Slashdot Mirror


Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

57 of 247 comments

  1. Is it fixed? by CncRobot · · Score: 5, Interesting

    Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

    1. Re:Is it fixed? by Anonymous Coward · · Score: 2, Interesting

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it.

      I was about to grab the pitchforks when I read this and thought it was actually a reasonable explanation. Mod parent up.

    2. Re:Is it fixed? by hawguy · · Score: 2

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      If they don't acknowledge that there was even a problem, how would he know if it's "fixed"? Besides, if a customer list was stolen, it's likely more than just email addresses, and some states require public disclosure if personal data is stolen.

    3. Re:Is it fixed? by codegen · · Score: 4, Interesting

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      Maybe notify members of the list that the list has been compromised and they might be getting virus loaded emails?

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    4. Re:Is it fixed? by Jah-Wren+Ryel · · Score: 4, Insightful

      They need to at least confirm to him that they took him seriously and are at least attempting to track down the leak so that no more addresses leak out. Chances are they've got at least one PC with malware harvesting email addresses. If that's the case, they probably have other malware too.

      --
      When information is power, privacy is freedom.
    5. Re:Is it fixed? by hedwards · · Score: 4, Interesting

      If they do acknowledge the problem, how would he know if it's fixed? Once the data is out there, it's out there. Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

    6. Re:Is it fixed? by Zaelath · · Score: 4, Interesting

      I'd bet my left nut "a well-known provider of tools for the Systems Administration community" is Atlassian, and they claim there's no issue.

    7. Re:Is it fixed? by t4ng* · · Score: 5, Informative

      Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

      Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed my email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

      Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.

    8. Re:Is it fixed? by Frojack123 · · Score: 5, Insightful

      Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      I agree, once it's out, they are as powerless as the target is.

      As for his question:

      What would you recommend as my next course of action?

      1) Kill the email account, such that all mail bounces.
      2) Create a new subscription account.
      3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. It's not worth any more of your time or anguish.

      --
      F. Robert Jack
    9. Re:Is it fixed? by Mattcelt · · Score: 4, Interesting

      I had exactly the same issue as the OP this past week, but with a Fortune 1000 company whose business model revolves around collecting and selling information about people.

      I contacted their information security department, and sent them the emails and headers at their request. I haven't heard from them since.

      The problem is that not only did I get emails to an address that only that company has; my social security number was also in the emails. So whoever got the emails got much more personal information as well. It's clearly a case where the company should be disclosing that they had a breach. If they don't, I'm going public with what I've got.

      These companies have a responsibility to the people whose information they hold.

    10. Re:Is it fixed? by CaptQuark · · Score: 3, Informative

      One problem with publicly acknowledging the compromise is the bad guys realize they have been detected and stop connecting to the system. Our security team requires us to leave any compromised machine "as is" so they can monitor what the computer does, who it contacts, who connects to it, and how the infection is spread on the network. They will purposefully leave the machine running and let the infection spread so they can gather the maximum information about it before they pull the systems for further forensic analysis. This is standard practice at many large companies, even if they don't tell everyone about it for obvious reasons. Just because they don't reply to you doesn't mean they aren't working 16-hour days trying to stop or catch the perpetrators. Even sending you a simple e-mail saying they are reviewing the situation might be enough to scare off the bad guys if they have compromised the email system farther than just harvesting contacts.

    11. Re:Is it fixed? by Anonymous Coward · · Score: 3, Funny

      "And they may not even have any real reason to believe it happened as "some guy on facebook" says."

      Nobody reads the facebook page in the company besides the marketing slime who have no clue.
      And perhaps their astroturfers who post loving reviews of their product.
      That's about it.

    12. Re:Is it fixed? by Mattcelt · · Score: 3, Interesting

      I spoke with one of their InfoSec guys on the phone. They have my phone number, and they know that I know that my personal information was compromised. There's no excuse for not keeping me apprised, at the very least.

    13. Re:Is it fixed? by Rigrig · · Score: 2

      2) Create a new subscription account.
      3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. It's not worth any more of your time or anguish.

      Possibly skip 2) though, as "clueless operators" might not be the best choice to obtain your "tools for the Systems Administration community" from?

      --
      **TODO** [X] Steal someone elses sig.
    14. Re:Is it fixed? by ghmh · · Score: 5, Insightful

      I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

      e.g.

      thecompany@yourdomain.com localaccount

      becomes

      #thecompany@yourdomain.com localaccount
      thecompany2@yourdomain.com localaccount

      If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.

    15. Re:Is it fixed? by rtfa-troll · · Score: 4, Insightful

      And please note that there are other ways of compromising email addresses; e.g. using them in plaintext on a compromised access point or a mail server between you and the company but outside their control. If you want to prove this you have to be absolutely sure about the security of the address and check that every connection is (at least) encrypted.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    16. Re:Is it fixed? by Cederic · · Score: 2

      1) Kill the email account, such that all mail bounces.

      No. Kill the email account, such that all mail goes to /dev/null

      Don't flood the world with bounce messages. Especially if your email address is used as the 'from' address and you get 1200 bounces from other people (been there, had that).

    17. Re:Is it fixed? by Mattcelt · · Score: 2

      Filed, thanks very much for the link.

      It's funny (in a sad way) - three or four of the initial questions in the report asked if I had contacted a credit reporting agency to let them know my data had been compromised. At the top of every list was Equifax.

      And the company who was breached? The ones who leaked my SSN?

      Equifax.

    18. Re:Is it fixed? by Skewray · · Score: 2

      I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

      e.g.

      thecompany@yourdomain.com localaccount

      becomes

      #thecompany@yourdomain.com localaccount
      thecompany2@yourdomain.com localaccount

      If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.

      Personal admission: I am already at amazon5@yadayada.

    19. Re:Is it fixed? by RMingin · · Score: 2

      Ok, I'm shocked, and now in a completely different mindspace. We've been using Jira here at work for the last few months, and since approximately that same time frame, we've been getting spam, and everyone swears to me that they never got spam before. I never linked the two in my mind, but now I'm looking into it.

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    20. Re:Is it fixed? by Quirkz · · Score: 2

      Also, is the email address sufficiently non-obvious that spammers aren't just guessing it? I received one complaint from a user accusing me of selling his email to spammers. I investigated and found he'd used a two-letter username at his domain for the address, which I'm betting a spammer just guessed. When I used to have a catchall going I'd see a stream of spam come in for a@domain, adam@domain, alice@domain, b@domain, bill@domain ... etc. Any address that's very short or a common name is likely to just be guessed at some point.

    21. Re:Is it fixed? by A+Non-MS+Coward · · Score: 2

      The SMTP "RCPT TO" command (AKA the envelope To, and what PlusFiveTroll was most likely referring to with "MAIL TO") is different than the "To:" header inside the email. It is always your address, as that's how the mail actually gets routed to and accepted by the receiving mail server. The headers that address might show up in are "X-Original-To", and one of the Received headers.

      The best action to take if a unique address falls into the wrong hands is to set the receiving mail server to give a 500-level SMTP response code when that address is given to RCPT TO. This is not the same as writing a bounce message. For legitimate senders, their sending server will give them the undeliverable notice, and it will know them as an authorized user and not be sending backscatter to some random third party.

      Most spam doesn't go through real SMTP servers, it's zombie/botnet PCs throwing scripted SMTP commands at the MX servers for a list of email addresses. They ignore SMTP response codes and just move on anyway. No delivery, and no backscatter, in that case.

      What's left is spam that is sent through compromised/open-relay mail servers. People can either choose to ignore these and let the situation get worse, or draw attention to the fact there's a mail server that needs to be fixed. If everyone who gets spam from these says /dev/null it, the problem is going ignored. If you reject it with a 5xx response code, you or your mail server still isn't generating a bounce message to an unverified address. But the server it gave the 5xx code to might. And it will be traceable to that server which needs to be fixed. And that's not yours to deal with. That backscatter-creating server will likely get on blacklists if it isn't already. And then that server is likely to either be fixed or largely ignored. And overall the bigger problem gets more dealt with.

      The trick is, the SMTP response code has to be given during the SMTP session, preferably before the DATA command. If you're accepting the message and then doing content/header analysis, it's probably too late to properly reject it. If you do so at that time, you will likely be creating backscatter. Content/header analysis should be the last line of defense, not the line of defense. There are many things that can be done at SMTP time to determine what's bad, where false positives won't go to oblivion, and backscatter will be reduced to cases where a 3rd party mail server needs to be fixed.

      Also, backscatter does not normally go to the "From" header in the email (content analysis in the user mail client might do it that way, but that would be a very bad idea). It generally goes back to the SMTP "MAIL FROM:" value (AKA the envelope From), which is usually prepended to the email content as the Return-Path header. If you don't want your domain name to be a tempting pawn as a forged MAIL FROM, it doesn't hurt to set an SPF record for it, and be diligent about setting any email software you use to use the right outbound mail server for it.
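
The difference between a 5xx issued at RCPT TO and a bounce generated after the message was accepted, as an added example that is not part of the thread or of any mail server's code: a small Python simulation of the server side of one SMTP transaction with a well-behaved client. The domain, alias names and envelopes are constructed, and `rcpt_response` stands in for whatever recipient policy the real MTA applies.

```python
import re  # kept for address parsing if the transcript is later fed real lines

LOCAL_DOMAIN = "yourdomain.com"                   # constructed
VALID_RCPTS = {"me@yourdomain.com", "thecompany2@yourdomain.com"}
RETIRED_RCPTS = {"thecompany@yourdomain.com"}     # per-site alias that leaked


def rcpt_response(address):
    """Policy decision taken at RCPT TO time, before the server has seen DATA."""
    addr = address.lower()
    if not addr.endswith("@" + LOCAL_DOMAIN):
        return "554 5.7.1 Relay access denied"
    if addr in RETIRED_RCPTS:
        return "550 5.1.1 Recipient address rejected: alias retired"
    if addr not in VALID_RCPTS:
        return "550 5.1.1 Recipient address rejected: user unknown"
    return "250 2.1.5 Ok"


def content_filter_flags(recipients):
    """Stand-in for an after-DATA content/header filter. Here it only notices
    what RCPT-time policy already knew; a real filter does far more."""
    return any(rcpt_response(r).startswith("5") for r in recipients)


def run_session(envelope, reject_at_rcpt=True):
    """Play one SMTP transaction and return (transcript, dsn_to).
    transcript is a list of (client line, server reply). dsn_to is the
    address a bounce would be sent to if the message is rejected only after
    it was accepted (the backscatter victim), or None."""
    transcript = []

    def exchange(client_line, reply):
        transcript.append((client_line, reply))
        return reply

    exchange(f"EHLO {envelope['helo']}", f"250 mail.{LOCAL_DOMAIN}")
    exchange(f"MAIL FROM:<{envelope['mail_from']}>", "250 2.1.0 Ok")
    accepted = []
    for rcpt in envelope["rcpt_to"]:
        reply = exchange(f"RCPT TO:<{rcpt}>",
                         rcpt_response(rcpt) if reject_at_rcpt else "250 2.1.5 Ok")
        if reply.startswith("250"):
            accepted.append(rcpt)
    dsn_to = None
    if accepted:
        exchange("DATA", "354 End data with <CR><LF>.<CR><LF>")
        exchange("<headers and body>", "")          # no reply until the final dot
        exchange(".", "250 2.0.0 Ok: queued")
        # The server now owns the message. Rejecting it at this point means a
        # DSN to MAIL FROM, which for spam is usually a forged third party.
        if content_filter_flags(accepted):
            dsn_to = envelope["mail_from"]
    else:
        exchange("DATA", "554 5.5.1 Error: no valid recipients")
    exchange("QUIT", "221 2.0.0 Bye")
    return transcript, dsn_to


# Constructed sample: a bot forging an innocent sender and aiming at the
# leaked per-site alias, plus a legitimate mailing to the replacement alias.
SPAM_ENVELOPE = {
    "helo": "zombie-pc.example",
    "mail_from": "innocent@example.org",
    "rcpt_to": ["thecompany@yourdomain.com"],
}
LEGIT_ENVELOPE = {
    "helo": "mail.thecompany.example",
    "mail_from": "newsletter@thecompany.example",
    "rcpt_to": ["thecompany2@yourdomain.com"],
}


def print_transcript(transcript):
    for client, server in transcript:
        print("C:", client)
        if server:
            print("S:", server)


if __name__ == "__main__":
    for mode in (True, False):
        t, dsn = run_session(SPAM_ENVELOPE, reject_at_rcpt=mode)
        print(f"--- reject_at_rcpt={mode}")
        print_transcript(t)
        print("bounce would go to:", dsn)
```

With `reject_at_rcpt=True` the forged envelope never gets past RCPT TO, DATA is refused with 554, and no DSN exists to send; with `reject_at_rcpt=False` the same message is queued and the later filter can only "reject" it by bouncing to `innocent@example.org`, which is the backscatter the comment warns about. In Postfix the equivalent in-session decision is made by `smtpd_recipient_restrictions` (for instance a `check_recipient_access` table returning REJECT for retired aliases, with `reject_unlisted_recipient` covering unknown ones); that mapping is my note, not something the thread states.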

    22. Re:Is it fixed? by Andhesaidtome · · Score: 2

      ASIC actually likes to think it's qualified to advise on security too - it's a joke.

      I think you're confusing Security with security. ASIC do not generally concern themselves with the latter.

  2. Geeks rarely rule the roost by Anonymous Coward · · Score: 2, Interesting

    In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.

    1. Re:Geeks rarely rule the roost by arth1 · · Score: 4, Funny

      I just wonder what kind of System Administration list has a facebook page. The mind boggles.

    2. Re:Geeks rarely rule the roost by Gothmolly · · Score: 2, Funny

      One of these things is not like the other.

      --
      I want to delete my account but Slashdot doesn't allow it.
  3. Write threatening letters by nemesisrocks · · Score: 5, Interesting

    I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.

    The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.

    Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell).

    1. Re:Write threatening letters by robbo · · Score: 4, Interesting

      +1. You have no reason to expect an acknowledgement if you just pass it 'up the food chain'. Put it in clear legalese and look forward to a reply from their lawyer. Most likely someone on the inside sold the list for chump change.

      btw did you consider that maybe it's you that's compromised? 8-)

      --
      So long, and thanks for all the Phish
    2. Re:Write threatening letters by Frojack123 · · Score: 2

      The only solution I've found to be the most effective is sending these companies threatening letters.

      It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

      Make sure you are outside of your pristine glass house before you start throwing stones.

      --
      F. Robert Jack
    3. Re:Write threatening letters by erice · · Score: 4, Insightful

      The only solution I've found to be the most effective is sending these companies threatening letters.

      It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

      Make sure you are outside of your pristine glass house before you start throwing stones.

      This is incredibly easy to check. If it was a local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be pouring in to many many addresses. If it was just a single address assigned to a single company then you can be pretty sure that it was their system compromised and not yours.
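
The alias rotation ghmh describes earlier in the thread (comment out the leaked alias, register the next numbered one) together with the one-address-versus-many check in the comment above, as an added example that is not part of the thread or of any mail server's code. It assumes a Postfix-style virtual alias file in the layout ghmh shows (`alias@domain localaccount`, `#` retiring an entry) and that per-site aliases are the site name plus an optional generation number; the table and the spam recipients are constructed. It goes a little beyond the posts by also ignoring a `+tag` on the local part, so plus-addressed variants attribute to the same site.

```python
import re
from collections import Counter

# Constructed sample of a Postfix-style virtual alias table, in the layout
# ghmh's post shows: "alias@domain  localaccount", '#' retiring an entry.
SAMPLE_ALIASES = """\
thecompany@yourdomain.com  localaccount
#shop@yourdomain.com  localaccount
shop2@yourdomain.com  localaccount
bank@yourdomain.com  localaccount
"""

# Constructed sample of envelope recipients (RCPT TO) seen on junk mail.
SAMPLE_SPAM_RCPTS = [
    "thecompany@yourdomain.com",
    "thecompany@yourdomain.com",
    "thecompany+news@yourdomain.com",   # a plus-tag the sender kept intact
]

# local part = site name + optional generation number + optional "+tag"
LOCAL_RE = re.compile(r"^(?P<site>[a-z][a-z_.-]*?)(?P<gen>\d*)(?:\+[^@]*)?$")


def split_site(address):
    """Map an alias to (site, generation): shop2@d -> ('shop', 2), shop@d -> ('shop', 1).
    A '+tag' is ignored so plus-addressed variants still attribute correctly."""
    local = address.lower().split("@", 1)[0]
    m = LOCAL_RE.match(local)
    if not m:
        return local, 1
    return m.group("site"), int(m.group("gen") or 1)


def parse_aliases(text):
    """Return [(active, address, target)] for each non-blank table line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        address, target = line.lstrip("#").split()[:2]
        entries.append((not line.startswith("#"), address, target))
    return entries


def render_aliases(entries):
    return "".join(f"{'' if ok else '#'}{addr}  {tgt}\n" for ok, addr, tgt in entries)


def rotate_alias(text, compromised):
    """Retire the compromised alias (comment it out, as ghmh does) and add the
    next generation for the same site, delivering to the same local account.
    Returns (new_table_text, new_address)."""
    entries = parse_aliases(text)
    site, _ = split_site(compromised)
    domain = compromised.split("@", 1)[1]
    target, highest = None, 0
    for _, addr, tgt in entries:
        s, gen = split_site(addr)
        if s == site and addr.endswith("@" + domain):
            highest = max(highest, gen)          # retired generations count too
            if addr == compromised:
                target = tgt
    if target is None:
        raise KeyError(f"{compromised} is not in the alias table")
    rotated = [(ok and addr != compromised, addr, tgt) for ok, addr, tgt in entries]
    new_address = f"{site}{highest + 1}@{domain}"
    rotated.append((True, new_address, target))
    return render_aliases(rotated), new_address


def diagnose(spam_recipients, many=3):
    """erice's check: junk on one site's alias implicates that site's list;
    junk spread over many aliases implicates the owner's own side."""
    hits = Counter(split_site(r)[0] for r in spam_recipients)
    if not hits:
        verdict = "no-data"
    elif len(hits) == 1:
        verdict = "single-site"
    elif len(hits) >= many:
        verdict = "local-compromise-suspected"
    else:
        verdict = "several-sites"
    return verdict, hits


if __name__ == "__main__":
    verdict, hits = diagnose(SAMPLE_SPAM_RCPTS)
    print(verdict, dict(hits))
    table, fresh = rotate_alias(SAMPLE_ALIASES, "thecompany@yourdomain.com")
    print(table, "re-register with:", fresh)
```

Running it on the sample reports `single-site` for `thecompany` and writes back a table in which `thecompany@yourdomain.com` is commented out and `thecompany2@yourdomain.com` delivers to the same account; if the new address starts receiving junk too, the same call produces `thecompany3`, which is the "repeat until fixed or you lose trust" loop from the earlier post. The `many` threshold is a constructed cut-off, not a figure from the thread.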

    4. Re:Write threatening letters by Jah-Wren+Ryel · · Score: 2

      btw did you consider that maybe it's you that's compromised? 8-)

      If he were, then he would get the same viruspam sent to many, if not all, of his email addresses instead of just one.

      --
      When information is power, privacy is freedom.
    5. Re:Write threatening letters by nemesisrocks · · Score: 2

      "I create a unique email address for each company I deal with, and each website I register on."

      Why on earth would someone create a mail address just to register to a website when mailinator with their gazillion aliases exists?

      $ mysql maildb -e "INSERT INTO aliases VALUES ('mythrowawaylogin@mydomain.com', 'mylogin')"

      Ah, the joys of postfix+mysql and your own domain. Someone spams you, and you don't click the unsubscribe, you just drop the alias

      I even have an alias on my phone to do it for me when I'm out in meatspace.

    6. Re:Write threatening letters by pepsikid · · Score: 2

      I create unique email addresses too. I run a catch-all mailbox, so my scheme doesn't do much to prevent me getting spam. It tells me who has been compromised and I can be a good citizen and let them know. I give them one fair chance, and if they don't respond, or if they're retaliatory towards me, then feck 'em. Nobody ever gets my "real" email address. Most websites simply never respond to my information. If it's a blogger, they infrequently respond, but just to express doubt, and interrogate me about my unique email policy on the grounds that I'm violating some unwritten "real identity" rule of theirs. They can be real jerks to me, the friendly messenger. One major website swore they were secure but had been compromised once over a year before. Since my email naming convention is websitenameyeardate@mydomain, I could prove my email had been harvested much more recently. They still flat out said "didn't happen". Otherwise, almost none of my spam comes from "unique" addresses.

      There is a small handful of once-valid addresses I used as a blogger and forum commenter which continue to get email after many years, even though my email server properly rejects them as unknown mailboxes. Strangely, most spam sent to me is constructed using common names like admin@ contact@ info@ and a short list of Asian firstnames@ of all things. If a particular address gets enough activity, I will add it to my blacklist. Setting the server to reject connections from unregistered email servers actually blocks far more spam than complex rules could.

      The most interesting episode was when I kept getting repeated attempts to relay an email to a particular address. I could see by that address, that the recipient was local to me and contacted him. He found his mailbox maxed out with these test emails from servers which -were- relaying. He'd registered at websites using that email address and used the same password everywhere, so when one website was eventually compromised, they tried his password on Road Runner, and had themselves a handy mailbox to dump email relay test results into.

    7. Re:Write threatening letters by man_of_mr_e · · Score: 2

      There are many ways that an email address can get compromised that are not the direct fault of the company you gave it to.

      Since emails are sent in plain text, over the open internet, all it takes is someone sniffing somewhere along the line and collecting email addresses.

      Your original "subscription" may have been over SSL, but the subsequent emails they send out are not.

    8. Re:Write threatening letters by AK+Marc · · Score: 4, Interesting

      Has there ever, in the history of the modern Internet, been a proven case of someone "sniffing" something from "the Internet" (defined for this to be beyond the first provider and not as a part of the last provider), aside from government nodes? You might as well be afraid that the aliens are reading your thoughts from orbit.

    9. Re:Write threatening letters by julesh · · Score: 2

      "I create a unique email address for each company I deal with, and each website I register on."

      Does nobody of you morons know of mailinator.com?

      Why on earth would someone create a mail address just to register to a website when mailinator with their gazillion aliases exists?

      Just give them mythrowawaylogin@mailinator.com as email address, read it _once_ to click the confirmation link and forget it.

      Reason 1: there are plenty of people using services like this - http://www.block-disposable-email.com/cms/
      Reason 2: I may want to establish an ongoing relationship with a company (e.g. receive newsletters, etc) rather than just have a fire & forget initial contact
      Reason 3: Having email coming to my inbox is more convenient than having to open a web site to view it. (I have a regexp-based email setup that allows me to just make up addresses that match a pattern, and I can add individual addresses to my spam filter if they become compromised, so it's actually easier than using mailinator).

    10. Re:Write threatening letters by dissy · · Score: 2

      Most likely someone on the inside sold the list for chump change.

      Another possibility is one of their desktop computers got infected with malware that grabbed the Outlook global address book and email contact history and sent it back to the mothership.

      These things were notorious a couple years back. If the domain does not use SPF records (and even sometimes if it does) using the address book for forged From addresses while sending to the addresses found in the Sent box and contact lists, it has a decent chance of hitting a white-list and getting by more spam filters than it normally would otherwise.

      Once one PC is infected by a drive by download or something and grabs the Outlook data, the spammers have a nice list of valid addresses and names to send emails with infected attachments to, to hopefully grab other people's contact lists and sent box items to broaden the attack.

      Unfortunately not every mail server admin has the luxury of simply blocking anything incoming matching "If the To address is not our domain, or the From address IS our domain"
      Worse, it's rare to be blessed with users who never open attachments even if the From address appears to be someone they have had contact with before.

      I can't really say which option is actually more likely than the other, but I would think both rank pretty high up there on the possibility charts.

      In both cases the situation could very well not be the fault of the company itself, but only in the case of infection would the IT staff likely discover early on what happened. If an email list was sold off by an (ex)employee they can't realistically know until reports come in telling them like the poster has sent.

      Of course that isn't to say it definitely is not the fault of the company, one way or another.
      Lax security would make matters that much worse, but as we all know Windows can quite easily destroy any attempts made at being secure. Then there is the disgruntled employee selling off the email list, yet he/she could have become disgruntled for a valid reason.

      But their complete lack of response is at best impolite and at worst indicative of not even caring.
      I can understand why they wouldn't necessarily want to confirm the problem or provide details to "some outside 3rd party", but they could have at the very least acknowledged receiving his email and stated they will look into it.

    11. Re:Write threatening letters by faedle · · Score: 2

      As someone who has spent his entire life working at various ISPs, the answer is "yes."

  4. Move On by mrtwice99 · · Score: 5, Insightful

    What would you recommend as my next course of action?

    Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)

    1. Re:Move On by Rinnon · · Score: 2

      Nothing. Seriously. You tried, they didn't listen. Typical. Now find someone more deserving of your business to spend your money on. :)

      There, fixed that for you. =)

  5. Depends... by xlsior · · Score: 5, Insightful

    - How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com

    - Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

    1. Re:Depends... by ssfire · · Score: 5, Interesting

      Yup. When I set up an account with Ameritrade, I initially created an email address ameritrade@mydomain.com. Then I started getting spam on it. But the spammers might have guessed that email address. So I created a new non-guessable email address ameritrade_29478763@mydomain.com. But then I started getting spam on that. So I notified Ameritrade. No response, so I closed my account. A few months later, there was a news item that a trojan running on the Ameritrade servers had compromised 6.3 million email addresses.

    2. Re:Depends... by whoever57 · · Score: 2

      I (not the submitter) frequently use +@. It is quite clear that at least one site where I registered has let their subscriber list escape. But what is funny is that the scripts or programs that the spammers use frequently don't process the "+" addresses properly. So my mailserver rejects lots of emails that are sent to non-existent addresses in the form: @.

      --
      The real "Libtards" are the Libertarians!
    3. Re:Depends... by plover · · Score: 3, Insightful

      - Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

      This is the first thing I thought of. I've seen small companies send out mass emails to blocks of people, sharing my name with the hundreds of other customers on the list. I've seen support postings with email addresses embedded as links behind the user names. Both of those are the faults of the companies that engaged in such behavior, but aren't quite the same as a "compromised" list.

      Obviously, the author's intent was to leave himself in an anti-spam position, to be able to simply block the compromised address to stop further spam. I suggest he exercise that option and move on. He's notified them to the best of his ability. Further activity, such as trying to name-and-shame the company, could end up with their lawyers sending him cease-and-desist nastygrams. I'm not a lawyer so I can't tell him if those kinds of letters have legal merit, but if he has to hire a lawyer to get an answer to questions like that, it could cost him money.

      --
      John
    4. Re:Depends... by whoever57 · · Score: 2

      Another problem with using "plus addressing" as I describe above is that I have come across legitimate companies who use a website for unsubscribe requests, but their website will not process the address I used.

      How to unsubscribe then?

      --
      The real "Libtards" are the Libertarians!
  6. Public Shaming by Jah-Wren+Ryel · · Score: 4, Interesting

    It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.

    I don't even bother any more. I get spam/malware, it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog make an entry about it and hope it shows up in google. Or post the info here, if it gets modded up google will probably index it.

    --
    When information is power, privacy is freedom.
  7. That is what I would do by fredprado · · Score: 3

    If you are hiring a security related service or any service that depends on security of information, cancel it and go somewhere else. They are obviously not worried about security and have proved that they are pretty much unreachable in case of any problem.

    Either way, even if the service you are hiring is unimportant enough to allow you to live with this kind of practice, I advise you, regardless of how right you may be about their problems, to stop wasting your time trying to help those that are not interested in being helped.

  8. Once You Eliminate The Impossible... by guttentag · · Score: 3, Interesting

    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
    -Arthur Conan Doyle

    Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.

  9. You're not helping, honestly by realmolo · · Score: 5, Insightful

    Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

    That's why you haven't got a response. They know, but there's nothing they can do.

    And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

    My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

    1. Re:You're not helping, honestly by hawguy · · Score: 4, Insightful

      Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

      That's why you haven't got a response. They know, but there's nothing they can do.

      And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

      My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

      Disclosing the data breach to everyone affected would be nice (and in some states is legally required), as well as letting customers know what data was breached.

      Of course, this assumes that they actually know how the data leaked and which customers were affected and they probably don't.

    2. Re:You're not helping, honestly by erice · · Score: 3, Insightful

      Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers?

      I expect them to plug the hole.

      A compromised system is not a one-shot embarrassment. If you don't plug the hole, whoever compromised the system the first time will keep coming back for more data or will expand the breach to other systems.

      1) If it is an external breach, I expect back doors to be closed, vulnerabilities patched, account passwords changed, etc. This won't likely happen overnight but simply knowing that there is a breach and what kind of data is stolen is a big help, provided the admins get their heads out of the sand and acknowledge that there is a problem.

      2) If it is an unauthorized inside job, I expect the perpetrator to eventually be found and fired for cause with at least the possibility of criminal prosecution.

      3) If it is an authorized inside job, I want the practice stopped permanently and I hope to see whoever approved the policy removed.

      Unfortunately, all these require work and significant risk. The easiest "solution" is to deny there is a problem and, if necessary, blame the person reporting the issue. The vast majority of people, completely ignorant of how spammers harvest addresses and completely dependent on services like Google to filter out the bad and not lose too much of the good, are none the wiser.

  10. Compromised, you sure? by dmomo · · Score: 4, Insightful

    Or they knowingly sold your address.

  11. Use This Thunderbird Plugin by Jah-Wren+Ryel · · Score: 4, Informative

    This does not directly address the question, but it is topical.

    I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin for Thunderbird.

    It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.

    --
    When information is power, privacy is freedom.
    1. Re:Use This Thunderbird Plugin by Jah-Wren+Ryel · · Score: 3, Insightful

      How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

      You made your bed, now sleep in it.

      --
      When information is power, privacy is freedom.
  12. Re:Another possibility. by seebs · · Score: 2

    People keep suggesting this, but time and again we find that the reason that highly specific tagged addresses are getting spammed is that someone leaked or compromised a list.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
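    A small audit script for the approach this thread keeps coming back to (an added example, not code from any commenter): given raw messages, it groups mail to each plus-tagged address by sender domain and flags any tag that receives mail from anyone other than the single provider it was handed to. The domain example.net, the REGISTRY mapping and the four sample messages are constructed for the demonstration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry (hypothetical): plus-tag -> domain of the only
# party that was ever given user+tag@example.net.
REGISTRY = {
    "sysadmintools": "sysadmin-tools.example",
    "bank": "bank.example",
}

# Our own tagged address form: user+tag@example.net (constructed domain).
TAG_RE = re.compile(r"^[^+@]+\+([^@]+)@example\.net$")


def tag_of(addr):
    """Return the plus-tag of one of our own addresses, or None."""
    m = TAG_RE.match(addr.strip().lower())
    return m.group(1) if m else None


def audit(raw_messages):
    """Map each registered tag to the unexpected sender domains that used it.

    A tag in the result means an address handed to exactly one provider is
    now being mailed by someone else: the leak indicator the thread describes.
    """
    unexpected = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        _, sender = parseaddr(msg.get("From", ""))
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
                   + msg.get_all("Delivered-To", []))
        for _, addr in getaddresses(headers):
            tag = tag_of(addr)
            if tag in REGISTRY and sender_domain != REGISTRY[tag]:
                unexpected[tag].add(sender_domain)
    return {tag: sorted(doms) for tag, doms in unexpected.items()}


# Constructed sample mail: one legitimate message per provider, plus two
# unsolicited messages to the address only ever given to the tools vendor.
SAMPLE = [
    "From: news@sysadmin-tools.example\nTo: me+sysadmintools@example.net\n\nnewsletter\n",
    "From: alerts@bank.example\nTo: me+bank@example.net\n\nstatement\n",
    "From: bob@spam.example\nTo: Me+SysAdminTools@example.net\n\nopen attachment\n",
    "From: eve@other-spam.example\nDelivered-To: me+sysadmintools@example.net\n\nhi\n",
]
```

    Running audit(SAMPLE) reports only the sysadmintools tag, with the two sender domains that were never given that address; the bank tag stays clean because its only mail came from bank.example.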
  13. Or even just a polite letter, or phone call by dbIII · · Score: 2

    It's likely that the informal communications channels just did not inform.

  14. Full Disclosure by Tom · · Score: 2

    Passing something "up the chain" is a sure fire way to ensure it gets lost. And notifying a company behind-the-scenes of a security issue has a success rate so low, it could still legally drive.

    It's good to give them the chance. Once. With a short time for a reply. Make sure you tell them you expect a reply until (insert date). If they don't reply, or bullshit you, go full disclosure with names and details. Bad publicity is about the only thing you can create that gets a company into motion.

    If there is applicable legislation and an official you can contact, do that as well. Many states and countries require companies to disclose known data breaches.

    --
    Assorted stuff I do sometimes: Lemuria.org