Over at CircleID, Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, someone else made a purchase using Aviram’s Gmail address, and Aviram now has access to the other user’s personal information. As he explains it:
Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?
I have recently been going through a very similar situation. It appears that someone in the UK signed up at an address harvesting website with my email address. This Mr. Laura Corbishley gave win4now.co.uk full authority to sell my email address to all and sundry, and they have. Emailinform got my address first and has been sending me email “because [I] opted in at win4now.co.uk.” In the process of trying to track down this spam, I did “recover” my password at win4now.co.uk and took over the account.
I am suspicious of the signup at win4now.co.uk for a couple reasons.
- “Mr.” Laura. Sure, it is possible someone missed a pulldown window. Possible but unlikely.
- The postal address is Solihull, Warwickshire. But, according to Royal Mail, Solihull is no longer in Warwickshire for purposes of mail delivery. The correct address is West Midlands. Another possible error, but how many people do not know their own snail mail address?
- I have never received any mail from win4now.co.uk. I have only received mail from emailinform.
I know this is fairly common: people sign up bad addresses at websites, either maliciously or accidentally. Even more frustrating is the inability to contact a real human at win4now.
I checked out their privacy policy. At the very top of their privacy policy it says:
This Privacy Policy Statement explains the data processing practices of win4now.co.uk. If you have any requests concerning your personal information or any queries with regard to these practices please contact our Privacy Officer by e-mail at privacy@win4now.co.uk.
Fair enough. I sent email to their Privacy Officer. In the email I explained that one of their users had fraudulently used my email address to sign up and I was now receiving spam. I requested that they remove my email address and notify everyone they had sold my address to that there was no permission with that address and to remove it from their lists as well.
Win4now sent me an email back that had the following at the very top:
IMPORTANT NOTE: Please do not respond to this email, it is auto-generated and replies are not monitored.
They provided a short FAQ and no indication that any human actually reads the privacy mail. Having an unmonitored privacy address is bad, but the auto-reply goes out of its way to ignore privacy questions. The text of the message answers some questions, none of which address their privacy policy:
- Q: I have a problem using my Win4now password
- Q: I do not want to receive any more new competition emails
- Q: I would like to update my details
- Q: I would like to unsubscribe from Win4Now
- Q: I am having problems viewing the website
- Q: I would like to know if I am a competition winner
None of those questions relate to privacy. At the bottom of the email there is another address I can send mail to, but at this point it is clear to me that win4now is exhibiting all the signs of spammers and scammers. They are avoiding email to privacy@; they do no form of confirmation, not even a welcome message giving me the chance to inform them this registration is fraudulent; they are selling my address around, but there is no way for me to stop them from doing that. I have gone in and changed the preferences on that account, but given win4now’s sloppy system I do not actually believe that will have an effect.
Thanks to some helpful folks over at a large ISP, I have been contacted by people at emailinform. They have unsubscribed me from their list. They are also looking into the address purchase. I am expecting they will return with some IP address “confirming” that I signed up at win4now and that therefore their mail is not spam.
Let me be clear, an IP address is not consent. It may help jog a memory, or remind a user they did sign up. In this case, however, I can categorically say this was not me as I always use tagged addresses to sign up for mail. Furthermore, I am not a UK resident and am not eligible for any benefits of the signup at win4now or the products being marketed by emailinform.
Both of these situations speak to the importance of any group collecting email addresses, for any reason, incorporating some sort of confirmation into the signup process. Until the address has been confirmed, the only thing that should ever be sent to it is the confirmation request itself; certainly not a password reset, which hands the account to whoever actually reads that mailbox. While my preference is for positive confirmation (click here if this is you), even the bare minimum of negative confirmation (click here if this is not you) would have made win4now look slightly legitimate. As it is, they do not seem any different from any other spammers collecting email addresses and selling them to all and sundry.
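To make the recommendation concrete, here is an added example that is not code from the original post or from any of the sites it names: a small Python sketch of a confirmed-opt-in signup store. Each signup produces two HMAC-signed, expiring, single-use links to mail to the address (“yes, this is me” and “no, this is not me”). Until the owner clicks the first, the address may neither be mailed nor passed to partners, and a password reset is refused, which closes the account-takeover path in the CircleID quote above. A “this is not me” click is honoured even after a confirmation and leaves a suppression entry so the address cannot simply be re-added. The signing key, the 48-hour TTL, the class and method names and the e-mail addresses in the usage section are all assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed for this example: a real deployment keeps the key in a secrets store, not in code.
SERVER_SECRET = b"example-only-signing-key-change-me"
TOKEN_TTL_SECONDS = 48 * 3600  # how long a "this is me / not me" link stays valid (assumed)


@dataclass
class Account:
    email: str
    created: int
    confirmed: bool = False  # address owner clicked "yes, this is me"
    denied: bool = False     # address owner clicked "no, this is not me"


class SignupStore:
    """Confirmed opt-in: nothing downstream trusts an address until its owner says so."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock so expiry can be tested
        self.accounts: dict[str, Account] = {}
        self.used_nonces: set[str] = set()    # makes every link single-use

    def _token(self, email, action, expires):
        # Payload puts the e-mail last so split(":", 3) survives any ':' inside the address.
        nonce = secrets.token_urlsafe(16)
        payload = f"{action}:{expires}:{nonce}:{email}".encode()
        sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def signup(self, email):
        """Create an unconfirmed account; return the (confirm, deny) links to mail to the address."""
        email = email.strip().lower()
        if email in self.accounts:            # a denied entry also blocks re-registration
            raise ValueError("address already registered or suppressed")
        self.accounts[email] = Account(email=email, created=int(self.now()))
        expires = int(self.now()) + TOKEN_TTL_SECONDS
        return self._token(email, "confirm", expires), self._token(email, "deny", expires)

    def _verify(self, token, expected_action):
        """Return the address a token was issued for, or None if it is forged, expired, wrong or reused."""
        try:
            payload_b64, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64.encode())
            action, expires, nonce, email = payload.decode().split(":", 3)
        except ValueError:                    # covers bad base64, missing fields, bad UTF-8
            return None
        good = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, sig):  # constant-time compare of the signature
            return None
        if action != expected_action or int(expires) < int(self.now()) or nonce in self.used_nonces:
            return None
        self.used_nonces.add(nonce)
        return email

    def confirm(self, token):
        """Positive confirmation: 'yes, this is me'."""
        email = self._verify(token, "confirm")
        acct = self.accounts.get(email)
        if acct is None or acct.denied:
            return False
        acct.confirmed = True
        return True

    def deny(self, token):
        """Negative confirmation: 'this is not me'. Honoured even after a confirm so the real owner can always stop the mail."""
        email = self._verify(token, "deny")
        acct = self.accounts.get(email)
        if acct is None:
            return False
        acct.denied, acct.confirmed = True, False
        return True

    def may_send_to(self, email):
        """Only a confirmed, non-denied address may receive marketing or be passed to anyone else."""
        acct = self.accounts.get(email)
        return acct is not None and acct.confirmed and not acct.denied

    def password_reset_allowed(self, email):
        """A reset mailed to an unconfirmed address gives the account to whoever reads that mailbox."""
        return self.may_send_to(email)

    def purge_unconfirmed(self):
        """Drop signups whose links expired without a click; denied entries stay as a suppression list."""
        cutoff = int(self.now()) - TOKEN_TTL_SECONDS
        stale = [e for e, a in self.accounts.items() if not a.confirmed and not a.denied and a.created < cutoff]
        for e in stale:
            del self.accounts[e]
        return len(stale)


if __name__ == "__main__":
    store = SignupStore()
    confirm_link, deny_link = store.signup("Someone@Example.com")  # constructed address
    print("reset allowed before confirmation:", store.password_reset_allowed("someone@example.com"))
    store.confirm(confirm_link)
    print("reset allowed after confirmation:", store.password_reset_allowed("someone@example.com"))
```

The two links are the whole of what gets mailed; the signature binds the action, expiry and address together, so a link for one address cannot be edited into a link for another, and the nonce set stops a forwarded or logged link from being replayed. An IP address recorded at signup time belongs in the audit log, not in this decision: as the post says, it is not consent.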
My specific situation also speaks to the importance of being contactable by people. Do not make it hard for your recipients to contact a person inside your organization. These are your customers; there is no reason to avoid them. The dodging and weaving looks suspiciously like you are a spammer.
Yes, I’ve received a number of win4now.co.uk mails in recent days. Having checked more closely I see that I also have mail from emailinform.com as well now.
Might be interesting to try and trace back /this/ signup too…
Amen! When I used jay@aol.com as my daily e-mail address (this was cool once; trust me), about 2/3 of my inbox was “misguided” e-mail. It was very helpful in making decisions about which web sites had good e-mail hygiene. If nothing else, you could expect a form letter from me pointing that out. It led to some very productive discussions (and taught me a lot about UI design).
My favorite misguided e-mail was the reservation confirmation for the fly-in hooker… sadly, several thousand miles away, or I might have met the “other Jay” at the airport to have a little chat.
I tend to use the “joe@aol.com” example with clients to explain why you need to verify addresses. I think I’m going to have to use jay and the hooker from now on.
I have this feeling we crossed path years ago (back when I was abuse@) but I can’t pinpoint where.
Laura, how does one get a hold of you? Do you have an email address? Thanks.
Hi, Jennifer, wordtothewise
I emailed you directly, but I can be reached at laura-blog
Hi Laura,
I’ve stumbled across this site and read your concerns about win4now.
I’m sorry this is a long time after the problem, but I’d like to help solve your problem if I can.
Our privacy email address gets forwarded on to our customer services department. Please email me at adele @ win4now co uk and I’ll ensure someone helps you.
Adele at Win4now
Having personally received spam this morning from netflip.co.uk AKA smartspend.co.uk AKA submissiontechnology.co.uk, who after being SBL’d for sending it tell me they acquired my email address from win4now.co.uk, I see that win4now.co.uk is still running an open list.
Checking our database I find that win4now.co.uk’s 213.86.174.170 is currently still on the SBL for spamming from Colt.net, win4now.co.uk appears in an SBL listing of customermails.com SBL’d for spamming from Clara.net, and was involved in spam sent by emailinform.ccemails.com spamming from Cogento.com.
I think carrots may have failed and it’s probably time for a rather large stick…
Steve Linford
Chief Stick Wielder
The Spamhaus Project
Thankfully BT diverts the vast majority of the spam I receive to a separate folder which I check occasionally in case of the odd genuine post.
They also facilitate the use of temporary/disposable email addresses, which I’ve now realised are a real boon.
BT is oft maligned but I for one reckon you only get what you pay for and have never had a problem.