Over the last two decades, I have used my own domain names with catch-all email accounts. The obvious way to track a given address was to include the company name or website address (or part of it). For example, at ebay.com I would register as ‘ebay@example.com’ (I being the owner of example.com).
I took that as a habit, and it was somewhat interesting to see what unrelated e-mails I got for every address. I advise everyone who has some technical knowledge to use a catch-all mailbox, or a poor man’s version that helps to distinguish the sender, like using + on gmail (even though that can be easily filtered out, most spammers wouldn’t care to).
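The per-website alias trick above only pays off if you actually notice when an alias starts receiving mail from someone it was never given to. The script below is an added example, not code from the original post: it extracts the tag from both alias styles mentioned (a catch-all address such as ‘tradeking.com@example.com’ and a gmail-style subaddress such as ‘alice+ebay@gmail.com’), compares it with the sender’s domain, and reports aliases that got mail from unrelated domains. The log format (`from=<…> to=<…>`), the catch-all domain example.com and the sample log lines are all assumptions constructed for the example; the sender-matching rule is a deliberately simple heuristic.

```python
"""Flag per-website e-mail aliases that start receiving mail from unrelated senders.

Assumptions (not from the original post): each log line looks like
"from=<sender> to=<recipient>", the catch-all domain is example.com, and a tag
such as "tradeking.com" was only ever handed to tradeking.com itself.
"""
import re
from collections import defaultdict
from email.utils import parseaddr
from typing import Dict, List, Optional

CATCHALL_DOMAIN = "example.com"  # assumed: the writer's own catch-all domain
LOG_RE = re.compile(r"from=<([^>]*)> to=<([^>]*)>")


def alias_tag(recipient: str) -> Optional[str]:
    """Extract the per-website tag from a recipient address.

    catch-all style:  tradeking.com@example.com  -> "tradeking.com"
    subaddress style: alice+ebay@gmail.com       -> "ebay"
    Returns None when the address carries no tag.
    """
    _, addr = parseaddr(recipient)
    addr = addr.lower()
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    if domain == CATCHALL_DOMAIN:
        return local            # whole local part is the tag
    if "+" in local:
        return local.split("+", 1)[1]   # text after the plus sign
    return None


def sender_domain(sender: str) -> str:
    """Domain part of a sender address, lower-cased ("" if malformed)."""
    _, addr = parseaddr(sender)
    addr = addr.lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def sender_matches_tag(tag: str, sender: str) -> bool:
    """Heuristic: the tag's first label ("tradeking" from "tradeking.com")
    must appear as one of the labels of the sender's domain, so mail from
    marketing.ebay.com is accepted for the "ebay" alias."""
    base = tag.split(".")[0]
    return base != "" and base in sender_domain(sender).split(".")


def find_leaks(log_lines: List[str]) -> Dict[str, List[str]]:
    """Return {tag: sorted unrelated sender domains} for every tagged alias
    that received mail from a domain the tag was never given to."""
    leaks = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a delivery line
        sender, recipient = m.groups()
        tag = alias_tag(recipient)
        if tag is None or sender_matches_tag(tag, sender):
            continue                      # untagged, or the expected sender
        leaks[tag].add(sender_domain(sender))
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample log (not real traffic): the tradeking.com alias receives
# mail from two unrelated domains, the ebay alias only from ebay itself.
SAMPLE_LOG = [
    "from=<service@tradeking.com> to=<tradeking.com@example.com>",
    "from=<promo@bulk-offers.invalid> to=<tradeking.com@example.com>",
    "from=<deals@cheap-pills.invalid> to=<tradeking.com@example.com>",
    "from=<no-reply@marketing.ebay.com> to=<ebay@example.com>",
    "from=<news@newsletter.invalid> to=<alice+flurry@gmail.com>",
    "from=<friend@somewhere.invalid> to=<alice@gmail.com>",  # untagged, ignored
]

if __name__ == "__main__":
    for tag, domains in find_leaks(SAMPLE_LOG).items():
        print(f"alias '{tag}' got mail from unrelated senders: {', '.join(domains)}")
```

The matching rule is intentionally loose (a label match anywhere in the sender domain) so that legitimate mail from a company’s sub-domains or mailing providers that carry its name is not flagged; the price is that a generic tag like ‘mail’ would be noisy, and that a spammer who knows the convention could spoof a matching domain. The output is a list of candidates to look at, not proof of a leak.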
Now, the reasons I can think of for receiving third-party spam at those ‘per-website’ addresses are:
- The company sold the email address.
- Somebody in the company ‘lost’ it. For example, by sending an email to multiple addresses (and not using bcc) including the affected one.
- Someone from the company illegally retrieved and sold them.
- An outsider illegally stole it (i.e. hacking).
- The information is somehow available and retrievable. For example, shown in the company’s website and webscraped.
- The system makes your email available to another user (on interaction) without warning you.
All of them involve serious security or design problems, or some kind of illegality.
Now, obviously I wouldn’t really expect sleazy companies like Avid Life Media not to profit from selling email addresses. Receiving spam at the addresses given to websites or companies that have always been exploiting the lack of enforcement of privacy or anti-fraud laws was no surprise.
I’ve had a few of them that were quite high-profile cases. Companies that were supposed to really care about customers’ privacy:
One of the big ones was vueling.com, an airline company from Spain. I started receiving such a massive quantity of spam at that address that I had to manually block it. That was ten years ago, but I was greatly disappointed with that company. What could I do though? Where would I report that? Really, nobody would do anything.
Well, the list kept growing over the next years. But it wasn’t too bad. Most of the relatively surprising leaked addresses were from places like flurry.com. Whatever.
But the last one today was the one motivating me to write this post: TradeKing. Being so clearly related to money and financial operations, it is somewhat scary to realize that (willingly or not) they leak e-mails. And I think they’d be better off investigating what happened. I have contacted them about it, but I don’t really expect them to do anything (unless it becomes an issue for them).
The spam that I received on that ‘tradeking.com@’ account doesn’t make me think that the spammers have any other personal information, not even my name. But how did they get the e-mail in the first place when only TradeKing should have it? I think it may be time to close the account there.