by Sebastien Lahtinen

The recent stories in the media of marketing firm Epsilon have brought into sharp focus the problems associated with managing user data, as well as the fact most users simply do not know where their data is stored. Whilst I am disappointed that such a breach has occurred, no system administrator is going to give a guarantee it cannot happen to them, and every sysadmin I have spoken to about these types of issues is always worried they may be next.

Spam from Barbara Cook t/a Towelsoft to e-mail address provided originally only to Vodafone UK

Over 1,000 thinkbroadband users have given us e-mail addresses that are clearly unique to us (for example [email protected] – although something a bit less predictable is better) and I would highly encourage it, and it’s exactly what I do with many suppliers so that I can track who is abusing my personal data by distributing it to third parties, despite the fact I tick all the ‘opt-out’ boxes.
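One way to make per-supplier addresses unpredictable and still attributable, as an added example that is not part of the original post: the local part carries a keyed tag, so a hit on a valid tag points at the supplier it was issued to, while wrong-tag hits show up as guessing. `SECRET`, `DOMAIN`, the supplier name `mobileco` and the sample log are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a secret only the mailbox owner holds
DOMAIN = "example.org"             # assumption: a domain whose mail you receive
# Assumption: sender domains each supplier legitimately mails from.
EXPECTED_SENDERS = {"mobileco": {"mobileco.example"}}

def _tag(supplier):
    """8-character (40-bit) keyed tag: unguessable without SECRET."""
    mac = hmac.new(SECRET, supplier.lower().encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()

def alias_for(supplier):
    """Address to hand to exactly one supplier."""
    return f"{supplier.lower()}-{_tag(supplier)}@{DOMAIN}"

def attribute(recipient):
    """Classify a recipient address as issued, guessed, untagged or not-ours."""
    local, _, domain = recipient.lower().partition("@")
    if domain != DOMAIN:
        return ("not-ours", None)
    supplier, sep, tag = local.rpartition("-")
    if not sep or not supplier:
        return ("untagged", None)
    if hmac.compare_digest(tag.encode(), _tag(supplier).encode()):
        return ("issued", supplier)
    return ("guessed", supplier)   # right shape, wrong tag: dictionary noise

def review(log):
    """Return (leaks, guesses) for (sender, recipient) pairs from a mail log."""
    leaks, guesses = [], 0
    for sender, recipient in log:
        verdict, supplier = attribute(recipient)
        if verdict == "guessed":
            guesses += 1
        elif verdict == "issued":
            sender_domain = sender.rpartition("@")[2].lower()
            if sender_domain not in EXPECTED_SENDERS.get(supplier, set()):
                leaks.append((supplier, sender_domain))
    return leaks, guesses

# Constructed sample log entries, not real traffic.
LOG = [
    ("billing@mobileco.example", alias_for("mobileco")),
    ("offers@towels.example", alias_for("mobileco")),
    ("promo@bulk.example", "mobileco-aaaaaaaa@example.org"),
]
print(review(LOG))
```

Sender addresses can be forged, so the sender-domain comparison is a triage heuristic; the stronger signal is that mail reached an issued alias at all while the guess counter stayed low.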

On Friday 4th of March, I received a spam e-mail sent by a company called TowelSoft (sent via an e-mail distribution company Purepromoter) trying to sell me towels. What made this worrying was that it was sent to an e-mail address I have only ever provided to Vodafone.

I contacted Vodafone about this within three hours of receiving the e-mail to assist them in tracing how it was possible that an e-mail address I had only ever provided to them, ended up being spammed by a third party. I explained the situation and asked to speak to someone who would be able to look into the matter.

“I don’t know how that would happen especially with a company selling bath sheets. I’ve never given my address to anyone but I get spam .. I get spammed a lot. Anyone can get your e-mail address no matter what it is. I don’t know how those companies do it. That’s definitely not information we would give out.” (Vodafone operator)

I was explicit in trying to make it clear this wasn’t a random spam: “This e-mail address I have given to you is specific to Vodafone. I have never given it to anyone else. It’s not a generic e-mail address that’s on my business card or that I put into random websites. The only company I have ever given this e-mail address to is Vodafone.”

The operator then advised me that I would have to get in touch with head office, but when asked for a number, told me that I couldn’t call them and would have to send a letter.

I cannot say with certainty that it is impossible that someone may have obtained the e-mail address from my system or some other way, but I find that highly unlikely, not least because it would not make sense to spam that address and only that address.

I am of course concerned about what appears to be a data compromise, but even more alarmed by the fact that this did not raise concerns within Vodafone.

I thought long and hard about whether to write this article and whether to name Vodafone, but after years of being a customer, I am quite astounded by the lack of a security mindset especially as I have mentioned this to two different Vodafone representatives. A novice in social engineering could defeat many of the security steps in place, and at least cause inconvenience if not significant damage.

We live in a world where private investigators are hacking into voicemails, and yet warning signs are not acted upon quickly. Having since seen the Epsilon stories, I do wonder if Vodafone are an Epsilon customer, or whether this is just another similar case. I hope at least this article will raise awareness of this issue and encourage companies to put in place systems to handle such reports.

10 Responses

  1. Mike on 07 Apr 2011

    “it’s exactly what I do with many suppliers so that I can track who is abusing my personal data by distributing it to third parties, despite the fact I tick all the ‘opt-out’ boxes.”

    Except that’s not a very good way of tracking because most full-time spammers will also use robots and predictive text methods to guess email addresses. “Thinkbroadband” is two English words together and also a well known website domain, so such an address could easily be spammed without you having given it out to anybody. A combination of different characters and numbers after your name would be better.

    This has happened a lot to me in the past, without even giving my email out, over time it will get spammed if it’s easy to reproduce.

  2. seb on 07 Apr 2011

    @Mike – In my case the address wasn’t “[email protected]” – and I would have seen if there was a large scale attack in the logs. That’s why I suggested something other than “[email protected]” would make sense. Even with [email protected] I think realistically you’re going to find it’s not going to hit often.

  3. HmmmUK on 07 Apr 2011

    I see the same with my domain/email provider – as you say it’s difficult to prove what’s really going on.

    Every now and again I get spam sent to accounts on my domains that have just been set up for testing or something similar. No one has ever known the address etc. etc. but some of the more sophisticated attacks manage to find these never used ‘hidden’ accounts.

    Whether by ‘brute force’ attack or other means some people seem to be able to dig out your accounts!

  4. seb on 07 Apr 2011

    @HmmmUK: This isn’t a “[email protected]” type address so it’s unlikely to have been found by spammers on the basis of just guessing, and if they had done that, my log would be full of the attempts. Also the mail server is run by us here, so there are no third parties involved on our side here.

  5. HmmmUK on 07 Apr 2011

    @seb Yes, I appreciated that. My test accounts were often fairly obscure as well but they were found.

    But as you say if it was brute force/dictionary attack, in your situation your logs should have shown this.

  6. seb on 07 Apr 2011

    @HmmmUK – were your accounts with a common e-mail provider like google/hotmail? They are going to target those for any possible address. I’ve found I get a lot of spam to my gmail address which isn’t obvious but could be found using dictionary + brute force.. fortunately google detects spam well (including towelsoft one)

  7. HmmmUK on 07 Apr 2011

    @seb – No, they are addresses used on my own registered domains.

    I also used Gmail to pick up a copy and as you say Google does do a pretty good job with spam.

  8. Tony Doherty on 09 Apr 2011

    A couple of years ago I was being constantly plagued by calls to my mobile by a company called Phones4U (though I think that they traded under several names).

    They knew that I was a Vodafone customer and certain details about my contract and were trying to get me to change provider. Now why would a reselling agent authorised to work for Vodafone try that sales tactic?!

    I had to write to Vodafone and threaten legal action before the calls stopped.

    My assumption is that someone within Vodafone was leaking/selling subscriber numbers to a 3rd party.

  9. eclecticsol on 26 Apr 2011

    My email domains accept emails to [email protected] the domain so no guessing is required. However over time I get SPAM to two addresses provided only to Eclipse Networking, other addresses provided only to forums (mono, omg), addresses provided only to companies and one address which exists only as the source address in a Netgear Router for it to report its status.

    The Netgear address (which has an unusual company name) appears only in the router, in the outgoing mail-server (Orange), on the wire, in the incoming server (Gradwell) on the wire to my ISP / PC and in my PC. One of those systems must have been compromised at some time. I get a pair of daily emails from hacked hotmail accounts offering cheap software.

    I do not get SPAM to random addresses any or all of which would work.

  10. Bob on 03 May 2011

    Whilst it’s only slightly relevant to the article, I’d like to comment on Gmail. As a VirginMedia customer, and NTL before that, I have an NTL address that I use purely for friends and family. Frankly, it’s hardly ever used, perhaps get 1 or 2 personal emails a week. That was the case until the Virginmedia email system was switched over to Gmail. Now I get the same 1 or 2 personal emails and about twice that in spam. To an address that I would guess 6 people actually know, and the same 6 have known for over 5 years. Coincidence? As has been said, whilst it is still an address, spammers target mail servers with random addresses and I would guess this is what has happened to me. Perhaps to you too? Just a random hit?
