Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update: 2019: both articles are gone, a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire)  This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher, Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).


There are a couple interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:

[…] Nike, LifeLock, Liberty Mutual, Fidelity, MetLife, Victoria’s Secret, Kitchen Aide, Yankee Candle, Bath & Body Works, Gillette, Match.com, Dollar Shave Club, Dewalt, DirecTV, Covergirl, Clinique, Maybelline, Terminix, and AT&T.

This shouldn’t be a surprise to anyone who has been paying attention to the industry. We described this many years ago in a series of articles about mainstream spam. (Note: the organization in the article has cleaned up their act and no longer uses affiliates).
Addresses were collected through many ways, including the use of co-reg. Chris Vickery explains:

Well-informed individuals did not choose to sign up for bulk advertisements over a billion times. The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the “Submit” or “I agree” box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.
You are never told who the affiliates are and groups like River City Media capitalize on that aspect. One line of the leaked chat logs explains it all very succinctly:
“The key is sincerity.  Once you can fake that…”

Legitimate companies do buy co-reg data, still. The problem is that there’s no real permission associated with the address. In the absolute best case scenario, permission is taken by the co-reg provider rather than given by the recipient. All too many co-reg vendors go out of their way to hide the fact that they will sell the addresses in their privacy policies. This isn’t transparent. This isn’t real permission.
One argument I’ve heard over and over about laws, particularly CASL, is that it’s targeting the wrong companies. As the argument goes, the real problem with spam is spammers, not legitimate companies. But CASL and other laws target legitimate companies. I never really bought into that argument as it’s clear to me a lot of the money supporting spammers comes from the legitimate companies spending real marketing funds.
Legitimate companies are paying third parties to send spam on their behalf and are profiting. For a long time brands have pretended they’re not responsible for the mail. This recent breach shows that they are paying spammers to send mail on their behalf.
Looks like maybe the laws are targeting the right companies.

After this was posted, River City Media sued Chris Vickery and others. https://www.courtlistener.com/docket/4685667/1/river-city-media-llc-v-kromtech-alliance-corporation/. The case was settled in September 2018. 

February 2017: The Month In Email
Verizon changes but no time line

Related Posts

CBL issues

I started seeing some folks complain about false CBL listings a few hours ago. I’m now seeing the same folks saying the listings are being removed.
The symptoms look similar to what happened in November (mentioned here), but it appears the CBL team are on top of things and are working to rectify things quickly.

Read More

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Read More

ROKSO lawsuit settled

Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted.  Let me try to sum up.

Read More