Slashdot Mirror


Researchers' Typosquatting Stole 20 GB of E-Mail

NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

11 of 204 comments

  1. Good test. by 140Mandak262Jamuna · Score: 2
    Every damn email they suctioned up has a stern boilerplate warning: "This email is intended for XYZ only. If you are not XYZ and you got this email, and if you don't delete it and forget what you have read immediately we are going to pretend we could come after you like gangbusters". Let us see if that stupid boilerplate text has any legal standing.

    Anyway, of the 20 Gig they collected, I am sure 19.9 Gig was this boilerplate text.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Good test. by bmo · Score: 3, Informative

      >Let us see if that stupid boilerplate text has any legal standing

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      --
      BMO

    2. Re:Good test. by tomhudson · Score: 3, Informative

      The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.

      Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").

    3. Re:Good test. by duguk · Score: 2, Informative

      >Let us see if that stupid boilerplate text has any legal standing
      >
      >It doesn't. It didn't work for real mail so why should it work for email?
      >
      >You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.
      >
      >-- BMO

      Not true, at least in the UK:

      Interfering with mail - Postal Services Act 2000 Section 84
      Triable Summarily (Magistrates court)
      6 Months and/or a fine (Max)

      A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally open a mail bag.

      A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, they open a postal packet which they know or suspect to have been delivered incorrectly.

      If you work for the Post service you could commit other offences under Section 83 triable either way (Magistrates or Crown court) and get a sentence of 2 years and/or a fine.

    4. Re:Good test. by Anonymous Coward · Score: 2, Interesting

      "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

    5. Re:Good test. by Medievalist · Score: 2

      >that is addressed to someone else.

      It was addressed to me; I own the address that received it, it is mine. According to the laws you've quoted, anyway, which strictly forbid opening mail addressed to other people. Only I may legally open it; it is mine.

      I get a dozen emails a month on my gmail account that are intended for a person with a name very similar to mine.

      These emails are all addressed to me, although that's not who they should have been sent to. The person sending intentionally sent it to me - they typed my address and pressed 'send' - so under the laws you've quoted nobody else may open it, only me.

      I try and try to get these people (who are mostly British real estate salesmen) to stop sending me these emails which sometimes contain confidential information relating to their clients. The tossers apologize and promise never to do it again (and occasionally do stop for a week or two, then start up again). It appears that many British land brokers are not just poor typists, but also idiots.

    6. Re:Good test. by _0xd0ad · Score: 2

      You're supposed to mark it "no longer at this address - return to sender", black out the barcode at the bottom with a marker, and put it in the outgoing mail.

    7. Re:Good test. by gstoddart · Score: 3, Interesting

      >It doesn't. It didn't work for real mail so why should it work for email?
      >
      >You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.

      Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.

      At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.

      I don't think you can make the claim that you just happened to be receiving these emails.

      --
      Lost at C:>. Found at C.
  2. Stolen email? by bmo · Score: 4, Insightful

    No mail was stolen. It was delivered exactly where it was addressed.

    It's the fault of the monkey behind the keyboard and nobody else.

    --
    BMO

  3. Re:People are dumb, so... by jandrese · Score: 2

    Also, chances are 99% of that was spam.

    --

    I read the internet for the articles.
  4. Re:Self funding research by Riceballsan · Score: 3, Interesting

    Better question: why are high-end companies sending top secret confidential data over normal unencrypted e-mail? Even your bottom-of-the-line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny. The typical e-mail from home to work passes unencrypted across a wifi network that may or may not be compromised, if it was even bothered to be secured, to your ISP, where low wage monkeys may or may not have access, across the cloud, where it will pass through an unknown number of nodes, to the entry mailservers at said company, that may or may not be managed by medium wage contractors that know they only have the job for a few months at best anyway, finally to the person who it is intended to go to. Yeah, I see no reason to think twice before sending my SSN, CC# and confidential data through an e-mail.