(last edited on April 29, 2014 at 1:28 am)
Lately I’ve been getting email on one of my unpublished email addresses. It’s the kind of fun mail that we all love, with email attachments of a mysterious nature. But what’s really mysterious is how this email address got “out in the open” to begin with.
This is the address that’s used by my contact form AND for comments out on the internet. They used to be separate, but I merged them by accident a few months ago and never switched them back. Doh. Wish I had.
- It’s possible this address was harvested from someone I wrote back to who hasn’t scrubbed their computer free of viruses and other malware. This is a good reminder; I should be careful of which email addresses I use for public contact. I might even use an entirely-different email account and email program for this now, but it’s probably inevitable that someone using an unsecured computer is going to have an accident.
It’s possible that this address was harvested from a blog comment, if somehow that information was exposed on the back-end.
Maybe there’s a security hole in my WordPress setup. The email address, though, is stored in a database which theoretically is secure, unless some kind of traffic intercept occured between me and the database. It’s not otherwise stored in any static files on my webserver.
This is the most alarming thought: I may have replied to a contact email to answer what I thought was a genuine question, but it was actually a social engineering attack to harvest a return email. I just looked through the past emails I’ve received through the contact form that are the “fishiest”, and one in particular triggers several alarms. Hindsight is 20:20. It’s written as an innoculous inquiry about what I charge for design work. It could actually be a real inquiry, but as the sender hasn’t replied to my email I’m now a little suspicious. In the future I’m going to be much more discerning between what looks like a serious inquiry versus one that may not be (or something worse).
p>A marketing person I used to work once told me that a certain number of sales calls are just fishing attempts from other agencies, recruiters, other sales people, or builders of commercial databases. When someone is dangling the possibility of work on the other end of the line, we’re much more willing to extend the trust of providing our contact information. I may modify this policy and ask for the prospect to send me their contact information first, and schedule a callback if the circumstances seem a little odd.
This sucks, but at least the damage is relatively contained. It does mean, though, that I may have to retire an email address.
A friend of mine in Chicago once worked for a company that collected information about the executive members of privately owned companies (who don’t have to publish their information).
She said the typical call, to a standard receptionist, went, “Hi! I’m from XYZ Magazine, and I’m calling about your recent subscription renewal. We only have the recipient listed as ‘President,’ but our subscription process has updated this year and we now require a full name. Can you transfer me to your President or can you provide the name for us?” And no receptionist was going to allow such a simple call to bother the president of the company, so et viola, now my friend’s company had a name to research.
But socially engineered spam harvesting? Now that’s really sick. Yet, somehow completely unsurprising.
Dave, those men from Nigeria didn’t really have two million dollars to put in your bank account.
Dave, if someone with your otherwise unpublished address has been the victim of an email worm, it’s quite possible that their address book has been used by the worm to send copies of itself to other people (and may or may not use the initial victim or other people in the address book to populate the ‘from’ field).
It’s also possible that such a worm could be harvesting addresses for other purposes, but your comment about mysterious attachments makes me think ‘worm’.
Maybe not the paranoia-inducing situation you allude to above, but apparently quite common.
While I may not be as high profile as some folks, the idea of unpublished email addresses is quite silly. Its sort of a social type version of “security by obscurity” that has long ago been discredited, yet still practiced.
First of all, you can’t hide forever. Having it unpublished may give you peace for a while, but vermin and roaches will wiggle into the most secure of places.
Secondly, its horrible to have your friends and accomplices have to remember obscure email addresses like “firstname.lastname@example.org” and its even worse when you have to give it to someone incidental, like your childs teacher and perhaps over the phone.
To make the pain smaller, you need a good email host that employs lots of the standard tools like spamassassin and such. They should all be updated frequently. If you are very anal and lazy, or can’t talk your friends into doing it for you, pay some money and do something like the Postini route. I have postini at work and get like a spam message a couple of times per week. Considering that I was deluged by spam, prior to postini, at my work address minutes after starting back at the company, I think postini is doing a great job.
The next step, which is something you should be doing anyways, as an email-dependent species, is to set up your mail filters to sort stuff to your expectations. Stuff that comes from unexpected places, gets put into the “possible spam” or “spamish” folder for eventual consideration. I have my email sorted into several sensible folders, like “Solicited” for recurring spam (that I signed up for, like geeks.com sale brochures) and stuff from mailing lists that I sign up for.
Its unlikely that you are ever going to hit nerdvana and a spam-free life, but you also don’t have to create a large ugly structure to attempt it either.
Paul: That’s what I’m hoping, just an email harvesting worm. There are some other patterns that make me think it’s currently a single infected computer. I’m hoping I’m not being needless paranoid, but it’s not a far leap from referrer spam.
Dean: Those are all great suggestions. I am employing most of them, except for the postini suggestion (thanks for the reference). I generally use special email addresses for external contacts (company registration forms, for example), and also for blog-related contacts. And yes, it’s all filtered at the host and into a mailbox structure. That’s probably the most unwieldy thing I have to maintain. So far it’s been pretty effective so far; this is the first weird email I’ve gotten in a couple of years (the occassional comment spam excepted).
While I agree that security through obscurity is not 100% ironclad, that doesn’t negate the defensive advantages of maintaining a low target profile.
I get lots of spam to an email address that’s unpublished but I think that’s basically because they go through standard combinations of [insertwordhere]@domain.com. It’s really rather annoying!
I got the same form of email-spam. They use my domain or they had used the unsecure wp-contact-form. I have deleted the contact-form and now it is more quite. Or there is a bug in wordpress/php.