I’m pretty sure we have all become numb to the unsolicited bulk email (aka Spam) we receive. Well, I should qualify that. There are a few dumbasses out there that still click links, still think Microsoft is giving away 400 million dollars, or that some Prince in Uzbeki-beki-stan wants to leave their fortune to a stranger in a different country.
For the educated masses, it’s an inconvenience; the price of doing business, or pleasure, on the Internet. One aspect that is not written about as often as the amount sent, or where it is sent from, is the services that are leaking or selling our email addresses to spammers. There are a handful of tech-literate people that take measures to track this. By providing a truly unique email address to each service or web site you sign up to, you can easily determine if the site has lost or shared your information with a third party. If that unique email address receives mail from anyone other than the site you used it on, potential problem.
In some cases, the fine print we all quickly agree to without reading will say the site can share the information with commercial partners. Such mails are infrequent, but usually easy to spot. Over the last few years, I have had an interesting number of sites result in pure Spam. Not partner emails, not ‘legit’ third parties that purchased the email address for unrelated business offers. I’m talking about the usual penis enlargement pills or offers of untold millions from Captain John in Iraq who needs help moving 50 million in gold back to the states.
When such a leak happens, it typically means the email addresses were harvested (e.g. enumeration vulnerability, remote information disclosure), or a full on compromise (e.g. system hacked, all information taken including the list of addresses). Either way, it isn’t good for the business, and ultimately you either. Keep that in mind when you consider a few of the sites / domains that had a leak.
- order.store.yahoo.net – spam received Jul 9, 2011
- seenon.com – spam received on Feb 8, 2013
- denverlibrary.org (Denver Public Library) – spam received Oct 7 / 8, 2012 and Jan 21, 2013
- Tastes Wine Bar (local business) – spam received to first email address, and again on second address on Jul 3, 2011.
- celebratethemacallan.com / eventbrite.com – spam received Jul 11, 2011 (not sure which leaked)
- investorshub.com – spam received Jan 13, 2013
- ameinfo.com – spam received May 29, 2012
It would be interesting if more people could use unique email addresses to track such breaches.