
who would spam a sneakemail?


Jank1887


Use Sneakemail for almost all of my commercial email. Had one active for 2-3 years now for my long distance company. Used for nothing but signup and their online billing service. Then, 3 weeks ago, I start getting typical sleaze spam to the address. Never used outside the service, only forwards to a Gmail, so not stored anywhere on local pc as virusbait, never sent email via that address... Oh, and of course made sure all opt-in check boxes were unchecked way back when I actually signed up.

must have been sold or scraped... violation of either their privacy policy (either for marketing or 'protecting your personal information'.)

So, who would you bitch to?

Prior to this, the only spammed sneakemails I had were from webmillion and Telus Penguin Hockey :)

(forwarding SC reports 'for their reference' actually got me a nice email conversation (no sarcasm there) with their abuse desk, who of course claim they had nothing to do with it, and I must have gotten it scraped by a virus.)

Link to comment

> (forwarding SC reports 'for their reference' actually got me a nice email conversation (no sarcasm there) with their abuse desk, who of course claim they had nothing to do with it, and I must have gotten it scraped by a virus.)

Well, if it couldn't be scraped by a virus on your computer, then it had to be scraped by a virus on theirs, ISTM. They owe you an apology and a phone call, with repeated requests for a supervisor, might get you one - or if it is possible, an explanation of how it could have been scraped from yours.

Miss Betsy

Link to comment

Just for kicks, here's the spammy details:

Signed up for "Everdial Around" (www.everdial.net) long distance service back in 2002, gave them a fresh sneakemail, which forwards to my Gmail account.

They apparently do sales/referrals for Primus Telecom (www.primustel.com), so that's who I actually get a bill from for the service.

Signed up for their Primus' online billing service, where statements and payment confirmations are sent monthly to that sneakemail address.

No problems until this May. At the beginning of the month, I get a phishing spam to that sneakemail address (Charter-One Bank phish). Then some mortgage spam, then 'enhancement' spam, etc., etc. In 3 weeks it's gone from no spam to the most of any addresses I have.

CC'd Primus abuse dept. on SC reports, results as mentioned above. No good contact for Everdial.net. SC has their reporting address listed as Rackspace, but I don't think CC'ing them would be at all productive. Samspade.org gives me a Perry Stevens at perry[at]todaytheworld.com. No response there. Website only a web contact form, no response.

Now, Primus's policy states:

"When Primus uses agents, contractors or other third parties to perform services on its behalf,... Primus will require that those third parties are subject to a confidentiality agreement so that your information is protected"

Everdial seems the most likely suspect. Seems that if Primus has a contractual arrangement with Everdial (listed on my monthly bill as Sales & Referrals), that puts them in the third party category mentioned above, and I can demand some sort of investigation from Primus. (Demand likely meaning I get to blow off some steam and they'll do nothing.)

Thoughts?

Link to comment

> Now, Primus's policy states:
>
> "When Primus uses agents, contractors or other third parties to perform services on its behalf,... Primus will require that those third parties are subject to a confidentiality agreement so that your information is protected"
>
> Everdial seems the most likely suspect. Seems that if Primus has a contractual arrangement with Everdial (listed on my monthly bill as Sales & Referrals), that puts them in the third party category mentioned above, and I can demand some sort of investigation from Primus. (Demand likely meaning I get to blow off some steam and they'll do nothing.)
>
> Thoughts?

If you can't get any satisfaction by talking to the 'supervisor', then IMHO, a snail mail complaint is in order.

Miss Betsy

Link to comment

Actually, I just got an email from the Primus abuse desk guy saying the following:

"I just wanted to double-check that you got an email from the fellow I turned your issue over to. He was going to contact you in reference to our relationship with Everdial. Did he do so, or do I need to go rattle his cage? ;-) "

Emailed him back letting me know I hadn't heard from anyone else yet. Seems that the Primus abuse-desk folks at the least have good intentions.

Link to comment

  • 4 weeks later...

:excl: Excuse me for your assumptions-but before you put up posts that assume and have no merit except for the crap you make up in your head-why don't you check it out further. :ph34r:

I represent Everdial and we absolutely do NOT sell your email addresses or give them out to any other organization! Primus is the only other company that has them, and they have too much to lose by spamming their own customers-that wouldn't make too much sense-would it genius?

It is very easy to contact us through our website-and if you bothered to do that-you would have been replied to and if you had a complaint it would have been investigated.

B)

Louie D

Everdial

Link to comment

<pilot lite on>

It wouldn't make sense to me.

But then, neither does "everdialman"s posting.

Somehow the address got nabbed by a spammer.

By the sounds of it, Jank1887 was very careful not to use that address for anything other than electronic billing.

I can't begin to fathom who is culpable for this issue.

However, I'm sure I had nothing to do with it :o

<pilot lite off>

Link to comment

> :excl: Excuse me for your assumptions-but before you put up posts that assume and have no merit except for the crap you make up in your head-why don't you check it out further. :ph34r:

Yet you offer nothing "of substance" in this alleged/attempted rebuttal (of something) ...

> I represent Everdial

in what capacity?

> and we absolutely do NOT sell your email addresses or give them out to any other organization! Primus is the only other company that has them, and they have too much to lose by spamming their own customers-that wouldn't make too much sense-would it genius?

Prior to the conviction of the employee that sold millions of account names, even companies as large as AOL said the same thing (though without the name-calling)

> It is very easy to contact us through our website-and if you bothered to do that-you would have been replied to and if you had a complaint it would have been investigated.

Web-site was already described as not quite the same glowing possibilities and reactions;

> No good contact for Everdial.net. SC has their reporting address listed as Rackspace, but I don't think CC'ing them would be at all productive. Samspade.org gives me a Perry Stevens at perry[at]todaytheworld.com. No response there. Website only a web contact form, no response.

There seems to be quite a gap between your rhetoric and the story-line offered up by the person that started asking questions .... yet in your (apparently heavily) biased response, it is noted that you cleared up none of the previously posted data.

> So, the next time you decide to slander an organization-maybe you should check it out a little better and more thoroughly first-or you will probably be looking at some law suits B)

Hmmmm, technically, the only thing I've seen thus far 'here' is someone talking about steps taken to ask for help, ask for data, ask for research .... answers seem to be few and far between, and now there's a "representative" that wants to throw the magic words "law suits" around based on an assumed case of slander ... an unknown representative of some alleged company that uses name-calling in a publicly posted response that also seems to want all "readers" to also believe that he/she is apparently licensed and registered somewhere to practice law .....

Would have been "nicer" all the way around had this post actually dealt with the real issue, perhaps dealt with the actual methods of contacting (real) staff somewhere (based on the data existing thus far that e-mail isn't getting it done) ...

Cartoony legal threats are pretty much ignored around these parts .. and those that aren't ignored find their associated IP addresses in any number of personal blacklists (and that data also has a tendency to leak also) ....

Link to comment

Well, I must personally thank everdialman for his message. It gave me my first laugh for the day. (aren't trolls cute.)

FYI, single contact point via Everdial.net is the webform (no email/phone). Any attempt at using webform has resulted in:

Microsoft OLE DB Provider for ODBC Drivers error '80004005' 

[Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'TicketID', table 'VSD_Support.dbo.Tickets'; column does not allow nulls. INSERT fails. 

/contact.asp, line 163 

Thanks for the staunch defense, but I don't actually think it's necessary here.

as you said, perry[at]todaytheworld.com=no response. Haven't tried rackspace, but they just own the IP space and no spam's been sent from there.

And the latest from Primus (again, nothing but good followup from them):

Tuesday, June 14, 2005, 8:03:01 AM, you wrote:

csc> anything new on this?

Interesting. I was told that EverDial had phoned you. I'm copying this email to the individual in our organization who was dealing with Everdial.

Link to comment

> Well, I must personally thank everdialman for his message. It gave me my first laugh for the day. (aren't trolls cute.)
>
> FYI, single contact point via Everdial.net is the webform (no email/phone). Any attempt at using webform has resulted in:
>
> Microsoft OLE DB Provider for ODBC Drivers error '80004005'
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Cannot insert the value NULL into column 'TicketID', table 'VSD_Support.dbo.Tickets'; column does not allow nulls. INSERT fails.

WE don't like being accused of things we didn't do. I don't think anyone does. My bad on the contact, we are fixing it. However, if you look further down the page, you would also see phone numbers. FYI.

Try the form again in a little while-we are fixing it. Anyway, all I can tell you is that we don't do that and we are checking with our mail server at rackspace to make sure that no one authenticated and sent anything through our servers. We are attending to this, thanks for your concern.

Link to comment

Additional information update:

I have checked with rackspace (our managed hosting company) and these are the findings:

WE have hardware firewall in front of our dedicated servers Cisco PIX 501. We are using the latest antivirus software and update our definitions regularly. Here is an article that may help you:

Latest virus info at Norton: http://sarc.com/avcenter/venc/data/w32.mytob.fw[at]mm.html

As I have stated before: Everdial nor Primus uses your information for anything else except to send you a confirmation email of your order or billing if you signed up for online billing. You will not receive any offers from other companies, spam etc. from us.

Everdialman

Link to comment

Everdial was never accused of sending spam. Trust me, that would garner a different reaction.

The Sneakemail email address, never used anywhere except for the Everdial signup for which it was generated, and thus handed to Primus (and their online billing manager if they don't run it themselves) for use of their service. Note this is a unique address composed of random letters and numbers, not a dictionary-able email address without a lot of other sneakemail addresses having the same problem. One day, after 3 years of using the service, and never sending anything via that address, it starts getting spam (no other sneakemail aliases getting anything). It now gets the most spam of any address I use. I hardly believe that to be a coincidence. I use webmail only, which precludes a 'virus scraping'.

Really, that leaves Primus and its affiliates (primarily including Everdial). The spam has been very regularly formatted, 95% of it looking like the same sender (Subjects mostly looking like

Subject: re[12]

and similar). The first one was a lovely phishing scheme.

Looks very much like someone grabbed emails from a database and is using or sold them to a particular spammer. Sorry if this is casting a poor light on your company/affiliates, but that's the way it goes.

Link to comment

> Subjects mostly looking like
>
> Subject: re[12]

I have a dim memory I read that those re[4] subjects /are/ the result of a worm getting spam addresses from infected computers. I started getting them after a bout with receiving emails containing sobig, I think.

Can anyone confirm that?

Miss Betsy

PS I would hardly think the computer where the email addresses are stored, in your case, would get infected. There might be some reason why your email address was on some other computer that got infected. Businesses don't like to delete emails that are caught by spam or virus filters because legitimate mail gets caught also. And in looking through tagged email, it is inevitable that the wrong email gets chosen as legitimate (or vice versa) occasionally.

Link to comment

> I use webmail only, which precludes a 'virus scraping'.

No, webmail does not preclude 'virus scraping' from your browser cache.
Link to comment

> ...except for the crap you make up in your head-why don't you check it out further... I represent Everdial...

You represent the company and you go around posting things like this? It could be time to hire a PR firm. Companies get complaints and questions all the time, going on the internet and publicly saying someone's thoughts are "crap" is a pretty terrible method of handling it.

Quite frankly I don't care if you yourself did or did not sell the e-mail address, spam him or anything else. Your post speaks volumes about Everdial (after all, you DO represent them).

Link to comment

> No, webmail does not preclude 'virus scraping' from your browser cache.

'Tis a good point.

No computer I use has been hit with sobig, that I'm pretty sure of. Home PC clean, running VS and Firewall, and on dialup which helps certain things. Work PC rather well managed, and any infection on that would have had the entire PC quarantined, grabbed, wiped, and rebuilt by IT. Since that hasn't happened, that PC seems an unlikely case.

Now, any other PC I've used that would have been on a possibly compromised computer where I would have accessed a page showing that address. (Either sneakemail or webmail when getting a notice from Primus, which get deleted immediately and wouldn't be sitting longer in the inbox...) hmmm... nothing obvious that comes to mind. The timing might be useful... when was the big Sobig burst making the rounds? Spams like that didn't start until about... 3(?) months ago.

Anyway... just going through the mental exercises now. Cat's out of the bag at this point. It's a great spamtrap address now, though.

Link to comment

> Quite frankly I don't care if you yourself did or did not sell the e-mail address, spam him or anything else. Your post speaks volumes about Everdial (after all, you DO represent them).

Such language makes me wonder if he really does represent them (perhaps he is another customer who was ignored?)

If he does, then my money is on an Everdial employee who got his computer infected.

Miss Betsy

Link to comment

> Such language makes me wonder if he really does represent them (perhaps he is another customer who was ignored?)
>
> If he does, then my money is on an Everdial employee who got his computer infected.
>
> Miss Betsy

I'll throw my hat in that arena too. Quick question, you mentioned the "re[]" subjects as the result of a worm getting spam addresses from infected computers. Do you mean that the worm itself was using that subject line, or that the spam you got after the sobig romp was using those subjects? If you meant the former, none of the ones I've been getting have had virus payloads attached, and no headers indicated any were stripped along the way.

Link to comment

brought over from the spamcop.help newsgroup ......

On the web forum thingy, there is a discussion on how a spammer could have come up with a sneakmail address.

I can not post there during the day, mainly because I can not remember my password and lynx is a bit cumbersome with using that forum.

The original poster, a Jank1887 is stating that they are using a web mailer. Depending on what browser that Jank1887 is using, they may be giving quite a bit of control of their local system over to whoever sends them e-mail or spam.

The Web mail site may be listed as "Trusted", which generally means that the content that it displays may be permitted to run scripts and even binaries linked to or contained in the e-mail. Some web mail providers require this lowered security level just to log into their service because they use a browser run script for the login process.

In addition, with the web mail services that I have seen, there is no way to disable the automatic opening of external links, which give the spam sender a great deal of information about the sender and their network.

And with some browsers, there is a known exploit where a website can use the internal FTP facility of the browser to locally run network scripts against other servers. DSBL.ORG has a web page that if you visit it with a vulnerable browser it will cause it to be listed on the DSBL.ORG, and it is trivial to craft an HTML e-mail that will automatically visit that web page. As the browser does not realize that it is running a script, disabling scripting on the browser is not a work-around. The Mozilla family of browsers is reported not to be vulnerable to this exploit. Some others have patches available.

On the other hand, there is a claim that the systems both on the sending side and the receiving side could not have had a virus or other malware harvest the e-mail address because they were up to date on the virus scanners.

That is not a defense. Any system that needs or user that depends on a virus scanner to keep it clean can never be assumed to be clean of infections, spyware or other malware. Virus scanners only target discovered viruses, and spyware scanners only target mass distributed spyware, and both are going to be at least 4 to 8 hours behind a new variant coming out. Neither type of scanner is going to be effective against malware that has not yet been detected in mass distribution. Some firewalls may block or detect some of the activity.

And if the system containing the harvested addresses can automatically access files from other systems through the LANMAN protocol that are vulnerable to viruses, then the virus or malware does not have to infect the system containing the harvested addresses for it to be able to read the hard drive and harvest the contents.

Just having the LANMAN protocol in common can be enough if a system makes any connection through the LANMAN protocol to a host running malware. That exploit is past its 10th birthday now, and the only defense is still to have a firewall blocking the LANMAN protocol between the two machines.

The only defense against a malware infection is to have the system locked down so that scripts and binaries can not be installed without the knowledge of the user, and that system must not be able to automatically initiate LANMAN connections to possibly infected systems.

-John

wb8tyw <at> qsl.network

Personal Opinion Only

Link to comment

> I'll throw my hat in that arena too. Quick question, you mentioned the "re[]" subjects as the result of a worm getting spam addresses from infected computers. Do you mean that the worm itself was using that subject line, or that the spam you got after the sobig romp was using those subjects? If you meant the former, none of the ones I've been getting have had virus payloads attached, and no headers indicated any were stripped along the way.

No, the way I remember it is that sobig got the addresses from computers it infected sending them to the creator (?) and thus a new 'spam' mailing list was created. The spams sent to the new mailing list often used the re[] subject.

Unfortunately, as my children say, that might be a 'mystery memory' that only I remember since no one else has confirmed that.

Miss Betsy

Link to comment

> brought over from the spamcop.help newsgroup ......

well, can't argue much with a lot of that. While not a complete defense, my only issue is that only that one particular sneakemail address has gotten scraped. As I use a large number of sneakemail addresses, I would find it hard to believe only that one got scraped off my machine/account when so many more would have been available. But then again, no one ever claimed spammers / virus writers were smart.

I use a mix of IE/Opera, depending on the mood and what sites I'm visiting. Webmail gets a fair share of both. But, no trusted sites listed. Running software firewall, but can't recite specific port settings off the top of my head. I believe sobig sends out through 8998, and don't recall ever getting an outbound attempt on that one. Think Symantec dates most sobig variants as being in the 2003 timeframe. Was running it back then. But it's been a while.

Again, the fact that one specific sneakmail out of a couple hundred, where others get used MUCH more often, seems odd. But, never say never.

Link to comment

> I believe sobig sends out through 8998, and don't recall ever getting an outbound attempt on that one.
>
> <snip>

If it were sobig, it would have gotten it on someone else's computer where your sneakemail address was, not from your computer. And that accounts for no other email addresses being compromised and points to Everdial computers (or whoever would have that address).

The web mail vulnerabilities do seem fairly remote when only one address was scraped.

I think John was just pointing out that it is possible.

Miss Betsy

Link to comment

right. and to be fair, sobig does broaden the possible suspects to a few more than everdial. (primus and their billing provider (billerweb?), for starters) Either way, since the spam is fitting the scraped by sobig form, (or at least the sobig spammers have it) the finding culpability becomes moot.

Link to comment
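The attribution reasoning used throughout this thread (one unique alias per vendor; unexpected mail to exactly one alias points at the parties holding that alias, while unexpected mail across many aliases points at something they have in common, such as the user's own machine) can be automated over a mailbox. The following is an added example, not code from any poster; the alias registry, domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Hypothetical registry: one unique alias per vendor, plus the sender domains
# that legitimately hold it (the vendor and any billing provider it uses).
ALIASES = {
    "x7q2k9@alias.example": ("long-distance", {"vendor-a.example", "biller-a.example"}),
    "p4m8z1@alias.example": ("bookshop", {"vendor-b.example"}),
    "t3r6w0@alias.example": ("forum", {"vendor-c.example"}),
}

def _mk(frm, to, date, subject):
    """Build a minimal RFC 5322 message (constructed sample input)."""
    return f"From: {frm}\nTo: {to}\nDate: {date}\nSubject: {subject}\n\nbody\n"

SAMPLE = [  # constructed messages, not real mail
    _mk("billing@mail.biller-a.example", "x7q2k9@alias.example",
        "Fri, 01 Apr 2005 09:00:00 +0000", "Your statement"),
    _mk("security@bank.example", "x7q2k9@alias.example",
        "Mon, 02 May 2005 10:00:00 +0000", "Account notice"),
    _mk("promo@pills.example", "x7q2k9@alias.example",
        "Mon, 09 May 2005 10:00:00 +0000", "re[12]"),
    _mk("news@vendor-b.example", "p4m8z1@alias.example",
        "Tue, 10 May 2005 08:00:00 +0000", "New titles"),
]

def _expected(sender_dom, allowed):
    # Accept the registered domain itself or any subdomain of it.
    return any(sender_dom == d or sender_dom.endswith("." + d) for d in allowed)

def scan(raw_messages):
    """Per alias: expected/unexpected sender counts and first unexpected date."""
    report = {a: {"vendor": v, "expected": 0, "unexpected": 0, "first_unexpected": None}
              for a, (v, _) in ALIASES.items()}
    for raw in raw_messages:
        msg = message_from_string(raw)
        # From is forgeable; here it only separates known holders from strangers.
        dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        when = parsedate_to_datetime(msg["Date"])
        rcpts = {addr.lower() for _, addr in
                 getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
        for alias in rcpts.intersection(ALIASES):
            entry = report[alias]
            if _expected(dom, ALIASES[alias][1]):
                entry["expected"] += 1
                continue
            entry["unexpected"] += 1
            if entry["first_unexpected"] is None or when < entry["first_unexpected"]:
                entry["first_unexpected"] = when
    return report

def verdict(report):
    """One leaked alias implicates its holders; several implicate a shared point."""
    leaked = sorted(a for a, e in report.items() if e["unexpected"])
    if not leaked:
        return ("clean", leaked)
    return ("holder-side" if len(leaked) == 1 else "common-point", leaked)
```

A "holder-side" verdict narrows the suspects only to everyone who held the alias (the vendor, its partners, and any machine of theirs that stored it), which is as far as the thread itself gets.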

Archived

This topic is now archived and is closed to further replies.
