UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.
I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at craigslist.org, and any responses sent to that address would be forwarded on to me.
Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.
I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”
Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at craigslist.org. Some of these responses even used my real name in them. I received six such emails in three days. Yikes!
All of them had essentially the same structure. First, they claimed to be interested in my ad but then proceeded to indicate that the sender was actually interested in “getting to know me better” or some such thing. I was encouraged to visit the sender’s private profile on some sort of adult dating site at an included link, whose text was something like “www.nice4p.org” or “www.2bzq.org” but whose actual link target was different; if I had clicked (which I did not!), I would have actually been sent to “http://respectnsa.net/” or “http://humblefun.net/”. Finally, all of the replies but one had two pornographic or semi-pornographic photos attached to them. These were supposedly photos of the sender, but one of them was clearly messed up; not only were the two photos of different people, but one was a man and the other a woman. D’oh!
These were obviously phishing messages trying to get me to click on the links. However, although I noticed that right away, it took me a few days to realize that these were being sent directly to my email address rather than through Craigslist, and using my full name which wasn’t visible in my ad. My first reaction upon realizing this was, “Ohmigod, somebody has broken into Craigslist! How else would they know my real name and private email address and the fact that they’re associated with this particular ad?” However, after calming down and taking a few deep breaths, I realized what had really happened: the first response I received, to which I responded from my personal email address with my real name in the header, was a (successful) attempt to obtain my email address and name, which were then used by the miscreants in their subsequent phishing messages.
There are three reasons for harvesting a real name and address this way before sending the actual phishing messages: (1) the messages never pass through Craigslist, so they evade Craigslist’s spam / scam filters; (2) using the recipient’s real name in the message helps trick personal spam filters, since a real name is usually a good sign that a message is not spam; (3) the messages look more legitimate to people at a subconscious or barely conscious level, because they arrive from a real email address, address the recipient by a real name, and lack the boilerplate warnings inserted at the top and bottom of every message that gets sent through an anonymized Craigslist address.
I don’t use Craigslist that often, but I’ve never had this problem with any of my prior Craigslist postings, so either this particular scam has been increasing in frequency, or I’ve just been lucky not to encounter it in the past.
Here’s the thing, though… Why does Craigslist let this happen? There is a very simple way they could prevent it, and that is by anonymizing emails in both directions. In other words, what should happen when someone sends me a response to an ad is that their email address should be replaced with an anonymized craigslist.org address. Then, when I reply to them, my reply goes through craigslist.org, which masks my email address (and my name) in the reply, and so on for every subsequent message. Once both sides of the transaction are satisfied that they are legit, they can exchange real contact information as needed in the body of their emails; before then, they won’t have to worry about such information being inadvertently disclosed.
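To make the two-way scheme concrete, here is an added example (my own illustration, not Craigslist’s code or any description of how its gateway works). It assumes a hypothetical relay domain “relay.example”: the poster gets one alias per ad, each responder gets a per-ad alias the first time they write in, and every forwarded message is rebuilt from scratch so that neither side’s real address or display name ever reaches the other party’s headers. Only the ad’s own poster may reply through a responder alias.

```python
import secrets
from email.message import EmailMessage
from email.utils import parseaddr

DOMAIN = "relay.example"  # assumption: the relay's own mail domain


class TwoWayAnonymizer:
    """Mask both sides of an ad conversation behind relay aliases.

    poster           -> one listing alias per ad (e.g. sale-...@relay.example)
    each responder   -> one alias per (ad, responder) pair (reply-...@relay.example)
    Real addresses and display names never appear in headers handed to the other side.
    """

    def __init__(self, domain=DOMAIN):
        self.domain = domain
        self.listing_alias_to_poster = {}   # listing alias -> poster's real address
        self.responder_alias_to_real = {}   # responder alias -> (listing alias, responder real)
        self.responder_key_to_alias = {}    # (listing alias, responder real) -> responder alias

    def _fresh(self, prefix):
        # Unguessable alias; nobody can enumerate posters or responders from it.
        return f"{prefix}-{secrets.token_hex(8)}@{self.domain}"

    def register_listing(self, poster_real):
        """Create the anonymized address published in the ad."""
        alias = self._fresh("sale")
        self.listing_alias_to_poster[alias] = poster_real.lower()
        return alias

    def _responder_alias(self, listing_alias, responder_real):
        key = (listing_alias, responder_real)
        alias = self.responder_key_to_alias.get(key)
        if alias is None:
            alias = self._fresh("reply")
            self.responder_key_to_alias[key] = alias
            self.responder_alias_to_real[alias] = key
        return alias

    def relay(self, msg):
        """Return the rewritten message to forward, or None to drop it."""
        _, sender = parseaddr(str(msg["From"]))
        _, recipient = parseaddr(str(msg["To"]))
        sender, recipient = sender.lower(), recipient.lower()

        if recipient in self.listing_alias_to_poster:
            # Responder -> poster: mask the responder behind a per-ad alias.
            new_from = self._responder_alias(recipient, sender)
            new_to = self.listing_alias_to_poster[recipient]
        elif recipient in self.responder_alias_to_real:
            # Poster -> responder: only the ad's own poster may use this alias.
            listing_alias, responder_real = self.responder_alias_to_real[recipient]
            if self.listing_alias_to_poster.get(listing_alias) != sender:
                return None
            new_from = listing_alias
            new_to = responder_real
        else:
            return None  # unknown alias: drop rather than forward

        # Rebuild the message instead of editing it in place, so stray headers
        # (Sender, Reply-To, Message-ID domains, display names) cannot leak.
        out = EmailMessage()
        out["Subject"] = str(msg["Subject"] or "")
        out["From"] = new_from       # bare address: no "Real Name <...>" display name
        out["To"] = new_to
        out["Reply-To"] = new_from   # replies come back through the relay
        out.set_content(msg.get_content())
        return out


if __name__ == "__main__":
    # Constructed sample exchange, not real traffic.
    relay = TwoWayAnonymizer()
    listing = relay.register_listing("poster@example.com")

    probe = EmailMessage()
    probe["From"] = "Someone <probe@example.net>"
    probe["To"] = listing
    probe["Subject"] = "Re: your ad"
    probe.set_content("")  # the empty "are you still selling?" style probe from the post

    forwarded = relay.relay(probe)
    print(forwarded["From"], "->", forwarded["To"])

    reply = EmailMessage()
    reply["From"] = "Jane Poster <poster@example.com>"
    reply["To"] = forwarded["From"]
    reply["Subject"] = "Re: your ad"
    reply.set_content("Are you interested in the item?")

    back = relay.relay(reply)
    print(back["From"], "->", back["To"])  # listing alias -> probe@example.net
```

The poster’s reply in this model carries only the listing alias, which is all the responder already had from the ad, so the harvesting trick in the post yields nothing new. The relay also refuses to forward a message to a responder alias from anyone other than that ad’s poster, so a third party who learns an alias cannot use it to reach the responder.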
I have no idea why Craigslist doesn’t do things this way; there are certainly other sites that do. I wish they did, because now I’m going to have to go set up a throwaway email address somewhere every time I want to post an ad on Craigslist. And that’s just yucky.