NTL: email addresses obtained by spammers?

[nedsram]

Over the last two weeks I have received about ten emails. In every case they are sent to a single ntl email customer, and bcc-ed to an unknown number of other ntl email customers. The last one I received was addressed to me. They contain offers of pirated software at knockdown prices (e.g. XP Professional $49.95). They are flagged by NTL as spam, but I have opted to receive "spam" until I am satisfied that there are no "false positives".

I have several concerns about this:

1. It appears that spammers have obtained a list of ntl email addresses. As a result of this I could - if I wished - collect email addresses of other users. In other words I believe that there has been a security breach at NTL. I had a similar problem with tesco.net a few years ago. Naturally they denied that there had been a security breach, even though one of the recipients was their own marketing department.

2. The emails are deliberately dressed up to appear very similar to those sent out by Amazon. They include numerous graphical links to amazon.com. I informed Amazon of this development, together with details of IP addresses, and received the appended reply. (The odds against the email addresses being "randomly generated" is extremely high.)

3. If you are enticed into buying this pirated software, you will be directed to a website hosted in China (I did a whois lookup on the IP address). There you will be directed to a "secure payment" site, also hosted in China, and asked for your credit card details. In other words this is a phishing attempt. The reason they cite for being able to offer the software so cheaply is that it is "only available by download, so no fancy packaging...". Nice try - must do better next time. Note that Amazon require you to log in before accepting orders, and they will normally use credit card details previously registered with your account.

If anybody wants me to post the contents of this email, or anybody from NTL would like a copy forwarded, please let me know.

----------
Amazon response:
Thank you for writing to Amazon.co.uk.

The e-mail you received did not originate from Amazon.co.uk and we
had no part in it or its content. It is not the policy of
Amazon.co.uk nor Amazon.com to request payment card numbers by e-mail
and we would never write to a customer to ask them to do so, as
electronic mail does not provide security.

Please rest assured that we understand your concerns regarding the
e-mail message you received. We are also very concerned about the
implications of this message and the misappropriated use of our name,
and we are currently investigating this situation.

You should not send any information about yourself back to the e-mail
that you received (especially any credit or debit card numbers or
personal information).

Also, please be assured that Amazon.co.uk is not in the business of
selling customer information. Many spammers and spoofers use programs
that randomly generate e-mail addresses, in the hope that some
percentage of these randomly-generated addresses will actually
exist. Further altering the appearance of the sender in e-mail
headers can be a relatively simple process and copying the general
appearance of a website is also simple.

If you encounter any other uses of the Amazon.co.uk or indeed, the
Amazon.com name that you think may be fraudulent, please do not
hesitate to contact us again. The Internet is a large and fairly
unregulated universe; it is only through our constant vigilance and
with the help of others like yourself that we can ensure that our
name is not misappropriated for illegitimate uses.

We hope that we have been able to alleviate your concerns. Thank you
again for alerting us to this situation.

Warmest regards

Rocke W.
Customer Service
Amazon.co.uk
----------

Thanks for the warning - however I doubt there has been a security breach, they are quite possibly using a list generated out of common words and people's names, all hit and miss - many emails will fail or bounce, but some will get through. I get spam at my work addy, with a load of other people's names @myemployer.com copied in, and I know for a fact that many of the names on the email don't exist in our address book.

[MovedGoalPosts]

Spammers frequently just send a whole list of mailings commonly guessing email addys and domains. The big domains are ideal targets. If you then have an easily guessed dictionary user name, that's it you are on a list.

If you email addy has been published on the web somewhere, you've got it on your website, or youv'e made the mistake of posting it to a forum or whatever, bots will have found it, recorded it for posterity, and sent it to dozens of spammers. It's all too easy.

I got rid of most of my ntl spam by the simple expedient of having an unusual user name, and never publicly posting it.

[nedsram]

Quote:

Originally Posted by Rob C

If you then have an easily guessed dictionary user name, that's it you are on a list.

I'm far from convinced by that argument, although of course I can't prove it either way. Once this started with my Tesco account, the number of spam messages increased exponentially - presumably as they sold on the stolen list of email addresses to other people. Eventually I was forced to abandon my Tesco email account, as it was receiving about 100 spam messages a day - and I had been very careful not to disclose my email address in Usenet or anywhere else.

BTW my email address is of the form joe.bloggs23@ntlworld.com (heavily munged). Another interesting thing - which I also noticed at Tesco - was that only my primary email address gets the spam. None of the secondary ones I created receive any of it. (Yes, I've turned off the spam filter for all of them.) Which tends to support the theory that somebody has obtained a list of primary email addresses I'm afraid - especially as some of the seconday email addresses would be much easier to generate randomly than mine.

I'll check back tomorrow and see how this thread develops.

Brian

[fireman328]

I am getting properly addressed, first and last name spam, it would be very difficult for any spammer to get lucky and guess as my name is, as far as I know, unique so there would appear to be some list somewhere.

[patrickp]

Quote:

Originally Posted by nedsram

BTW my email address is of the form joe.bloggs23 at ntlworld.com (heavily munged). Another interesting thing - which I also noticed at Tesco - was that only my primary email address gets the spam. None of the secondary ones I created receive any of it. (Yes, I've turned off the spam filter for all of them.) Which tends to support the theory that somebody has obtained a list of primary email addresses I'm afraid - especially as some of the seconday email addresses would be much easier to generate randomly than mine.

Brian

Has it occurred to you that there may well be a real joe.bloggs23 with ntl, Brian? If you're going to post even imaginary addresses in a forum, it's wise either to present them in a form that they're not readable as valid email addresses, or to ensure that they are not existing addresses or for existing domains - even if the address doesn't exist, the domain's servers will still get the mail and have to deal with it.

Certainly, it's true that spammers are unlikely to be trawling a forum like this, but it's not impossible, and it's also a very bad habit to get into.

And, incidentally, the format of email address you've presented _is_ likely to be duplicated by spammers' address generators. Do you think they don't know that ISPs usually discriminate between customers with the same name by adding a number after the name? You'll have to be a little more subtle than that.

[jonifen]

I'd recommend (if using Outlook) to look into the email properties and check the MIME headers of the email - may give an idea as to where the email originated from and action could be taken from there.
It may be worth looking into using a program like Mailwasher to fire emails back where they came from for a few weeks - see if this helps reduce the amount of spam emails received. It may actually help (it has done for me in the past).

[jonbr]

Quote:

Originally Posted by fireman328

I am getting properly addressed, first and last name spam, it would be very difficult for any spammer to get lucky and guess as my name is, as far as I know, unique so there would appear to be some list somewhere.

One of your friends, or companies, you have exchanged emails with may have a virus which is sending out spam emails. These virus use the infected computers contact list to get the address of other peoples email and infect their PC. Then is does it again, and again, and again......

[nedsram]

Quote:

Originally Posted by jonbr

One of your friends, or companies, you have exchanged emails with may have a virus which is sending out spam emails. These virus use the infected computers contact list to get the address of other peoples email and infect their PC. Then is does it again, and again, and again......

I don't think this is the problem here. The emails I was referring to are sent to several different NTL email addresses (how many I have no idea as all but one are BCC), and I have yet to see one where the main recipient wasn't an NTL email address. Too many coincidences there...

However about 3 days ago these emails suddenly stopped, so maybe somebody has tracked down the source of them.

For now I'll keep the NTL spam filter turned off though, as in the last 24 hours is has flagged 2 genuine emails (one from CNet) as spam.

[nedsram]

Quote:

Originally Posted by nedsram

However about 3 days ago these emails suddenly stopped, so maybe somebody has tracked down the source of them.

That was tempting providence wasn't it. Another arrived just now. Here are the headers (and I hope Patrickp isn't upset this time):

------------------------------

Return-Path: <WinnieXiong@fones4all.com>
Received: from aamta06-winn.ispmail.ntl.com ([81.103.221.35])
by mta05-winn.ispmail.ntl.com with ESMTP
id <20051119040012.NVIJ28994.mta05-winn....spmail.ntl.com>;
Sat, 19 Nov 2005 04:00:12 +0000
Received: from user-0c6tokc.cable.mindspring.com ([24.110.226.140])
by aamta06-winn.ispmail.ntl.com with SMTP
id <20051119040006.OQQX18434.aamta06-win...mindspring.com>;
Sat, 19 Nov 2005 04:00:06 +0000
Received: from tWG@localhost by 799.int (8.11.6/8.11.6); Fri, 18 Nov 2005 22:16:29 -0600
Message-ID: <kgi40Uj8seIakLtGUlE42u28@francekeys.com>
From: "Wendy Acevedo" <WinnieXiong@fones4all.com>
Reply-To: "Wendy Acevedo" <WinnieXiong@fones4all.com>
To: foo.bar@entee-ell.com
Subject: [SPAM?] Huge $avings on ALL best-selling Macromedia titles
Date: Sat, 19 Nov 2005 02:13:29 -0200
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
X-Sender: WinnieXiong@fones4all.com
Content-Type: multipart/mixed; boundary="--ACLzoXmwsHcnbS4IswL"

------------------------------

It appears that the email has come from the USA - possibly California.

Brian

[Watchman]

a few years ago, my brother who works in communications, was offered an ntl email list (within the last 4)

can't remember the exact details, too distant and hazy now

[patrickp]

Quote:

Originally Posted by nedsram

Quote:

That was tempting providence wasn't it. Another arrived just now. Here are the headers (and I hope Patrickp isn't upset this time):

------------------------------

Return-Path: <WinnieXiong at fones4all.com>
Received: from aamta06-winn.ispmail.ntl.com ([81.103.221.35])
by mta05-winn.ispmail.ntl.com with ESMTP
id <20051119040012.NVIJ28994.mta05-winn....spmail.ntl.com>;
Sat, 19 Nov 2005 04:00:12 +0000
Received: from user-0c6tokc.cable.mindspring.com ([24.110.226.140])
by aamta06-winn.ispmail.ntl.com with SMTP
id <20051119040006.OQQX18434.aamta06-win...mindspring.com>;
Sat, 19 Nov 2005 04:00:06 +0000
Received: from tWG@localhost by 799.int (8.11.6/8.11.6); Fri, 18 Nov 2005 22:16:29 -0600
Message-ID: <kgi40Uj8seIakLtGUlE42u28@francekeys.com>
From: "Wendy Acevedo" <WinnieXiong at fones4all.com>
Reply-To: "Wendy Acevedo" <WinnieXiong at fones4all.com>
To: foo.bar at entee-ell.com
Subject: [SPAM?] Huge $avings on ALL best-selling Macromedia titles
Date: Sat, 19 Nov 2005 02:13:29 -0200
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
X-Sender: WinnieXiong at fones4all.com
Content-Type: multipart/mixed; boundary="--ACLzoXmwsHcnbS4IswL"

------------------------------

It appears that the email has come from the USA - possibly California.

Brian

The 'fones4all.com' address is for a Californian company called, of course, fones4all. See here for a brief description of what they do. They would appear to be a telephone service dedicated to supplying a low-cost service to underprivileged households in Southern California who might not even be able to have a telephone service without an organisation like this.

It would therefore seem unlikely that they're the real source of a spam email pushing "ALL best-selling Macromedia titles," the return-to address would appear to be spoofed (it would seem to come from a mindspring.com user, and fones4all appear to use "the telecommunications infrastructures of SBC and Verizon" for their service), and I find it somewhat churlish to post an email address at their domain in a public forum - whether or not they actually have a Winnie Xiong, any spam arising from that post will still have to be dealt with by their servers. It may not be that likely from a post in a forum like this, but it's not impossible, and I really think you should be more careful about the email addresses you post, nedsram.

I notice you've taken care to obfuscate your own email address ("foo.bar at entee-ell.com") in this. Why is that?

[nedsram]

Quote:

Originally Posted by patrickp

I notice you've taken care to obfuscate your own email address ("foo.bar at entee-ell.com") in this. Why is that?

I took the trouble to post details of what is in my view a serious violation of email rules, as well as an apparent security breach. I also published the headers in the hope that it would help somebody to track down the source of these messages. In return I get flamed.

For your information, the email address I obfuscated wasn't mine - I was in the bcc list. As for the other email address you mentioned, I can assure you that it is genuine. Have you perhaps considered that the owner may have had her PC infiltrated, and is unaware of this?

I won't be reading - or contributing to - this thread again. Thanks to everybody else for the useful discussions.

Brian

[patrickp]

Quote:

Originally Posted by nedsram

Quote:

I took the trouble to post details of what is in my view a serious violation of email rules, as well as an apparent security breach. I also published the headers in the hope that it would help somebody to track down the source of these messages. In return I get flamed.

For your information, the email address I obfuscated wasn't mine - I was in the bcc list. As for the other email address you mentioned, I can assure you that it is genuine. Have you perhaps considered that the owner may have had her PC infiltrated, and is unaware of this?

I won't be reading - or contributing to - this thread again. Thanks to everybody else for the useful discussions.

Brian

My point about the email address was, I thought, quite obvious - not that you shouldn't have obscured it, but to ask again, if not directly, why you found it necessary to post someone's (who was clearly _not_ the author of the spam email) email address in full in a public forum.

If you want to complain about receiving spam, fine. If you want to post about ntl selling on email addresses, I think you're wrong, but but I have no problems with you arguing the point. But posting people's email addresses in a public forum is _not_ acceptable behaviour for me, and I have to say that I think the less of you for throwing a temper tantrum rather than simply taking it on board and refraining from doing it again. I had pointed out to you once before that this is not an appropriate thing to post.

[nedsram]

OK I'm going to break my silence Patrick.

I undertstand your concerns about publishing email addresses, although I think that you are over-reacting. However I won't publish any in future.

The number of spam emails I am receiving is now starting to increase. Note that only my primary email address is receiving them. Today, as well as yet another offer of pirated software, I have received:

o confirmation of my "registration";
o information on how to enlarge a certain member;
o an email from the "FBI" that I have visited 30 illegal web sites, and must complete and return the attached form.

This is depressingly reminiscent of what happened at tesco.net a few years ago. At least I can turn the spam filter on, so that I don't get any of this junk (and lose a few genuine emails as well). However if anybody from NTL is reading this, I suggest that you monitor the levels of spam email received, as my prediction is that it will rise continuously (as people sell off this illegally obtained list of email addresses to other spammers). I would also suggest that NTL might like to investigate how a list of primary email addresses got into spammers' hands in the first place.

OK Patrick, I know you think I am wrong on this one as well, but sadly I have been here before, and all the evidence points to the conclusion I have drawn. I also recall somebody else suggesting that a copy might have been sold by an unscrupulous employee.

What I may have to end up doing is create a new seconday email address for myself, and using that instead of the primary one. I could then set up a mail rule for everything received on my primary address to be deleted at the server. However let's hope it doesn't come to that.