Ask Slashdot: How To Convince a Company Their Subscriber List Is Compromised?

Soulskill posted about a year and a half ago | from the you-can-lead-a-horse-to-water dept.

Security 247

jetkins writes "As the owner of my own mail domain, I have the luxury of being able to create unique email addresses to use when registering with web sites and providers. So when I started to receive virus-infected emails recently, at an address that I created exclusively for use with a well-known provider of tools for the Systems Administration community (and which I have never used anywhere else), I knew immediately that either their systems or their subscriber list had been compromised. I passed my concerns on to a couple of their employees whom I know socially, and they informed me that they had passed it up the food chain. I have never received any sort of official response, nor seen any public notification or acceptance of this situation. When I received another virus-infected email at that same address this week, I posted a polite note on their Facebook page. Again, nothing. If it was a company in any other field, I might expect this degree of nonchalance, but given the fact that this company is staffed by — and primarily services — geeks, I'm a little taken aback by their apparent reticence. So, since the polite, behind-the-scenes approach appears to have no effect, I now throw it out to the group consciousness: Am I being paranoid, or are these folks being unreasonable in refusing to accept or even acknowledge that a problem might exist? What would you recommend as my next course of action?"

247 comments

Is it fixed? (5, Interesting)

CncRobot (2849261) | about a year and a half ago | (#42999979)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

Re:Is it fixed? (2, Interesting)

Anonymous Coward | about a year and a half ago | (#43000051)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it.

I was about to grab the pitchforks when I read this and thought it was actually a reasonable explanation. Mod parent up.

Re:Is it fixed? (-1, Offtopic)

Anonymous Coward | about a year and a half ago | (#43000137)

The Pentagon has been hiding evidence of alien contact for decades.

Agents from the Pentagon sometimes show up at random citizens' homes, demanding that they reveal what they know about oil.

It's hard to find experts willing to speak truthfully about this.

In the year that it happened, the Anthrax scare didn't receive nearly as much media attention as it should have. The Pentagon's censors were probably behind this.

If you've got your iPhone's location services turned on, Apple will share your location with the Pentagon. It's true. They don't even try to hide it.

If you speak out about this, you are practically assured to go missing. Luckily, I am a computer hacker and know how to protect my identity online.

When in doubt, question your world view. Ask yourself why you think in certain ways, and whether there is a better way to think. You may find yourself realizing a lot more about the world around you.

Re:Is it fixed? (-1)

Anonymous Coward | about a year and a half ago | (#43000379)

I'm still waiting on the evidence for all this garbage like "homosex", "evolution", "global warming", and "set theory" that they cram down out children's thoughts and pollute the minds of our young scholars with at their nasty colleges. Fuck the pentagon and their NWO bullshit.

Re:Is it fixed? (1)

Anonymous Coward | about a year and a half ago | (#43000067)

Out of all the responses, this is the most sensible one. And first post to boot. Congratulations, sir.

Re:Is it fixed? (2)

hawguy (1600213) | about a year and a half ago | (#43000071)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

If they don't acknowledge that there was even a problem, how would he know if it's "fixed"? Besides, if a customer list was stolen, it's likely more than just email addresses, and some states [wikipedia.org] require public disclosure if personal data is stolen.

Re:Is it fixed? (4, Interesting)

hedwards (940851) | about a year and a half ago | (#43000221)

If they do acknowledge the problem, how would he know if it's fixed? Once the data is out there, it's out there. Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

Re:Is it fixed? (5, Informative)

t4ng* (1092951) | about a year and a half ago | (#43000431)

Acknowledging it is likely to be against the advice of the company's attorneys whether or not it really is their fault.

Exactly. Datek or Ameritrade or TD Ameritrade, I forget at which point in their many buy-outs, has been repeatedly compromised in the past. At first they denied it and claimed that spammers had just guessed my email account. So each time I would create a new email account in my own domain consisting of a random collection of 12 letters, numbers, and punctuation marks. And each time they were compromised I would point out to them the impossibility of a spammer guessing my email account.

Finally, they just started a policy of sending me an email saying they are investigating it but their company policy does not allow them to give me any details of their findings or what, if anything, they did to fix it.

Re:Is it fixed? (4, Interesting)

codegen (103601) | about a year and a half ago | (#43000075)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

Maybe notify members of the list that the list has been compromised and they might be getting virus loaded emails?

Re:Is it fixed? (0)

Anonymous Coward | about a year and a half ago | (#43000237)

As far as we know they're not relaying mail with viruses attached. That's something everyone's mail service deals with silently anyway. Well, except for the guy running his own hobby mail server.

So, so far, all we know is that they have the word of someone they don't know that mentioned something through a casual acquaintance and posted on their facebook page.

Making any kind of premature announcement would be a little foolish. Particularly since it doesn't help the mail recipients at all. At that point, it's a speculative admission for the sake of... penance? To satisfy one person?

If he decides to escalate the situation, their response would probably be something like:

"We haven't seen evidence of this, but someone says they think someone got a copy of our email list. This should go without saying, but don't open emails from people you don't know and don't double-click attached executables because that would be retarded."

Re:Is it fixed? (4, Insightful)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43000079)

They need to at least confirm to him that they took him seriously and are at least attempting to track down the leak so that no more addresses leak out. Chances are they've got at least one PC with malware harvesting email addresses. If that's the case, they probably have other malware too.

Re:Is it fixed? (0)

Anonymous Coward | about a year and a half ago | (#43000337)

Or they were using an in-house mailing solution with a common web interface, and it just got scraped by being insecure, either at their own fault or insecurity in the package they were using. Anyone remember the old, very common webmin+modules security issues?

Point is it might be something simple, but not as obvious as local malware. And they may not even have any real reason to believe it happened as "some guy on facebook" says.

Either way, it's better to assume they're not being conspiratorially quiet about it. Particularly since an announcement does nobody any good, except to stroke the ego of the submitter.

Re:Is it fixed? (4, Interesting)

Mattcelt (454751) | about a year and a half ago | (#43000515)

I had exactly the same issue as the OP this past week, but with a Fortune 1000 company whose business model revolves around collecting and selling information about people.

I contacted their information security department, and sent them the emails and headers at their request. I haven't heard from them since.

The problem is that not only did I get emails to an address that only that company has; my social security number was also in the emails. So whoever got the emails got much more personal information as well. It's clearly a case where the company should be disclosing that they had a breach. If they don't, I'm going public with what I've got.

These companies have a responsibility to the people whose information they hold.

Re:Is it fixed? (3, Informative)

CaptQuark (2706165) | about a year and a half ago | (#43000605)

One problem with publicly acknowledging the compromise is the bad guys realize they have been detected and stop connecting to the system. Our security team requires us to leave any compromised machine "as is" so they can monitor what the computer does, who it contacts, who connects to it, and how the infection is spread on the network. They will purposefully leave the machine running and letting the infection spread so they can gather the maximum information about it before they pull the systems for further forensic analysis. This is standard practice at many large companies, even if they don't tell everyone about it for obvious reasons. Just because they don't reply to you doesn't mean they aren't working 16-hour days trying to stop or catch the perpetrators. Even sending you a simple e-mail saying they are reviewing the situation might be enough to scare off the bad guys if they have compromised the email system farther than just harvesting contacts.

Re:Is it fixed? (3, Interesting)

Mattcelt (454751) | about a year and a half ago | (#43000701)

I spoke with one of their InfoSec guys on the phone. They have my phone number, and they know that I know that my personal information was compromised. There's no excuse for not keeping me apprised, at the very least.

Re:Is it fixed? (1)

CaptQuark (2706165) | about a year and a half ago | (#43000733)

If you are in contact with them by phone, then I agree they should at least tell you what the status is.

Re:Is it fixed? (3, Funny)

Anonymous Coward | about a year and a half ago | (#43000635)

"And they may not even have any real reason to believe it happened as "some guy on facebook" says."

Nobody reads the facebook page in the company besides the marketing slime who have no clue.
And perhaps their astroturfers who post loving reviews of their product.
That's about it.

Re:Is it fixed? (4, Interesting)

Zaelath (2588189) | about a year and a half ago | (#43000373)

I'd bet my left nut "a well-known provider of tools for the Systems Administration community" is Atlassian, and they claim there's no issue.

Re:Is it fixed? (1)

Z00L00K (682162) | about a year and a half ago | (#43000457)

Looking into the headers of the mails would provide enough information to reveal if the infected mails originate from the company or from another source.

Changing your mail address to another for the company may be another way around it.
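One way to run the header check suggested above, as an added example that is not part of the original comment: walk the Received chain from the top, trust only stamps added by your own servers, and compare the first outside IP with the vendor's known sending range. The message, host names and address ranges are constructed; the vendor range is assumed to be known from earlier legitimate mail or the vendor's SPF record.

```python
import ipaddress
import re
from email import message_from_string

# Postfix-style stamp: "from HELO (rdns [IP]) by host ..."
FROM_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f:.]+)\]\)")

# Constructed sample. The lowest Received line was supplied by the sender and
# claims a vendor host; only the lines stamped by our own servers are reliable.
SPOOFED = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by store.example.org (Postfix) with ESMTP id 4A1; Mon, 25 Feb 2013 10:00:03 +0000
Received: from mail.toolvendor.example (unknown [198.51.100.77])
    by mx1.example.org (Postfix) with ESMTP id 9C2; Mon, 25 Feb 2013 10:00:01 +0000
Received: from app.toolvendor.example (app.toolvendor.example [203.0.113.5])
    by mail.toolvendor.example (Postfix) with ESMTP id 77F; Mon, 25 Feb 2013 09:59:00 +0000
From: "Tool Vendor" <news@toolvendor.example>
To: k3v9-toolvendor@example.org
Subject: Your invoice

(body omitted)
"""

# Same message, but handed to our MX from inside the vendor's range.
GENUINE = SPOOFED.replace("unknown [198.51.100.77]",
                          "mail.toolvendor.example [203.0.113.25]")

OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]       # assumption: our servers
VENDOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: vendor's senders


def boundary_hop(raw_message, our_nets):
    """Return (helo, ip) of the first host outside our network that handed
    the message to one of our servers, or None if that cannot be determined.

    Headers are read top-down. A stamp is trusted only while every stamp
    above it shows a connection from our own address space, so nothing
    written by the sending side is ever consulted.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = " ".join(value.split())          # undo header folding
        match = FROM_RE.search(hop)
        if match is None:
            return None                        # unparseable: stop, trust nothing below
        try:
            ip = ipaddress.ip_address(match.group(2))
        except ValueError:
            return None
        if not any(ip in net for net in our_nets):
            return match.group(1), str(ip)     # first outside connection
    return None                                # never left our network


def origin_verdict(raw_message, our_nets, vendor_nets):
    """Classify the message by where it actually entered our network."""
    hop = boundary_hop(raw_message, our_nets)
    if hop is None:
        return "unknown"
    ip = ipaddress.ip_address(hop[1])
    if any(ip in net for net in vendor_nets):
        return "vendor-infrastructure"
    return "third-party"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, boundary_hop(raw, OUR_NETS),
              origin_verdict(raw, OUR_NETS, VENDOR_NETS))
```

A "third-party" verdict on a site-unique address means the address escaped the vendor but the mail did not come through the vendor's servers; "vendor-infrastructure" points at the vendor's own systems sending it.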

Re:Is it fixed? (5, Insightful)

Frojack123 (2606639) | about a year and a half ago | (#43000483)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it. Or were you expecting them to track down the virus senders and delete the lists from those servers?

I agree, once it's out, they are as powerless as the target is.

As for his question:

What would you recommend as my next course of action?"

1) Kill the email account, such that all mail bounces.
2) Create a new subscription account.
3) Realize that you are on the internet, where not everybody plays by your rules. Install spam and virus filters, and get on with your life. You've done all that you can to help the clueless operators. It's not worth any more of your time or anguish.

Re: Is it fixed? (1)

dropadrop (1057046) | about a year and a half ago | (#43000497)

They should at least respond, better yet warn the users.

I'm on my third or fourth linkedin email despite having it non-visible. They never responded to any messages.

Re:Is it fixed? (0)

Anonymous Coward | about a year and a half ago | (#43000727)

Maybe they did fix the issue, but it's difficult to take away the compromised list once someone else has it.

Was in a similar position to OP once, an 'internal' non-public email address started getting all sorts of junk/virus laden email so there was an obvious leak. I tracked it down to a rather 'naïve' search function in a cgi script written by a.n.other unit of the organisation which helpfully dumped out the whole email database if you used '@' as the search term. (It was 'policy' that all active email addresses be in this list, test or otherwise).
I duly informed both my immediate superior, and the wonks in charge of said script. Several months later, the issue was fixed.

Or were you expecting them to track down the virus senders and delete the lists from those servers?

No, but confirmation that an.address@somewhere is now 'compromised' allows user of said address to both register with an.other.address@somewhere and treat all further mail to address@somewhere as suspect, to be marked as such, and dealt with by whatever filtering mechanisms they employ on their MTA.

Geeks rarely rule the roost (2, Interesting)

Anonymous Coward | about a year and a half ago | (#42999981)

In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.

Re:Geeks rarely rule the roost (1)

JWSmythe (446288) | about a year and a half ago | (#43000043)

^ ^ ^ ^ This too. It's a sysadmin list, so I'd hope they understand the problem, but there are plenty of PHB that get in the way.

Re:Geeks rarely rule the roost (4, Funny)

arth1 (260657) | about a year and a half ago | (#43000059)

I just wonder what kind of System Administration list has a facebook page. The mind boggles.

Re:Geeks rarely rule the roost (2, Funny)

Gothmolly (148874) | about a year and a half ago | (#43000187)

One of these things is not like the other.

Re:Geeks rarely rule the roost (-1, Flamebait)

Frosty Piss (770223) | about a year and a half ago | (#43000189)

Dude. Windows Server... Says it all.

Re:Geeks rarely rule the roost (1)

Z00L00K (682162) | about a year and a half ago | (#43000479)

And Facebook is the primary channel today of spreading malware. Social engineering combined with trojans are quite effective.

Re:Geeks rarely rule the roost (0)

Anonymous Coward | about a year and a half ago | (#43000577)

In my experience when situations like this arise and no action is being taken leadership either doesn't understand the problem or doesn't think it important.

Having worked in online marketing, the "nobody cares" aspect is very true, despite my best efforts.

If you've submitted an email address anywhere, it will be sitting in a CSV file on a company-readable fileshare. The janitor or temp secretary or anyone could sell it to spammers and there's really no protocol or procedure stopping them.

Write threatening letters (5, Interesting)

nemesisrocks (1464705) | about a year and a half ago | (#42999989)

I'm in a similar situation: I create a unique email address for each company I deal with, and each website I register on.

The only solution I've found to be the most effective is sending these companies threatening letters. Quote them sections from their own privacy policy; usually there will be a clause about circumstances under which they will share your subscriber information. Tell them they've breached their own privacy policy, and whatever federal privacy legislation your country has in place. While you're at it, file a complaint with your country's Privacy Commissioner, or whatever the equivalent is.

Perhaps we need some sort of "name and shame" website for companies whose subscriber lists have been either breached or sold (e.g. Dell)

Re:Write threatening letters (4, Interesting)

robbo (4388) | about a year and a half ago | (#43000295)

+1. You have no reason to expect an acknowledgement if you just pass it 'up the food chain'. Put it in clear legalese and look forward to a reply from their lawyer. Most likely someone on the inside sold the list for chump change.

btw did you consider that maybe it's you that's compromised? 8-)

Re:Write threatening letters (2)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43000619)

btw did you consider that maybe it's you that's compromised? 8-)

If he were, then he would get the same viruspam sent to many, if not all, of his email addresses instead of just one.

Re:Write threatening letters (2)

Frojack123 (2606639) | about a year and a half ago | (#43000513)

The only solution I've found to be the most effective is sending these companies threatening letters.

It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

Make sure you are outside of your pristine glass house before you start throwing stones.

Re:Write threatening letters (4, Insightful)

erice (13380) | about a year and a half ago | (#43000595)

The only solution I've found to be the most effective is sending these companies threatening letters.

It could just as likely be YOUR site that was compromised, and they found the address in something they sent to you, or some key logger in a coffee shop where you logged on.

Make sure you are outside of your pristine glass house before you start throwing stones.

This is incredibly easy to check. If it was local compromise, all addresses would be compromised, not just the one assigned to a particular company. Spam and viruses should be pouring in to many many addresses. If it was just a single address assigned to a single company then you can be pretty sure that it was their system compromised and not yours.
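The check this comment describes, as an added example that is not part of the original thread: given the site-unique aliases you have handed out and the recipients of messages your filter flagged, it separates a leak at one site from a local compromise, and treats guessable local parts as inconclusive (the point raised elsewhere in the thread about commonname@ addresses). All addresses, site names and the 50% threshold are constructed assumptions.

```python
from collections import Counter

# Local parts that get tried blindly on any domain (constructed list).
GUESSABLE = {"admin", "contact", "info", "sales", "mike", "john", "bob"}

# Constructed registry: alias -> the one site it was ever given to.
ALIASES = {
    "broker@example.org": "broker",              # guessable: equals the site name
    "broker_81k2q9@example.org": "broker",       # random suffix, not guessable
    "k3v9-toolvendor@example.org": "toolvendor",
    "q7w2-bookshop@example.org": "bookshop",
    "z8m4-forum@example.org": "forum",
    "t5r1-airline@example.org": "airline",
}


def is_guessable(address, site):
    """True if the alias could have been hit without any leak."""
    local = address.split("@", 1)[0].lower()
    return local in GUESSABLE or local == site.lower()


def attribute_leak(aliases, flagged, local_threshold=0.5):
    """Decide what a set of flagged messages says about where addresses leaked.

    aliases: dict mapping each site-unique alias to its site
    flagged: recipient addresses of messages the mail filter marked malicious
    local_threshold: fraction of aliases hit above which the common factor
        is more likely your own mail store than any single site (assumption)
    """
    aliases = {a.lower(): s for a, s in aliases.items()}
    counts = Counter(r.lower() for r in flagged)
    hit = {a: n for a, n in counts.items() if a in aliases}
    # Recipients never handed out to anyone are dictionary-attack noise.
    noise = sum(n for a, n in counts.items() if a not in aliases)

    result = {"verdict": "no-evidence", "sites": [], "inconclusive": [],
              "noise": noise}
    if not hit:
        return result

    # Many unrelated aliases hit at once: the sites have nothing in common
    # except you, so look at your own server and clients first.
    if len(hit) >= 2 and len(hit) / len(aliases) >= local_threshold:
        result["verdict"] = "local-compromise-suspected"
        return result

    leaked = {aliases[a] for a in hit if not is_guessable(a, aliases[a])}
    unsure = {aliases[a] for a in hit if is_guessable(a, aliases[a])} - leaked
    result["sites"] = sorted(leaked)
    result["inconclusive"] = sorted(unsure)
    result["verdict"] = "site-leak" if leaked else "inconclusive"
    return result


if __name__ == "__main__":
    one_site = ["k3v9-toolvendor@example.org", "K3V9-toolvendor@example.org",
                "info@example.org", "admin@example.org"]
    print(attribute_leak(ALIASES, one_site))
    print(attribute_leak(ALIASES, ["broker@example.org"]))
    print(attribute_leak(ALIASES, list(ALIASES)[:4]))
```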

Or even just a polite letter, or phone call (2)

dbIII (701233) | about a year and a half ago | (#43000661)

It's likely that the informal communications channels just did not inform.

Re:Write threatening letters (0, Informative)

Anonymous Coward | about a year and a half ago | (#43000663)

"I create a unique email address for each company I deal with, and each website I register on."

Does nobody of you morons know of mailinator.com?

Why on earth would someone create a mailaddress just to register to a website when mailinator with their gazillion aliases exists?

Just give them mythrowawaylogin@mailinator.com as email address, read it _once_ to click the confirmation link and forget it.

Re:Write threatening letters (2)

nemesisrocks (1464705) | about a year and a half ago | (#43000681)

"I create a unique email address for each company I deal with, and each website I register on."

Why on earth would someone create a mailaddress just to register to a website when mailinator with their gazillion aliases exists?

$ mysql maildb -e "INSERT INTO aliases VALUES ('mythrowawaylogin@mydomain.com', 'mylogin')"

Ah, the joys of postfix+mysql and your own domain. Someone spams you, and you don't click the unsubscribe, you just drop the alias.

I even have an alias on my phone to do it for me when I'm out in meatspace.

Re:Write threatening letters (-1)

Anonymous Coward | about a year and a half ago | (#43000669)

whatever federal privacy legislation your country has in place

"Federal" does not mean "vaguely scary legal mumbo-jumbo". It means the layer of government above the semi-sovereign governments of the member states in a federal state. Not all countries are federations — only 29 out of the 206 countries listed on Wikipedia are federations — so the phrase "federal privacy legislation your country has in place" is meaningless in most contexts.

Re:Write threatening letters (2)

pepsikid (2226416) | about a year and a half ago | (#43000717)

I create unique email addresses too. I run a catch-all mailbox, so my scheme doesn't do much to prevent me getting spam. It tells me who has been compromised and I can be a good citizen and let them know. I give them one fair chance, and if they don't respond, or if they're retaliatory towards me, then feck 'em. Nobody ever gets my "real" email address. Most websites simply never respond to my information. If it's a blogger, they infrequently respond, but just to express doubt, and interrogate me about my unique email policy on the grounds that I'm violating some unwritten "real identity" rule of theirs. They can be real jerks to me, the friendly messenger. One major website swore they were secure but had been compromised once over a year before. Since my email naming convention is websitenameyeardate@mydomain, I could prove my email had been harvested much more recently. They still flat out said "didn't happen". Otherwise, almost none of my spam comes from "unique" addresses.

There is a small handful of once-valid addresses I used as a blogger and forum commenter which continue to get email after many years, even though my email server properly rejects them as unknown mailboxes. Strangely, most spam sent to me is constructed using common names like admin@ contact@ info@ and a short list of asian firstnames@ of all things. If a particular address gets enough activity, I will add it to my blacklist. Setting the server to reject connections from unregistered email servers actually blocks far more spam than complex rules could.

The most interesting episode was when I kept getting repeated attempts to relay an email to a particular address. I could see by that address, that the recipient was local to me and contacted him. He found his mailbox maxed out with these test emails from servers which -were- relaying. He'd registered at websites using that email address and used the same password everywhere, so when one website was eventually compromised, they tried his password on Road Runner, and had themselves a handy mailbox to dump email relay test results into.

Move On (5, Insightful)

mrtwice99 (1435899) | about a year and a half ago | (#42999993)

What would you recommend as my next course of action?

Nothing. Seriously. You tried, they didn't listen. Typical. Now find something more deserving of your attention to spend your time on. :)

Depends... (5, Insightful)

xlsior (524145) | about a year and a half ago | (#42999995)

- How unusual is the username portion on the email address? There have been a lot of spammers over the years that blast random emails to commonname@yourdomain.com. Mike, John, Bob, etc. are more likely to receive spam than sdvjsdvkj@domain.com

- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

Re:Depends... (5, Interesting)

ssfire (1416107) | about a year and a half ago | (#43000167)

Yup. When I set up an account with Ameritrade, I initially created an email address ameritrade@mydomain.com. Then I started getting spam on it. But the spammers might have guessed that email address. So I created a new non-guessable email address ameritrade_29478763@mydomain.com. But then I started getting spam on that. So I notified Ameritrade. No response, so I closed my account. A few months later, there was a news item that a trojan running on the Ameritrade servers had compromised 6.3 million email addresses.

Re:Depends... (2)

whoever57 (658626) | about a year and a half ago | (#43000211)

I (not the submittor) frequently use <myname>+<site name>@<mydomain>. It is quite clear that at least one site where I registered has let their subscriber list escape. But what is funny is that the scripts or programs that the spammers use frequently don't process the "+" addresses properly. So my mailserver rejects lots of emails that are sent to non-existent addresses in the form: <site name>@<my domain>.

Re:Depends... (1)

nabsltd (1313397) | about a year and a half ago | (#43000569)

I (not the submittor) frequently use <myname>+<site name>@<mydomain>.

One of the issues with this is that <myname>@<mydomain> will be delivered, too. And, if that's your "real" e-mail address, then it's now out there for spammers to hit.

If you instead use something that doesn't rely on special address parsing (like <myname><site name>@<mydomain> or <myname>@<site name>.<mydomain>), you can just ditch the e-mail address once it is compromised. There are a couple of companies that I had to do this to simply because their "you've done business with us, which we consider an opt-in" mailing list has no reasonable way to unsubscribe.

Re:Depends... (3, Insightful)

plover (150551) | about a year and a half ago | (#43000299)

- Is the email address in question visible to other people? e.g. registered forum members for the software in question? Sometimes people sign up for a forum just to be able to harvest the otherwise hidden addresses of other forum members

This is the first thing I thought of. I've seen small companies send out mass emails to blocks of people, sharing my name with the hundreds of other customers on the list. I've seen support postings with email addresses embedded as links behind the user names. Both of those are the faults of the companies that engaged in such behavior, but aren't quite the same as a "compromised" list.

Obviously, the author's intent was to leave himself in an anti-spam position, to be able to simply block the compromised address to stop further spam. I suggest he exercise that option and move on. He's notified them to the best of his ability. Further activity, such as trying to name-and-shame the company, could end up with their lawyers sending him cease-and-desist nastygrams. I'm not a lawyer so I can't tell him if those kinds of letters have legal merit, but if he has to hire a lawyer to get an answer to questions like that, it could cost him money.

Public Shaming (4, Interesting)

Jah-Wren Ryel (80510) | about a year and a half ago | (#42999997)

It's practically impossible to get anyone to acknowledge something like that. From their perspective they just think you are yet another ass who thinks they know more about the internet than they really do.

I don't even bother any more. I get spam/malware it goes into the block list and I don't do business with the company anymore. If you really care about it, make it public. If you have a blog make an entry about it and hope it shows up in google. Or post the info here, if it gets modded up google will probably index it.

Re:Public Shaming (0)

Anonymous Coward | about a year and a half ago | (#43000377)

Good to hear that you blacklist any company whose email address is copied by a spammer. It must cut down on a lot of your email.

Re:Public Shaming (1)

binarybum (468664) | about a year and a half ago | (#43000561)

I do the same thing with email and my domain name. I suspect that while sometimes the lists are being compromised, other times the companies are selling the lists to spammers for extra cash. I do address the companies when this occurs, and usually the response is something along the lines of ' you have no idea what you are talking about, spammers use random generators and word lists - your experience is likely purely coincidental' (I call total BS on this since you would clearly be receiving all kinds of spam from the exact same sources at other emails on the domain - btw, Xlsior must work in customer service for one of these companies =) Then I capitalize on the unique address and create a filter.
    Since you mentioned the idea of posting the info here, I'll get a grudge off my chest. One of the heaviest spam loads I received was years ago from J&R (jr.com). They didn't handle it well, and I still avoid orders with them despite their established reputation as a top electronics distributor. In fairness it was over 10 years ago, so I'm not suggesting this is still going on there, but simply to point out that blowing off customers trying to help point out some kind of abuse in your system leaves behind a very foul taste.

That is what I would do (3)

fredprado (2569351) | about a year and a half ago | (#42999999)

If you are hiring a security related service or any service that depends on security of information, cancel it and go somewhere else. They are obviously not worried about security and have proved that they are pretty much unreachable in case of any problem.

Either way, even if the service you are hiring is unimportant enough to allow you to live with this kind of practice, I advise you, regardless of how right you may be about their problems, to stop wasting your time trying to help those that are not interested in being helped.

What are you hoping for? (0)

Anonymous Coward | about a year and a half ago | (#43000019)

I have been in the same situation with websites compromising email addresses I used uniquely with them (once a site had it happen twice). When nowadays major companies get compromised with far more than just an email address and you get no notification why would you expect a mailing address to get more?

It's embarrassing, notifying people won't really do anything, and companies are under no obligation to do so. Until we have better regulation of what has to happen when personal information is compromised I won't be surprised to see it continue.

Shame (1)

Anonymous Coward | about a year and a half ago | (#43000033)

It's simple. Public Shame on likes like this and theregister.

why care? (1)

Anonymous Coward | about a year and a half ago | (#43000035)

I have to ask.....why do you care? It's not your problem. Just delete the email address and continue living your life as you normally would. You tried your best.

Re:why care? (1)

jones_supa (887896) | about a year and a half ago | (#43000743)

I have to ask.....why do you care? It's not your problem.

Maybe he's slightly control freak and would desperately want to get that problem fixed behind the scenes in their systems.

Re:why care? (1)

brian.stinar (1104135) | about a year and a half ago | (#43000759)

Exactly! Why would this person go to so much trouble to even find a "next course of action?" Having your own mail domain is pretty cool for this kind of thing, but why spend ANY time trying to ensure the integrity of a mail list for some other company? I think a generic letter to send out when this happens is probably the extent any good Samaritan should reasonably go to.

I would recommend the "next course of action" being to delete the email address that is part of a compromised list, make a new one for communicating with the company, and then don't worry about it anymore.

Compromised, all hope is lost... (1)

JWSmythe (446288) | about a year and a half ago | (#43000037)

If you've let them know, and they ignore it, there's nothing you can do. You can't make anyone do anything.

You could publicly shame them. That runs the risk of lawsuits, and possibly being pointed to as the intruder.

All you should really do is unsubscribe from the list, and block any email coming in to that account. Unsubscribing won't stop the viruses, as the intruder has almost definitely fed it to their botnet. It may only (hopefully) keep you from being compromised in the future. The question is, do they delete unsubscribed accounts, or just change the subscription flag(s)?

It's good that you chose to use a unique account. It won't harm you when you block it. Think of all the users who used their primary account.

Once You Eliminate The Impossible... (3, Interesting)

guttentag (313541) | about a year and a half ago | (#43000041)

Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.
-Arthur Conan Doyle

Have you considered the probability that perhaps they meant to send you a virus? What sort of tools are these? The system administration tools, I mean, not the people who can't properly administer their systems but expect to help you administer yours.

You're not helping, honestly (5, Insightful)

realmolo (574068) | about a year and a half ago | (#43000073)

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

That's why you haven't got a response. They know, but there's nothing they can do.

And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

Re:You're not helping, honestly (4, Insightful)

hawguy (1600213) | about a year and a half ago | (#43000099)

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers? Because that's essentially impossible. If they're not in the United States, it really *is* impossible.

That's why you haven't got a response. They know, but there's nothing they can do.

And frankly, if you had decent spam filters on your own personal domain, you probably wouldn't be seeing these emails anyway. I doubt anyone with a Gmail or Yahoo or Outlook.com address sees this stuff.

My suggestions? Quit worrying about it, and quit running your own mail server. You may think you know what you are doing, but you almost certainly don't.

Disclosing the data breach to everyone affected would be nice (and in some states is legally required), as well as letting customers know what data was breached.

Of course, this assumes that they actually know how the data leaked and which customers were affected and they probably don't.

Re:You're not helping, honestly (1)

Anonymous Coward | about a year and a half ago | (#43000281)

Not legally required if it doesn't have protected kinds of information like CC#'s. Legal requirements for just email addresses? That's psychotic.

Re:You're not helping, honestly (3, Insightful)

erice (13380) | about a year and a half ago | (#43000737)

Even if they know the list is "compromised", what are they supposed to do about it? It's already out there. Do you expect them to go after the spammers?

I expect them to plug the hole.

A compromised system is not a one-shot embarrassment. If you don't plug the hole, whoever compromised the system the first time will keep coming back for more data or will expand the breach to other systems.

1) If it is an external breach, I expect back doors to be closed, vulnerabilities patched, account passwords changed, etc. This won't likely happen overnight but simply knowing that there is a breach and what kind of data is stolen is a big help, provided the admins get their heads out of the sand and acknowledge that there is a problem.

2) If it is an unauthorized inside job, I expect the perpetrator to eventually be found and fired for cause with at least the possibility of criminal prosecution.

3) If it is an authorized inside job, I want the practice stopped permanently and I hope to see whoever approved the policy removed.

Unfortunately, all these require work and significant risk. The easiest "solution" is to deny there is a problem and, if necessary, blame the person reporting the issue. The vast majority of people, completely ignorant of how spammers harvest addresses and completely dependent on services like Google to filter out the bad and not lose too much of the good, are not the wiser.

Trash (1)

wirefall (309232) | about a year and a half ago | (#43000081)

I do the same thing, and have had the same response...for each instance, all future messages to that e-mail address go straight to trash. Problem solved.

Re:Trash (0)

Anonymous Coward | about a year and a half ago | (#43000301)

Auto-forward mail that comes to your compromised address to a support address at the company that compromised it. When they start getting a stream of infected messages from you maybe they'll deign to contact you and acknowledge that there's a problem.

Re:Trash (1)

jones_supa (887896) | about a year and a half ago | (#43000761)

Wouldn't that make you look a bit desperate?

Nothing (1)

masterz (143854) | about a year and a half ago | (#43000095)

Tell them once. That's as good as you can do. I've had my email address compromised from a well known financial institution. Of course the person I spoke to didn't know anything about it or why it was their fault. Two years later they publicly admitted they were hacked.
I find that a lot of leaked addresses are from failed companies, whose websites no longer exist.
There are many websites out there that are compromised. You would be quite surprised. I wish there was an easy way to post these so others could know.

Compromised, you sure? (4, Insightful)

dmomo (256005) | about a year and a half ago | (#43000101)

Or they knowingly sold your address.

sold! (0)

Anonymous Coward | about a year and a half ago | (#43000107)

It could just be that they sold your e-mail address but just don't want to admit it because it's in violation of the terms.

How can you be sure? (-1)

Anonymous Coward | about a year and a half ago | (#43000111)

Who is your email provider? Your email provider might have sold your email address.

What's your email address? You might have an easily guessed address.

Do you run your browser in something other than incognito mode? Google Chrome saves your Chrome user profile on their servers these days [google.com] to sync with your Google account (this is on by default and is enabled the moment you sign into any Google account). This profile includes things such as form entries for the purposes of auto-complete. If you want to see this in action log into any Google account (such as Gmail) on one computer then log into a third party site and select save password in Chrome when logging on. Now go onto a computer you've never used before. Log into your Google account there. Go to that third party site where you saved your password before. Notice how Chrome auto fills your login details on that computer you haven't touched before? Your Chrome profile and all the details with it aren't stored locally. Google has them.

Did you use a public network or a network where not all computers were trusted? Most online form data is sent plain text.

I'm sure there's a million other ways someone could have your email. So why are you so sure it was them?

May be less severe than a compromised list. (1)

Anonymous Coward | about a year and a half ago | (#43000115)

I used this technique for many years (since the 90s) and one thing I've come to realize when this happens is that it's more likely that the computer used by a customer service or sales person has been infected, and that somehow your address has made it from their ERP/CRM into Outlook or another program commonly scanned by viruses like this (maybe even just the web browser cache files). So it's probably not a compromised subscriber list, just a random compromised system that happened to have a few customer email addresses accessible to the virus.

But as others have said, good luck getting anyone to admit/notice/care. Even if you can, your address is already in the spam database and it'll stay there for years. I finally gave up on custom addresses last year and just rely on Google's spam filters (esp. after finding out how few sites support plus addressing so I could do it from gmail).

Use This Thunderbird Plugin (4, Informative)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43000121)

This does not directly address the question, but it is topical.

I do the same thing with my domain and it was always a hassle to make sure I filled in the correct From: address on each email I sent. Then I found the Virtual Identity Plugin [absorb.it] for Thunderbird.

It automagically remembers what From: address to use with what To: address. It also makes the From: line fully editable on the fly and remembers what you used for the next time. It makes it dead simple to make sure that you never accidentally leak one of your unique addresses to the wrong person/company.

Re:Use This Thunderbird Plugin (1)

arth1 (260657) | about a year and a half ago | (#43000317)

How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

Solutions that require a particular piece of software aren't. They're short-lived workarounds at best, and fetter you at worst.

Re:Use This Thunderbird Plugin (3, Insightful)

Jah-Wren Ryel (80510) | about a year and a half ago | (#43000571)

How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

You made your bed, now sleep in it.

Re:Use This Thunderbird Plugin (0)

Anonymous Coward | about a year and a half ago | (#43000579)

Right. You currently use several pieces of software to send mail, they are all just short-lived workarounds for paper mail!

Re:Use This Thunderbird Plugin (1)

nabsltd (1313397) | about a year and a half ago | (#43000621)

How does that work when you send e-mail from half a dozen different systems, including Outlook, pine, Android mail, sendmail, and in a pinch, even telnet to port 25 or openssl to port 465/587?

These are one-off addresses tied to each company and are used for preventing spam to a personal e-mail address, and most of them aren't ever used to send e-mail. The few times you need to, it's also usually not critical that the e-mail be answered right now (unlike a business e-mail), so you can wait a bit until you are at one of your machines with the correct software (because you aren't going to be doing this from random machines, ever, as it's still your personal e-mail).

If you are really desperate, though, you just run some remote access software to get to a machine with the right software.

They May Not Know (1)

jarich (733129) | about a year and a half ago | (#43000161)

It's possible the list was snagged by a disgruntled (or ex) employee who sold the list. The Powers That Be may not believe the list has been compromised. A few back channel comments and/or a FB isn't actionable proof.

I'd post to their support email line (I'm assuming they have one?) and provide the unique email address you used. Provide more detail than this post. Then if they still ignore, share it publicly as a public service to their other customers.

I had a friend that was in a similar situation. A company that handled their mass emails had an employee grab a ~ton~ of addresses when he quit. It took a few reports, but once they realized what had happened, they acted.

Course of action? (1)

OhANameWhatName (2688401) | about a year and a half ago | (#43000169)

What would you recommend as my next course of action?

Post the company's details to /. and hold your breath.

I would not worry too much about it. (0)

Anonymous Coward | about a year and a half ago | (#43000175)

They either have bad security or are selling their mailing list.
Just change the one you use and drop the old one.
I use an alias file on my domain. When the spam shows up, the link in the alias file is dropped and I give the outfit a new address.

I also remember being told that companies weed out their names from the list they sell.
That's why my email address at amazon is amazon@...

Another possibility (1)

DoofusOfDeath (636671) | about a year and a half ago | (#43000177)

Is it at all possible that you're the one who was cracked, and that's how the email address got into the wild?

Make website of domains vs virus count (0)

Anonymous Coward | about a year and a half ago | (#43000181)

I suggest that you avoid getting into an argument with any company, as it can end in tears.

However, you are certainly entitled to create a simple web page showing the main sites at which you are publicly registered, and for each one also the count of emails received that contain spam or viruses. Let the numbers speak for themselves. A nice column of zeros with the exception of one or two domains speaks volumes without requiring written criticism.

Publishing unbiased factual information of that sort keeps you on safe ground in nearly all situations. (But not all.)

Note that the email addresses you register must be unguessable, otherwise most of your arguments lose their strength, and the suggestion above would not work either.

good luck with that (1)

anyaristow (1448609) | about a year and a half ago | (#43000203)

I've been doing that for more than ten years and I've never gotten a satisfactory response. Somebody will give your carefully-crafted letter fifteen seconds of thought and send you a form letter about phishing or clicking on sketchy links or whatever. They don't understand the dedicated email thing, or that they have a problem. So, you gave your explanation to some geeks you think will "get it", but ultimately they'll have to tell some non-geeks about it, and they'll give it fifteen seconds of consideration and dismiss it.

I've found three online flower sellers, one music equipment manufacturer, a credit reporting agency and a well-known seller of language instruction materials, and a couple I don't remember, have been compromised. Not a lot for more than a decade, but some notable failures.

Too much bother (1)

no-body (127863) | about a year and a half ago | (#43000261)

No way you can win.
Same situation here with individual email addresses per recipient.

If it's SPAM - report to Spamcop. After 3 SPAM's change address of individual addressee or disable it if it's older than 3 years and not used since.

The interesting part with this game is to see how many users are putting plain email addresses in CC, so when one of the many gets compromised, everyone else on that header gets spammed.

Did you? (1)

ls671 (1122017) | about a year and a half ago | (#43000279)

Hi, I run my own mail domain too.

I would have re-audited my system and made really sure the leak did not come from a different attack vector before pinpointing them.

Did you parse the headers of the spam to get more clues?

Most companies won't spend time because another network administrator tells them they have something wrong. Rule one is always to prove your facts almost without a doubt otherwise they may not listen to you or take action.

Try creating another account from a clean install to see if same happens.

I always look at my own network first.

Custom email addresses (0)

kwerle (39371) | about a year and a half ago | (#43000287)

YourName+anything@gmail.com

I recommend you register that way at any domain if you have gmail.

Re:Custom email addresses (1)

cbhacking (979169) | about a year and a half ago | (#43000423)

Trivially easy to canonicalize that to YourName@gmail.com, and since that approach is so well-known, any competent spammer (not a self-contradiction, nice though it would be; there's a lot of money to be made) will be able to strip such "custom" addresses to the real address. If you want this approach to actually work, you need to blacklist the root address (yourname@) using filters (I'm assuming Gmail filters can handle that) and only accept mail that has the identifying tag.
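Added example, not part of the original thread: a sketch of the point made above (and of the earlier note that registered addresses must be unguessable), showing how a plus tag is stripped and how a keyed per-site tag on a personal domain leaves no root address to fall back to. The domain, secret, and function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed value; a real key stays private
DOMAIN = "example.org"                # hypothetical personal mail domain


def canonicalize_plus(addr: str) -> str:
    """What anyone holding a leaked list can do to a plus-tagged address."""
    local, _, domain = addr.rpartition("@")
    return local.split("+", 1)[0] + "@" + domain


def _tag(site: str, secret: bytes) -> str:
    """8-character tag derived from the site label with a keyed hash."""
    digest = hmac.new(secret, site.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:5]).decode().lower()   # 40 bits -> 8 chars


def make_alias(site: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Build the address to hand to one site, e.g. 'shop.<tag>@example.org'."""
    site = site.lower()
    if not site.isalnum():
        raise ValueError("site label must be alphanumeric")
    return f"{site}.{_tag(site, secret)}@{domain}"


def accept_recipient(addr: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Return the site label if the recipient carries a valid tag, else None.

    A bare 'site@domain' or a guessed tag is rejected, so stripping the tag
    never yields a deliverable address.
    """
    local, _, dom = addr.lower().rpartition("@")
    if dom != domain:
        return None
    site, sep, tag = local.rpartition(".")
    if not sep or not site:
        return None
    if hmac.compare_digest(tag.encode(), _tag(site, secret).encode()):
        return site
    return None


if __name__ == "__main__":
    print(canonicalize_plus("YourName+shop@gmail.com"))
    alias = make_alias("shop")
    print(alias, "->", accept_recipient(alias))
    print("shop@example.org ->", accept_recipient("shop@example.org"))
```

A valid tag arriving in spam identifies which site's copy of the address leaked; a missing or wrong tag means the sender was guessing.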

WHITE LIGHT + BEAST & telepathic woman - WARNI (-1)

Anonymous Coward | about a year and a half ago | (#43000341)

The darkness is nothing compared to Yahweh, and flees when you kneel and pray for protection from evil.

Remember, beyond all conspiracy site reading, to "SEEK YE FIRST THE KINGDOM OF GOD."

The cowardly beasts within the 'false light' are nothing and bring nothing to humanity compared to the power of YAHWEH.

This post may be the most important you ever read, for God to break the deadly spiritual 'snare'.

The weak who made the mistake of cooperation with the 'beasts' can still claim victory over them and clear their body from the evil by turning their lives over to YAHWEH.

Know God, know peace.

Judging by the frequency of the posts containing 'alien' like photos and illustrations are likely to know what this post is all about.

++ don't be fooled by telepathic conversations from beast(s) opposite your sex or the same sex if you're gay.

these are more evil entities which YAHWEH will protect you from.

Evil hates it when you read the book of PSALMS aloud. Praise YAHWEH through the Psalms, read the verses loudly and proudly!

beware the invisible telepathic strangers who make clicking noises and lie to you by saying they are improving your body as your body feels like some sort of energy is being manipulated. avoid any food given to you suddenly out of the blue by a possible 'friend' in meat space, especially if it coincides with these telepathic communications. these beasts seek to destroy.

Trust in Yahweh, Christ Jesus, Holy Spirit - the One with Power and Glory who loves you dearly.

Don't worship created fallen beings, worship the One True God.

Another possibility. (1)

Raven42rac (448205) | about a year and a half ago | (#43000343)

It could very well have just been guessed, the spammers' mail servers are more than likely more than capable of shotgun blasting millions of messages to $randomstring@domain.com in less time than you'd think, and if you change the replyto address, you don't even get the bouncebacks.

Re:Another possibility. (2)

seebs (15766) | about a year and a half ago | (#43000499)

People keep suggesting this, but time and again we find that the reason that highly specific tagged addresses are getting spammed is that someone leaked or compromised a list.

They didn't suffer a breach buddy ... (1)

GNUALMAFUERTE (697061) | about a year and a half ago | (#43000371)

The list was sold. Yes, it happens more often than you think. If the company itself didn't sell it, then somebody on the inside made an extra buck. That's why nobody will acknowledge your complaint.

here's one way. (1)

DragonTHC (208439) | about a year and a half ago | (#43000385)

simple, use the compromised list to email them telling them so.

Lots of corporate apologists on /. tonight. (0)

Anonymous Coward | about a year and a half ago | (#43000417)

I've been doing something like this too, only with the added twist of making it difficult for spammers to guess.

Where do you think spammers get their lists? (1)

WaffleMonster (969671) | about a year and a half ago | (#43000427)

First off if you are bothering to create separate email accounts for each site you know full well the risks of giving anyone your email address. How do you think spammers get everyone's email addresses? Tooth fairy?

Secondly jumping to conclusions is usually not prudent. "knew immediately that either their systems or their subscriber list had been compromised"

For all we know your system could be hacked and you just don't know it or you've got a directory server or vrfy enabled and the account was brute forced.

The site could well be selling or sharing their customer list with others who are compromised or who are reselling it to spammers. They could be sending emails to other mailboxes where the user is compromised.

Thinking you know what's up is bad enough.

Thinking they owe you some sort of "official response" is whacked.

A few thoughts (0)

Anonymous Coward | about a year and a half ago | (#43000463)

Make sure you are using email addresses that have a very high degree of uniqueness in the username portion. Spammers sometimes simply try the same username at different domains, try dictionary attacks, etc. The more obscure and unique the email address, the easier it will be for someone to accept that it was unlikely to have been hit those ways.

Enable logging and review the logs so that you can attest to having checked the logs for signs of a dictionary attack. Mention that you've done so or just include log snippets in your report. It corroborates headers in the full spam sample you'll be sending, communicates that you've already checked for and ruled out a dictionary attack, and demonstrates some professionalism.

Keep your client and server systems secure, carefully check them over any time you think an email address has been compromised, and briefly mention that you've done this in your reports. Hopefully, that will make the recipient(s) open their minds to the possibility that it was not a compromise on your end. Mention that the other unique email addresses you use weren't hit, which suggests that your aliases file and/or other email address databases weren't compromised on your side.

Search for others that have already publicly mentioned this happening to them. If you see such discussions, mention that you've seen this in your report. There are various ways/places an email address can be compromised and if you only have one imperfect datapoint you can't be sure of what happened. You need to determine if others have experienced the same thing. You want to get to the bottom of things so that you can address any unknown problems on your side and take any other actions you need to. You also want to assure that it is publicly discussed so that anyone else unknowingly affected can do the same thing. So make "going public, asking others if it happened to them, sharing information in an appropriate forum" part of your routine. I prefer to report it privately, give the other party a short amount of time to (hopefully) grab logs etc, then make sure it is being discussed in public. I think it is important to be careful and conservative with wording, particularly when discussing things publicly. There is no need to shout "THIS COMPANY HAS BEEN BREACHED!" when "I *think* this company or one of its subcontractors *might* have been breached..." will do.

When reporting things, try to find a good point of contact within the company. Front line customer service people may not escalate or forward the message appropriately. If you can identify a security or privacy contact, I'd use that. Keep copies of everything... evidence, outgoing messages, incoming messages, phone calls, etc.
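Added example, not part of the original thread: one way to do the log review suggested in the comment above, separating "my unique alias was hit directly" from "someone was spraying guessed local parts at my domain". The log format, addresses, and alias are constructed for this illustration and do not match any particular mail server's output.

```python
import re
from collections import defaultdict

# Constructed, simplified log format: timestamp, source IP, recipient, outcome.
LINE = re.compile(
    r"^(?P<ts>\S+) rcpt from=(?P<ip>\S+) to=<(?P<rcpt>[^>]+)> status=(?P<status>\S+)$"
)

ALIAS = "toolvendor.k3x9q2vb@example.org"   # constructed unique alias

SAMPLE_LOG = """\
2013-02-20T03:10:01 rcpt from=203.0.113.7 to=<admin@example.org> status=reject-unknown-user
2013-02-20T03:10:01 rcpt from=203.0.113.7 to=<info@example.org> status=reject-unknown-user
2013-02-20T03:10:02 rcpt from=203.0.113.7 to=<sales@example.org> status=reject-unknown-user
2013-02-20T03:10:02 rcpt from=203.0.113.7 to=<test@example.org> status=reject-unknown-user
2013-02-20T03:10:03 rcpt from=203.0.113.7 to=<webmaster@example.org> status=reject-unknown-user
2013-02-20T03:10:03 rcpt from=203.0.113.7 to=<john@example.org> status=reject-unknown-user
2013-02-22T11:42:17 rcpt from=198.51.100.23 to=<toolvendor.k3x9q2vb@example.org> status=accepted
2013-02-23T08:05:40 rcpt from=192.0.2.50 to=<toolvendor.k3x9q2vb@example.org> status=accepted
2013-02-24T19:31:09 rcpt from=198.51.100.23 to=<toolvendor.k3x9q2vb@example.org> status=accepted
"""


def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()


def assess_alias(lines, alias, guess_threshold=5):
    """Per source that reached the alias: deliveries and unknown-user guesses."""
    alias = alias.lower()
    rejected = defaultdict(set)   # ip -> distinct nonexistent recipients tried
    hits = defaultdict(int)       # ip -> accepted deliveries to the alias
    for ev in parse(lines):
        rcpt = ev["rcpt"].lower()
        if ev["status"] == "reject-unknown-user":
            rejected[ev["ip"]].add(rcpt)
        elif ev["status"] == "accepted" and rcpt == alias:
            hits[ev["ip"]] += 1
    report = {}
    for ip, count in hits.items():
        guesses = len(rejected.get(ip, ()))
        report[ip] = {
            "deliveries": count,
            "unknown_rcpt_guesses": guesses,
            "pattern": "dictionary" if guesses >= guess_threshold else "targeted",
        }
    return report


def verdict(report):
    """Summarise whether guessing can explain the mail sent to the alias."""
    if not report:
        return "no-deliveries"
    patterns = {entry["pattern"] for entry in report.values()}
    if patterns == {"targeted"}:
        return "consistent-with-leaked-list"
    if patterns == {"dictionary"}:
        return "explained-by-guessing"
    return "mixed"


if __name__ == "__main__":
    rep = assess_alias(SAMPLE_LOG.splitlines(), ALIAS)
    for ip, entry in sorted(rep.items()):
        print(ip, entry)
    print(verdict(rep))
```

The per-source counts are the kind of snippet the comment suggests attaching to a report: they show the guessing source never reached the alias, while the sources that did reach it tried nothing else.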

I don't think you do... (1)

seebs (15766) | about a year and a half ago | (#43000467)

I used to be a member of a professional society. I started getting spam to the unique, tagged, address I'd used to register with them. I pointed this out on a mailing list. I got threatening notes from them about how they didn't appreciate me implying that they had sold addresses or been compromised...

Blizzard ignored queries from me about the sudden appearance of spam (from their servers, even) to unique, tagged, addresses. A week after they blew me off, there was an announcement that they'd been compromised, so maybe they actually did investigate, but they sure never got back to me in any way.

So basically, I don't think you can convince them unless they start out caring.

Sleeping with the Enemy (0)

Anonymous Coward | about a year and a half ago | (#43000485)

Maybe you're talking to the people that actually compromised the list in the first place....

Happened with Star Trek Online (1)

Spikeles (972972) | about a year and a half ago | (#43000505)

Star Trek Online had this happen. I had an email address specific to that site and it got spammed. Heaps of other people [perfectworld.com] with similar site only email addresses mentioned the same thing on the forums. Don't know if they ever publicly admitted it.

Submitter has never filed a bug report. (1)

Rod Beauvex (832040) | about a year and a half ago | (#43000535)

Otherwise he would know that geeks don't make mistakes, and it's all your own stupidity.

Two possibilities: (0)

Anonymous Coward | about a year and a half ago | (#43000623)

1 The virus is the result of a shotgun email to your domain, and your address was found because it didn't bounce.
2 Your message was forwarded up the chain to the CIO who okayed selling the email list to all comers. Nothing has happened because this is part of doing business.

Maybe they did know already. (1)

Thanatiel (445743) | about a year and a half ago | (#43000625)

If the address you used for them is the only one that has got infected emails in a small time window ...

Maybe they are afraid of their reputation.
Maybe they are the one who sold the list.
Maybe they just don't care.

It does not really matter : they failed to protect their customers.

I also have used one email address made unique for each "service" contact for years.
I don't even bother to complain anymore when something fishy happens : I simply overwrite all the (mostly already wrong) information for the benefit of their database then delete/disable the account and delete the email address.
This also works wonders for "lesser" social contacts that may be ... unenlightened ... enough to forward a chain mail.

By the way, knowing the name of said provider would help your fellow geeks & nerds.

Are you sure it's compromised? (1)

zedrdave (1978512) | about a year and a half ago | (#43000641)

Had the same problem, except with very obnoxious scammy spams and the company in question was Bank of America (overnight, the dedicated address went from BofA only, to dozens of such spams).

My personal guess was that these morons must have sold their list to somebody (or cross-marketed, or whatever other stupid idea one of their coked-up marketing exec came up with) who in turn sold it and so on, all the way to the darker recesses of the internets. A chain is only as weak as its weakest leak, so once they decide to sell the data, you can be certain it will end up everywhere.

You don't always have to make new addresses (1)

grilled-cheese (889107) | about a year and a half ago | (#43000647)

Some mail hosts & websites support using +notation in email addresses (i.e. gmail & google apps). So rather than generating new email addresses for everything, I do something like myemail+webpage@mydomain.com. When you look at who the email was sent to it should repeat this same pattern.

Anonymously name and shame (0)

Anonymous Coward | about a year and a half ago | (#43000725)

Publish the name of the company. State your case, what you did, what they didn't. Name and shame. Tell your inside friends to feign stupidity (lest they get fired/sued) or worse, leave a trail back to you and you get sued/your door kicked down/computers seized, you fingerprinted, strip search, declared a terrorist, federal prison, bubba who gets lonely at night and likes how you squeak like a girl, etc.
