Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

Move On

[mrtwice99]

What would you recommend as my next course of action?

Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)

Depends...

[xlsior]

- How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com

- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

Re:Depends...

[plover]

- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

This is the first thing I thought of. I've seen small companies send out mass emails to blocks of people, sharing my name with the hundreds of other customers on the list. I've seen support postings with email addresses embedded as links behind the user names. Both of those are the faults of the companies that engaged in such behavior, but aren't quite the same as a "compromised" list.

Obviously, the author's intent was to leave himself in an anti-spam position, to be able to simply block the compromised address to stop further spam. I suggest he exercise that option and move on. He's notified them to the best of his ability. Further activity, such as trying to name-and-shame the company, could end up with their lawyers sending him cease-and-desist nastygrams. I'm not a lawyer so I can't tell him if those kinds of letters have legal merit, but if he has to hire a lawyer to get an answer to questions like thta, it could cost him money.

You're not helping, honestly

[realmolo]

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

That's why you haven't got a response. They know, but there's nothing they can do.

And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

Re:You're not helping, honestly

[hawguy]

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

That's why you haven't got a response. They know, but there's nothing they can do.

And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

Disclosing the data breach to everyone affected would be nice (and in some states is legally required), as well as letting customers know what data was breached..

Of course, this assumes that they actually know how the data leaked and which customers were affected and they probably don't.

Re:You're not helping, honestly

[erice]

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers?

I expect them to plug the hole.

A compromised system is not a one-shot embarrassment. If you don't plug the hole, whoever compromised the system the first time will keep coming back for more data or will expand the breach to other systems.

1) If it an external breach, I expect back doors to be closed, vulnerabilities patched, account passwords changed, etc. This won't likely happen overnight but simply knowing that there is a breach and what kind of a data is stolen is big help providing the admins get their heads out the sand and acknowledge that there is a problem.

2) If it an unauthorized inside job, I expect the perpetrator to eventually be found and fired for cause with at least the possibility of criminal prosecution.

3) If it is an authorized inside job, I want the practice stopped permanently and I hope to see whoever approved the policy removed.

Unfortunately, all these require work and significant risk. The easiest "solution" is to deny there is a problem and, if necessary,blame the person reporting the issue. The vast majority of people, completely ignorant on how spammers harvest address and completely dependent on services like Google to filter out the bad and not lose to much of the good are not the wiser.

Re:Is it fixed?

[Jah-Wren+Ryel]

They need to at least confirm to him that they took him seriously and are at least attempting to track down the leak so that no more addresses leak out. Chances are they've got at least one PC with malware harvesting email addresses. If that's the case, they probably have other malware too.

Compromised, you sure?

[dmomo]

Or they knowingly sold your address.

Re:Is it fixed?

[Frojack123]

Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

I agree, once its out, they are as powerless as the target is.

As for his question:

What would you recommend as my next course of action?"

1) Kill the email account, such that all mail bounces.
2) Create a new subscription account.
3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. Its not worth any more of your time or anguish.

Re:Use This Thunderbird Plugin

[Jah-Wren+Ryel]

How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

You made your bed, now sleep in it.

Re:Write threatening letters

[erice]

The only solution I've found to be the most effective is sending these companies threatening letters.

It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

Make sure you are outside of your pristine glass house before you start throwing stones.

This is incredibly easy to check. If it was local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be be pouring in to many many addresses. If it was just a single address assigned to a single company then you be pretty sure that it was their system compromised and not yours.

Re:Is it fixed?

[ghmh]

I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

e.g.

thecompany@yourdomain.com localaccount

becomes

#thecompany@yourdomain.com localaccount
thecompany2@yourdomain.com localaccount

If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.

Re:Is it fixed?

[rtfa-troll]

An please note that there are other ways of compromising email addresses; e.g. using them in plaintext on a compromised access point or a mail server between you and the company but outside their control. If you want to proove this you have to be absolutely sure about the security of the address and check that every connection is (at least) encrypted.