|
||
|
||
Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation’s leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common?
They all leaked my address to spammers, and none of them have ever accepted any responsibility. For a long time, over a decade now, I’ve used tagged addresses whenever I buy something online or sign up for someone’s list. If it’s the foobly company, I use an address like [email protected].
There’s two reasons for that. The original one is to remind me when I get unexpected mail that it might be someone I signed up for a long time ago. For example, about ten years ago we got a subscription to the National Wildlife Federation’s Ranger Rick, their magazine for young children. The formerly young child lost interest many years ago, but they still keep sending me pleas to renew. While this is annoying and stupid, it’s not exactly spam. The other reason for tagged addresses is so I can trace when someone really does leak addresses to spammers. And boy, do they ever.
Every one of the six organizations above had a unique tagged address, and I am now getting spam to that unique address. When I say spam, I don’t mean that, e.g., Shelfari gave it to some other part of Amazon. I mean 419s, fake drugs, money mule spam, the lowest and sleaziest of the low. Those six aren’t the only ones to have leaked my address; they were just the ones I came across first looking through spam I got in the past few weeks.
I used to write and complain, but I don’t bother any more because the response, if any, was invariably a combination of cluelessness and stonewalling along the lines of “you must have forgotten”. Well, no, I didn’t. The one exception was Orbitz, who got enough complaints from enough credible sources that to their credit, they did an internal investigation, although they didn’t find anything, and as best we can guess it was one of the ESPs who handles their weekly newsletter.
There is a perception in some circles that everybody leaks. That’s not true. There are plenty of other organizations who, so far at least, have kept their lists secure. The Economist has leaked my address, the Atlantic Monthly hasn’t. The Journal has leaked my address, the New York Times hasn’t. Shelfari has leaked my address, Audible.com and Amazon itself haven’t.
Needless to say, if a company is leaking mailing lists to spammers, it says bad things about their attitude both toward their customers and about the quality or lack thereof of their internal processes.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byWhoisXML API
A World-Renowned Source for Internet Developments. Serving Since 2002.
From experience, I would say that the leaks are often unintentional actually - many websites have been breached at some point. E-mail address and customer data are valuable to spammers.
The operators are often unaware until they start receiving complaints from subscribers like you, that use dedicated E-mail addresses and are able to trace the origin of the ‘leak’.
With the notable exception of Orbitz, every place I've tried to alert about mail leakage has blown me off. TD Ameritrade blew me off repeatedly, leaking multiple addresses, which was a bad move since they subsequently found someone had installed malware on an internal server and they had a big expensive class settlement as a result.
It’s funny, today I received spam to my everydns.com E-mail.
Another one bites the dust…
I also suspect that Moneybookers suffered a breach in the past year.