Forgot your password?
typodupeerror
Security IT

Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised? 247

Posted by Soulskill
from the you-can-lead-a-horse-to-water dept.
jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

Comments Filter:
  • Is it fixed? (Score:5, Interesting)

    by CncRobot (2849261) on Sunday February 24, 2013 @11:10PM (#42999979)

    Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it.

      I was about to grab the pitchforks when I read this and thought it was actually a reasonable explanation. Mod parent up.

      • Re:Is it fixed? (Score:5, Insightful)

        by ghmh (73679) on Monday February 25, 2013 @03:05AM (#43000975)

        I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

        e.g.

        thecompany@yourdomain.com localaccount

        becomes

        #thecompany@yourdomain.com localaccount
        thecompany2@yourdomain.com localaccount

        If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.

        • Re:Is it fixed? (Score:4, Insightful)

          by rtfa-troll (1340807) on Monday February 25, 2013 @03:37AM (#43001063)
          An please note that there are other ways of compromising email addresses; e.g. using them in plaintext on a compromised access point or a mail server between you and the company but outside their control. If you want to proove this you have to be absolutely sure about the security of the address and check that every connection is (at least) encrypted.
          • by Quirkz (1206400)
            Also, is the email address sufficiently non-obvious that spammers aren't just guessing it? I received one complaint from a user accusing me of selling his email to spammers. I investigated and found he'd used a two-letter username at his domain for the address, which I'm betting a spammer just guessed. When I used to have a catchall going I'd see a stream of spam come in for a@domain, adam@domain, alice@domain, b@domain, bill@domain ... etc. Any address that's very short or a common name is likely to just b
        • by Skewray (896393)

          I do the same thing as the author in the article. To confirm this you need to change the email address you received the spam from at the same time you notify the company.

          e.g.

          thecompany@yourdomain.com localaccount

          becomes

          #thecompany@yourdomain.com localaccount thecompany2@yourdomain.com localaccount

          If 'thecompany2' address gets spam they're still compromised. Repeat until fixed or you lose trust in 'thecompany'.

          Personal admission: I am already at amazon5@yadayada.

    • by hawguy (1600213)

      Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      If they don't acknowledge that there was even a problem, how would he know if it's "fixed"? Besides, if a customer list was stolen, it's likely more than just email addresses, and some states [wikipedia.org] require public disclosure if personal data is stolen.

      • Re:Is it fixed? (Score:5, Interesting)

        by hedwards (940851) on Sunday February 24, 2013 @11:55PM (#43000221)

        If they do acknowledge the problem, how would he know if it's fixed? Once the data is out there, it's out there. Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

        • Re:Is it fixed? (Score:5, Informative)

          by t4ng* (1092951) on Monday February 25, 2013 @12:44AM (#43000431)

          Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

          Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed by email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

          Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.

    • Re:Is it fixed? (Score:5, Interesting)

      by codegen (103601) on Sunday February 24, 2013 @11:21PM (#43000075) Journal

      Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      Maybe notify members of the list that the list has been compromised and they might be getting virus loaded emails?

    • Re:Is it fixed? (Score:5, Insightful)

      by Jah-Wren Ryel (80510) on Sunday February 24, 2013 @11:21PM (#43000079)

      They need to at least confirm to him that they took him seriously and are at least attempting to track down the leak so that no more addresses leak out. Chances are they've got at least one PC with malware harvesting email addresses. If that's the case, they probably have other malware too.

    • Re:Is it fixed? (Score:5, Interesting)

      by Zaelath (2588189) on Monday February 25, 2013 @12:27AM (#43000373)

      I'd bet my left nut "a well-known provider of tools for the Systems Administration community" is Atlassian, and they claim there's no issue.

      • by RMingin (985478)

        Ok, I'm shocked, and now in a completely different mindspace. We've been using Jira here at work for the last few months, and since approximately that same time frame, we've been getting spam, and everyone swears to me that they never got spam before. I never linked the two in my mind, but now I'm looking into it.

    • by Z00L00K (682162)

      Looking into the headers of the mails would provide enough information to reveal if the infected mails originates from the company or from another source.

      Changing your mail address to another for the company may be another way around it.

    • Re:Is it fixed? (Score:5, Insightful)

      by Frojack123 (2606639) on Monday February 25, 2013 @12:52AM (#43000483)

      Maybe they did fix the issue, but its difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

      I agree, once its out, they are as powerless as the target is.

      As for his question:

      What would you recommend as my next course of action?"

      1) Kill the email account, such that all mail bounces.
      2) Create a new subscription account.
      3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. Its not worth any more of your time or anguish.

      • by Rigrig (922033)

        2) Create a new subscription account.
        3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. Its not worth any more of your time or anguish.

        Possibly skip 2) though, as "clueless operators" might not be the best choice to obtain your "tools for the Systems Administration community" from?

      • by Cederic (9623)

        1) Kill the email account, such that all mail bounces.

        No. Kill the email account, such that all mail goes to /dev/null

        Don't flood the world with bounce messages. Especially if your email address is used as the 'from' address and you get 1200 bounces from other people (been there, had that).

    • They should at least respond, better yet warn the users.

      I'm on my third or fourth linkedin email despite having it non-visible. They never responded to any messages.

    • Exactly,
      Besides most companies don't like saying what they did wrong so they probably fix the problem, then tried to keep it quiet. Being that social media now adays spreads and exadurates every bad news, there is no insentive to make their problems public, unless they really have too.

    • Well, they could at least publically acknowledge the breach...

  • by Anonymous Coward

    In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.

    • by JWSmythe (446288)

      ^ ^ ^ ^ This too. It's a sysadmin list, so I'd hope they understand the problem, but there are plenty of PHB that get in the way.

      • by arth1 (260657) on Sunday February 24, 2013 @11:20PM (#43000059) Homepage Journal

        I just wonder what kind of System Administration list has a facebook page. The mind boggles.

        • Re: (Score:3, Funny)

          by Gothmolly (148874)

          One of these things is not like the other.

        • by Z00L00K (682162)

          And Facebook is the primary channel today of spreading malware. Social engineering combined with trojans are quite effective.

          • by adolf (21054)

            And Facebook is the primary channel today of spreading malware. Social engineering combined with trojans are quite effective.

            ...except against competent system administrators.

            Yeah, I've got a Facebook account. So what? I'd be more than happy to tell you all about the last time that I was social-engineered into doing something with a computer, but it simply hasn't ever happened.

  • by nemesisrocks (1464705) on Sunday February 24, 2013 @11:11PM (#42999989) Homepage

    I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.

    The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.

    Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)

    • by robbo (4388) <slashdot@simra . n et> on Monday February 25, 2013 @12:09AM (#43000295)

      +1. You have no reason to expect an acknowledgement if you just pass it 'up the food chain'. Put it in clear legalese and look forward to a reply from their lawyer. Most likely someone on the inside sold the list for chump change.

      btw did you consider that maybe it's you that's compromised? 8-)

      • btw did you consider that maybe it's you that's compromised? 8-)

        If he were, then he would get the same viruspam sent to many, if not all, of his email addresses instead of just one.

      • by dissy (172727)

        Most likely someone on the inside sold the list for chump change.

        Another possibility is one of their desktop computers got infected with malware that grabbed the Outlook global address book and email contact history and sent it back to the mothership.

        These things were notorious a couple years back. If the domain does not use SPF records (and even some times if it does) using the address book for forged From addresses while sending to the addresses found in the Sent box and contact lists, it has a decent chance of hitting a white-list and getting by more spam filters tha

    • The only solution I've found to be the most effective is sending these companies threatening letters.

      It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

      Make sure you are outside of your pristine glass house before you start throwing stones.

      • by erice (13380) on Monday February 25, 2013 @01:21AM (#43000595) Homepage

        The only solution I've found to be the most effective is sending these companies threatening letters.

        It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

        Make sure you are outside of your pristine glass house before you start throwing stones.

        This is incredibly easy to check. If it was local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be be pouring in to many many addresses. If it was just a single address assigned to a single company then you be pretty sure that it was their system compromised and not yours.

        • There are many ways that an email address can get compromised that are not the direct fault of the company you gave it to.

          Since emails are sent in plain text, over the open internet, all it takes is someone sniffing somewhere along the line and collecting email addresses.

          Your original "subscription" may have been over SSL, but the subsequent emails they send out are not.

          • by AK Marc (707885) on Monday February 25, 2013 @03:12AM (#43000987)
            Has there ever, in the history of the modern Internet, been a proven case of someone "sniffing" something from "the Internet" (defined for this to be beyond the first provider and not as a part of the last provider), aside from government nodes? You might as well be afraid that the aliens are reading your thoughts from orbit.
            • by faedle (114018)

              As someone who has spent his entire life working at various ISPs, the answer is "yes."

        • by SeaFox (739806)

          It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

          Make sure you are outside of your pristine glass house before you start throwing stones.

          This is incredibly easy to check. If it was local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be be pouring in to many many addresses. If it was just a single address assigned to a single company then you be pretty sure that it was their system compromised and not yours.

          Unless the spammers know that he knows that he only gave the address to one company, so they only used one of the many addresses they harvested to spam him, casting suspicion on that company so he wont think to check his own PC, allowing them to collect a nice list of other email addresses from people he is affiliated with. That way, they get 100 addresses from 100 people, instead of 100 addresses from one guy with his own domain. /paranoia

    • It's likely that the informal communications channels just did not inform.
    • by pepsikid (2226416)

      I create unique email addresses too. I run a catch-all mailbox, so my scheme doesn't do much to prevent me getting spam. It tells me who has been compromised and I can be a good citizen and let them know. I give them one fair chance, and if they don't respond, or if they're retaliatory towards me, then feck 'em. Nobody ever gets my "real" email address. Most websites simply never respond to my information. If it's a blogger, they infrequently respond, but just to express doubt, and interrogate me about my

      • by julesh (229690)

        How long have you had your domain? I've had mine for 10 years now, and I get a really weird combination of addresses. They've built up slowly over time. Some of them are pretty bizarre and totally unrelated to any address I've ever used. Some appear to derive from corrupted address lists that have been copied over and over (my normal address is myname@mydomain, I regular receive stuff to: mynamemyname@mydomain, myname.mydomain@mydomain, yname@mydomain, etc.) Some appear to be guesses of address I might

  • Move On (Score:5, Insightful)

    by mrtwice99 (1435899) on Sunday February 24, 2013 @11:11PM (#42999993)

    What would you recommend as my next course of action?

    Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)

    • by Rinnon (1474161)

      Nothing. Seriously. You tried, they didn't listen. Typical. Now find someone more deserving of your business to spend your money on. :)

      There, fixed that for you. =)

  • Depends... (Score:5, Insightful)

    by xlsior (524145) on Sunday February 24, 2013 @11:11PM (#42999995) Homepage
    - How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com

    - Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members
    • Re:Depends... (Score:5, Interesting)

      by ssfire (1416107) on Sunday February 24, 2013 @11:42PM (#43000167)
      Yup. When I set up an account with Ameritrade, I initially created an email address ameritrade@mydomain.com. Then I started getting spam on it. But the spammers might have guessed that email address. So I created a new non-guessable email address ameritrade_29478763@mydomain.com. But then I started getting spam on that. So I notified Ameritrade. No response, so I closed my account. A few months later, there was a news item that a trojan running on the Ameritrade servers had compromised 6.3 million email addresses.
    • by whoever57 (658626)
      I (not the submittor) frequently use <myname>+<site name>@<mydomain>. It is quite clear that at least one site where I registered has let their subscriber list escape. But what is funny is that the scripts or programs that the spammers use frequently don't process the "+" addresses properly. So my mailserver rejects lots of emails that are sent to non-existent addresses in the form: <site name>@<my domain>.
      • by nabsltd (1313397)

        I (not the submittor) frequently use <myname>+<site name>@<mydomain>.

        One of the issues with this is that <myname>@<mydomain> will be delivered, too. And, if that's your "real" e-mail address, then it's now out there for spammers to hit.

        If you instead use something that doesn't rely on special address parsing (like <myname><site name>@<mydomain> or <myname>@<site name>.<mydomain>), you can just ditch the e-mail address once it is compromised. There are a couple of companies that I had to do this to simply because their "you've

        • by whoever57 (658626)

          Another problem with using "plus addressing" as I describe above is that I have come across legitimate companies who use a website for unsubscribe requests, but their website will not process the address I used.

          How to unsubscribe then?

    • Re:Depends... (Score:4, Insightful)

      by plover (150551) on Monday February 25, 2013 @12:10AM (#43000299) Homepage Journal

      - Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

      This is the first thing I thought of. I've seen small companies send out mass emails to blocks of people, sharing my name with the hundreds of other customers on the list. I've seen support postings with email addresses embedded as links behind the user names. Both of those are the faults of the companies that engaged in such behavior, but aren't quite the same as a "compromised" list.

      Obviously, the author's intent was to leave himself in an anti-spam position, to be able to simply block the compromised address to stop further spam. I suggest he exercise that option and move on. He's notified them to the best of his ability. Further activity, such as trying to name-and-shame the company, could end up with their lawyers sending him cease-and-desist nastygrams. I'm not a lawyer so I can't tell him if those kinds of letters have legal merit, but if he has to hire a lawyer to get an answer to questions like thta, it could cost him money.

    • by gregmac (629064)

      Many, many years ago when I got my first domain, I set up *@domain.com to forward to me. And about 5 minutes and several spams/garbage from the owner of the domain before me later, I turned it off.

      However, I did end up making a subdomain and forwarding everything (*@sub.mydomain.com), and I've been using it exclusively for signing up to sites ever since (I've probably been using it for ~13 years). I can think of about two occasions where I have actually got spam to any of the addresses I used, both were fro

  • Public Shaming (Score:5, Interesting)

    by Jah-Wren Ryel (80510) on Sunday February 24, 2013 @11:12PM (#42999997)

    It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.

    I don't even bother any more. I get spam/malware it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog make an entry about it and hope it shows up in google. Or post the info here, if it gets modded up google will probably index it.

    • by binarybum (468664)

      I do the same thing with email and my domain name. I suspect that while sometimes the lists are being compromised, other times the companies are selling the lists to spammers for extra cash. I do address the companies when this occurs, and usually the response is something along the lines of ' you have no idea what you are talking about, spammers use random generators and word lists - your experience is likely purely coincidental' (I call total BS on this since you would clearly be receiving all kinds of

  • by fredprado (2569351) on Sunday February 24, 2013 @11:12PM (#42999999)
    If you are hiring a security related service or any service that depends on security of information, cancel it and go somewhere else. They are obviously not worried about security and have proved that they are pretty much unreachable in case of any problem.

    Either way, even if the service you are hiring it is unimportant enough to allow you to live with this kind of practices, I advise you, regardless of how right you may be about their problems, to stop wasting your time trying to help those that are not interested in being helped.
  • If you've let them know, and they ignore it, there's nothing you can do. You can't make anyone do anything.

    You could publicly shame them. That runs the risk of lawsuits, and possibly being pointed to as the intruder.

    All you should really do is unsubscribe from the list, and block any email coming in to that account. Unsubscribing won't stop the viruses, as the intruder as almost definitely fed it to their botnet. It may only (hopefully) keep you from being

  • by guttentag (313541) on Sunday February 24, 2013 @11:17PM (#43000041) Journal

    Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
    -Arthur Conan Doyle

    Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.

  • by realmolo (574068) on Sunday February 24, 2013 @11:21PM (#43000073)

    Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

    That's why you haven't got a response. They know, but there's nothing they can do.

    And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

    My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

    • by hawguy (1600213) on Sunday February 24, 2013 @11:27PM (#43000099)

      Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

      That's why you haven't got a response. They know, but there's nothing they can do.

      And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

      My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

      Disclosing the data breach to everyone affected would be nice (and in some states is legally required), as well as letting customers know what data was breached..

      Of course, this assumes that they actually know how the data leaked and which customers were affected and they probably don't.

    • by erice (13380) on Monday February 25, 2013 @01:56AM (#43000737) Homepage

      Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers?

      I expect them to plug the hole.

      A compromised system is not a one-shot embarrassment. If you don't plug the hole, whoever compromised the system the first time will keep coming back for more data or will expand the breach to other systems.

      1) If it an external breach, I expect back doors to be closed, vulnerabilities patched, account passwords changed, etc. This won't likely happen overnight but simply knowing that there is a breach and what kind of a data is stolen is big help providing the admins get their heads out the sand and acknowledge that there is a problem.

      2) If it an unauthorized inside job, I expect the perpetrator to eventually be found and fired for cause with at least the possibility of criminal prosecution.

      3) If it is an authorized inside job, I want the practice stopped permanently and I hope to see whoever approved the policy removed.

      Unfortunately, all these require work and significant risk. The easiest "solution" is to deny there is a problem and, if necessary,blame the person reporting the issue. The vast majority of people, completely ignorant on how spammers harvest address and completely dependent on services like Google to filter out the bad and not lose to much of the good are not the wiser.

    • And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

      My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

      Being aware of attempts to get past your security is a sign of incompetence?

  • by dmomo (256005) on Sunday February 24, 2013 @11:28PM (#43000101) Homepage

    Or they knowingly sold your address.

  • by Jah-Wren Ryel (80510) on Sunday February 24, 2013 @11:33PM (#43000121)

    This does not directly address the question, but it is topical.

    I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin [absorb.it] for thunderbird.

    It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.

    • by arth1 (260657)

      How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

      Solutions that require a particular piece of software aren't. They're short-lived workarounds at best, and fetters you at worst.

      • Re: (Score:3, Insightful)

        by Jah-Wren Ryel (80510)

        How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

        You made your bed, now sleep in it.

      • by nabsltd (1313397)

        How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

        These are one-off addresses tied to each company and are used for preventing spam to a personal e-mail address, and most of them aren't ever used to send e-mail. The few times you need to, it's also usually not critical that the e-mail be answered right now (unlike a business e-mail), so you can wait a bit until you are at one of your machines with the correct software (because you aren't going to be doing this from random machines, ever, as it's still your personal e-mail).

        If you are really desperate, tho

  • It's possible the list was snagged by a disgruntled (or ex) employee who sold the list. The Powers That Be may not believe the list has been compromised. A few back channel comments and/or a FB isn't actionable proof.

    I'd post to their support email line (I'm assuming they have one?) and provide the unique email address you used. Provide more detail than this post. Then if they still ignore, share it on publicly as a public service to their other customers.

    I had a friend that was in a similar situation. A co

  • Is it at all possible that you're the one who was cracked, and that's how the email address got into the wild?

  • I've been doing that for more than ten years and I've never gotten a satisfactory response. Somebody will give your carefully-crafted letter fifteen seconds of thought and send you a form letter about phishing or clicking on sketchy links or whatever. They don't understand the dedicated email thing, or that they have a problem. So, you gave your explanation to some geeks you think will "get it", but ultimately they'll have to tell some non-geeks about it, and they'll give it fifteen seconds of consideration

  • No way you can win.
    Same situation here with individual email addresses per recipient.

    If it's SPAM - report to Spamcop. After 3 SPAM's change address of individual addressee or disable it if it's older than 3 years and not used since.

    The interesting part with this game is to see how many users are putting plain email addresses in CC, so when one of the many gets compromised, everyone else on that header gets spammed.
  • Hi, I run my own mail domain to.

    I would have re-audited my system and made really sure the leak did not come from a different attack vector before pinpointing them.

    Did you parse the headers of the spam to get more clues?

    Most companies won't spend time because another network administrator tells them they have something wrong. Rule one is always to prove your facts almost without a doubt otherwise they may not listen to you or take action.

    Try creating another account from a clean install to see if same happe

  • It could very well have just been guessed, the spammers' mail servers are more than likely more than capable of shotgun blasting millions of messages to $randomstring@domain.com in less time than you'd think, and if you change the replyto address, you don't even get the bouncebacks.
    • by seebs (15766)

      People keep suggesting this, but time and again we find that the reason that highly specific tagged addresses are getting spammed is that someone leaked or compromised a list.

      • I'd actually love to see a citation on this, I could google it but maybe you have an article handy. I generally err on the side of brute force or social engineering rather than out and out "hack" or system compromise.
  • The list was sold. Yes, it happens more often than you think. If the company itself didn't sell it, then somebody on the inside made an extra buck. That's why nobody will acknowledge your complaint.

  • simple, use the compromised list to email them telling them so.

  • First off if you are bothering to create separate email accounts for each site you know full well the risks of giving anyone your email address. How do you think spammers get everyones email addresses? Tooth fairy?

    Secondly jumping to conclusions is ususally not prudent. "knew immediately that either their systems or their subscriber list had been compromised"

    For all we know your system could be hacked and you just don't know it or you've got a directory server or vrfy enabled and the account was brute fo

  • I used to be a member of a professional society. I started getting spam to the unique, tagged, address I'd used to register with them. I pointed this out on a mailing list. I got threatening notes from them about how they didn't appreciate me implying that they had sold addresses or been compromised...

    Blizzard ignored queries from me about the sudden appearance of spam (from their servers, even) to unique, tagged, addresses. A week after they blew me off, there was an announcement that they'd been compromis

  • Star Trek Online had this happen. I had an email address specific to that site and it got spammed. Heaps of other people [perfectworld.com] with similar site only email addresses mentioned the same thing on the forums. Don't know if they ever publicly admitted it.
  • Had the same problem, except with very obnoxious scammy spams and the company in question was Bank of America (overnight, the dedicated address went from BofA only, to dozens of such spams).

    My personal guess was that these morons must have sold their list to somebody (or cross-marketed, or whatever other stupid idea one of their coked-up marketing exec came up with) who in turn sold it and so on, all the way to the darker recesses of the internets. A chain is only as weak as its weakest leak, so once the
  • First of, I hold the idea, that the list was sold, very likely. They will never admit to that. You might want to check their privacy statement and take actions according to that (see post by nemesisrocks).

    But for a self confessed geek with his/her own email domain, the OP shows shows an alarming lack of knowing the proper channels.

    This is a problem with email, so maybe the OP should have send a mail to 'abuse@company.com' or even 'postmaster@company.com'. Not place something on the facebook page, that only

  • I created a special email address for Starbucks several years ago, starbucks@mydomain.com, and I started getting spam on it within weeks after giving it to them. And this wasn't just "legitimate" third party spam, but was penis enlargement type spam. I set a gmail filter to always trash anything coming to that address, and every time I check the trash there are still a bunch of spam emails coming in to that address. So I don't know whether Starbucks sold the address to a third party who may or may not have

  • Or anything else for that matter.
  • First, no news is good news.
    Second, You are already on that spammers list. You shouldn't expect to suddenly stop receiving spam.
    Third, here are two tests to consider to take away any doubts.

    1) Rule out man in the middle attack.
    Its very possible for your (or any intermediate) machine to be infected and passed along your keystrokes or detected email addresses in network packets.
    If you could setup a scenario where this is ruled out. Register on a different (clean) machine, using a different email address, poss

  • by 1u3hr (530656)
    Since most people don't use unique addresses, they won't be aware of the source of the spam, so they don't report it. The few of us who do are treated as troublemakers.

    When I have reported this, every time I was told that it was my problem, that I had a virus, or that I was an idiot/a troll/etc. Never did anyone take any responsibility or take any action.

  • by Tom (822) on Monday February 25, 2013 @05:09AM (#43001275) Homepage Journal

    Passing something "up the chain" is a sure fire way to ensure it gets lost. And notifying a company behind-the-scenes of a security issue has a success rate so low, it could still legally drive.

    It's good to give them the chance. Once. With a short time for a reply. Make sure your tell them you expect a reply until (insert date). If they don't reply, or bullshit you, go full disclosure with names and details. Bad publicity is about the only thing you can create that gets a company into motion.

    If there is applicable legislation and an official you can contact, do that as well. Many states and countries require companies to disclose known data breaches.

  • Is your mail hosted at Network Solutions?

    If so, I have a friend in the same boat. They've recently switched their cheapest hosting solution to no longer filter SPAM; in order to get SPAM filtering, you have to "upgrade" to a more expensive hosting solution. They've decided that they can monetize SPAM filtering, and so they've discontinued it from the cheap accounts to incentivize you to upgrade to a more expensive account - or just switch providers to one that SPAM filters, but they figure you won't do th

  • 1. Open up the compromizing email's headers. Locate the first ISP beyond yours -- 99% of the time it's not there's. Contact THAT company.
    2. File a complaint with the FCC. They are getting more active against exploits.
    3. Locate your Attorney General's office and ask if there are any state laws against spam. There is one in Maryland that is compatible with CAN SPAM, and has been tested in the courts. If you got one, lawyer up and sue the company -- some companies only respond by judicial inquiry.
    4. B

  • I had definitive evidence a company had a virus on their site but they didn't seem to care. The virus was present for a few weeks until I posted the facts in their forums. They quickly remedied the problem then tried to scold me for creating a PR issue. Heck, if they responded in even a semi responsible manner (e.g. "we'll look into it, thanks") rather than telling me to pound sand they could have avoided any repercussions. I think they just didn't want to move resources from whatever they were doing to
  • by e70838 (976799)
    "When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. ".
    The address is now known by bad guys. You can not know whether the site has corrected its problem or not if you have not changed your email in your profile and the new address is spammed.
  • I use Spamex [spamex.com] to create DEAs (Disposable Email Address).

    I have been surprised when these get compromised. The biggest surprise was one for the New York Times.

    I let folks know, then just turn off the snagged address.

    This is a very different world from when I first started using email in the early 1980s (not Internet Email, host-based and proprietary). It comes with the territory, and I have to accept it.

Nothing will dispel enthusiasm like a small admission fee. -- Kim Hubbard

Working...