What should be my next step?

[Cornloaf]

A few years ago I was so overwhelmed with spam coming to my primary email address (name[at]domain.com) that I created a new address (first.last[at]domain.com) only to have that compromised after just 1 month.

At this point I decided to give each vendor, contact, etc its own alias on my mail server. Soon I was cranking out email addresses such as: name.united[at]domain.com, name.bofa[at]domain.com, name.spamcop[at]domain.com, etc.

This was successul for over 3 years. Not one piece of spam came to my mailbox. About 9 months ago all of that changed. I received a piece of email for penis enlargement and another for a phishing scam. Both of them came to name.united[at]domain.com. This is the email address that was given to United Airlines. I immediately contacted United and told them that somehow my UNIQUE email address that was given to only them was now receiving spam. They told me to go to my profile and opt-out from getting 3rd party offers. I explained to them that I already had done that and this was bonafide spam. It had nothing to do with travel, vacations, United Airlines, etc. They told me that they would escalate my issue to an administrator and then they stopped answering my emails. I had forwarded them samples of the spam with headers and sent them a reminder every week for about 2 months.

It is fairly obvious that someone either hacked their mailing list or an employee sold some names (like that AOL case a couple years ago). My first name is not common, nor is my domain so I don't think a spammer would have guessed that address. If that was the case, they would have spammed name.postmaster[at]domain.com or name.webmaster[at]domain.com first.

So how do I approach this issue with United Airlines? Do I have any recourse for them either releasing my information accidentally, through an employee for their financial gains, or some other means?

(Thank you Miss Betsy... I have edited my post in accordance with Hormel's page)

[Miss Betsy]

Unfortunately since your [name] was spammed at one time, your [name] is out there on the spammers' lists. What spammers are doing now are combining different names with different domains. It is possible that someone else has used [a name].united as a user name and the spammers are now combining all the names they have with .united and with all the domains they have also. Perhaps someone who is more conversant with creating user names for domains will comment on the odds of that happening vs United getting hacked.

You might do better to phone or write United with your concerns if they are ignoring emails. I doubt that there is any recourse against United if an employee stole addresses or they were hacked. I bet it says that in some part of their privacy statement.

I have copied another regular poster's advice about the proper use of spam meaning unsolicited email. "spam" is a trademark of Hormel Corporation, so please do not use it here to refer to unsolicited e-mail (spam). Please see spam and the Internet, especially the third paragraph.

Miss Betsy

[Farelf]

...It is fairly obvious that someone either hacked their mailing list or an employee sold some names (like that AOL case a couple years ago). My first name is not common, nor is my domain so I don't think a spammer would have guessed that address. If that was the case, they would have spammed name.postmaster[at]domain.com or name.webmaster[at]domain.com first....

That is a reasonable assumption but we are not in a position to second-guess how these slime operate - clearly they are not "reasonable". I recall that the author of some fairly advanced worm (pleaded guilty just recently, case has been going on for years) was reported to be a Kiwi (NZ) kid with Asperger's syndrome. Well, there's all sorts of levels and degrees of that affliction but it seems to me something of an encapsulisation of the whole malware/botnet/spam situation - even at the the topmost, most disciplined and potentially-able-to-earn-an-honest-buck stratum, they ain't neccessarily like "us". Goodness knows what sort of pond-scum populate the bottom/user level. They are not as we are.

(And I agree with Miss Betsy on possible attack vector)

[Devilwolf]

If one owns one's own domain, and spammers are sending emails to various guesses at the domain there would be a a flood of spam to the catch all account (for example at my domain, if you send an email to anything at my domain it would end up at postmaster).

I think its much more likely, especially in these conditions, that email lists are being stolen. People are being laid off, jobs are outsourced to sleazy call centers in New Delhi, so its more likely that more companies just are not doing due diligence on who has access to these lists. Especially with smaller venders where it would be quite easy for an employee or contractor to steal and sell a list. Most companies don't have the resources to pursue a case, nor do they want to admit the theft because of the liability.

[Merlyn]

If one owns one's own domain, and spammers are sending emails to various guesses at the domain there would be a a flood of spam to the catch all account (for example at my domain, if you send an email to anything at my domain it would end up at postmaster).

I believe most people that run their own servers or have access to such properties have turned off their catch-all's

I turned off all catch-all's years ago.

What are they good for besides collecting junk?

[DavidT]

I believe most people that run their own servers or have access to such properties have turned off their catch-all's

Yes, indeed....they are a thing of the past. I turned mine off years ago.

DT

[Farelf]

I believe most people that run their own servers or have access to such properties have turned off their catch-all's

I turned off all catch-all's years ago.

What are they good for besides collecting junk?

Yes, I think individuals with the facility and the knowledge would do that. It is not so clear-cut at the corporate level however and it may not pay to make facile 'global' judgements. Hotmail rejects bad addresses, Yahoo accepts them. I don't know why there is a difference. Many (general) businesses still accept non-addresses. They may not wish to miss any possible business opportunity due to a mis-spelling and they may have the filtering options to make it workable. And they may like it that dictionary scouting (through SMTP probing) will return an indefinite result, the equivalent of a Hexillion validator "2" - hastening to add that even a "3" is far from proof positive. But it would be a hopeful start.

Anyway, I don't think this contradicts you (or David), just pointing out that the greater volume of legitimate mail (the corporate stuff) may allow for different priorities to those influencing the individual, and it will be differently resourced accordingly.

[Spamnophobic]

Cornloaf, I would suggest that you change your registered e-mail address with United etc. to something like "united2" etc. and at the same time ask them to keep an extra good eye on what they do with your new address. Once the "united" address receives only spam, i.e. United have switched to "united2", point all further mails to "united" into the spam bucket.

I use a system similar to what you describe, and that is what I do as a next step. Sorry for the late reply.