Slashdot Mirror


Spam Replacing Postal Junk Mail?

TheOtherChimeraTwin writes "I've been getting spam from mainstream companies that I do business with, which is odd because I didn't give those companies my email address. It is doubly strange because the address they are using is a special-purpose one that I wouldn't give out to any business. Apparently knotice.com ('Direct Digital Marketing Solutions') and postalconnect.net aka emsnetwork.net (an Equifax Marketing Service Product with the ironic name 'Permission!') are somehow collecting email addresses and connecting them with postal addresses, allowing companies to send email instead of postal mail. Has anyone else encountered this slimy practice or know how they are harvesting email addresses?"

10 of 251 comments

  1. have your own domain-get universal forwarding by way2trivial · · Score: 4, Informative

    I have my own domain- EVERYONE except family gets a different email address
    one gets caught by spammers- the address gets killed.

    I understand gmail allows using a + in the address line to sort mail in a similar fashion
    googleid+identifyingstring@gmail.com and you still get it-- only you know the source.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
    1. Re:have your own domain-get universal forwarding by Zerth · · Score: 4, Informative

      Not so much that they discourage it, they just have badly coded email validators. The allowable characters in an email address are much broader than most systems' valid usernames, but the lazy just assume people will only have a username as their mailbox.
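
A validator of the kind this comment finds lacking, next to one that accepts the full unquoted character set, as an added example that is not part of the thread. The function names are illustrative; quoted local parts and address literals are left out on purpose.

```python
import re

# The kind of check the comment describes: the mailbox is treated as a
# system-style username, so "+" and other legal characters are refused.
NAIVE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# RFC 5322 "atext": every character allowed in an unquoted local part.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
DOT_ATOM = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def naive_valid(addr: str) -> bool:
    return NAIVE.fullmatch(addr) is not None


def dot_atom_valid(addr: str) -> bool:
    """Accept local@domain where local is a dot-atom (no quoted strings)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or len(local) > 64 or len(addr) > 254:
        return False
    # fullmatch, not match with "$": "$" would also accept a trailing newline.
    if not DOT_ATOM.fullmatch(local):
        return False
    labels = domain.split(".")
    # Require a dotted domain; single-label hosts are rejected by choice here.
    return len(labels) >= 2 and all(LABEL.fullmatch(l) for l in labels)


if __name__ == "__main__":
    for a in ("googleid+identifyingstring@gmail.com", "a..b@example.com"):
        print(a, naive_valid(a), dot_atom_valid(a))
```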

    2. Re:have your own domain-get universal forwarding by KlaymenDK · · Score: 4, Informative

      I understand gmail allows using a + in the address line to sort mail in a similar fashion
      googleid+identifyingstring@gmail.com and you still get it-- only you know the source.

      Only until someone 'helpfully' sends you something from a postcard site, joke list, or lottery draw. Then you'll get spammed at the "root" address (sans "+") and almost never again at any "+" address.

      Don't ask me how I know this.

    3. Re:have your own domain-get universal forwarding by techno-vampire · · Score: 4, Informative
      I have my own domain

      So do I. I also have * addressing as a catch-all. When I have to provide an email address to register at a dubious site, I make one up that tells me something about where I used it; e.g., to sign up at example.com, it might be examplejunk@mydomain.com. That way, if I ever get anything sent to that email address and not clearly from example.com, I know exactly who sold my email address, and can add a filter deleting everything sent to that address. It hasn't happened, yet, but maybe I've just been lucky.

      --
      Good, inexpensive web hosting
    4. Re:have your own domain-get universal forwarding by KlaymenDK · · Score: 4, Informative

      Which RFC, though?

      821 (from 1982) does not allow it.
      822 (also 1982) does.
      2821 and 2822 (2001) also respectively don't and do.

  2. Email honeypot traps by peterofoz · · Score: 4, Informative

    I use a special domain name which maps all aliases (*) to my mail box. Nearly every email I use for online purchases or registrations is custom for that site so when I receive email from an unexpected source I can trace it back to where I originally used it. I also always opt out of companies sharing info. I recently caught out SCE having passed my email to a government energy program and called them out on it. If I get spammed on one 'channel', I can reroute it to the /dev/null mailbox.
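
The per-site alias tracing described in this comment and in techno-vampire's above, as an added example that is not part of the thread. The alias table, function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed bookkeeping (constructed): alias -> domain of the one site it was given to.
ALIAS_OWNER = {"examplejunk@mydomain.com": "example.com"}
RETIRED = set()  # aliases whose mail now goes to the /dev/null mailbox


def from_owner(sender_domain, owner):
    """True if sender_domain is the owner domain or one of its subdomains."""
    sender_domain = sender_domain.lower().rstrip(".")
    return sender_domain == owner or sender_domain.endswith("." + owner)


def classify(raw_message):
    """Return (verdict, alias) for one message that reached the catch-all mailbox."""
    msg = message_from_string(raw_message)
    # Prefer Delivered-To where the delivering server adds it; To is the fallback.
    alias = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if alias in RETIRED:
        return ("drop", alias)
    owner = ALIAS_OWNER.get(alias)
    if owner is None:
        return ("unknown-alias", alias)
    # From is forgeable and sites use third-party mailers, so "leaked" means
    # "review, then retire the alias", not proof of who passed it on.
    return ("expected" if from_owner(sender_domain, owner) else "leaked", alias)


def retire(alias):
    """Stop accepting mail for an alias that has started receiving spam."""
    RETIRED.add(alias.lower())


# Constructed sample messages (not real mail).
FROM_SITE = ("Delivered-To: examplejunk@mydomain.com\n"
             "From: Example <news@mail.example.com>\nSubject: Receipt\n\nThanks.\n")
FROM_STRANGER = ("Delivered-To: examplejunk@mydomain.com\n"
                 "From: Deals <offers@unrelated.test>\nSubject: Offer\n\nBuy.\n")

if __name__ == "__main__":
    for raw in (FROM_SITE, FROM_STRANGER):
        print(classify(raw))
```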

  3. Re:Do you shop online? by aj50 · · Score: 4, Informative

    A given site can only read cookies which have been set by the same site (well, domain). There are various exploits to get around this called Cross Site Scripting (XSS) attacks which involve somehow putting javascript onto someone else's page (such as a slashdot comment). This type of attack can be thwarted by properly escaping any dynamic content.

    Allowing access to other sites' cookies is a problem because most sites which allow you to log in tell users apart by giving each of them a different cookie. By stealing someone else's cookie you might be recognised as them without having to log in.

    --
    I wish to remain anomalous
  4. I am a database direct & email marketer by Anonymous Coward · · Score: 4, Informative

    What's happening here is that there are companies that aggregate profile information, and they're able to link your email to your profile information. They then sell append services so the marketing company can add that email to your existing full name and address (FNA).

    It is wrong for companies to append an email address and then market to it.

    Companies do a lot with their (your?) customer data, including hygienization, appends, completion, profiling, etc. Most of this happens under the sheets, and most customers don't really want to know the details.

    However, I advise clients to NEVER use an email append service for a variety of marketing and spam/technical reasons. Most clients will listen, some will choose not to. However, I'm seeing that more stupid companies will forge forward like it's nothing, and companies with dwindling budgets are too suckered in by the cost savings.

    It's only going to get worse.

  5. Re:Do you shop online? by aztracker1 · · Score: 4, Informative

    Just a clarification. A site can only see cookies set *TO* that domain. Sub-domains can see cookies set to the parent domain as well. Beyond this, any site can *SET* a cookie *FOR* another domain, they just can't read it.

    --
    Michael J. Ryan - tracker1.info
  6. Re:E-Stamps, the only way to reduce spam by Helix150 · · Score: 4, Informative

    To understand why this won't work you have to understand how e-mail works. We start from when you hit 'send' in outlook.

    Your message first goes to your ISP's or company's outgoing mail server. Let's ignore that for a moment.

    That outgoing mail server looks at the recipient- user@domain.com. So it uses DNS (the thing that converts a name like www.google.com into an IP like 74.125.93.147) and asks what the MX (mail exchanger) servers are for domain.com. Domain.com has those listed in its DNS.

    The outgoing mail server then connects to the domain.com MX server. It says "i have a message from person@company.com for user@domain.com". If the MX agrees to take it, your outgoing mail server transmits the message, and the MX sends a confirmation that it is accepted. They then disconnect.

    If you're running your own mail server, or are using a company mail server, or a different email system, your ISP has nothing to do with this other than moving your packets around.

    The point is that email is not a single system that can be changed like raising the fare on the subway. If you're the city and you want higher subway fares, you just reprogram a few thousand turnstiles (all of which you own) and you're done. Email/SMTP isn't like that; SMTP is an agreement, a protocol which millions of networks and servers have chosen to implement. Email is just another internet protocol, no different than AIM, Skype, HTTP/www, FTP, etc. It's just one of the most widely used protocols.
    There is no central authority to enforce anything like e-stamps. For this to be enforced, the domain.com MX would have to say 'please give me a tenth of a cent before I deliver your mail'. The only useful way to handle that would probably be with a 3rd-party clearinghouse for exchanging the 'stamps', so your mail server would say 'i give you stamp ID (long stamp id number)', the destination MX looks that up with the clearinghouse, approves it, then accepts the message for delivery.

    For that to happen, both your SMTP server and the recipient's MX would have to be modified to deal with these payments, and optionally require them for mail delivery. There are many different mail server programs out there, this would require all of them to be updated to support payments, and then (here's the hard part) all the people who run them would have to install those updates. Then anybody who runs a mail server would have to do some financial setup to let them accept payments and send payments for email. I.e., every random geek and company and IT department and ISP that runs a mail server now has to jump through a financial hoop. If I run my own mail server, does that mean I get 2/3 of the payment (the recipient fee and the ISP fee)? Does my ISP get it even though I'm not using their servers? There will be great resistance to this.

    The main issue is, it would *NOT* be transparent, not to anybody. This would be a large, time-consuming and very expensive implementation.

    Now let's say best case scenario, let's say you get all the major ISPs and webmail providers on board (msn, aol, yahoo, google, comcast, timewarner, verizon, cablevision/optimum, charter, adelphia, etc).
    Let's say they immediately set up their system to start dealing with these micropayments.
    What happens to the (literally) millions of companies in the US and abroad who run their own mail servers, but whose systems are NOT updated? Can they no longer send mail to all of the above networks, or is there a break-in period? If the payments are optional, what incentive does anybody have to adopt them?

    Also you say approved senders can send for free. Who is an approved sender? What is the qualification? If it's difficult and expensive, some of the large bulk-mailing companies will try it anyway, and the smaller legit companies are shut out. If it's easy to get one even for a small biz, then the spammers will get them too. If extensive investigation is performed on the applicants, that money has to come from somewhere, so it'll be expensive.

    --
    --IronHelix
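
The server-to-server exchange this comment walks through, modelled as an added example that is not part of the thread: the receiving MX alone decides whether to take a message, which is the hook any stamp check would have to be built into on every server. `MxSession`, `deliver` and the host names `mx.domain.com` and `mail.company.com` are hypothetical; the DNS MX lookup is assumed to have already happened.

```python
class MxSession:
    """Receiving MX for one SMTP connection (simplified; not a full RFC 5321 server)."""
    def __init__(self, local_domains):
        self.local_domains = {d.lower() for d in local_domains}
        self.sender, self.rcpts, self.body = None, [], None
        self.queued = []                      # messages this MX agreed to take

    def handle(self, line):
        if self.body is not None:             # inside DATA: collect until a lone "."
            if line != ".":
                self.body.append(line[1:] if line.startswith(".") else line)
                return None
            self.queued.append((self.sender, self.rcpts, self.body))
            self.sender, self.rcpts, self.body = None, [], None
            return "250 OK: message accepted"
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return "250 mx.domain.com"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self.sender = arg[5:].strip(" <>")
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:") and self.sender is not None:
            rcpt = arg[3:].strip(" <>")
            if rcpt.rpartition("@")[2].lower() not in self.local_domains:
                return "550 Relaying denied"  # purely this server's own policy
            self.rcpts.append(rcpt)
            return "250 OK"
        if verb == "DATA" and self.rcpts:
            self.body = []
            return "354 End data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Bye"
        return "503 Bad sequence" if verb in ("MAIL", "RCPT", "DATA") else "500 Unrecognized"


def deliver(mx, sender, rcpt, body_lines):
    """Sending server's side of the session; returns (command, reply) pairs."""
    log = [("(connect)", "220 mx.domain.com ESMTP")]
    for cmd in ("HELO mail.company.com", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>", "DATA"):
        log.append((cmd, mx.handle(cmd)))
        if log[-1][1][0] not in "23":         # 4xx/5xx reply: the MX declined
            break
    else:
        for line in body_lines:               # dot-stuff lines that start with "."
            mx.handle("." + line if line.startswith(".") else line)
        log.append((".", mx.handle(".")))
    log.append(("QUIT", mx.handle("QUIT")))
    return log
```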