Huge Database Leak Reveals 1.37 Billion Email Addresses and Exposes Illegal Spam Operation (betanews.com) 141
One of the largest spam operations in the world has exposed its entire operation to the public, leaking its database of 1.37bn email addresses thanks to a faulty backup. From a report: A faulty backup has inadvertently exposed the entire working database of notorious spam operator River City Media (RCM). In all, the database contains more than 1.37 billion email addresses, and for some records there are additional details such as names, real-world addresses, and IP addresses. It's a situation that's described as "a tangible threat to online privacy and security." Details about the leak come courtesy of Chris Vickery from macOS security firm MacKeeper who -- with a team of helpers -- has been investigating since January. River City Media's database ended up online thanks to incorrectly-configured Rsync backups. In the words of Vickery: "Chances are you, or at least someone you know, is affected." The leaked, and unprotected, database is what's behind the sending of over a billion spam emails every day -- helped, as Vickery points out, by "a lot of automation, years of research, and fair bit of illegal hacking techniques." But it's more than a database that has leaked -- it's River City Media's entire operation.
Redundant (Score:2, Insightful)
How many spam operations are legal?
Re: (Score:1)
Most of the spam I see on any given day is legal... Store ads, etc...
Re:Redundant (Score:5, Informative)
You signed up for it when you bought a product or made an inquiry on their site and did not uncheck a box that signed you up for them most-likely.
That's the lie every spammer uses to justify their garbage. De-selecting the "send me all kinds of email about stuff I don't want" checkbox does nothing.
If you're still getting it you're just too lazy to unsubscribe.
I SHOULD NOT HAVE TO UNSUBSCRIBE FROM JUNK EMAIL LISTS THAT I DID NOT SUBSCRIBE TO IN THE FIRST PLACE. THE FIRST PIECE OF SPAM IS STILL SPAM.
Re: (Score:2, Informative)
That's the lie every spammer uses to justify their garbage.
Yes, Rule #1, spammers lie; that doesn't mean it isn't a legitimate justification for a lot of commercial email. If I order a pizza on PizzaHut.com, and next week Pizza Hut sends me an email with their weekly special offers, that isn't spam. It isn't mail I particularly want, but it isn't spam. I agreed to receive those emails by joining up with PizzaHut.com.
Spam is all the completely unsolicited boner pills, home mortgage, weight loss, and other garbage coming from randos who bought or harvested my email a
Re:Redundant (Score:5, Insightful)
that doesn't mean it isn't a legitimate justification for a lot of commercial email.
It is not a legitimate excuse for the commercial email I receive based on such lies. I ALWAYS uncheck this "pre-selected opt-in" (an oxymoron), and the spammer ALWAYS tells me that I opted-in.
If I order a pizza on PizzaHut.com, and next week Pizza Hut sends me an email with their weekly special offers, that isn't spam.
Yes, it is. Unsolicited commercial junk email. UCE. BY DEFINITION.
Spam is all the completely unsolicited boner pills, home mortgage, weight loss, and other garbage coming from randos who bought or harvested my email address somewhere,
Spam is not defined by topic. It is defined by UNSOLICITED COMMERCIAL EMAIL. Yes, there are many sources of spam. The fact that you bought a pizza at Pizza Hut does not excuse their unsolicited commercial email, which is spam.
Re: (Score:2)
Give them that address, it's yours, it's legitimate but it's worthless and they can spam as often as they like.
After that you no longer care if they ignore the "do not add me" part of their sign on sheets.
And if you have to "read their email" and click on the confirmation link, you can, and you can ignore them after that.
Re: (Score:2)
I use myemail+company_short_name@gmail.com if their form person isn't retarded (if they are and are blocking legitimate SMTP addresses they get the spam catcher email) which get filtered into folders, any company who abuses the address I give them loses all future business from me.
Re: (Score:2)
If I order a pizza from Pizza Hut or Dominos here in Australia, neither Pizza Hut nor Dominos has the legal right to send me any advertising ever. The *only* thing they have a legal right to send me is email related directly to that transaction. They are also not permitted to tick check boxes saying that you request advertising material. They are also not permitted to send SMS messages except as related to the transaction in progress. They are permitted to send me mail that the post office delivers.
Now
Re: (Score:3)
I'm not sure why some people have such a huge problem with spam. I use a service where I make up a unique email address for each account I sign up for. That (paid, but cheap) service forwards the mail to me. If I ever get unsolicited email on that address, I go to the service and delete the address, or if I really care, I make a new one and update that account, because they probably got hacked.
When an account sends me a mailing list, I click the unsubscribe button, and I would say 9 times out of 10 that
Re: (Score:3, Informative)
No need for a service, gmail will do it by default.
If your address is "mymail@gmail.com" and you are filling out an order from Pizza Hut, use "PizzaHut+mymail@gmail.com"
now you have a unique one for them that you can block off at any time. With the added benefit of being able to see who sold your email to that spammer.
Re:Redundant (Score:5, Informative)
use "PizzaHut+mymail@gmail.com" now you have a unique one for them that you can block off at any time.
You don't need to block it off, it will be sent to someone else who already has the "pizzahut@gmail.com" address, with the added benefit of telling them who is using their address to sign up for pizzahut spam.
Try "mymail+pizzahut@gmail.com".
Thanks to everyone who thinks I need to know how to avoid this spam, but I already do. I am well aware and a long time user of RFC5233 addressing.
Re: (Score:2)
Because gmail.com isn't a widely used domain for email or anything, so no spammer would ever think of changing x+y@gmail.com to x@gmail.com in their lists of addresses...
Re: (Score:2)
That's why you never use the bare address for anything. Any mail that then goes to the undecorated x@gmail.com address is either spam or faulty storage and can be automatically discarded.
Re:Redundant (Score:4, Informative)
other way around, myemail+pizzahut@gmail.com
Re: (Score:3)
Unfortunately, lots of websites won't accept such email addresses.
I even have one case where I registered using such an address, but the website was changed so that now it won't accept such addresses, so I cannot use it for orders, change it or even unsubscribe. Fortunately, they don't use it to send more than about one email every two months, so I really don't care.
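The sub-addressing scheme argued over in the comments above (tag after the plus sign, never hand out the bare address, see who passed your address on), as an added Python example that is not part of any comment. The tag registry, the sample deliveries and the function names are constructed for illustration, and the sender domain is assumed to come from an already authenticated source such as an SPF/DKIM result.

```python
# Added example (not from the thread): triage inbound mail by sub-address tag.
from collections import Counter

MY_LOCAL = "mymail"      # mailbox name used in the thread's examples
DOMAIN = "gmail.com"
# Constructed registry: tag handed out -> sender domain it was given to.
ISSUED = {"pizzahut": "pizzahut.com", "gardenshop": "gardenshop.example"}


def split_subaddress(addr, sep="+"):
    """Return (local, tag, domain); tag is None when no separator is present."""
    local, _, domain = addr.strip().lower().rpartition("@")
    base, found, tag = local.partition(sep)
    return base, (tag if found else None), domain


def classify(rcpt, sender_domain):
    """Label one delivery: ok, leaked, bare, unknown-tag or not-mine."""
    base, tag, domain = split_subaddress(rcpt)
    if domain != DOMAIN or base != MY_LOCAL:
        # "PizzaHut+mymail@..." lands here: the part before "+" is the mailbox.
        return "not-mine"
    if tag is None:
        return "bare"          # the bare address was never handed out
    expected = ISSUED.get(tag)
    if expected is None:
        return "unknown-tag"   # a tag we never issued (guessed or mangled)
    # Assumption: sender_domain is authenticated, otherwise it is forgeable.
    if sender_domain == expected or sender_domain.endswith("." + expected):
        return "ok"
    return "leaked"            # issued to one vendor, used by someone else


def leak_report(deliveries):
    """Count, per issued tag, mail arriving from someone other than the vendor."""
    leaks = Counter()
    for rcpt, sender_domain in deliveries:
        if classify(rcpt, sender_domain) == "leaked":
            leaks[split_subaddress(rcpt)[1]] += 1
    return dict(leaks)


# Constructed sample deliveries: (envelope recipient, sender domain).
SAMPLE = [
    ("mymail+pizzahut@gmail.com", "mail.pizzahut.com"),
    ("mymail+pizzahut@gmail.com", "pills.example"),
    ("mymail+gardenshop@gmail.com", "bulk.example"),
    ("mymail+gardenshop@gmail.com", "bulk.example"),
    ("mymail@gmail.com", "pills.example"),
    ("PizzaHut+mymail@gmail.com", "pizzahut.com"),
]

if __name__ == "__main__":
    for rcpt, sender in SAMPLE:
        print(f"{rcpt:32} from {sender:20} -> {classify(rcpt, sender)}")
    print("leaked tags:", leak_report(SAMPLE))
```

A sender that strips the tag shows up as "bare", which is why the scheme only works if the undecorated address is never given to anyone.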
The unsubscribe option means one thing (Score:2)
you validated a real email address that is important enough to you to use the unsubscribe.
Re:Redundant (Score:5, Informative)
In the 1990s, any acknowledgment of a spam e-mail was an invitation to more SPAM.
Lately, the unsubscribe links mostly work pretty well. I've been able to maintain the same address for 20 years now and it's still usable, sure it gets SPAM, but with billions of legitimate SPAM targets on the planet today, just knowing that the address is legit isn't enough to make it attractive anymore.
Also, there are some penalties for not handling "unsubscribe" requests properly, never looked into enforcement and collection, but I'm sure some people have.
Re: (Score:1)
I filter it out and could unsubscribe, but easier to filter. I still consider it spam though... It's not nefarious spam, but spam nonetheless.
Re: (Score:1)
Spam is UNWANTED e-mail. Whether or not I previously purchased something from a store is immaterial. If I don't want it, IT'S SPAM.
Re: (Score:1)
Agreed, because it was likely clearly stated in a document linked ten levels deep, right near the middle in white-on-white text, "by purchasing products from xyz store, you agree to receive spam; that our unsubscribe link goes to a page which will crash in a manner which appears accidental and that we will not respond to your emails relating
Re: (Score:1)
Please do go on a little more - we're entering useful-tip territory.
Re: (Score:2)
by signing up, you've agreed to receive the newsletter
the ability to remove yourself from their list, after agreeing to receive their emails, is why they don't get fined
Not when I buy something for my wife from store "A" and specifically un-check the "Send me more shit" button, but now I'm getting emails from stores "B" through "Z" for more. If I'm ever in charge of a corporate firewall again, you bet your sweet bippy that mailchimp, constant contact, et al are going to /dev/null
Re: (Score:1)
Have you TRIED ever unsubbing? Even with "respectable" publications such as certain computer publications, it seems to have no effect whatsoever. And these other ones that automatically pass your email to all their other associated pubs, and I find myself unsubbing the same ones over and over. And it's a lot of them
Re: (Score:2)
Shouldn't have provided your e-mail to them if you don't want them to use it. Plus most of these stores seem to honor a remove from list request. Yeah having to opt out, rather than opt in is painful but this still differentiates from real spam.
Re: (Score:1)
Shouldn't have provided your e-mail to them if you don't want them to use it.
Most online order forms demand an email for the purposes of communicating about that order. Further use of that email address for unsolicited commercial junk email is SPAM.
Plus most of these stores seem to honor a remove from list request.
"Seem to". And many of them don't. And many of them have invalid or non-working "unsub" links. Even the working ones don't help when your email reader doesn't do "the web" -- because it is an EMAIL READER. My procmail rc is filled with such "honorable" spammers.
Yeah having to opt out, rather than opt in is painful but this still differentiates from real spam.
No, it doesn't. It's unsolicited commercial junk email from the very first one
Re: (Score:2)
It is better to block it at the SMTP level and refuse to accept the message in the first place.
You might think so, but do you REALLY think any spammer cares about or even looks at the bounces from their spam?
Unfortunately, the only way to "block it at the SMTP level" for users is to return error code 67 (IIRC) from procmail, and that doesn't work if you are using IMAP to pull email from a server that has already taken final delivery.
Re: (Score:2)
It is better to block it at the SMTP level and refuse to accept the message in the first place.
You might think so, but do you REALLY think any spammer cares about or even looks at the bounces from their spam?
Unfortunately, the only way to "block it at the SMTP level" for users is to return error code 67 (IIRC) from procmail, and that doesn't work if you are using IMAP to pull email from a server that has already taken final delivery.
You're begging the question. SPAM is unwanted mail. You "wanted" it by opting in at some point (probably within the context of a purchase or something).
Someone who doesn't intend to spam will provide an opt-out link. It's 2017, not 2002. Use it.
If you can't reject at the SMTP level then that means you're not running your own mail server. Every ISP or mail service in the last 20 years has maintained abuse accounts and administrators that will accept spam reports and (eventually) configure their systems to re
Re: (Score:1)
You're begging the question. SPAM is unwanted mail. You "wanted" it by opting in at some point (probably within the context of a purchase or something).
Like I said, that's the lie that spammers use to excuse their spam. No, sorry, I did not want it, nor did I "opt-in" to it.
Someone who doesn't intend to spam will provide an opt-out link. It's 2017, not 2002. Use it.
I am certain that I've already commented on this. Someone who doesn't intend to spam DOESN'T SPAM IN THE FIRST PLACE. And many "opt-out" links are invalid to start with, have no effect when they aren't outright invalid, and don't work well with a true email reader (that isn't a web browser.)
If you can't reject at the SMTP level then that means you're not running your own mail server.
You're pretty quick.
Every ISP or mail service in the last 20 years has maintained abuse accounts
Yeah, complaining to the spammer's ISP or mail service is such a productive u
Where's the bloody link??? (Score:2)
Link to the data???
How has it been exposed if I can't download it?
Re: (Score:2)
Plus most of these stores seem to honor a remove from list request.
"It may take 4 to 6 weeks for your unsubscribe request to be processed..."
Re:Redundant (Score:4, Interesting)
Now I have a spam email address I use for all hotels, real estate agents, etc etc etc that fits into the format of x.x.xspamtrap@gmail.com
so they KNOW it's a spam trap
Some have complained that it's not a real address, it is, but anything that ends up there is automatically deleted, I never see any of it, and they get told this
I am more than happy to show them on my phone that it's real, but worthless.
Re: (Score:3)
Aha, and the stores don't sell your email to spammers. Ever!
Re: (Score:2)
Haven't had much issue with that. The spam mail shows up after I give my address to companies like Bath Fitters, who seem far less reputable in my experience. They turned out to be a massive waste of time. YMMV.
Re: (Score:2)
Aha, and the stores don't sell your email to spammers. Ever!
In the civilized world, no it is unlikely, considering it is illegal and is easy to track. It probably happens in the US and the third world though.
Re: Redundant (Score:2)
I use "storename.or.website@catchall.domain" pretty consistently here in the US, and I've found a huge number of stores which apparently do provide their mailing lists to anyone and everyone. Equifax - the "reputable" credit reporting company - seems to be among the worst; I get a ton of spam to equifax@catchall.domain.
I should probably publish a list online somewhere from my spam logs... :)
Re:Redundant (Score:4, Informative)
Spam is UNWANTED e-mail.
No, spam is UNSOLICITED commercial email. When you did whatever action you did on their site to receive it, you solicited them to send it to you as part of it. True spam is from companies you never heard of and never had a business relationship with.
Re: (Score:1)
Let the man define spam how he wishes. I personally agree with him. You've missed a rather important point though. He's talking about messages sent unsolicited AFTER whatever transaction or service he signed up for is finished. I'm not going to fill out any customer satisfaction survey no matter how many times you send it to me, nor do I care about the sale on the big item I purchased last week, I've already purchased one. I'd love to see this sort of thing made into illegal spam but it won't ever be, as we'
Re:Redundant (Score:5, Insightful)
Spam is UNWANTED e-mail.
No, spam is UNSOLICITED commercial email. When you did whatever action you did on their site to receive it, you solicited them to send it
Bullshit. My "action" is to buy something online (it is getting hard to find some types of stuff any other way). Buying something is not "soliciting" for email adverts for ever after.
Anyway, I use disposable email addresses for purchasing. After it's delivered, I turn off the address and their spam is going into a black hole somewhere, not even as far as my spam directory. But I can look at the stats and see that some companies I have bought from (including a gardening supplier I bought a $10 item from 5 years ago) have sent me thousands of emails - a situation that is ridiculous
Re: (Score:3)
The truth of the matter is that for a small business like that, curating the list takes time. Just letting the script run automatically once a week does not.
Re: (Score:1)
they mailed me at least 8 different 1.5" thick catalogs in the post for the next several years
I like catalogs like that. They are much easier to use than an online search -- even though Mouser and Newark are getting much better. It's still easier, and more fun, to scan the pages looking for something by sight instead of having to come up with all the right search terms for it. And it is much easier when you're dealing with pieces that go together, like what plug matches this particular socket. It seems the online catalogs aren't very good at telling you that, at least I've not found them to be, but
Re: (Score:2)
It's just so pointless;
if (customersWantOurProducts) {
while (true) {
waitForNewOrder();
processCustomerOrder();
}
} else {
for (var c in customers) {
for (var p in products) {
sendEmail (c.email, "Although we recognise that this is a longshot, do you " + c.name + ", at this exact instant in time, require our product '" + p.name + "', for the
Re: (Score:1)
if (javaScript === python) {
console.log ('my bad');
}
else {
console.log ('huh?');
}
Re: (Score:2)
I have multiple email addresses.
1 for work
1 for family
1 for personal use
1 for possible spammers
1 as a spam trap
1 that I give to stores I don't want junk mail from
They are all IMAP accounts, there is a script that automatically empties the last 3 accounts (2 of them once a week)
Plus my work one I can block whole domains on the email server e.g. *@*.com.br *@hotmail.com etc etc etc
My spam
Source article (Score:5, Informative)
Vickery's own writeup is here [mackeeper.com].
Re: (Score:2, Insightful)
Wait, what? MacKeeper? The malware that advertises all over porn sites? If they "investigated" some spammer, rest assured that it's all part of a dastardly plot on MacKeeper's part.
ahem *MacKeeper*? (Score:2)
I want a second opinion
Re: (Score:2)
Funny because when an unwanted browser window/tab pops on my screen, it's for MacKeeper.
Re: (Score:2)
Please hit your hand hard with a hammer, it will be less painful than trying to remove MacKeeper.
Can someone post a download link? (Score:3, Interesting)
I want to see if I'm on it. Yeah. That's why. Just Kidding. :-)
Re: (Score:2, Insightful)
You might be, I'm not. I want to see what kind of personal information was leaked about me or my family. I'm guessing it'll take me a day to find a torrent or magnet link for it.
Re: (Score:2)
I'm looking for the torrent as well, will post if I find it.
BetaNews? (Score:1)
So instead of linking to Steve Ragan's fantastical two-page report, the mod (who previously worked for BetaNews) has linked to a lame 250-word incomplete article on BetaNews... what a surprise!!! BetaNews needs to disappear. It's just stealing content from other publications and this mod is pushing their crap like it's CNN or Reuters.
Re:BetaNews? (Score:4, Informative)
The indignant AC didn't post the link, but I assume it's this one:
http://www.csoonline.com/artic... [csoonline.com]
And yeah, it's a way better article.
Re: (Score:2)
I guess this article [csoonline.com] is the one AC is referring to. Seems legit, but a little too esoteric for me to follow. It has links to other sources.
They seem to have "inside" contacts. (Score:2)
The leaking servers went dark during the process of notifying law enforcement and the major companies.
Presumably this means RCM has contacts within Law Enforcement, Microsoft or Yahoo.
Re:They seem to have "inside" contacts. (Score:4, Funny)
Re: They seem to have "inside" contacts. (Score:1)
You mean getting my fisted in the shower room by your father? That's your good morning routine. Hehe.
Unsolicited males (Score:2)
send them for a lengthy stay somewhere where they need to worry about unsolicited male
They certainly will need to worry about unsolicited males.
I don't get any spam (Score:1)
I have a perfect solution for the spam problem. It's called NOT ASSOCIATING WITH PEOPLE. You motherfuckers are the motherfucking source of all spam. That's right. You. Fuck you. As soon as I decided never ever to talk to you fucking fuckers ever again, suddenly I stopped receiving spam. You people are the problem. FUCK! YOU!!
Send everyone an email to let them know (Score:5, Funny)
Re: (Score:2)
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
guys pls stop hitting "Reply All"
Are you affected? (Score:5, Funny)
Just provide the following details and we will search the leaked database to determine if your details are compromised.
First Name:
Last Name:
Email:
Phone:
SSN:
[Submit]
Re: (Score:2)
That's not SPAM, that's a fish.
Awesome! Clickbait with no database source (Score:1)
More clickbait with no link to the exposed database.
Click Click Click Click Click Click Click Click Click Click Click Click Click Click Click Click Click Click
Make Slashdot rich!
Need to download this... (Score:2)
Would like to use this list to seed my e-mail blacklist...
How ironic (Score:3)
Since the spammers had personally identifiable information, they're now required to contact those affected to notify them of the breach and what those affected by the breach should do to protect themselves, and get larger breasts naturally.
MacKeeper (Score:2)
"Details about the leak come courtesy of Chris Vickery from macOS security firm MacKeeper"
Say no more; our news source is the much maligned, borderline malware vendor, probably trying to drum up business.
Re: (Score:2)
I, for one, welcome this new trend of one online crook outfit snitching on another.