Surprising Spam

Have you ever wondered how a SPAM sender got your email address?

For the past 15 years, I’ve used a different email address every time I filled out a webform . This way, whenever I get a SPAM I can look at the address the SPAM was sent to and know how the sender found out about me.

It is interesting to see where the leaks come up. Here is a short list of some of the people who (willingly or unwillingly) ratted me out to spammers….

2BRIGHTSPARKS.COM (added 4/11/2018)
AUDIOGO.COM (added 5/6/2015)
BARCODE-US.COM (11/28/2018)
BMWMOA.ORG (added 4/11/2018)
E-COUNTERS.COM (1/9/2014)
FOSCAM.US (added 4/28/2015)
FRIENDSTER.COM (added 6/23/2014)
HELLODIRECT.COM (added 3/4/2019)
INFOQ.COM (3/1/2016)
LEXUSOFENGLEWOOD.COM (added 4/25/2014)
MYSPACE.COM (3/19/2016)
SHAPESHOT.COM (12/27/2015)
SIMPLE.COM (3/8/2016)
SMITHMICRO.COM (added 4/9/2014)
SUPERMAGNETMAN.NET (added 2/2/2015)
WSJ.COM (added 2/8/2014)

If you’ve ever given your email address to any of these websites, then it is likely that you can thank them for some of the spams you now get every day. I am talking about hardcore SPAM like offers for Viagra, porn, or African money transfers and not just unwanted emails that might be semi-related to the website that you originally gave your address to.

Some of these sites might intentionally sell or give their email lists to SPAMers, but I suspect that many had their lists hacked or got a virus on a machine that has access to their list. Either way, it makes it hard to trust the company that let it happen.

I typically kill a compromised address as soon as it starts getting spam, but sometimes I want to keep getting the real emails from the original website so I’ll go in and update my account with a brand new, unique email address. Sadly, I often soon start getting spams on the new email address, indicating that the leak was not a one-time event.

BTW, I also use a unique hash for the return address on every email I send out. This lets me know instantly whenever anyone I know gets a virus, uploads their contacts to a website that then sends out splash emails, or falls for a Facebook/GMAIL phishing scam. It happens way too often.


    • bigjosh2

      Yep. I think LifeLock leaked email addresses during the class action suit in 2010. The settlement was on 4/30/2010 and the first spam was on 6/30/2010.

      They probably gave a list of all their customers to a law firm and someone at there had a virus or sold the list.

  1. Josh

    >>BTW, I also use a unique hash for the return address on every email I send out.

    How do you do this thing?

    • bigjosh2

      Right now it is a combination of some code on running on my local machine and some scripts of the email server, but it would easily be made into a general purpose product where you would just set your outbound SMTP server to point to my service and I do all the work for you. I should have made this decades ago. I can’t believe GMAIL has not done it yet!

  2. mia

    Holy shit…Dude, I thought I was the only one. I use Spamgourmet and I got spam 1-3 years ago with the very unique “simple” email address I created. The email contained a malicious javascript (.js) file attached. I called Simple telling them they were hacked and that the same thing has happened in the past with other companies (dropbox). They forwarded my email to their security dept who analyzed and confirmed it was malware but said the spammers might have “guessed” the email (sigh). They said they had no other reports. Your report sheds some serious spotlight back on their email database being hacked.

    The reason it’s just come up now is I got an obvious Dropbox phishing attempt and malicious PHP redirect from my simple address. I google hacked and found your post.

    • bigjosh2

      I’ve gotten the same response from companies when I’ve tried to tell them that they’ve had a breach – and my addresses are extremely unlikely to have been “guessed”. If I was CEO of a company, I’d set up a bunch of gmail addresses and secretly use them to sign up for stuff with my own company. If I ever got a spam or unexpected email on one of those addresses, send to my security people and tell them someone reported a breach on that address. If they said, “Oh that’s just a crackpot reporting that, we have no breach” then I’d fire those security people.

    • bigjosh2

      Looks like we’ve been basically using the strategy, and I also started back in 1996! :)

      Do you maintain a public list anywhere of all the people who ratted out your addresses? It would be interesting to see the overlap!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.