Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

20 Jan 2013

The incredible leakyness of commercial mailers Email

Acronis is a company that sells backup software. They have been around for over a decade, and have lots of big respectable customers. The Wall Street Journal is the nation's leading business newspaper. Equifax is one of the big three national credit bureaus. Shelfari is a book interest web site owned by Amazon. The Economist is a globally influential newsweekly. is a popular photosharing site for airplane enthusiasts. What do they have in common?

They all leaked my address to spammers, and none of them have ever accepted any responsibility.

For a long time, over a decade now, I've used tagged addresses whenever I buy something online or sign up for someone's list. If it's the foobly company, I use an address like

There's two reasons for that. The original one is to remind me when I get unexpected mail that it might be someone I signed up for a long time ago. For example, about ten years ago we got a subscription to the National Wildlife Federation's Ranger Rick, their magazine for young children. The formerly young child lost interest many years ago, but they still keep sending me pleas to renew. While this is annoying and stupid, it's not exactly spam. The other reason for tagged addresses is so I can trace when someone really does leak addresses to spammers. And boy, do they ever.

Every one of the six organizations above had a unique tagged address, and I am now getting spam to that unique address. When I say spam, I don't mean that, e.g., Shelfari gave it to some other part of Amazon. I mean 419s, fake drugs, money mule spam, the lowest and sleaziest of the low. Those six aren't the only ones to have leaked my address; they were just the ones I came across first looking through spam I got in the past few weeks.

I used to write and complain, but I don't bother any more because the response, if any, was invariably a combination of cluelessness and stonewalling along the lines of "you must have forgotten". Well, no, I didn't. The one exception was Orbitz, who got enough complaints from enough credible sources that to their credit, they did an internal investigation, although they didn't find anything, and as best we can guess it was one of the ESPs who handles their weekly newsletter.

There is a perception in some circles that everybody leaks. That's not true. There are plenty of other organizations who, so far at least, have kept their lists secure. The Economist has leaked my address, the Atlantic Monthly hasn't. The Journal has leaked my address, the New York Times hasn't. Shelfari has leaked my address, and Amazon itself haven't.

Needless to say, if a company is leaking mailing lists to spammers, it says bad things about their attitude both toward their customers and about the quality or lack thereof of their internal processes.

posted at: 01:04 :: permanent link to this entry :: 8 comments
posted at: 01:04 ::
permanent link to this entry :: 8 comments

comments...        (Jump to the end to add your own comment)

Possible explanation?
Not to excuse leakers or spammers, but I have heard that some spammers create addresses by combining every username with every domain name from their files. Might this have happened -- that is, might they have created the addresses that you used?

(by Margy Levine Young 20 Jan 2013 08:58)

they leaked
Dictionary attacks certainly happen, but in these cases I'm sure they leaked. I don't see much spam to made up addresses that look like leaked ones.

(by John L 20 Jan 2013 11:59)

I can add Filemaker and British law firm Pinsent Masons 'Outlaw' newsletter to this list of 'leaked, never acknowledged nor apologized'.

Also, Maytag Canada, Air Canada's AEROPLAN, and now-defunct site Security Search

(by Neil Schwartzman 21 Jan 2013 09:40)

Acronis' leak explained
Acronis' leak was explained in July 2012 via an email sent out by Acronis. Apparently, they either lost a 'spreadsheet' or their Knowledge Base site began giving out more data to indexing sites than it should have. The article below describes both scenarios. The gist of it is that Acronis lost email addresses at that time. For how long this has been going on, only Acronis knows.



Not that this lets Acronis off the hook for this problem, but it does show that email addresses had been leaked and also that Acronis acknowledged the leak. Have other leaks occurred? Who knows? That Acronis was slow to respond to the threat, that's also of concern. No idea if your email address was among those leaked.

(by Brian Wright 23 Jan 2013 01:51)

Not that Acronis leak
Acronis leaked my address no later than 2009, probably more like 2007. Looks like they're a serial leaker.

(by John L 23 Jan 2013 10:10)

thanks for piping up about this …

me too — i've been uniquely coding most of my sign-up email addresses for over a decade, and there is a litany of leakers, including the Denver Public Library, AT&T Wireless, Intuit,, Northwest Airlines, Java Developer Connection, Club Mac and Federal Express (among others)

i have had the same experience trying to bring attention to the leaks: usually silent, incredulous or blaming the victim, rarely understanding how i could have given a unique email address

(i get some dictionary attacks too, but they are easy to distinguish)

(by steve 23 Jan 2013 14:41)

Marketing Director
It is a known fact that most security issues/leaks come from inside the enterprise, disgruntled employees or those who have moved to other companies. More than 50% of companies do not have a secure email/archiving policy, so perhaps that can explain some of your issues. Not to mention business continuity plans!

(by Gill Borniche 24 Jan 2013 13:32)

Your opinion on local trojans
In the past it has been my experience that the majority of outsourced messaging systems will 'cross streams' of email lists as some point. A laptop will be lost or the wrong email list is set up for the ETL process. On 3 occasions however we have had a great interest in how something like this happens and with the help of the customers in question, were able to confirm or deny the presense of a trojan gathering email addresses.

I absolutely think that an on-premise messaging solution is the best way to manage email lists (though not human-proof), I do wonder about the general security of the customer's computer and it's own feeding of data back to a spammer. Excellent topic and one that should not be forgotten.

(by JR 18 Mar 2013 10:01)

Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

Email: you@wherever (required, for confirmation)
Title: (optional)
Show my Email address
Save my Name and Email for next time


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

It turns out you don’t need a license to hunt for spam.
62 days ago

A keen grasp of the obvious
Italian Apple Cake
620 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.