Home / Blogs

The Incredible Leakyness of Commercial Mailers

Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation’s leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common?

They all leaked my address to spammers, and none of them have ever accepted any responsibility. For a long time, over a decade now, I’ve used tagged addresses whenever I buy something online or sign up for someone’s list. If it’s the foobly company, I use an address like [email protected]

There’s two reasons for that. The original one is to remind me when I get unexpected mail that it might be someone I signed up for a long time ago. For example, about ten years ago we got a subscription to the National Wildlife Federation’s Ranger Rick, their magazine for young children. The formerly young child lost interest many years ago, but they still keep sending me pleas to renew. While this is annoying and stupid, it’s not exactly spam. The other reason for tagged addresses is so I can trace when someone really does leak addresses to spammers. And boy, do they ever.

Every one of the six organizations above had a unique tagged address, and I am now getting spam to that unique address. When I say spam, I don’t mean that, e.g., Shelfari gave it to some other part of Amazon. I mean 419s, fake drugs, money mule spam, the lowest and sleaziest of the low. Those six aren’t the only ones to have leaked my address; they were just the ones I came across first looking through spam I got in the past few weeks.

I used to write and complain, but I don’t bother any more because the response, if any, was invariably a combination of cluelessness and stonewalling along the lines of “you must have forgotten”. Well, no, I didn’t. The one exception was Orbitz, who got enough complaints from enough credible sources that to their credit, they did an internal investigation, although they didn’t find anything, and as best we can guess it was one of the ESPs who handles their weekly newsletter.

There is a perception in some circles that everybody leaks. That’s not true. There are plenty of other organizations who, so far at least, have kept their lists secure. The Economist has leaked my address, the Atlantic Monthly hasn’t. The Journal has leaked my address, the New York Times hasn’t. Shelfari has leaked my address, Audible.com and Amazon itself haven’t.

Needless to say, if a company is leaking mailing lists to spammers, it says bad things about their attitude both toward their customers and about the quality or lack thereof of their internal processes.

By John Levine, Author, Consultant & Speaker

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


From experience, I would say that the Katya Nováková  –  Jan 22, 2013 8:46 PM

From experience, I would say that the leaks are often unintentional actually - many websites have been breached at some point. E-mail address and customer data are valuable to spammers.
The operators are often unaware until they start receiving complaints from subscribers like you, that use dedicated E-mail addresses and are able to trace the origin of the ‘leak’.

More unaware than that John Levine  –  Jan 23, 2013 12:55 AM

With the notable exception of Orbitz, every place I've tried to alert about mail leakage has blown me off. TD Ameritrade blew me off repeatedly, leaking multiple addresses, which was a bad move since they subsequently found someone had installed malware on an internal server and they had a big expensive class settlement as a result.

It's funny, today I received spam to Katya Nováková  –  Jan 23, 2013 9:37 PM

It’s funny, today I received spam to my everydns.com E-mail.

Another one bites the dust…

I also suspect that Moneybookers suffered a breach in the past year.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO