Wednesday, February 20, 2008

SPAM - Finding the culprit who sold your e-mail address

One of the (very many) things that annoys me in the IT world is spam. Even more annoying is working out which of the multitude of Web forms I've filled in has then either had its mailing list stolen or sold.

Most of the time I don't bother - I add my Gmail account as the e-mail address to the forms. However there are those Web forms that don't accept hosted e-mail accounts and want you to use your corporate or personal e-mail address.

If you can easily add e-mail aliases to your corporate or personal e-mail address then you might be interested in the following technique.

I run my own mail server, so I've recently taken the step of adding a suffix of ".spamtrack.source.<website>" to my business e-mail address to create a new alias, where <website> is the site that wants my business e-mail address.

So if my e-mail address is me@example.com, then my new alias for a Microsoft Web form becomes me.spamtrack.source.microsoft@example.com.

It's a bit long-winded and fancy looking - I wanted something that looked like an automated system handles it. It also means I can add that later if I bother scripting something to take care of it and auto-mail abuse@ to tell them that my e-mail address has either been stolen or sold. I could possibly even extend it to be something like me.spamtrack.source.microsoft-dont-sell-my-email-you-sods@example.com.

So now I'm able to see who's selling my e-mail address or who has had their mailing lists stolen. And if the spam levels climb up, then I can simply kill the alias.
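As an added example (not code from the original post), here is one way to script the tracking step: parse the recipient alias out of each message and count mail that arrives on an alias from a sender unrelated to the site it was given to. The sample messages are constructed, and the "site name must appear in the sender's domain" rule is an assumed heuristic.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Alias shape from the post: <user>.spamtrack.source.<website>@<domain>
ALIAS_RE = re.compile(
    r"^[^@]+?\.spamtrack\.source\.(?P<site>[a-z0-9-]+)@[^@]+$", re.I)

def alias_source(address):
    """Return the <website> tag of a tracking alias, or None for a plain address."""
    m = ALIAS_RE.match(address.strip())
    return m.group("site").lower() if m else None

def classify(raw_message):
    """Return (site, sender_domain, leaked) for the first tracking alias found."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = (msg.get_all("Delivered-To", []) + msg.get_all("To", [])
               + msg.get_all("Cc", []))
    for _, addr in getaddresses(headers):
        site = alias_source(addr)
        if site:
            # Assumed heuristic: mail is expected only if the site tag is a
            # label of the sender's domain. From: is forgeable, so this can
            # miss spam that spoofs the original site; it will not over-report.
            return site, sender_domain, site not in sender_domain.split(".")
    return None, sender_domain, False

def leak_report(messages):
    """Count unexpected senders per alias tag: the sites that leaked or sold it."""
    counts = Counter()
    for raw in messages:
        site, _, leaked = classify(raw)
        if leaked:
            counts[site] += 1
    return counts

def _mail(frm, to):  # builds a constructed sample message
    return f"From: {frm}\nTo: {to}\nSubject: sample\n\nbody\n"

SAMPLES = [  # constructed data, reserved .example domains
    _mail("news@mail.microsoft.example", "me.spamtrack.source.microsoft@example.com"),
    _mail("deals@pills.example", "me.spamtrack.source.microsoft@example.com"),
    _mail("win@casino.example", "Me <me.spamtrack.source.microsoft@example.com>"),
    _mail("promo@lists.example", "me.spamtrack.source.acme@example.com"),
    _mail("friend@example.org", "me@example.com"),
]

if __name__ == "__main__":
    print(leak_report(SAMPLES))
```

A non-zero count for a tag is the signal to contact that site's abuse@ address or kill the alias.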

1 comment:

Anonymous said...

I too started a similar system many years ago. I happened to build and run an ISP turned phone company throughout the first 7 years of the 00's.

While working there, I was fortunate enough to be forced to analyze mail delivery systems, and spam in general. I started doing what you described for my own domain, and I was really surprised at how many organizations DID NOT share or sell my information. In fact, it was shocking.

The more I thought about it, the harder it was for me to believe... until it hit me. Being an IT professional, and a security-conscious one at that... I'm more discerning than the average web user, regarding which sites I choose to share my information with (specifically my real email address).

The few things that did come through (to my specially crafted aliases, set up specifically for each company I was registering with) were from companies or organizations that I EXPECTED IT TO COME FROM. If my memory serves me, one time my girlfriend signed up for one of those free cruises at the mall, and for a car giveaway (it was early on in our relationship, and WAY before she had the fortune of hearing me rant endlessly about spam and security and privacy and identities)... so she didn't know better. However, when she asked which email address to use, I gave her one with the date in the name. Wouldn't you know, that's the one that pulled in more spam, from the widest variety of senders / marketers. It goes to show that it's not just websites that are abusing trust. It's also physical-world organizations. Of course, I would hope that most people would know better than to give out information for a random raffle or whatever... but I know that's not true.