The Real Story

We’ve heard this story before.

Someone gives an email address to a company. That company sends them email via an ESP for several years.
Hackers break in to the ESP and steal a bunch of email addresses.
The original address owner starts getting targeted and random spam to that email address.

The reality is rarely quite that simple. Here’s my version of this story. The names have been left in, but some of them are quite innocent.
In July 2009, I gave a unique email address to Dell as part of a purchase of some servers. Over the following two years, Dell sent me quite a lot of email, sometimes from their own systems, sometimes through their main ESP (Epsilon / Bigfoot Interactive), occasionally through a subcontractor who handles customer surveys for them.
In mid-May 2011, I started receiving spam from Intervision – a local company that does Enterprise IT integration – to that unique email address. Then, on June 3rd, I started getting a stream of spam from Russia for replica watches and viagra.
Epsilon were compromised back in October, and had a bunch of email lists stolen, and “we” started noticing spam going to some of those addresses at the end of May. It really looks like Intervision were one of the early purchasers of the stolen email addresses, and so might be able to point the finger at someone closely connected to the Epsilon breach.
Intervision were very responsive, and open about how they work. They do buy lists from list vendors – jigsaw was the name that was mentioned – and acquire them from partners, but they keep a reasonable trail of when and where. They were much more professional than many companies who are caught with their hand in the cookie jar.
They’d acquired my (unique to Dell) email address over a year ago, in March 2010, as part of a list labeled “Dell Sales Leads”. But they hadn’t had anyone in-house handling email marketing, so they hadn’t started to send “email blasts” until they hired someone to do that, this May.
So the real story doesn’t involve a data breach at Epsilon at all. A more accurate version of the story would be something like this.

Dell’s sales team or one of their sales associates is trading or selling lists of Dell customer addresses.
Intervision acquired those lists via a route that may be a bit dubious, but certainly doesn’t have the drama of hacking.
When they started sending mail to the old lists they’d acquired, either Intervision or their ESP (Jangomail) had a data leak of some sort, which lead to those old lists ending up in the hands of the usual criminal spammers with .ru domains.

It’s still an interesting story, but entirely different from what I was expecting. Some of the people I thought were probably responsible for the spam, aren’t. Some of those I thought were innocent of any bad practice are probably up to their necks in it. You just can’t tell until you find the real story.

Related Posts

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Read More

MAAWG: Just keeps getting better

Last week was the 22nd meeting of the Messaging Anti-Abuse Working Group (MAAWG). While I am prohibited from talking about specifics because of the closed door nature of the group, I can say I came out of the conference exhausted (as usual) and energized (perhaps not as usual).
The folks at MAAWG work hard and play even harder.
I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.
Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.
I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.
There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.
If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunit to participate in an organization actively making email, and other types of messaging, better for everyone.
(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)
Plus, if you join before October, you can meet up with us in Paris.

Read More

New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.

Read More