Home / Blogs

The Incredible Leakyness of Commercial Mailers

John Levine

Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation's leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common?

They all leaked my address to spammers, and none of them have ever accepted any responsibility. For a long time, over a decade now, I've used tagged addresses whenever I buy something online or sign up for someone's list. If it's the foobly company, I use an address like foobly@taugh.com.

There's two reasons for that. The original one is to remind me when I get unexpected mail that it might be someone I signed up for a long time ago. For example, about ten years ago we got a subscription to the National Wildlife Federation's Ranger Rick, their magazine for young children. The formerly young child lost interest many years ago, but they still keep sending me pleas to renew. While this is annoying and stupid, it's not exactly spam. The other reason for tagged addresses is so I can trace when someone really does leak addresses to spammers. And boy, do they ever.

Every one of the six organizations above had a unique tagged address, and I am now getting spam to that unique address. When I say spam, I don't mean that, e.g., Shelfari gave it to some other part of Amazon. I mean 419s, fake drugs, money mule spam, the lowest and sleaziest of the low. Those six aren't the only ones to have leaked my address; they were just the ones I came across first looking through spam I got in the past few weeks.

I used to write and complain, but I don't bother any more because the response, if any, was invariably a combination of cluelessness and stonewalling along the lines of "you must have forgotten". Well, no, I didn't. The one exception was Orbitz, who got enough complaints from enough credible sources that to their credit, they did an internal investigation, although they didn't find anything, and as best we can guess it was one of the ESPs who handles their weekly newsletter.

There is a perception in some circles that everybody leaks. That's not true. There are plenty of other organizations who, so far at least, have kept their lists secure. The Economist has leaked my address, the Atlantic Monthly hasn't. The Journal has leaked my address, the New York Times hasn't. Shelfari has leaked my address, Audible.com and Amazon itself haven't.

Needless to say, if a company is leaking mailing lists to spammers, it says bad things about their attitude both toward their customers and about the quality or lack thereof of their internal processes.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Spam


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


From experience, I would say that the Katya Nováková  –  Jan 22, 2013 1:46 PM PDT

From experience, I would say that the leaks are often unintentional actually - many websites have been breached at some point. E-mail address and customer data are valuable to spammers.
The operators are often unaware until they start receiving complaints from subscribers like you, that use dedicated E-mail addresses and are able to trace the origin of the 'leak'.

More unaware than that John Levine  –  Jan 22, 2013 5:55 PM PDT

With the notable exception of Orbitz, every place I've tried to alert about mail leakage has blown me off. 

TD Ameritrade blew me off repeatedly, leaking multiple addresses, which was a bad move since they subsequently found someone had installed malware on an internal server and they had a big expensive class settlement as a result.

It's funny, today I received spam to Katya Nováková  –  Jan 23, 2013 2:37 PM PDT

It's funny, today I received spam to my everydns.com E-mail.

Another one bites the dust…

I also suspect that Moneybookers suffered a breach in the past year.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Government Guidance for Email Authentication Has Arrived in USA and UK

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

MarkMonitor Fraud Intelligence Report, Q4 2011

MarkMonitor Fraud Intelligence Report Released for Q2 2011

The Botnet-Counterfeit Drugs Connection

New Monthly Fraud Intelligence Report Now Available

MarkMonitor to Highlight Importance of Cross-Functional Approach to Brand Protection

Paid Search Ads Can Lead to Fake Goods

Open Phishing Season

.ORG Highlighted for Success in Fighting Phishing

Latest Brandjacking Index Examines How Fraudsters Abuse Financial Brands

New Report Shows .INFO Domain Safest from Phishing Attacks

MarkMonitor AntiFraud Solutions Combine Proven Antiphishing and Expert Antimalware Capabalities

COCC Partners with MarkMonitor for Anti-Phishing Services

ICANN Mexico City Meeting Brings a Significant Shift in Direction for Brand Rights Holder Issues

MarkMonitor Year-in-Review Report Finds Online Abuse of Major Brands Was a Growth Industry for Fraud

Committed to Keeping the Internet a Safe Place