ICO decides against probe of Santander email spam scammers

Santander customers say they are continuing to be deluged with Trojans and other junk to email addresses exclusively used with the bank months after the problem first surfaced back in November. At least two Reg readers have put in complaints to the Information Commissioner's Office. But the data privacy watchdog told us that …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    I wouldn't use their website anyway...

    I can't see the front page as I use FlashBlock in Firefox.

  2. AndrueC Silver badge
    Unhappy

    Not the only ones. I blocked my original LinkedIn email a couple of years ago because they leaked it. Then last November I was job hunting so gave them a new one. Last week I got a couple of emails sent to it. It's not likely I'd give it to anyone else by accident since it has the text 'linkedin2' as part of it.

    Needless to say I've added that to the blacklist. So that's twice in two or three years. Not the kind of networking I was expecting.

    1. A Non e-mouse Silver badge

      I found spam being sent to my LinkedIn email address. I deleted my LinkedIn account and deleted the email address.

      It can be a bit of a pain having to create email accounts for every system, but it makes it much easier to spot who's selling your information on.

      1. John Brown (no body) Silver badge

        "It can be a bit of a pain having to create email accounts for every system, but it makes it much easier to spot who's selling your information on."

        Not really. With your own domain, anything@domain.tld drops into postmaster@. Just make up a new address on the spot as required. You can deal with "formalising" it later if there's a need for it.

        Personally, I use company.name@mydomain.net. The ones who sell it on, leak it or get hacked stand out like a sore thumb. You can then either spam filter it locally or block at the host level so it bounces back to sender (or gets blackholed).

        1. Alan Brown Silver badge

          Yeah, that works real well - until a spammer forges stuff @ your domain and you cop all the bounces.

          One of my clients ended up with 19 million bounces as a result of this back in the 90s

      2. Jamie Jones Silver badge
        FAIL

        I have <anything>@jamie.mydomain.com go to my main mailbox. If anything needs to be blacklisted it can be set to 'no such user' in the sendmail virtaliases file.

        A long time ago, I used to use date-expiring email addresses for usenet, of the form YYDDD - even now, I'm still seeing sendmail rejecting spam sent to email addresses last valid in 1997!

        1. AndrueC Silver badge

          "If anything needs to be blacklisted it can be set to 'no such user' in the sendmail virtaliases file."

          I run my own email server and used to do that. Then in the new year some git started sending 100kB emails to random addresses at the rate of four or five a minute. Used up something like 20GB of my allowance in a couple of days. Now I've gone back to rejecting them at RCPT.

          1. Jamie Jones Silver badge

            @Alan: yep, anything@domain is too generic. That's why I use a subdomain for wildcard stuff.

            @AndrueC: As above. Also, sendmail blocks 'no such user' at RCPT

            Cheers, J

  3. Anonymous Coward

    I've seen this as well

    I have a mortgage with Santander and since November have been receiving targeted Santander emails with my full name in them and a supposedly attached statement in an attached zip file.

    I didn't necessarily put 2 and 2 together though as I wasn't using unique email addresses at that stage.

    :(

  4. Roo

    There is insufficient evidence...

    There is insufficient evidence showing that the ICO is fit for purpose or competent. They should return their pay and shuffle off down to the job centre.

  5. Red Bren

    "We have received some complaints relating to this matter"

    "But they can afford better lawyers than us so we're hoping it will go away if we ignore it!"

    FTFY

  6. bigtimehustler

    So basically what they are saying is that a number of independent witnesses is not enough evidence. Does this mean the ICO can only really act when companies admit to wrongdoing themselves, or some document is found somewhere it shouldn't, otherwise it seems you're pretty much safe just telling the ICO all is well here.

    1. John Brown (no body) Silver badge

      Maybe an enterprising investigative journo on the El Reg staff can put in an FOI request for the ICO documented procedure for deciding which complaints to pursue and what conditions must be met to trigger the action.

      1. moonrakin

        ICO has

        As somebody who's had to use the ICO over the last four years - I can tell you that they've been changing the way they operate of late.

        I think the volume of requests has been ratcheting up and they are hitting the "resource constraints" and they're getting significant flak from on high....

        The upshot is that less experienced junior staff are dealing with enquiries and one gets the feeling that there is an element of deflection and taking the side of the subject of a complaint (particularly if a government department) at the start - rather than do a little 'scoping of a complaint..

        An FoI will likely not help. What will get them hopping around is an MP's letter.

        .

        1. Alan Brown Silver badge

          Re: ICO has

          "An FoI will likely not help. What will get them hopping around is an MP's letter."

          Which I think they'll be getting shortly....

  7. Conrad Longmore
    Boffin

    I have this argument over and over again..

    I have this argument over and over again when email addresses leak out. Usually the people who've been hacked are either too stupid to understand the problem or are in denial.

    Let's take an example of how unlikely it is that an email address like this has been guessed at random. If you use a 10-letter unique email address comprised just of alphabetic characters then there are 26^10 possible combinations to guess, which is about a 141 quadrillion to one against probability. And when multiple people report the same problem then it should quickly become apparent that the only explanation is an email address leak, everything else is statistically impossible.

    Just to ensure that the email address cannot be guessed, you can combine it with a secret word (e.g. tribbles-santander@mydomain) and apply a filtering system to look for the secret word. That's quite a simple system that will cut down on directory harvesting attacks and should be within the capabilities of any El Reg reader to do.
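
Added example, not part of any commenter's post: a sketch of the secret-word filter described in the comment above, combined with the 'no such user' rejection at RCPT discussed earlier in the thread. The domain mydomain.example, the sender map and the function name are assumptions made for illustration.

```python
# Decide what to answer at RCPT TO for a wildcard domain that uses
# per-company addresses of the form <secret>-<company>@domain.

SECRET = "tribbles"        # secret word, taken from the comment's example
BURNED = {"linkedin2"}     # company tags retired after a leak (tag from the thread)

# Constructed map: company tag -> domains that company is expected to mail from.
EXPECTED_SENDERS = {"santander": {"santander.co.uk"}}


def rcpt_decision(rcpt_to, mail_from):
    """Return (smtp_code, note) for one recipient on the wildcard domain."""
    local = rcpt_to.rsplit("@", 1)[0].lower()
    secret, sep, company = local.partition("-")

    # No secret word: a guessed or dictionary-harvested address.
    # Refuse during the SMTP dialogue so no message body is transferred
    # and no bounce is generated afterwards.
    if not sep or secret != SECRET or not company:
        return 550, "no such user"

    # The address was valid once but has been given up as leaked.
    if company in BURNED:
        return 550, "no such user"

    # MAIL FROM is trivially forged, so a matching sender proves nothing.
    # A mismatch is still useful: mail to an address only one company
    # holds, from somewhere else, is evidence the address got out.
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    expected = EXPECTED_SENDERS.get(company, set())
    if expected and not any(
        sender_domain == d or sender_domain.endswith("." + d) for d in expected
    ):
        return 250, "accept, flag possible leak of '%s' address" % company
    return 250, "accept"


if __name__ == "__main__":
    # Constructed envelope pairs (recipient, sender).
    samples = [
        ("tribbles-santander@mydomain.example", "statements@santander.co.uk"),
        ("tribbles-santander@mydomain.example", "info@bulk-mailer.example"),
        ("santander@mydomain.example", "info@bulk-mailer.example"),
        ("tribbles-linkedin2@mydomain.example", "jobs@bulk-mailer.example"),
    ]
    for rcpt, sender in samples:
        print(rcpt, sender, rcpt_decision(rcpt, sender))
```
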

  8. Christoph

    If you've had your email database hacked, you admit the mistake and apologise.

    If you've sold your email database to spammers you dismiss complaints contemptuously and refuse to admit that anything is wrong.

  9. Tom 38

    ..deluged with Trojans..

    The capitalisation of 'Trojan' gives mind to America's #1 brand rather than the malware.

    1. phil dude
      Joke

      Re: ..deluged with Trojans..

      It's a proper name from antiquity, so capitalisation is correct.

      It's one of those words that is both a noun and a verb....

      P.

  10. McSounds

    Had my first of these recently. Unique email address and has my surname so it wasn't just addresses that leaked.

  11. Martin S

    I have never received any phishing or trojans to the email address Santander have for me but plenty to my email addresses they don't have on record.

    It's just as likely the email addresses were not unique for Santander use but given to other companies too.

    1. Nick Kew

      There's usually more than one explanation.

      I too have an address unique to Santander, and it's NOT attracting crap (unlike, for instance, my address for amazon or for nectar, both of which got deleted after a week or two - the latter due to Sainsburys spamming it).

      My suspicion would be that some folks might have failed to tick the "don't spam me" box when signing up for online service. Santander's website is painful, but not too painful to put up with for 3% on £20k ready cash in today's market.

  12. Tom 13

    I don't have an account with them so not my problem, but...

    There's no suggestion that there's any problem with Santander's online banking system.

    I'd say that's rather a bit of splitting hairs too finely. There may be a separation between the system that handles the transfer of electronic bits from one account to another and the communications system of the bank, but I'd regard them both as part of the online banking system, because they work together to support a bank account. Compromise the one and the chances of compromising the other go up considerably. What if, instead of it being a spam campaign it had been a carefully crafted spear phishing expedition. Good graphics and clean language with a fake call back number, ask them to call to confirm something, and you're well on your way to a compromised account.

    Given their lack of action, at this point if I had an account with them I'd be looking to quickly move to a new bank. It's the only thing they'll understand.

  13. John Savard

    Sufficient

    Certainly it is very strange when absolute proof does not constitute adequate evidence to proceed with an investigation. This type of confusion needs to be remedied forthwith.

  14. penguin42

    Not just Santander

    I had the same thing happen yesterday with a small building society; I'd never sent mail with that address, and the mail goes no further than a mutt on the mail server that receives it.

    Personally I suspect spammers are getting addresses from sniffing backbones/major mail servers or AV scanning services.

    But remember, generally email isn't encrypted over the wire - so gathering email in transit would be easy.

  15. JCB
    Alien

    I have two unique addresses with two companies later absorbed into Santander. I started receiving spam on both of them at around the same time. They have certainly never been used for any purpose other than corresponding with the banks. In fact when I looked closer it appeared that one had never even been used for that purpose, but existed only because an email address was required on a form many years ago.

    Life's too short to try and persuade a bank that they have done something wrong. How do you supply the level of evidence required? Have a minister of the church swear in triplicate that they definitely saw that you never ever used the email address at any time? "Yes, M'lud, I definitely saw him not doing it."

    1. jonathanb Silver badge

      If the email address in question is "bradfordbingley@mydomain.com", I would say that is pretty strong evidence.

    2. Destroy All Monsters Silver badge

      I'm not saying it's aliens, but it could well be aliens.

  16. Stretch

    You're the 12th person we've told today...

    ...there's no evidence.

  17. alanw

    The ICO's website says: 'We deal with complaints where you can identify the sender. If you become able to identify the sender, we may be able to help further. Please return to our website if that happens.' This makes it useless for most problems of this kind.
