
Researchers' Typosquatting Stole 20 GB of E-Mail 204

Posted by Soulskill
from the of-tips-and-icebergs dept.
NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

  • by 140Mandak262Jamuna (970587) on Friday September 09, 2011 @01:01PM (#37353184) Journal
    Every damn email they suctioned up has a stern boilerplate warning: "This email is intended for XYZ only. If you are not XYZ and you got this email, and if you don't delete it and forget what you have read immediately we are going to pretend we could come after you like gangbusters". Let us see if that stupid boilerplate text has any legal standing.

    Anyway, of the 20 Gig they collected, I am sure 19.9 Gig was this boilerplate text.

    • Re:Good test. (Score:4, Informative)

      by bmo (77928) on Friday September 09, 2011 @01:09PM (#37353308)

      >Let us see if that stupid boilerplate text has any legal standing

      It doesn't. It didn't work for real mail so why should it work for email?

      You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

      --
      BMO

      • Re: (Score:3, Informative)

        by duguk (589689)

        >Let us see if that stupid boilerplate text has any legal standing

        It doesn't. It didn't work for real mail so why should it work for email?

        You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

        -- BMO

        Not true, at least in the UK:

        Interfering with mail - Postal Services Act 2000 Section 84
        Triable Summarily (Magistrates court)
        6 Months and or a fine (Max)

        A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally opens a mail bag.

        A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

        If you work for the postal service you could commit other offences under Section 83, triable either way (Magistrates or Crown court), and get a sentence of 2 years and/or a fine.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

          • by duguk (589689)

            "Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.

            Either way, as confirmed in the Regulation of Investigatory Powers Act 2000 [opsi.gov.uk]:

            It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.

            An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.

            It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.

            • that is addressed to someone else.

              It was addressed to me; I own the address that received it, it is mine. According to the laws you've quoted, anyway, which strictly forbid opening mail addressed to other people. Only I may legally open it; it is mine.

              I get a dozen emails a month on my gmail account that are intended for a person with a name very similar to mine.

              These emails are all addressed to me, although that's not who they should have been sent to. The person sending intentionally sent it to me - th

              • by Darinbob (1142669)

                But it doesn't have your name on it, so you can't open it under the laws of many countries. You need more than just the address for it to be yours; it must have address and name or say "occupant" or the like. There is also a test that courts would apply about whether it was reasonable for you to assume that it was intended for you or not. It's one thing to make an honest mistake, but if you are reading the previous tenant's post then you are on shaky legal ground depending upon where you live.

            • by 0racle (667029)
              Example:

              Me: bob@aple.com
              Not Me: bob@apple.com

              Amy means to send to bob@apple.com but can't be bothered to be careful and sends to bob@aple.com.

              Can I read it?
              Of course. It is addressed to me so "offence to open, destroy, hide or delay any post that is addressed to someone else" doesn't apply. It was addressed to me and therefore delivered to me so "someone knows or reasonably suspects the post has been incorrectly delivered" so this too doesn't apply. Also, I did not delay delivery since it was addressed t
              • by duguk (589689)

                I should reasonably suspect her messages are not for me. I do get mail from people I don't know; it is rare but it does happen. I do not have any reason to assume any e-mail was not intended for me until I have opened the message and seen its contents.

                In the case of the post (not that I believe it should apply, just that's what we're talking here); if the letter was addressed to your name and the address was incorrect, it would be a simple case of mistaken identity, and although probably illegal somehow - I'm sure it wouldn't be enforced.

                If you'd set up aple.com for the deliberate purpose of fraud, (like those in the article have) then you can "reasonably suspect the post has been incorrectly delivered".

                • You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.

                  • by duguk (589689)

                    You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.

                    If we're going to take the Post metaphor so seriously; presumably if it's in your inbox - but clearly not for you; then you cannot open it since 'Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.'

                    However, of course, if you aren't sure if it is for you; then that would likely be a 'reasonable excuse' to open it under the law.
                    Presumably once you have opened it and realised it is not for you, you would follow the boilerplate and delete the message.

                    Seri

                    • There you go again. If it has my address then it's not incorrectly delivered. What is it about that you don't get?

                    • by Miseph (979059)

                      It was delivered to a person other than the recipient. That means it was incorrectly delivered. Whether it was incorrectly delivered because the person who addressed it made a mistake or because the person who delivered it made a mistake is immaterial to the fact that it was not delivered to the right person.

                      Furthermore, the rules in question belong to a legal system which is explicitly designed to handle such questions and come to meaningful answers based on the details of precisely what happened. You may

        • by jeffmeden (135043)

          It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just re

          • by duguk (589689)

            It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".

            While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

            If this was applied to mail, not only would it be that they 'know or suspect to have been delivered incorrectly', they are certainly acting with intent. It would be hard to claim they didn't "know or suspect" these mails were not meant for them!

            Sure, the boilerplate is meaningless; but to take the postal analogy further - this would be like me deliberately openi

            • by nabsltd (1313397)

              While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.

              I do not think that word [reference.com] means what you think it means.

              By definition, if something is addressed to you and you get it, then you are the "recipient". It does not matter what the thing is that you received, or why you received it. And, even the UK law you quote agrees with this definition, and gives only examples of when the mail is "addressed to someone else". The law in the US is similar. For example, the Post Office even made ads about how receiving something by mail that you did not request doesn't make you obligated to pay for it, because scammers were sending unrequested items via the mail and enclosing bills, then suing for non-payment.

          • by shentino (1139071)

            Or giving Satan an EULA when he comes to collect your soul.

        • A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

          But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

          • by duguk (589689)

            A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.

            But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.

            As others have pointed out, delivered!=addressed.

            i.e. just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

            • If it has my address on it, how am I even supposed to know it's not for me before I open it?

              • by duguk (589689)

                If it has my address on it, how am I even supposed to know it's not for me before I open it?

                Do you not have a name, Chris Mattern? =)

              • by Darinbob (1142669)

                The name is a part of the address! If the letter says "Bob Smith" and you are not "Bob Smith" then it is NOT addressed to you even if the street address matches yours.

            • by nedlohs (1335013)

              If they addressed it to me i'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?

              This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".

              Sure the sender screwed up an actually meant to se

              • by duguk (589689)

                If they addressed it to me i'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?

                This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".

                Sure the sender screwed up and actually meant to send it to Bill, but are you seriously saying Bob is going to be breaking the law by opening it?

                And that could happen with physical mail - it's not such a stretch to put a letter in the wrong envelope. I'm sure someone somewhere has sent Tim's wedding invitation to Jane because they screwed up when putting 200 personalised invites into 200 addressed envelopes. Or a letter printer and envelope printer got out of sync in some automated setup.

                You've made a few errors there. This is "12 Staton St" getting mail addressed to "Bob Smith at 12 Station St". It would be unfortunate in the postal system if a duplicate name lived at the mistaken address. If there is a "Bob Smith" at the real address, it's unlikely, but surely it would be a "Reasonable Excuse" - as defined in the law you replied to.

                However, in this case, the fake "Bob Smith" has set up a house called "12 Staton St" and hoping people get the wrong address; and he isn't really even cal

                • by nedlohs (1335013)

                  I was only responding to this part:

                  just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)

                  Which has nothing to do with email and domain squatting and so on.

                  If my name is Bill Smith and I live at 12 Station St and your bank decides to send your bank statement to me addressed as:

                  Bill Smith
                  12 Station St.

                  Then surely it cannot be against the law for me to open the letter? How do I know it isn't for me before I open it?

      • by shentino (1139071)

        You don't need it for real mail because tampering with an envelope addressed to someone else is a federal offense.

      • Re:Good test. (Score:4, Interesting)

        by gstoddart (321705) on Friday September 09, 2011 @02:37PM (#37354702) Homepage

        It doesn't. It didn't work for real mail so why should it work for email?

        You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.

        Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.

        Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.

        At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.

        I don't think you can make the claim that you just happened to be receiving these emails.

    • Re:Good test. (Score:4, Informative)

      by tomhudson (43916) on Friday September 09, 2011 @01:10PM (#37353322) Journal

      The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.

      Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").

      • by JSBiff (87824)

        With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).

        If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them. I suppose the courts could look at a mis-sent item as never actually having ownership transferre

        • by nedlohs (1335013)

          With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).

          I can suspect that all you want. You'd still be wrong.

          https://postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/othertypes/UnsolicitedFraud.aspx [uspis.gov]

          If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them.

          You have an agreement with netflix before they sent them that you would return them. If netflix sent you some DVDs to someone who hadn't requested them out of the blue, then that person now owns those DVDs.

        • by Lucidus (681639)

          U.S. postal regulations explicitly state that if you receive unsolicited goods in the mail, they are yours to do with as you wish - you have no obligation to the sender. The liability is always with the sender. This is to discourage certain obvious scams.

          If something is delivered to you which is clearly intended for someone else (i.e., right address, wrong name), things might get more complicated. I don't know the legalities in that case.

        • by tomhudson (43916)
          No, they can't. A publisher sent me an unsolicited book, based on a mailing list that suggested I would be a likely sucker. I kept the book, tossed out the invoice. Legally, the book is mine, and I have no legal obligation to either pay for it or return it.

          Your netflix example is silly - you have an agreement to lease the DVDs with them.

          Sending it to a mistaken address is a different story as well.

          But sending unsolicited material to the RIGHT recipient transfers ownership, plain and simple.

    • by Hooya (518216)

      I always thought that was bullshit. How do i *Know* if the email was intended for me? because it's got my email address, that's how.

      Now, how can someone demand that i "promptly delete" the email? i have server logs, backups, and a whole array of things (required - as i understand it - as part of SOX) that would have to be scrubbed. Who's paying? The sender wants me to foot the bill to do all that when i had NO say in whether or not I got the email? How about if I sent the sender an email everyday - unintent

      • by CBravo (35450)
        I hear a new scam born... And you invented it. That means you are responsible for all damage that results, right?

        At least morally ;-)
    • At least 1.3GB must have been the pretty little green text (sometimes with a graphic of a tree) to "think of the environment before printing this email...

    • by onepoint (301486)

      100 megs of usable data is what we are talking about.
      what that might cover is legal issues, user names and passwords and the like ...

      so the ability to profit is present, and just like spam, you only need a few to make it worth while

    • We had some "security" training here at work about just that topic a couple of months ago. Basically what I gathered is that it is similar to the BS in EULAs that they put in there just in case case law or an actual law is written that makes it enforceable. But in general those notices carry no weight.
    • by blair1q (305137)

      19.9 Gig was pr0n, lolcats, and "Undeliverable Message" replies.

  • NO TYPING! (Score:2, Funny)

    by ColdWetDog (752185)

    The attacker relies on the fact that users will always mistype a certain percentage of e-mails they send.

    Who is doing this? Who types email addresses and doesn't use a contacts list or similar?

    I suppose this is Windows' fault but typing is so 20th Century....

    • by phallstrom (69697)

      You have to type it in the first time -- unless they sent you an email. So.... type it in wrong. Send off an email. Oops. Now it's in your mail app's magical "previous recipients" list. Update your official contact list. Send them another email. But your mail app decides to use the previous recipient entry since it's "more recent" (or whatever) than your official contact entry. Unless you click on the person's name to verify the updated address you'll never know and another misdirected email is se

    • Totally 20th century. Personally, I only use eye movements and slight neck twitches for e-mail inputs. In fact, this post is composed solely of copied and pasted letters and characters.
    • by Darinbob (1142669)

      You don't type? How did you compose your post?

    • I administrate several email domains.

      The people who turn off autocomplete and type all their email addresses by hand do not make these mistakes, because they have significant amounts of practice typing them correctly.

      The people who use email clients that remember and autocomplete addresses don't ever integrate the RFC822 parse logic into their brains or fingers, so they always type .com for .net and .org addresses, and they always type smith when they mean smythe, and then forever after their mis-populated

  • One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does). Another more technical response to this is for people to use public key encryption when they are sending sensitive stuff. There's still some danger that they will at some point look up the public key but
    • The whole point of a public key is that it's public. The bank doesn't need to give you the key on a USB stick - they can just put it on their website. If someone actually tries to impersonate a bank website, then you can let loose the lawyers of war.
    • by jeffmeden (135043)

      One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does).

      Don't forget the very real problem of someone's self-configured email client putting the wrong return address on everything. Although they "should" catch it quite quickly as they see a distinct lack of responses to any emails they sent out, it might not be enough for some people. More strict send rules for all values in the email header could probably eliminate 99% of this traffic from ever happening. Just set the server up to read the recipient, check for similar domains, and weight the domains by "legi
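
The server-side check jeffmeden sketches above, as an added example rather than code from the article or from any commenter: the outgoing mail server compares each recipient's domain against the domains the organisation actually corresponds with and holds anything bound for a near-miss (a dropped or doubled letter, a transposition) so the sender has to confirm it. The allow-list, the distance threshold and the recipient addresses are constructed for the example.

```python
"""Hold outbound mail whose recipient domain is a near-miss of a domain
we actually correspond with.

Added example, not code from the article or any commenter. It implements
the thread's suggestion of having the outgoing mail server compare each
recipient's domain against a list of legitimate domains and hold anything
bound for a look-alike. The domain list, threshold and sample recipients
below are constructed for the example.
"""

# Assumed allow-list of domains we knowingly exchange mail with; a real
# deployment would build this from the address book or CRM.
KNOWN_DOMAINS = {"apple.com", "kelloggs.com", "example.com"}

# A recipient domain this close to a known one is treated as a probable
# typo rather than a genuinely new correspondent (assumed threshold).
MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1, so
    'aple.com' vs 'apple.com' is 1 and 'appel.com' vs 'apple.com' is 1."""
    prev2 = None                        # row i-2 (needed for transpositions)
    prev = list(range(len(b) + 1))      # row i-1, starting with row 0
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev[j - 1] + cost)   # substitute ca -> cb
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transpose
        prev2, prev = prev, cur
    return prev[len(b)]


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; raises on a bare local-part."""
    if "@" not in address:
        raise ValueError(f"not an address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower()


def classify(address: str, known=KNOWN_DOMAINS, max_distance=MAX_DISTANCE):
    """Return ('known', domain), ('lookalike', closest_known_domain) or
    ('unknown', None) for one recipient address."""
    domain = domain_of(address)
    if domain in known:
        return ("known", domain)
    # sorted() makes the tie-break deterministic when two known domains
    # are equally close.
    closest = min(sorted(known), key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)   # new correspondent: let it through


def screen_outbound(recipients):
    """Return (address, domain_probably_meant) pairs that should be held
    for the sender to confirm before the message leaves the server."""
    held = []
    for rcpt in recipients:
        verdict, closest = classify(rcpt)
        if verdict == "lookalike":
            held.append((rcpt, closest))
    return held


if __name__ == "__main__":
    # Constructed recipient list: one correct, one typo, one unrelated
    # domain that must not be flagged.
    sample = ["bob@apple.com", "bob@aple.com", "amy@gmail.com"]
    for addr, meant in screen_outbound(sample):
        print(f"HOLD {addr}: did you mean @{meant}?")
```

The "unknown" verdict is deliberately allowed through: a rule that blocked every domain not on the list would stop people writing to new contacts, which is why the thread's idea is to weight domains rather than hard-block them. The threshold of 2 catches the "aple.com" and "Kelllogggs" cases discussed above while leaving unrelated domains alone.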

      • by JoshuaZ (1134087)
        That's a really good idea. And it shouldn't be that hard to implement. You could possibly have the software update for new companies. I like your idea a lot.
      • by XanC (644172)

        Don't be so sure... One of our customers has her reply-to address set to an address pointing to a mailbox she never checks. She tells you her email address is X, and she does get mail addressed to X. But her emails come "from" (and "reply-to") Y. Y happily accepts mail, so there's no bounce or anything, it's just that it's a totally unused box at a no-longer-used domain.

        She doesn't seem to think this is a problem...

    • One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important.

      Another obvious lesson is that once you've sent mail to wrong address, autocomplete will helpfully fill in that wrong address next time.

    • by jackbird (721605)

      AOL's webmail autocompletes EVERYTHING YOU'VE EVER TYPED that matches, including truncated and nonresolving email addresses. You have to manually dig into options and delete the duplicate/false 'contacts.'

  • I get the same situation. I've got a ".ca" with my last name, and a Canadian lawyer with the same last name has the ".com". I get a bunch of their email on my "catch-all", which is awkward, given the confidential nature of things you may discuss via email with your lawyer.

    • by Abstrackt (609015)

      To date, I've only met one lawyer who encrypted legal communications. You'd think it would be more commonplace than it is for exactly the reason you described.

      • by psydeshow (154300)

        Anyone who can come up with a way to sign and encrypt email that makes sense to lawyers (my lawyer still uses AOL!) will make a helluva lot of money.

        They should have been doing it ten years ago. It should be illegal to send attorney-client privileged emails in plaintext. But guess who makes the laws?

        • by WorBlux (1751716)
          You can use IMAP to pull mail in from Yahoo to his computer, and use any sane mail client which will encrypt outgoing mail (PGP extensions). Instruct clients to do the same or use Hushmail (which does PGP automatically).
    • by Culture20 (968837)
      If you *think* you're conversing with your lawyer, but it's really someone else, is it still privileged info?
      • by WorBlux (1751716)
        Yes, if it's addressed to the lawyer, but that's not to say how it might be used out of court.
    Have you ever tried contacting the lawyer suggesting that he use encryption? As you are in Canada and the lawyer is in the US you wouldn't be subject to the US laws. I have actually had a similar problem, but where people try to send me things and they go to a different person in the company. Apparently there is another person with the same first and last name as mine in the company but they are over in England. If I ever get a chance to go over to England I may have to look him up. Every once in a great whil
      • by drosboro (1046516)

        Actually, both I and the lawyer are in Canada (ironically, their offices are about a 10 minute drive from my house). And I have contacted them - spoken to one of their lawyers in person, actually, when my realtor used them to execute my paperwork when I bought my house... but, as other commenters have pointed out, they aren't too quick on the uptake with things like PGP...

  • From TFA:

    Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.

    I guess a domain registration police department will become common in large firms now.

    • I guess a domain registration police department will become common in large firms now.

      That's been a good idea since companies first started building a web presence. It's part of your brand and you want to make sure it's not tarnished. It should be one of the responsibilities of a corporate IT security department alongside encrypting laptops and intrusion detection.

      Probably cheaper to outsource at least the detection part to a company who specializes in exactly that thing. I'd be surprised to hear no company provides such a service by now; especially registrars who deal with domain names 24x7 a

      • by blair1q (305137)

        two things about it, though:

        1. getting all of the typo-domains near your trademark can be expensive or impossible

        2. if any are legitimate, you're just going to have to negotiate with them for what to do with missent emails

        • by Jeng (926980)

          At my work we have people sending stuff to a similar domain on a regular basis. We have info@*****inc.com while his is info@*****.com , the owner of the domain is nice enough to forward on the emails at least.

  • That has a similarity in name to one of the US Navy's aircraft carriers. I used to get a fair amount of email for people on that ship. Nothing classified (I would've been really disappointed and shocked, but probably not surprised), but there was one sailor in particular who must've had quite a taste for porn because that address got so much porn spam it was amazing.

    • by chinton (151403)
      You're right, there is only one sailor with a taste for porn... ;-)
      • by blair1q (305137)

        The number with a taste for it is enormous. The number who don't know they can be disciplined for using the ship's internet connection to obtain it is closer to 1.

        In other news, Navy ships have internet connections. Not gob-smacking, but pretty cool.

    • You would have been shocked but not surprised?
  • Stolen email? (Score:5, Insightful)

    by bmo (77928) on Friday September 09, 2011 @01:13PM (#37353352)

    No mail was stolen. It was delivered exactly where it was addressed.

    It's the fault of the monkey behind the keyboard and nobody else.

    --
    BMO

    • by Darinbob (1142669)

      But the recipient was fraudulently pretending to be someone else. This is not a case of accidentally having a similar email address, instead the domains were created specifically to intercept misaddressed email. The con man should be considered guilty and not blame it solely on a naive victim.

  • My domain is a letter off from a big company's, and I used to get what looked like pretty sensitive email all the time. After a few attempts to tell employees to stop doing it, I just turned off the catch-all.

    • by Animats (122034)

      Me too. I have a .com domain which is the same as a school domain in .co.uk. I used to get a fair amount of their mail, until I turned off the catch-all address.

      (That was years ago. Today, if you have a catch-all address, you get to see the same spams come in for a long list of common names.)

  • must check if Slashdot.xxx is still available.

    Hmm, on second thought, no one would ever go there.
  • "The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."

    I wondered how they could pay for their research in this era of vastly reduced funding - it's self funding!

    • by Riceballsan (816702) on Friday September 09, 2011 @01:29PM (#37353580)
      Better question: why are high-end companies sending top secret confidential data over normal unencrypted e-mail? Even your bottom-of-the-line MMORPG sends a note to its users saying a GM will never ask for or send your password via e-mail, but our Fortune 500 companies can't match that level of security? Typical e-mail passes unencrypted past so many hands it isn't funny. The typical e-mail from home to work passes unencrypted across a wifi network that may or may not be compromised, if anyone even bothered to secure it; to your ISP, where low-wage monkeys may or may not have access; across the cloud, where it will pass through an unknown number of nodes; to the entry mail servers at said company, which may or may not be managed by medium-wage contractors who know they only have the job for a few months at best anyway; and finally to the person it is intended for. Yeah, I see no reason to think twice before sending my SSN, CC# and confidential data through an e-mail.
      • by blair1q (305137)

        It didn't say "top secret". It just said sensitive security info. What's significant gold to a h4xx0r may be gibberish to some, or mundane to those who requested it.

    • by blair1q (305137)

      They reported in their findings the emails sent to people who didn't pay.

      Note the absence of any mention of pr0n or affairs.

  • intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names, making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

    We don't know the real

    • > intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names, making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend). My wife has had an interesting time unintentionally following the life of a New York mover and shaker.

      > We don't know the real recipients' actual email addresses so we can't warn them, and we have to read our own email to find out if it is intended for us or not, so we can't help but read their email. Interesting conundrum.

      This research result is not at all surprising; it is the same thing, just at a bigger scale and deliberate.

      I have a similar problem from time to time with my gmail account. In addition to your comments, some people seem to think that first.last and firstlast at gmail are different email addresses; as a result I periodically get emails for people who screwed up signing up for an online account, and since the company gladly accepted any email address as unique as long as it didn't match an existing one, signed me up.

      When it is obviously an error I reply saying: oops, wrong person. All but one generally reply with

    • by Jeng (926980)

      > We don't know the real recipients' actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email.

      You can find the real recipients' actual email addresses with just a little legwork. Just reply to the sender, let them know the situation, and ask if they could send you the correct email address or other contact information.

    • by Darinbob (1142669)

      I have received email meant for someone else for over a decade. This comes from different sources, almost all of it advertising for a particular town and a few makes of automobiles or mortgages. My email is something like "john@abc.com" and easy to remember by any and all, since I snagged it early before all the rush to get email addresses. I suspect this other person filled out some forms with this email address even though his actual address is "john.smith@abc.com" or "john3317@abc.com" or something li

  • They captured 20GB of email.

    They didn't really steal it, people addressed the email to them, they just did it errantly.

  • I have a very short (3 letter) AOL email address from days long gone by. I still check it every other week or so. I've been on a boy scout troop mailing list a few states away, a kindly grandmother's All Family contact list, and a few mislabeled business communications, most notably someone buying a car in England.

    I emailed one guy back who was writing to his military son. He got all kinds of pissed off, and accused me of 'intercepting his emails'. Sorry dude...YOU screwed up.
    I always try to email them b
