Don't use your real email address on UKbikestore.co.uk

Jamey
Jamey Posts: 2,152
edited March 2009 in Commuting chat
I use a clever anti-spam service called Sneakemail. If you want to know exactly how it works you can click here but the basic gist is that it lets you see exactly who gave your email address to the spammers by allowing you to create a new, unique, tagged email address for every single website you need to register with.

So, to cut to the chase, yesterday morning I received some spam email from the address I have registered with UKbikestore.co.uk. I don't know how the spammers got this address but I would assume that UKbikestore have been the victims of some kind of malicious activity rather than it being a case of them selling email addresses.

I sent the following email to UKbikestore yesterday but have not had any reply from them yet:
Hello.

I think that the email address I have registered with you has somehow ended up in the hands of spammers and I'm concerned that they've obtained it through your website and possibly the email addresses of your other registered users too.

At this point you may be thinking that there are hundreds of places that spammers could have got my email address but please allow me to explain properly.

I use an anti-spam service called Sneakemail. They allow you to create a unique email address for every single website (or person) that you need to give your email address to. When you create each new, unique address you tag it with a name so for instance, the address I created when I registered with your site had the tag "ukbikestore".

This new address redirects to your real email address but, more importantly, the service alters the "from" field of the email to contain the tag you entered when you created the address.

This means that if the address ever ends up in the hands of spammers, you can see which website the spammers got the address from because the emails from the spammers contain the same tag.

This morning, I received some spam email (specifically a phishing email, pretending to be from cahoot internet banking who I do not have an account with) from the sneakemail address I have registered with you, so somehow the spammers have managed to discover my registered email address through your website.

Please can you investigate this matter and see how my details could have been discovered?

If you would like to read more about how the Sneakemail service works (I've tried to explain it but there's more to it than I've been able to mention here) you can go to their website here:
http://www.sneakemail.com/info.pl/12367 ... l=faq&sid=

Thank you, hope to hear from you soon.
Jamey Howard

I would also highly recommend Sneakemail to anyone not using it already. It's free and very effective if used properly.
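
The leak-tracing idea described in the post above, as an added example that is not part of the original thread and not Sneakemail's own code: each inbound message is mapped from its recipient alias to the site that alias was given to, and any sender outside that site's expected domains is reported. The alias registry, the `+tag` fallback, all addresses and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: one alias per site (all addresses are placeholders).
ALIASES = {"k3x9q2vb@alias.example": "ukbikestore",
           "p7m4z1tc@alias.example": "forum"}
# Assumption: the domains each tagged site legitimately mails from.
EXPECTED = {"ukbikestore": {"ukbikestore.co.uk"}, "forum": {"forum.example"}}

def tag_for(address):
    """Map a recipient address to its tag: alias registry first, then +tag."""
    addr = address.strip().lower()
    if addr in ALIASES:
        return ALIASES[addr]
    local = addr.rpartition("@")[0]
    return local.split("+", 1)[1] if "+" in local else None

def classify(raw):
    """Return (tag, sender_domain, expected) for each recipient of one message."""
    msg = message_from_string(raw)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Delivered-To", []))
    # From is unauthenticated: a match is weak evidence, a mismatch is the signal.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = []
    for _, rcpt in rcpts:
        tag = tag_for(rcpt)
        ok = any(domain == d or domain.endswith("." + d)
                 for d in EXPECTED.get(tag, ()))
        out.append((tag, domain, ok))
    return out

def leak_report(raw_messages):
    """Group unexpected sender domains by the tag whose alias they reached."""
    report = {}
    for raw in raw_messages:
        for tag, domain, ok in classify(raw):
            if tag and not ok:
                report.setdefault(tag, set()).add(domain)
    return report

# Constructed sample mail: one genuine order mail, one phish, one +tag, one untagged.
SAMPLES = [
    "From: orders@ukbikestore.co.uk\nTo: k3x9q2vb@alias.example\n\nOrder shipped",
    "From: Bank <sec@bank-update.example>\nTo: k3x9q2vb@alias.example\n\nUpdate now",
    "From: news@mail.forum.example\nTo: me+forum@mydomain.example\n\nDigest",
    "From: bulk@spam.example\nTo: info@mydomain.example\n\nOffer",
]

if __name__ == "__main__":
    for tag, domains in leak_report(SAMPLES).items():
        print(f"alias tagged '{tag}' received mail from: {sorted(domains)}")
```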

Comments

  • cee
    cee Posts: 4,553
    the other alternative is that the spammers got your address through sneakemail..... :wink:
    Whenever I see an adult on a bicycle, I believe in the future of the human race.

    H.G. Wells.
  • Jamey
    Jamey Posts: 2,152
    Nope, not possible.
  • itboffin
    itboffin Posts: 20,064
    @Jamey you have even more free time on your hands than me :P

    Do you have a tin foil liner under your cycle helmet :roll: :lol:
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • Jamey
    Jamey Posts: 2,152
    Hey... I've been waiting ages for Sneakemail to expose a reasonably respectable website as the source of a leak to spammers. Don't rob me of my moment, dammit :)
  • cee
    cee Posts: 4,553
    Jamey wrote:
    Nope, not possible.

    Not Possible??? Why...because they say they won't let anyone get the sneakemail addresses? On their word that their infrastructure and software is secure?

    Of course it is possible. Most hacks are really just inside jobs or social engineering. It would only take one admin to sell off a bunch of mail addresses. Of course this would also be true of 'pick an online retailer'

    Just pointing out that it is possible that sneakemail are the source, not saying that they are.
  • Jamey
    Jamey Posts: 2,152
    You'd have to be pretty stupid to break into Sneakemail and steal the fake (ie redirecting) email address instead of the real email address.

    Plus there would be thousands of users affected and I'm sure the admins would have notified people by now.
  • I have unlimited e-mail addresses with my ISP, have been doing this for years.
  • Jamey
    Jamey Posts: 2,152
    I've got unlimited email addresses on my domain but I still find Sneakemail much easier to use, plus it hides the whole domain as well as the specific mailbox.
  • cee
    cee Posts: 4,553
    As I said... most spammers buy mailing lists from peed off staff. Would seem a pretty good way to hide your true source to me.

    Anyway....another (old) way is with sendmail based mail servers.....you could always add the +tag stuff to email addresses which would give the same tagging effect.
  • Jamey
    Jamey Posts: 2,152
    Well look... It's extremely unlikely that the spammers got my email address (not even my real one, just one of several hundred redirects) from a small service specifically designed to combat spam.

    So unlikely, in fact, that you're basically just arguing for the sake of it.
  • itboffin
    itboffin Posts: 20,064
    FACT spammers buy lists of ISP and your most trusted sources, believe me I'm very well informed on the subject :roll:
  • Throlkim
    Throlkim Posts: 94
    I switched my domains over to gmail last year. Haven't seen any spam since, and I get 80 junk emails a day. :D
  • Jamey wrote:
    You'd have to be pretty stupid to break into Sneakemail and steal the fake (ie redirecting) email address instead of the real email address.

    Not really, the spam got through. Job done.

    'Fake' or not, a live email address is spammer gold.

    As an aside, how are sneakemail addresses formatted? Are they easy to guess?

    Edit: Just found a few examples. They are easy(ish) to guess. Somebody has probably written a small app to generate random sneakemail addresses and send out quite a bit of spam.
  • DonDaddyD
    DonDaddyD Posts: 12,689
    I have never read so much geek speak in my life!

    "Spammers... nerrrr!"
    "I've got unlimited email address... so neerrr nerrr"
    "Well I've got unlimited hosting rights and a domain name so there"
    "My PC has quad core and 800gb of ram!!!!"
    "Well my PC is friggen Skynet, DIE MAN KNID!!!"

    Guys, sheesh! Stand shoulder to shoulder and ITB will measure who is the most manly!

    :roll: :roll: :roll:
    Food Chain number = 4

    A true scalp is not only overtaking someone but leaving them stopped at a set of lights. As you, who have clearly beaten the lights, pummels nothing but the open air ahead. ~ 'DondaddyD'. Player of the Unspoken Game
  • Jamey
    Jamey Posts: 2,152
    itboffin wrote:
    FACT spammers buy lists of ISP and your most trusted sources, believe me I'm very well informed on the subject :roll:

    My ISP doesn't have my email address - I've never given it to them. I have my own domain(s).

    If UKbikestore have sold my email address then this thread has even more purpose - none of you should be giving your real email address to them.

    As for auto-generating random sneakemail addresses, that would be a ridiculous waste of bandwidth. The hit rate would be far less than one percent. And by hit rate I mean emails successfully delivered. The hit rate for people actually clicking the link in the spam email would be less than one percent of one percent.
  • Guessing is what a lot of spammers do. If you own your own domain, set up a catch-all mail account and look at what comes in.

    Bandwidth is cheap, especially when you don't have to pay for it. Botnets are the king of the spam world.
  • Jamey
    Jamey Posts: 2,152
    Actually, maybe we can do an experiment...

    Is anyone else here registered with UKbikestore? Have you been registered more than a week or two? Did you get a spam email yesterday morning (or maybe during the night on Tuesday) purporting to be from Cahoot internet banking?
  • Jamey
    Jamey Posts: 2,152
    schlafsack wrote:
    Guessing is what a lot of spammers do. If you own your own domain, set up a catch-all mail account and look at what comes in.

    Bandwidth is cheap, especially when you don't have to pay for it. Botnets are the king of the spam world.

    I've already tried the catch-all mailbox before and yes, it garners spam but the guesses aren't random, they try obvious things like info@, mail@, john@, steve@, dave@, webmaster@, technical@, support@, etc etc etc.

    With Sneakemail there are quadrillions of possibilities. In fact there are probably more but I don't know what the next "illion" above quadrillion is.

    In the six years I've been using the service I would have seen more than one fluke like this if the spammers were having any joy at all.

    If it takes you six years of constant bandwidth-hogging to get one email delivered that's a terrible hit rate.
  • antfly
    antfly Posts: 3,276
    I ordered something off ukbikestore for the first time this week (apart from a helmet I bought years ago) and the very next day my card was used for fraud. It makes me a bit suspicious. Fortunately MBNA were alert as I never spend £150 on make-up! My card is now suspended which means my order with ukbikestore can't go through, ironically perhaps.

    The only spam I got was the usual penis enlargement stuff. Needless to say I didn't buy it.
    Smarter than the average bear.
  • Underscore
    Underscore Posts: 730
    Jamey wrote:
    Actually, maybe we can do an experiment...

    Is anyone else here registered with UKbikestore? Have you been registered more than a week or two? Did you get a spam email yesterday morning (or maybe during the night on Tuesday) purporting to be from Cahoot internet banking?

    Yep, I use http://www.spamgourmet.com to do a similar thing to you and I got a phishing mail claiming to be from Cahoot, sent to the mail address I used to register with UK Bike Store. I also sent them an e-mail informing them and have yet to receive a reply.

    _
  • KonaKurt
    KonaKurt Posts: 720
    Jamey - YES ME TOO!

    I purchased something from UKBikeStore last week, and I too got exactly the same spamming email from 'Cahoot Internet Banking' asking me to click a link and 'update' my details..! To do so, would be lethal of course!

    I think you hit the bullseye here, I think UKBikeStore is likely to be responsible for the Cahoot spam. I will send them the same email that you did, pointing out the problem. And I will close my account with them and never use them again, because I don't appreciate being spammed by a retailer that I chose to spend my hard earnt cash with.

    KK.
  • itboffin
    itboffin Posts: 20,064
    Stop surfing porn then your email addresses wouldn't be harvested :lol:

    Perv :roll: