Is Amazon.Com Selling E-mail Addresses? 21

A worried Anonymous Coward asks: "I recently used Amazon(.co.uk)'s refer-a-friend scheme to refer a member of my family. I set up a new e-mail address for this purpose, and it had been used for nothing else. A few days after receiving the refer-a-friend voucher, the address started to receive spam mail. Only Amazon ever knew about this address. How did the address get on junk mail lists? The address was too obscure to have been guessed! Has anyone else had a similar experience?" You may think most eCommerce sites won't stoop so low as to sell addresses to potential spammers, but it always pays to read the fine print first. More below.

According to Amazon.Co.Uk's Privacy Policy: "Amazon.co.uk does not sell, trade or rent your personal information to others. We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.co.uk. (If you use more than one e-mail address to shop with us, send this message from each e-mail account you use.) Also, Amazon.co.uk may provide aggregate statistics about our customers, sales, traffic patterns and related site information to reputable third-party vendors, but these statistics will include no personally identifying information."

  • You still don't get the point. Let's assume a mere 300 bytes per message (it will be more taking all TCP/IP overhead, SMTP overhead etc. into account), and 500,000 messages will already sum up to 150 MB.
    All five-letter accounts (and still using only lowercase: no uppercase letters, no numbers) will take 4 GB.

    Read my lips: Your Idea WILL NOT WORK. This can't be done.
  • Please: Think before you post.

    Even if you only take uppercase letters and no numbers into your scheme, all four-letter combinations will sum to nearly five hundred thousand addresses. And you really thought this could be done with 12- or 24-letter-long accounts?

    I don't get why people who write such nonsense always (ab)use their +1 score bonus. Please: only use your bonus if you are rock solid about what you wrote and if you think it is appropriate to use it.

  • Amazing how quick people are to jump to conclusions around here. It's probably just a dictionary attack, people. When my account was set up at work, it came to me filled with spam already (it's jason@domain). Clearly, my work had not sold my email account to spammers. Likely the same here.
  • Heh. Look, you guys have the wrong idea here. I am not -- N. O. T. -- saying this is a good idea. I'm not saying it would be fast, or feasible, or fun. I'm not saying there aren't better and more efficient ways of accomplishing the task at hand -- indeed there are such ways. Much as you want to drill on it, I got the point a while ago (sophomore year data structures class actually, several years ago. thanks for asking.).

    What I'm saying is that ideas like this -- a crude incremental search, name by name, or a more clever search that sticks to just dictionary words, with at most minor variations (3733T haXXorspeak, doodz!), is profitable and therefore will be attempted, and indeed is attempted and, to a limited extent, used.

    Much as you'd like to out-pedant me here, we're basically talking about a password cracking scheme, and password cracking schemes are not as computationally complex as the travelling salesman problem. Sorry, but you just made that up -- admit it. Indeed, these things get used pretty regularly -- just ask Randal [lightlink.com] Schwartz [rahul.net].

    The fact of the matter is, you guys are belittling this strategy for the list generation aspect of it, when in fact that could be done once and the result can be dumped into a file for future usage. Is there some work involved in getting that? Of course there is -- just look at the everyicon [numeral.com] project. But you can take steps that control the complexity of the work involved, and cause the total execution time to be Not That Bad. Once you've done it once and dumped the result to disc somewhere, you never have to do it again. Then just start sending out the spam as per usual and Mr Marketer is happy.

    Is this hard? Is this complex? Yes and yes. But keep in mind how hard it is to legitimately harvest a large pool of targets^H^H^H^H^H^H^Haddresses. It is also hard and complex, and arguably it's a lot more expensive. (Anything that costs a lot is more expensive than something that possibly cannot be done, or at least not completely...). Given the choice, I don't see why it's such a mystery to you guys why a lot of people would want to try this, and indeed, why a lot of people do try it.

    Don't turn your vitriol against me, turn it to the boneheaded managers & marketers that are having people do this stuff. Question the theory if you want to, but it's being done, and I'm just reporting that fact. Back off.



  • I understand what you're saying, but I still think these aren't particularly large numbers. Keep in mind that these people aren't polite, they just realize that they can generate such a list in a relatively short span of time (faster with a smart algorithm, faster still if trying to stick close to dictionary words -- think password cracking strategies).

    So what, four-letter combinations work out to 500,000 permutations: a modern PC should be able to generate that list in a matter of seconds. I would think an enterprising spammer would be willing to leave the program running long enough to get a longer list than this, and wouldn't be bothered flooding the networks by trying to send mail to some large subset of these names. If it generates enough sales leads, they're doing their job -- they're happy. Ways to do it faster are appreciated but sort of beside the point, because they're going to try it anyway...



  • > You still don't get the point. Let's assume a mere 300 bytes per message (it will be more taking all TCP/IP overhead, SMTP overhead etc. into account), and 500,000 messages will already sum up to 150 MB.
    > All five-letter accounts (and still using only lowercase: no uppercase letters, no numbers) will take 4 GB.
    >
    > Read my lips: Your Idea WILL NOT WORK. This can't be done.

    Read my lips: 4 GB IS NOTHING. To a user on dialup it may seem like a lot, but for a spammer colocated on an OC3 it is no big deal.

    echo $email | sed s/[A-Z]//g | rot13
  • I'm spam-phobic. When an old high school classmate asked for my email address to use for distributing reunion-planning information, I gave a "disposable" address, created on the spot, and specific to that purpose. (Disposable addresses are my favorite reason for having my own domain.) Old classmates sent mail to this list of recipients (it wasn't a real mailing list, but rather just a collection of addresses, so folks did a reply-to-all to send to everyone) about the reunion, and one day someone sent a message to the reunion list (and nearly everyone else in their address book) just because they thought it was hilarious and that we would appreciate it. Problem. Now all of our email addresses were on the To: line of a message that was sent to "everyone in so-and-so's address book". In particular, my email address was now in the hands of unknown others. Some of those unknown others probably continued forwarding the message, contributing to the exponential growth of the number of unknown others who now knew my email address. Eventually, some of those unknown others may forward the funny to a mailing list... a mailing list which is archived on the web... a web which is crawled by address-harvesting spiders... spiders operated by spammers and their ilk. My address, through no action of my own, is now at risk of ending up in spammers' hands, and I can't stop this from happening. It's totally out of my hands. Fortunately I used a disposable address. I told my classmates why "forwarding to everyone" puts you and those you care about at risk of being spammed, and I told them the new address they could use, because the old one was now going to be routed to the bit bucket. Your email address is never safe from spam, so long as anyone who knows it might pass it on to someone who doesn't know better than to not "forward to everyone". It only takes one slip and then things are out of your hands. In this Amazon case, maybe you used that one-time address to notify your friend. Your friend forwarded that message to their friend too (or had their mail accessible via an insecure POP-via-HTTP gateway). Anyhow, the *best* thing is to give everyone you email an address unique to them. If they break it, you can decide whether to give them a fixed one. If a company breaks it, then direct all future spam to one of their non-disposable addresses like sales@ or support@ and let them deal with their own mess.

    -matt
  • Most people don't have more than one address, nor do they create "spam trap" accounts that they use just once for an online purchase. Most people have a single ISP account they use for everything, and get tons of spam on. They don't know where to pinpoint the source of the spam, or who gave or sold their address to the spammers in the first place. Most people think spam isn't spam at all; just talk to any newbie who's wondering how "someone on the internet" thought they'd be interested in porn/weightloss/freemoney/etc. And most companies know this, and think this gives them carte blanche to sell email addresses till their hearts and pockets are content.

    -Josh
  • > Read my lips: Your Idea WILL NOT WORK. This can't be done.

    It's not that it won't work, really. It's more that you'd need the computing resources of the entire planet to achieve it. It would work, the algorithm is simple, but the cost would bankrupt Bill Gates.

    OK I'll stop being a pedant now... :)

    Ian

  • Yes, indeed, I've seen this problem before. And I have thought of a partial solution to the problem: a watchdog group.
  • ahem, I accidentally hit submit, on my way to the preview button. damn valentine's day! too much wine with the candlelight dinner. oh well.

    Needless to say, there are a bajillion ways to accomplish what I'm talking about, but the idea I've just had sounds so good right now that I think I'll actually go and begin this project instead of talking about it. I believe I can script a means to auto-monitor the popular web sites, watching for this rude behavior. I'll give you a hint: it involves lots and lots of Yahoo and Hotmail addresses, MySQL and a modified Slash/Nuke front end.
  • I bet that Amazon is selling just about anything they can under their user agreement, and probably stuff they can't. I mean, they must be kinda desperate for money, what with this stupid voluntary tip system and all.

    C:\
    C:\Dos
    C:\dos\run
  • Amazon is (was?) the darling of those who wanted to invest in "e-business". To attract those investors, does Amazon need to be well run at the technical level? Or is the outer surface the only thing that counts? You can find a lot of articles critical of Amazon at www.seatleweekly.com.

    Let me share a reason. I worked for a publishing company a year and a half ago. I contacted Amazon to arrange to upload our backlist into their system. I found their system for constructing the package ambiguous, poorly documented and poorly thought out.

    But wait. It got worse. When I contacted them to get a userid to upload to their server, they gave out a very obvious userid, and a very obvious password. This is the killer. Every publisher shared the same userid and password!

    See also: http://catless.ncl.ac.uk/Risks/20.20.html#subj10.1 http://catless.ncl.ac.uk/Risks/20.81.html#subj13.1

  • I'm the one who sold your email address.

    I picked up your secret email address by sniffing the connection. Since you were only using SSH1 and WEP on your wireless segment, it was an easy crack.

    I'll forward the $0.37 check I received from the Spam lord later today via PayPal ;)
  • "Is Amazon.Com Selling E-mail Addresses?"

    Of course not.

    They're selling copies of those addresses.

    Over and over again.

  • Some of us don't jump to conclusions, we test them. It is so we know what to avoid on the big, dangerous internet.

    If you look at my post [slashdot.org] below, I created a spam catcher account with the name uni_21_bow_eton@feckless.co.uk (it's dead now, probably too swamped with spam).

    That address doesn't appear in any dictionary I know of, and it isn't likely to just magically appear on spammers' lists. A number of other addresses of similar length never received any messages, except for a handful of test messages I sent back and forth.

    the AC
  • What was the email's domain name? I'm curious because a lot of spammers can independently come up with addresses without resorting to buying the lists from Amazon or anyone else. Basically, just send a message to
    a@hotmail.com, b@hotmail.com, c@hotmail.com, .... z@hotmail.com, A@hotmail.com, B@hotmail.com, .... 1@hotmail.com, 2@hotmail.com, .... a1@hotmail.com, etc
    ...up through all combinations of 12 characters or 24 characters or whatever the upper limit is there. Kind of a pain, but nothing that half a dozen lines of Perl code couldn't generate pretty quickly.

    Repeat the cycle with all AOL addresses and already you have tens of millions of addresses. Send a message to each of 'em and the mail systems will "courteously" let you know which ones don't actually exist; take that abbreviated list as a starting point for round two. Anyone that angrily replies "no spam!" is a target, because you know that person both reads & pays attention to their email account. The no replies are trickier -- they're either dormant or crafty enough not to nibble. No matter, keeping them on the list is cheap and potentially profitable, so they all get spammed too.

    About the only real way I know of to keep off the lists is to have an unusual domain name that you don't publicize anywhere that it could end up being harvested this way -- friends & family get to use the obscure one, and a public address goes on mailing lists, web sites, etc as the necessary target for spammers. You still don't avoid spam, but you can at least minimize &/or ignore it that way...

    Interestingly, my unobfuscated Slashdot address gets basically no spam. It seems that this site isn't worth the effort to trawl for addresses, because I for one never get any Slashdot themed spam. *shrug*.

    Anyway, to come back to the original point, if you had some obscure address ("myxtylpl1x@nevergonnaguessthis.net") and started getting spam, then Amazon is suspect. If however it was with an at all common domain, you may have just been an innocent target here.



  • You can teach anyone to code... but whether you can teach them theory of computation is the real question.

    My dare to you, sir (Original Poster), is to write a quick program for the traveling salesman problem. It's quite easy to write one that does an exhaustive search. Start with, say, 5 cities, and move up to, say, 13; you will be very, very surprised by how few cities a "modern PC" can really handle!
  • by Xunker ( 6905 ) on Thursday February 15, 2001 @07:46AM (#431267) Homepage Journal
    As a Dot.Com'er, I find your trust in Web Sites amusing.

    Interestingly enough, I had the exact same thing happen, except with the 'wish list' thing -- and, in this case, I was trying to catch them in the act.

    I made a 12-character random username on *my* mail server (the one I run for me and me alone). Obviously, this address was never published (I made the account just for this purpose). I then sent my wish list to that address and waited.

    And about 36 hours later, I think you can guess what happened! Spam, Spam! Glorious Spam! They say they'll only give the addresses away to "trusted third parties" -- I guess they consider a mortgage refinance corporation to be "trusted".
  • by anticypher ( 48312 ) <anticypher.gmail@com> on Friday February 16, 2001 @03:25AM (#431268) Homepage
    It is merely selling your address to "approved" business partners; you agreed to that by accessing their site. It's those partners who are increasing their revenue by selling your address to spam lists. See, any marketing genius could spot the difference :-|

    I've done the exact same thing as Worried Anonymous Coward (WAnCo?), where I set up a number of lengthy and obfuscated email addresses on a free mail service (let them deal with the spam). One of the addresses was used for amazon.co.uk's reference list, the others were never given out. Within hours the amazon account started receiving spam, the others have never received a message. I sent an email to never@amazon.co.uk from that account, but it hasn't stemmed the flow of spam.

    Various "approved" amazon business partners include

    Regular amazon marketing promotions

    Instant diplomas for cash

    Home mortgages

    Make money fast with Internet Marketing (perfectly legal, it says so)

    Various pr0n sites

    One guy shopping his miserable resume around

    I contacted the last guy from a separate account, asking him for more info and if he would like to come to work for a huge amount of money, since we needed workers in his area. When queried about how he managed to find our address, he wrote about buying a CDROM with 300,000 good, valid business addresses, all of whom had opted-in to the database. He realised after sending his resume to the first 50,000 that 90% of them bounced, and the remainder mostly generated hate mail and death threats. He was overjoyed to find a company actually interested in his spamming talents. I wonder if he is still waiting for the follow-up interview :-)

    So now that address is burned onto CDs being sold to spammers everywhere. And only amazon.co.uk had ever been given the address. It's life on the internet, get used to it, information wants to be free.

    the AC
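matt's per-correspondent disposable addresses and the AC's experiment just above (several obscure addresses, only the one given to amazon.co.uk ever received spam) are the same detective control: hand each party its own address and watch where mail arrives. The following is an added example, not code from either poster; it issues addresses of the form label-tag@domain where the tag is a truncated HMAC of the label, so a guessed or edited tag is rejected rather than delivered, and it audits delivery records to report which issued address has been used by senders other than the party it was handed to. The secret key, domain, issued labels and the delivery records are all constructed for the example.

```python
import hmac
import hashlib

# Assumed deployment: every correspondent gets "<label>-<tag>@<domain>", where <tag>
# is a truncated HMAC of the label under a key only the mailbox owner holds.
# Key and domain below are constructed for the example, not real values.
SECRET = b"constructed-demo-secret"
DOMAIN = "mail.example"
TAG_LEN = 8  # hex characters; 32 bits of tag makes a guessed tag fail about 4 billion to 1

def _tag(secret, label):
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

def make_tagged_address(secret, label, domain=DOMAIN):
    """Issue the per-correspondent address for `label` (e.g. 'amazon-refer')."""
    return f"{label}-{_tag(secret, label)}@{domain}"

def identify_recipient(secret, address):
    """Map an incoming recipient address back to its label.
    Returns (label, True) for a genuine issued address, (label, False) when the tag
    does not verify (edited or guessed), or None when there is no tag at all."""
    local = address.partition("@")[0]
    label, sep, tag = local.rpartition("-")
    if not sep:
        return None
    if not tag.isascii():
        return label, False
    return label, hmac.compare_digest(_tag(secret, label), tag)

def audit(secret, issued, messages):
    """issued: label -> domain the address was handed to.
    messages: (sender, recipient) pairs as seen at delivery time.
    Returns label -> senders outside the issuing domain (evidence the address has
    travelled), plus '<invalid>' for mail to tags that do not verify."""
    report = {label: [] for label in issued}
    report["<invalid>"] = []
    for sender, rcpt in messages:
        ident = identify_recipient(secret, rcpt)
        if ident is None or not ident[1] or ident[0] not in issued:
            report["<invalid>"].append((sender, rcpt))
            continue
        label = ident[0]
        if sender.rpartition("@")[2].lower() != issued[label].lower():
            report[label].append(sender)
    return report

# Constructed registry: who each address was handed to.
ISSUED = {"amazon-refer": "amazon.co.uk", "reunion": "classmates.example"}

def demo_messages():
    # Constructed delivery records: the refer address later hears from a mortgage
    # mailer, the reunion address stays clean, and one message targets a guessed tag.
    refer_addr = make_tagged_address(SECRET, "amazon-refer")
    reunion_addr = make_tagged_address(SECRET, "reunion")
    return [
        ("refer-a-friend@amazon.co.uk", refer_addr),
        ("offers@mortgage.example", refer_addr),
        ("alice@classmates.example", reunion_addr),
        ("bulk@bad.example", "reunion-00000000@" + DOMAIN),
    ]

def run_demo():
    return audit(SECRET, ISSUED, demo_messages())

if __name__ == "__main__":
    for label, evidence in run_demo().items():
        print(f"{label}: {evidence}")
```

The sender-domain comparison is deliberately simple (a company may legitimately mail from several domains), so treat a hit as a lead rather than proof; the stronger signal is the one the AC relied on, namely that the sibling addresses, which share the same format and length, received nothing. Once an address is confirmed burned, the MTA can reject its tag at RCPT time and the label can be reissued under a new tag without touching any other correspondent.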