Spam Replacing Postal Junk Mail? 251
TheOtherChimeraTwin writes "I've been getting spam from mainstream companies that I do business with, which is odd because I didn't give those companies my email address. It is doubly strange because the address they are using is a special-purpose one that I wouldn't give out to any business. Apparently knotice.com ('Direct Digital Marketing Solutions') and postalconnect.net aka emsnetwork.net (an Equifax Marketing Service Product with the ironic name 'Permission!') are somehow collecting email addresses and connecting them with postal addresses, allowing companies to send email instead of postal mail. Has anyone else encountered this slimy practice or know how they are harvesting email addresses?"
have your own domain-get universal forwarding (Score:5, Informative)
I have my own domain- EVERYONE except family gets a different email address
one gets caught by spammers- the address gets killed.
I understand gmail allows using a + in the address line to sort mail in a similar fashion
googleid+identifyingstring@gmail.com and you still get it-- only you know the source.
Email honeypot traps (Score:5, Informative)
Re:Do you shop online? (Score:5, Informative)
A given site can only read cookies which have been set by the same site (well, domain). There are various exploits to get around this called Cross Site Scripting (XSS) attacks which involve somehow putting JavaScript onto someone else's page (such as a Slashdot comment). This type of attack can be thwarted by properly escaping any dynamic content.
Allowing access to other sites' cookies is a problem because most sites which allow you to log in tell users apart by giving each of them a different cookie. By stealing someone else's cookie you might be recognised as them without having to log in.
Use temporary addresses (Score:2, Informative)
Yahoo lets you create temporary addresses that you can disable at the drop of a hat.
I use those for most of my business correspondence.
Your mail provider may offer something similar.
I am a database direct & email marketer (Score:4, Informative)
What's happening here is that there are companies that aggregate profile information, and they're able to link your email to your profile information. They then sell append services so the marketing company can add that email to your existing full name and address (FNA).
It is wrong for companies to append an email address and then market to it.
Companies do a lot with their (your?) customer data, including hygienization, appends, completion, profiling, etc. Most of this happens under the sheets, and most customers don't really want to know the details.
However, I advise clients to NEVER use an email append service for a variety of marketing and spam/technical reasons. Most clients will listen, some will choose not to. However, I'm seeing that more stupid companies will forge forward like it's nothing, and companies with dwindling budgets are too suckered in by the cost savings.
It's only going to get worse.
Re:have your own domain-get universal forwarding (Score:5, Informative)
Not so much that they discourage it, they just have badly coded email validators. The allowable characters in an email address are much broader than most systems' valid usernames, but the lazy just assume people will only have a username as their mailbox.
Re:have your own domain-get universal forwarding (Score:5, Informative)
> I understand gmail allows using a + in the address line to sort mail in a similar fashion
> googleid+identifyingstring@gmail.com and you still get it-- only you know the source.
Only until someone 'helpfully' sends you something from a postcard site, joke list, or lottery draw. Then you'll get spammed at the "root" address (sans "+") and almost never again at any "+" address.
Don't ask me how I know this.
Re:have your own domain-get universal forwarding (Score:3, Informative)
You may have a hard time telling where it came from (they could accept address+marker@gmail.com and then scrub the +marker, it isn't exactly a secret).
Re:have your own domain-get universal forwarding (Score:5, Informative)
So do I. I also have * addressing as a catch-all. When I have to provide an email address to register at a dubious site, I make one up that tells me something about where I used it; e.g., to sign up at example.com, it might be examplejunk@mydomain.com. That way, if I ever get anything sent to that email address and not clearly from example.com, I know exactly who sold my email address, and can add a filter deleting everything sent to that address. It hasn't happened, yet, but maybe I've just been lucky.
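The per-site alias scheme from this comment, together with the plus-tag scrubbing mentioned in the reply before it, as an added example that is not part of the original thread. The alias registry, the sender domains and all function names are constructed for illustration.

```python
# Constructed registry: alias local-part -> site it was handed to.
ISSUED = {
    "examplejunk": "example.com",
    "shopjunk": "shop.example.net",
}
MY_DOMAIN = "mydomain.com"

def strip_plus_tag(address):
    """What a list cleaner can do to a plus address: drop '+marker'."""
    local, _, domain = address.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def sender_matches(sender_domain, site):
    """True if the sender is the site itself or one of its subdomains."""
    sender_domain, site = sender_domain.lower(), site.lower()
    return sender_domain == site or sender_domain.endswith("." + site)

def classify(recipient, sender):
    """Return (verdict, site) for one delivery to the catch-all domain."""
    local, _, domain = recipient.lower().rpartition("@")
    if domain != MY_DOMAIN:
        return ("not-ours", None)
    site = ISSUED.get(local)
    if site is None:
        # Never handed out: a guessed address hitting the catch-all.
        return ("guessed", None)
    sender_domain = sender.rpartition("@")[2]
    if sender_matches(sender_domain, site):
        return ("expected", site)
    # Alias known only to `site`, now used by someone else.
    return ("leaked", site)

# Constructed (recipient, envelope sender) pairs.
DELIVERIES = [
    ("examplejunk@mydomain.com", "news@mail.example.com"),
    ("examplejunk@mydomain.com", "offers@bulk-sender.test"),
    ("john@mydomain.com", "promo@bulk-sender.test"),
]

if __name__ == "__main__":
    for rcpt, sender in DELIVERIES:
        print(rcpt, sender, classify(rcpt, sender))
    print(strip_plus_tag("address+marker@gmail.com"))
```

A sender address is easy to forge, so forgery can hide a leak behind an "expected" verdict but cannot create a false "leaked" one. An alias such as examplejunk has no separable marker, which is why it survives the scrubbing that defeats a plus tag.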
Re:have your own domain-get universal forwarding (Score:4, Informative)
No it doesn't. Using the plus sign in an email address is already specified in the RFC and has been for quite some time.
Re:E-mail is Preferable, it can be Filtered (Score:3, Informative)
Re:have your own domain-get universal forwarding (Score:5, Informative)
Which RFC, though?
821 (from 1982) does not allow it.
822 (also 1982) does.
2821 and 2822 (2001) also respectively don't and do.
Email Append (Score:3, Informative)
It's a service called an "email append", offered by the major credit reporting companies. The purchaser gives them a list of names and addresses, and the credit reporting company finds matches with email addresses. They send an opt-out mailing, and the email addresses of everyone who doesn't opt-out are returned to the purchaser.
Re:have your own domain-get universal forwarding (Score:3, Informative)
RFC 5233 [ietf.org] mentions it.
Re:have your own domain-get universal forwarding (Score:4, Informative)
> While using the + in this fashion is a great idea, it breaks the specification for email addresses in the RFC.
Wrong, wrong, wrong.
RFC5321 is the relevant RFC.
Wikipedia [wikipedia.org] summarizes the permitted characters in a somewhat more human-readable fashion. The "local-part" is the part of the email address to the left of the @:
>The local-part of the e-mail address may use any of these ASCII characters:
>
> * Uppercase and lowercase English letters (a-z, A-Z)
> * Digits 0 through 9
> * Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
> * Character . provided that it is not the first nor last character, nor may it appear two or more times consecutively.
A "+" does not break the RFC. It may break some buggy address validators. (Note that there are also other interesting possibilities for breaking non-compliant software, such as case-sensitive addresses.)
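The character rules quoted in this comment, written as a check and compared with a "username only" validator of the kind the thread complains about. This is an added example, not code from the thread; it covers only the unquoted local-part form in the quoted list, and the function names and the lazy pattern are hypothetical.

```python
import re

# Characters the quoted list allows in an unquoted local-part, besides the dot.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
# Runs of allowed characters joined by single dots: no leading dot,
# no trailing dot, no two dots in a row.
LOCAL_PART = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
# Hypothetical "username only" pattern, standing in for a buggy validator.
LAZY_LOCAL_PART = re.compile(r"[A-Za-z0-9._]+")

def split_address(address):
    """Split at the last '@'; return (local, domain) or None if malformed."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain

def is_valid_local_part(local):
    """Apply the quoted rules (quoted-string local-parts are out of scope)."""
    # RFC 5321 also caps the local-part at 64 octets.
    return len(local) <= 64 and LOCAL_PART.fullmatch(local) is not None

def lazy_accepts(local):
    return LAZY_LOCAL_PART.fullmatch(local) is not None

def compare(addresses):
    """Return {address: (rfc_ok, lazy_ok)} so the disagreements stand out."""
    result = {}
    for address in addresses:
        parts = split_address(address)
        local = parts[0] if parts else ""
        result[address] = (is_valid_local_part(local), lazy_accepts(local))
    return result

# Constructed sample addresses.
SAMPLES = [
    "googleid+identifyingstring@gmail.com",
    "o'brien@example.com",
    ".leading@example.com",
    "double..dot@example.com",
    "trailing.@example.com",
]

if __name__ == "__main__":
    for address, (rfc_ok, lazy_ok) in compare(SAMPLES).items():
        print(f"{address:40} rfc={rfc_ok!s:5} lazy={lazy_ok}")
```

The lazy pattern is wrong in both directions: it rejects the valid "+" and "'" addresses and accepts the three with misplaced dots.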
Re:have your own domain-get universal forwarding (Score:1, Informative)
And you can get around that by putting a period in your regular email address and marking where you used that particular placement of a period.
Re:Use temporary addresses (Score:3, Informative)
Re:Do you shop online? (Score:5, Informative)
Re:have your own domain-get universal forwarding (Score:2, Informative)
You can also use Spam Gourmet at http://www.spamgourmet.com/ [spamgourmet.com]. It has several features that go above and beyond what GMail has (to my knowledge).
First, it will forward the e-mails to any address, so you don't have to use GMail. Second, it lets you include an identifying string, like GMail. Finally, however, is the best feature: in the address you give you can specify the number of e-mails that you want forwarded to you before they start getting sent to /dev/null. You can also whitelist addresses if you choose. I've been using it for years, and it works very well.
identifyingstring.numtoforward.username@spamgourmet.com
Re:Do you shop online? (Score:3, Informative)
> How easy is it for some Javascript or something to poke around for e-mail addresses when you are at a site?
Decent browsers don't expose data not created by the site, aside from the standard browser ID, and even that can be turned off. And if you use a browser with the security profile of Swiss cheese, your email address is not your main problem.
> Also, my e-mail providers know my address - i.e. yahoo, google, aol, apple and comcast. Could they be selling that information? I wouldn't be surprised.
That's just about the only thing I trust Google not doing. If you want to know how they get it, try giving out different addresses to different sites and see which ones get what spam.
Re:E-Stamps, the only way to reduce spam (Score:5, Informative)
To understand why this won't work you have to understand how e-mail works. We start from when you hit 'send' in outlook.
Your message first goes to your ISP's or company's outgoing mail server. Let's ignore that for a moment.
That outgoing mail server looks at the recipient- user@domain.com. So it uses DNS (the thing that converts a name like www.google.com into an IP like 74.125.93.147) and asks what the MX (mail exchanger) servers are for domain.com. Domain.com has those listed in its DNS.
The outgoing mail server then connects to the domain.com MX server. It says "i have a message from person@company.com for user@domain.com". If the MX agrees to take it, your outgoing mail server transmits the message, and the MX sends a confirmation that it is accepted. They then disconnect.
If you're running your own mail server, or are using a company mail server, or a different email system, your ISP has nothing to do with this other than moving your packets around.
The point is that email is not a single system that can be changed like raising the fare on the subway. If you're the city and you want higher subway fares, you just reprogram a few thousand turnstiles (all of which you own) and you're done. Email/SMTP isn't like that, SMTP is an agreement, a protocol which millions of networks and servers have chosen to implement. Email is just another internet protocol, no different than AIM, skype, HTTP/www, FTP, etc. It's just one of the most widely used protocols.
There is no central authority to enforce anything like e-stamps. For this to be enforced, the domain.com MX would have to say 'please give me a tenth of a cent before I deliver your mail'. The only useful way to handle that would probably be with a 3rd-party clearinghouse for exchanging the 'stamps', so your mail server would say 'i give you stamp ID (long stamp id number)', the destination MX looks that up with the clearinghouse, approves it, then accepts the message for delivery.
For that to happen, both your SMTP server and the recipient's MX would have to be modified to deal with these payments, and optionally require them for mail delivery. There are many different mail server programs out there, this would require all of them to be updated to support payments, and then (here's the hard part) all the people who run them would have to install those updates. Then anybody who runs a mail server would have to do some financial setup to let them accept payments and send payments for email. I.e., every random geek and company and IT department and ISP that runs a mail server now has to jump through a financial hoop. If I run my own mail server, does that mean I get 2/3 of the payment (the recipient fee and the ISP fee)? Does my ISP get it even though I'm not using their servers? There will be great resistance to this.
The main issue is, it would *NOT* be transparent, not to anybody. This would be a large, time-consuming and very expensive implementation.
Now let's say best case scenario, let's say you get all the major isps and webmail providers on board (msn, aol, yahoo, google, comcast, timewarner, verizon, cablevision/optimum, charter, adelphia, etc).
Let's say they immediately set up their system to start dealing with these micropayments.
What happens to the (literally) millions of companies in the US and abroad who run their own mail servers, but whose systems are NOT updated? Can they no longer send mail to all of the above networks, or is there a break-in period? If the payments are optional, what incentive does anybody have to adopt them?
Also you say approved senders can send for free. Who is an approved sender? What is the qualification? If it's difficult and expensive, some of the large bulk-mailing companies will try it anyway, and the smaller legit companies are shut out. If it's easy to get one even for a small biz, then the spammers will get them too. If extensive investigation is performed on the applicants, that money has to come from somewhere, so it'll be expensive.
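The delivery steps described in this comment (MX lookup, then a two-party SMTP dialogue in which the receiving MX decides what it accepts), as an added offline example that is not part of the original post. The MX records, host names, mailbox list and simplified reply texts are constructed, and nothing touches the network.

```python
# Constructed DNS data: domain -> list of (preference, MX host).
MX_RECORDS = {"domain.com": [(20, "mx2.domain.com"), (10, "mx1.domain.com")]}
MAILBOXES = {"user@domain.com"}  # constructed: mailboxes the MX accepts

def pick_mx(domain):
    """Lowest preference value wins, as in a real MX lookup."""
    records = MX_RECORDS.get(domain)
    return min(records)[1] if records else None

class ToyMX:
    """Receiving side: answers each SMTP command with a reply line."""
    def __init__(self):
        self.sender = self.rcpt = None
        self.in_data = False

    def handle(self, line):
        if self.in_data:
            if line != ".":
                return None                      # body line, no reply
            self.in_data = False                 # a lone dot ends the message
            return f"250 queued {self.sender} -> {self.rcpt}"
        verb, _, arg = line.partition(":")
        if verb.startswith("EHLO"):
            return "250 Hello"
        if verb == "MAIL FROM":
            self.sender = arg.strip("<>")
            return "250 OK"
        if verb == "RCPT TO":                    # the MX alone decides
            self.rcpt = arg.strip("<>") if arg.strip("<>") in MAILBOXES else None
            return "250 OK" if self.rcpt else "550 No such user"
        if verb == "DATA" and self.rcpt:
            self.in_data = True
            return "354 Send message, end with a lone dot"
        return "221 Bye" if verb == "QUIT" else "503 Bad sequence"

def deliver(sender, rcpt, body):
    """Sending side: find the MX, run the dialogue, return (host, transcript)."""
    host = pick_mx(rcpt.rpartition("@")[2])
    if host is None:
        return None, []                          # no MX: nothing to connect to
    mx, log = ToyMX(), []
    lines = ["EHLO mail.company.com", f"MAIL FROM:<{sender}>",
             f"RCPT TO:<{rcpt}>", "DATA", *body.splitlines(), ".", "QUIT"]
    for line in lines:
        reply = mx.handle(line)
        log.append((line, reply))
        if reply and reply[0] in "45":           # 4xx/5xx reply: stop
            break
    return host, log
```

Calling `deliver("person@company.com", "user@domain.com", "Hello")` returns the chosen MX and the full command/reply transcript. A stamp check of the kind the comment discusses would be one more accept-or-reject condition inside `handle`, which is why every independently run MX and every sending server would need the change.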
Optimistic but Wrong (Score:3, Informative)
I'm assuming you didn't see the humor in Matt Perry's [slashdot.org] post [slashdot.org]. I hate to sound like such a pessimist, but your solution and response is naively optimistic. Let's examine why.
ISPs already have a lot on their plate insofar as legislation and (potential) filtration goes. Forcing them to operate as a collection agency simply won't work. I also doubt anyone would advocate or appreciate giving credit card companies (i.e. banks) even more control. They've already demonstrated a certain incompetency in recent years that has most certainly been making news!
If you have to ask this question, you don't understand the problem.
E-mail has been effectively "free" since the inception of the Internet (more on this in a moment). As it stands, spam is killing e-mail, and fees intended to kill spam will only succeed in killing both.
We should also consider those ISPs which charge their customers on a per megabyte basis. In effect, users of such services are already paying a tax on e-mails they send; it's just that e-mail is often times such a small chunk of data that it would hardly go noticed, unless of course you were about 2KiB from a threshold that would require paying a little extra and happened to send an e-mail that bumped you over. In either case, charging on a per e-mail basis simply won't be accepted by users. They'll feel they're already paying for e-mail as part of their service plan.
And let's not even mention the technical aspect of it being "mostly automatic." There is no such thing. If you forcibly turn off non-payment e-mail services, you kill e-mail as we know it. Without a great deal of unprecedented international cooperation (and good luck getting those governments who are probably influenced by people making money from nefarious deeds), this sort of thing simply will not happen. In fact, I predict two things will happen before any significant change is made to e-mail: IPv6 rollout or Duke Nukem Forever's debut.
No, the semi-humorous post in reply to yours is correct. It doesn't require the cooperation of a "few big [companies]" or a "[government] project." It requires cooperation from hundreds of individual businesses, ISPs, organizations, and governmental cooperation on an international scale. You can't just simply rewrite SMTP and say "here, everyone download this. This will fix the problem with spam." For one, you're assuming the new system would be impregnable to spammers and two that it is a wide-sweeping, multi-platform solution that can just be fitted in place.
Here's a hint: It won't happen.
Not if, say, several dozen European countries (rightfully) decline to participate. Then what do you do? Shut off e-mail to all of Europe?
Remember, just because someone doesn't find it fair to tax their people more doesn't mean they're a "'shady' foreign" operator. They could be mindful of the rights of their people to freely exchange information. (See my comments earlier on "free.")
Re:Do you shop online? (Score:2, Informative)
Re:E-mail is Preferable, it can be Filtered (Score:3, Informative)
> if they provide a pre-paid return envelope i have the satisfaction of putting everything they sent me in that envelope, along w/ a few rusty washers (to add weight), and maybe a sunday paper glossy ad or two (more weight, and thickness) and sending it back to them on their dime.
Don't bother. Business reply envelopes that are clearly not used for their intended purposes are discarded by the Post Office as waste [straightdope.com]. So now all you've done is annoy your local letter carrier and increase the burden on the postal service. And guess what happens to postage rates when you incur extra work for the postal service without any extra payment?
Fake email (Score:2, Informative)
My standard email address for sites I don't wish to give my real details to is bill@microsoft.com
I like to use nospam@foo.com or abuse@foo.com, where "foo.com" is the actual domain of the site I am entering my info to. (For example, Microsoft gets nospam@microsoft.com).
Re:E-mail is Preferable, it can be Filtered (Score:3, Informative)
Not according to what I've read, although I can't locate a cite at the moment. One of the reasons it costs less, BTW, is that much of the Post Office's work has to be done ahead of time, such as sorting out the mailing by zip code. However, just to pick a nit, if bulk mail cost .9944 the cost of first class postage, it would still "cost a fraction of what 1st class mail costs."
Re:have your own domain-get universal forwarding (Score:3, Informative)
I used to do this, but can now say that 'catchall' addresses suck.
Firstly, some spammers brute-force addresses, so you will receive spam sent to john@yourdomain, nancy@yourdomain etc.
Secondly, if you ever decide you want to kill your catchall, you'll find it impossible to find all the sites which have their own addresses.
I just use Gmail now.