forwarding email address compromised


Postby nexis » Thu May 27, 2004 6:47 pm

Today I filled out a form to download a program. I used my spamgourmet address for the email field.

I received 2 emails that spamgourmet forwarded from the company where I filled out the form. However, I then received a 3rd email DIRECTLY from the company that was sent directly to my email address. A quick look at the headers showed there was no reference to spamgourmet at all.

What's up with that? The whole reason for using spamgourmet is to prevent someone from discovering your email address. My current experience has just demonstrated that spamgourmet obviously doesn't work.
nexis
 

Postby josh » Thu May 27, 2004 7:02 pm

Did you reply to one of the messages? If so, did you have "reply address masking" enabled?
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby SysKoll » Thu May 27, 2004 8:22 pm

Nexis,

You write:

My current experience has just demonstrated that spamgourmet obviously doesn't work.


Fine, we'll give you your money back.

Seriously, I believe this broad statement is unfair. Please double-check the emails you sent to this company, make sure that:

1. your "reply address masking" option is enabled
2. Your email client does not add signatures or otherwise reveal your forwarding email address (a common problem).

What email client do you use to correspond with this company?
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

HTML/Graphics Enabled?

Postby magik » Thu May 27, 2004 9:18 pm

Make sure you disable automatic viewing of HTML and/or Graphics in your e-mail client because there are countless scripts that can run in the 'background' of an e-mail message that can grab cookies along with other vital information possibly containing your legit e-mail address.

Don't be quick to blame spamgourmet, it's definitely the best thing since sliced bread! :P
magik
 

Postby nexis » Fri May 28, 2004 1:50 am

SysKoll wrote: Nexis,



Fine, we'll give you your money back.

Seriously, I believe this broad statement is unfair. Please double-check the emails you sent to this company, make sure that:

1. your "reply address masking" option is enabled
2. Your email client does not add signatures or otherwise reveal your forwarding email address (a common problem).

What email client do you use to correspond with this company?


Here's the kicker...I didn't use an email client. I only filled out 1 online form that took me to a download section that I didn't even use (i.e., didn't download anything).

For my client, I use Kmail in a Slackware environment. But again, that's a moot point because I didn't use a client. As for my browser, I was using FireFox .8 in that same Slackware environment.

So, here's the bottom line: I filled out 1 online form then received 3 messages from this company, 2 were forwarded from spamgourmet, the 3rd came directly from the company.

It would seem to me that spamgourmet would want to know how this compromise occurred, if nothing else, just to warn others that a compromise can occur. The site I visited was journyx.com.

Now that I think about it, I got to the site by clicking an adlink on google. I wasn't googling for what the link was selling but I went there anyway, saw something, then decided to download. Be that as it may, there's no way google can know my Yahoo address and pass that on to the company (I looked at the source of the link and if there was a reference to my address, it was encoded).

FWIW (in case anyone wants to reproduce this), I googled:
guide give understand involve daily expect "proverbs 3:5-6"

Also, FWIW, in the last message, the salesman said he would give me a call to discuss my needs. After 3 (virtually instantaneous) messages, I consider that to be harassment. Good thing I gave him the phone number for information in Arizona. :)

Sorry this was so long but I tried to give lots of info in case anyone cared to reproduce the problem. Also, for logistic reasons, I won't be able to respond to any more messages for about a week and a half. So, don't think I'm ignoring your replies. I'll check back then and see if the conversation continued any. I really am interested to know how the address was compromised.

Can I get a cashier's check on the refund? :)
nexis
 

Re: HTML/Graphics Enabled?

Postby nexis » Fri May 28, 2004 1:53 am

magik wrote: Make sure you disable automatic viewing of HTML and/or Graphics in your e-mail client because there are countless scripts that can run in the 'background' of an e-mail message that can grab cookies along with other vital information possibly containing your legit e-mail address.

Don't be quick to blame spamgourmet, it's definitely the best thing since sliced bread! :P


I guess in my initial post, I should have stated that I didn't use an email client. I used my browser to fill out an online form.
nexis
 

Postby SysKoll » Fri May 28, 2004 2:17 am

A few questions:

1. Are you sure that this 3rd message was directly addressed to your forwarding email address?

2. Are you sure that the 3rd message wasn't a regular spam, that it was sent to you as a consequence of the initial contact?

3. Please check your browser settings. Check if your Konqueror or Mozilla is set to automatically send your email address as password for anonymous FTP login.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby SysKoll » Fri May 28, 2004 2:19 am

Nexis,

I visited the nexis.com site. The software download page wants your name, address, company, etc. Did you fill in that info with authentic data?

If so, I am afraid that it's not too hard for a determined salesman to find your "real" email address.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby Guest » Fri May 28, 2004 4:03 am

SysKoll wrote: Nexis,

I visited the nexis.com site. The software download page wants your name, address, company, etc. Did you fill in that info with authentic data?

If so, I am afraid that it's not too hard for a determined salesman to find your "real" email address.


I'm sure you meant "journx.com", but I'll try to answer both your posts at once.

I didn't FTP anything. Firefox does remember passwords, but the online form I filled out wasn't a registration. I wasn't logging onto the site, just filling out the questionnaire.

The online form did ask for specific information, but what I gave him was all bogus except my name. BTW, I googled my name and found more than 1500 references to it with only a handful belonging to me and less than that had the email address in question (other google results had other email addresses of mine). So it's kinda doubtful that he would zero in on my address based on a google search.

I am including the headers of two of the messages I received from them, the second and third messages. In the first snippet (second message), you'll note references to spamgourmet along with my forwarded email address embedded into it (for obvious reasons). In the second snippet (3rd message), you'll note it is NOT a forward. It came directly from the company and directly to me.

To sum up:
1) I went to a site (just once)
2) I filled out an online form with bogus information (except my name)
3) I did not register or sign up for anything
4) I did not ftp.
5) I, in fact, didn't download anything. I closed the browser window at the point of download because the site only had software for Redhat which I don't use.
6) I received 2 forwarded messages from journx.com
7) I received 1 message directly from journx.com directly to my email address.
8) It would behoove us all to know how they got ahold of the email address

In the posts here, people have generously recommended that I make sure my email client was configured properly, my browser was configured properly, I didn't give traceable information, and a few other things. While I appreciate the suggestions, deep down, I don't think they get at the heart of the problem. If there's something I did to compromise my own address, I'd certainly like to know. But you can clearly see in the above list that I didn't do anything out of the ordinary. I'm half thinking about giving this guy a call to find out how he did it. Maybe his answer could benefit sites like spamgourmet.com.

Hey, try this:
Maybe someone should set up a new yahoo account (don't use a current one), search for the google query I listed in a previous post, click on the adlink, click the link for downloading the invoice program for Unix/linux, fill out the form with bogus information, except use your real name and a spamgourmet.com email address. Let it take you to the download section. Then DON'T download anything.

Sit back and relax. Pretty soon you may get a visit from toothfairy. OK, I'm being silly, but I bet you get an email visit from a salesman.

Here are the header snippets (thanks for looking into this)...

=========================================
message header #2
(btw, there's a reference to a salesforce.com. Don't know who they are but I never visited them).
=========================================
X-Apparently-To: [snip - real address] via 66.218.93.47; Thu, 27 May 2004 09:53:59 -0700
Return-Path: <snip>
Received: from 63.146.199.14 (EHLO gw2.salesforce.com) (63.146.199.14) by mta179.mail.dcn.yahoo.com with SMTP; Thu, 27 May 2004 09:53:59 -0700
Received: from na0-app05 (localhost.localdomain [127.0.0.1]) by na0-app05.eng.salesforce.com (Postfix) with ESMTP id 9CD112800C for <[snip - real address]>; Thu, 27 May 2004 16:53:53 +0000 (GMT)
Received: from [66.219.41.226] by ssl.salesforce.com via HTTP; Thu, 27 May 2004 09:53:53 -0700
Message-ID: <22410455.1085676833641.JavaMail.sfdc@na0-app05>
Date: Thu, 27 May 2004 16:53:53 +0000 (GMT)
From: <snip> Add to Address Book
To: "[snip - real address]" <[snip - real address]>
Subject: Journyx Solution
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_13492_22213900.1085676833640"
X-SFDC-User: 00500000006ooFs
X-Sender: <snip>
X-mail_abuse_inquiries: http://www.salesforce.com/us/customercare/abuse.jsp
Content-Length: 21249
===================================

message header #3.
(note: no reference at all to spamgourmet.)
===================================
X-Apparently-To: [snip - real address] via 66.218.93.47; Thu, 27 May 2004 09:53:59 -0700
Return-Path: <snip>
Received: from 63.146.199.14 (EHLO gw2.salesforce.com) (63.146.199.14) by mta179.mail.dcn.yahoo.com with SMTP; Thu, 27 May 2004 09:53:59 -0700
Received: from na0-app05 (localhost.localdomain [127.0.0.1]) by na0-app05.eng.salesforce.com (Postfix) with ESMTP id 9CD112800C for <[snip - real address]>; Thu, 27 May 2004 16:53:53 +0000 (GMT)
Received: from [66.219.41.226] by ssl.salesforce.com via HTTP; Thu, 27 May 2004 09:53:53 -0700
Message-ID: <22410455.1085676833641.JavaMail.sfdc@na0-app05>
Date: Thu, 27 May 2004 16:53:53 +0000 (GMT)
From: <snip> Add to Address Book
To: "[snip - real address]" <[snip - real address]>
Subject: Journyx Solution
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_13492_22213900.1085676833640"
X-SFDC-User: 00500000006ooFs
X-Sender: postmaster@salesforce.com
X-mail_abuse_inquiries: http://www.salesforce.com/us/customercare/abuse.jsp
Content-Length: 21249
=========================================
Guest
 

Postby SysKoll » Fri May 28, 2004 7:24 pm

Nexis,

1. Please post while you're logged in when putting sensitive info online, for obvious reasons.
2. Redo your post. You cut-and-pasted twice the same header (apparently of your third message).
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Fri May 28, 2004 10:22 pm

Nexis,
I edited your post to remove your yahoo address -- it says [snip - real address] where it used to be (this board doesn't use AddressScrambler (yet)).

Those do appear to be from the same message -- they have the same message Id.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm
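The header comparison discussed above, as an added example that is not part of any post in this thread: it checks whether a message's Received chain names the forwarding service and whether two pasted header blocks are really the same message. `HEADER_2` and `HEADER_3` are trimmed from the blocks posted above; `FORWARDED` and its host names are constructed placeholders.

```python
import re
from email import message_from_string

FORWARDER = "spamgourmet.com"  # forwarding service discussed in the thread
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Trimmed from the two header blocks posted in the thread.
HEADER_2 = """\
Received: from 63.146.199.14 (EHLO gw2.salesforce.com) (63.146.199.14) by mta179.mail.dcn.yahoo.com with SMTP; Thu, 27 May 2004 09:53:59 -0700
Received: from [66.219.41.226] by ssl.salesforce.com via HTTP; Thu, 27 May 2004 09:53:53 -0700
Message-ID: <22410455.1085676833641.JavaMail.sfdc@na0-app05>
X-Sender: <snip>
"""
HEADER_3 = HEADER_2.replace("X-Sender: <snip>", "X-Sender: postmaster@salesforce.com")

# Constructed sample of a forwarded message; host names and IDs are placeholders.
FORWARDED = """\
Received: from mx.spamgourmet.com by mx.mailbox.example with ESMTP; Thu, 27 May 2004 09:50:00 -0700
Received: from mail.vendor.example by mx.spamgourmet.com with ESMTP; Thu, 27 May 2004 09:49:58 -0700
Message-ID: <constructed.1@mail.vendor.example>
"""

def parse(raw):
    """Parse a pasted header block into an email.message.Message."""
    return message_from_string(raw)

def hop_hosts(msg):
    """Return every host-like token named in the Received chain, lowercased."""
    hosts = []
    for value in msg.get_all("Received", []):
        hosts.extend(h.lower() for h in HOST_RE.findall(value))
    return hosts

def transited(msg, domain=FORWARDER):
    """True if a Received hop names the forwarder or one of its subdomains.
    Hops below your own provider's line are written by the sender's side,
    so treat a hit as a hint and a miss as the stronger signal."""
    return any(h == domain or h.endswith("." + domain) for h in hop_hosts(msg))

def same_message(a, b):
    """True if both header blocks carry the same non-empty Message-ID."""
    mid_a = (a["Message-ID"] or "").strip()
    mid_b = (b["Message-ID"] or "").strip()
    return bool(mid_a) and mid_a == mid_b

def differing_headers(a, b):
    """Names of headers whose values differ between two header blocks."""
    names = sorted({k.lower() for k in a.keys()} | {k.lower() for k in b.keys()})
    return [n for n in names if a.get_all(n) != b.get_all(n)]
```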

Postby vsp » Sun May 30, 2004 3:43 pm

Not that it is directly applicable to nexis's situation, but one way the forwarded to address can be compromised when you send mail to a recipient through SG is the (current) inability of SG to filter the original email ID from all headers in the sent message.

Please refer to thread http://bbs.spamgourmet.com/viewtopic.php?t=148
titled "Possible bug sending emails using disposable SG address"

A bit off topic, but a plug for an improvement I would strongly recommend.
vsp
 
Posts: 33
Joined: Thu Mar 04, 2004 3:24 pm
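A check for the two leak paths raised in this thread (a signature added by the mail client, and the real address surviving in some header of a sent message), as an added example that is not spamgourmet's code: it scans every header and the body of an outgoing message for the protected address. All addresses, host names and both sample messages are constructed placeholders, and which headers the service actually rewrites is not assumed.

```python
from email import message_from_string

# Constructed outgoing message that still exposes the real mailbox in several places.
LEAKY = """\
From: shop.3.user@spamgourmet.com
To: sales@vendor.example
Subject: Re: Thanks for your interest
Message-ID: <20040527.1234.realuser@mailbox.example>
X-Sender: realuser@mailbox.example
Received: from client.mailbox.example by smtp.mailbox.example; Thu, 27 May 2004 10:00:00 -0700

Please send the Linux build.
--
Real User <realuser@mailbox.example>
"""

# Constructed outgoing message with nothing pointing back to the real mailbox.
CLEAN = """\
From: shop.3.user@spamgourmet.com
To: sales@vendor.example
Subject: Re: Thanks for your interest
Message-ID: <constructed.2@spamgourmet.com>

Please send the Linux build.
"""

def find_leaks(raw_message, real_address):
    """Return sorted locations that expose real_address.

    'header:<name>'      the full address appears in that header
    'domain-only:<name>' only the mailbox provider's domain appears
                         (checked in Received and Message-ID)
    'body'               the address appears in the text, e.g. a signature
    """
    msg = message_from_string(raw_message)
    needle = real_address.lower()
    domain = needle.split("@", 1)[1]
    leaks = set()
    for name, value in msg.items():
        unfolded = " ".join(value.split()).lower()  # undo header folding
        if needle in unfolded:
            leaks.add("header:" + name.lower())
        elif name.lower() in ("received", "message-id") and domain in unfolded:
            leaks.add("domain-only:" + name.lower())
    body = msg.get_payload()
    if isinstance(body, str) and needle in body.lower():
        leaks.add("body")
    return sorted(leaks)
```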

But this thread is unfinished.

Postby one of the many guests » Wed Aug 25, 2004 11:35 am

But this thread is unfinished. Should it not be taken to its logical and consistent end? Am I missing something?

thanks for the link to the other text with a suggestion.
one of the many guests
 

Postby josh » Wed Aug 25, 2004 4:27 pm

see that other thread for "the end", and think of this post as being the end of this thread :)
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

