Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.

Avenue4 LLCRead Message Promoted Post

Home / Blogs

The Incredible Leakyness of Commercial Mailers (Cont'd)

John Levine

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here's a few more thoughts.

One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It's a reasonable question, but the answer is simple: the spam comes to addresses I've given to the companies, not to addresses I haven't. There's a trickle of spam to truly made up addresses, but they're easy to recognize.

Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada's spun off frequent flyer program) had leaked his address, but they haven't leaked mine, even though we've both been members for over a decade. I've been trying to think of mechanisms that would lead to small leaks, and it's not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn't explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured a level that would stay under the radar, well then, ...

It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody's done that yet.

By John Levine, Author, Consultant & Speaker
Related topics: Spam
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

If all used tagged addresses, there would be more data... Alessandro Vesely  –  Feb 07, 2013 8:18 AM PST

There are mail client extensions, e.g. Virtual Identity, that can lend themselves to using tagged addresses, albeit they are not so popular to grant stability.  However, those who don't use a catchall mailbox would need to synchronize their server settings with the new identity generated by the client.  That would be trivial if new identities were generated on writing mail messages, but they are usually written on web forms.

Lazy and messy as I am, I wonder how can people remember when they created which address.  Also, wouldn't it be better to use random local parts?  That crooked employee of Foobly Inc. (or its ESP) would get suspicious of all those *foobly*@something addresses, no?  With a script (or web form) that handles tagged-address creation, tracking which ESPs mail to each of them seems to be a useful application of authentication tokens.  Thanks John, I think I now know enough to go and implement this thing at mines… except a good name for it.

Maybe my point of view is biased but ... Benjamin Billon  –  Feb 21, 2013 6:11 PM PST

I see other people in your picture that might be responsible for the leak.
There is no reasons that the ESP company of the "otherwise legitimate company" (OLC) is the only one that might have crooked employees. You might have some right in the OLC too. Or maybe not crooked but naives, clueless or money-driven.
As an ESP, I know that some, many, a lot of companies have marketing teams that tries to increase their performances at short term to reach their goal, and selling/renting/whatever whole or part of the internal database might not seem a bad solution to them. Or it is, but nobody will know, you know.
OR, it could be the same team, thinking that doing this is border-line but that if that might bring a lot of money, then we should give it a try. And they do, and a part of the database is handed over some other company, but not necessarily the whole data.

John, if you find out that some ESPs' names often occur in your research, then your position is likely to be valid. But maybe there are other reasons!

To post comments, please login or create an account.

Related

Topics

Mobile Internet

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Cybersecurity

Sponsored byVerisign

Promoted Post

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.