My Discoveries on Spam

For years, I've had a simple policy - whenever I give my email address to a website, I give it a variant that includes the name of the website. So, for instance, if I am jimbob@example.com and I sign up on Zillow, the email address I would provide the service would be jimbob_zillow@example.com.

This has, over the years, been very good at showing me which companies are either actively selling my email address, or have poor security and allow their customer lists to be compromised, or otherwise will get you spammed. Some folks on this list here will claim that they never sell their mailing lists, or have outright accused me of going and signing up for spam lists with email addresses named after their stores. I certainly don't care to sign up for spam, and if they wish to think so, that's their business.
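One way to go through a mailbox under this scheme, as an added example that is not the author's own tooling: it pulls the site tag out of each recipient address and reports tags that received mail from senders unrelated to the tagged site. The sample messages, the `bookshop` tag, all sender domains, the use of the `Delivered-To` header and the name-matching heuristic are assumptions made for the illustration.

```python
import email
from collections import defaultdict
from email.utils import getaddresses, parseaddr

BASE_LOCAL, DOMAIN = "jimbob", "example.com"  # the page's example address

# Constructed sample messages (headers only); all sender domains are made up.
SAMPLE_MESSAGES = [
    "From: News <news@zillow.example>\nTo: jimbob_zillow@example.com\n\n",
    "From: pills@bulk-offers.example\nTo: jimbob_zillow@example.com\n\n",
    "From: x@cheap-meds.example\nTo: list@cheap-meds.example\n"
    "Delivered-To: jimbob_zillow@example.com\n\n",
    "From: orders@bookshop.example\nTo: jimbob_bookshop@example.com\n\n",
    "From: friend@mail.example\nTo: jimbob@example.com\n\n",
]


def site_tag(address):
    """Return <tag> from jimbob_<tag>@example.com, or None for anything else."""
    local, _, domain = address.lower().rpartition("@")
    prefix = BASE_LOCAL + "_"
    if domain != DOMAIN or not local.startswith(prefix):
        return None
    return local[len(prefix):] or None


def sender_matches(sender_domain, tag):
    """Heuristic (assumption): the site's name is a label of the sender's domain."""
    return tag in sender_domain.split(".")


def leaked_tags(raw_messages):
    """Map each tag to the sorted unrelated sender domains that mailed it."""
    hits = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        # From can be forged, so a match means "probably the site", no more.
        sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        # Delivered-To catches Bcc'd spam where the tag is absent from To/Cc.
        headers = []
        for name in ("To", "Cc", "Delivered-To"):
            headers += msg.get_all(name, [])
        for tag in {site_tag(addr) for _, addr in getaddresses(headers)}:
            if tag and not sender_matches(sender_domain, tag):
                hits[tag].add(sender_domain)
    return {tag: sorted(domains) for tag, domains in hits.items()}


if __name__ == "__main__":
    for tag, domains in sorted(leaked_tags(SAMPLE_MESSAGES).items()):
        print(f"{tag}: mail from unrelated senders {domains}")
```

A hit shows only that the tagged address reached a third party; it does not say which of the causes listed on this page was responsible.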

Possible Spam Vectors

Please note that I am not saying that these sites have sold my email addresses to spammers. It is entirely possible that this occurred without their malfeasance. However, since it's improbable that anyone who did sell my address would ever admit to it, we will never be able to tell how or why an address of mine, named after their store, wound up receiving all manner of spam. And we're not talking about opt-in mailings here, we're talking about Viagra ads, etc. - absolutely certifiable spam.

Possible causes for their lists getting out:

  • Poor security practices: If they haven't been observing good security practices, it's entirely possible that their customer database was leaked to spammers at some point or another. This could either be from a spammer hacking into their server, or an employee deciding to make a quick buck by dumping their customer database to an Excel spreadsheet and offering it to a spam company.
  • Active Malfeasance: There are more than a few companies in this category - companies which outright sell their mailing lists to spammers. When their terms of service include that they may redistribute your email address, you don't have a lot of defense other than not using that website unless you don't mind being spammed to hades and back.
  • Trusted Party Malfeasance: If you're doing business with a place which passes your email address along to a fulfillment house for order tracking, for instance, that fulfillment house may very well choose to spam the heck out of you.
  • Web Exposure: If you're on a web forum or whatnot, and it places your email address into a mailto: link somewhere, you can be guaranteed that spam-harvesting web spiders will obtain your address in very short order. Expect to be spammed forever.

The Sites

  • Christiancafe.com: This address started getting spam pretty shortly after I signed up with their site. Since it's a dating site, I very strongly doubt that web exposure was any kind of potential vector.
  • Surpluscomputers.com: I started getting regular spam on their dedicated address a few years after signing up for their legitimate opt-in mailing list.
  • More when I get around to going through my mail logs.

-- SeanNewton - 12 Mar 2008

Topic revision: r1 - 2008-03-12 - SeanNewton
 