Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation’s leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. Airliners.net is a popular photosharing site for airplane enthusiasts. What do they have in common?

They all leaked my address to spammers, and none of them have ever accepted any responsibility. For a long time, over a decade now, I’ve used tagged addresses whenever I buy something online or sign up for someone’s list. If it’s the foobly company, I use an address like [email protected].

There’s two reasons for that. The original one is to remind me when I get unexpected mail that it might be someone I signed up for a long time ago. For example, about ten years ago we got a subscription to the National Wildlife Federation’s Ranger Rick, their magazine for young children. The formerly young child lost interest many years ago, but they still keep sending me pleas to renew. While this is annoying and stupid, it’s not exactly spam. The other reason for tagged addresses is so I can trace when someone really does leak addresses to spammers. And boy, do they ever.

Every one of the six organizations above had a unique tagged address, and I am now getting spam to that unique address. When I say spam, I don’t mean that, e.g., Shelfari gave it to some other part of Amazon. I mean 419s, fake drugs, money mule spam, the lowest and sleaziest of the low. Those six aren’t the only ones to have leaked my address; they were just the ones I came across first looking through spam I got in the past few weeks.

I used to write and complain, but I don’t bother any more because the response, if any, was invariably a combination of cluelessness and stonewalling along the lines of “you must have forgotten”. Well, no, I didn’t. The one exception was Orbitz, who got enough complaints from enough credible sources that to their credit, they did an internal investigation, although they didn’t find anything, and as best we can guess it was one of the ESPs who handles their weekly newsletter.

There is a perception in some circles that everybody leaks. That’s not true. There are plenty of other organizations who, so far at least, have kept their lists secure. The Economist has leaked my address, the Atlantic Monthly hasn’t. The Journal has leaked my address, the New York Times hasn’t. Shelfari has leaked my address, Audible.com and Amazon itself haven’t.

Needless to say, if a company is leaking mailing lists to spammers, it says bad things about their attitude both toward their customers and about the quality or lack thereof of their internal processes.