WebMink
Simon Phipps's personal commentary


Sunday, January 19

Spammed until it hurtz [WebTech]
I receive a lot of spam. Some of the spam I get is nasty stuff, and the excellent POPFile does a great job of spotting most of it and filing it in the bin. For places where I expect spam, I use SpamGourmet to manufacture disposable addresses that allow only a few messages through before everything else gets trashed. For places I trust, I give a 'real' e-mail address. Being paranoid (remember, just because you're paranoid it doesn't mean they aren't out to get you), and owning several domains, I fill out any form I find on the web or elsewhere with a custom e-mail address so that I can tell if ever the list gets sold or abused. So far, remarkably, this has never happened.
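The "custom address per form" trick above is easy to automate once you own a domain with a catch-all mailbox. What follows is an added example, not the author's own setup and not code from POPFile or SpamGourmet: each party gets an alias whose local part carries the party's name plus a short HMAC tag, so an alias that later shows up in spam names whoever leaked it, while an address that was merely guessed in a dictionary run fails the tag check and is not blamed on anyone. Disposable aliases also carry a message budget in the SpamGourmet style. The domain `example.net`, the secret, the party names and the `AliasGate` class are all assumptions for illustration.

```python
"""Per-counterparty e-mail aliases on a catch-all domain (added example).

One alias per party you hand an address to. The local part carries the
party's name plus an HMAC tag computed from a secret you hold, so:
  * an alias that turns up in spam names the party that leaked it, and
  * an address somebody merely guessed (dictionary attack) fails the tag
    check and is rejected instead of being blamed on an innocent party.
Disposable aliases can also carry a message budget, after which
everything sent to that alias is binned (the SpamGourmet idea).
"""
import hashlib
import hmac
import re

SECRET = b"example-only-secret; keep the real one out of source"  # assumption
DOMAIN = "example.net"   # assumption: a catch-all domain you control
TAG_LEN = 8              # 8 hex digits = 32 bits; blind guessing is hopeless at that size


def _slug(party: str) -> str:
    """'Hertz Corporation' -> 'hertz-corporation' (dots are reserved as the tag separator)."""
    slug = re.sub(r"[^a-z0-9]+", "-", party.lower()).strip("-")
    if not slug:
        raise ValueError("party name needs at least one letter or digit")
    return slug


def _tag(slug: str, secret: bytes) -> str:
    return hmac.new(secret, slug.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_address(party: str, domain: str = DOMAIN, secret: bytes = SECRET) -> str:
    """Mint the alias to give to `party`."""
    slug = _slug(party)
    return f"{slug}.{_tag(slug, secret)}@{domain}"


def attribute(address: str, domain: str = DOMAIN, secret: bytes = SECRET):
    """Return the party an address was issued to, or None if we never issued it."""
    pattern = r"([a-z0-9-]+)\.([0-9a-f]{%d})@(.+)" % TAG_LEN
    m = re.fullmatch(pattern, address.strip().lower())
    if not m or m.group(3) != domain.lower():
        return None
    slug, tag = m.group(1), m.group(2)
    # Constant-time compare: the tag is a secret-derived value, not just a label.
    if not hmac.compare_digest(tag, _tag(slug, secret)):
        return None
    return slug


class AliasGate:
    """Envelope-recipient policy for the catch-all mailbox.

    classify() returns (action, detail): action is 'deliver', 'trash' or 'reject'.
    """

    def __init__(self, domain: str = DOMAIN, secret: bytes = SECRET):
        self.domain, self.secret = domain, secret
        self.remaining = {}  # alias -> messages still allowed; None = unlimited (trusted party)

    def issue(self, party: str, budget=None) -> str:
        alias = issue_address(party, self.domain, self.secret)
        self.remaining[alias] = budget
        return alias

    def classify(self, rcpt: str):
        rcpt = rcpt.strip().lower()
        party = attribute(rcpt, self.domain, self.secret)
        if party is None:
            return ("reject", "tag check failed: guessed or forged, not an alias we issued")
        left = self.remaining.get(rcpt)  # alias minted elsewhere with this secret: treat as unlimited
        if left is None:
            return ("deliver", party)
        if left <= 0:
            return ("trash", f"budget for {party} exhausted; further mail here means {party} leaked it")
        self.remaining[rcpt] = left - 1
        return ("deliver", party)


if __name__ == "__main__":
    gate = AliasGate()
    trusted = gate.issue("Hertz Corporation")          # 'real' address: no cap
    throwaway = gate.issue("Web Contest", budget=2)    # disposable: two messages, then the bin
    for rcpt in (trusted, throwaway, throwaway, throwaway, "simon@example.net"):
        print(rcpt, "->", gate.classify(rcpt))
```

Rotate the secret and the old aliases stop verifying, so keep a record of which aliases were issued under which secret if you want attribution to survive a rotation. The tag only proves you minted the address; it says nothing about who is sending to it, which is exactly the point: a verified alias arriving from a stranger is evidence that the party it was issued to lost it.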

Except for once. Some time last year, I started getting the nastiest sort of pornographic e-mail. It wasn't to an address harvested from my web page; it was to one of my 'custom' accounts, an address given to a trusted party. Hertz Corporation, in fact. It wasn't just a random dictionary search either; I got lots of them, and they kept arriving, and getting nastier in the process. In the end, I called Hertz and then wrote an e-mail to them. The reply that I received was surprisingly long - you can read it if you want.

While I was surprised and reassured to get a positive reply, the contents of the e-mail are concerning. I was pleased that "this solicitation did not occur as a result of Hertz selling your address to any third party" although it came as no great surprise. But the fact that "we do not believe any other sensitive information about you in Hertz databases have been captured by those responsible for the e-mail you received", while superficially comforting, was very worrying indeed in its lack of certainty, especially combined with the admission that they were not "able to identify how your e-mail address was obtained or who is responsible".

Hertz has involved "[the] Federal District Court in Utah ... two firms with specialized expertise in information systems security ... the FBI, US Attorney, and attorneys representing us in civil actions" so this is no small matter, even if they do claim that "the number of Hertz customers who have received these solicitations remains very small". They have clearly known about it for some time, and taken a series of increasingly desperate steps to stop the spam. They are to be commended for taking serious, positive steps against spammers in this way and for treating the matter seriously and tenaciously.

But the e-mail they sent me fails to reassure me on the more serious issues. For example, how long have they known that their customers' data has been compromised? What other data do they know has been compromised? Why, once they knew about the matter, did they not advise their customers of the compromise (there's no trace of a press release)? Are they sure the exploit cannot be repeated? And more. The most important issue for me is that I had to tell them. Is this a cover-up? Almost, yes. What can they offer me in amends? "we strongly advise you to ... terminate the e-mail address that was receiving the unwanted Spam." Well thanks, that's a great offer.

Spam is a serious issue, and my personal opinion is that it can be dealt with only by a combination of social and technical actions. But whatever action is taken, if large corporations who should know better try to keep it quiet when their security is compromised, no spam control actions will ever be enough.

posted at 11:20 PM (UK) | Permalink
(c) 2003-7, Simon Phipps. Some items may be repeated in the editorial column on the home page.