My Spam Trap Caught A Company - How Legitimate Is Their Response?

I have my own domain (let's call it MyDomain.com), and my email account is set up such that all mails sent to @MyDomain.com will end up in the same mailbox.

So, think of a word, put it in front of @MyDomain.com, send me an email, and I will get it.

When I sign up for SomeService.com, the email address I will give them is ‘someservice@MyDomain.com’.

This means that if I get a spam email sent 'To' someservice@MyDomain.com, I can identify 'someservice' as having compromised my email address...Or so I thought.

When catching a company (a pharmacy from whom I'd bought earplugs), as far as I was concerned, red-handed, I sought them out, and got the following response:

I am one of the webmasters of the [SomeService] commerce portal. We take user data security very seriously as our business depends on this.

We have been PCI certified by 2 independent agencies who routinely scan our systems for security flaws.

Emails can leak out at multiple levels including the user's computer or in transit due to network sniffers that are increasingly being employed by professional spammers.

We not only keep our systems behind a firewall but also encrypt user data to ensure privacy even from our own staff.

I reiterate this is not something we condone and we will do an internal investigation to ensure our systems are clean. Kind Regards [administrator]

What do you folks make of this? Some questions I'm asking are

  • What is PCI certification, and can I take this seriously / is it credible?
  • Are the 'email-leaking' and 'network sniffer' claims credible?

And any thoughts in general. Let's just say I'm learning.

Thanks, James

James Wiseman

Posted 2010-09-20T18:20:32.680

Reputation: 366

Question was closed 2015-08-01T19:12:19.803

I have done this for years and have never yet received a single spam which might indicate that a company had sold my address to a third party (pretty disappointing, in a way ;-) – Mawg says reinstate Monica – 2015-07-31T08:02:02.840

How do you mean you can identify 'someservice' as having compromised your email address? Do you keep a record of every 'someservice@' email address you have used? – Connor W – 2010-09-20T18:34:48.343

Yes, I do. I'm currently up to about 20. And even if I didn't, receiving an email like this would jog my memory. :-) – James Wiseman – 2010-09-20T18:43:17.487

@Connor Surely the record is in the 'someservice' part. One would sign up to "stackoverflow" with an address of "stackoverflow@mydomain.com" and use that email address for nothing else. The question is, if one gets spam addressed to "stackoverflow@mydomain.com", where has the spammer got the address from if not from "stackoverflow"? – Neal – 2010-09-20T18:47:32.673

Some spammers look for registered domains and then try to make up addresses from dictionaries, so there is another way to get spam. Still, if that was the case, it would have been envious is setup such as the one OP described. – AndrejaKo – 2010-09-20T18:55:04.920

I do this too and it works great. I have only had one instance of a third party actively giving an address to spammers. It was apparently a result of sending in rebate forms for a popular electronics store. That address is now blocked. – Chris Nava – 2010-09-20T19:03:18.023
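The scheme the question describes, and the dictionary-guessing caveat raised in the comments, can be turned into a small triage script. This is an added example, not code from the question or any answer; it assumes a constructed alias registry and constructed raw message headers, and stands in for a real catch-all mailbox.

```python
from email import message_from_string
from email.utils import getaddresses

MY_DOMAIN = "mydomain.com"  # assumed stand-in for the OP's MyDomain.com

# Constructed registry: alias local-part -> the service it was handed to.
# Only spam addressed to one of these points at a specific service.
ALIASES = {
    "someservice": "SomeService.com (pharmacy)",
    "stackoverflow": "stackoverflow.com",
}

# Constructed sample messages (headers only; bodies omitted).
SAMPLES = [
    "From: promo@example.net\nTo: someservice@MyDomain.com\nSubject: pills\n\n",
    "From: x@example.org\nTo: john@mydomain.com, info@mydomain.com\nSubject: hi\n\n",
    "From: y@example.org\nCc: stackoverflow@mydomain.com\nSubject: offer\n\n",
]


def recipients(raw):
    """Return lowercased addresses from To, Cc and Delivered-To headers."""
    msg = message_from_string(raw)
    found = []
    for header in ("To", "Cc", "Delivered-To"):
        for value in msg.get_all(header, []):
            # One call per header value, so a malformed value cannot
            # wipe out the addresses parsed from the other headers.
            found += [a.lower() for _, a in getaddresses([value]) if "@" in a]
    return found


def classify(raw):
    """Tag each recipient at our domain: registered alias or guessed name."""
    hits = []
    for addr in recipients(raw):
        local, _, domain = addr.partition("@")
        if domain != MY_DOMAIN:
            continue
        if local in ALIASES:
            hits.append(("alias", ALIASES[local]))  # candidate leak source
        else:
            hits.append(("guess", local))  # dictionary-style guess, no source
    return hits


def summarize(raws):
    """Count spam per registered service; collect guessed local-parts."""
    suspects, guesses = {}, []
    for raw in raws:
        for kind, detail in classify(raw):
            if kind == "alias":
                suspects[detail] = suspects.get(detail, 0) + 1
            else:
                guesses.append(detail)
    return suspects, guesses
```

A high count against one alias singles out that service for follow-up, while a long list of guessed local-parts is the domain-wide guessing the comments describe and says nothing about any one vendor.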

Answers

7

PCI certification probably relates to PCI Security Standards Council, which is mostly about Payment Application Data Security, rather than email security. In short: No relation to your request.

As regarding sniffers on your local network, I really don't think that anybody went to the trouble of connecting to your home in order to get your email addresses. So again: Not related to your question.

A firewall is not an ultimate protection, since it may have unplugged security holes, and it anyway passes emails which may convince employees to install spyware behind it on the internal network, which then becomes wide open to the hacker.

Encrypting user data is nice, but a virus can always intercept the email before it was encoded.

Conclusion: This is high-and-mighty blah-blah whose purpose is to hide that the guy doesn't have a clue regarding security. Don't trust them; they might be full of viruses and still naively fully confident of their firewall.

For protecting your email, I suggest having a look at e4ward. It has free or paid accounts (only $10 a year) and allows much better control of your email, since it lets you cut off such guys.

harrymc


Reputation: 306 093

3

PCI compliance is a data security standard used by those who handle credit card data. It is certainly possible to harvest email addresses in a variety of ways. Whether and how often this is done over the wire is the question. The response doesn't address whether they sell their email addresses. You should be able to obtain their privacy policy on their web site or by request and it should cover this issue. Also, it might be possible for an insider to harvest addresses (I don't know how PCI deals with this possibility).

Paused until further notice.


Reputation: 86 075

PCI has nothing to do with email security. I was manager at a POS vendor dealing with a LOT of PCI issues until earlier this year, and I have (unfortunately for me) read the docs and standards pretty thoroughly. – JNK – 2010-09-20T18:53:11.240

I should have also noted that pharmacies in the US are subject to data privacy regulations that have nothing to do with PCI. I know they apply to prescriptions but I don't know if they apply to other business dealings. – Paused until further notice. – 2010-09-20T20:35:00.747

3

As the other answers have said, PCI is all about security of the server / service, and not about personal data.

I think the most likely answer is that you are simply unlucky.

I also run a catch-all email address on my server and I get thousands of spam emails each day; these people simply guess combinations of addresses. It is nothing special, and the longer you own the domain, the more spam will come your way.

That being said, you can't rule out that this place gave your email address away, but if it is a big place you have to ask yourself whether it is really in their best interest to do so.

If it is genuine bulk, unsolicited spam such as garbage email with one attachment or Viagra adverts, it is unlikely to have come from a sold list.

William Hilsum


Reputation: 111 572

Cheers Wil. I've owned the domain for 8 years now, and get a large quantity of spam, virtually all of which is diverted into my spam folder. I'm actually delighted that a method I have used has worked. It's not a big place, and I wouldn't be surprised if this made it a nice extra revenue stream. – James Wiseman – 2010-09-21T07:36:12.793