SPAM to an address I've only given to the DEVON company

Looks like you’ve either sold my email address or have an internal leak. I give a different email address to every company I deal with to help find the source of leaks. This has happened with only two companies over the last 10 years of me using this strategy.

This is a serious issue. How would you like to proceed? I see in your privacy policy that if you were going to give my email address out you would have provided me the opportunity to “opt out”. I never had such an opportunity.

I can provide a copy of the email received and the email address used.

The DEVONtechnologies privacy policy is definite. We will never sell email addresses, nor “leak” them.

Spammers are a plague to everyone and we detest them. Some of them go to great lengths to add ‘live’ email addresses to their databases, and sell addresses to others. Some use algorithms to generate possible email addresses and send out large numbers of messages to potential addresses in hopes of getting some response, which indicates a real address. One of their tricks is to send out messages that have an invisible graphic included. If the recipient has their email application set to download images automatically, the spammer has confirmed that this is a ‘live’ address.

There have been cases of spammers illegally gaining access to ISP servers to harvest messages for email addresses. Some of them routinely scan through forum messages and similar public postings to harvest email addresses.

I’m quite certain that DEVONtechnologies was not responsible for your receipt of a spam message. But you should be aware that anything you do on the Internet may reside, for a short term or indefinitely, on multiple servers. In short, there is no such thing as absolute privacy or security on the Internet, for good or ill.

Personally, I’m not paranoid about that. I’ve got one old email account that is more than 20 years old, that contains about 99% spam messages. That address was published in books and journals, and was quickly picked up by spammers. I keep it active because once in a while I get a legitimate message related to international environmental science exchanges in which I participated, so that it still has value to me. The ISP for that account provides a spam filter, but it was overloaded years ago, and the spam pours in.

I use my main email address, however, for all purposes and don’t have a significant spam problem even though it has been in use for 12 years. I have automatic download of images switched off. I never publish it in print or online. I don’t use a spam filter on that account, and don’t need one.

I’ve made many purchases via the Internet over the years, using credit cards. I limit such transactions to “trusted” merchants. Not once have I been charged for a purchase I didn’t make. I monitor my accounts, and I pay a small insurance premium to take care of possible problems. On more than one occasion, however, I’ve had spurious charges resulting from ‘face to face’ credit card transactions at a restaurant or department store. Those charges were reversed.

Thanks for the reply. I appreciate the sentiments and general thoughts.

I’ve also received a quick email reply from another employee. I’m impressed by the quick response. I’d like to keep digging a bit further.

So far the suggestion has been that my email address has been scraped from this forum site. Any idea how that is possible? I’d like to prevent that. I have allowed emails to be sent to me from this sight but I don’t see my email address exposed. It is not even exposed when I cc the sender of the email.

Am I missing something? I’m sure in the end I’ll feel like an idiot. Though it seems the default settings should protect idiots rather than expose their email addresses.

Sorry…

Is the feedback section on the forum being monitored by employees or only users? If this is only a user forum I apologize for the noise. I can take the conversation to a different channel if that is the case.

What a coincidence your message was at the top of the active topics listing to easily catch my attention …

Be prepared for it to possibly happen with more of your supposedly “private” address. In just the past week maybe 3-4 unrelated addresses, each given to only one trusted recipient, have unexpected started being spam victims; this misusage is easily spotted in daily logs from my trusted mail service provider. Previously it’s been a rare occurrence so I suspect there’s a new type of vulnerability recently being exploited by spammers. Since the unwanted messages are rejected by the mail provider it’s mostly a low-level nuisance, though disturbing that it’s happening without knowing the specific cause/reason (yet, if ever) and being left to speculate, e.g.:

My hunch is that a “significant enough” number of ISP servers are currently unprotected from a new type of attack. If true, maybe I’ll notice something about security-related news fairly soon but I’m not actively seeking it. Most I feel I can do is notify the admins of sites with my compromised addresses to make sure they’re aware of the issue. And eventually change those addresses, which I could do soon to see if they’ll also become compromised or hold off to give enough time for the cause to hopefully be fixed.

With one address “leak” a few years ago my hunch was that traffic sniffing was involved, randomly plucking the address a relatively brief window of opportunity.

I use the internet with the assumption that all unencrypted traffic (at least!) is fair game to anyone who wants it enough; all intended privacy risks being compromised.

I’ve struggled to think of any other service/system (virtual or physical) that could successfully survive with the amount of misuse and abuse that email gets. None of us would risk driving if we knew we’d be involved in an accident every 8-9 out of ten times on the road. I suppose you could say the internet as a whole manages to survive and even thrive in spite of the ongoing stream of nefarious traffic that pollutes it. But obviously that doesn’t mean it’s a healthy way for it to be operating.

Both are able and welcome to read anything here. To say it’s “monitored” is a bit inaccurate; there’s no guarantee every post will be read, and plenty will never get responses even if they are.

Please don’t; I appreciate it being a public discussion up to now.

I’ve had the same – very public – email address, since roughly the dawn of time (well, since @ signs started being used for routing instead of !bang!paths). Unfiltered, I’d get an average of 50-70K pieces of junk mail, every 24 hours.

I guess I could just change my email address, and I have a few that are less-published, but at the end of the day, I’m just at: f**k 'em, I’m not gonna move email because hordes of idiots send spam.

“Tracking” the origins of spam, or complaining about it, is ultimately kinda pointless. It accomplishes nothing except wasting hours of your time and putting you in a bad mood. It’s not like anybody is ever gonna find anything, 'cept zombie Windoze boxes, or some botnet in Korea or China.

We have a load-balanced firewall of OpenBSD servers that do nothing but deflect or destroy 99% of all the crap aimed at our domains. It utilizes white-listing, black-listing, grey-listing, tarpitting, everything + the kitchen sync. It works really well. I get maybe 5-10 pieces of junk mail a day, which Mail.app’s mail filter deals with.

On a really bad day, I see perhaps 1 piece of spam.

A very cheap, do-it-yourself method of cleaning up your email, without controlling your own domain or servers, is: just run everything through gmail. While Google can and will, save every bit of information it possibly can about you, if you don’t care about that aspect, they do a surprisingly good job of killing probably 98% of all spam, while letting the material you want get through. Google requires: no knowledge on your part, no complex-interlocking open source *nix software to compile + configure, no hardware, no … nothing actually, except giving away all the information contained within your email to Google in perpetuity, because they love you, lots and lots, forever n’ ever.

google.jpg850×680 157 KB

Having very briefly had the responsibility of overseeing a mid-size corporation’s email system, I am very grateful that this is the past and hopefully not something I ever need to deal with again.

Doing a lookup on one of your domains, the mindvox one, you have OpenBSD which doesn’t register as being there at all, in front of hardened gentoo. Great, the two operating systems of choice for paranoids, you couldn’t decide on one, so you picked both.

I know enough about linux to know that gentoo is an OS that “comes with a hazing instead of a installer” and OpenBSD is off somewhere in paranoid encrypted securityland.

Try finding people that know how to work with something other than Ubuntu server or RedHat, and cost less then $100,000 a year. Good luck with that in a corporate environment. It’s not that the tools don’t work, they are very powerful if you understand all this, most unix admin’s do not. Doing as much as loading the OpenBSD website I am still greeted by a angry armor plated blowfish with machine guns and some kind of laser cannon mounted on it and the copy of the site goes downhill from there.

Try selling OpenBSD in a corporate environment. One look at just the website and it will be turned down.

In the current group I’m with, we long ago made the choice to outsource all email and attendant headaches.

Personally I’ve found your second suggestion golden. I have my email address published on a variety of lists which are publicly archived and the few times I click on the spam folder to make sure something I need isn’t in there, it’s full of junk that Google has automatically caught. Most of the time I use Apple’s mail to IMAP the account and I’m golden. No more problems. Yes I do have Google trying to sell me something on every page, but its by far the lesser of two evils.

Thanks for the Google cartoon, that’s about the feeling I get when Google tells me it will do no evil, but I don’t really send a lot of email plotting to kill anyone and if Google is that interested in my personal email, they must be very bored.

True, though it doesn’t make me any less curious to know exactly how certain exploited addresses have gotten there.

That’s hilarious!

If you want something powerful that works on simpler setups, try POPFile. It’s pretty robust. Ubuntu can do a click-install (or apt-get) and you configure it by going to hostname:7070 (by default).

getpopfile.org/

Even if you don’t run a Unix mail server, it runs directly on Mac. Or even Windows if you’re that desperate