Whenever I sign up to an online service, I use a unique email address. That way when spam starts coming in I can see whose fault it is. I’m suddenly getting rather a lot of spam, sent from disposable email accounts (e.g. Yahoo) and directing me to various scam websites registered in Russia. All at once, from multiple vectors. That’s the part that worries me; here’s why.
First: here is the list of organisations that have leaked my email address to spammers (most probably because they have been compromised):
- Ning (probably through the Association of Virtual Worlds, which has published its entire membership list as a PDF including everyone’s email addresses)
- Amnesty International (probably by publishing my email address on a petition)
- Palmgear (yes, I was a huge Palm fan, long ago)
- Reqall (an iPhone app with an online service – I prefer Evernote, who have also never leaked my email address to spammers)
- socialthing (now AOL LifeStream, and utterly uninteresting to me)
- Skitch (dammit, I like Skitch!)
- ServiceCentral – a service to book tradespeople to come and break your plumbing.
- Whrrl (some kind of location-based iPhone game thing).
- Spotlight – I’m a “VIP member” of this store, which apparently means that I want Russian spammers to sell me a counterfeit watch.
- Webjam – I presented at Webjam once, so this may not be a leak from their website – I gave out this address to the entire audience so anyone there could be the source of the leak.
- Saasu – online (cloud) accounting. If I can’t trust them with my email address, I’m not going to trust them with my financial data.
- Xero – as above. This is a pretty severe problem in both cases; I’ve signed up for free trials of two cloud accounting services and both have leaked my email address to Russian spammers.
I’m getting about 40 spams a day at the moment, all through the above vectors. I’m redirecting those email addresses into the void now.
(I’m getting about another 40 spams each day to my ACM and SIGGRAPH addresses, but those are all obvious enough that Apple Mail’s spam filters are catching them for me. And oddly, none of those are in English.)
I’ve been signing up for online services this way for a long time, and it’s only recently that they have become a serious vector for spam. And the spam is pretty consistently for the same group of Russian-registered sites.
I wonder how long my personal information has been accumulating, being leaked, then sold, then finally used. I wonder whether other cloud services that I’m actually using have been compromised (as opposed to ones I’ve only signed up for and not entered data into). I wonder how long the attackers will wait, accumulating more personal information on us, and how damaging the resulting identity-theft storm might be.
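The per-service address technique described at the top of this post can be automated by tallying spam per recipient alias. The sketch below is an added example, not the author's own tooling; it assumes a catch-all domain (`example.org`, a placeholder) where the local part names the service, and the sample messages are constructed.

```python
import email
from collections import Counter
from email.utils import getaddresses

DOMAIN = "example.org"  # assumption: catch-all domain, one local part per service

# Constructed sample spam; senders, subjects and aliases are made up.
SAMPLE = [
    "Delivered-To: skitch@example.org\nFrom: a1@mail.example\n"
    "To: undisclosed-recipients:;\nSubject: watches\n\nbody\n",
    "From: b2@mail.example\nTo: \"S\" <SKITCH@Example.org>\nSubject: pills\n\nbody\n",
    "Delivered-To: xero@example.org\nFrom: c3@mail.example\n"
    "To: someone-else@other.example\nSubject: watches\n\nbody\n",
]

def aliases(raw, domain=DOMAIN):
    """Return the per-service aliases at `domain` that a raw message reached."""
    msg = email.message_from_string(raw)
    # Envelope-derived headers are added by the receiving server, so prefer
    # them; To/Cc are sender-controlled and often wrong or blank for spam.
    for names in (("Delivered-To", "X-Original-To"), ("To", "Cc")):
        values = [v for n in names for v in msg.get_all(n, [])]
        found = set()
        for _, addr in getaddresses(values):
            local, _, host = addr.rpartition("@")
            if local and host.lower() == domain:
                found.add(local.lower())  # aliases are matched case-insensitively
        if found:
            return found
    return set()

def tally(messages, domain=DOMAIN):
    """Count spam messages per leaked alias."""
    counts = Counter()
    for raw in messages:
        counts.update(aliases(raw, domain))
    return counts

def to_blackhole(counts, threshold=2):
    """Aliases with at least `threshold` spam hits, i.e. candidates to discard."""
    return sorted(a for a, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts = tally(SAMPLE)
    for alias, n in counts.most_common():
        print(f"{n:3d}  {alias}@{DOMAIN}")
    print("redirect to the void:", to_blackhole(counts))
```

Run it over the contents of a junk folder instead of `SAMPLE` to see which sign-ups account for the spam and which aliases are worth discarding.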