Email Lists

23 Oct 2010

The Problem

Last week I came across a data set of 1 million email addresses whose owners were said to have "opted in" to spam. It listed: email, name, address, city, state, zip, extended zip, phone number, date of birth, time added, IP and the source.

To anyone, that's a lot of personal information!

How did they get this information? I had a look at the sources column, which contained these distinct values:

classifieds.com
amny.com
chicagotribune.com
baltimoresun.com
washingtonpost.com
careerbuilder.com
greenwichtime.com
orlandosun.com
apartments.com
metpronews.com
dailypress.com
courant.com
latimes.com
sun-sentinel.com
stamfordadvocate.com

My theory is they filled in all this unnecessary information on signup and left a box ticked that allowed the website to share this information.

The Attack

eBay sent this message to Steven Roddis (steven*****). Your registered name is included to show this message originated from eBay.

With a dump like the one I found, it's easy to spoof eBay emails with more apparent legitimacy.

The Mitigation

Use fake info everywhere; sites like http://www.bugmenot.com, http://www.mailinator.com and http://www.fakenamegenerator.com can help.

Of course your bank and eBay should know your real name, DOB, etc., but the LA Times can think I'm:

Beulah Williams
4263 Joseph Street
Milwaukee, WI 53226