Internet and e-mail policy and practice
including Notes on Internet E-mail



30 Jan 2013

The incredible leakiness of commercial mailers (cont'd)

Last week I blogged about the way that lots of otherwise legitimate companies leak e-mail addresses to spammers. Here are a few more thoughts.

One person asked how I knew that these were leaks, and not dictionary attacks, since the addresses I use are fairly obvious: the name of an often well-known company @ my domain. It's a reasonable question, but the answer is simple: the spam comes to addresses I've given to the companies, not to addresses I haven't. There's a trickle of spam to truly made-up addresses, but they're easy to recognize.

Another perhaps surprising fact is that leaks tend to be small scale. For example, a friend noted that Aeroplan (Air Canada's spun-off frequent flyer program) had leaked his address, but they haven't leaked mine, even though we've both been members for over a decade. I've been trying to think of mechanisms that would lead to small leaks, and it's not pretty. Database security failures tend to be all or nothing, so although one can imagine a situation where the bad guys started downloading all of the email addresses and the connection failed, that doesn't explain multiple small leaks. But if I were a crooked employee at an ESP, spammers paid me for known good addresses, and I figured a level that would stay under the radar, well then, ...

It would be very interesting to track the ESPs used by firms whose lists have leaked. As far as I know, nobody's done that yet.
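The attribution logic the post relies on (spam to an address handed to exactly one company is a leak; spam to an address never handed out is a guess), plus the per-ESP grouping it suggests nobody has done, as an added example that is not the author's code. The registry, ESP names and spam recipient list are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed registry: one tagged address per company, as the post describes
# (the local part names the company). The "esp" field is a hypothetical
# record of which mailing service each company uses, for the tracking the
# post suggests.
ISSUED = {
    "aeroplan@example.org": {"company": "Aeroplan", "esp": "ESP-A"},
    "bigshop@example.org": {"company": "BigShop", "esp": "ESP-B"},
    "newsco@example.org": {"company": "NewsCo", "esp": "ESP-A"},
}

# Constructed sample: recipient addresses seen on inbound spam, one per line.
SPAM_RCPTS = """\
aeroplan@example.org
bigshop@example.org
john@example.org
info@example.org
AEROPLAN@example.org
sales@example.org
"""

def classify(rcpt, issued=ISSUED):
    """Return ('leak', company) if the spam hit an address we handed out,
    or ('guess', None) for an address we never gave to anyone (i.e. a
    dictionary-style guess rather than a leak)."""
    rec = issued.get(rcpt.strip().lower())
    if rec:
        return ("leak", rec["company"])
    return ("guess", None)

def attribute(spam_lines, issued=ISSUED):
    """Count spam per leaking company, count made-up-address guesses
    separately, and group the leaking companies by the ESP they use."""
    per_company = Counter()
    guesses = 0
    per_esp = defaultdict(set)
    for line in spam_lines.splitlines():
        addr = line.strip().lower()
        if not addr:
            continue
        kind, company = classify(addr, issued)
        if kind == "leak":
            per_company[company] += 1
            per_esp[issued[addr]["esp"]].add(company)
        else:
            guesses += 1
    return {"leaks": dict(per_company), "guesses": guesses,
            "by_esp": {esp: sorted(cos) for esp, cos in per_esp.items()}}
```

With the sample data, Aeroplan and BigShop show up as leakers while NewsCo (same ESP as Aeroplan) does not, which is exactly the small-scale, per-company pattern the post finds puzzling.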

posted at: 01:51



© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.