Author Topic: Is the email address I gave really private?  (Read 339 times)
Santa Claus
Apprentice
*
Posts: 2


« on: May 22, 2010, 05:25:28 pm »

In an effort to eliminate spam from my inbox, I will often create separate email addresses for the individual organizations that I deal with. This allows me to know which companies are either insecure with my data or dishonest with their information / privacy policies.

When I registered on this site I created the email address spam.booklamp@drbroyles.com (without the prefix 'spam.').  According to my profile on this site I registered on June 05, 2009, 07:12:03 am.  I have made no forum postings yet so this email address could not have been scraped from the forums.  Also I have not sent any emails from that address so there is no possibility of an information leak in that method.

Can the people who run this site please explain how it came to be that a spammer got my email address?

-Santa Claus
Logged
Aaron Stanton
Project Manager
Core Team
*****
Posts: 281



« Reply #1 on: May 24, 2010, 07:25:17 am »

Santa,

I'm unsure how your e-mail received spam, but I can assure you that we don't share user information with anyone, and we take the security of that information very seriously.  While my word on the matter will only go so far, no one has access to the user information on the site but BookLamp, and we constantly monitor our system for security issues.

Over the last three years or so that we've been in operation, yours is the second concern raised about someone getting spam to one of their accounts that they had connected to BookLamp.  After discussing it with them in detail, we double checked our security, verified all the records of access, and even went to the extent of creating a number of fake accounts with purpose-specific e-mail addresses to see if we could reproduce the issue.  We were never able to reproduce the problem, and couldn't find other people that had a similar experience.  We queried a number of other users, and found that no one had a similar complaint, that we could tell.

So, while I still can't answer how exactly your e-mail address received spam, aside from the possibility that it was a random shot by a spam bot trying out word combinations, it wasn't us. :) Though I can understand your concern about it, and wish I could be more help.

If I may ask, has it been lots of spam, or a limited number? When did the first spam show up compared to when you registered? How frequently are you getting them, and was it all at once, or did it build? I have read articles that discuss some of the various spamming techniques that are used, and one that I always thought was interesting was to randomly send e-mails to the (word)@domain.com, and watch which do and don't bounce. If it doesn't bounce, it's recorded somewhere as a "real" address and used again later. I have no idea if that's the case here, but perhaps adding a few extra numbers into your naming scheme might help. booklamp93828@blah.com, or something.

Again, I'm sorry that this has caused you any trouble. If you want, fire me an e-mail at aaron@cangooglehearme.com with details. In the meantime, we'll check our system again, just to be sure. I'm happy to talk more about it, since I'm sure that... well, if I were a spammer, you'd probably expect me to say what I just said. :) But I'm happy to help where I can, if that's useful.

In the meantime, best of luck,

Aaron

P.S. While I have a fairly good knowledge of the systems, Paul is really the guy that knows the most about our security and the technical aspects of what we do.  If you keep having troubles, I'll bounce this off of him and see what he might have to add.  Thanks again.
« Last Edit: May 24, 2010, 07:49:33 am by Aaron Stanton » Logged
Santa Claus
Apprentice
*
Posts: 2


« Reply #2 on: May 24, 2010, 12:15:02 pm »

> So, while I still can't answer how exactly your e-mail address received spam, aside from the possibility that it was a random shot by a spam bot trying out word combinations, it wasn't us. :) Though I can understand your concern about it, and wish I could be more help.

Although booklamp isn't a word that I think would be "guessed" by a spammer, that does seem like the most plausible theory. I have other, older email aliases which do not receive spam, so this does appear to be a "lucky guess" by a spammer. I've decided to change my email address for BookLamp by adding some "salt" to the end.

> If I may ask, has it been lots of spam, or a limited number? When did the first spam show up compared to when you registered? How frequently are you getting them, and was it all at once, or did it build? I have read articles that discuss some of the various spamming techniques that are used, and one that I always thought was interesting was to randomly send e-mails to the (word)@domain.com, and watch which do and don't bounce. If it doesn't bounce, it's recorded somewhere as a "real" address and used again later. I have no idea if that's the case here, but perhaps adding a few extra numbers into your naming scheme might help. booklamp93828@blah.com, or something.

There has only been one email (the spam email) sent to the original address.  It was received about 11 months after I registered here.  I will now decommission that original address and see how many spammers grab hold of it now that they have verified it can receive emails.
 
Thank you for your sincere reply Aaron.  I do believe that you and booklamp.org are being honest and responsible in this regard.  I'll let you know if any bad patterns develop.

Thank you,
-Santa
Logged
Aaron Stanton
Project Manager
Core Team
*****
Posts: 281



« Reply #3 on: May 24, 2010, 04:44:55 pm »

Thanks, Santa. I half expected you to be like, "Well, yeah right. Sure. Whatever." :)

I appreciate the benefit of the doubt.  If you do get any more spam to the "salted" address, and it's connected to us, please let me know as soon as you can.  Just in case.

I also have no real idea about the validity of the "booklamp" guess by a spammer.  Booklamp (one word) isn't really even a dictionary word, so it does seem unlikely that it would be guessed, even in a brute force dictionary hunt.  However, it's the only explanation I've got, as unqualified as it may be.

As I said, I'll ask Paul to verify the security of the system (his opinion is far more qualified than my own). Keep me posted on any further changes. After all, I'm registered with the system as well, and not all of my e-mail addresses are as public as the CanGoogleHearMe.com one. :)

Thanks again,

Aaron
Logged
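
The thread cannot tell a leak from a guessed (word)@domain address because the alias was a plain word. The sketch below is an added example, not part of the original posts or of BookLamp's systems: it derives the "salt" from an HMAC so that an inbound address either carries a tag only the registration could have supplied, or is a guess. `SECRET`, `DOMAIN`, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Assumed values for illustration: SECRET is a key only the mailbox owner
# holds; example.org stands in for the owner's own mail domain.
SECRET = b"constructed-demo-key-do-not-reuse"
DOMAIN = "example.org"
TAG_LEN = 8  # hex characters kept from the HMAC (32 bits a guesser must hit)

def _tag(site: str) -> str:
    """Unpredictable suffix bound to one site name."""
    digest = hmac.new(SECRET, site.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:TAG_LEN]

def make_alias(site: str) -> str:
    """Address to hand to exactly one site, e.g. booklamp.<tag>@example.org."""
    return f"{site.lower()}.{_tag(site)}@{DOMAIN}"

def classify(recipient: str) -> Tuple[str, Optional[str]]:
    """Classify the recipient address of an inbound message.

    'issued'  : tag verifies, so the sender got the address from a source
                that held it (the named site or something handling its mail)
    'guessed' : our domain but no valid tag, consistent with word guessing
    'foreign' : not our domain
    """
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return ("foreign", None)
    site, sep, tag = local.rpartition(".")
    if sep and site and hmac.compare_digest(tag.encode(), _tag(site).encode()):
        return ("issued", site)
    return ("guessed", None)

def tally(recipients):
    """Count classifications over a batch of inbound recipient addresses."""
    counts = {"issued": 0, "guessed": 0, "foreign": 0}
    for addr in recipients:
        counts[classify(addr)[0]] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample input: one issued alias, two guesses, one stray.
    inbound = [make_alias("booklamp"), "booklamp@example.org",
               "booklamp93828@example.org", "someone@elsewhere.test"]
    for addr in inbound:
        print(addr, "->", classify(addr))
    print(tally(inbound))
```

Spam arriving at an address classified `issued` points at the named site or the path its mail takes; spam at a `guessed` address says nothing about that site.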