The Incredible Leakyness of Commercial Mailers (Cont'd)

John Levine

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here are a few more thoughts.

One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious: the name of an (often well-known) company @ my domain. It's a reasonable question, but the answer is simple: the spam comes to addresses I've given to the companies, not to addresses I haven't. There's a trickle of spam to truly made-up addresses, but they're easy to recognize.

Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada's spun-off frequent flyer program) had leaked his address, but they haven't leaked mine, even though we've both been members for over a decade. I've been trying to think of mechanisms that would lead to small leaks, and it's not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn't explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured a level that would stay under the radar, well then, ...

It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody's done that yet.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Spam

Comments

If all used tagged addresses, there would be more data... Alessandro Vesely  –  Feb 07, 2013 8:18 AM PST

There are mail client extensions, e.g. Virtual Identity, that can lend themselves to using tagged addresses, albeit they are not popular enough to grant stability.  However, those who don't use a catchall mailbox would need to synchronize their server settings with the new identity generated by the client.  That would be trivial if new identities were generated on writing mail messages, but they are usually written on web forms.

Lazy and messy as I am, I wonder how people can remember when they created which address.  Also, wouldn't it be better to use random local parts?  That crooked employee of Foobly Inc. (or its ESP) would get suspicious of all those *foobly*@something addresses, no?  With a script (or web form) that handles tagged-address creation, tracking which ESPs mail to each of them seems to be a useful application of authentication tokens.  Thanks John, I think I now know enough to go and implement this thing at mine… except a good name for it.
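Putting the per-company addresses from the post and the random-looking local parts suggested above into one small script (an added example, not code from the post or from either commenter; the secret, domain and company/sender pairs are constructed assumptions). The local part is an HMAC of the company name, so it carries no visible company name, cannot be produced by a dictionary attack, and still lets you recover which company an address was issued to when spam arrives at it.

```python
import hmac
import hashlib
from email.utils import parseaddr

# Constructed values for the example; in real use the secret is private and long.
SECRET = b"replace-with-a-long-random-secret"   # assumption
MY_DOMAIN = "example.net"                        # assumption

# tag -> (company, domain the company is expected to mail from)
registry = {}


def issue_address(company, sender_domain):
    """Create the tagged address handed to one company.

    HMAC(secret, company) gives a local part that looks random (no *foobly*@
    pattern for an insider to spot) but is deterministic, so the same company
    always gets the same address and a guessed local part will not match."""
    tag = hmac.new(SECRET, company.lower().encode(), hashlib.sha256).hexdigest()[:12]
    registry[tag] = (company, sender_domain.lower())
    return f"{tag}@{MY_DOMAIN}"


def classify(raw_from, raw_to):
    """Classify one received message from its From and To headers.

    Returns (verdict, company): 'expected' when the issuing company (or a
    subdomain of it) sent the mail, 'leak' when anyone else used the address,
    'guess' when the local part was never issued (dictionary-attack noise)."""
    _, sender = parseaddr(raw_from)
    _, rcpt = parseaddr(raw_to)
    local, _, domain = rcpt.rpartition("@")
    if domain.lower() != MY_DOMAIN or local not in registry:
        return ("guess", None)
    company, expected = registry[local]
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return ("expected", company)
    return ("leak", company)


def leak_report(messages):
    """Count leaked-address hits per company over (From, To) header pairs.
    Leaks are small scale, so every single hit is worth recording."""
    leaks = {}
    for raw_from, raw_to in messages:
        verdict, company = classify(raw_from, raw_to)
        if verdict == "leak":
            leaks[company] = leaks.get(company, 0) + 1
    return leaks
```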

Maybe my point of view is biased but ... Benjamin Billon  –  Feb 21, 2013 6:11 PM PST

I see other people in your picture that might be responsible for the leak.
There is no reason that the ESP company of the "otherwise legitimate company" (OLC) is the only one that might have crooked employees. You might have some right in the OLC too. Or maybe not crooked but naive, clueless or money-driven.
As an ESP, I know that some, many, a lot of companies have marketing teams that try to increase their performance in the short term to reach their goal, and selling/renting/whatever whole or part of the internal database might not seem a bad solution to them. Or it is, but nobody will know, you know.
OR, it could be the same team, thinking that doing this is borderline but that if it might bring a lot of money, then we should give it a try. And they do, and a part of the database is handed over to some other company, but not necessarily the whole data.

John, if you find out that some ESPs' names often occur in your research, then your position is likely to be valid. But maybe there are other reasons!
