Spam Replacing Postal Junk Mail? 251
TheOtherChimeraTwin writes "I've been getting spam from mainstream companies that I do business with, which is odd because I didn't give those companies my email address. It is doubly strange because the address they are using is a special-purpose one that I wouldn't give out to any business. Apparently knotice.com ('Direct Digital Marketing Solutions') and postalconnect.net aka emsnetwork.net (an Equifax Marketing Service Product with the ironic name 'Permission!') are somehow collecting email addresses and connecting them with postal addresses, allowing companies to send email instead of postal mail. Has anyone else encountered this slimy practice or know how they are harvesting email addresses?"
Do you shop online? (Score:5, Interesting)
I had enough (Score:3, Interesting)
I use 2 emails, one for spam and one for private mails.
Now both my emails are full of junk, but while google spam option are working my old yahoo email is beyond saving.
Just keep clicking on "this is spam". It's not worth your time to understand why it's happening, and even if you do understand, you will find out it's impossible to avoid.
Hell, I can't even check my old SMS because it's full of spam.
Re:have your own domain-get universal forwarding (Score:4, Interesting)
Re:have your own domain-get universal forwarding (Score:5, Interesting)
Popular Domain? (Score:2, Interesting)
My main email address is at a university's domain. I've used it for years and give it out on any half reputable site, but I get absolutely no spam on it. I know that my university uses blacklists and some heuristics to delete spam before they get to any inbox, but I've heard it only gets about a third of incoming spam.
So, does Gmail post any new email addresses in a sort of anonymous phone book, or was my user name easy to guess (I had used the same set of letters and numbers on very many sites before I got the Gmail account)? I don't know, but in my case, the popular domain seemed to bring spam.
This doesn't address the fact that it's main stream companies that you do business with that are spamming you. Have you used the user name of your special purpose anywhere else, or attached the email address with your personal identity in any way ever?
Re:have your own domain-get universal forwarding (Score:3, Interesting)
An interesting change (Score:3, Interesting)
If that switched en-masse to email, those contracts would expire, meaning snail mail prices would increase. The Royal Mail don't have any way to transfer delivery from paper to email, so they couldn't recoup those loses. Since email is free, nobody would make any money from these mass email contracts.
On the other hand it would cut down on a LOT of wasted paper, which 99.99999999999999% people take from door to bin, bypassing the eyeballs, some people do recycle but not enough.
While email is great for most communications, snail mail is sometimes required so it can't be allowed to die. I doubt it would die if they lost the junk mail contracts.
For me, the worst offenders are the magazines and newspapers you have to pinch at the spine and shake over a bin before opening, to release all the leaflets stuffed inside. Is it not enough that for every 5 pages of a publication, 3 pages worth are adverts? If that's the state of the magazine industry, maybe it deserves to die too. The internet has already steamrolled over many business models, what's another one to add to the list?
Perhaps a solution would be a commercial / personal email distinction at an ISP level with a legal backing. Personal email is always free, commercial email costs say 1p per email. Charities / schools etc would be exempt from charge too. Make it something you have to declare with your ISP and legally stand by. Spammers using botnets wouldn't be affected since they operate illegally anyway, but it'd regulate the "normal" "legal" marketing companies. Make it a legally enforceable requirement to ONLY email people who have opted in, and fine them for ALL breaches.
Re:I wish spam replaced postal junk mail (Score:5, Interesting)
There is a trash can right next to my mailbox, which enables me to deal with paper spam about as easily as the electronic kind.
I do keep the little response cards with "return postage guaranteed" stamps, though. Those are great for gluing to bricks or other heavy objects you want to dispose of. Drop them in a mail box, and they not only get wind up in a mailbox at the company that spammed you, but that company gets billed for the postage, by weight. The heavier the object, the better!
Re:Email Append - BINGO! (Score:5, Interesting)
Yes, I think you've hit the nail on the head. Experian eMail Append [experian.com] overlays deliverable email addresses onto your active customer file and contacts customers via email on your behalf to obtain permission to communicate with them online.
By "permission" they mean they send you email until you complain. If they happen to pick an email address that is normally not read by a person, they don't get any complaints. (Not that I opt-out of spam; I block it.)
Further on, they state Retain your customers by keeping your brand top-of-mind through consistent, relevant and interactive email communications. Yeah, good luck with that. I know four companies that have just lost my repeat business.
Thanks to all for an excellent discussion.
Re:GMail (Score:3, Interesting)
Re:I had enough (Score:0, Interesting)
I've said it before- Email Certification.
Want to run a Certified Email server? Go to your ISP (or other such companies that may arise to offer the service). They check you out (Are you who you say you are? Do you have valid contact information? Etc...), then have you produce a Public/Private key pair. You give them the 'Public' key, and keep the 'Private' one to configure your email server with. Your email server must add an additional header with your Certifier's Certification Server (usually their email server), and a header that is encrypted with your Private key.
An email client that is Certification-compatible will, when it receives an email, look to see if it has those two headers. If not, it will handle it according to the user's wishes. This means NON-Certified email might be deleted, or sent to a different folder, or whatever. Whitelists/blacklists are still possible.
If the email has the headers, the email client will connect to the Certification Server listed in the one header, and download the 'Public' key to attempt to decrypt the other header. If the decrypted header is valid, the client treats the email the way it is configured to, usually by placing it in the Inbox. Again, whitelists and blacklists can still be used.
Here's the most important part: If the user receives Spam that is Certified, they can easily report it to the Certifier (email clients would have a 'Report Certified Spam' button that automatically shoots an email off to the Certifier, for instance). The Certifier can then contact the owner of the Certified Server and notify them of the spam. This gives the server owner a chance to stop the spam, in case the server was hacked or the spam was accidental. If the Server owner does not stop the spam, the Certifier simply pulls the Certification, by removing the 'Public' key on their server. From that moment forward, ALL email the Email server in question sends will be NON-certified (and quite frankly, probably deleted by the recipients).
If the Certifier refuses to do anything about the Spamming Server (because they are 'in on it', friendly to spammers, or just incompetent), then ALL Certifications from that Certifier can be marked as 'bad', either on a client-by-client basis, or thru the use of a Certifier black-list.
-There is no 'Central Authority'- your ISP Certifies you for a modest fee.
-You can still send non-certified email, so hobby mailing lists and the like are not affected- the people who receive the mailing list might just need to whitelist it.
-Legit email will (eventually, almost always) be Certified, so Certified emails can be sent straight to the Inbox. Non-certified email will (eventually, almost always) be spam, so it can be trashed.
-Any spam that is sent from a Certified server will quickly be reported by pissed-off recipients, and quick action will be needed to avoid that Certifier (and ALL the servers it has certified) from being put on a blacklist.
-Spam will dwindle as Spammers either move to 'spam-friendly' Certifiers (which are blacklisted so the spam never gets thru anyway), or will spend huge amounts of money switching ISPs every 2-3 days to get re-certified over and over. Of course, ISPs could take a clue from the Las Vegas Casinos, and keep a 'black book' of known spammers, and check new clients against them before Certifying them.
-This system does not need to be adopted all at once. Certified and non-certified emails can be handled both by email clients that are Certification aware and not.
It may not be perfect, but it'd be a good start.
Re:Email honeypot traps (Score:1, Interesting)
I use a special domain name which maps all aliases (*) to my mail box.
This problem with this is that one day your domain will get carpet spammed - a spammer will create a list with every conceivable username@your.domain.
This list will get sold to other spammers and before you know it you're getting millions of emails an hour.
We see this time and again with customer domains, so much so that the load eventually kills the mail servers. Because of this we have now taken the ability to create catchall addresses off our domain admin tools.
I love freenode (Score:2, Interesting)
Every time someone asks a question on how to stop spam, there's always some smartass expert that say's, "This is the year 200X, you should be able to filter it." Yet the reality is not everyone can lock down their exim, sendmail, etc. It is complex, and spam is still a vector for hell of problems.
A sysad could have all the orbs, dnsbl, spamhouse, etc filters in their system, and still the spam will make it through.
There's a lot of reasons the "volunteer" experts in irc on #debian, #ubuntu, #suse advice is bunk.
A user who has an exploitable web form mail script.
Outdated server software on unmanaged server. (ex: Fedora Core Version 4 running)
cPanel exploits.
Rootkits.
Broken SMTP server.
No Iptables firewall. (Don't laugh I've seen servers like this, with no firewall at all!)
Financially impossible.
Multiple binaries. killall -9 exim exposing extra binaries running.
Unless your willing to sit down 24/7 and monitor your /var/log looking for patterns, and flushing the /var/cache/mail to see what came in, searching through all your users directories for exploits, the chances are these experts advice will not work. Many hosting companies, individuals, have no idea how to deal with email servers, in fact they should just shut the port off and remove the server. Having hundreds of spam connections to your email server every second, doesn't make grepping the logs any easier. CIDR blocking networks of the top 100 spam connections, can ease it some. Blocking entire countries can help also.
I have watched spam destroy a hosting company financially. From trying to get off blacklists to forced outsourcing.
Frankly, the free advice and elitist attitudes for help isn't working.
At the same time, people should be able to send anonymous mail --IMO
And furthermore, the same volunteer experts are helpful with nearly everything else linux.
Anyway what works for you in your setup may not work for others.
CAN-SPAM has not worked. (if you ask me it's a place for a spammer to build a list)
In my final opinion here, I am not going to leave you without a potential solution.
My solution is, put your fucking unmanaged server behind a firewall. For example ipcop.
Somebody from germany hitting your FTP server every morning at cron time? iptables their ass and never see a packet again.
This goes contrary to the popular APF, BFD scripts. You could get a user complain they can't get mail from some server in china or .br but ...... You can always OPEN that back up for them, as opposed to the hundreds of hits every second, taking your entire server (with low ram) into PEGGED HIGH CPU, with the fucking exim/processing/var/mail snafu.
truth be told, I have not personally ever found a way to stop spam from a server, except by CIDR'ing their entire network's ass up until they behave. Not a fucking packet from them after that. Yeah hundreds of thousands of other piddly ass fucking servers IP from countries on the entire planet still come in. Get rid of the TOP ones though...
The other thing is, even if you do catch, or ping some fucking server in the USA, you can't stop them. Or get paid. I was told I could get paid for each spammer I caught. Problem is there's no way to legally stop them and prove you caught them. (That's a LAW problem) Or I would be doing this every day, as my primary source of income!!!
On one server, I blocked, .Cn, .Ru, .BR, .FR Some germans..um, the bogans, and using log statistics to sort the top spam sources . I managed to get the CUSTOMERS HAPPY, and the CPU from 99% to 2% idle. Not one complaint about an email not reaching the Falun Gong.
A user who fucks up and hits an email list accidentally is not spam. (though assholes out there try to make it like it is, with solicitors and lawyers) But at the same time ANONYMOUS should pass though, and at the same time the real spammers need LIFE in prison.