Archive for the ‘Spam’ Category

BBYO management: incompetent or merely stupid?

Thursday, October 18th, 2012

Earlier this year, my wife and two of my daughters attended CELEBR-8 U, a conference for middle school and high school girls organized by Moving Traditions, a wonderful organization for which our family has a great deal of fondness and respect.

One of the co-sponsors of the conference was BBYO. Unbeknownst to us, Moving Traditions gave BBYO and other sponsors access to the attendee list, including email addresses. Shortly after the conference, BBYO started spamming my wife.

I have now asked BBYO five separate times to stop spamming my wife:

  • On June 10, 2012, I emailed and (which bounced, despite being an email address advertised by the organization) and also clicked the unsubscribe link in the spam. Marissa Feinman <> responded to my complaint but the spam continued.
  • On September 14, I emailed,, and Casey Topol <>.
  • On September 28, I emailed,, and Sabrina Moore <>.
  • On October 4, I reported BBYO’s spam via SpamCop and clicked the unsubscribe link in the spam.
  • Today, October 18, I emailed,,,, and It is worth noting that today’s spam had no unsubscribe instructions, which means it was sent in violation of the federal CAN-SPAM Act.

About 30 years ago, when I was suffering through the worst three years of my life and my social life was nonexistent, my parents had the brilliant idea that I should give BBYO a try. I attended one meeting and was so the-opposite-of-impressed that I never went back. I’m sorry to see that management of the organization does not seem to have improved much since then.

I hope Moving Traditions will think long and hard before co-sponsoring events with BBYO in the future, or at the very least, will refrain from giving BBYO access to the email addresses of event attendees. It really wasn’t OK for Moving Traditions to give out people’s email addresses without their knowledge and consent, but it’s all the more not OK because of what BBYO has done with them.

UPDATE [2012-10-19]: I spoke to someone from Moving Traditions this morning. They apologized for the situation and indicated that they are taking steps both internally and with BBYO to ensure that something like this does not happen again. Their response reflects well upon their organization, and I am grateful for it.

New technique from the Craigslist spammers

Friday, August 31st, 2012

In June, I wrote about a technique used by spammers to harvest names and email addresses of “live” targets for their spam.

In a nutshell: you post an ad to Craigslist; the spammer sends you an automated email which makes you think that maybe the sender is interested in your ad; you send a response, “Are you interested?” thus revealing your name (if it’s configured in your email client) and real email address to the spammer; and within hours, you are deluged by spam at that address, which uses your name from your email header, thus making it more likely that you will read it and that it will make it through your spam filter.

As I noted in my earlier blog posting, the fix to this is simple: Craigslist should tweak the email headers so that the entire exchange between poster and respondent is sent through Craigslist’s proxy server, so that the poster’s name and email address are never revealed in the header of a message sent by him/her to the spammer. Given how prevalent this problem is on Craigslist, it’s a mystery why they don’t do this.
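A sketch of the relay-side header rewriting described above, as an added example that is not from the original post and not Craigslist’s code. The relay domain, key, header list, function names and sample message are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string

RELAY_DOMAIN = "relay.example"       # constructed relay domain (assumption)
RELAY_KEY = b"constructed-demo-key"  # per-deployment secret (assumption)
# Headers that can expose the poster's name, address or mail path.
IDENTIFYING = ("From", "Sender", "Reply-To", "Return-Path", "Received",
               "Message-ID", "X-Originating-IP", "User-Agent", "X-Mailer",
               "Cc", "Bcc")

def alias_for(real_address, thread_id):
    """Derive a stable per-thread alias so later replies still route via the relay."""
    data = f"{thread_id}:{real_address.lower()}".encode()
    digest = hmac.new(RELAY_KEY, data, hashlib.sha256).hexdigest()[:16]
    return f"{digest}@{RELAY_DOMAIN}"

def anonymize_reply(raw_message, real_address, thread_id):
    """Rewrite a poster's outgoing reply so only the relay alias is visible.

    Only headers are handled; a signature typed into the body is not touched.
    """
    msg = message_from_string(raw_message)
    for name in IDENTIFYING:
        del msg[name]        # removes every occurrence; no error if absent
    alias = alias_for(real_address, thread_id)
    msg["From"] = alias      # no display name: the name is what gets harvested
    msg["Reply-To"] = alias
    return msg

# Constructed sample reply from a poster (not taken from the page).
SAMPLE = ("Received: from home.example by mx.relay.example; "
          "Fri, 31 Aug 2012 10:00:00 -0400\n"
          "From: \"Pat Poster\" <pat@home.example>\n"
          "To: buyer@sender.example\n"
          "Message-ID: <abc123@home.example>\n"
          "Subject: Re: your ad\n\n"
          "Are you interested in the item?\n")

if __name__ == "__main__":
    print(anonymize_reply(SAMPLE, "pat@home.example", "ad-1234").as_string())
```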

Alas, the problem has gotten worse, not better. At the bottom of every email message sent through Craigslist’s proxy server is a link that people can use to report the message as spam. People who are moderate to heavy users of Craigslist can recognize these phishing messages immediately and report them as spam, thus helping Craigslist to figure out who should be blocked from sending messages through them. Alas, the spammers have figured out how to break the flagging link at the bottom of their email messages.


Craigslist email-reply scam and what Craigslist could do to fix it

Tuesday, June 19th, 2012

UPDATE [2013-02-13]: According to this article on Craigslist, as of February 10, 2013, they have implemented and are testing the idea I described below for fixing the problem described in this posting.

I recently placed a for-sale ad on Craigslist. I anonymized my email address in the ad, which means that the published email address was a random one at, and any responses sent to that address would be forwarded on to me.

Within 24 hours of placing the ad, someone responded to it, but the response contained nothing but the standard Craigslist boilerplate and a copy of the first line of the ad.

I thought perhaps the sender had made a mistake, or perhaps Craigslist’s mail gateway had corrupted the response, so I sent back a reply: “Are you interested in the [item]? You don’t seem to have said so in your email.”

Within 24 hours of sending my reply, I started to receive supposed responses to my ad, sent directly to my real email address, not through the anonymous address at Some of these responses even used my real name in them. I received six such emails in three days. Yikes!


Honda Village fires us as a customer

Wednesday, January 18th, 2012

IMPORTANT UPDATE on Brave New Foundation and Nation of Change

Friday, August 12th, 2011

I wrote several days ago about spam I received from Nation of Change at an email address which had previously only been shared with Brave New Foundation. Earlier today, I wrote about Nation of Change apparently attempting to cover their tracks after their unauthorized use of email addresses was discovered and reported by me.

I have been in conversation about this with a high-level employee at Brave New Foundation, and I am now able to report the following important information:

  • Brave New Foundation does not sell, share or rent their email lists.
  • There is a Brave New Foundation employee with access to their lists who has a relative who works for Nation of Change.
  • Brave New Foundation believes that this Nation of Change employee made unauthorized use of his/her relative’s access to copy an as yet undetermined subset of Brave New Foundation’s email lists for Nation of Change’s use.
  • Brave New Foundation does not believe its employee was complicit in this unauthorized access. In fact, s/he was unaware that it had occurred until I brought it to Brave New Foundation’s attention.
  • Brave New Foundation considers this breach of their data to be extremely serious, and they are actively investigating it.
  • Brave New Foundation is considering legal action against Nation of Change both to prevent any further use of the copied email addresses and to obtain financial compensation for the damage to Brave New Foundation’s reputation and the time and resources spent investigating this incident.

All of this information, as well as some additional off-the-record supporting information that I cannot report here, was provided to me directly by an employee of Brave New Foundation. I have no reason to believe that employee is lying, and what s/he told me is consistent with my suspicions and impressions about Nation of Change. However, in the spirit of full disclosure, I want to be clear that I have not seen any hard evidence supporting any of Brave New Foundation’s allegations against Nation of Change.

When you combine these new allegations against Nation of Change with all the other issues I raised in my first posting about them, it seems doubtful that this is an organization which deserves anyone’s support.


Nation of Change trying to cover their tracks?

Friday, August 12th, 2011

I wrote recently about spam I received from a new, shady-seeming progressive organization called Nation of Change, sent to an email address that I had only ever used to subscribe to another organization’s mailing list.

I asked a lot of questions about Nation of Change, and thus far they’ve failed to respond to any of them. Here’s what has happened instead.


Oracle (née Sun) joins the club of companies who can’t keep their mailing lists secure

Thursday, August 11th, 2011

In September 2009, I registered as a developer at When doing so, I used a tagged email address, i.e., an email address part of which was unique to my registration at that site. I’ve never used that particular email address anywhere else or published it anywhere.

In January 2010, Oracle completed its acquisition of Sun. The Sun developer web sites were eventually decommissioned and are not active today. Since the completion of the acquisition, I’ve received no email at the tagged email address I gave to Sun. Until today, that is.

Today, I received this spam sent to that tagged email address:

Received: from ( [])
	by (8.13.8/8.13.8) with ESMTP id p7BNER5P022529
	for <[elided]>; Thu, 11 Aug 2011 19:14:27 -0400
Received: from find ([]) by with MailEnable ESMTP; Thu, 11 Aug 2011 18:14:39 -0500
MIME-Version: 1.0
From: "Tech-centric Jobs" <>
To: [elided]
Date: 11 Aug 2011 18:14:39 -0500
Subject: Technology job openings
Content-Type: text/plain; charset=us-ascii
Message-ID: <>
Content-Transfer-Encoding: 8bit


Find the latest software & programming jobs


A good programmer is someone who always looks both ways before crossing a one-way street. ~Doug Linder

The latest programming jobs are available:

If however you are not interested in exploring programming jobs at this time please optout:[elided]&token=[elided]

All the best,
The Health Medical Job Site
1350 E Flamingo Rd
Las Vegas NV, 89119

It looks like either Oracle sold the email addresses of web site users to a third party, or somebody stole them. Neither of these casts Oracle in a particularly good light.

I am, of course, going to do my best to contact someone in Oracle who might be willing and able to look into this, but I am rather skeptical that I will have any success.

“Nation of Change”, who are you and why are you spamming me?

Thursday, July 28th, 2011

IMPORTANT UPDATE: As of August 12, 2011, it appears that Brave New Foundation had nothing to do with the spam reported below and in fact they are as much a victim as I am. Please see this posting for details.

Dear Nation of Change (along with Brave New Foundation),

Let me tell you about a little strategy I use to find out who’s buying and selling my email address… When I give my email address to an organization or Web site, I “tag” it to make it unique to that site while still ending up in my inbox. So when that site decides to sell or share my address, I know who did it.

When I put my address on a petition created by Brave New Films (now the Brave New Foundation) during the 2008 presidential campaign, I did not give Brave New Films permission to give it out to others. Guess what, folks, that’s spamming, and it’s evil, and I don’t support organizations that spam or help others spam. By giving out my address and others without permission, Brave New Foundation has permanently lost my support, and by using my and others’ illicitly obtained addresses, so have you.

But that’s not the end of it.

Who’s using my email address, and why?

Thursday, June 23rd, 2011

Somebody seems to be using my email address in a weird, ongoing way that doesn’t seem to be benefiting them in any way. The fact that I can’t figure out why they’re doing it concerns me, because I have to suspect that there is some benefit to them, which I just haven’t been able to figure out. I’m worried that if it’s helping them, it’s probably hurting me, even if I don’t know it.

Therefore, I’m blogging what I know, in the hope that perhaps someone else will be able to look at the facts and point out something I missed about why this is going on.


A study in contrasts: handling stolen email lists

Monday, April 4th, 2011

I try to make a habit of giving out “tagged” email addresses to web sites when I sign up for accounts / mailing lists / whatever. For example, when creating an account at, instead of just signing up as “”, I might sign up as “”. It ends up in the same mailbox regardless, and it gives me some visibility into who is sharing or selling or allowing my email address to be stolen.
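One way to automate the attribution that tagging makes possible, as an added example that is not the author’s own tooling. It assumes plus-style subaddressing (`me+tag@mail.example`); the mailbox, the tag registry, the domains and the sample messages are all constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MAILBOX = ("me", "mail.example")  # constructed base local part and domain
# Constructed registry: tag -> sender domains that were given that tag.
TAG_REGISTRY = {"bookclub": {"bookclub.example"}, "petition": {"petition.example"}}

def extract_tag(address):
    """Return the tag in me+tag@mail.example, or None if untagged or foreign."""
    local, _, domain = address.lower().rpartition("@")
    base, sep, tag = local.partition("+")
    if (base, domain) != MAILBOX or not sep or not tag:
        return None
    return tag

def attribute(raw_message):
    """Return (verdict, tag, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    # From is unauthenticated: a mismatch is a leak signal, a match proves nothing.
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _, addr in getaddresses(headers):
        tag = extract_tag(addr)
        if tag is None:
            continue
        allowed = TAG_REGISTRY.get(tag)
        if allowed is None:
            return ("unknown-tag", tag, sender_domain)
        if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
            return ("expected", tag, sender_domain)
        return ("leaked", tag, sender_domain)
    return ("untagged", None, sender_domain)

# Constructed sample messages (not taken from the page).
LEAKED = ("From: \"Jobs\" <offers@jobs.example>\n"
          "To: me+bookclub@mail.example\n"
          "Subject: Technology job openings\n\nbody\n")
EXPECTED = ("From: news@mail.bookclub.example\n"
            "To: me+bookclub@mail.example\n"
            "Subject: Your order\n\nbody\n")

if __name__ == "__main__":
    for sample in (LEAKED, EXPECTED):
        print(attribute(sample))
```

A "leaked" verdict only says that the tagged address reached a sender it was never given to; whether it was sold, shared or stolen still has to be established with the organization that held it.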

About six months ago, I started getting spam from an email address that I had only used in one place: signing up one of my kids for a Scholastic, Inc. book club through their web site back in 2007.

I contacted Scholastic and told them that either they were selling my email address and it needed to stop, or they had suffered a data breach of at least customer email addresses, if not more.

In response, Scholastic’s CISO informed me that Scholastic doesn’t sell email addresses to third parties; their children’s book club business was sold to Sandvik Publishing in 2008; the email address in question was no longer in Scholastic’s database; and I should contact Sandvik if I wished to pursue the matter further.

I sent a reply to the CISO which read as follows:

I don’t recall ever being asked whether I considered it OK for Scholastic to sell my PII to another company. This is especially disturbing since at that point I was no longer a customer of Scholastic’s for the business that was sold.

Granted, your privacy policy gives you the legal right to sell any information you collect to anyone you want. The fact that you are legally permitted to do that doesn’t make it right.

Your privacy policy also says, “Scholastic ensures that all personally and non-personally identifiable information that it receives via the Internet is secure against unauthorized access.” Alas, you apparently do not consider it your responsibility to ensure that the third parties to whom you sell PII keep it as secure as you claim to do yourselves. That is rather disappointing.

I will contact [Sandvik] as you have suggested. However, if I were in your shoes, I would be extremely concerned that a third party to whom Scholastic had sold PII allowed it to be compromised, and I would consider it my responsibility to investigate the issue myself, rather than leaving the wronged (former) Scholastic customer entirely on his own.

I received no further response from Scholastic.