Companies that spam or sell your address!

General discussion re sg.

Re: SysKoll's First Law

Postby A_Guest » Wed Aug 09, 2006 6:16 pm


SysKoll's First Law (apologies to Clarke): "Any sufficiently retarded stupidity is indistinguishable from evil."


I LOVE this!! Would it be okay with you for me to use it in my email sig?
A_Guest
 
Posts: 3
Joined: Wed Aug 09, 2006 5:56 pm

Postby SysKoll » Thu Aug 10, 2006 12:23 am

Feel free! I write open source code, the least I could do is open-source my cynical one-liners.
-- SysKoll
SysKoll
 
Posts: 884
Joined: Thu Aug 28, 2003 9:24 pm

Postby A_Guest » Thu Aug 10, 2006 7:40 pm

Thanks! You wouldn't happen to have a second law and a third law lying around somewhere, would you? I'm always up for a good piece of snark.

To include something almost on topic, I did get one phishing email sent to the exclusive sg email address I used when I ordered something from GardensAlive.com. Unfortunately I didn't realize that you guys were collecting this sort of information, and I trashed it after complaining to the company about it. Their response was to provide me with a generic link explaining how one's email address could end up in a phisher's hands, and I let the whole thing drop. That was about a year ago, and no more unwanted emails have been sent to that address since then.
A_Guest
 
Posts: 3
Joined: Wed Aug 09, 2006 5:56 pm

Postby SysKoll » Fri Aug 11, 2006 1:55 pm

According to Netcraft, GardensAlive.com runs on Windows 2000:

OS: Windows 2000 Web server: Microsoft-IIS/5.0 IP:64.14.24.14

See http://uptime.netcraft.com/up/graph?sit ... salive.com.

Now, it's not too much of a stretch to imagine that their IIS (or any other Windows service) has been compromised and that someone stole their email address DB. I am curious: is this method explained in the email about how addresses can get compromised? Or are they simply blaming users?
-- SysKoll
SysKoll
 
Posts: 884
Joined: Thu Aug 28, 2003 9:24 pm

Postby A_Guest » Sun Aug 13, 2006 6:16 pm

SysKoll wrote: Now, it's not too much of a stretch to imagine that their IIS (or any other Windows service) has been compromised and that someone stole their email address DB. I am curious: is this method explained in the email about how addresses can get compromised? Or are they simply blaming users?


That's a really good question. Due to what was said in the email, I assumed that they were simply blaming users, and I hit the delete button without ever clicking the link.
A_Guest
 
Posts: 3
Joined: Wed Aug 09, 2006 5:56 pm

Re: Ameritrade settlement

Postby jgombos » Wed Aug 30, 2006 4:10 am

SysKoll wrote: Any news on their [Ameritrade's] "investigation"?

No, haven't heard back from them. I still get spam - and it's no longer purely stock spam.

My next experiment is to periodically change my Ameritrade email address to alternate domain names, or a different 2nd field, to see if the attacker is still harvesting the database regularly.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Postby burnt » Fri Sep 01, 2006 4:22 am

Here is a confirmed case of this type of occurrence:
http://www.workforce.com/
Title: Workforce Management: information on employment law, human resource development and human resource management.

A very good resource when I needed to research some labor law issues. The price: spam
The remedy: spamgourmet
It works!
burnt
 
Posts: 6
Joined: Tue Nov 01, 2005 5:22 pm

Postby SysKoll » Sun Sep 03, 2006 3:23 am

burnt wrote: Here is a confirmed case of this type of occurrence:
http://www.workforce.com/


Can you detail what you mean by that? Got some spam from them?
-- SysKoll
SysKoll
 
Posts: 884
Joined: Thu Aug 28, 2003 9:24 pm

TD Ameritrade sells your address.

Postby jlseagull » Tue Nov 28, 2006 11:44 pm

A month after I signed up for a brokerage account, I started getting stock pump-and-dump spam on a unique address given only to them. Their customer service at first tried to blame me, then blamed "brute-force" generated email addresses. They insist it's not them.

I'm considering closing my account there.
jlseagull
 
Posts: 2
Joined: Sun Nov 27, 2005 9:28 pm

Postby SysKoll » Wed Nov 29, 2006 11:35 pm

jlseagull,

Is it still Ameritrade? Do you have a header that you could PM me?

Also, the problem is that if you are running Windows, the customer service will always be able to invoke the excuse that "the clueless user got an address-slurping virus and blames us". Even if it's not the case here, this is such a common occurrence that it's their first reaction.

jgombos, jlseagull, I'd like you to PM me the disposable address you gave to Ameritrade. If it's OK with you, I'll anonymize the info and contact a security researcher about this issue.
-- SysKoll
SysKoll
 
Posts: 884
Joined: Thu Aug 28, 2003 9:24 pm

Postby jlseagull » Thu Nov 30, 2006 6:31 pm

SysKoll,

Ameritrade is now TD Ameritrade.

PM sent with header.
jlseagull
 
Posts: 2
Joined: Sun Nov 27, 2005 9:28 pm

Postby tcgraham » Wed Dec 27, 2006 12:44 am

SPAM received. SG disposable address used only once with each site.

Applebees - 11330 in 31 months, 365 per month
Woot.com - 8864 in 4.5 months, 2000 per month

Woot.com is a retail site. Their gimmick is that they sell only one product each day. I confronted/accused them. They denied spamming.
tcgraham
 
Posts: 16
Joined: Mon Oct 27, 2003 7:51 pm
Location: Florida

Postby SysKoll » Wed Jan 03, 2007 6:49 pm

Netcraft reveals that woot.com is running Microsoft-IIS/6.0 under Windows Server 2003. So for all we know, their server might be infected with spambot viruses collecting email addresses.
-- SysKoll
SysKoll
 
Posts: 884
Joined: Thu Aug 28, 2003 9:24 pm

Postby boomschtick » Sat Feb 10, 2007 4:28 pm

YourGiftCards.com 1215 blocked since account created 2/14/06
allofmp3.com 573 blocked since account created 5/26/06 (all porn spam)

Both used exclusively on their sites.
boomschtick
 
Posts: 15
Joined: Fri Feb 09, 2007 10:14 pm

Postby Elvey » Sun Jun 24, 2007 3:26 am

I'M GONNA SUE! No, really - in fact I ALREADY HAVE.

Ok, put up or shut up, folks. :oops: You said you wanted a lawyer who was interested? :x I found one, and he's taken the case, on contingency. So grab a torch and pitchfork and join me! :twisted:

Well, I was in the same boat as everyone else, but I bit the bullet, contacted and retained a lawyer. A class action claim has been filed against TD Ameritrade in my name. You can sign on as well. Join the fight!
I had no idea how long this had been going on. There's some info and a FORM-CLICK HERE you can fill out if you might want to join the suit. The laws are such that class representatives are needed who reside in Alabama, Kansas, Illinois, Florida, Michigan, Missouri, New Jersey, Washington, Wisconsin, and/or West Virginia. It's my understanding that in these states, only, you can't sign away your right to be part of a class action suit - i.e. agreements to do so are unenforceable. Looks like there are dozens of folks who have also noticed the problem and have used disposable email addresses and could join, like Seth Breidbart (of Breidbart Index fame). Mention your handle here if you fill out the form.

Oh, and if spamgourmet itself is interested, that would be great!!!

The email addresses I gave to Ameritrade were of the form of spamgourmet's high security addresses. The addresses were valid for years before I gave 'em to Ameritrade, and I received no mail in that time. Many other valid addresses have also received no mail to date.

Oh and I got malware? I don't think so. Mac OS X with nothing extra on it but mozilla apps, used for nothing but my TD Ameritrade account. After they provided my address to the pump 'n dump crew the first time, I made sure there were no excuses left to point to on my end.

Ameritrade initiated the spam by providing my address, and the addresses of the other complainants on this thread and others, to the system that fed the botnet that executed the requisite SMTP commands. And all the spam to date is stock spam. Kryai's right; it's sad that efforts like his (I've done the same) to responsibly report security flaws are routinely ignored.

Why do they deserve this?
I think Ameritrade has repeatedly lied to their customers about the problem for years, instead of fixing it. That's the kind of gross negligence that merits legal action. And that's assuming Ameritrade even has a security problem, as opposed to a lack-of-ethics problem. Perhaps Ameritrade didn't send the spam, the logic being that they make serious money already, and hence wouldn't be so stupid as to set themselves up for such a huge liability. I somewhat buy the argument; however, Skilling and Fastow et al. of Enron were dumb enough to set themselves up! Smart people do incredibly stupid things with great regularity. (There's even a book with approximately that title about it!)
Elvey
 
Posts: 17
Joined: Wed Jun 13, 2007 2:17 am
