Home / Blogs

The Incredible Leakyness of Commercial Mailers (Cont’d)

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here’s a few more thoughts.

One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious, the name of an often well known company @ my domain. It’s a reasonable question, but the answer is simple: the spam comes to addresses I’ve given to the companies, not to addresses I haven’t. There’s a trickle of spam to truly made up addresses, but they’re easy to recognize.

Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada’s spun off frequent flyer program) had leaked his address, but they haven’t leaked mine, even though we’ve both been members for over a decade. I’ve been trying to think of mechanisms that would lead to small leaks, and it’s not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn’t explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured a level that would stay under the radar, well then, ...

It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody’s done that yet.

By John Levine, Author, Consultant & Speaker

Filed Under


If all used tagged addresses, there would be more data... Alessandro Vesely  –  Feb 7, 2013 4:18 PM

There are mail client extensions, e.g. Virtual Identity, that can lend themselves to using tagged addresses, albeit they are not so popular to grant stability.  However, those who don’t use a catchall mailbox would need to synchronize their server settings with the new identity generated by the client.  That would be trivial if new identities were generated on writing mail messages, but they are usually written on web forms.

Lazy and messy as I am, I wonder how can people remember when they created which address.  Also, wouldn’t it be better to use random local parts?  That crooked employee of Foobly Inc. (or its ESP) would get suspicious of all those *foobly*@something addresses, no?  With a script (or web form) that handles tagged-address creation, tracking which ESPs mail to each of them seems to be a useful application of authentication tokens.  Thanks John, I think I now know enough to go and implement this thing at mines… except a good name for it.

Maybe my point of view is biased but ... Benjamin Billon  –  Feb 22, 2013 2:11 AM

I see other people in your picture that might be responsible for the leak.
There is no reasons that the ESP company of the “otherwise legitimate company” (OLC) is the only one that might have crooked employees. You might have some right in the OLC too. Or maybe not crooked but naives, clueless or money-driven.
As an ESP, I know that some, many, a lot of companies have marketing teams that tries to increase their performances at short term to reach their goal, and selling/renting/whatever whole or part of the internal database might not seem a bad solution to them. Or it is, but nobody will know, you know.
OR, it could be the same team, thinking that doing this is border-line but that if that might bring a lot of money, then we should give it a try. And they do, and a part of the database is handed over some other company, but not necessarily the whole data.

John, if you find out that some ESPs’ names often occur in your research, then your position is likely to be valid. But maybe there are other reasons!

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com