Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here are a few more thoughts.
One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious: the name of an often well-known company @ my domain. It’s a reasonable question, but the answer is simple: the spam comes to addresses I’ve given to the companies, not to addresses I haven’t. There’s a trickle of spam to truly made-up addresses, but they’re easy to recognize.
Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada’s spun-off frequent flyer program) had leaked his address, but they haven’t leaked mine, even though we’ve both been members for over a decade. I’ve been trying to think of mechanisms that would lead to small leaks, and it’s not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn’t explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured out a level that would stay under the radar, well then, ...
It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody’s done that yet.
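An added example, not part of the original post, of the bookkeeping the tagged-address approach implies: each company gets a random local part (so the list itself does not reveal the company@domain pattern), a short HMAC lets a guessed address be told apart from an issued one, and each inbound message is attributed as expected mail, a leak, or dictionary noise, so leaked lists can be counted per ESP. The secret, domain and ESP names are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from collections import defaultdict

# Constructed demo values: a private per-user secret and a placeholder domain.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.org"

def make_tagged_address(company, esp_domain, registry, secret=SECRET):
    """Issue one address for one company. The local part is random plus a
    short HMAC, so a guessed address can be told from one we really issued."""
    rand = secrets.token_hex(4)
    mac = hmac.new(secret, rand.encode(), hashlib.sha256).hexdigest()[:8]
    local = f"{rand}.{mac}"
    registry[local] = (company, esp_domain.lower())  # who got it, who may mail it
    return f"{local}@{DOMAIN}"

def is_genuine_tag(local, secret=SECRET):
    """True if the local part carries a valid HMAC under our secret."""
    rand, _, mac = local.partition(".")
    expect = hmac.new(secret, rand.encode(), hashlib.sha256).hexdigest()[:8]
    return bool(rand) and hmac.compare_digest(mac, expect)

def classify(recipient, sender_domain, registry):
    """Attribute one inbound message:
    dictionary: never issued by us (the trickle of guessed addresses)
    untracked:  genuine tag, but the issue record is missing
    expected:   issued address, mailed by the company's own ESP
    leak:       issued address, mailed by somebody else"""
    local = recipient.split("@", 1)[0].lower()
    if not is_genuine_tag(local):
        return ("dictionary", None)
    if local not in registry:
        return ("untracked", None)
    company, esp = registry[local]
    if sender_domain.lower() == esp:
        return ("expected", company)
    return ("leak", company)

def leaks_by_esp(messages, registry):
    """Count distinct leaked companies per ESP they used, to spot an ESP
    that keeps turning up behind leaked lists."""
    leaked = defaultdict(set)
    for recipient, sender in messages:
        verdict, company = classify(recipient, sender, registry)
        if verdict == "leak":
            esp = registry[recipient.split("@", 1)[0].lower()][1]
            leaked[esp].add(company)
    return {esp: len(companies) for esp, companies in leaked.items()}
```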
There are mail client extensions, e.g. Virtual Identity, that lend themselves to using tagged addresses, albeit they are not popular enough to grant stability. However, those who don’t use a catchall mailbox would need to synchronize their server settings with the new identity generated by the client. That would be trivial if new identities were generated on writing mail messages, but they are usually entered on web forms.
Lazy and messy as I am, I wonder how people can remember when they created which address. Also, wouldn’t it be better to use random local parts? That crooked employee of Foobly Inc. (or its ESP) would get suspicious of all those *foobly*@something addresses, no? With a script (or web form) that handles tagged-address creation, tracking which ESPs mail to each of them seems to be a useful application of authentication tokens. Thanks John, I think I now know enough to go and implement this thing at mine… except for a good name for it.
I see other people in your picture that might be responsible for the leak.
There is no reason that the ESP of the “otherwise legitimate company” (OLC) is the only one that might have crooked employees. You might have some right in the OLC too. Or maybe not crooked but naive, clueless or money-driven.
As an ESP, I know that some, many, a lot of companies have marketing teams that try to increase their performance in the short term to reach their goals, and selling/renting/whatever the whole or part of the internal database might not seem a bad solution to them. Or it is, but nobody will know, you know.
OR, it could be the same team, thinking that doing this is borderline but that if it might bring a lot of money, then we should give it a try. And they do, and part of the database is handed over to some other company, but not necessarily the whole data.
John, if you find out that some ESPs’ names often occur in your research, then your position is likely to be valid. But maybe there are other reasons!