[personal profile] tugrik
There are those of us who practice safe email methods. We keep our address completely out of public forums, posts, usenet and the like. We actually read the entire privacy policy of sites that we must use our email addresses at and only continue if we're assured they won't re-sell our addresses. The few, rare times we do have to have our address out where it can be seen, we properly obfuscate it to try to thwart automatic email-sweeping programs.

When it comes to personal addresses, this isn't the case. Some of my email addresses are 10+ years old and are all over the net. They get >60 spams a day each and that's the way it's going to be. I accept this. My professional email address at work, though -- that one I practice the utmost on Safe Computing. As a result I've had nearly 2.5 years of absolutely spam-free performance. The trick is that I never really use it outside of the company unless I'm going over secure links to our customers.

Then, the poor foolish sap I am, I went to Verisign to purchase two SSL certificates for our company's email and WAP gateway servers. They were $900 each. I read their privacy policies. I checked and re-checked how I'm supposed to 'opt out' of all email and sharing of my email address. I even used their 'be double sure to remove me' web page area to remove my address just after the purchase.

Within the week of having purchased the certificate I had received 10 spams. All of them blatantly and proudly trumpeted that They Were Allowed To Send Me This. They'd gotten my name from Verisign, and Verisign said it was all cool. "You opted in! Yay!". *fume*

I re-re-reunsubscribed at Verisign and at the handful of 'trusted companies' that Verisign had sent my address to.

Within a month I was getting 20+ spams a day. They're now coming from fly-by-night junkmailers who have no pretense whatsoever of having got my address in any legit fashion. I am now having to use spam-filtering software on my work account, ruining two and a half years of pure, clean email practices.

My company was about to purchase 12 more certificates. That's $900 each, plus $500 each year to renew them. We are now definitely not going to use Verisign, and instead will seek out another competitor. Their abuse of their own privacy policy has just cost them $10,800 in initial purchases and $6500 a year in renewals. I also have the bulk of my 70+ domains on the Purrsia Project registered via Verisign. I had stuck with them because they were always reliable and they were the best at what they did, even if a little pricier. As domains come up for renewal I will now seek out all the wonderful alternatives out there that previously I was too lazy to go after. That's potentially up to $2500 a year they're going to lose.

IMHO, what just happened with my work email address and Verisign is the ugliest root of the spam problem. Sure, junkmailers will harvest, dictionary-attack and spoof things... but there are things you can do about that in the long run. It's when the legit companies start behaving in an unethical way that the problem turns from annoying to insidious.

   Trusted company collects address.
   Trusted company uses the address internally.
   Trusted company marks the address 'opt-in' against the consumer's wishes.
   Trusted company sells this 'opt in' list to partners.
     Partner companies start spamming.  
     Partner companies paid for this list, and want to make money off it.
     Partner companies sell the 'opt in' list to their partners.
         Distant partner company spams.  They also want to recoup their money.
         Distant partner company sells the 'opt in' list to their partners.
            (Indent from here, ad nauseam)
            Shady distant partner company says "hell with it" 
             and sells the lists to junk spammers. Hey, make money fast.
            Let the mass email spamming commence!

If you can't trust someone as far up the Certificate Authority trust chain as Verisign, who can you trust? Can you give your email address to any company in good faith and not have it violated, eventually ending up in the "BUY VIAGRA NOW!" crowd? How in the world is it in Verisign's best interest to have customers be able to track Nigerian email scams and breast enlargement spams directly to their company?

"Buy an SSL certificate for $900 and as an added bonus, you'll get MINI-RC-CAR BEST TOY EVER spams for free!"

Feh.

I've emailed and snailmailed a proper, fully detailed, spam-tracked-with-examples rant to Verisign. I've sent it to their customer support group, their privacy support group and our account rep. The snailmail one went to one of my manager's personal contacts up high in their management, and includes a signed letter by the officers of my company stating the dollar amounts Verisign has lost due to this incident. We'll see what kind of response I get.

Date: 2003-06-12 12:09 pm (UTC)
From: [identity profile] perlandria.livejournal.com
ugly!

but did Verisign just buy Thawte?

which stinks cus Thawte allowed *.name,suffix certs.

Date: 2003-06-12 01:01 pm (UTC)
From: [identity profile] foxmagic.livejournal.com
Yay! You rock. :-)

Me, the low-water-mark of spam attempts on my site was 60/day, but now I'm trying to attract more of it 'cos I do nassty things to foul up the open relays. :)

Date: 2003-06-12 01:11 pm (UTC)
From: [identity profile] centauress.livejournal.com
I've practiced as safe as I can with my addresses.

I've worked hard, with my spam-a-week average for the last five years. I respond to spam, and track down the entry points and websites and contacts and get them shut down.

It works, usually.

A couple months ago, a spammer whose accounts I had gotten revoked signed me onto dozens of lists in retribution, false name and all.

Verisign is one of several registrars who refuse to deal with complaints that their database has errors in it (people and addresses which don't exist), and continues to re-register domain names of spammers as they use and lose their sites.

Quote: 'It is not our responsibility for the customer, we just register their domain name.' That domain name is how they continue to use and abuse the network.

I hate it.

Date: 2003-06-12 02:17 pm (UTC)
From: [identity profile] hydra-velsen.livejournal.com
I have yet to receive an unwanted spam email, because I practice the six personal golden rules of email.

1 - Don't give anyone you don't know personally your email address if at all possible.

2 - Remove yourself from any mailing lists.

3 - Don't purchase products from any company whose website shows the least signs of poor grammar, bad design, or who looks like they tried to build the page themselves. Basically avoid anyone that looks low-class.

4 - Change your email address by one digit per year. (Hence the good part about trusted friends having it only)

5 - Get a hotmail account for business correspondence.

6 - When forced to supply an email address, use yet another trash hotmail address. (I opened up a trash hotmail addy just for shits and giggles and found over 400 pieces of spam in it, all from supplying my address to one DVD seller, who I shot off a nasty letter to, then got a very defensive and rude letter in return from.)

Spam via hotmail.

Date: 2003-06-12 04:01 pm (UTC)
From: [identity profile] cjthomas.livejournal.com
6 - When forced to supply an email address, use yet another trash hotmail address. (I opened up a trash hotmail addy just for shits and giggles and found over 400 pieces of spam in it, all from supplying my address to one DVD seller, who I shot off a nasty letter to, then got a very defensive and rude letter in return from.)

The spam may not have been due to the DVD reseller. Not only is hotmail dictionary-spammed from here to the moon, but I and a few others suspect that it flat out gives out its valid email addresses to spammers.

Run a control experiment, opening a hotmail account and sending *nothing* from it. The results may be enlightening.

Date: 2003-06-12 02:23 pm (UTC)
From: [identity profile] kibbles.livejournal.com
I know in Infoworld, The Gripe Line highlighted Verisign a few times over the years. (I miss that column.)

My dad, since retiring, is on an anti-junk mail crusade. Reading headers, making complaints, all that. Seriously, some guys take up golf. He took this up.

Engineers are WEIRD.

Date: 2003-06-12 02:42 pm (UTC)
From: [identity profile] kiala.livejournal.com
One of the advantages to owning one's own server and domain is the nice aliases file.. I currently add an alias for every website I need to give an address to, something to the effect of splash-yahoo@dreamchaos for yahoo addresses.. This way I can track down exactly who gave out my address.. I also add any server that tries to relay off me to the hosts.deny file permanently..

Good to see Verisign losing a sizable chunk of money due to their abuse though. If you're looking for a new registrar, might I recommend joker.com? They've given me excellent service, have a clean TOS and have never once spammed me or sold my address in my 6 years of using them..

It's a good option =>

Date: 2003-06-13 01:28 pm (UTC)
From: [identity profile] centauress.livejournal.com
I've had neutral response from joker, as several spammers registered with them recently.

However, after a couple weeks I stopped getting sites registered to them, so perhaps they do work. Some of their data is invalid.