Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?
jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"
Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?
In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.
I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.
The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.
Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)
What would you recommend as my next course of action?
Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)
- How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com
- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members
It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.
I don't even bother any more. I get spam/malware it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog make an entry about it and hope it shows up in google. Or post the info here, if it gets modded up google will probably index it.
When information is power, privacy is freedom.
If you are hiring a security related service or any service that depends on security of information, cancel it and go somewhere else. They are obviously not worried about security and have proved that they are pretty much unreachable in case of any problem.
Either way, even if the service you are hiring it is unimportant enough to allow you to live with this kind of practices, I advise you, regardless of how right you may be about their problems, to stop wasting your time trying to help those that are not interested in being helped.
I have been in the same situation with websites compromising email addresses I used uniquely with them (once a site had it happen twice). When nowadays major companies get compromised with far more than just an email address and you get no notification, why would you expect a mailing address to get more?
It's embarrassing, notifying people won't really do anything, and companies are under no obligation to do so. Until we have better regulation of what has to happen when personal information is compromised I won't be surprised to see it continue.
It's simple. Public Shame on sites like this and theregister.
I have to ask.....why do you care? It's not your problem. Just delete the email address and continue living your life as you normally would. You tried your best.
If you've let them know, and they ignore it, there's nothing you can do. You can't make anyone do anything.
You could publicly shame them. That runs the risk of lawsuits, and possibly being pointed to as the intruder.
All you should really do is unsubscribe from the list, and block any email coming in to that account. Unsubscribing won't stop the viruses, as the intruder has almost definitely fed it to their botnet. It may only (hopefully) keep you from being compromised in the future. The question is, do they delete unsubscribed accounts, or just change the subscription flag(s)?
It's good that you chose to use a unique account. It won't harm you when you block it. Think of all the users who used their primary account.
Serious? Seriousness is well above my pay grade.
Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
-Arthur Conan Doyle
Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.
Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.
That's why you haven't got a response. They know, but there's nothing they can do.
And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.
My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.
I do the same thing, and have had the same response...for each instance, all future messages to that e-mail address go straight to trash. Problem solved.
Tell them once. That's as good as you can do. I've had my email address compromised from a well known financial institution. Of course the person I spoke to didn't know anything about it or why it was their fault. Two years later they publicly admitted they were hacked.
I find that a lot of leaked addresses are from failed companies, whose websites no longer exist.
There are many websites out there that are compromised. You would be quite surprised. I wish there was an easy way to post these so others could know.
Or they knowingly sold your address.
It could just be that they sold your e-mail address but just don't want to admit it because it's in violation of the terms
I used this technique for many years (since the 90s) and one thing I've come to realize when this happens is that it's more likely that the computer used by a customer service or sales person has been infected, and that somehow your address has made it from their ERP/CRM into Outlook or another program commonly scanned by viruses like this (maybe even just the web browser cache files). So it's probably not a compromised subscriber list, just a random compromised system that happened to have a few customer email addresses accessible to the virus.
But as others have said, good luck getting anyone to admit/notice/care. Even if you can, your address is already in the spam database and it'll stay there for years. I finally gave up on custom addresses last year and just rely on Google's spam filters (esp. after finding out how few sites support plus addressing so I could do it from gmail).
This does not directly address the question, but it is topical.
I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin for thunderbird.
It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.
When information is power, privacy is freedom.
It's possible the list was snagged by a disgruntled (or ex) employee who sold the list. The Powers That Be may not believe the list has been compromised. A few back channel comments and/or a FB isn't actionable proof.
I'd post to their support email line (I'm assuming they have one?) and provide the unique email address you used. Provide more detail than this post. Then if they still ignore, share it on publicly as a public service to their other customers.
I had a friend that was in a similar situation. A company that handled their mass emails had an employee grab a ~ton~ of addresses when he quit. It took a few reports, but once they realized what had happened, they acted.
Agile Artisans
What would you recommend as my next course of action?
Post the company's details to /. and hold your breath.
They either have bad security or are selling their mailing list.
Just change the one you use and drop the old one.
I use an alias file on my domain. When the spam shows up, the link in the alias file is dropped and I give the outfit a new address.
I also remember being told that companies weed out their names from the list they sell.
That's why my email address at amazon is amazon@...
Is it at all possible that you're the one who was cracked, and that's how the email address got into the wild?
I suggest that you avoid getting into an argument with any company, as it can end in tears.
However, you are certainly entitled to create a simple web page showing the main sites at which you are publicly registered, and for each one also the count of emails received that contain spam or viruses. Let the numbers speak for themselves. A nice column of zeros with the exception of one or two domains speaks volumes without requiring written criticism.
Publishing unbiased factual information of that sort keeps you on safe ground in nearly all situations. (But not all.)
Note that the email addresses you register must be unguessable, otherwise most of your arguments lose their strength, and the suggestion above would not work either.
I've been doing that for more than ten years and I've never gotten a satisfactory response. Somebody will give your carefully-crafted letter fifteen seconds of thought and send you a form letter about phishing or clicking on sketchy links or whatever. They don't understand the dedicated email thing, or that they have a problem. So, you gave your explanation to some geeks you think will "get it", but ultimately they'll have to tell some non-geeks about it, and they'll give it fifteen seconds of consideration and dismiss it.
I've found three online flower sellers, one music equipment manufacturer, a credit reporting agency and a well-known seller of language instruction materials, and a couple I don't remember, have been compromised. Not a lot for more than a decade, but some notable failures.
No way you can win.
Same situation here with individual email addresses per recipient.
If it's SPAM - report to Spamcop. After 3 SPAM's change address of individual addressee or disable it if it's older than 3 years and not used since.
The interesting part with this game is to see how many users are putting plain email addresses in CC, so when one of the many gets compromised, everyone else on that header gets spammed.
Hi, I run my own mail domain too.
I would have re-audited my system and made really sure the leak did not come from a different attack vector before pinpointing them.
Did you parse the headers of the spam to get more clues?
Most companies won't spend time because another network administrator tells them they have something wrong. Rule one is always to prove your facts almost without a doubt otherwise they may not listen to you or take action.
Try creating another account from a clean install to see if same happens.
I always look at my own network first.
Everything I write is lies, read between the lines.
YourName+anything@gmail.com
I recommend you register that way at any domain if you have gmail.
It could very well have just been guessed, the spammers' mail servers are more than likely more than capable of shotgun blasting millions of messages to $randomstring@domain.com in less time than you'd think, and if you change the replyto address, you don't even get the bouncebacks.
I hate sigs.
The list was sold. Yes, it happens more often than you think. If the company itself didn't sell it, then somebody on the inside made an extra buck. That's why nobody will acknowledge your complaint.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
simple, use the compromised list to email them telling them so.
They're using their grammar skills there.
I've been doing something like this too, only with the added twist of making it difficult for spammers to guess.
First off if you are bothering to create separate email accounts for each site you know full well the risks of giving anyone your email address. How do you think spammers get everyone's email addresses? Tooth fairy?
Secondly jumping to conclusions is usually not prudent. "knew immediately that either their systems or their subscriber list had been compromised"
For all we know your system could be hacked and you just don't know it or you've got a directory server or vrfy enabled and the account was brute forced.
The site could well be selling or sharing their customer list with others who are compromised or who are reselling it to spammers. They could be sending emails to other mailboxes where the user is compromised.
Thinking you know what's up is bad enough.
Thinking they owe you some sort of "official response" is whacked.
Make sure you are using email addresses that have a very high degree of uniqueness in the username portion. Spammers sometimes simply try the same username at different domains, try dictionary attacks, etc. The more obscure and unique the email address, the easier it will be for someone to accept that it was unlikely to have been hit those ways.
Enable logging and review the logs so that you can attest to having checked the logs for signs of a dictionary attack. Mention that you've done so or just include log snippets in your report. It corroborates headers in the full spam sample you'll be sending, communicates that you've already checked for and ruled out a dictionary attack, and demonstrates some professionalism.
Keep your client and server systems secure, carefully check them over any time you think an email address has been compromised, and briefly mention that you've done this in your reports. Hopefully, that will make the recipient(s) open their minds to the possibility that it was not a compromise on your end. Mention that the other unique email addresses you use weren't hit, which suggest that your aliases file and/or other email address databases weren't compromised on your side.
Search for others that have already publicly mentioned this happening to them. If you see such discussions, mention that you've seen this in your report. There are various ways/places an email address can be compromised and if you only have one imperfect datapoint you can't be sure of what happened. You need to determine if others have experienced the same thing. You want to get to the bottom of things so that you can address any unknown problems on your side and take any other actions you need to. You also want to assure that it is publicly discussed so that anyone else unknowingly affected can do the same thing. So make "going public, asking others if it happened to them, sharing information in an appropriate forum" part of your routine. I prefer to report it privately, give the other party a short amount of time to (hopefully) grab logs etc, then make sure it is being discussed in public. I think it is important to be careful and conservative with wording, particularly when discussing things publicly. There is no need to shout "THIS COMPANY HAS BEEN BREACHED!" when "I *think* this company or one of its subcontractors *might* have been breached..." will do.
When reporting things, try to find a good point of contact within the company. Front line customer service people may not escalate or forward the message appropriately. If you can identify a security or privacy contact, I'd use that. Keep copies of everything... evidence, outgoing messages, incoming messages, phone calls, etc.
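Added example, not part of the post above: one way to do the log review that comment describes, checking whether the hosts that mailed the tagged address had first been guessing recipients at the domain, and whether the other aliases were hit by the same hosts. The log lines are constructed in the style of an Exim main log (assuming recipients are logged on arrival lines); the domain, addresses, IPs and function name are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of an Exim main log. Assumption: your MTA
# logs refused recipients and the recipient of accepted mail ("for ...");
# adapt both patterns to what your server really writes.
SAMPLE_LOG = """\
2013-05-06 02:11:40 H=(mx1) [203.0.113.9] F=<a@spam.example> rejected RCPT <mike@mydomain.example>: Unrouteable address
2013-05-06 02:11:41 H=(mx1) [203.0.113.9] F=<a@spam.example> rejected RCPT <john@mydomain.example>: Unrouteable address
2013-05-06 02:11:41 H=(mx1) [203.0.113.9] F=<a@spam.example> rejected RCPT <bob@mydomain.example>: Unrouteable address
2013-05-06 02:11:42 H=(mx1) [203.0.113.9] F=<a@spam.example> rejected RCPT <info@mydomain.example>: Unrouteable address
2013-05-07 09:30:02 1UZabc-0003xy-Kq <= news@vendor.example H=mail.vendor.example [198.51.100.20] P=esmtp S=5120 for vendor-k3x9q@mydomain.example
2013-05-07 10:02:15 1UZabd-0003yA-Lr <= orders@shop.example H=out.shop.example [198.51.100.44] P=esmtp S=2211 for shop-p7w2m@mydomain.example
2013-05-09 04:47:10 1UZabe-0003yB-Ms <= invoice@bad.example H=(dsl-77) [192.0.2.77] P=esmtp S=48213 for vendor-k3x9q@mydomain.example
2013-05-10 05:03:55 1UZabf-0003yC-Nt <= fax@bad.example H=(dsl-78) [192.0.2.78] P=esmtp S=47990 for vendor-k3x9q@mydomain.example
"""

IP = r"\[(?P<ip>[0-9A-Fa-f.:]+)\]"
REJECT_RE = re.compile(IP + r" F=<[^>]*> rejected RCPT <(?P<rcpt>[^>]+)>")
ACCEPT_RE = re.compile(r"<= \S+ H=.*?" + IP + r".* for (?P<rcpt>\S+)$")


def review_log(lines, tagged_address, expected_sources,
               other_aliases=(), sweep_threshold=3):
    """Summarise evidence for or against 'the address was simply guessed'.

    expected_sources: IPs the company legitimately mails you from.
    other_aliases:    your other unique addresses, used as a control group.
    sweep_threshold:  distinct refused recipients that mark a host as guessing.
    """
    tagged = tagged_address.lower()
    expected = set(expected_sources)
    rejected = defaultdict(set)   # source IP -> distinct recipients refused
    delivered = defaultdict(set)  # recipient -> source IPs that got mail in

    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejected[m["ip"]].add(m["rcpt"].lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            delivered[m["rcpt"].lower()].add(m["ip"])

    # Hosts that tried many non-existent recipients are dictionary guessers.
    sweepers = {ip: sorted(r) for ip, r in rejected.items()
                if len(r) >= sweep_threshold}
    # Hosts that reached the tagged address but are not the company itself.
    unexpected = sorted(delivered[tagged] - expected)
    swept = [ip for ip in unexpected if ip in sweepers]
    # Control group: did those same hosts also know any other alias?
    others_hit = sorted(a.lower() for a in other_aliases
                        if delivered[a.lower()] & set(unexpected))
    return {
        "sweepers": sweepers,
        "unexpected_sources": unexpected,
        "unexpected_that_swept": swept,
        "other_aliases_hit": others_hit,
        # Guessing is a plausible explanation only if a host that probed
        # the domain is also one that hit the tagged address.
        "guessing_likely": bool(swept),
    }


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG.splitlines(),
                        "vendor-k3x9q@mydomain.example",
                        expected_sources={"198.51.100.20"},
                        other_aliases=["shop-p7w2m@mydomain.example"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, one host swept common names but never reached the tagged address, while the two hosts that did reach it made no guesses and touched no other alias, which is the pattern worth quoting in a report.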
I used to be a member of a professional society. I started getting spam to the unique, tagged, address I'd used to register with them. I pointed this out on a mailing list. I got threatening notes from them about how they didn't appreciate me implying that they had sold addresses or been compromised...
Blizzard ignored queries from me about the sudden appearance of spam (from their servers, even) to unique, tagged, addresses. A week after they blew me off, there was an announcement that they'd been compromised, so maybe they actually did investigate, but they sure never got back to me in any way.
So basically, I don't think you can convince them unless they start out caring.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Maybe you're talking to the people that actually compromised the list in the first place....
Star Trek Online had this happen. I had an email address specific to that site and it got spammed. Heaps of other people with similar site only email addresses mentioned the same thing on the forums. Don't know if they ever publicly admitted it.
I don't need to test my programs.. I have an error correcting modem.
Otherwise he would know that geeks don't make mistakes, and it's all your own stupidity.
1 The virus is the result of a shotgun email to your domain, and your address was found because it didn't bounce.
2 Your message was forwarded up the chain to the CIO who okayed selling the email list to all comers. Nothing has happened because this is part of doing business.
If the address you used for them is the only one that has got infected emails in a small time window ...
Maybe they are afraid of their reputation.
Maybe they are the one who sold the list.
Maybe they just don't care.
It does not really matter : they failed to protect their customers.
I also have used one email address made unique for each "service" contact for years. ... unenlighted ... enough to forward a chain mail.
I don't even bother to complain anymore when something fishy happens : I simply overwrite all the (mostly already wrong) information for the benefit of their database then delete/disable the account and delete the email address.
This also work wonders for "lesser" social contacts that may be
By the way, knowing the name of said provider would help your fellow geeks & nerds.
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
Had the same problem, except with very obnoxious scammy spams and the company in question was Bank of America (overnight, the dedicated address went from BofA only, to dozens of such spams).
My personal guess was that these morons must have sold their list to somebody (or cross-marketed, or whatever other stupid idea one of their coked-up marketing exec came up with) who in turn sold it and so on, all the way to the darker recesses of the internets. A chain is only as weak as its weakest leak, so once they decide to sell the data, you can be certain it will end up everywhere.
Some mail hosts & websites support using +notation in email addresses (i.e. gmail & google apps). So rather than generating new email addresses for everything, I do something like myemail+webpage@mydomain.com. When you look at who the email was sent to it should repeat this same pattern.
It's likely that the informal communications channels just did not inform.
Publish the name of the company. State your case, what you did, what they didn't. Name and shame. Tell your inside friends to feign stupidity (lest they get fired/sued) or worse, leave a trail back to you and you get sued/your door kicked down/computers seized, you fingerprinted, strip search, declared a terrorist, federal prison, bubba who gets lonely at night and likes how you squeak like a girl, etc.
First off, I hold the idea, that the list was sold, very likely. They will never admit to that. You might want to check their privacy statement and take actions according to that (see post by nemesisrocks).
But for a self confessed geek with his/her own email domain, the OP shows an alarming lack of knowing the proper channels.
This is a problem with email, so maybe the OP should have sent a mail to 'abuse@company.com' or even 'postmaster@company.com'. Not place something on the facebook page, that only gets read by some marketing drone.
Don't you guys ever read the RFCs that are relevant for you?
If they are geeks then how about a news article with topic "Company XXX subscriber list compromised and spämming viruses". That would probably incite a response and get the issue fixed.
I created a special email address for Starbucks several years ago, starbucks@mydomain.com, and I started getting spam on it within weeks after giving it to them. And this wasn't just "legitimate" third party spam, but was penis enlargement type spam. I set a gmail filter to always trash anything coming to that address, and every time I check the trash there are still a bunch of spam emails coming in to that address. So I don't know whether Starbucks sold the address to a third party who may or may not have sold it to someone else, or whether it was stolen from Starbucks, or what.
Or anything else for that matter.
How much money is there in them to care?
Costs: time, trouble (and possibly someone has to admit they fucked up).
Gains: nothing whatsoever
So expect action thereafter. If you did expect anything else, you are either stupid or naive.
IMHO, there needs to be a list of companies that sell e-mail addresses so users can know before registering with them. I've used the same approach as the OP and have accumulated quite a blacklist over the years. Here are the companies that have spammed me recently:
There are plenty of older forums, but I figure it wouldn't be fair to list them for being hacked several years ago. Several retailers also made the list, but I blocked them for persistence rather than third party spam.
An email address travels through several systems between you and the other side. This applies to the time when you fill in your email address in a web form, and even more so when the company sends out emails to your address.
Thus, it may be premature to conclude that the fault is with the company. Eavesdropping may have occurred at any of the intermediate systems.
I also use the same system. I've had 2 notable cases. One was ft.com who just ignored the fact that their subscriber base was hacked. The better result was from thebookdepository.com (now Amazon) 3yrs ago; they actually admitted the breach in an email to me but did nothing to notify those affected afaik. Mostly the reports I send are ignored. The UK now has laws to force companies to disclose breaches of personal info...
First, no news is good news.
Second, You are already on that spammers list. You shouldn't expect to suddenly stop receiving spam.
Third, here are two tests to consider to take away any doubts.
1) Rule out man in the middle attack.
It's very possible for your (or any intermediate) machine to be infected and passed along your keystrokes or detected email addresses in network packets.
If you could set up a scenario where this is ruled out. Register on a different (clean) machine, using a different email address, possibly using https or VPN.
2) Confirm that the machine/list is still compromised.
Covered by test 1 actually, watching incoming email (compared to your existing spam case) this tells you that it's not an old list being circulated, but that new addresses are included in the next spam batch.
Hivemind harvest in progress..
When I have reported this, every time I was told that it was my problem, that I had a virus, or that I was an idiot/a troll/etc. Never did anyone take any responsibility or take any action.
You need to find the worm your server has, (you know the one that is controlling exim, or giving enough shell to access to echo "spam" into your ~/var/mail/queue)
does the box have a firewall? have you shut off smtp and pop3 ports?
don't you have some log files to tell which server connected? (even a hacked bbs in 96 had logs)
are your exim log files turned off? Do you know which directory your exim.log is in? exim exim4 whatever. I'd killall -9 exim4 then rename that fucker to fuckexim4fuck. Lets see the mail get in now bitchez! need to reverse it, rename it back and re-test.
mcafe avira f-prot virus scan results on the box?
My GUT says your box is compromised. someone in ~/home/phpscript 777 then they uploaded a kit, libs in ~/tmp ~/var ~/etc
Could be coming in on some fucked up php scripts. scan the shit out of ~/home/~users or lower their access level! Are there some php WRITE dir's in your users scripts? I bet. looking for 777 dirs, missing .htaccess worm binaries and libs in ~/ram ~/var I'd be doing a sanity check looking at everything with mc.
What does the network light on that box look like is it glowing red? I'd grep the logs for the top 1000 attacks. Then BAN the top 100, sort, analyze, find cidr's, rinse and repeat soon you will probably have all of .cn .ar .fr .ru and all the proxies blocked. heh, ya know, go ahead, block a whole country. I would.
If the mail is hacked by the worm locally, there doesn't have to be any from: line in the email. Since I can simply copy files to your inbox like this one.
I'd be getting me a .htaccess "DENY FROM ALL" in every directory stat. checking logs, checking firewall, hosts/hosts.allow/hosts.deny kill and rename (exim/exim4 whatever)
I'd scrutinize everyone with sysad root access, it may be the box needs a wipe/format.
If you can't do this stuff, then you're not really an admin and you SHOULD SHUT YOUR FUCKING BOXS OFF! don't create emergencies for people you connect to and connecting to you (e.g. other users and ISP hosts.) Be honest, that's it, go get em!
IF it's an unmanaged box, I would ftp backup the whole thing. Then call and pay to have it re-formatted. Next time you will stay up with the patching. Next time you will run nginx or modsec. Next time you won't have a mail system (exim) at all, one less service. I would go so far as to say, even with an unmanaged box, I would outsource the email to someone competent. Or build another box, and it does the email. You've always got too many ports and shit running on your system, I don't care who the fuck you are, your not disciplined to open and close ports, so KILL the services you don't use. Rename their binary executable, break them yank their ~/etc/rc.startup's
you really haven't given us enough information to torch your ass
if the blame truly is on someone else, well good luck.
I would just ban their fucking cidr. and stop paying them, find someone else, but that's me.
If these types of fuckup are not you then it's all good, I'm sorry, I'll buy the beer, however I bet there's at least one out there reading that this message is spot on for. The one that has no god damn firewall, and these ports are all open, services running and the blinking lights are glowing red on. Wire cutters is what you need.
Passing something "up the chain" is a sure fire way to ensure it gets lost. And notifying a company behind-the-scenes of a security issue has a success rate so low, it could still legally drive.
It's good to give them the chance. Once. With a short time for a reply. Make sure you tell them you expect a reply until (insert date). If they don't reply, or bullshit you, go full disclosure with names and details. Bad publicity is about the only thing you can create that gets a company into motion.
If there is applicable legislation and an official you can contact, do that as well. Many states and countries require companies to disclose known data breaches.
Assorted stuff I do sometimes: Lemuria.org
Is your mail hosted at Network Solutions?
If so, I have a friend in the same boat. They've recently switched their cheapest hosting solution to no longer filter SPAM; in order to get SPAM filtering, you have to "upgrade" to a more expensive hosting solution. They've decided that they can monetize SPAM filtering, and so they've discontinued it from the cheap accounts to incentivize you to upgrade to a more expensive account - or just switch providers to one that SPAM filters, but they figure you won't do that.
Note that my friend expected, like you, that the email addresses the SPAM started coming in on were also unknown, but they were common enough address names, and the SPAMmers tend to target entire dictionaries until they find ones that don't bounce, so even things like "movies123@" started getting the SPAM. This isn't necessarily what you're seeing, since you aren't actually giving a lot of useful diagnostic information in your question, but it's a possibility.
You're doing it wrong anyway. I do the same shit with my domains. I register AccountXTAOHEU@MySite.com if it's some one off place. Then after I've confirmed my email address I DELETE THE DAMN ADDRESS. Forward all Account*@MySite.com into /dev/null/. Oh, but what if I forget my password? Simple, I re-enable the Account*@ address, get the password reset email, and then disable it again immediately afterwards. I GET NO SPAM.
I suppose you're such a smart cookie, what with you running a damn small domain yourself and all that you obviously understand that THEIR EMAIL IS SENT UNENCRYPTED AND ANYONE SNIFFING THE DAMN TRAFFIC CAN GET YOUR ADDRESS. So, Mr. Smart guy, care to tell me how you're so fucking sure that they were compromised and not some router in the middle?
Knowing just enough to be dangerous is a BAD THING. Level up, son.
and who doesn't.
Act accordingly when buying services.
1. Open up the compromising email's headers. Locate the first ISP beyond yours -- 99% of the time it's not theirs. Contact THAT company.
2. File a complaint with the FCC. They are getting more active against exploits.
3. Locate your Attorney General's office and ask if there are any state laws against spam. There is one in Maryland that is compatible with CAN SPAM, and has been tested in the courts. If you got one, lawyer up and sue the company -- some companies only respond by judicial inquiry.
4. Blacklist the company publicly.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
There are many ways to get an email address. Having their servers compromised is only one. If you start a new account and it gets spammed right away, it's a better indication of ongoing compromise.
Ways to lose your email address to spammers:
* having the company's systems compromised.
* having local systems (your PC or email service) compromised.
* having the address sold to some scummy 3rd-party (either by the corp or an immoral employee)
* having a data-storage method containing the information lost/stolen/etc (USB stick, whatever)
* having the company "share" the data with a third-party partner, who leaks it
* having the company "share" the data with a third-party partner, who is compromised
I had definitive evidence a company had a virus on their site but they didn't seem to care. The virus was present for a few weeks until I posted the facts in their forums. They quickly remedied the problem then tried to scold me for creating a PR issue. Heck, if they responded in even a semi responsible manner (e.g. "we'll look into it, thanks") rather than telling me to pound sand they could have avoided any repercussions. I think they just didn't want to move resources from whatever they were doing to remedy the problem.
"When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. ".
The address is now known by bad guys. You can not know whether the site has corrected its problem or not if you have not changed your email in your profile and the new address is spammed.
I use Spamex to create DEAs (Disposable Email Address).
I have been surprised when these get compromised. The biggest surprise was one for the New York Times.
I let folks know, then just turn off the snagged address.
This is a very different world from when I first started using email in the early 1980s (not Internet Email, host-based and proprietary). It comes with the territory, and I have to accept it.
"For every complex problem there is an answer that is clear, simple, and wrong."
-H. L. Mencken
Since you let them know about it, they're probably trying to pin the breach on you.
A site dealing with network devices ... alias e-mail address used for registration on the site and also receiving spam lately addressed specifically to that e-mail address. In the past 24 hours the spam filter caught 18 spam e-mails addressed to that specific e-mail alias (which also was not used anywhere else).
I have to ask ... OP - is the site in question r.....f....com ?
D.
I once had this happen to me. Two companies (foo and bar). Bought something at bar and gave them my phone number and address (had to for the type of purchase). Bought something from foo and gave them my e-mail address and physical address. Then months later, I got an e-mail to foo@mydomain.com with:
Thank you for being a customer of bar....
Checked with foo, and they give your e-mail and address to a company that tracks people moving. Foo does the same thing, and that third party company says, "Oh, we have their e-mail for you that matches the address/phone number"
And forget about it.
Nobody *cares*.
Um...
My Account -> Change Email Address
I have no idea if this is the same provider that the original poster is referring to. But I have experienced this from the provider referenced here.
http://www.dslreports.com/forum/r27660966-DynDNS-Hacked-
At that time, I found this link when I started getting phishing emails at unique addresses created for these accounts. I have a pro and some free accounts... all the same behavior. Then created new addresses and started getting them at those too. And the same response from the company. Absolutely nothing. Their twitter posts from about the same time frame were the only acknowledgment that I ever saw, and those appear to have disappeared.
What did I do about it? I renewed my pro account because just about EVERY router uses them for their built in dynamic dns client. From the beginning I've always used unique passwords besides the unique email accounts. So if passwords are compromised, either once or continuing, in addition to the email list, the only thing they can do to me is mess up my dns resolution - which I know is a big deal - but something I have not yet observed.
But isn't it obvious why they'll pretend there is no problem? To publicly acknowledge this in the geek community would destroy their business.
I can't say whether or not any of my actions did anything to help the situation. 1) I contacted the business through their website with a strict tone. 2) I reported all the parties involved to their domain or ISP. That is, the site that sold my e-mail address to spammers, the address the spam was delivered from, and the site the spam is pointing to trying to collect information. 3) I reported the business to the FTC. Best case scenario is they would fine the business for negligence. Not that I am a fan of bigger government, probably nothing will come of this. 4) The fourth party involved, I was able to trace back to http://www.fishbowl.com/. It is just like it sounds, they offer a service for mailing lists and if they were ever compromised I imagine the attacker would make off with a pretty nice payload. Unfortunately, there is nothing and no one governing their security practices.
once the email address is out there, nothing really they can do, but i would at least appreciate a) a thank you email for bringing this to their attention, and a public notice stating the issue and profound apologies to the community, anything less than that deserves a public shaming
Except, to be hired as an executive for a company whose entire business involves obtaining and using personal information, wouldn't someone first have to be qualified for such a leadership position? Because the qualifications for that role include such things as understanding the industry you're in and why personal information is valuable.
If the people in the leadership roles didn't understand problems like this, then they wouldn't have been hired as leaders. Ergo, they must in fact understand the problem and its importance. Ergo, they must be deliberately choosing to ignore it.
A few years ago I enabled web access to one of my bank accounts just to check the balance. Less than a day later I started receiving phishing attacks aimed at that specific bank. It quickly became 6 or more per day. I dutifully forwarded them to the eddress the bank's website listed for reporting them, but after 3 weeks I was getting pretty annoyed. So I started including a paragraph suggesting that the bank not bother trying to trace the phishers and instead focus on finding who at the bank was selling the info. Within 2 days the phishing attacks stopped. Apparently the abuse email account was being watched by the insider. With this in mind, I suggest that you directly contact more than one person with authority in their IT department, by phone.
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Last year, I started to get spam to the email I signed up to http://www.astronomyforum.net/ so being a good net citizen I informed the admins of that forum about this. I found out that I wasn't the only one that was getting spam to addresses that were used specifically for that forum as there were three other users that were saying the same thing. What was the admin's response? Perma-banning my account on that forum.
Definitely not the expected response, but apparently it's typical behaviour of those running that site to do this once it's known that the email list was compromised.
Thankfully I had no real personal details in the database on that site, but it's a pity to see such a knee-jerk reaction to something that most real admins would be happy to know and then be able to do something about it.
What would you do in the same situation? I just walked away and blacklisted the email address used, as I am still receiving spam to it.
- This sig deliberately left blank. Nothing to see, move along.
Contact the company formally to report your concern not through friends or Facebook. Really?
If they don't respond, block 'em and forget 'em. Take your business elsewhere. Post warnings around not to use them and your reasons. That's business.
My situation was a little different. When Linuxworld.com launched back in '98 or so, it was its own site and didn't redirect to networkworld.com. Not too long after launch they made user registrations available. For some reason I was screwing with the URL in the address bar and accidentally hit enter.. they had left 'directory browsing' enabled and stored the username/email/password list in clear text inside the webroot. I emailed them and didn't get a response. The next day I emailed them the list and within an hour they disabled all user registrations, the feature was completely removed from the website but still didn't ever get a response. I never visited the site that much so I have no idea if they ever went back to it, but I still can't believe someone would develop something that stored passwords, email addresses and usernames in clear text in a flat file, inside the webroot.
Fuck Ajit Pai
So, is this company Slashdot, and this is your way letting them know that you won't let go of the issue?
I have my own domain as well, and follow the same convention as OP. Within the last month, I've been getting scam email to the address I use with (and only with) Zappos. I retired the email address.
pr0n - keeping monitor glass spotless since 1981.
Make *damned* sure that it isn't your mailserver that has somehow been compromised. Occam's Razor as to most likely hypothesis: 1) The provider of the Network Tools is compromised. 2) Your mailserver (or the server it's hosted on, if you don't actually own the machine itself) has been compromised. 3) There's some kind of mailing list with this and the provider doesn't use best BCC practices. (i.e. some other machine out in the universe got ahold of your email address and now you're getting the results of it being in the wild.)
You're really sure that #2 is completely impossible? Especially since you say you own your own mail "domain" and not your own "mailserver"? I've seen many mail domains where the underlying server was hijacked, providing open access to any tables stored on the machine. And I don't think you want the world of hurt that would ensue if you accuse somebody of unsafe practices when it turns out that your systems were actually the ones compromised. So I'd go the extra mile to check and recheck it wasn't me....
Now if it is *only* that address you're getting virusspam from, I'd like to have your recipe for email privacy. But if it is, I'll give you that it is a strong indicator that probably the PC that someone uses to administer that mailing list had been compromised.
Author: Best way to deal with the issue is simply to filter out and trash all messages from that unique address and move on with your life. Done it many times myself. If they subscribe to a service such as SendGrid, MailChimp, or the like you may be able to have their mail provider ban or warn them. Just check the headers and look up the sending server. Readers: If you add a pattern of periods in your gmail account you will still receive the mail, but it becomes a fingerprint of the original receiving list (Of course this is limited by the length of your email handle, 2^(length-1) unique addresses are possible). You can also use yourname+tag@anygoogleappsdomain.com to achieve the same effect, but some overly strict (Read: invalid) mail parsers won't accept tagged addresses.
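The dot-pattern fingerprint from the comment above, as an added example that is not part of the original post. It assumes a mailbox that ignores dots in the local part, as the comment says Gmail does; `samplename` and the numeric list ids are made up for illustration.

```python
from itertools import product


def dot_variants(local):
    """Yield every placement of single dots between the characters of `local`."""
    base = local.replace(".", "")
    for bits in product("01", repeat=len(base) - 1):
        # Pad with a final "0" so the last character never gets a trailing dot.
        yield "".join(c + ("." if b == "1" else "")
                      for c, b in zip(base, bits + ("0",)))


def encode(local, list_id):
    """Write list_id into the dot pattern: bit i set means a dot after character i."""
    base = local.replace(".", "")
    gaps = len(base) - 1
    if not 0 <= list_id < 2 ** gaps:
        raise ValueError("list_id does not fit in %d gaps" % gaps)
    out = []
    for i, ch in enumerate(base):
        out.append(ch)
        if i < gaps and (list_id >> i) & 1:
            out.append(".")
    return "".join(out)


def decode(address):
    """Recover list_id from the To: address a message arrived on."""
    local = address.split("@", 1)[0]
    list_id, pos = 0, 0
    for ch in local:
        if ch == "." and pos:          # ignore a (malformed) leading dot
            list_id |= 1 << (pos - 1)
        elif ch != ".":
            pos += 1
    return list_id


if __name__ == "__main__":
    signup = encode("samplename", 5) + "@gmail.com"   # address given to list no. 5
    print(signup, "->", decode(signup))
```

A sender who strips the dots before mailing erases the tag, so an undotted hit tells you nothing about which list leaked.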
i too, run my own mail server. i also run my own dns server. the email addresses i generate for each vendor i deal with also live in their own unique mail subdomain, meaning the subdomain has its own mx record. so, for vendor X, i will give them an email address of x@x.example.com and will create an MX record for x.example.com. i never share that address with anyone except the vendor, and i rarely will ever send an email from one of those addresses. over the years this scheme has served me well in stopping spam.
since there are no other email addresses in that vendor's mail domain, if i do start getting spam i can just delete the mx record and the mail domain. and if i do start getting spam i know that the vendor has shared my info, or their systems have been compromised.
i used this scheme for several years and never received a single spam email. that was ... until 2007, when td ameritrade's systems were compromised, and most recently just a few days ago when i received spam to the account i had created for dropbox. (there have been several other cases in between.) i sent two emails to dropbox and contacted them via two separate web forms but have heard exactly zerozilchnada from them.
the major problem for me when this happens is that it's a time sink to really do anything about it. it's very easy for me to delete the subdomain and mail address and then create a new one. but getting the vendor to even acknowledge an issue (let alone getting assurance that something is being done about it) is time consuming and frustrating.
they do have some legal obligations when their systems are compromised; public shaming them into action seems to me to be the easiest for the consumer.
(for one of the instances where this happened to me, you can visit my rant blog at http://caringcostsextra.org/2011/01/20/ewiz-com-superbiiz-com-user-data-hacked-and-compromised/)
I've also been using a unique hashed email address for every webform I've filled out in the past 10 years. It is very interesting to see where the leaks come up. Here is a short list of some of the people who (willingly or unwillingly) ratted me out to spammers ....
NYTIMES.COM
LAPLINK.COM
DIRECTV.COM
ZENBE.COM
FLUKE.COM
SHAPEWAYS.COM
INTELIUS.COM
MANDARINHOTEL.COM
TRANSCEND.COM
ROKU.COM
WALLHOGS.COM
IRR.COM
NYWATERWAY.COM
TICKETMASTER.COM
REVERSEGENIE.COM
LIVEMODERN.COM
SIDEFX.COM
MORFIK.COM
SHAPEWAYS.COM
HOEMDEPOT.COM
SPEAKEASY.NET
SOLARWINDS.COM
ENDLESSPOOLS.COM
CHECKS.COM
BUYERZONE.COM
ZEVIA.COM
MAXIMHQ.COM
If you've ever given any of these people your address, then it is likely that you can thank them for some of the spams you get every day.
I used to try and tell people that they had a problem but never got any kind of positive response so I don't bother anymore.
Typically I will kill a compromised address as soon as it starts getting spam, but I often still want to keep getting the real emails from the original website so I'll go in and update my email address to a brand new hash- and then soon start getting spams on that one. Argh.
BTW, I also use a unique hash for the return address on every email I send out. You quickly find out which of your friends are virus-prone...
-josh
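One way to build the per-site hashed addresses described in the comment above, as an added example that is not the commenter's own scheme. It assumes an HMAC tag under a private key; `SECRET`, `DOMAIN` and the vendor names are constructed placeholders.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: private key kept on your mail server
DOMAIN = "mydomain.example"        # assumption: placeholder for your own mail domain


def _tag(vendor, length=8):
    """Short, unguessable tag bound to the vendor name."""
    mac = hmac.new(SECRET, vendor.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac).decode().lower()[:length]


def address_for(vendor):
    """The address to hand to exactly one vendor."""
    vendor = vendor.lower()
    return "%s-%s@%s" % (vendor, _tag(vendor), DOMAIN)


def classify(rcpt):
    """Return (verdict, vendor) for a recipient address seen at delivery time."""
    local, _, domain = rcpt.lower().rpartition("@")
    vendor, sep, tag = local.rpartition("-")
    if domain != DOMAIN or not sep:
        return ("reject", None)            # never an address we issued
    if hmac.compare_digest(tag.encode(), _tag(vendor).encode()):
        return ("issued", vendor)          # only that vendor was given this
    return ("guessed", vendor)             # right shape, wrong tag: a guess


def leak_report(log):
    """log: iterable of (recipient, flagged_as_spam). Returns (leaking vendors, guesses)."""
    leaked, guesses = set(), 0
    for rcpt, is_spam in log:
        verdict, vendor = classify(rcpt)
        if verdict == "issued" and is_spam:
            leaked.add(vendor)
        elif verdict != "issued":
            guesses += 1
    return sorted(leaked), guesses


if __name__ == "__main__":
    # Constructed delivery log.
    log = [(address_for("vendor-a"), True),
           (address_for("vendor-b"), False),
           ("vendor-b-aaaaaaaa@" + DOMAIN, True),
           ("movies123@" + DOMAIN, True)]
    print(leak_report(log))
```

Because the tag cannot be produced without the key, spam on an issued address points at the vendor's copy of it (or your own server) and not at a dictionary run, which answers the objection raised earlier in the thread.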
Stop doing business with them, and make sure they know why.
I do this too. I've had this exact same thing happen myself, although fortunately not too frequently - maybe once a year.
Easiest thing is to reset your email address in their database to a new alternative, block the old one at the server and be done, because sending them proof that you've received spam to that email address is one thing (wow, you got spam, didn't come from us) but telling them "But yes, YOU AND ONLY YOU had this email address on your records, therefore you've been compromised because I didn't sign up to Royal Jordanian Airways with the same email address I would use to sign up to Twitter"... is another matter entirely.
Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com)