosen · · Score: 1

      Yes, but that's not a legal contract term.

    2. Re:Customers have no recourse by HangingChad · · Score: 1

      It's legal here. Just last night there was a local news story about shoddy home construction and the owner was prevented from suing the developer by the very same type of arbitration agreement. In his case the arbitrator sided with the home owner and the builder basically thumbed their nose at the process and the owner was still prevented from suing.

      Millions of people are signing those agreements...Best Buy employees have to sign one, or used to. Car dealerships, brokers, businesses of all types. Credit card companies are trying to slide them into agreements...now that's not always successful, depending on how they go about it.

      But you better believe they're legal if you're signing one.

      --
      That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  37. No by MagicM · · Score: 2, Funny

    No, he's not. He's on first, though.

  38. Somewhat common problem. Dell.com, too. by spazoid12 · · Score: 1

    I use Thunderbird, and before that I used Eudora, both of which allow me to manage dozens of email address "personalities" into a single inbox. On the mail server side of things I configure things in virtualmailrc and a few scripts to help automate stuff. So, when I bought a DVD drive for my PC years ago from Dell.com and then was surprised to see that, within a couple weeks, my largest influx of spam was addressed to the unique address I provided to Dell... Well, I complained a couple times but knew it wouldn't help. So, I changed my config to direct all incoming mail addressed to that address back to cs@dell.com. I never see it. I don't log it. I don't care... their problem. I'm sure they don't care either. Too bad there isn't a simple way to make them feel some pain.

    1. Re:Somewhat common problem. Dell.com, too. by Brit_in_the_USA · · Score: 1

      Mod this guy up.
       
      Group pressure could change some of these companies' policies. What if lots of affected people started forwarding their problem spam to the companies who had sold their email addresses, perhaps with a cover letter of "Dear sir, I have received this spam, please see to it I stop receiving these messages from your affiliates".

      If every time a million spam messages went out say 10% were forwarded to a single customer service address at the company responsible - they might just do something about it.

      How about spam fighting Microsoft carrying a web page of shame for companies that do that?

      How about if IE or Mozilla's phishing filters popped up to warn you not to give this multi-billion dollar company your email address?

      Things would start changing when the average Joe saw that their browser warned them about these companies.

  39. Go back to digg... by Anonymous Coward · · Score: 1, Insightful

    please.

  40. Edited for the time impaired by rueger · · Score: 2, Funny

    1. Signs up for an Ameritrade account using a unique e-mail address.
    2. Gets pump and dump spam at that address.
    3. Profit!

    The balance of the article:

    a) outlines a variety of conspiratorial possibilities
    b) finds that other Ameritrade customers get pump and dump spam
    c) makes repeated reference to a lost customer data tape from 2005.
    d) Ameritrade has poor customer service.

  41. I reported this to the SEC, but not much happened by JeffL · · Score: 3, Informative

    The first time I received spam, not ads for "partner" companies, but pump-and-dump image spam, and such, I reported Ameritrade to the SEC. After contacting Ameritrade and receiving a big "so what" from them, I filled in the SEC's online complaint form, detailing the problem. A week or two later I received a letter (on paper) from them asking me to e-mail them more information and any additional evidence. I sent them a detailed explanation of the problem, along with information about why it was extremely unlikely that the e-mail address was stolen from my end (none of my other unique addresses were receiving spam), and a copy of all of the spam messages that had been sent to my ameritrade address.

    Since that time I've not heard anything back from the SEC. I didn't really expect to, but I was hoping that if 10-20 people complained about the same thing, and provided evidence, they might actually start an investigation. That was August, 2006, so maybe they really are doing something, and I should just be more patient.

    A friend who was also receiving the ameritrade spam convinced ameritrade to waive the account transfer fee, and moved all of his stuff to Scottrade. I changed my ameritrade e-mail address, and haven't received spam to the new address, so I thought perhaps the leak had been fixed. Now that I see the problem is still occurring, I'll take the time to move my accounts.

  42. MOD PARENT UP! by Derling+Whirvish · · Score: 1

    This is the really outrageous part of the story and I'm amazed that it took this long for someone to point it out. Surely the SEC would be interested in a brokerage house being involved in a "pump-and-dump" scheme.

  43. BofA's Aggressively Anti-Competitive by mpapet · · Score: 2, Insightful

    This excerpt will probably have more impact.

    "... when Visa and MasterCard were building their dominant credit card networks, they imposed exclusionary rules and restrictions on other parties to credit card transactions. In two cases, whose outcomes are described in this section, merchants and the U.S. Department of Justice (DOJ) successfully challenged some of these practices. The decisions in the two cases weakened some barriers to competition and reduced the control exercised by the card associations, thus influencing the future of the credit card industry. In fact, the aftereffects of the decisions have already begun appearing."

    http://www.fdic.gov/bank/analytical/banking/2005nov/article2.html

    I wish more people understood how badly de-regulation has screwed the average American banking/stock trading customer.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  44. Assume the worst... by wowbagger · · Score: 4, Informative
    Assume the worst:
    • Assume that any business to which you give an email will immediately sell it to every spammer on the planet.
    • Assume that any individual to whom you give your email will be trojan'ed and harvested by spammers.
    • Assume that any web site to which you give an email will be scraped by spammers.
    • Assume that every mailing list to which you sign up will be scraped by spammers.

    In other words, for any email address you use, assume that it will at some point fall into the hands of spammers.


    So, given these assumptions, what are you to do?

    1. Never get too attached to any given email address. Be prepared to drop any address like a hot rock.
    2. Thus, try to have one address for each role in your life: one for friends, one for close friends, one for work, one for each mailing list, one for each business with which you do business, etc. Use sites like SneakEmail or SpamGourmet as needed.
    3. Refuse to give your email wherever possible. Most places that want it don't need it, but ask for it so that they can spam it. Ask yourself "Do they REALLY need to be able to email me?" If you cannot think of a good reason why they should, refuse.
    4. For entities which will NOT allow you to refuse to give your email, give them a disposable email, and revoke it as soon as possible. Alternatively, use an email which has become compromised and is now worthless.
    5. Make up a list of disposable emails, print it out, and carry it with you, to deal with those Big Blue Room incidents where you need to fork over an email. Make the print-out have 2 parts — one to tear off and hand to the requester, one to keep for yourself (with a space below the email into which you enter the entity assigned to it.)
    6. Use email hosts which have the best possible spam filtering. I suggest setting up an account with Spamcop and using them.
    7. Don't use the email assigned by your ISP for anything if at all possible: that way if you need to change ISPs you can do so without any big issue.
    8. When creating an email address, don't use your name or any other unique identifying information (e.g. a ham radio call sign) - those are too easy to guess.


    Yes, this may sound paranoid. But unfortunately until the technology is changed to allow tracking spammers down, and the laws are changed to allow dealing with spammers effectively (.30-06 is effective), these are the sorts of measures needed to keep your inbox relatively clean.

    1. Re:Assume the worst... by joh · · Score: 2, Informative
      Another way to deal with this is to just use one address and filter the spam. I'm doing it this way: I have exactly two addresses (one for professional use, one for private use) which I have not changed for more than 10 years now. I don't protect them in any way, I post with these addresses to Usenet, to mailing lists, use them for newsletters and use them without even thinking of spam just everywhere.

      Effect: Yeah, these two addresses are very likely to be found in every single spam database in the solar system and beyond. So what? Filtering works well enough to allow only about a dozen spam mails to get past my filters daily. Nothing to be afraid of. On the other hand I don't have to deal with a myriad of addresses which may or may not receive legitimate mail, I don't have to waste any thought over what address I give out to whom and every single person who wants to send me mail can do so, even if he finds my address in some dusty mailing list archive from a decade ago -- it's still the same address and it works.

      Don't take it personally but your strategy is really flawed. Take an address (make sure it is your own and register a domain) and stick to it. Everything else makes the solution worse than the problem, since you not only receive spam on several addresses but also have to carefully track which address may still receive legitimate mail.

      Yes, this may sound paranoid. But unfortunately until the technology is changed to allow tracking spammers down, and the laws are changed to allow dealing with spammers effectively (.30-06 is effective), these are the sorts of measures needed to keep your inbox relatively clean.


      My inbox *is* relatively clean.
    2. Re:Assume the worst... by JimB · · Score: 1

      Good advice, with one exception. You cannot use a 30-ought-6 on a spammer. It won't work well enough. What you want is something that can make them suffer a measurable percentage of the grief they have 'spawned'. "The death of a thousand cuts" springs to mind. Or a .22 short working from the extremities inward, but stopping before you get to the torso or head. Stuff like that. :>D
      I cannot think of anything or anyone that I HATE. But spammers have a special place in my heart.
      When I remember what email, and Usenet, was like in the eighties and early nineties, I realize that the punishment they deserve is far beyond my ability to mete out. :>D

    3. Re:Assume the worst... by bcrowell · · Score: 2, Informative

      Your advice misses the point. I have followed every single piece of advice on your list. I am getting pump and dump spam to the disposable e-mail address I set up solely for my ameritrade account. I couldn't care less about spam being sent to that address, because it's all going to the bitbucket. The problem is that (a) I have the vast majority of my life savings entrusted to these idiots, and they're apparently completely clueless about security, and (b) it's not clear to me that I have any way of bailing on them without incurring massive capital gains taxes.

    4. Re:Assume the worst... by Anonymous Coward · · Score: 0

      Perhaps Ameritrade is doing it on purpose, what better way to know when the stock rises if you can get your customers to dump money in your scam, then monitor purchases and if it looks like the scam is working buy first then put their order in. Then sell your stock at a profit. It could just as easily be an inside job, not a scraper or selling the emails. But you will never know unless the FBI jumps in there and does a full check of the systems in question.

      mailinator.com The solution to 90 percent of your needs.

  45. Use dots/periods with gmail addresses by dmeranda · · Score: 3, Informative

    Another gmail trick that is more friendly to dumb sites that
    use broken regexes is to just insert extra periods in your
    mailbox name. Then you can filter based on that. If your
    gmail address is johndoe@gmail.com, then you can also use
    things like jo.hnd.oe@gmail.com, joh.n.do.e@gmail.com, etc.

    1. Re:Use dots/periods with gmail addresses by Yewbert · · Score: 1

      Well, I'll be damned. My *real* Gmail address has a dot in it (for stupid reasons, the main being that they wouldn't create a username with fewer than six characters in it when I signed up, and my standard e-handle has only five, so I dotted and added my last initial, creating a Frankensteinian address that I've spent painful amounts of time spelling out to various people,...)

      I've never known about this trick - and just verified that sending to variations of the same username WITHOUT the one dot - and with lots o'dots, etc. - comes through just fine as well.

      It would have been elegantly dumb-lucky if having an intentional dot in a username meant that spam sent to that username sans dots *wouldn't* get delivered, but I guess that woulda been too much to hope for. I can still filter based on that feature, at least.

  46. Good point by paladinwannabe2 · · Score: 1

    It seems that Ameritrade has been specifically targeted, though, so odds are it's someone specifically monitoring them, either an insider or someone working for Ameritrade's ISP.

    --
    You are reading a copy of my copyrighted post.
  47. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  48. You're a liar. There are no privacy settings. by Anonymous Coward · · Score: 0

    I hope you're enjoying your karma boost... does it make up for the dirty feeling you get from telling such a lie?

    There are no privacy settings in the ameritrade account. The only way to opt out of anything is emailing an unsubscribe address to quit getting their site update emails.

    1. Re:You're a liar. There are no privacy settings. by hksld99 · · Score: 1

      There ARE settings for that. Actually their settings seem to change over time -- probably a marketing thing...

      Right now there seems to be only one such setting, under "Portfolio & Accounts" -> "My Profile" -> "News and Benefits". A year ago they had another one (for partners IIRC). I had to disable two such options and have never sent any email to an unsubscription address.

      You may want to be more careful before calling someone a liar next time...

  49. OT: Retail Stock Trading by asphaltjesus · · Score: 1

    The second thing I learned in my finance class is that the individual investor loses the most and simultaneously bears most costs of trading stocks.

    -The individual investor is _always_ the last to know and has no control over the average publicly traded company.

    -Getting above-average payouts on mergers and Google-like stock stories are improbable.

    The most likely path to above-average returns in real dollars is:
    1. Buying and holding top-2 competitors in a given stock segment.
    2. Set a hard range for the stock to buy and sell at. This is important for many reasons. You need to be able to walk away with gains in share price and just let the losers go.

    I'm not opposed to taking chances on stocks, but the pool of money used to take these chances should be very small with gains split between the risk pool and a low-risk pool so there is definite growth.

    It's good advice, and worth every penny you paid!

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
    1. Re:OT: Retail Stock Trading by Guido+von+Guido · · Score: 1

      Don't most people tend to buy a stock on the way down, too?

      "Ah, Enron is finally back in the buy range! I'll buy a thousand shares."

    2. Re:OT: Retail Stock Trading by russotto · · Score: 1

      Wouldn't have worked with Enron, but how about Worldcom?

    3. Re:OT: Retail Stock Trading by durdur · · Score: 1

      Also, you are taking chances when you buy an individual stock or a small number of stocks.

      Even if it's not a pump and dump penny stock.

      Pick up a copy of a financial publication like Barron's. Every week there is a list of top gainers and losers. The losers drop abruptly for any number of reasons, frequently ones you couldn't have known about beforehand. If you can pick winners consistently and avoid blowups like these, and make enough to cover your trading costs and taxes, then you are either very lucky or very talented. If you're not in either category (and you're probably not - even if you think you are) then you are better off hiring a professional money manager (directly or through a mutual fund) or buying and holding a highly diversified index fund or ETF.

  50. Same thing I found out two years ago by Starwanderer · · Score: 2, Interesting

    I've always used targeted addresses of random letters and numbers with Ameritrade and I ran into this same thing two years ago. I let them know and I got the same excuse of a dictionary attack. When I complained that such a long address of random letters and numbers was expressly designed to avoid a dictionary attack, and that I strongly suspected that someone on the inside was selling/using email addresses for the pump and dump spam, I suddenly stopped receiving any replies to my emails. I can only conclude that TDAmeritrade is aware of this problem, but just doesn't care. I wish I could say I'm surprised, but I'm not.

  51. mailto:bennett@peacefire.org by athloi · · Score: 1

    I just made 12 bucks selling the OP's address to pump-and-dumpers, porners, viagraists, and the entire internet cafe population of Nigeria. I feel somewhat guilty about this, but that 12 bucks is going right into my kid's college fund.

  52. Why are you still a customer? by Colin+Smith · · Score: 4, Insightful

    If you want Ameritrade to take notice then dump them.

    --
    Deleted
    1. Re:Why are you still a customer? by joelgriffiths · · Score: 1

      There are several reasons not to do this.

      1) If you simply move to another provider, you have no leverage with Ameritrade to get them to fix the problem. Since you can assume other, more sensitive information was disseminated as well, your highest priority should be to get the problem resolved. The longer you remain a customer, the more incriminating evidence you can gather and the more pressure you can exert on Ameritrade (especially if you know what you're doing). I have a ton.

      2) Take the issue public: I'm sure Ameritrade does not want this issue made public, but are they hurting enough to take the steps necessary to correct the problem? The answer is obviously 'No' since I first reported this to them over a year ago and every email address I have given them up to two weeks ago has been compromised. If I were to guess, the issue will require strict controls on the email addresses at Ameritrade (access restrictions and partner terminations). That could cost Ameritrade quite a bit of money to implement. A few people moving to a different account is not going to hurt them enough to make changes. A large reduction of new customers resulting from the bad press would be.

      3) I fight spam for a living and I think the people responsible for selling information to organized crime should be sitting in jail. I would like to do everything I can to help them find their way. The longer I remain a customer and gather information, the more likely it is that I can get my way.

    2. Re:Why are you still a customer? by AeroIllini · · Score: 3, Funny

      Shouldn't we pump them first?

      --
      For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
  53. People don't ... by SlashDev · · Score: 0

    ...realize that spammers don't have to harvest email addresses anymore, they just use an email address generator that tries every single permutation, so for people who think companies are leaking their email address, they're wrong. Example: the generator will send to 1111-11-111@domain DOT com then 1111-11-112@domain DOT com and will eventually hit yours.

    --

    TOP DSLR Cameras Reviews of the top DSLRs
    1. Re:People don't ... by Anonymous Coward · · Score: 0

      You're wrong. Have you calculated the number of combinations of 16 numbers and/or letters there are? It's 7,958,661,109,946,400,884,391,936. Considering they would have to send that many emails to each domain, it simply isn't feasible. The only conclusion to draw is that companies are leaking email addresses and insiders in companies are stealing and selling them.
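
The per-service address trick used throughout this thread (comments 30, 31, 50 and 53), as an added example that is not part of any comment: instead of a purely random or service-named local part, it derives an HMAC tag per service, so the receiving server can discard guessed addresses and attribute off-service mail to the one company that held the address. The HMAC scheme itself, the domain, the secret, the sender domains and all function names are assumptions, and the sample messages are constructed.

```python
"""Per-service canary addresses: unguessable, verifiable, attributable."""
import base64
import hashlib
import hmac
import re
from collections import Counter

# Assumptions for this sketch: a catch-all domain you control and a secret
# kept on the mail server. Both values are constructed placeholders.
DOMAIN = "mail.example"
SECRET = b"constructed-demo-secret"


def service_label(service: str) -> str:
    """Reduce a service name to a dot-free label: 'forum.example' -> 'forum-example'."""
    return re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")


def tag_for(label: str, key: bytes = SECRET) -> str:
    """80-bit HMAC-SHA256 tag over the label, base32-encoded to 16 characters."""
    mac = hmac.new(key, label.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode("ascii").lower()


def address_for(service: str, key: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Address to hand to exactly one service: <label>.<tag>@<domain>."""
    label = service_label(service)
    return f"{label}.{tag_for(label, key)}@{domain}"


def classify(rcpt: str, key: bytes = SECRET, domain: str = DOMAIN):
    """Return (verdict, label); verdict is 'valid', 'guessed' or 'foreign'."""
    local, _, rcpt_domain = rcpt.lower().rpartition("@")
    if rcpt_domain != domain:
        return ("foreign", None)
    label, sep, tag = local.rpartition(".")
    if not sep or not label:
        return ("guessed", None)  # no tag at all, e.g. slashdot_org@...
    if hmac.compare_digest(tag.encode("utf-8"), tag_for(label, key).encode("utf-8")):
        return ("valid", label)
    return ("guessed", None)  # tag does not verify: enumeration or typo


def leak_report(messages, allowed_senders):
    """messages: iterable of (envelope_to, sender_domain).
    allowed_senders: label -> set of domains that service legitimately mails from.
    Returns (leaks, guessed). leaks counts off-service mail per label, which is
    evidence the address escaped that service. guessed counts recipients that
    failed the tag check and therefore say nothing about any service."""
    leaks, guessed = Counter(), 0
    for rcpt, sender in messages:
        verdict, label = classify(rcpt)
        if verdict == "guessed":
            guessed += 1
        elif verdict == "valid" and sender.lower() not in allowed_senders.get(label, set()):
            leaks[label] += 1
    return dict(leaks), guessed


def demo():
    """Constructed sample traffic for two services."""
    broker = address_for("Broker Example")
    forum = address_for("forum.example")
    allowed = {
        "broker-example": {"broker.example"},
        "forum-example": {"forum.example"},
    }
    messages = [
        (broker, "broker.example"),        # legitimate account notice
        (broker, "stock-tips.invalid"),    # off-service mail to a broker-only address
        (broker, "pills.invalid"),         # same address, another unrelated sender
        (forum, "forum.example"),          # legitimate forum notification
        ("broker-example@" + DOMAIN, "stock-tips.invalid"),            # guessable form
        ("broker-example.aaaaaaaaaaaaaaaa@" + DOMAIN, "bulk.invalid"),  # enumerated tag
    ]
    return leak_report(messages, allowed)


if __name__ == "__main__":
    print(address_for("Broker Example"))
    print(demo())
```

Because only tag-verified recipients count, a "dictionary attack" explanation for spam at such an address would require a forged 80-bit tag, which leaves a leak at the service or in transit as the remaining candidates.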

  54. Re:Who's trading e-mail addresses? Everyone! by BenSchuarmer · · Score: 1

    It would be pretty difficult to prove that Ameritrade is *causing* the spam. It sounds more like they have a security problem.

  55. A fourth option by gr8_phk · · Score: 3, Insightful

    d) your own machine has malware on it that intercepted the address.
    Don't assume that because you know about malware and run a couple programs to prevent or eradicate it, that you don't have any. Now if you're not running an MS operating system, the likelihood of this is nearly zero, but no matter what you do it's never actually zero. Just very close.

    1. Re:A fourth option by chrisgagne · · Score: 1

      Well, I'm running a MacOS box with LittleSnitch (outbound firewall), so it's a pretty damn limited possibility. But agreed, a possibility nonetheless.

    2. Re:A fourth option by John+Jamieson · · Score: 1

      And if you are running Knoppix or similar, and keep your sessions short (less than 12 hours), it may still be a theoretical possibility, but the chance is 99.9999999% that you are secure as an average user. (my guess)

    3. Re:A fourth option by gorbachev · · Score: 1

      The person who wrote the article is not your average joe with malware up the wazoo, but someone who does research on spyware and malware related issues. I think your fourth option is pretty damn unlikely.

      --
      In Soviet Russia, I ruled you
    4. Re:A fourth option by 808140 · · Score: 1

      I'm pretty sure that there are some circumstances where the likelihood is zero. Running OpenVMS, for example.

  56. MOD PARENT UP by Builder · · Score: 1

    It's easy to blame the company that you registered with, but what's to stop your ISP looking at their logs and selling addresses that have successful deliveries? They have the means to match the account that it is delivered to with the user details.

    Even if you run your own SMTP server but use your ISP to relay, they could still sell From addresses from your domain that they gather from logs when you send mail through them.

    That's just one example... the guy who does secondary MX for you could sell the stuff on. An ISP upstream from you could sniff all port 25 traffic outbound from you and sell addresses harvested there.

    If there's money in it (and history shows that there is), people will find a way to get your e-mail address.

    1. Re:MOD PARENT UP by blueskies · · Score: 1

      Who says anyone uses the receive-only email address to send with? I know I don't. So they can't sniff the from address. They are probably setting up their account over SSL, so their ISP can't see you type your new random email address into the form. So if you start getting spam emails first you know there is no way the ISP is involved unless you didn't verify the SSL cert and they man-in-the-middle attacked you.

    2. Re:MOD PARENT UP by Builder · · Score: 1

      For some services, you have to send mail to them with the address you are registered or it won't be responded to. This is true for lists as well. So it is still possible for the ISP to sniff SMTP traffic.

      Secondly, some services identify you by your e-mail address or display it somewhere in the page. Not all of these pages are SSL encrypted - generally only login pages or very sensitive pages are encrypted due to cost issues. So this still provides an attack vector.

    3. Re:MOD PARENT UP by blueskies · · Score: 1

      The financial sites I've used do not trust email for verification of anything--and they give you the choice of account names. It's more of a convenience to the user to get informed of news, but not send anything sensitive. And they use SSL for all of their pages.

      Any site that doesn't encrypt all of your data isn't worth trusting with much.

    4. Re:MOD PARENT UP by Builder · · Score: 1

      So Amazon aren't worth trusting then ?

    5. Re:MOD PARENT UP by blueskies · · Score: 1

      You are correct. They aren't worth trusting with your money. They are worth trusting with your credit card however, because you have limited liability with your credit card and get other protections.

      But you didn't really want a real answer, since you are reduced to trolling at this point.

    6. Re:MOD PARENT UP by Builder · · Score: 1

      Hardly trolling.

      My original point (and the discussion I was responding to) weren't about who to trust with your money - it was about who to trust with your e-mail address.

      Your response said that any website that didn't encrypt all of your shared data was not worth trusting. In the context of protecting e-mail addresses (the specific attribute we were discussing), Amazon do have this visible in many pages or interactions with their site. For one easy example, go to the site, login, then return to the non-secure area of the site. Now click the 'Contact us' button at the bottom of the page. Your e-mail address is then transferred in clear text as part of the form they display.

      The context of the original discussion was about the ability of an ISP or someone else up the wire from you to gather e-mail addresses without having to be on your SMTP path or require you to share data with them.

      I hope that's a little clearer now, but I believe that my point stands. Just because someone gets the address I use with Amazon, that doesn't mean that Amazon leaked it. There are multiple attack vectors for a hostile party to get this. And if they can get a botnet into Thomson Financial (note the lack of a P there - I wish people would get that right :)) then chances are that they can get one into a firewall with the ability to sniff the web traffic of several thousand people.

    7. Re:MOD PARENT UP by blueskies · · Score: 1

      I was under the impression we were discussing the OP which said:

      The test you did is not conclusive by any means. You must also prove that the address was never exposed in any other way (stolen by malware on your machine, leaked through other communications, sold by a corrupt mail server administrator, etc), OR you need to find conclusive evidence that the leaked address came from the company's end.

      Which I thought meant we are talking about the original article/post. I agree with him that it's not a 100% certainty, but I don't know if I could call it inconclusive.

      I agree that most other forms of signing up with an email address are not secure. Which is why I run my own email server and use a unique email address for each company (ie: ameritrade@[mydomain].com and have a wildcard dump all *@[mydomain].com into a folder). This is how I know companies like microcenter.com and a cheap photo company I bought stuff from sold my email address. I now have server-side rules rejecting those emails. I don't trust any of those companies with my real email address. I ended up using my real email address for my emigrantdirect online savings account because I didn't want to miss any emails from them. I would expect online banks to NOT sell email addresses.

  57. Works both ways by Anonymous Coward · · Score: 0

    By using unique email addresses, not only can you identify the people who have sold your email address to spammers, but you can also identify the people who got your email address from spammers. For instance, I get plenty of "press releases" from BMN.com. If I didn't use unique email addresses, I would have assumed that they got my email address through a related company. But as it turns out, they trolled unrelated Usenet groups for email addresses (no, posting to comp.lang.javascript does not mean I am interested in Biomedical newsletters).

  58. Same Problem This Month - Ameritrade's Response by Anonymous Coward · · Score: 0

    I had the same problem this month with Ameritrade. It initially started 4 or 5 email addresses ago. The first time it occurred, I found that my cellphone number had also been sold (probably by an Ameritrade insider or partner). Since I have a very unique cellphone number, I have been unwilling to change it, but I continue to receive stock spam on it regularly. I have since changed my Ameritrade email address several times (using a catchall account); each time the stock spam has followed the email address. The last two times, I used a random string of digits to identify Ameritrade. I have received spam to both of the addresses. The last time (this month), it took less than a week; I changed my address on Thursday (5/10) and received the first stock spam on Wednesday (5/16).

    It has surprised me that the mainstream media hasn't picked up this story yet since stock spam is often tied to organized crime. What kind of headlines do you think the media can make with that news?

    Ameritrade said this -after- telling me I should look over ways to improve MY security knowledge. Since I fight spam for a living, I was a little perturbed by the response so I asked them if the people who had access to my email address also had access to my Social Security number. This is their response:

    XXX. XXXXXXXX,

    Thank you for contacting us. We understand your concern and
    frustration over the spam e-mail you've received, and we want you to
    know that we take your privacy and security seriously. We will
    continue to do all we can to protect both.

    Our investigation into this issue is ongoing. We've recently expanded
    the directions in which we're investigating, and have doubled our
    efforts in both internal and external investigations. We're looking at
    our own systems, and working closely with our vendors to examine
    theirs.

    We continue to make progress and work very hard at investigating this
    issue, but unfortunately we still don't have an update we can share
    with you at this time. We hope you understand that sharing details of
    exactly what we have learned so far can compromise the ongoing
    investigation.

    If you haven't done so yet, there's some information you could provide
    us that can help us try to get to the source of this spam. That
    includes:

    The date the e-mail was received
    The address the spam was sent to (your e-mail address)
    The e-mail source (the "from" address)
    Whether this was the first occurrence
    And most importantly, the header information

    Please be sure to delete any spam you might receive, then empty your
    e-mail's trash so that it's no longer kept there either.

    If you haven't lately, you might want to review the Security Center
    online, which has details about spam, and also about the Asset
    Protection Guarantee. It protects you if you lose cash or securities
    from your account due to unauthorized activity. If that happens, we
    can guarantee we'll reimburse you if you work with us in three ways:
    1) keep your account information secure and confidential, 2)
    frequently check your account and report any suspicious activity to us
    immediately, and 3) take steps we request if your account is ever
    compromised.

    We understand that this issue is a nuisance and that it's troubling.
    And we thank you for your cooperation and patience as we get to the
    bottom of it.

    If you have any additional questions, please log on to your account
    and click the "Contact Us" link or call Apex Client Services 24/7 at
    888-871-9007 (excluding market holidays).

    Have a wonderful day!

    XXXXXXXX X.
    Apex Client Services, TD AMERITRADE
    Division of TD AMERITRADE, Inc.

  59. Same strategy by Anonymous Coward · · Score: 0

    I do the same thing and give everybody a different email. So far pcmall. is the only offender, with Nigerian scams and phishing emails (log on to your paypal etc) coming daily, ie a lot worse than penny stock mail.
    Of course no response from their abuse department.

  60. Same story here... by urlgrey · · Score: 1

    I notified Ameritrade of this at *least* three times and was met with varying degrees of incompetence, stiff resistance and unaccountability to there even being a problem.

    I finally gave up trying because it was so obvious they just didn't care. In my view if they were willing to let this breach go un-addressed, what others would also have the same fate?

    Thus, I canceled my account and moved to another brokerage.

    Sure, it's a little like closing the barn door after the horse has gotten out, but I just couldn't stand by and do nothing.

    Personally, I believe this has got to be either:
    1.) an inside job (not "lost" tapes) or
    2.) an inside job carried out at a company tasked with doing work on Ameritrade's behalf (like issuing the shareholder voting statements).

    --
    Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
    1. Re:Same story here... by khodsden · · Score: 1

      I'm on my seventh different (Ameritrade-only) email address with Ameritrade. Rather than doing nothing, however, I both forwarded the spams I received to my Ameritrade-only email account to Ameritrade's contact-us-with-security-issues email address, and filed a report/complaint with the SEC.

      After the first complaint of Ameritrade's privacy breach to the SEC, Ameritrade started responding with more than just the boiler-plate "It's not our problem, it's yours" responses. I received feedback from the SEC and someone at Ameritrade with more than just a "customer service rep" title.

      A little satisfaction. Not a lot.

      Unfortunately, I still receive the spam. The address change to spam delay has increased to about 4 months, up from about 2 months a year ago.

  61. I R Sp@m3r by Anonymous Coward · · Score: 0

    THANKS!!!!!

  62. Fighting the pig by hysterion · · Score: 3, Insightful
    Commendable effort, yet is the knowledge gained worth it? Somehow it brings to mind this observation:

    "I got addicted to trying to identify spam features myself, as if I were playing some kind of competitive game with the spammers."

    "Norbert Wiener said if you compete with slaves you become a slave, and there is something similarly degrading about competing with spammers. To recognize individual spam features you have to try to get into the mind of the spammer, and frankly I want to spend as little time inside the minds of spammers as possible."
  63. The key is internal data security by atomic777 · · Score: 2, Insightful

    and proper use of privileges, views, etc. to limit access to data is almost a non-existent thing in a lot of companies I've worked for. All it takes is one "power user" with access to all columns in a customer table to have this problem.

    Any DBA interested in keeping his job would go out of his way to design an HR database to prevent only key users from accessing the column 'employee.salary'. Qualified email addresses, a valuable commodity when sold on the spam black market, need to be treated the same way.

  64. Security is always a low concern. by Kryai · · Score: 1

    Back in 2003 I found an exploit due to Java and cookies that allowed me to access ANY account number on a popular online stock broker. It took me over 30 minutes just to convince them over the phone they had to hear me out. After I demanded multiple times for them to give me a random account number they had control of, I read off their stocks and quantities and the manager had a profound moment of silence. Considering I had the ability to wreak financial havoc, and if I wanted to get life in prison I could have bankrupted their company, disrupted the financial markets and liquidated/bought out stocks on all their accounts (given enough time and if their auditing procedures were lax). From this experience I've essentially treated everything as if there was no security and simply rely on auditing of my records and financials and any important other accounts/information. I would LOVE to have great security everywhere in software applications, but I know it will not happen any time soon; while I try to follow safe guidelines on what is risky, honestly we are at the mercy of others. The only solace I have is that generally most people are not criminals, and those that are are usually caught from their own stupidity. If AmeriTrade decides to do an independent audit, I think they have a very good chance of finding the culprit. Will they actually do it? I hope so. While in my adventure I wondered if at the end I'd get a reward for reporting this immediately, (I didn't) the fact that a novice like myself, at the time, could find a flaw so immense was a turning point in removing what was left of my naivety in this world. That night though I think like anyone else the fantasy of selling the information to some Russian hackers was very humorous. The flaw was not fixed for over 4 days from when I reported it. Sometimes it is very nice not to see your name in the newspaper...

  65. Make it scientific: add a control! by noidentity · · Score: 3, Insightful

    "[...] he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". [...] if this were the source of the problem, it would affect everyone's e-mail addresses equally [...]"

    This is why you should have done a scientific experiment, where you had at the very least two e-mail addresses of similar random makeup, and only made one available to AmeriTrade. The one you didn't give would be the control. Then you compare the SPAM received between the two, rather than between your single submitted address and an imaginary address that receives none. Perhaps you have a third that you submit to a trusted server you know does not share it (like one you set up yourself with a trusted bandwidth provider).

    1. Re:Make it scientific: add a control! by joelgriffiths · · Score: 1

      In my case, I was using a catch-all so I had exactly 'infinite' controls. Still they followed my random email address at least 5 times.

    2. Re:Make it scientific: add a control! by Anonymous Coward · · Score: 0

      I was using a catch-all so I had exactly 'infinite' controls.

      I'll grant that you had a huge number of controls, but not 'infinite'. According to RFC 2821, the local part of the address is at most 64 characters (from a limited character set) and the domain name is at most 255 characters. That works out to a huge but finite number. I'm not sure what the number is, but I'm pretty sure the spammers have sent at least one email to each of them on my domain.
  66. Spamgourmet is even easier. by Kadin2048 · · Score: 4, Informative

    Protip: if you run your own mail server generate a whack of aliases (ie: bogus000 through bogus999) so you always have a disposable address available.

    Even easier: just go to Spamgourmet.com and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.

    E.g., if you're signing up for Ameritrade, you could use the address "ameritradesucks.kadin@spamgourmet.com" (or any other of about 10 different domains, it's not just limited to spamgourmet).

    After each address has forwarded a set number of emails through to your real, hidden address, it will shut off and all further messages will be "eaten." (You can re-activate emails if you want, or set up whitelists so that all email from ameritrade.com gets through.)

    It's a pretty brilliant system, and it's completely free. If you set up an account and use Spamgourmet dummy addresses everywhere, you can almost totally prevent spam arriving directly to your inbox. Also, you can go in later and see which addresses have been flooded with spam (some of mine have received thousands of messages) and see exactly what services are selling out. Very cool.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    1. Re:Spamgourmet is even easier. by yoyodyne · · Score: 1

      ++ I've been using Spamgourmet for years, it is an amazingly good service!

    2. Re:Spamgourmet is even easier. by ericferris · · Score: 2, Interesting

      There is even a spamgourmet user who created a unique address for ameritrade and received spam, thus confirming the trend. See http://www.spamgourmet.com/bbs/viewtopic.php?t=81&postdays=0&postorder=asc&start=60. The user complained and got the same kind of letter as everyone else.

      --
      Fantasy: http://ferrisfantasy.blogspot.com/
    3. Re:Spamgourmet is even easier. by Anonymous Coward · · Score: 0

      Easier yet, to avoid most spam, is to use an address that *looks* like either a spamtrap or an abuse address, but is in fact valid.

      E.g. if you have your own domain, give your email address as "abuse@mydomain.com" or "spam@mydomain.com".

      I posted on Usenet in 2000-2001 using those addresses, un-obfuscated, and got nearly zero spam to either one.

    4. Re:Spamgourmet is even easier. by vic-traill · · Score: 2, Interesting

      Even easier: just go to Spamgourmet.com and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.

      Sounds cool. Gmail gives you a similar mechanism; myaddress@gmail.com can be amended to any form of myaddress+somesignupstring@gmail.com.

      The downside is that I've run into numerous forms that evaluate the '+' character as invalid in form checking on entered e-mail addresses. My read of RFC [2]822 is that the '+' char is explicitly included as atext, so these forms are either written by boneheads or by pricks who don't want to be tracked back to. Either way, it's a Bad Sign of Things to Come from whatever you're signing up for.

      This doesn't appear to be a problem for Spamgourmet.com. Cool. Thanks for the tip.

      --
      [17] Leary, T., White, C., Wood, P. R., Bhabha, W. D., and Wirth, N. Lambda calculus considered harmful. In Proceedings
  67. Click 2 Spam by Doc+Ruby · · Score: 1

    Bennett continues on if you're willing to click the link.

    Clicking a link doesn't send your email address to anyone (unless you're already infected with spyware), unless perhaps it's an FTP URL and you gave your browser your email address to use as your FTP username (very unusual). If you don't send your email address, the server can't use it to spam you (with email; IM spam can use your IP# from clicking an HTTP URL).

    So why do so many porn sites offer thumbnails that just lead to yet another porn thumbnail page? I could see them pushing some mutual advertising, but most of the clicks are to other sites, which doesn't seem to advertise anything well. Why do they spend so much resources just redirecting to other redirect pages?
    --
    make install -not war

    1. Re:Click 2 Spam by DogDude · · Score: 1

      So why do so many porn sites offer thumbnails that just lead to yet another porn thumbnail page? I could see them pushing some mutual advertising, but most of the clicks are to other sites, which doesn't seem to advertise anything well. Why do they spend so much resources just redirecting to other redirect pages?

      It's a very, very precise way of funneling users to various sites. It has to do with 1. multiple attempts to sell various things ($40/month pay site, free pay site trial, and finally, give up an email for "free" porn), 2. Search engine optimization and 3. Getting a more accurate handle on what you like and what you're likely to buy.

      --
      I don't respond to AC's.
    2. Re:Click 2 Spam by Doc+Ruby · · Score: 1

      Ah, the SEO angle seems most compelling. I don't think the low-end porn sites I've seen get as much return from more precise selection history, because they're not responding with more precise or accurate offers. And the multiple attempts to sell blur into an experience where the offers blend together and become more easily ignored, not less. But the SEO from multiple interconnects increases the chances that their site will be the one where you finally break down and buy something, wandering around in their hall of mirrors rather than starting a new search.

      --
      make install -not war

    3. Re:Click 2 Spam by DogDude · · Score: 1

      But the SEO from multiple interconnects increases the chances that their site will be the one where you finally break down and buy something, wandering around in their hall of mirrors rather than starting a new search.

      Exactly. If you're like the regular online porn consumer, you're gonna keep clicking until you find something that gets you off for free (hard to do), or you're going to buy some really good content. These "halls of mirrors" ensure that whether you know it or not, you stay within one person's network of sites until you buy something. Even if you're not seeing referring ID's in the querystrings doesn't mean that it's not happening (many sites pay based on referring URL from the headers). The porn industry has always been, and probably will always be at the leading edge of Web technology.

      --
      I don't respond to AC's.
  68. Why should they care? by Anonymous Coward · · Score: 0

    Brokerages profit from pump & dump schemes, so why should they do anything about this?

  69. Other Companies by fozzmeister · · Score: 1

    Misco leaked mine, pee'd me off, and they don't even respond when I asked them.

  70. Avoid Bank of America by Anonymous Coward · · Score: 0

    When I was in Europe, my ATM card didn't work, leaving me broke. So I sent a letter closing my savings account (no checks to clear) two weeks ago and still no check from them.

    1. Re:Avoid Bank of America by Anonymous Coward · · Score: 0

      When I was in Europe, my ATM card didn't work, leaving me broke.

      Did you tell them you were traveling so the activity would not look suspicious and trigger a fraud prevention lockdown? I've had no problem using BofA ATM cards in western and eastern Europe.

  71. I am chortling darkly by gelfling · · Score: 1

    Most of you are the same people who think it's no big deal if MySpace mistakenly calls you a sex offender. Now all of a sudden a little bit of spam gets your dander up? I guess the free hand of commerce is massaging your prostate.

  72. Use unique, traceable addys that I can ... by whizbowl · · Score: 1

    ... redirect to the culprit if they're misused. I own my own domain, and the MX points to a service provider that supports unlimited forwarding addresses as well as default forwarding (if I want it). I use a unique address for each business I deal with, and if they misuse it, I can block, drop, or redirect mail to that address.

    If I was dealing with AmeriTrade, e.g., I'd give them "ameritrade.com@mydomain.tld". I'd automatically get mail to that address w/o having to set up anything else. BUT, if I start getting spammed at that address, I can drop all mail to that address, or configure it to automatically forward to, e.g., abuse@ameritrade.com.

    Works like a charm

  73. I set up email aliases by youbiquitous · · Score: 1

    I set up a new email alias for every org I deal with online so I know exactly who is responsible for the spam I receive. Aliases always identify the organization, e.g., aolsuckage@mydomain.com for my AIM account. Easy to delete an alias, no disruption of my legit addresses. I receive a minimal amount of spam and, based on the to: address I know exactly who I won't do business with in the future.

    --
    "Clean up the air and treat the animals fair" - Captain Beefheart
  74. Naivete by clang_jangle · · Score: 1

    It's discouraging to me to see that people are still so naive as to be surprised by stuff like this. We all know spam could be history with a few simple changes in the way we do smtp, therefore we should all know the reason it doesn't happen is that big business profits from spam.

    --
    Caveat Utilitor
  75. Employee theft most likely cause ... by Anonymous Coward · · Score: 1, Interesting

    The most likely cause is rogue employees that have access to the company's database. Several years ago I created a Hotmail account to test incoming email at my company email address. The only thing I ever did with that account was send myself test messages. Within a few days I noticed the account started getting spam, so I notified MS. I tried many times but NEVER could get thru to those idiots what I was trying to report. They only responded with the canned "spam comes from lots of sources" crap. Although there are a couple other potential causes, I believe most of these cases are caused by a greedy/dumb/both person with admin rights to the host systems. I'm not sure how much such espionage could bring in, but it must be perceived to be worth the risk.

  76. healthy skepticism, but this is real by HappyEngineer · · Score: 1

    Your skepticism is good, but no one here can offer anything beyond anecdotal evidence. In any case, this really does seem real to me. I have accounts at several brokers/banks. I have never had a problem with spam with the other ones. I get fake email that pretends to be from citibank, but it never arrives at the email address I gave to citibank.

    I used a unique address at ameritrade and it was fine for quite a while (years?). I started receiving pump and dump email at the address (perhaps a couple years ago, maybe a little more recent). I was annoyed, but shrugged it off. It happens sometimes when a company sells email addresses to third parties who eventually sell the addresses to disreputable people. I went and changed my address at ameritrade and, amazingly, it only took a couple of weeks before I started receiving two of the same pump and dump messages (one at each ameritrade address).

    I emailed them and got back a form letter. I haven't withdrawn my stocks from ameritrade, but I have also not used them to invest in anything new since this happened. I also haven't changed my address again since it would just mean that I'd get another copy of the same scam at a new address.

    To be fair, the pump and dump messages don't arrive very often. I'd have to check, but I'll bet they don't arrive more than once or twice a month, so I'm not really upset about the spam itself. I'm primarily upset about having information like this leaked from a financial institution that should have a tremendous motivation to ensure that their customers feel that their money is safe with them.

  77. Yahoo! Mail is doing it -- I get spammed on new by Anonymous Coward · · Score: 0

    Yahoo! Mail is doing it -- I get spammed in a few days on NEW email addresses when I send anything to a Yahoo! account.

  78. Definitely happening to me as well by BillBrasky · · Score: 1

    I also run my own domain, and have seen many dictionary attacks come through. Like many here, when I signed up for Ameritrade, I created the alias [myname]-ameritrade@[mydomain].com. (this was in early 2006). Shortly afterwards, I started receiving stock spam to the ameritrade address, and ONLY stock spam. I eventually got fed up with it and changed the email address to another unique alias. Again, shortly afterwards the stock spam started up again.

    Either someone inside Ameritrade is leaking their customers' addresses or they're selling the information to a 3rd party who is compromised. What's worse is Ameritrade's ignoring the problem and allowing it to continue. I hate the fact that they know my SSN, but if they're compromised, it's already too late...

  79. Prefix with initials? by 6Yankee · · Score: 2, Interesting

    One thing I'm thinking of trying on my next change of email address: Prefixing with my initials, and shitcanning anything that doesn't start with those characters. Bye-bye vladimir.rodriguez and all the other unlikely names!

    They might guess ebay@mydomain.com, slashdot@mydomain.com - but what are their chances of getting 6.y.slashdot? (Not my real initials :P )

    Anyone out there who's used this approach, and can say whether it's worthwhile?

  80. Throwaway email addresses by deblau · · Score: 1

    Use spam gourmet. It's quick, easy, and you only have to give out your real email to one company. If they leak it, you know who did it. I've been using it forever, and it works great.

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.
  81. This isn't new.... by queenb**ch · · Score: 1

    Register a domain. Misspell something and register it. Use something that you can track back specifically to the site you signed up with. I caught Best Buy doing exactly this 3 years ago. I ordered on line from their web site and used bestbuy@mydomain.com.

    Their claims went in cycles...

    1) We don't know what you're talking about.
    2) We're not sending you anything. We don't sell email addresses.
    3) You must have used that email address somewhere else. Yeah, I love your company so much that it's my email address. NOT!

    After a lot of persistence and shouting, they finally admitted that one of their employees had sold me out to the spammer.

    2 cents,

    QueenB.

    --
    HDGary secures my bank :/
  82. Spamex does this too by george14215 · · Score: 1

    I am not affiliated with spamex but I am a happy customer.

  83. HMMM by hurfy · · Score: 1

    I wonder what happens if you tell them to CHANGE your email address ??

    Will the spam stop at the old one?
    They are selling the info then no doubt.

    Get spam at both?

    How about signing up around the 5th and change it or delete before the end of the month? If they sell the info it is probably on the 1st or something.

  84. For those that actually have an account by phogster · · Score: 1
  85. Drop Expensive Ameritrade and Join Zecco by Anonymous Coward · · Score: 0

    Zecco.com lets you trade up to 40 times per month (up to 10 per day) for free. I just transferred my accounts there (and my wife's) and have not had any kind of problem with spam. Given how cheap it is compared to Ameritrade, why even bother with Ameritrade? It is like paying for spam!

  86. Big companies, small employees by billcopc · · Score: 1

    What's probably happening here isn't AmeriTrade selling your email address, it's far more likely that some untrustworthy employee is doing this on the side for extra cash. How hard would it be for a sysadmin to take a few backup tapes home for "offsite storage", compile a list of valuable data and sell it to spammers, collection agencies and any other dirty company? It's extremely difficult to trace and given the size of some of these companies, there could be literally thousands of suspects.

    Lord knows, he could even be in cahoots with a competitor to smear AmeriTrade's reputation. Or maybe it's just some idiot exec with spyware on his PC, letting all of Korea in.

    --
    -Billco, Fnarg.com
  87. The auto-replies are burying me though. by Lanboy · · Score: 1

    Since I tell legitimate mailers that all of the email addresses on my domain are there, then they inform me about spam target's vacations, whitelists, mailbox deletions and whatnot.

    The BASENAME-ADDITION@xxx.xxx is working a lot nicer for me, and I am just about ready to put the kibosh on the catchall.

  88. They aren't hacked.... by retro77 · · Score: 0

    They are selling the info! lol!!!

  89. Also getting the Ameritrade-SPAM ... by Anonymous Coward · · Score: 0

    I also have an Ameritrade account and have been getting SPAM at the email-address that I gave only to them. After I started getting the Ameritrade-SPAM (in ~2006), I changed my email-address with Ameritrade to another unique email-address that wouldn't be subject to a dictionary-attack. Yet, again, within a few days, I started receiving SPAM at my new Ameritrade email-address. They have a problem. I wouldn't be surprised if it bears some relation to outsourcing their customer support to India.
    -R

  90. What about people? by Anonymous Coward · · Score: 0

    What about people?
    People ask for my email address. In person. It seems rude to give them an obvious spam catcher email.
    Later, they may send me a greeting card they found on the web. And I'll get spam.

    This hasn't happened to me yet, but I worry about it since I like the address I have and many of my friends might send something like that.

    Any tips?

  91. ford sold me out by v1 · · Score: 1

    well probably not but it had the same effect. I was shopping for an escape and gave ford my email address, made just for them. v1ford at myipdotcom. That is the only web site in the world that ever got my email, and no viruses on this mac thank you. Five dealers in my area contacted me and I did business with them. SIX MONTHS LATER I start getting spam, one per day, to v1ford. I wrote ford a nastygram but they cried innocent.

    I later deduced that one of the five (or probably more) dealers that ford forwarded my address to got his PC 0wned and it harvested my address from them.

    So they are not guilty, but they are certainly not innocent. I wager they care very little or consider themselves totally innocent in such events. I, however, hold them responsible for letting my private data get stolen, regardless of the circumstances.

    Fortunately I just remove that alias off my account on my server and the spam just goes away. I bet there are a lot of people out there that wish they could do the same thing. If it were up to me, I'd send a separate address to everyone I email, everyone. Addresses like "v1fromjoesmith@" etc. You never know when a friend's PC will get owned by a spammer's virus and get you on their list.

    Even with this, I somehow get a sad letter from the wife of a deceased nigerian prince about once every other month. I have no idea where it's coming from but it's addressed to my primary email address, so it's probably the result of a friend's PC having been had. But I can tolerate one a month. (beats your 30/day!)

    Much to my surprise, I have had to clear an alias only maybe 10 times, and none of them from reputable businesses. (most were forum email addresses, "we don't show your registration address to the public"... ya, but what about the hackers and the viruses?)

    --
    I work for the Department of Redundancy Department.
  92. couldn't agree more by ClioCJS · · Score: 2, Interesting

    I've had the same email address for 14 years, and I get fewer than 5 spams in my inbox daily. It's all over usenet and has been googleable since, well.. since before google :) GP is paranoid and has too much free time to devote.

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
    1. Re:couldn't agree more by ShaunC · · Score: 1

      I've had the same email address for 14 years, and I get fewer than 5 spams in my inbox daily. It's all over usenet and has been googleable since, well.. since before google :)
      Those are the ones that hit your inbox... Post-filtering. To say that spam isn't a problem simply because you don't see it is, well, pretending. I'm in a similar boat in terms of address longevity and their availability in unmunged form on Usenet. I don't see a lot of spam either, but that's only after 1000+ per day (to one mbox) are killed by SpamAssassin. I might not see the spam but I still have to subsidize the bandwidth, disk space, time to maintain SA, etc. to receive those messages before they're filtered out.
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  93. Scams Target Newbies Most by LordWill · · Score: 1

    Scams are most effective against people who have not been scammed before. Most of the few victims I've spoken to were new to being online, or new to being online in a particular area when they were tricked. Knowing this, scammers really long to find the newbies.

    I'm sure that they do everything possible to get them including:
    - manipulating ISP employees to get new accounts and/or addresses as soon as created
    - scanning net traffic at all possible points to see email going by (like that "welcome to Ameritrade" message)
        - think infected zombie computers in homes and in ISP offices or your offices
    - scanning address books of infected computers (yours and your friends')

    I once made up a new address to see how long it would take to get spam on its own. After a few months of no spam, I gave the address to a friend so he could send a file to me. Our computers on both ends were Mac OS X machines. Within 1 day of receiving his message, I got a pile of spam of all sorts. Presuming that neither of us had some unknown virus and that he had not put my address into a PC somehow, that only leaves ISP problems or traffic-sniffing to lose the address.

  94. i have been complaining for a few months by emptybody · · Score: 1

    they ignored me the first time.
    with a standard reply that spammers brute force addresses and that's how they got it.
    WRONG.
    I maintain the server. there were no brute force attempts.
    so I changed the address.
    within less than a month they started to the new address.
    i complained again and now they seem to be interested but want me to send them all the spam i got.
    well, that's not gonna help them because they are coming from all over the place.
    idiots.
    they also charged my account fees when a stock i own did a reverse split.
    they charged a transaction fee for a change that I did not initiate.
    that is completely bogus.

    --
    comment directly in my journal
  95. Excellent Article by JagsLive · · Score: 1

    Excellent Article...I salute to the writer...

    Now we need to find ways to keep this story alive in mainstream media for awhile

  96. They're not the only one by Solandri · · Score: 1

    I do the different email addresses on signup thing too. I don't have an Ameritrade account, but the two email addresses that get the most spam are addresses that I gave to Godaddy and Microsoft. Together I'd say spam to those email addresses account for about 60% of my spam. If I delete addresses I use on mailing lists (where the recipients can give your email address to spammers if their computer gets infected by a virus that harvests their address book), Godaddy and Microsoft account for about 80% of my spam.

  97. capital gains? why? by tacokill · · Score: 1

    You do realize you can transfer your account - in full - without trading out of positions, don't you?

    Whoever your new broker is, will have an account transfer form. There is a box for "move everything". Check it. Mail form.

    No capital gains. :)

  98. But it's not my problem. by ClioCJS · · Score: 1

    But it's not my problem. The SpamAssassin pre-filtering on my unix account, prior to replication of email to gmail, happens (as I just said) at my shell account. I don't pay any bandwidth fees or any additional fees, it's not my machine, and it's not my problem. What goes to gmail includes about 100 messages that hit my spam filter, but only about 5 a day (tops) that hits my inbox.

    Really, I should waste REAL LIFE TIME chasing down ways to save a tiny bit of bandwidth, which only wastes A COMPUTER'S time? I should just valiantly fight for a utopia that can and will never exist instead of getting on with my life?

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
    1. Re:But it's not my problem. by ShaunC · · Score: 1

      I don't pay any bandwidth fees or any additional fees, it's not my machine, and it's not my problem.
      That's a lucky setup on your behalf. Not all of us are so fortunate. I have a dedicated server that I pay monthly fees on. It's my machine, so long as I pay the rent, but I do have to watch my bandwidth and disk space. I'm allocated a finite amount of each.

      Really, I should waste REAL LIFE TIME chasing down ways to save a tiny bit of bandwidth, which only wastes A COMPUTER'S time?
      Not if you're in a sweet situation where the wasted bandwidth isn't your concern, no. I wonder if you could hook me up with a machine on your network where bandwidth is not the user's responsibility?
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  99. Same with NetBank by dazzla_2000 · · Score: 1

    I only give out unique email addresses to each site that asks for one. I get drug and penis enlargement spam emails to the one I only gave to NetBank. Kind of worrying since that's who I bank with.

    I did try and contact them about this but I just got the standard we'll remove you from our 3rd party lists response. I didn't manage to get them to understand that it can only be from them and that drug and penis enlargement emails are probably not on their 3rd party lists.... I hope.

  100. Tagged addresses by wastholm · · Score: 1

    Did you use a subdomain like the GP suggested?

    Or simply use addresses that contain a "tag," like, say, ameritrade.mytag@example.com, and throw everything away that doesn't contain this tag. I've been doing this for years, and it works great. Makes for funny-looking addresses, though, but signup web forms don't seem to care.

  101. Re:Who's trading e-mail addresses? Everyone! by j-beda · · Score: 1

    It would be pretty difficult to prove that Ameritrade is *causing* the spam. It sounds more like they have a security problem.

    But such a security problem, for a financial institution involved in stock transactions, would seem to be a serious one, and thus of interest to the SEC and the media.

  102. Re:I reported this to the SEC, but not much happen by GISGEOLOGYGEEK · · Score: 1

    informative?

    right.

    You can't prove that your spam wasn't simply from a random address generator that happened to hit on you, rather than ameritrade selling it etc.

    Let me guess, you opened the first spam email, the uniquely named image in the spam in their html based email loaded up from the spammer's server, and confirmed to the spammer that your email address was valid ... and he went to work on you big time, while you blamed ameritrade.

    Way to go Sherlock.

    --
    George Bush + Linux = "I will not let information get in the way of the fight against Windows"
  103. Re:i have been complaining for a few months? Why? by Anonymous Coward · · Score: 0

    I started using the old stingy-email-address-strategy years ago for the purpose of spotting the bullshit business of internet scammers. Everyone should have known that scams would be played in a relatively anonymous world wide web just after the universal language of sex was first communicated electronically. Anyway, my policy has always been, if I discover the spammer I discover the scammer. It'd be nice to change the scammers but I'd rather just evade and move on. No one listens to me anyway so I sleep good at night.

  104. A slightly less technical solution by mgcarley · · Score: 1

    One thing that's bad about the USA: Frivolous Litigation. If there is one thing good about the USA: Frivolous Litigation. Ok, well, it's not necessarily good, and whatever I had lined up for the "good" aspect left my head shortly before it made it to my fingers to be typed.

    Anyway, a less technical solution: Scour the Ameritrade site for Privacy Policies, SPAM Policies and tick-boxes which say "we will not divulge or sell your email address" etc. If they exist: class action (for negligence or false advertising or something). Throwaway/unique addresses make it easy to prove that Ameritrade is somehow at fault here.

    I know, I know... I'm usually the first guy to say how moronic the system in "the States" is with said litigation being so frivolous and all, but there are some times when such things can be used for the purpose for which they were intended, and which may not be considered frivolous (as opposed to suing McDonalds because their burgers are making you too fat and so on.)

    Anyway, if the "usual" policies don't exist... well... who in their right mind would sign up for a service like that (especially one that deals with your money) where there is no such privacy policy?

    --
    Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
    1. Re:A slightly less technical solution by mgcarley · · Score: 1

      ...and then your filtering solutions (SpamGourmet, Filtering by unique email address at the server etc) would be the next step. I used to use Mailwasher (mailwasher.net) but I got lazy, so now I just use Thunderbird and filtering at the server.

      Recent culprit email addresses that have been in some way compromised include the email addresses I used for TechRepublic and the osCommerce forums, so now I block the old email addresses, and I updated the addresses at TR and osC, so we will see if that helps. But I get almost no spam.

      My corporate email address is (was) a bit harder: I don't do the aliasing so much (for example staff at banks have looked at me weird when I give them [theirbankname]@[mydomain].com, but I just explain the spam thing and they understand usually), but once I put the word out for investments on some entrepreneurs forum, and for months have gotten nothing but 419 scams to that email address. ...So then I used Thunderbird filters to send a reply saying something to the effect of "Due to the volume of Nigerian 419 scams received to this email address, your email has been deleted. If you are a genuine investor, please visit our website and phone us". For a while, I had it set up wrong (it was replying from my normal email address, rather than the one used at the forum), but now it's set up to reply properly, and I've curbed the amount of spam significantly (to a couple a day). Now to completely eradicate the scourge!

      By the way, a common thing for Finnish companies on their websites is to, for example, on the contact page, put the name(s) of any relevant people to be contacted, and then tell people that the email address to contact these people should be in the form of "etunimi.sukunimi@toimi.fi" (firstname.lastname@company.fi) or whatever.

      Spam-bots will pick up the email address and spam a non-existent (almost like a decoy) address, and most people are apt enough to just find the name of the person they want to contact and compose an email to that.person@thecompany.fi

      Works for smaller companies very well, I think... which is the majority here, but it might be a method for some individuals if you have to publish your email address somewhere.

      Mathew

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  105. What risk of getting caught? by LordWill · · Score: 1

    Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database?
    Is there a lot of risk? Especially if you're a cracker in China or Nigeria? What's the FBI or the FTC going to be able to do? Also, you're not thinking like a crook. They probably worry more about DETECTION, because then the victim can close up the vulnerabilities and prevent further theft. They will be back as often as they can to get more as long as they think they can pull it off.
  106. Buy a domain by sallgeud · · Score: 1

    Seriously, it's cheap. Then, every time you register for a site... use a unique email address. I've done this for a good decade now, and many of my security industry friends do the same, for the simplitude of tracking spam, intrusions or sold data from sites we frequent.

    I had been with Ameritrade for years before I got my first spam. I immediately contacted them and got a similar response about dictionary... obvious bullshit since I didn't get it to any address other than my ameritrade@one-of-my-domains.com. My first step was to immediately change my ameritrade email address to tdameritrade@o-o-m-d.com [with their recent name change it worked], and then blacklist all email to the original. Since that change, I have yet to get spam to the new address.

    My bigger concern is that there is a rogue employee selling this data. More often than not security issues like sold data come from insiders who feel underpaid or underappreciated, either trying to get back at the company or make some more dough on their backs.

  107. Re:Who's trading e-mail addresses? Everyone! by DavidTC · · Score: 1

    And I'm sure that would be a useful defense at all the trials.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  108. hehe... unix shell account by ClioCJS · · Score: 1

    It's a unix shell account with the ACM organization at my school (Virginia Tech Computer Science Class of 1997). It's $20/year. I also get UNLIMITED webspace, which I use... :D

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
  109. Another way by pontifier · · Score: 1

    Email is sent unencrypted in plain text, and any compromised machine used to route info between Ameritrade and your email service provider could have sniffed your addresses from outside the company. Email is not secure.

    --
    -John Fenley
  110. My ameritrade email is being spammed too by TheJavaGuy · · Score: 1

    I'm glad you bring up the Ameritrade case. When I set up an Ameritrade account, I also gave them a unique email address (i.e. ameritrade@my-domain-name.com). I don't recall when the spamming to that email started, but it's been for a while already.

    --
    Opera Watch - An Opera browser blog.
  111. I too can confirm this by WhipArtist · · Score: 1

    I wound up with an Ameritrade account after they bought Bidwell a few years ago. Last summer, I started getting pump & dump spam at my unique Ameritrade email address. I changed the address and notified Ameritrade. On April 14, I started getting pump & dump spam at my new Ameritrade address. Lather, rinse, repeat, and I got the same letter as the other people. Thus far, the third address has been spared. I monitor incoming spam pretty carefully, so I have a really good idea of what addresses are being targeted. I also have wildcard email delivery, so anything @ mydomain shows up in my mailbox. I've never seen a dictionary attack against my domain, and I would know. Likewise, malware on my computer is not the issue. I'm a luddite-- I use linux command-line email tools via ssh, so PC-based malware just isn't in the mix. My money is on a disgruntled employee. I'm very close to moving my account elsewhere, but I would love to see Ameritrade crucified for this.

  112. Definitions and Experimental Method by abb3w · · Score: 1

    Why does everyone assume it's a security problem?

    Well, for a very broad definition of "security", it certainly is. To wit, information getting to the hands of Bad People using it for Evil Purposes. However, your question raises a good point: is the security issue a technological exploit, or a social or legal loophole that's being used for wandering in and out of the database.

    Why can't it be a revenue stream problem? ie they're selling the addresses?

    Because that looks like a direct violation of Ameritrade's Privacy policies.

    However, it's possible that there may be an "affiliate" with a leak. The next test should be for someone (ideally in California or Vermont) to set up another such account, immediately send the requisite email to optout@tdameritrade.com, and see if the stock spam again comes through. (As a control, another account should be set up without the email to insure initial conditions remain unchanged.) If the spam arrives to the new account, the problem is internal to Ameritrade's operations; if no, then the problem is with an Ameritrade partner. In the latter situation, you might try contacting Ameritrade and asking for a list of their current partners, affiliates, and whatnots; however, I'd not expect to get much response from them.

    On the other hand, such stock spams have been allegedly linked to scams for sucking dry retirement investment accounts and the like. The FBI was investigating those last I heard. While J. Random Slashdotter may have trouble getting a response out of a big company, J. Edgar Feebie, Special Agent can convincingly incant words like "accessory after the fact" to become much harder to ignore whilst asking for that list, and might possibly appreciate being informed of the results of this particular experiment.

    --
    //Information does not want to be free; it wants to breed.
  113. Re:I reported this to the SEC, but not much happen by JeffL · · Score: 1

    This thread is old, but I've been away, so I'm just seeing it now (a couple of weeks later).

    Gosh yes, that must be exactly what happened. less is known for downloading image bugs, that must be what tipped off the spammers.

    Remember, some people aren't noobs. All evidence points to Ameritrade (or one of their employees) releasing (deliberately or unintentionally) the e-mail addresses of some or all of their customers. I think it unlikely that Ameritrade themselves are the spammers, but I would believe (though I have no evidence) that an Ameritrade employee with access to their e-mail list is responsible for sending the pump and dump spams.

    Regardless, it is a serious security problem, and not what I expect from an organization I'm expected to trust to hold my money.

  114. I'M GONNA SUE! No, really-in fact I ALREADY HAVE. by elvey · · Score: 1

    Well, I was in the same boat as everyone else, but I bit the bullet, contacted and retained a lawyer. A class action claim has been filed against TD Ameritrade in my name. Others just started signing on as well. Join the fight! (and please mod this up!)
    I had no idea how long this had been going on. There's some info and a form you can fill out if you might want to join the suit. The laws are such that it makes sense to join the claim if you reside in Alabama, Kansas, Illinois, Florida, Michigan, Missouri, New Jersey, Washington, Wisconsin, and/or West Virginia. It's my understanding that in these states you can't sign away your right to be part of a class action suit - i.e. any agreement to do so is unenforceable. Looks like there are dozens of folks who have also noticed the problem and have used disposable email addresses and could join, like Seth Breidbart (of Breidbart Index fame). Mention your slashdot handle if you fill out the form.

    Oh, and as for the poster who mentioned spam to jsmith@bar.example.com being an issue: The email addresses I gave to Ameritrade were of the form jsmith@bar.example.com. The checksum is something based on jsmith, that I can calculate in my head, and have written a sieve script to calculate. Only when the checksum verifies is the mail allowed in. Otherwise I log it as a DHA attempt. I started giving out these email addresses several years ago, and only relatively recently had to write the sieve code. 6Yankee: it's worthwhile! Oh, and yes, there were multiple controls in the experiment. The addresses were valid for years before I gave 'em to Ameritrade, and received no mail in that time. Many other valid addresses have also received no mail to date.

    Oh and I got malware? I don't think so. Mac OS X with nothing extra on it but mozilla apps, used for nothing but my TD Ameritrade account. After they provided my address to the pump 'n dump crew the first time, I made sure there were no excuses left to point to on my end.

    Ameritrade initiated the spam by providing my address, and the addresses of the other complainants on this thread and others, to the system that fed the botnet that executed the requisite SMTP commands. And all the spam to date is stock spam. Kryai's right; it's sad that efforts like his (I've done the same) to responsibly report security flaws are routinely ignored.

    --
    Make 'em pay! http://Payola.org #include "stddisclaimer
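
The checksum-verified address scheme described in the comment above (and the tag filters mentioned by wastholm and 6Yankee), sketched in Python as an added example that is not any poster's own code. The keyed HMAC tag, the `site.tag@example.com` layout, the secret and the sample log are all assumptions constructed for illustration; the posters' actual checksum and sieve rules are not shown on the page.

```python
import hashlib
import hmac
from collections import Counter

# Assumed values, constructed for this example only.
SECRET = b"constructed-example-secret"   # kept on the mail server
DOMAIN = "example.com"
TAG_LEN = 6                              # hex chars: about 16.7M guesses per label


def make_tag(site: str) -> str:
    """Keyed checksum of the site label; cannot be guessed without SECRET."""
    mac = hmac.new(SECRET, site.lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def make_address(site: str) -> str:
    """Address to hand to exactly one service, e.g. make_address('ameritrade')."""
    site = site.lower()
    if not site.isalnum():
        raise ValueError("site label must be alphanumeric")
    return f"{site}.{make_tag(site)}@{DOMAIN}"


def classify_recipient(rcpt: str, revoked=frozenset()):
    """Return (verdict, site) for an envelope recipient.

    'accept'  : tag verifies, so the address was really issued for `site`
    'revoked' : tag verifies, but the label was retired after a leak
    'dha'     : our domain, but no valid tag (dictionary / harvest guess)
    'foreign' : not our domain at all
    """
    local, at, domain = rcpt.strip().lower().rpartition("@")
    if not at or domain != DOMAIN:
        return ("foreign", None)
    site, dot, tag = local.rpartition(".")
    if not dot or not site or len(tag) != TAG_LEN:
        return ("dha", None)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode("utf-8"), make_tag(site).encode("utf-8")):
        return ("dha", None)
    return ("revoked" if site in revoked else "accept", site)


def leak_report(log, revoked=frozenset()):
    """Count spam per issuing site and separately count guessed addresses.

    `log` is an iterable of (recipient, is_spam) pairs. Spam arriving at an
    address with a valid tag can only have come via the service it was given to.
    """
    leaked, dha = Counter(), 0
    for rcpt, is_spam in log:
        verdict, site = classify_recipient(rcpt, revoked)
        if verdict == "dha":
            dha += 1
        elif verdict in ("accept", "revoked") and is_spam:
            leaked[site] += 1
    return dict(leaked), dha


# Constructed sample log: (envelope recipient, flagged as spam?)
SAMPLE_LOG = [
    (make_address("ameritrade"), True),        # stock spam to the unique address
    (make_address("ameritrade"), True),
    (make_address("slashdot"), False),         # legitimate notification
    ("vladimir.rodriguez@example.com", True),  # dictionary guess
    ("ameritrade.zzzzzz@example.com", True),   # right label, forged tag
    ("ebay@example.com", True),                # guessable untagged alias
]

if __name__ == "__main__":
    print(make_address("ameritrade"))
    print(leak_report(SAMPLE_LOG))
```

Unlike a catch-all that accepts `ameritrade@mydomain`, a guessed label alone never passes, so spam to a verified address is evidence about the service it was issued to rather than about a dictionary attack.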