Spam Replacing Postal Junk Mail?
TheOtherChimeraTwin writes "I've been getting spam from mainstream companies that I do business with, which is odd because I didn't give those companies my email address. It is doubly strange because the address they are using is a special-purpose one that I wouldn't give out to any business. Apparently knotice.com ('Direct Digital Marketing Solutions') and postalconnect.net aka emsnetwork.net (an Equifax Marketing Service Product with the ironic name 'Permission!') are somehow collecting email addresses and connecting them with postal addresses, allowing companies to send email instead of postal mail. Has anyone else encountered this slimy practice or know how they are harvesting email addresses?"
I have my own domain - EVERYONE except family gets a different email address.
One gets caught by spammers - the address gets killed.
I understand Gmail allows using a + in the address line to sort mail in a similar fashion:
googleid+identifyingstring@gmail.com and you still get it - only you know the source.
every day http://en.wikipedia.org/wiki/Special:Random
I use a special domain name which maps all aliases (*) to my mail box. Nearly every email I use for online purchases or registrations is custom for that site so when I receive email from an unexpected source I can trace it back to where I originally used it. I also always opt out of companies sharing info. I recently caught out SCE having passed my email to a government energy program and called them out on it. If I get spammed on one 'channel', I can reroute it to the /dev/null mailbox.
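The per-site alias scheme from the two comments above, as an added example that is not part of the original thread. The catch-all domain `example.org`, the convention that each alias is named after the first label of the site's domain, and the sample messages are all assumptions made for illustration.

```javascript
const CATCH_ALL_DOMAIN = "example.org"; // hypothetical catch-all domain (assumption)
const GMAIL_USER = "googleid";          // placeholder Gmail id used in the comment

// Return the site tag carried by the recipient address, or null if there is none.
function aliasTag(recipient) {
  const at = recipient.lastIndexOf("@");
  if (at < 1) return null;
  const local = recipient.slice(0, at).toLowerCase();
  const domain = recipient.slice(at + 1).toLowerCase();
  if (domain === CATCH_ALL_DOMAIN) return local;        // tag@example.org
  const plus = local.indexOf("+");
  if (domain === "gmail.com" && plus > 0 && local.slice(0, plus) === GMAIL_USER) {
    return local.slice(plus + 1) || null;               // googleid+tag@gmail.com
  }
  return null;
}

// Last two labels of the sender's domain (naive: no public-suffix list).
function senderSite(from) {
  const m = /@([^>\s]+)>?\s*$/.exec(from);
  return m ? m[1].toLowerCase().split(".").slice(-2).join(".") : null;
}

// Did the message arrive on the alias that was handed to this sender?
function classify(msg, disabledTags = new Set()) {
  const tag = aliasTag(msg.to);
  if (tag === null) return { verdict: "untagged" };
  if (disabledTags.has(tag)) return { verdict: "reject", tag }; // alias was killed
  const site = senderSite(msg.from);
  const expected = site !== null && site.split(".")[0] === tag;
  return { verdict: expected ? "expected" : "leaked", tag, site };
}

// Constructed sample headers.
const sampleMessages = [
  { from: "Orders <orders@shop-a.example>", to: "shop-a@example.org" },
  { from: "deals@mailer.bulk-b.example", to: "shop-a@example.org" },
  { from: "news@forum-c.example", to: "googleid+forum-c@gmail.com" },
];
```

A "leaked" verdict names both the alias that was shared and the domain now mailing it; passing that tag in `disabledTags` models killing the address.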
A given site can only read cookies which have been set by the same site (well, domain). There are various exploits to get around this called Cross Site Scripting (XSS) attacks which involve somehow putting JavaScript onto someone else's page (such as a Slashdot comment). This type of attack can be thwarted by properly escaping any dynamic content.
Allowing access to other sites' cookies is a problem because most sites which allow you to log in tell users apart by giving each of them a different cookie. By stealing someone else's cookie you might be recognised as them without having to log in.
I wish to remain anomalous
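Escaping dynamic content as described in the comment above, shown as an added example that is not part of the original thread. The comment-list markup, the function names and the sample comments are constructed for illustration.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: user-supplied values are concatenated into the markup as-is.
function renderCommentUnsafe(author, body) {
  return `<li title="${author}">${body}</li>`;
}

// After: every dynamic value is escaped at the point of output.
function renderCommentSafe(author, body) {
  return `<li title="${escapeHtml(author)}">${escapeHtml(body)}</li>`;
}

// Number of opening tags in the output; the template itself contains exactly one.
function elementCount(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample comments: one ordinary, one carrying markup in both fields.
const sampleComments = [
  { author: "alice", body: "a < b & c" },
  { author: 'x" onmouseover="alert(1)', body: "<script>alert(1)</script>" },
];
```

With the safe renderer the output always contains the template's single element, whatever the comment text is; with the unsafe one the second sample adds an attribute and a script element to the page.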
Yahoo lets you create temporary addresses that you can disable at the drop of a hat.
I use those for most of my business correspondence.
Your mail provider may offer something similar.
What's happening here is that there are companies that aggregate profile information, and they're able to link your email to your profile information. They then sell append services so the marketing company can add that email to your existing full name and address (FNA).
It is wrong for companies to append an email address and then market to it.
Companies do a lot with their (your?) customer data, including hygienization, appends, completion, profiling, etc. Most of this happens under the sheets, and most customers don't really want to know the details.
However, I advise clients to NEVER use an email append service for a variety of marketing and spam/technical reasons. Most clients will listen, some will choose not to. However, I'm seeing that more stupid companies will forge forward like it's nothing, and companies with dwindling budgets are too suckered in by the cost savings.
It's only going to get worse.
Not only that, they have to pay to have the material designed, printed and mailed so it's not exactly free for them as it is with spam. Not only that, but even though they're using the bulk mail rate, all that junk mail stuffing your mail box each day is helping subsidize the cost of first class postage. In the case of spam, the spammers are being subsidized by the rest of us which is what makes it so bad.
Good, inexpensive web hosting
It's a service called an "email append", offered by the major credit reporting companies. The purchaser gives them a list of names and addresses, and the credit reporting company finds matches with email addresses. They send an opt-out mailing, and the email addresses of everyone who doesn't opt-out are returned to the purchaser.
Just a clarification. A site can only see cookies set *TO* that domain. Sub-domains can see cookies set to the parent domain as well. Beyond this, any site can *SET* a cookie *FOR* another domain, they just can't read it.
Michael J. Ryan - tracker1.info
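Which stored cookies a browser attaches to a request for a given host, following the domain-match rule of RFC 6265, as an added example that is not part of the original thread. It covers only the read side discussed above; the cookie jar, its field names and the `.example` hosts are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: the host equals the cookie domain, or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  const isIpAddress = /^[\d.]+$/.test(h) || h.includes(":");
  return !isIpAddress && h.endsWith("." + d);
}

// A cookie stored without a Domain attribute is host-only: exact host match required.
// A cookie stored with a Domain attribute is also sent to subdomains of that domain.
function cookiesSentTo(host, jar) {
  return jar
    .filter((c) => (c.hostOnly
      ? host.toLowerCase() === c.domain.toLowerCase()
      : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

// Constructed cookie jar.
const sampleJar = [
  { name: "session", domain: "shop.example", hostOnly: true },   // no Domain attribute
  { name: "prefs", domain: "shop.example", hostOnly: false },    // Domain=shop.example
  { name: "cart", domain: "www.shop.example", hostOnly: true },  // no Domain attribute
  { name: "tracker", domain: "ads.example", hostOnly: false },   // Domain=ads.example
];
```

The subdomain sees the parent's cookie only when it was stored with a Domain attribute, and a host whose name merely ends in the same characters without a dot boundary sees nothing.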
How easy is it for some Javascript or something to poke around for e-mail addresses when you are at a site?
Decent browsers don't expose data not created by the site, aside from the standard browser ID, and even that can be turned off. And if you use a browser with the security profile of Swiss cheese, your email address is not your main problem.
Also, my e-mail providers know my address - i.e. yahoo, google, aol, apple and comcast. Could they be selling that information? I wouldn't be surprised.
That's just about the only thing I trust Google not doing. If you want to know how they get it, try giving out different addresses to different sites and see which ones get what spam.
To understand why this won't work you have to understand how e-mail works. We start from when you hit 'send' in outlook.
Your message first goes to your ISP's or company's outgoing mail server. Let's ignore that for a moment.
That outgoing mail server looks at the recipient- user@domain.com. So it uses DNS (the thing that converts a name like www.google.com into an IP like 74.125.93.147) and asks what the MX (mail exchanger) servers are for domain.com. Domain.com has those listed in its DNS.
The outgoing mail server then connects to the domain.com MX server. It says "i have a message from person@company.com for user@domain.com". If the MX agrees to take it, your outgoing mail server transmits the message, and the MX sends a confirmation that it is accepted. They then disconnect.
If you're running your own mail server, or are using a company mail server, or a different email system, your ISP has nothing to do with this other than moving your packets around.
The point is that email is not a single system that can be changed like raising the fare on the subway. If you're the city and you want higher subway fares, you just reprogram a few thousand turnstiles (all of which you own) and you're done. Email/SMTP isn't like that, SMTP is an agreement, a protocol which millions of networks and servers have chosen to implement. Email is just another internet protocol, no different than AIM, Skype, HTTP/www, FTP, etc. It's just one of the most widely used protocols.
There is no central authority to enforce anything like e-stamps. For this to be enforced, the domain.com MX would have to say 'please give me a tenth of a cent before I deliver your mail'. The only useful way to handle that would probably be with a 3rd-party clearinghouse for exchanging the 'stamps', so your mail server would say 'i give you stamp ID (long stamp id number)', the destination MX looks that up with the clearinghouse, approves it, then accepts the message for delivery.
For that to happen, both your SMTP server and the recipient's MX would have to be modified to deal with these payments, and optionally require them for mail delivery. There are many different mail server programs out there, this would require all of them to be updated to support payments, and then (here's the hard part) all the people who run them would have to install those updates. Then anybody who runs a mail server would have to do some financial setup to let them accept payments and send payments for email. IE, every random geek and company and IT department and ISP that runs a mail server now has to jump through a financial hoop. If I run my own mail server, does that mean I get 2/3 of the payment (the recipient fee and the ISP fee)? Does my ISP get it even though I'm not using their servers? There will be great resistance to this.
The main issue is, it would *NOT* be transparent, not to anybody. This would be a large, time-consuming and very expensive implementation.
Now let's say best case scenario, let's say you get all the major ISPs and webmail providers on board (msn, aol, yahoo, google, comcast, timewarner, verizon, cablevision/optimum, charter, adelphia, etc).
Let's say they immediately set up their system to start dealing with these micropayments.
What happens to the (literally) millions of companies in the US and abroad who run their own mail servers, but whose systems are NOT updated? Can they no longer send mail to all of the above networks, or is there a break in period? If the payments are optional, what incentive does anybody have to adopt them?
Also you say approved senders can send for free. Who is an approved sender? What is the qualification? If it's difficult and expensive, some of the large bulk-mailing companies will try it anyway, and the smaller legit companies are shut out. If it's easy to get one even for a small biz, then the spammers will get them too. If extensive investigation is performed on the applicants, that money has to come from somewhere, so it'll be expensive.
--IronHelix
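The exchange between the outgoing server and the recipient's MX described in the comment above, modelled from the MX side as an added example that is not part of the original thread. The reply codes are standard SMTP ones, the session is constructed, and `STAMP` is a hypothetical verb standing in for the e-stamp idea; it is not part of SMTP.

```javascript
// Receiving MX as a small state machine. "STAMP" is hypothetical, not an SMTP command.
function makeMx(localDomain, { understandsStamp = false } = {}) {
  let state = "start", envelope = null;
  const accepted = []; // envelopes this MX agreed to take
  function handle(line) {
    if (state === "data") { // message content runs until a lone "."
      if (line !== ".") return null;
      accepted.push(envelope);
      state = "greeted";
      return "250 OK: accepted for delivery";
    }
    const verb = line.trim().split(/\s+/)[0].toUpperCase();
    const addr = (/<([^>]*)>/.exec(line) || [])[1];
    switch (verb) {
      case "HELO":
        state = "greeted";
        return `250 ${localDomain}`;
      case "MAIL":
        if (state !== "greeted") return "503 bad sequence of commands";
        envelope = { from: addr, to: [] };
        state = "mail";
        return "250 OK";
      case "RCPT":
        if (state !== "mail") return "503 bad sequence of commands";
        if (!addr || !addr.toLowerCase().endsWith("@" + localDomain)) return "550 no such mailbox here";
        envelope.to.push(addr);
        return "250 OK";
      case "DATA":
        if (state !== "mail" || envelope.to.length === 0) return "503 bad sequence of commands";
        state = "data";
        return "354 end data with <CRLF>.<CRLF>";
      case "STAMP":
        return understandsStamp ? "250 stamp accepted" : "500 command not recognized";
      default:
        return verb === "QUIT" ? "221 bye" : "500 command not recognized";
    }
  }
  return { handle, accepted };
}

// Run a client transcript against an MX; return the three-digit reply codes.
function replyCodes(mx, lines) {
  return lines.map((l) => mx.handle(l)).filter((r) => r !== null).map((r) => r.slice(0, 3));
}

// Constructed session using the addresses from the comment above.
const sampleSession = ["HELO mail.company.com", "MAIL FROM:<person@company.com>",
  "RCPT TO:<user@domain.com>", "DATA", "Subject: hi", "", "hello", ".", "QUIT"];
```

An MX that was never updated answers the new verb with a 500, which is the situation the comment raises for servers whose operators do not install the change.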
I'm assuming you didn't see the humor in Matt Perry's post. I hate to sound like such a pessimist, but your solution and response is naively optimistic. Let's examine why.
ISPs already have a lot on their plate insofar as legislation and (potential) filtration goes. Forcing them to operate as a collection agency simply won't work. I also doubt anyone would advocate or appreciate giving credit card companies (i.e. banks) even more control. They've already demonstrated a certain incompetency in recent years that has most certainly been making news!
If you have to ask this question, you don't understand the problem.
E-mail has been effectively "free" since the inception of the Internet (more on this in a moment). As it stands, spam is killing e-mail, and fees intended to kill spam will only succeed in killing both.
We should also consider those ISPs which charge their customers on a per megabyte basis. In effect, users of such services are already paying a tax on e-mails they send; it's just that e-mail is often times such a small chunk of data that it would hardly go noticed, unless of course you were about 2KiB from a threshold that would require paying a little extra and happened to send an e-mail that bumped you over. In either case, charging on a per e-mail basis simply won't be accepted by users. They'll feel they're already paying for e-mail as part of their service plan.
And let's not even mention the technical aspect of it being "mostly automatic." There is no such thing. If you forcibly turn off non-payment e-mail services, you kill e-mail as we know it. Without a great deal of unprecedented international cooperation (and good luck getting those governments who are probably influenced by people making money from nefarious deeds), this sort of thing simply will not happen. In fact, I predict two things will happen before any significant change is made to e-mail: IPv6 rollout or Duke Nukem Forever's debut.
No, the semi-humorous post in reply to yours is correct. It doesn't require the cooperation of a "few big [companies]" or a "[government] project." It requires cooperation from hundreds of individual businesses, ISPs, organizations, and governmental cooperation on an international scale. You can't just simply rewrite SMTP and say "here, everyone download this. This will fix the problem with spam." For one, you're assuming the new system would be impregnable to spammers and two that it is a wide-sweeping, multi-platform solution that can just be fitted in place.
Here's a hint: It won't happen.
Not if, say, several dozen European countries (rightfully) decline to participate. Then what do you do? Shut off e-mail to all of Europe?
Remember, just because someone doesn't find it fair to tax their people more doesn't mean they're a "'shady' foreign" operator. They could be mindful of the rights of their people to freely exchange information. (See my comments earlier on "free.")
He who has no
JavaScript can indeed "poke around" for email addresses or any other information you provide while on a given site as well as non-personally identifiable information such as connection speed, browser, etc. The main thing to understand is JavaScript can only access that which you provide. It cannot (at least not alone in a client-side environment) actively coerce such information. It can actively record just about anything you do on a page but state information (information between sessions on a site) is very limited to the size of a cookie file. JavaScript can be linked with other scripting environments that could though.
Time flies like an arrow. Fruit flies like a banana.
If they provide a pre-paid return envelope I have the satisfaction of putting everything they sent me in that envelope, along w/ a few rusty washers (to add weight), and maybe a Sunday paper glossy ad or two (more weight, and thickness) and sending it back to them on their dime.
Don't bother. Business reply envelopes that are clearly not used for their intended purposes are discarded by the Post Office as waste. So now all you've done is annoy your local letter carrier and increase the burden on the postal service. And guess what happens to postage rates when you incur extra work for the postal service without any extra payment?
My standard email address for sites I don't wish to give my real details to is bill@microsoft.com
I like to use nospam@foo.com or abuse@foo.com, where "foo.com" is the actual domain of the site I am entering my info to. (For example, microsoft gets nospam@microsoft.com).
Knowledge != Intelligence
Not according to what I've read, although I can't locate a cite at the moment. One of the reasons it costs less, BTW, is that much of the Post Office's work has to be done ahead of time, such as sorting out the mailing by zip code. However, just to pick a nit, if bulk mail cost .9944 the cost of first class postage, it would still "cost a fraction of what 1st class mail costs."
Good, inexpensive web hosting