Don't use your real email address on UKbikestore.co.uk

Jamey
Jamey Posts: 2,152
edited March 2009 in Commuting chat
I use a clever anti-spam service called Sneakemail. If you want to know exactly how it works you can click here but the basic gist is that it lets you see exactly who gave your email address to the spammers by allowing you to create a new, unique, tagged email address for every single website you need to register with.

So, to cut to the chase, yesterday morning I received some spam email from the address I have registered with UKbikestore.co.uk. I don't know how the spammers got this address but I would assume that UKbikestore have been the victims of some kind of malicious activity rather than it being a case of them selling email addresses.

I sent the following email to UKbikestore yesterday but have not had any reply from them yet:
Hello.

I think that the email address I have registered with you has somehow ended up in the hands of spammers and I'm concerned that they've obtained it through your website and possibly the email addresses of your other registered users too.

At this point you may be thinking that there are hundreds of places that spammers could have got my email address but please allow me explain properly.

I use an anti-spam service called Sneakemail. They allow you to create a unique email address for every single website (or person) that you need to give your email address to. When you create each new, unique address you tag it with a name so for instance, the address I created when I registered with your site had the tag "ukbikestore".

This new address redirects to your real email address but, more importantly, the service alters the "from" field of the email to contain the tag you entered when you created the address.

This means that if the address ever ends up in the hands of spammers, you can see which website the spammers got the address from because the emails from the spammers contain the same tag.

This morning, I received some spam email (specifically a phishing email, pretending to be from cahoot internet banking who I do not have an account with) from the sneakemail address I have registered with you, so somehow the spammers have managed to discover my registered email address through your website.

Please can you investigate this matter and see how my details could have been discovered?

If you would like to read more about how the Sneakemail service works (I've tried to explain it but there's more to it than I've been able to mention here) you can go to their website here:
http://www.sneakemail.com/info.pl/12367 ... l=faq&sid=

Thank you, hope to hear from you soon.
Jamey Howard

I would also highly recommend Sneakemail to anyone not using it already. It's free and very effective if used properly.

Comments

  • cee
    cee Posts: 4,553
    the other alternative is that the spammers got your address through sneakemail..... :wink:
    Whenever I see an adult on a bicycle, I believe in the future of the human race.

    H.G. Wells.
  • Jamey
    Jamey Posts: 2,152
    Nope, not possible.
  • itboffin
    itboffin Posts: 20,062
    @Jamey you have even more free time on your hands than me :P

    Do you have a tin foil liner under your cycle helmet :roll: :lol:
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • Jamey
    Jamey Posts: 2,152
    Hey... I've been waiting ages for Sneakemail to expose a reasonably respectable website as the source of a leak to spammers. Don't rob me of my moment, dammit :)
  • cee
    cee Posts: 4,553
    Jamey wrote:
    Nope, not possible.

    Not Possible??? Why...because they say they won't let anyone get the sneakemail addresses? On their word that their infrastructure and software is secure?

    Of course it is possible. most hacks are really just inside jobs or social engineering. It would only take one admin to sell of a bunch of mail addresses. Of course this would also be true of 'pick an online retailer'

    Just pointing out that it is possible that sneakemail are the source, not saying that they are.
    Whenever I see an adult on a bicycle, I believe in the future of the human race.

    H.G. Wells.
  • Jamey
    Jamey Posts: 2,152
    You'd have to be pretty stupid to break into Sneakemail and steal the fake (ie redirecting) email address instead of the real email address.

    Plus there would be thousands of users affected and I'm sure the admins would have notified people by now.
  • I have unlimited e-mail addresses with my ISP have been doing this for years.
  • Jamey
    Jamey Posts: 2,152
    I've got unlimited email addresses on my domain but I still find Sneakemail much easier to use, plus it hides the whole domain as well as the specific mailbox.
  • cee
    cee Posts: 4,553
    as i said...most spammers buy mailing lists from peed off staff. would seem a pretty good way to hide your true source to me.

    Anyway....another (old) way is with sendmail based mail servers.....you could always add the +tag stuff to email addresses which would give the same tagging effect.
    Whenever I see an adult on a bicycle, I believe in the future of the human race.

    H.G. Wells.
  • Jamey
    Jamey Posts: 2,152
    Well look... It's extremely unlikely that the spammers got my email address (not even my real one, just one of several hundred redirects) from a small service specifically designed to combat spam.

    So unlikely, in fact, that you're basically just arguing for the sake of it.
  • itboffin
    itboffin Posts: 20,062
    FACT spammers buy lists of ISP and your most trusted sources, believe me I'm very well informed on the subject :roll:
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • Throlkim
    Throlkim Posts: 94
    I switched my domains over to gmail last year. Haven't seen any spam since, and I get 80 junk emails a day. :D
  • Jamey wrote:
    You'd have to be pretty stupid to break into Sneakemail and steal the fake (ie redirecting) email address instead of the real email address.

    Not really, the spam got through. Job done.

    'Fake' or not, a live email address is spammer gold.

    As an aside, how are sneakemail addresses formatted? Are they easy to guess?

    Edit: Just found a few examples. They are easy(ish) to guess. Somebody has probably written a small app to generate random sneakemail addresses and send out quite a bit of spam.
  • DonDaddyD
    DonDaddyD Posts: 12,689
    I have never read so much geek speak in my life!

    "Spammers... nerrrr!"
    "I've got unlimited email address... so neerrr nerrr"
    "Well I've got unlimted hosting rights and a domain name so there"
    "My PC has quad core and 800gb of ram!!!!"
    "Well my PC is friggen Skynet, DIE MAN KNID!!!"

    Guys, sheesh! Stand shoulder to shoulder and ITB will measure who is the most manly!

    :roll: :roll: :roll:
    Food Chain number = 4

    A true scalp is not only overtaking someone but leaving them stopped at a set of lights. As you, who have clearly beaten the lights, pummels nothing but the open air ahead. ~ 'DondaddyD'. Player of the Unspoken Game
  • Jamey
    Jamey Posts: 2,152
    itboffin wrote:
    FACT spammers buy lists of ISP and your most trusted sources, believe me I'm very well informed on the subject :roll:

    My ISP doesn't have my email address - I've never given it to them. I have my own domain(s).

    If UKbikestore have sold my email address then this thread has even more purpose - none of you should be giving your real email address to them.

    As for auto-generating random sneakemail addresses, that would be a ridiculous waste of bandwidth. The hit rate would be far less than one percent. And by hit rate I mean emails successfully delivered. The hit rate for people actually clicking the link in the spam email would be less than one percent of one percent.
  • Guessing is what a lot of spammers do. If you own your own domain, set up a catch-all mail account and look at what comes in.

    Bandwidth is cheap, especially when you don't have to pay for it. Botnets are the king of the spam world.
  • Jamey
    Jamey Posts: 2,152
    Actually, maybe we can do an experiment...

    Is anyone else here registered with UKbikestore? Have you been registered more than a week or two? Did you get a spam email yesterday morning (or maybe during the night on tuesday) purporting to be from Cahoot internet banking?
  • Jamey
    Jamey Posts: 2,152
    schlafsack wrote:
    Guessing is what a lot of spammers do. If you own your own domain, set up a catch-all mail account and look at what comes in.

    Bandwidth is cheap, especially when you don't have to pay for it. Botnets are the king of the spam world.

    I've already tried the catch-all mailbox before and yes, it garners spam but the guesses aren't random, they try obvious things like info@, mail@, john@, steve@, dave@ webmaster@, technical@, support@, etc etc etc.

    With Sneakemail there are quadrillions of possibilities. In fact there are probably more but I don't know what the next "illion" above quadrillion is.

    In the six years I've been using the service I would have seen more than one fluke like this if the spammers were having any joy at all.

    If it takes you six years of constant bandwidth-hogging to get one email delivered that's a terrible hit rate.
  • antfly
    antfly Posts: 3,276
    I ordered something off ukbikestore for the first time this week {apart from a helmet I bought years ago) and the very next day my card was used for fraud.It makes me a bit suspicious.Fortunately MBNA were alert as I never spend £150 on make-up! My card is now suspended which means my order with ukbikestore can`t go through,ironically perhaps.

    The only spam I got was the usual penis enlargement stuff.Needless to say I didn`t buy it.
    Smarter than the average bear.
  • Underscore
    Underscore Posts: 730
    Jamey wrote:
    Actually, maybe we can do an experiment...

    Is anyone else here registered with UKbikestore? Have you been registered more than a week or two? Did you get a spam email yesterday morning (or maybe during the night on tuesday) purporting to be from Cahoot internet banking?

    Yep, I use http://www.spamgourmet.com to do a similar thing to you and I got a phishing mail claiming to be from Cahoot, sent to the mail address I used to register with UK Bike Store. I also sent them an e-mail informing them and have yet to receive a reply.

    _
  • KonaKurt
    KonaKurt Posts: 720
    Jamey - YES ME TOO!

    I purchased something from UKBikeStore last week, and I too got exactly the same spamming email from 'Cahoot Internet Banking' asking me to click a link and 'update' my details..! To do so, would be lethal of course!

    I think you hit the bullseye here, I think UKBikeStore is likely to be responsible for the Cahoot spam. I will send them the same email that you did, pointing out the problem. And I will close my account with them and never use them again, because I don't appriciate being spammed by a retailer that I chose to spend my hard earnt cash with.

    KK.
  • itboffin
    itboffin Posts: 20,062
    Stop surfing porn then your email addresses wouldn't be harvested :lol:

    Perv :roll:
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.