Spam Replacing Postal Junk Mail?

TheOtherChimeraTwin writes "I've been getting spam from mainstream companies that I do business with, which is odd because I didn't give those companies my email address. It is doubly strange because the address they are using is a special-purpose one that I wouldn't give out to any business. Apparently knotice.com ('Direct Digital Marketing Solutions') and postalconnect.net aka emsnetwork.net (an Equifax Marketing Service Product with the ironic name 'Permission!') are somehow collecting email addresses and connecting them with postal addresses, allowing companies to send email instead of postal mail. Has anyone else encountered this slimy practice or know how they are harvesting email addresses?"

Do you shop online?

[Old97]

Every time I buy something on-line I have to provide my billing address so now the e-mail address I use and possibly more (can it read cookies?) is known to the vendor who can turn around and sell that information to others. How easy is it for some Javascript or something to poke around for e-mail addresses when you are at a site? Also, my e-mail providers know my address - i.e. yahoo, google, aol, apple and comcast. Could they be selling that information? I wouldn't be surprised.

Re:Do you shop online?

[aj50]

A given site can only read cookies which have been set by the same site (well, domain). There are various exploits to get around this called Cross Site Scripting (XSS) attacks which involve somehow putting javascript onto someone else's page (such as a slashdot comment). This type of attack can be thwarted by properly escaping any dynamic content.

Allowing access to other site's cookies is a problem because most sites which allow you to log in tell users apart by giving each of them a different cookie. By stealing someone else's cookie you might be recognised as them without having to log in.

Re:Do you shop online?

[aztracker1]

Just a clarification. A site can only see cookies set *TO* that domain. Sub-domains can see cookies set to the parent domain as well. Beyond this, any site can *SET* a cookie *FOR* another domain, they just can't read it.

have your own domain-get universal forwarding

[way2trivial]

I have my own domain- EVERYONE except family gets a different email address
one gets caught by spammers- the address gets killed.

I understand gmail allows using a + in the address line to sort mail in a similar fashion
googleid+identifyingstring@gmail.com and you still get it-- only you know the source.

Re:have your own domain-get universal forwarding

[Zerth]

Not so much that they discourage it, they just have badly coded email validators. The allowable characters in an email address is much broader than most systems' valid usernames, but the lazy just assume people will only have a username as their mailbox.

Re:have your own domain-get universal forwarding

[AnalPerfume]

If I need to reply to an email to join a site I'm dubious about, in other words actually receive it, I use the Trashmail addon for Firefox. It expires after a couple of emails. If they turn out to be OK, I can then change the email to a more permanent one in the options.

Re:have your own domain-get universal forwarding

[KlaymenDK]

I understand gmail allows using a + in the address line to sort mail in a similar fashion
googleid+identifyingstring@gmail.com and you still get it-- only you know the source.

Only until someone 'helpfully' sends you something from a postcard site, joke list, or lottery draw. Then you'll get spammed at the "root" address (sans "+") and almost never again at any "+" address.

Don't ask me how I know this.

Re:have your own domain-get universal forwarding

[techno-vampire]

I have my own domain

So do I. I also have * addressing as a catch-all. When I have to provide an email address to register at a dubious site, I make one up that tells me something about where I used it; e.g., to sign up at example.com, it might be examplejunk@mydomain.com. That way, if I ever get anything sent to that email address and not clearly from example.com, I know exactly who sold my email address, and can add a filter deleting everything sent to that address. It hasn't happened, yet, but maybe I've just been lucky.

Re:have your own domain-get universal forwarding

[KlaymenDK]

Which RFC, though?

821 (from 1982) does not allow it.
822 (also 1982) does.
2821 and 2822 (2001) also respectively don't and do.

What I do...

[Mr.+Conrad]

I just handle electronic spam like normal junk mail. Hit Ctrl+P and then throw the damn thing away. Good riddance.

Email honeypot traps

[peterofoz]

I use a special domain name which maps all aliases (*) to my mail box. Nearly every email I use for online purchases or registrations is custom for that site so when I receive email from an unexpected source I can trace it back to where I originally used it. I also always opt out of companies sharing info. I recently caught out SCE having passed my email to a government energy program and called them out on it. If I get spammed on one 'channel', I can reroute it to the /dev/null mailbox.

I am a database direct & email marketer

What's happening here is that there are companies that aggregate profile information, and they're able to link your email to your profile information. They then sell append services so the marketing company can add that email to your existing full name and address (FNA).

It is wrong for companies to append an email address and then market to it.

Companies do a lot with their (your?) customer data, including hygienization, appends, completion, profiling, etc. Most of this happends under the sheets, and most customers don't really want to know the details.

However, I advise clients to NEVER use an email append service for a variety of marketing and spam/technical reasons. Most clients will listen, some will choose not to. However, I'm seeing that more stupid companies will forge forward like its nothing, and companies with dwindling budgets are too suckered in by the cost savings.

Its only going to get worse.

GMail

[Aladrin]

Once again, GMail is my solution to this. Prior to GMail, I used spamgourmet to keep my inbox clean. The oldest email I have used to get 30,000 emails per month that were all SPAM. Right now, it's getting about 11,000. (I haven't really used that address in a long time.

I have had maybe 10 SPAM emails in the last year make it to that inbox. (It's hosted under Google Apps.)

So once I found out how well Google's SPAM filters work, I quit caring about giving out my main email address. I give it to everything now, and if a company SPAMs me, I just mark it as SPAM. When enough people do that, it seriously hinders their ability to contact their legit customers, and they learn a valuable lesson.

There's a little bit of fallout from people who use the SPAM button incorrectly, but I think Google does its best to account for that, too.

Re:I had enough

[Tubal-Cain]

I use 2 emails, one for spam and one for private mails. Now both my emails are full of junk...

It should be:
One for email from IT persons.
One for registration confirmation and chainmail-forwarders.

Re:E-mail is Preferable, it can be Filtered

[fl!ptop]

if they are going to continue annoying us then I would prefer that it be through email and not postal mail

i disagree, with postal spam at least if they provide a pre-paid return envelope i have the satisfaction of putting everything they sent me in that envelope, along w/ a few rusty washers (to add weight), and maybe a sunday paper glossy ad or two (more weight, and thickness) and sending it back to them on their dime.

Re:E-Stamps, the only way to reduce spam

[Matt+Perry]

E-stamps are the only effective way to reduce spam. Bulk spammers will go from paying something like 0.1 cents per message to say 25-cents, making it uneconomical, and more trace-able. When you buy an e-stamp, 1/3 of the amount goes to the recipient (usually as credit), 1/3 to the ISP, and 1/3 to a monitoring agency. "Approved" recipients could send for free.

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
(X) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:I wish spam replaced postal junk mail

[RoboRay]

There is a trash can right next to my mailbox, which enables me to deal with paper spam about as easily as the electronic kind.

I do keep the little response cards with "return postage guaranteed" stamps, though. Those are great for gluing to bricks or other heavy objects you want to dispose of. Drop them in a mail box, and they not only get wind up in a mailbox at the company that spammed you, but that company gets billed for the postage, by weight. The heavier the object, the better!

Re:I had enough

[nomadic]

I have 13 e-mail addresses. E-mail the public one, and you get sent a riddle, which if you answer correctly gets you the next e-mail address. Each riddle is more fiendish than the last, and nobody has reached the 13th e-mail address.

Egham is "spam capital" of UK

[David+Gerard]

Email filtering company MessageLabs reports that Egham, Surrey, on the suburban outskirts of London, is the town that receives the most spam in Britain.

"It's not like there's much else to do," said Boris Busybody, 77 (IQ), of Egham Hythe, idly whirling his four-foot penis around his head in a desultory fashion. "Expanding your manhood, growing your breasts, increasing your sperm ... the Lib Dem phone calls get a bit much. That's Doctor Busybody, by the way. My Ph.D arrived last week."

Spam has revitalised the local economy. Mr Busybody has given up cab driving and is now working a lucrative job processing payments from home after he sent them his bank details in response to an urgent security message. "I had that King Otumfuo Opoku Ware II in the back of my cab once. Very generous and helpful fellow."

The Egham Tourist Board has seized the day, with plans for a 50 foot tall penis sculpture at Junction 13 of the M25 on the exit ramp to the town. The sculpture will be encircled by a genuine imitation Rolex and spray a fountain of Spermamax, obtained at a very reasonable rate from a Canadian pharmacy. "You will search an hour for your underwear in the ocean of our spam!" is to become the new town motto.

"I did get a good one the other day," says Busybody. "Barrister Matthew Sergeant Busybody of MessageLabs said we could promote our town to millions of people just by sending them an advance fee to process our incoming email. The stuff they try! 'Scuse me, V!k@grk@ kicking in, got to go have sex again. Sorry."

Re:Email Append - BINGO!

[TheOtherChimeraTwin]

Yes, I think you've hit the nail on the head. Experian eMail Append overlays deliverable email addresses onto your active customer file and contacts customers via email on your behalf to obtain permission to communicate with them online.

By "permission" they mean they send you email until you complain. If they happen to pick an email address that is normally not read by a person, they don't get any complaints. (Not that I opt-out of spam; I block it.)

Further on, they state Retain your customers by keeping your brand top-of-mind through consistent, relevant and interactive email communications. Yeah, good luck with that. I know four companies that have just lost my repeat business.

Thanks to all for an excellent discussion.

Re:E-Stamps, the only way to reduce spam

[Helix150]

To understand why this won't work you have to understand how e-mail works. We start from when you hit 'send' in outlook.

Your message first goes to your ISP's or company's outgoing mail server. Let's ignore that for a moment.

That outgoing mail server looks at the recipient- user@domain.com. So it uses DNS (the thing that converts a name like www.google.com into an IP like 74.125.93.147) and asks what the MX (mail exchanger) servers are for domain.com. Domain.com has those listed in its DNS.

The outgoing mail server then connects to the domain.com MX server. It says "i have a message from person@company.com for user@domain.com". If the MX agrees to take it, your outgoing mail server transmits the message, and the MX sends a confirmation that it is accepted. They then disconnect.

If you're running your own mail server, or are using a company mail server, or a different email system, your ISP has nothing to do with this other than moving your packets around.

The point is that email is not a single system that can be changed like raising the fare on the subway. If you're the city and you want higher subway fares, you just reprogram a few thousand turnstiles (all of which you own) and you're done. Email/SMTP isn't like that, SMTP is an agreement, a protocol which millions of networks and servers have chosen to implement. Email is just another internet protocol, no different than AIM, skype, HTTP/wwww, FTP, etc. It's just one of the most widely used protocols.
There is no central authority to enforce anything like e-stamps. For this to be enforced, the domain.com MX would have to say 'please give me a tenth of a cent before I deliver your mail'. The only useful way to handle that would probably be with a 3rd-party clearinghouse for exchanging the 'stamps', so your mail server would say 'i give you stamp ID (long stamp id number)', the destination MX looks that up with the clearinghouse, approves it, then accepts the message for delivery.

For that to happen, both your SMTP server and the recipient's MX would have to be modified to deal with these payments, and optionally require them for mail delivery. There are many different mail server programs out there, this would require all of them to be updated to support payments, and then (heres the hard part) all the people who run them would have to install those updates. Then anybody who runs a mail server would have to do some financial setup to let them accept payments and send payments for email. IE, every random geek and company and IT department and ISP that runs a mail server now has to jump through a financial hoop. If I run my own mail server, does that mean i get 2/3 of the payment (the recipient fee and the ISP fee)? Does my ISP get it even though I'm not using their servers? There will be great resistance to this.

The main issue is, it would *NOT* be transparent, not to anybody. This would be a large, time-consuming and very expensive implementation.

Now let's say best case scenario, lets say you get all the major isps and webmail providers on board (msn, aol, yahoo, google, comcast, timewarner, verizon, cablevision/optimum, charter, adelphia, etc).
Let's say they immediately set up their system to start dealing with these micropayments.
What happens to the (literally) millions of companies in the US and abroad who run thier own mail servers, but whos systems are NOT updated? Can they no longer send mail to all of the above networks, or is there a break in period? If the payments are optional, what incentive does anybody have to adopt them?

Also you say approved senders can send for free. Who is an approved sender? What is the qualification? If it's difficult and expensive, some of the large bulk-mailing companies will try it anyway, and the smaller legit companies are shut out. If it's easy to get one even for a small biz, then the spammers will get them too. If extensive investigation is performed on the applicants, that money has to come from somewhere, so it'll be expensive.