CPF email address privacy

Hi there,
Today I received Junk Email <SPAM> that was addressed to an email address I use exclusively on this forum. My profile specifies that this email address is not public and I can't see any (obvious) way for an outsider to obtain it.
This means one of two things: either someone hacked your system and obtained the address that way, or, someone with authority to access the email addresses sold them to a spammer. Either way, I'm not happy!
I suggest that the administrators publish a Privacy Policy and plug whatever leak was used to provide the spammer(s) with my address.
I also suggest that other members may want to use a "throw-away address" when registering on the cellphone forums in order to avoid getting bombarded with junkmail.

---

› See More: CPF email address privacy

Umm, please don't jump to conclusions and blame us for your spam. Do you know what a "spider" is (not the eight-legged kind)? This is a software legitimate websites use to catalogue the internet (search engines) but they can just as easily be exploited by hackers for more devious purposes. Once the domain your email originates from is spidered by google or other search engines, it becomes a public domain for the whole world to see. Spammers may then use a ware similar to a password cracker, which basically sends an email to everything from [email protected] to [email protected] and they know which ones are valid addresses because those are the ones that don't bounce back. After you receive that initial spam mail, they know you have a valid address and soon the spam will start pouring in. This is how spammers get huge lists of emails from domains like aol, hotmail, gmail, etc. A fourth possibility that you failed to mention is that your network could have at some point been compromised by a trojan, spyware, or key logger that reported back to its creator some of the places you've been and strings of text you've typed.

Do you know what slander and libel are? I'm not the webmaster, just a lowly Super Moderator, but I don't appreciate you making accusations about our site that you can't back up with any evidence you can present in court (other than your own naivete regarding how the world wide web operates). We have not been "hacked" or compromised, it is much more likely that you are the victim of hacker tricks like mail sniffers, key loggers, etc as mentioned above. So, please get your facts together before you start committing acts of libel against our highly reputable administrator and his site.

Next, you're gonna come back and tell me your network has never been compromised. Tell ya what, I'll remove any personally identifiable information from this quote I'm copying from your domain.

Email Spoofing (Faking or Forging) of xxxxx.cc addresses



Any spam email you have received did not come from us.



We, as well as you, are the victims of spammers who are forging/faking/spoofing xxxxx.cc email addresses. The spam was not sent from any of our facilities or email addresses. It was totally beyond our control, and we regret very much that we cannot stop it.



We had nothing to do with such spam, which is a misrepresentation of our good name. All xxxxx.cc email addresses are used for our business and private purposes. Our email addresses are not available to others. We do not send, and have never sent, spam email of any sort.



Non-existent email addresses are being given as the “FROM” and/or “REPLY-TO” address in spam email, for example [email protected], [email protected] and many others along similar lines. If you have received such spam email we are sorry, but emphasize that it was nothing to do with us and was beyond our control.



In all these instances the "(mis) users" of the email addresses have neither the authority nor the internet capability to use the email addresses involved. If you respond to any of these non-existent email addresses (or your vacation message does so on your behalf), you are likely not to get a response from us.



For more about email spoofing, try a worldwide Google.com search using the words (but not as a phrase) email spoofing spam . You can also search using the combinations forged email or spam spoofing or spoofing email



Thank you for your understanding, and we hope the rest of your day is a good one.



Sincerely,



The owner of xxxxx.cc



How You Can Help - Track Spam Spoofers
If you ever receive such spam-mails that look like messages sent by someone at xxxxx.cc, please:

Report spoofed xxxxx.cc e-mails to us at [email protected]

Send the original spoofed e-mail as an attachment. (See the "send" menu of your e-mail program)
Sending the e-mail as an attachment is the best way to preserve the "header information," which may enable us to trace the true origin of the forgery.

It seems you have gotten the attention of some spammy hackers, I would never in a million years think they would try to phish your domain for valid email addresses while they were using it to send out fraudulent emails to other addresses they randomly phished! Why would they do that when there are so many other thousands of domains to phish first? I guess you just got lucky.

My apologies Brad: It seems the explanation on my site was not explicit enough:
The spammers the site is talking about, FORGE randomly generated return addresses at my domain. They do not have access to my domain and cannot legitimately send anything FROM that domain. It is someone who sits in a different country, on a different continent who has absolutely nothing to do with me and just simply decided to insert phoney addresses into the header of the spam they send out.
This, however, is not the problem I was talking about in my original post. I was talking about an address that exists in only in the cellphone forum. There is, in fact, no true email account with that address - emails sent to that address are simply forwarded to my 'real' address.
I suggest, rather than getting all defensive and 'legalese' here, you may want to take my post as constructive criticism: There IS a problem - somewhere - and the source of this problem should be investigated. You probably dislike spam as much as I do and, as a moderator, I would have hoped you would show an interest in ensuring that the problem is not on the side of the cellphone forum.
(And no: in the 40-some-odd years I've made my living in computers, my own personal network has never been compromised <yet> )

Lars, you completely overlooked the points I was trying to make and misconstrued the rest. Spammers randomly obtain email addresses by phishing. They get a domain name, plug it into a program, and mass-mail a "test spam" to every imaginable user on that domain until they get a few "bites" (the ones that don't bounce back). This is a method of phishing.

You acknowledge that your domain is being fraudulently used by spammers to send mail out (yes yes I know they don't have access to your domain, well if I wanted to I could send you an email that appeared to be from any domain real or not, and if I had the right software I could sneak a mailsniffer into that email to let me know if it was delivered or bounced), but you don't seem to want to accept the possibility the same spammers might use your domain to phish other domains without trying to also phish your domain too.

The only person who has access to a database of email addresses here is the primary administrator, John. The supermods can view your email address, but only by looking you up by your username first (regular mods cannot). I guarantee you none of us have been sitting around here days on end copying email addresses one by one, and our site has never been compromised by hackers.

You have jumped to the conclusion we compromised your email address, but you're not listening to me tell you while there are some spammers who buy lists of email addresses, the vast majority of them have taken to simply phishing domains until they get a hit. I have gotten spam mails that were addressed to [email protected]in and I've gotten spam mails addressed to [email protected] with the blank being every possible 3 digit number combination.

So, you need to get over accusing us of letting your email address get into the hands of spammers and do some research for yourself where spam comes from. I have an email address I don't use for ANYTHING AT ALL, I've had it since high school and I only maintain it for the possibility that someone from high school will see it in their yearbook and try to write someday. It was only ever used to email a small handful of family and friends, but I stopped using it in 1999 and just check it often enough to keep the account open. About 2 years ago, I started getting spam mail at this address, which was at least 3 years since I had sent or received any mail from said address (it's hooked up to my outlook express).

I guess that means someone I knew 10 years ago in high school sold my email address to a spammer out of the back of their yearbook? Go figure. I get a ton of spam there now, and I can guarantee you I've never used that address to sign up for any websites or anything! My high school friends have long ago forgotten about me and the address is not used for anything whatsoever. I'm not going through the local phone directory calling people whose yearbooks I signed a decade ago to ask them if they sold me to a spammer... do you how this relates to you and what you're doing, especially after I've already explained it to you once.

Aside from all of what I just said, don't you think it was a little pissy for you to make a thread about it instead of contacting us first? If I seem a bit defensive it's because what you've done here I'd compare to badmouthing a coworker to a storeful of customers instead of going to that coworker and resolving the situation like a mature responsible adult, I'd fire the sleazeball that did that under my management. Sure I could delete the thread and be done with it, but we don't have anything to worry about from your false assumptions and our regular members are probably all laughing as hard as I am at all of this. Have a nice day, I see no point in continuing this discussion.

Nicely put Brad, He covered it all and he's right, you can open up an account on any random domain, and NEVER user it, never put it on any site, and dont tell anyone, and give it time and spam will start to flow into it, just a problem with how email is done, so you'll have to get used to, spam is easy to take care of anyway, plenty of good spam blockers out there.

Brad, he does have a right to be concerned. He's right, I should have a more clearly defined privacy policy. Unfortunately there is no standard on the interenet for this yet.

I assure you Lars, CPF does not sell e-mail addresses, and our system certainly hasn't been compromised.

Originally Posted by tavenger5

Brad, he does have a right to be concerned. He's right, I should have a more clearly defined privacy policy.

I agree with you John, I respect and empathize with his right to be concerned, but I think he could have brought his concerns to our attention either publicly in a thread or privately via our site's messaging system without the direct accusations and unfounded alarmist warnings to other members. That's what got me hot under the collar, and if any apologies are warranted on my behalf, they will be gladly doled out after Mr. Lars acknowledges that he could have asked for a manager instead of standing on our sidewalk picketing in protest.

(I tried to post a reply here yesterday but that one apparently went into the bit bucket)

Thanks to John (tavenger5): Yours was the first positive message that addressed the subject rather than trying to tear ME appart. I am glad to hear that you do not sell the email addresses and hopefully, at some future time, you will post a privacy policy. One question still remains: How did that spammer get that address?

Brad:
If I had been able to easily find a way to contact "the management" of Cell Phone Forums, I would have done so. Unfortunately, I was in a hurry at the time and could not find an obvious way to do so. (I have since found the appropriate link) In the absence of an obvious way to contact management, this seemed to be the most obvious way of getting your attention. (It seems to have worked!) Besides, I think other members might have an interest in this topic.
If I had found a Privacy Policy, I would certainly have studied it before raising this issue.
If I had found a way of unsubscribing from Cell phone Forums entirely, I would have unsubscribed, blocked the email address I used, and be done with it. Unfortunately, even your FAQs don't shed any light on how to do that. (Can you do that for me?)
As for my suggestion to the public to subscribe with a "throw-away" address: I belive this is a good practise for any subscribtion anywhere.

Since then, I have done a bit of "due dilligence":
I used a web spider to extract all available addresses from your site. As expected, my own address was not among the hundreds the spider found. This seems to confirm my initial guess that my email was not easily obtainable from your site by the 'average Joe spammer'.
I also used an email spider to check for email addresses at my own domain. As I pointed out earlier, even though it looks like a 'regular' domain, emails sent to that domain are simply forwarded to my 'real' address. As expected, the email spider marked each and every address (each and every possible number-letter combination) at that domain as "valid". Given that, why would that spammer have sent his junk ONLY to "[email protected]" but NOT to any other address on that domain? Spammers don't go through the addresses manually, they use a program to sent their stuff and a program behaves the same way for every address. It has no reason to single out this specific address.
Given all this, I STILL believe that this spammer had access to email addresses he or she should not have had.

You certainly have the right to stick your head in the sand and insist that nothing could possibly be amiss at your end, but it is YOUR reputation that is on the line here. If someone found my address and used it to send me junk email, the same is likely to happen to others and that then threatens the reputation of the entire cell phone forum. If I was in your shoes, I would certainly want to double check that nothing could have leaked out from my end.

Lars

Lars,

Rest assured that we are checking for possible breaches of the security. I have not, personally, seen any mention of the vbulletin software having security breaches that allow email addresses to be accessed. They are a very reputable company and would certainly not have patched the problem wihout notifying us.

There is always the possibility that a moderator past or present has viewed your email address, but the possibility is very remote as its just plain tedious to find addresses that way. We will, nevertheless, look into the possibility as much as the software allows.

I understand your concern, and appreciate the fact that you have brought it to our attention. You can certainly understand the points our moderators have made as well. If a man can get into FBI files using freeware available on the net, then either of our ends could have been compromised. Its a simple fact that both your security and ours is only as good as the software we use to protect it.

We do not intend to share anyone's email address at any time and you can be comfortable in the fact that you have opened our eyes as to writing a privacy policy. We'll state clearly that CPF only collects email addresses to verify them when accepting new members so that we, as a forum, can avoid spam in as many ways as possible.

Beyond that, the damage is done and I apologize if it was in any way our fault. You can read, in my words that I still have doubts, but an apology is necessary all the same.

Now... I can help to change some of your info on your account but would prefer to discuss that via PM to maintain whatever accesses you choose while protecting your privacy. I will respond to your PM when I receive it

Sincerely,
Jeanie

*Thread closed*

Lars and I have come to an agreement - he will not access this thread again and so it is being closed. This message is especially for mods who will still have the ability to post here... DON'T! If you wish to continue the professional discussion you can find a place in the mod forum to do that.