Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?
jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"
Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?
In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.
I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.
The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.
Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)
What would you recommend as my next course of action?
Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)
- How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com
- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members
It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.
I don't even bother any more. If I get spam/malware, it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog, make an entry about it and hope it shows up in Google. Or post the info here; if it gets modded up, Google will probably index it.
When information is power, privacy is freedom.
If you are hiring a security related service or any service that depends on security of information, cancel it and go somewhere else. They are obviously not worried about security and have proved that they are pretty much unreachable in case of any problem.
Either way, even if the service you are hiring it is unimportant enough to allow you to live with this kind of practices, I advise you, regardless of how right you may be about their problems, to stop wasting your time trying to help those that are not interested in being helped.
It's simple. Public Shame on likes like this and theregister.
I have to ask.....why do you care? It's not your problem. Just delete the email address and continue living your life as you normally would. You tried your best.
If you've let them know, and they ignore it, there's nothing you can do. You can't make anyone do anything.
You could publicly shame them. That runs the risk of lawsuits, and possibly being pointed to as the intruder.
All you should really do is unsubscribe from the list, and block any email coming in to that account. Unsubscribing won't stop the viruses, as the intruder has almost definitely fed it to their botnet. It may only (hopefully) keep you from being compromised in the future. The question is, do they delete unsubscribed accounts, or just change the subscription flag(s)?
It's good that you chose to use a unique account. It won't harm you when you block it. Think of all the users who used their primary account.
Serious? Seriousness is well above my pay grade.
Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
-Arthur Conan Doyle
Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.
Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.
That's why you haven't got a response. They know, but there's nothing they can do.
And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.
My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.
I do the same thing, and have had the same response...for each instance, all future messages to that e-mail address go straight to trash. Problem solved.
Tell them once. That's as good as you can do. I've had my email address compromised from a well known financial institution. Of course the person I spoke to didn't know anything about it or why it was their fault. Two years later they publicly admitted they were hacked.
I find that a lot of leaked addresses are from failed companies, whose websites no longer exist.
There are many websites out there that are compromised. You would be quite surprised. I wish there was an easy way to post these so others could know.
Or they knowingly sold your address.
I used this technique for many years (since the 90s) and one thing I've come to realize when this happens is that it's more likely that the computer used by a customer service or sales person has been infected, and that somehow your address has made it from their ERP/CRM into Outlook or another program commonly scanned by viruses like this (maybe even just the web browser cache files). So it's probably not a compromised subscriber list, just a random compromised system that happened to have a few customer email addresses accessible to the virus.
But as others have said, good luck getting anyone to admit/notice/care. Even if you can, your address is already in the spam database and it'll stay there for years. I finally gave up on custom addresses last year and just rely on Google's spam filters (esp. after finding out how few sites support plus addressing so I could do it from gmail).
This does not directly address the question, but it is topical.
I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin for Thunderbird.
It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.
It's possible the list was snagged by a disgruntled (or ex) employee who sold the list. The Powers That Be may not believe the list has been compromised. A few back channel comments and/or a FB isn't actionable proof.
I'd post to their support email line (I'm assuming they have one?) and provide the unique email address you used. Provide more detail than this post. Then if they still ignore it, share it publicly as a public service to their other customers.
I had a friend that was in a similar situation. A company that handled their mass emails had an employee grab a ~ton~ of addresses when he quit. It took a few reports, but once they realized what had happened, they acted.
Agile Artisans
What would you recommend as my next course of action?
Post the company's details to /. and hold your breath.
Is it at all possible that you're the one who was cracked, and that's how the email address got into the wild?
I've been doing that for more than ten years and I've never gotten a satisfactory response. Somebody will give your carefully-crafted letter fifteen seconds of thought and send you a form letter about phishing or clicking on sketchy links or whatever. They don't understand the dedicated email thing, or that they have a problem. So, you gave your explanation to some geeks you think will "get it", but ultimately they'll have to tell some non-geeks about it, and they'll give it fifteen seconds of consideration and dismiss it.
I've found three online flower sellers, one music equipment manufacturer, a credit reporting agency and a well-known seller of language instruction materials, and a couple I don't remember, have been compromised. Not a lot for more than a decade, but some notable failures.
No way you can win.
Same situation here with individual email addresses per recipient.
If it's spam, report it to SpamCop. After 3 spams, change the address of the individual addressee, or disable it if it's older than 3 years and not used since.
The interesting part with this game is to see how many users are putting plain email addresses in CC, so when one of the many gets compromised, everyone else on that header gets spammed.
Hi, I run my own mail domain too.
I would have re-audited my system and made really sure the leak did not come from a different attack vector before pinpointing them.
Did you parse the headers of the spam to get more clues?
Most companies won't spend time because another network administrator tells them they have something wrong. Rule one is always to prove your facts almost without a doubt otherwise they may not listen to you or take action.
Try creating another account from a clean install to see if same happens.
I always look at my own network first.
Everything I write is lies, read between the lines.
It could very well have just been guessed, the spammers' mail servers are more than likely more than capable of shotgun blasting millions of messages to $randomstring@domain.com in less time than you'd think, and if you change the replyto address, you don't even get the bouncebacks.
I hate sigs.
The list was sold. Yes, it happens more often than you think. If the company itself didn't sell it, then somebody on the inside made an extra buck. That's why nobody will acknowledge your complaint.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Simple: use the compromised list to email them telling them so.
They're using their grammar skills there.
Trivially easy to canonicalize that to YourName@gmail.com, and since that approach is so well-known, any competent spammer (not a self-contradiction, nice though it would be; there's a lot of money to be made) will be able to strip such "custom" addresses to the real address. If you want this approach to actually work, you need to blacklist the root address (yourname@) using filters (I'm assuming Gmail filters can handle that) and only accept mail that has the identifying tag.
There's no place I could be, since I've found Serenity...
First off, if you are bothering to create separate email accounts for each site, you know full well the risks of giving anyone your email address. How do you think spammers get everyone's email addresses? Tooth fairy?
Secondly, jumping to conclusions is usually not prudent. "knew immediately that either their systems or their subscriber list had been compromised"
For all we know your system could be hacked and you just don't know it or you've got a directory server or vrfy enabled and the account was brute forced.
The site could well be selling or sharing their customer list with others who are compromised or who are reselling it to spammers. They could be sending emails to other mailboxes where the user is compromised.
Thinking you know what's up is bad enough.
Thinking they owe you some sort of "official response" is whacked.
I used to be a member of a professional society. I started getting spam to the unique, tagged, address I'd used to register with them. I pointed this out on a mailing list. I got threatening notes from them about how they didn't appreciate me implying that they had sold addresses or been compromised...
Blizzard ignored queries from me about the sudden appearance of spam (from their servers, even) to unique, tagged, addresses. A week after they blew me off, there was an announcement that they'd been compromised, so maybe they actually did investigate, but they sure never got back to me in any way.
So basically, I don't think you can convince them unless they start out caring.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Star Trek Online had this happen. I had an email address specific to that site and it got spammed. Heaps of other people with similar site only email addresses mentioned the same thing on the forums. Don't know if they ever publicly admitted it.
I don't need to test my programs.. I have an error correcting modem.
Otherwise he would know that geeks don't make mistakes, and it's all your own stupidity.
If the address you used for them is the only one that has got infected emails in a small time window ...
Maybe they are afraid for their reputation.
Maybe they are the one who sold the list.
Maybe they just don't care.
It does not really matter: they failed to protect their customers.
I also have used one email address made unique for each "service" contact for years. ... unenlighted ... enough to forward a chain mail.
I don't even bother to complain anymore when something fishy happens: I simply overwrite all the (mostly already wrong) information for the benefit of their database, then delete/disable the account and delete the email address.
This also works wonders for "lesser" social contacts that may be
By the way, knowing the name of said provider would help your fellow geeks & nerds.
Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
Had the same problem, except with very obnoxious scammy spams and the company in question was Bank of America (overnight, the dedicated address went from BofA only, to dozens of such spams).
My personal guess was that these morons must have sold their list to somebody (or cross-marketed, or whatever other stupid idea one of their coked-up marketing execs came up with) who in turn sold it and so on, all the way to the darker recesses of the internets. A chain is only as weak as its weakest leak, so once they decide to sell the data, you can be certain it will end up everywhere.
Some mail hosts & websites support using +notation in email addresses (i.e. gmail & google apps). So rather than generating new email addresses for everything, I do something like myemail+webpage@mydomain.com. When you look at who the email was sent to it should repeat this same pattern.
It's likely that the informal communications channels just did not inform.
First off, I hold the idea that the list was sold to be very likely. They will never admit to that. You might want to check their privacy statement and take action according to that (see post by nemesisrocks).
But for a self-confessed geek with his/her own email domain, the OP shows an alarming lack of knowing the proper channels.
This is a problem with email, so maybe the OP should have sent a mail to 'abuse@company.com' or even 'postmaster@company.com', not placed something on the Facebook page that only gets read by some marketing drone.
Don't you guys ever read the RFCs that are relevant for you?
I created a special email address for Starbucks several years ago, starbucks@mydomain.com, and I started getting spam on it within weeks after giving it to them. And this wasn't just "legitimate" third party spam, but was penis enlargement type spam. I set a gmail filter to always trash anything coming to that address, and every time I check the trash there are still a bunch of spam emails coming in to that address. So I don't know whether Starbucks sold the address to a third party who may or may not have sold it to someone else, or whether it was stolen from Starbucks, or what.
Or anything else for that matter.
An email address travels through several systems between you and the other side. This applies to the time when you fill in your email address in a web form, and even more so when the company sends out emails to your address.
Thus, it may be premature to conclude that the fault is with the company. Eavesdropping may have occurred at any of the intermediate systems.
First, no news is good news.
Second, You are already on that spammers list. You shouldn't expect to suddenly stop receiving spam.
Third, here are two tests to consider to take away any doubts.
1) Rule out man in the middle attack.
It's very possible for your (or any intermediate) machine to be infected and to pass along your keystrokes or detected email addresses in network packets.
If you could set up a scenario where this is ruled out: register on a different (clean) machine, using a different email address, possibly using https or a VPN.
2) Confirm that the machine/list is still compromised.
Covered by test 1 actually: watching incoming email (compared to your existing spam case) tells you that it's not an old list being circulated, but that new addresses are included in the next spam batch.
Hivemind harvest in progress..
When I have reported this, every time I was told that it was my problem, that I had a virus, or that I was an idiot/a troll/etc. Never did anyone take any responsibility or take any action.
Passing something "up the chain" is a sure fire way to ensure it gets lost. And notifying a company behind-the-scenes of a security issue has a success rate so low, it could still legally drive.
It's good to give them the chance. Once. With a short time for a reply. Make sure you tell them you expect a reply by (insert date). If they don't reply, or bullshit you, go full disclosure with names and details. Bad publicity is about the only thing you can create that gets a company into motion.
If there is applicable legislation and an official you can contact, do that as well. Many states and countries require companies to disclose known data breaches.
Assorted stuff I do sometimes: Lemuria.org
Is your mail hosted at Network Solutions?
If so, I have a friend in the same boat. They've recently switched their cheapest hosting solution to no longer filter SPAM; in order to get SPAM filtering, you have to "upgrade" to a more expensive hosting solution. They've decided that they can monetize SPAM filtering, and so they've discontinued it from the cheap accounts to incentivize you to upgrade to a more expensive account - or just switch providers to one that SPAM filters, but they figure you won't do that.
Note that my friend expected, like you, that the email addresses the SPAM started coming in on were also unknown, but they were common enough address names, and the SPAMmers tend to target entire dictionaries until they find ones that don't bounce, so even things like "movies123@" started getting the SPAM. This isn't necessarily what you're seeing, since you aren't actually giving a lot of useful diagnostic information in your question, but it's a possibility.
and who doesn't.
Act accordingly when buying services.
1. Open up the compromising email's headers. Locate the first ISP beyond yours -- 99% of the time it's not theirs. Contact THAT company.
2. File a complaint with the FCC. They are getting more active against exploits.
3. Locate your Attorney General's office and ask if there are any state laws against spam. There is one in Maryland that is compatible with CAN-SPAM, and has been tested in the courts. If you've got one, lawyer up and sue the company -- some companies only respond to judicial inquiry.
4. Blacklist the company publicly.
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
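Added example (mine, not code from this comment or the thread): a Python script that does step 1 mechanically. It walks the Received: headers newest-first, trusts only the hops written by servers in your own domain, stops at the first host that handed the mail to them, and derives an abuse@ contact from that host's reverse DNS name. The sample message, the domains and the abuse@ convention are constructed assumptions; anything below the first external hop was written by untrusted servers and may be forged, so the script deliberately does not look further down.

```python
import email
import re

# Assumption: the mail domain(s) whose servers we run and therefore trust.
OUR_DOMAINS = ("example.net",)

# Constructed sample message (not from the thread): the spam was injected from a
# dynamic-IP host, relayed by its ISP, and handed to our MX, which passed it inward.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
    by mail.example.net (Postfix) with ESMTP id A1B2C3
    for <vendor-x@example.net>; Fri, 10 Jan 2014 05:02:11 +0000
Received: from relay3.isp-example.org (relay3.isp-example.org [198.51.100.25])
    by mx1.example.net (Postfix) with ESMTPS id D4E5F6
    for <vendor-x@example.net>; Fri, 10 Jan 2014 05:02:09 +0000
Received: from [192.0.2.77] (dynamic-77.isp-example.org [192.0.2.77])
    by relay3.isp-example.org (Postfix) with ESMTP id G7H8I9;
    Fri, 10 Jan 2014 05:02:05 +0000
From: "Billing" <billing@vendor-x-example.com>
To: <vendor-x@example.net>
Subject: Your invoice

Please open the attachment.
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def is_ours(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def parse_hops(raw):
    """Return the Received: hops newest-first as dicts with helo/rdns/ip/by."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(value)
        if not m:
            continue
        info = m.group("info") or ""
        ipm = IP_RE.search(info)
        # The receiving MTA writes the parenthesised part (reverse DNS and IP);
        # the bare 'from' token is only what the sender claimed in HELO.
        rdns = info.split()[0] if info and not info.startswith("[") else None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ipm.group("ip") if ipm else None, "by": m.group("by")})
    return hops


def first_external_hop(hops):
    """Walk down through our own servers; return the hop that delivered the mail to us."""
    for hop in hops:
        if not is_ours(hop["by"]):
            return None  # chain does not start at our servers: nothing here to trust
        sender = hop["rdns"] or hop["helo"]
        if not is_ours(sender):
            return hop
    return None


def abuse_contact(hop):
    """abuse@<registered domain> of the handing-off host (naive two-label split;
    check WHOIS for ccTLD second-level domains such as .co.uk)."""
    host = hop["rdns"]
    if not host:
        return None
    return "abuse@" + ".".join(host.rstrip(".").split(".")[-2:])


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    ext = first_external_hop(hops)
    print("hops parsed:", len(hops))
    print("first external hop:", ext)
    print("report to:", abuse_contact(ext))
```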
There are many ways to get an email address. Having their servers compromised is only one. If you start a new account and it gets spammed right away, it's a better indication of ongoing compromise.
Ways to lose your email address to spammers:
* having the company's systems compromised.
* having local systems (your PC or email service) compromised.
* having the address sold to some scummy 3rd-party (either by the corp or an immoral employee)
* having a data-storage method containing the information lost/stolen/etc (USB stick, whatever)
* having the company "share" the data with a third-party partner, who leaks it
* having the company "share" the data with a third-party partner, who is compromised
I had definitive evidence a company had a virus on their site but they didn't seem to care. The virus was present for a few weeks until I posted the facts in their forums. They quickly remedied the problem then tried to scold me for creating a PR issue. Heck, if they responded in even a semi responsible manner (e.g. "we'll look into it, thanks") rather than telling me to pound sand they could have avoided any repercussions. I think they just didn't want to move resources from whatever they were doing to remedy the problem.
"When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page."
The address is now known by bad guys. You cannot know whether the site has corrected its problem or not if you have not changed your email in your profile and the new address is spammed.
I use Spamex to create DEAs (Disposable Email Address).
I have been surprised when these get compromised. The biggest surprise was one for the New York Times.
I let folks know, then just turn off the snagged address.
This is a very different world from when I first started using email in the early 1980s (not Internet Email, host-based and proprietary). It comes with the territory, and I have to accept it.
"For every complex problem there is an answer that is clear, simple, and wrong."
-H. L. Mencken
Since you let them know about it, they're probably trying to pin the breach on you.
A site dealing with network devices ... alias e-mail address used for registration on the site and also receiving spam lately addressed specifically to that e-mail address. In the past 24 hours the spam filter caught 18 spam e-mails addressed to that specific e-mail alias (which also was not used anywhere else).
I have to ask ... OP - is the site in question r.....f....com ?
D.
Um...
My Account -> Change Email Address
I have no idea if this is the same provider that the original poster is referring to. But I have experienced this from the provider referenced here.
http://www.dslreports.com/forum/r27660966-DynDNS-Hacked-
At that time, I found this link when I started getting phishing emails at unique addresses created for these accounts. I have a pro and some free accounts... all the same behavior. Then I created new addresses and started getting them at those too. And the same response from the company. Absolutely nothing. Their Twitter posts from about the same time frame were the only acknowledgment that I ever saw, and those appear to have disappeared.
What did I do about it? I renewed my pro account because just about EVERY router uses them for their built in dynamic dns client. From the beginning I've always used unique passwords besides the unique email accounts. So if passwords are compromised, either once or continuing, in addition to the email list, the only thing they can do to me is mess up my dns resolution - which I know is a big deal - but something I have not yet observed.
But isn't it obvious why they'll pretend there is no problem? To publicly acknowledge this in the geek community would destroy their business.
I can't say whether or not any of my actions did anything to help the situation. 1) I contacted the business through their website with a strict tone. 2) I reported all the parties involved to their domain or ISP. That is, the site that sold my e-mail address to spammers, the address the spam was delivered from, and the site the spam is pointing to trying to collect information. 3) I reported the business to the FTC. Best case scenario is they would fine the business for negligence. Not that I am a fan of bigger government; probably nothing will come of this. 4) The fourth party involved, I was able to trace back to http://www.fishbowl.com/. It is just like it sounds: they offer a service for mailing lists, and if they were ever compromised I imagine the attacker would make off with a pretty nice payload. Unfortunately, there is nothing and no one governing their security practices.
A few years ago I enabled web access to one of my bank accounts just to check the balance. Less than a day later I started receiving phishing attacks aimed at that specific bank. It quickly became 6 or more per day. I dutifully forwarded them to the address the bank's website listed for reporting them, but after 3 weeks I was getting pretty annoyed. So I started including a paragraph suggesting that the bank not bother trying to trace the phishers and instead focus on finding who at the bank was selling the info. Within 2 days the phishing attacks stopped. Apparently the abuse email account was being watched by the insider. With this in mind, I suggest that you directly contact more than one person with authority in their IT department, by phone.
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Last year, I started to get spam to the email I signed up to http://www.astronomyforum.net/ with, so being a good net citizen I informed the admins of that forum about this. I found out that I wasn't the only one that was getting spam to addresses that were used specifically for that forum, as there were three other users that were saying the same thing. What was the admin's response? Perma-banning my account on that forum.
Definitely not the expected response, but apparently it's typical behaviour of those running that site to do this once it's known that the email list was compromised.
Thankfully I had no real personal details in the database on that site, but it's a pity to see such a knee-jerk reaction to something that most real admins would be happy to know and then be able to do something about it.
What would you do in the same situation? I just walked away and blacklisted the email address used, as I am still receiving spam to it.
- This sig deliberately left blank. Nothing to see, move along.
If they don't respond, block 'em and forget 'em. Take your business elsewhere. Post warnings around not to use them and your reasons. That's business.
My situation was a little different. When Linuxworld.com launched back in '98 or so, it was its own site and didn't redirect to networkworld.com. Not too long after launch they made user registrations available. For some reason I was screwing with the URL in the address bar and accidentally hit enter.. they had left 'directory browsing' enabled and stored the username/email/password list in clear text inside the webroot. I emailed them and didn't get a response. The next day I emailed them the list and within an hour they disabled all user registrations; the feature was completely removed from the website but I still didn't ever get a response. I never visited the site that much so I have no idea if they ever went back to it, but I still can't believe someone would develop something that stored passwords, email addresses and usernames in clear text in a flat file, inside the webroot.
Fuck Ajit Pai
I have my own domain as well, and follow the same convention as OP. Within the last month, I've been getting scam email to the address I use with (and only with) Zappos. I retired the email address.
pr0n - keeping monitor glass spotless since 1981.
Author: Best way to deal with the issue is simply to filter out and trash all messages from that unique address and move on with your life. Done it many times myself. If they subscribe to a service such as SendGrid, MailChimp, or the like you may be able to have their mail provider ban or warn them. Just check the headers and look up the sending server. Readers: If you add a pattern of periods in your gmail account you will still receive the mail, but it becomes a fingerprint of the original receiving list (Of course this is limited by the length of your email handle, 2^(length-1) unique addresses are possible). You can also use yourname+tag@anygoogleappsdomain.com to achieve the same effect, but some overly strict (Read: invalid) mail parsers won't accept tagged addresses.
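Added example (mine, not the commenter's code): a Python model of the two fingerprinting schemes described in this comment and in the earlier one about canonicalisation. It hands each vendor either a distinct dot pattern (2^(length-1) of them, as the comment counts) or a +tag, recovers the vendor from any inbound recipient address, and rejects the bare root or an unissued pattern, which is the "blacklist the root, accept only tagged mail" filter the earlier comment recommends. The mailbox name, the vendors, and the provider ignoring dots and +tags (Gmail's behaviour as the thread states it) are assumptions.

```python
import re

ROOT_LOCAL = "jetkins"      # constructed: the bare local part of the mailbox we own
ROOT_DOMAIN = "gmail.com"   # assumption: provider ignores dots and +tags in the local part


def canonical(address):
    """Fold an address to the root a spammer would target: lowercase, no dots, no +tag."""
    local, _, domain = address.partition("@")
    local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain.lower()}"


def dot_variant(local, index):
    """Spell `local` with dots placed according to the bits of `index`.

    There are len(local)-1 gaps between characters, so 2**(len(local)-1)
    distinct spellings exist, which is the count the comment above gives.
    """
    gaps = len(local) - 1
    if not 0 <= index < 2 ** gaps:
        raise ValueError("index out of range for this local part")
    out = []
    for i, ch in enumerate(local):
        out.append(ch)
        if i < gaps and (index >> i) & 1:
            out.append(".")
    return "".join(out)


def dot_index(local):
    """Inverse of dot_variant: recover the index from a dotted local part."""
    index, pos = 0, 0
    for ch in local:
        if ch == ".":
            if pos:                      # a leading dot carries no information
                index |= 1 << (pos - 1)
        else:
            pos += 1
    return index


class TaggedMailbox:
    """Records which dot pattern or +tag was handed to which vendor and judges inbound mail."""

    def __init__(self, local=ROOT_LOCAL, domain=ROOT_DOMAIN):
        self.local, self.domain = local.lower(), domain.lower()
        self.by_dots = {}      # dot index -> vendor
        self.by_tag = {}       # +tag -> vendor
        self.next_index = 1    # index 0 is the undotted root, which is never handed out

    def issue_dotted(self, vendor):
        idx = self.next_index
        if idx >= 2 ** (len(self.local) - 1):
            raise RuntimeError("dot patterns exhausted")
        self.next_index += 1
        self.by_dots[idx] = vendor
        return f"{dot_variant(self.local, idx)}@{self.domain}"

    def issue_tagged(self, vendor):
        tag = re.sub(r"[^a-z0-9]", "", vendor.lower())
        self.by_tag[tag] = vendor
        return f"{self.local}+{tag}@{self.domain}"

    def classify(self, rcpt):
        """Return (verdict, vendor). The bare root and unissued patterns are rejected,
        so a sender who canonicalised the address gains nothing from it."""
        if canonical(rcpt) != f"{self.local}@{self.domain}":
            return ("not-ours", None)
        base, _, tag = rcpt.split("@")[0].lower().partition("+")
        if tag:
            vendor = self.by_tag.get(tag)
        else:
            vendor = self.by_dots.get(dot_index(base))
        return ("accept", vendor) if vendor else ("reject", None)


if __name__ == "__main__":
    mb = TaggedMailbox()
    print(mb.issue_dotted("Starbucks"), mb.issue_tagged("Zappos"))
    for rcpt in ("j.etkins@gmail.com", "jetkins+zappos@gmail.com", "jetkins@gmail.com"):
        print(rcpt, "->", mb.classify(rcpt))
```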
i too, run my own mail server. i also run my own dns server. the email addresses i generate for each vendor i deal with also live in their own unique mail subdomain, meaning the subdomain has its own mx record. so, for vendor X, i will give them an email address of x@x.example.com and will create an MX record for x.example.com. i never share that address with anyone except the vendor, and i rarely will ever send an email from one of those addresses. over the years this scheme has served me well in stopping spam.
since there are no other email addresses in that vendor's mail domain, if i do start getting spam i can just delete the mx record and the mail domain. and if i do start getting spam i know that the vendor has shared my info, or their systems have been compromised.
i used this scheme for several years and never received a single spam email. that was ... until 2007, when td ameritrade's systems were compromised, and most recently just a few days ago when i received spam to the account i had created for dropbox. (there have been several other cases in between.) i sent two emails to dropbox and contacted them via two separate web forms but have heard exactly zerozilchnada from them.
the major problem for me when this happens is that it's a time sink to really do anything about it. it's very easy for me to delete the subdomain and mail address and then create a new one. but getting the vendor to even acknowledge an issue (let alone getting assurance that something is being done about it) is time consuming and frustrating.
they do have some legal obligations when their systems are compromised; public shaming them into action seems to me to be the easiest for the consumer.
(for one of the instances where this happened to me, you can visit my rant blog at http://caringcostsextra.org/2011/01/20/ewiz-com-superbiiz-com-user-data-hacked-and-compromised/)
I've also been using a unique hashed email address for every webform I've filled out in the past 10 years. It is very interesting to see where the leaks come up. Here is a short list of some of the people who (willingly or unwillingly) ratted me out to spammers ....
If you've ever given any of these people your address, then it is likely that you can thank them for some of the spams you get every day.
I used to try and tell people that they had a problem but never got any kind of positive response so I don't bother anymore.
Typically I will kill a compromised address as soon as it starts getting spam, but I often still want to keep getting the real emails from the original website, so I'll go in and update my email address to a brand new hash, and then soon start getting spams on that one. Argh.
BTW, I also use a unique hash for the return address on every email I send out. You quickly find out which of your friends are virus-prone...
-josh
Stop doing business with them, and make sure they know why.
I do this too. I've had this exact same thing happen myself, although fortunately not too frequently - maybe once a year.
Easiest thing is to reset your email address in their database to a new alternative, block the old one at the server and be done, because sending them proof that you've received spam to that email address is one thing (wow, you got spam, didn't come from us) but telling them "But yes, YOU AND ONLY YOU had this email address on your records, therefore you've been compromised because I didn't sign up to Royal Jordanian Airways with the same email address I would use to sign up to Twitter"... is another matter entirely.
Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com)