Companies that spam or sell your address!

General discussion re sg.

Re: Verizon sells your email address to Cheetahmail

Postby SysKoll » Fri Dec 16, 2005 4:48 pm

theq wrote:Just because VZEMPL knows how to write a reasonable-sounding email doesn't change the fact his employer spams.

Spams. Got it? Spams.
Verizon sucks. SUCKS. SUCKITY-SUCK-SUCK-SUCKS.
(although, perhaps not as badly as Comcast)


They aren't that bad. For instance, they did take me off that list. I think it was mostly cluelessness, not evil.

The real issue is that thanks to successive mergers among US phone companies (made possible, if I understand correctly, by the Telecom Acts passed in the late 1990s), there is no more competition in the land-based phone market. Judge Green split AT&T 20 years ago, and the resulting baby Bells are now merged up in two monsters.

This means that phone companies can charge whatever they want for their DSL, and have only to compete against the IP-through-cable TV services, instead of fighting against incumbents. This doesn't encourage good service.

And note that they are paying people to google for "Verizon sucks" and take time to answer forums. Which means they actually care about their image.

So yes, they are quite clueless, but they are willing to improve, and that's more than what can be said for a lot of telcos out there. After all, remember that there is now a duopoly of land-based telcos in the US, thanks to successive mergers undoing the AT&T split that occurred 20 years ago. Which means that you don't have much choice for DSL. So I'm counting my blessings: Verizon could be much, much worse and still get away with it.
Last edited by SysKoll on Fri Dec 16, 2005 4:57 pm, edited 1 time in total.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Re: Ameritrade leaks addresses

Postby jgombos » Sat Dec 17, 2005 12:03 am

SysKoll wrote:The obvious would be to suspect they sold your address. Especially if you're getting stock spam and not the usual drugs and 419 spam. This would be particularly bad, since Ameritrade has a lot of info on their customers.

It's possible they sold it, but they outright deny sharing information, and claim that if my email was compromised that it was not from them. So I tend to trust their intent, and I also think the money they could get for the email isn't much for them, nor is it worth their risk. Reputation is very important to businesses that handle people's money. So I'm more inclined to think they are not careful enough, and employees most likely harvested the email addresses from the inside.
SysKoll wrote:However, before we put the blame on them, we need to eliminate other possibilities. Can you be totally, absolutely sure your own machine isn't leaking email addresses? If you are running Windows, you might have an email-address-scraping Trojan. Please check your machine very carefully. Ask for advice if needed. Let us know.

My email system is composed of mutt, procmail, and sendmail, all on a linux box. There is a Windows machine on the LAN for gaming (which is all Windows is good for), so I really doubt it was harvested from my machine. I have thousands of email addresses in my mail archive, and this would have to be very selective for the attacker to only target my ameritrade address (which I may not even have on my system.. I'm not even sure that Ameritrade ever used the email address themselves).. if they did, it's also possible that my ISP snagged it.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Crest Spinbrush Pro

Postby sgopal2 » Sun Dec 18, 2005 8:09 pm

Signed up for an online coupon from Crest Spinbrush Pro about a year ago (approx 12/2004). This morning I got a spam that was directed at my spinbrush spamgourmet account.

I set the counter on the spinbrush SG account to only 3 mails, but this got thru because the spammer figured out somehow that all mails from expedia.com is a trusted sender of mine. Also note on the CC line there are several other SG users that the spammer is aware of. Here is the email:
Code:
Received: by 10.48.224.6 with SMTP id w6cs48428nfg;
        Sun, 18 Dec 2005 06:50:46 -0800 (PST)
Received: by 10.65.183.7 with SMTP id k7mr1868795qbp;
        Sun, 18 Dec 2005 06:50:45 -0800 (PST)
Return-Path: <+spinbrush2+sgopal2+788569f44d.nfhggdaau?expedia.com@spamgourmet.com>
Received: from mta274.mail.mud.yahoo.com (mta274.mail.mud.yahoo.com [68.142.202.222])
        by mx.gmail.com with SMTP id e19si1886727qbe.2005.12.18.06.50.45;
        Sun, 18 Dec 2005 06:50:45 -0800 (PST)
Received-SPF: neutral (gmail.com: 68.142.202.222 is neither permitted nor denied by best guess record for domain of +spinbrush2+sgopal2+788569f44d.nfhggdaau#expedia.com@spamgourmet.com)
X-Rocket-Track: cat=UK; info=ip:NN<ip=216.218.230.146,policy=n-w0,n100,g0>;sv:UK<ip=68.142.202.224>;sg:UK<size=toosmall>
X-Originating-IP: [216.218.230.146]
Authentication-Results: mta274.mail.mud.yahoo.com
  from=spamgourmet.com; domainkeys=neutral (no sig)
Received: from 216.218.230.146  (EHLO gourmet.spamgourmet.com) (216.218.230.146)
  by mta274.mail.mud.yahoo.com with SMTP; Sun, 18 Dec 2005 06:50:44 -0800
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with ESMTP id jBIEqNON029374
   for <sgopal2@XXXX.com>; Sun, 18 Dec 2005 06:52:23 -0800
Received: (from jqh1@localhost)
   by gourmet.spamgourmet.com (8.12.11/8.12.11/Submit) id jBIEqMT9029371
   for sgopal2@XXXX.com; Sun, 18 Dec 2005 06:52:22 -0800
Received: from eu100-209-179.clientes.euskaltel.es (eu100-209-179.clientes.euskaltel.es [82.130.209.179])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with SMTP id jBIEqFW1029303;
   Sun, 18 Dec 2005 06:52:17 -0800
Received: from [62.40.192.106] (HELO  roentgen-wallon.be)
  by coup.net (CommuniGate Pro SMTP 3.5.9)
  with SMTP id 300663 for MacOSXServer@westinghouse.net; Sun, 18 Dec 2005 09:45:31 -0500
Date: Sun, 18 Dec 2005 15:44:31 +0100
From: "Mrs Massey - nfhggdaau@expedia.com" <+spinbrush2+sgopal2+788569f44d.nfhggdaau#expedia.com@spamgourmet.com>
Message-Id: <CFE0A9E2-AA79-11D6-9A51-003070398B8C@mac.com>
X-Accept-Language: en,zh-TW,zh-CN,zh,ja,ko,tr,ru
To: spider.3.frs99 AT SG
Cc: spinbrush2.3.sgopal2AT SG,
  spmtst4freetnvd.2.iridos AT SG, spud.1.starfire68 AT SG
Subject: his birthday? (expedia.com: trusted sender for your account)
Date: Sun, 18 Dec 2005 10:43:31 -0400
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Disposition: inline

hand made rolx immitation
as good as the original
make a perfect xmas present

feoyb.thereplicasonline.com/?smgukv

heyy, objectivity lindafirecrackercompressordoltishprosopopoeiagauntlet
repellingbudgetauthoritativehecktumponderous
wknkelarlhqe unmyy bnuzeecfc %RND_


Now Procter & Gamble is quite a big company and I doubt that they'd use targeted emails from Crest to start spamming their patrons. How did a spammer get a hold of this?

Edit by syskoll: Neutralized addresses by replacing @spamgourmet.com with AT SG.
sgopal2
 
Posts: 3
Joined: Tue Oct 25, 2005 12:03 pm

Re: Ameritrade leaks addresses

Postby SysKoll » Tue Dec 20, 2005 4:25 am

jgombos wrote:My email system is composed of mutt, procmail, and sendmail, all on a linux box. There is a Windows machine on the LAN for gaming (which is all Windows is good for), so I really doubt it was harvested from my machine. I have thousands of email addresses in my mail archive, and this would have to be very selective for the attacker to only target my ameritrade address (which I may not even have on my system).


I take it that you never emailed Ameritrade, so that the address could NOT have been captured on your system, even if you were running an owned Windows box (aren't they all).

Indeed, I agree with your analysis. Linux machines are immune to email-collecting bots. So this means Ameritrade has either a system that leaks like a sieve, or more likely some underpaid temps collecting email addresses to sell to stock scammers.

Either case is rather disquieting. I'd contact the security and fraud dept at Ameritrade ( 800-669-3900 during business hours, ask for a security specialist), get a guy who knows what Linux is, explain the situation to him, and see what's the answer. Make sure to mention that you're not running Windows, that the address is Ameritrade-specific and that the address has been sold only to stock scammers, indicating a targeted address theft.

Please post the answer here. If Ameritrade is unresponsive and you need to push things, I can involve security-oriented web site. Why, it would even make a juicy Slashdot story.

Please let us know if you managed to get Ameritrade's attention.

Looking forward to hearing from you.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Re: Crest Spinbrush Pro

Postby SysKoll » Tue Dec 20, 2005 4:49 am

sgopal2 wrote:Now Procter & Gamble is quite a big company and I doubt that they'd use targeted emails from Crest to start spamming their patrons. How did a spammer get a hold of this?


First, the expedia part:

The spambot (apparently running on an owned Windows box in Spain) just selected a random "from" address with a random real domain, maybe selected from the outgoing email box from the victim. The fact that it picked expedia.com, which happens to be a trusted domain for you, is pure coincidence.

Now the sad part: email addresses of the promotion participants were probably, at one point, transferred to some marketing department's machine, most obviously a Windows box, which promptly got Trojaned (or was already owned) and sent to a collector spamserver all the addresses it found in its list.

The sad fact is that countless corporations are unwillingly feeding collector spambots by letting employees hold corporate data on Windows machines. Sometimes, it's a biggy, such as the CardSystems credit card processor that put millions of card numbers on an owned Windows laptop and had these CC numbers stolen. The badly shaken CardSystems has been recently acquired for less than $50 million by Pay By Touch, a small payment systems company.

Now that I think of it, there have been another 2 cases of firms almost going under because of Windows security flaws just recently: Diebold (using Windows for voting system security, really smart) and OneSuite Corp (Windows billing server going down for a week, costing the company a fortune).
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Applebee's restaurant

Postby tcgraham » Mon Jan 02, 2006 1:33 am

Entered a contest sponsored by Applebees restaurant. Used unique email address. In 20 months have received 4000 emails to this address. Called Applebees and complained. They denied knowing anything about this. Thank goodness for Spamgourmet.
tcgraham
 
Posts: 16
Joined: Mon Oct 27, 2003 7:51 pm
Location: Florida

Re: Applebee's restaurant

Postby SysKoll » Mon Jan 02, 2006 5:19 am

tcgraham wrote:Entered a contest sponsored by Applebees restaurant. Used unique email address. In 20 months have received 4000 emails to this address. Called Applebees and complained. They denied knowing anything about this. Thank goodness for Spamgourmet.


So Applebee's serves you spam and denies it, eh? That might even be true, you know. The culprit could be the subcontractor that they hired for running the contest and processing the emails. Or maybe the subcontractor was honest, and they gave the list of registered addresses (including yours) to Applebee's marketing department, which promptly copied the file to a Windows PC infested by 17 different spambot address collectors.

Remember, folks, evil actually takes work and planning, and comes back to haunt you. Cluelessness is a side effect of doing your job with a minimum of effort, and it keeps the culprits oblivious so that they sleep at night, too. And the effects are pretty much the same. I should know, I goofed a few times.

SysKoll's First Law (apologies to Clarke): "Any sufficiently retarded stupidity is indistinguishable from evil."
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Re: Ameritrade leaks addresses

Postby jgombos » Tue Jan 10, 2006 2:06 am

SysKoll wrote:I take it that you never emailed Ameritrade, so that the address could NOT have been captured on your system, even if you were running an owned Windows box (aren't they all).

I just ran grepmail on my mutt archive. I notice that for 6 weeks prior to the first spam on 10/31, Ameritrade had sent me 30 legitimate messages, two of which I replied to.

I still don't believe anyone has penetrated my linux box to harvest anything. The only reasonable explanation (other than Ameritrade's negligence) would be that my ISP, or any node between myself and ameritrade, sniffed out the email address. It's probably just enough of a possibility that Ameritrade can deny leaking it. It would really be interesting to know whether other spamgourmet users have had the same situation - and even more interesting if they could compare spam with me to see if they received the same ones.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Re: Ameritrade leaks addresses

Postby SysKoll » Tue Jan 10, 2006 3:55 am

jgombos wrote:I just ran grepmail on my mutt archive. I notice that for 6 weeks prior to the first spam on 10/31, Ameritrade had sent me 30 legitimate messages, two of which I replied to.


Interesting... Can you grab one of these old messages from Ameritrade and post the header (with your address replaced by XXXX of course)? That would help me determine how likely interception was.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Re: Ameritrade leaks addresses

Postby jgombos » Thu Jan 12, 2006 12:52 am

SysKoll wrote:Interesting... Can you grab one of these old messages from Ameritrade and post the header (with your address replaced by XXXX of course)? That would help me determine how likely interception was.

Code:
From starting@ameritrade.com  Tue Aug 16 20:56:26 2005
Return-Path: <starting@ameritrade.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
   by tango.mindfuq.org (8.12.8/8.12.8) with ESMTP id j7H0uP75023630
   for <xxx@localhost>; Tue, 16 Aug 2005 20:56:26 -0400
Received: from mail.plexicomm.net
   by localhost with POP3 (fetchmail-6.2.5)
   for xxx@localhost (single-drop); Tue, 16 Aug 2005 18:56:26 -0600 (MDT)
Received: from gourmet.spamgourmet.com ([216.218.230.146])
        by mail.plexicomm.net (Merak 7.6.4) with ESMTP id KMA74788
        for <xxx@binghamtonwireless.com>; Tue, 16 Aug 2005 20:31:41 -0400
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with ESMTP id j7H0WIpw014464
   for <xxx@binghamtonwireless.com>; Tue, 16 Aug 2005 17:32:18 -0700
Received: (from jqh1@localhost)
   by gourmet.spamgourmet.com (8.12.11/8.12.11/Submit) id j7H0WIEk014463
   for xxx@binghamtonwireless.com; Tue, 16 Aug 2005 17:32:18 -0700
Received: from kcmailoutext1.ameritrade.com (kcmailoutext1.ameritrade.com [198.200.171.236])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with ESMTP id j7H0WInU014459
   for <ameritrade.xxx.xxx@spamgourmet.com>; Tue, 16 Aug 2005 17:32:18 -0700
Message-ID: <2483059.1124238695379.JavaMail.SYSTEM@kscdckana1>
Date: Tue, 16 Aug 2005 19:31:34 -0500 (CDT)
From: Ameritrade New Accounts <starting@ameritrade.com>
To: xxx <ameritrade.xxx.xxx@spamgourmet.com>
Subject: E-mail Inquiry Received - Thank You  (KMM28031117I20725L0KM) (ameritrade: message 1 of 2)
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
x-mailer: KANA Response 7.6.0.17.8.1
Status: RO
Content-Length: 529
Lines: 7

Thank you for contacting Ameritrade!  This is an automated message acknowledging that your e-mail message was received. 

The case number for your inquiry is xxx.  Please refer to this number in future correspondence regarding this issue.

It is our goal to provide you with unsurpassed e-mail support.  An Ameritrade representative will attend to your message shortly.  For urgent inquiries you may reach us by phone at 800-454-9272 or 402-970-5805, 24 hours a day, 7 days a week (excluding market holidays).

Thank you.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Postby SysKoll » Thu Jan 12, 2006 3:31 pm

The headers indicate that the email went straight from their server to the SG server. Which makes it unlikely that your email address was intercepted in a sniffed message.

That leaves only 2 possible places for your address to have leaked: their systems and your machine.

Since your machine is a pretty much watertight Linux no-nonsense client, the source of the leak is theirs. Intern collecting addresses maybe?

I would DEFINITELY call their fraud department and explain the problem. The fact that you got spam targeting financial activities seems to indicate it wasn't a random spambot, but a deliberate address theft.

What was the nature of the spam you received? Were they investment spam, such as pump-and-dump penny stock scams?
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Postby SysKoll » Thu Jan 12, 2006 3:38 pm

Correction: plexicomm.net, the destination for the email you posted, is running Windows 2000. So they are conceivably a source of leaks. However, if their machines were infested by spambots that had captured your address, you'd now get random spam at the disposable you gave to Ameritrade. Can you please confirm you got financial spam only?
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm
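
The hop-by-hop reading of the Ameritrade headers in the two posts above can be reproduced mechanically. This is an added example, not part of the original thread: the function names `hops`, `in_domain` and `exposure` are hypothetical, and the embedded headers are copied from the message jgombos posted.

```python
import re
from email import message_from_string

# Received chain copied from the Ameritrade message posted above (redacted as posted).
RAW = """\
Return-Path: <starting@ameritrade.com>
Received: from localhost (localhost.localdomain [127.0.0.1])
   by tango.mindfuq.org (8.12.8/8.12.8) with ESMTP id j7H0uP75023630
   for <xxx@localhost>; Tue, 16 Aug 2005 20:56:26 -0400
Received: from mail.plexicomm.net
   by localhost with POP3 (fetchmail-6.2.5)
   for xxx@localhost (single-drop); Tue, 16 Aug 2005 18:56:26 -0600 (MDT)
Received: from gourmet.spamgourmet.com ([216.218.230.146])
        by mail.plexicomm.net (Merak 7.6.4) with ESMTP id KMA74788
        for <xxx@binghamtonwireless.com>; Tue, 16 Aug 2005 20:31:41 -0400
Received: from gourmet.spamgourmet.com (localhost [127.0.0.1])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with ESMTP id j7H0WIpw014464
   for <xxx@binghamtonwireless.com>; Tue, 16 Aug 2005 17:32:18 -0700
Received: (from jqh1@localhost)
   by gourmet.spamgourmet.com (8.12.11/8.12.11/Submit) id j7H0WIEk014463
   for xxx@binghamtonwireless.com; Tue, 16 Aug 2005 17:32:18 -0700
Received: from kcmailoutext1.ameritrade.com (kcmailoutext1.ameritrade.com [198.200.171.236])
   by gourmet.spamgourmet.com (8.12.11/8.12.11) with ESMTP id j7H0WInU014459
   for <ameritrade.xxx.xxx@spamgourmet.com>; Tue, 16 Aug 2005 17:32:18 -0700
From: Ameritrade New Accounts <starting@ameritrade.com>
"""


def hops(raw):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        # "from" is the name the peer announced; local "(from user@host)" submits have none.
        src = re.match(r"\s*from\s+(\S+)", value)
        dst = re.search(r"\bby\s+(\S+)", value)
        out.append((src.group(1).lower() if src else None,
                    dst.group(1).lower() if dst else None))
    return out[::-1]  # every MTA prepends its header, so reverse for time order


def in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))


def exposure(raw, sender_domain, alias_domain):
    """Hosts outside sender/alias domains that handled the mail before and after the alias service."""
    path = hops(raw)
    entry = next(i for i, (_, by) in enumerate(path) if in_domain(by, alias_domain))
    ours = lambda h: in_domain(h, sender_domain) or in_domain(h, alias_domain)
    before = sorted({h for hop in path[:entry + 1] for h in hop if h and not ours(h)})
    after = sorted({by for _, by in path[entry + 1:]
                    if by and by != "localhost" and not ours(by)})
    return before, after


if __name__ == "__main__":
    print(exposure(RAW, "ameritrade.com", "spamgourmet.com"))
```

An empty `before` list corresponds to the direct handoff from the Ameritrade server to the SG server; the `after` list names the downstream hosts that also held a copy of the message, whose To: line carries the disposable address.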

Postby jgombos » Thu Jan 12, 2006 5:33 pm

SysKoll wrote:Can you please confirm you got financial spam only?

Yes, it's all stock related spam.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Re: Ameritrade leaks addresses

Postby jgombos » Fri Jan 13, 2006 11:23 pm

SysKoll wrote:Either case is rather disquieting. I'd contact the security and fraud dept at Ameritrade ( 800-669-3900 during business hours, ask for a security specialist), get a guy who knows what Linux is, explain the situation to him, and see what's the answer. Make sure to mention that you're not running Windows, that the address is Ameritrade-specific and that the address has been sold only to stock scammers, indicating a targeted address theft.

It was difficult to get a security specialist on the phone, because the general operator had to run me through a series of questions and advice designed for common dumb Windows users. I finally got to speak to a security rep, who offered to put locks on my account (in case I'm worried about other information being compromised). She then made a report and said it would be investigated. I hope the response will be better than Ameritrade's response to my email complaint, where they simply re-iterated all possibilities other than Ameritrade leaking the email address.
jgombos
 
Posts: 53
Joined: Wed Dec 14, 2005 3:28 am

Postby SysKoll » Sat Jan 14, 2006 3:07 pm

Great. It takes persistence indeed to pass the mandatory script-reading level 1 phone support. Please let us know the outcome of this.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm
