back to article Oi, bank manager. Only you've got my email address - where're these TROJANS coming from?

Santander customers are continuing to complain about receiving trojans and other junk to email addresses exclusively used with the bank. The reports began last month, prompting promises of an investigation by Santander. It's still unclear whether email addresses leaked from the bank or one of its affiliates. Independent …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Oh really?

    "...spammers just trying everything@the_domain... That’d be a huge waste of resources – and I’ve never seen it happen."

    Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

    Fortunately, Google's spam filter gets them all, otherwise I'd probably have to dump the domain.

    1. mike2R

      Re: Oh really?

      Happened to our main domain at work once years ago, vast amounts of email came in to different variants of firstname.lastname@ourdomain.co.uk

      But I think the article is right that this isn't a cost effective method of spamming individuals. I assume that whoever it was had (wrongly) identified us as a large company where they could hope to get hundreds or thousands of hits with that sort of sending. Even if you're using a botnet, sending that amount of email is at very least an oppertunity cost, and in reality they are probably being rented for actual money.

    2. AndrueC Silver badge

      Re: Oh really?

      Happens to me all the time. Couple of dozen a day, all to addresses such as 2a60d7b58@ and bf88cf663@mydomain.

      Same here but they fail because all the addresses hosted on my server have at least two parts to the name. I also get someone trying to log in to my web UI with random user names as well. That I really can't understand. Hitting on a valid email address is possible..but the chances of generating a valid username/password combo is surely miniscule.

      1. Gav

        Re: Oh really?

        "the chances of generating a valid username/password combo is surely miniscule."

        They aren't generated. They are username/password combos that have been stolen from other systems. Because people frequently use the same username/password over multiple systems, it's worth the criminals' time trying them elsewhere.

        1. AndrueC Silver badge

          Re: Oh really?

          They are username/password combos that have been stolen from other systems.

          Ah yes, you're right. Having checked my logs again those are all 'sensible' user names. It's only the spam attacks that are random.

    3. Phil Endecott

      Re: Oh really?

      Are those 2a60d7b58@ addresses actually message-ids?

      That is what i see. Someone has greped using a regexp that picks up messag-ids as well as email addresses.

    4. Oh Homer
      Flame

      Re: Oh really?

      Yes, in my case it was a tagged email alias I'd used to sign up to Interflora, to which I suddenly started receiving "offers" from, amongst others, "The Book Club of Britain".

      When challenged, Interflora's typically inept tier one'ers just dismissed it as a problem at my end ... until I got the ICO involved, then suddenly I had their undivided attention, and the problem was ultimately escalated to some regional manager.

      It turned out they were using a professional spammer marketeer called CheetahMail (subsequently assimilated by Experian), which had "accidentally shared" my Interflora address, along with those of about another ten million people, with various parties they ought not to have. Being an American company, CheetahMail didn't seem to understand what all the fuss was about, given that America had (and clearly still has) absolutely no concept of data protection whatsoever (the safe harbor provisions didn't come into effect until years later, and even so are highly dubious at best, for various reasons).

      In fact I made that point to the aforementioned regional manager, and suggested that maybe they shouldn't be handing British citizen's private data over to furriners not subject to our data protection laws. He appologised and made some vague assurance that Interflora would be "reviewing its relationship" with the spammer marketeer in question. It didn't matter. I ditched the alias and with it my "relationship" with Interflora.

      Fool me once...

  2. Mike Bell

    Another possibility

    A compromised router outside of Santander's control.

    It's all very well saying that you just use a particular e-mail address for one purpose, but sending or receiving e-mail is generally like sending or receiving a postcard. Any number of prying eyes have the opportunity to snoop on the address.

    1. Great Bu

      Re: Another possibility

      Also, who's to say that the e-mail address hasn't been compromised from the owners' system (i.e. they have picked up a virus that has mined their own contacts list from their PC or 'phone) ?

      1. Tom 13

        Re: Another possibility

        For a single instance, that's usually the way to investigate. This is multiple instances and the primary or only commonality is the bank. Also, if it was the user's PC, the virus would have ALL the email addresses being used, not just the one from the bank. At the very least I'd expect the intrepid spammer to go for credit card info as well.

    2. Nick Ryan Silver badge

      Re: Another possibility

      While that's true, the much simpler answer is that some dickhead at the bank either has a compromised system or (not so) carefully found a way to export a list of email addresses that subsequently got added to spam sender's systems.

      However it's telling that it's more targetted than the usual penis enlargement or penny stock spam.

      1. Anonymous Coward
        Anonymous Coward

        Re: Another possibility

        I feel concerned that I *haven't* had the 'penis enlargement' spam for sometime now. It just doesn't feel right.

        1. Anonymous C0ward

          Re: Another possibility

          Take it as a compliment.

        2. VinceH

          Re: Another possibility

          "I feel concerned that I *haven't* had the 'penis enlargement' spam for sometime now. It just doesn't feel right."

          It doesn't feel right, you say? Does it feel too small, perhaps? If so what you need is to respond to one of those emails for peni... oh, wait.

      2. Jaybus

        Re: Another possibility

        Or an insider with access to the list of e-mail addresses is actively stealing them and selling them on the black market for some extra pocket money. That's my guess.

    3. Tom Wood
      Black Helicopters

      Re: Another possibility

      Could be the NSA... ;-)

    4. Anonymous Coward
      Holmes

      Re: Another possibility

      Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

      I had a clean email address until I contacted a programmer in Russia. I'm willing to bet a good proportion of the servers that handled that one have been compromised to harvest addresses.

      1. AndrueC Silver badge

        Re: Another possibility

        Exactly. I'm staggered that this article seems complicit with the assumption that an email goes directly from a user's computer to the bank's. Who's to say that the ISPs are not to blame?

        I can say that for my mail. I run my own mail server and it connects direct. The only things my mail passes through are generic network routers.

  3. This post has been deleted by its author

    1. Phil O'Sophical Silver badge
      Thumb Up

      Re: A number of years ago....

      Over 50% of the spam I get is received at oddbins@MyDomain.com despite me having used that address precisely once, many years ago, to order wine online for a family party. It doesn't exist in any of my contacts lists or history.

      1. lglethal Silver badge
        Go

        Re: A number of years ago....

        "It doesn't exist in any of my contacts lists or history."

        How do you know it gets lots of spam then? You have to login and check it periodically, or you have it forwarded to your account. Either way, news of that account is on your computer, so if you end up comprised, it would be as well...

        1. Phil O'Sophical Silver badge

          Re: A number of years ago....

          How do you know it gets lots of spam then? You have to login and check it periodically, or you have it forwarded to your account.

          No, there is no such account. The spam gets picked up by the catchall filter for "all unassigned addresses to mydomain". Nothing on my computer has any record of that email address.

  4. vahid

    send in inspector cludeo

    ye a few of the possibilities outlined above, its worth trying to work out what the end users systems are, what browsers they are using. How many devices are used to interact with santander.

    This at least may help identify if its specific to end users i.e. windows users using firefox/chrome/IE - then it be worth drilling into plugins used etc to see if some specific add on is causing this.......

    1. Anonymous Coward
      Anonymous Coward

      Re: send in inspector cludeo

      If you are using a specific email address for your bank then you are probably using specific email addresses for ebay, amazon, friends and family, elreg, etc. If it is your system that has been compromised then these other email addresses would also start receiving spam. Since they aren't it pretty much discounts the theory that it is a problem on the users side.

  5. Anonymous Coward
    Anonymous Coward

    The answer is obvious

    It's Santander. The bank that is consistently at the bottom of UK customer satisfaction tables. The bank that sends out letters on outdated stationery so you have to go on a wild goose chase trying to clarify what the letter meant.

    There are lots of theoretical possibilities, but it's Santander. They're incompetent. It's what they do best.

    1. No Quarter

      Re: The answer is obvious

      Sometimes you can discuss all the possible options when in reality it's the bleeding obvious that is the case.

    2. Anonymous Coward
      Anonymous Coward

      Re: The answer is obvious

      Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies".

      Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised (in one situation, I signed up to a bands website, to be sent an email about a gig down in that London for a different band), however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!

      1. VinceH

        Re: The answer is obvious

        "Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my "tick if you do not wish to be contacted by selected 3rd party companies"."

        Ditto.

        I have two domains specifically for this purpose. It is the only thing they are used for, and usually only receive email, so no individual usernames are set up on my system, other than the domain itself. In the event I want to send an email to a company using these domains, I have to manually type in the email address I am sending from.

        "Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised [...] however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!"

        Yup. Been there, done that, didn't buy the t-shirt from the spammer.

        More than one such address has been compromised. In some cases, while a unique address at one of the domains is used, I know that the "company" is really just a small-fry sole trader, so the chances are their computer has been compromised.

        The very first time it happened, though, it was either Experian or Equifax (I can't remember which), the address being one I'd used when I checked my own credit rating* - and when I contacted them about it, the response I got was, as yours: "not us guv, not possible, we're squeaky clean and more secure than a nun's nethers, honest to goodness."

        * Always worth doing. Then you get to discover things like you have an alias that you never knew about - which I discovered on my most recent check.

      2. pop_corn

        Re: The answer is obvious

        Every time I've done this I've had the same response.

        When I started getting spam to planetAMD64@mydomain.com and I, along with several others, complained, planetAMD64.com's response was that they were a huge and popular site and I was probably suffering a dictionary attack on my domain. As I have a catchall address, it must have been a dictionary attack of 1 word, a word that isn't even in the dictionary! Their response was to ban my account from their forum "for slander"! I get some satisfaction from the fact their "huge and popular" site is no more.

        More worryingly when I started getting spam to pcg@mydomain.com which I'd only ever used for the Professional Contractor's Group at pcg.org.uk my report of spam was also met with instant disbelief and denials.

        The reality is, that whilst it's evidence of some betrayal of confidentiality or security breach, it's very difficult to prove it or find the cause of the leak. The best you can do is black hole that email address and give them another unique one.

    3. Conrad Longmore

      Re: The answer is obvious

      Abso-fragging-lutely. The simplest answer is the most likely one - Santander has been compromised, or one of firms that they outsource to (which I count as the same thing).

      Like a lot of El Reg readers, I come across this sort of thing a lot because I also use a unique address for everything. And most of the time the people who have leaked out the information flatly deny it despite the evidence, and are often rude and hostile. And stupid, which probably explains why they got leaked in the first place.

      This should probably be dealt with by whatever the current toothless watchdog that oversees the banking industry is.

  6. Flywheel

    "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

    1. wolfetone Silver badge

      "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

      I don't know, the viagra pill sellers only have my girlfriends sexual experience at heart when sending me those emails....

    2. Anonymous Coward
      Anonymous Coward

      > "Carefully selected 3rd parties" eh? Obviously not selected carefully enough.

      I am they were extremely careful to select the third party that paid them the most for their email database.

  7. Anonymous Coward
    Anonymous Coward

    Not surprising really

    They can't even get your home address right when you move house and tell them more than once but they persist on sending correspondance to your old address, so I wouldn't have any hopes of them being able to deal with email addresses properly either!

    1. Anonymous Coward
      Anonymous Coward

      Re: Not surprising really

      They can't even get your home address right when you move house

      I wonder if they've improved their data capture screen for mortgage details. I lived on a street called Frognal, but all my mortgage related correspondence went to a Frognal Lane which was several streets away. On going into the branch I discovered that their data capture screen insisted on a street address having a suffix that had to be selected from a ridiculously long drop down box. So it would accept Frognal Lane, Frognal Road and so on, but any address without a suffix - or with a suffix not on the list - couldn't be entered. Quality bit of UI design that.

      1. Dan 55 Silver badge

        Re: Not surprising really

        I know for a fact that work on Santander UK systems is carried out by Spanish consultancies as it works out cheaper for them, at least by the indicators they are using, bad customer service reputation not being one of them.

        Putting two and two together to make five, it sounds like that particular system was adapted from or at least heavily inspired by similar software for Spain which does have a fixed set of road types.

        Complaints to the data registrar probably mean another road type being made just for you, you lucky thing.

    2. mathew42

      Re: Not surprising really

      From past experience, I've found that complaining to the who ever is responsible for data protection tends to solve the home address problem reasonably quickly.

  8. Mr_Pitiful

    It's not just Santander....

    I opened an account with Natwest a few months ago, using a specific email address only for them

    Started getting spam to that address after a few weeks, with zipped attachments!

    When I complained, they said my system was probably infected and I should call in an expert!

    I think they must 'sell' their email lists to the highest bidder

    1. Anonymous Coward
      Anonymous Coward

      Wasn't it NatWest

      that ended up in the papers (not just the IT ones) when they flogged off a server without sanitising it first? I;m sure others do it too, but this one had scanned images of credit card applications on it.

      Oh yes it was: http://www.theregister.co.uk/2008/08/26/more_details_lost/

      They've had five years to sort it, I'm sure their IT is much better now.

      1. Yet Another Commentard

        Re: Wasn't it NatWest

        @AC

        I am sure they have sorted it. Or at least that impeccable holding company of theirs, the one with the perfect IT record, RBS, has sorted it for them.

  9. Martin H Watson

    I even get spam sent to the unique address I use for my very well-known ISP. They denied any wrong doing. And it happens with at least two other unique addresses. The latter two I blackholed so it's a pointless exercise for them.

  10. Anonymous Coward
    Anonymous Coward

    Well, after I used the RAC's recovery service

    I have been plagued by Cowboy Personal Injury firms trying to foist their services upon me.

    1. Destroy All Monsters Silver badge
      Trollface

      Re: Well, after I used the RAC's recovery service

      Glad you didn't respond. Their services must seriously hurt.

      1. Anonymous Coward
        Anonymous Coward

        Re: RAC

        That's interesting. Now you mention it, I also had the same experience.

        I was a little perturbed to receive a phone call from a stranger that began "did you ever claim for injury following your accident on <date>?".

        Needless to say I told them very firmly not to contact me again.

  11. AndrueC Silver badge
    Thumb Down

    These kind of problems crop up regularly and are far from limited to Santander. It's a familiar story

    Very true. I stopped using Avast AV because I began to get spam to the address used to register. I tried to bring it to their attention but got attacked on by the forum denizens who refused to believe there was anything odd when address similar to:

    mrwidget.avast@fake-domain.null

    Started to receive spam. Most claimed the address was picked up by a packet sniffer (odd how only that address got picked up and this was ovr six months IIRC since I last registered it) or else that I had a virus infection that had got the address from my address book (why would I have that address in my address book and as per the first suggestion why did only that address get spam?) Oh and some fools suggested it was a dictionary attack against my domain (that's one hell of a precise attack).

    I gave up the discussion when it looked like becoming a flame war.

    1. jaduncan

      Yes, most companies just lie about their practices or aren't aware of just how casual marketing are with the databases.

  12. Rob Willett

    Similar issues...

    I have had exactly the same issues with a number of sites. I register using a unique e-mail address that is only ever used for registration. I run my own mail server which uses certain rules to forward the unique mail address to a real e-mail address. If the rules don't match then the mail is simply discarded. I can then add specific e-mail addresses that are blocked.

    I registered with the no2id people and have started receiving spam e-mails to that specific e-mail address. I tried to contact them and got zero response which is fairly ironic given how much they claim to value our privacy.

    I've just looked through my blacklist and can see magazine subscriptions, easyjet4ski, worldpay, Adobe, easydns hammersnipe, appdev, groupon and other real outlets who appear to have lost, sold or given out a unique e-mail address. I have tried to contact every one and complain and with the exception of Adobe, none have ever admitted a problem. Its always been my issue never theirs.

    My solution is easy, I simply block the address (15 secs) and then never do business with them.

    What experiences to other people have when they try to complain about this?

    Thanks

    1. We're with Steve

      Re: Similar issues...

      Most times they don't give a s**t. Just trying to get them to understand you might have more than one email address/your own domain is a job in it's self.

      I don't block them anymore, I just forward the email address that has been compromised to one of theirs. Job done (and rather satisfying too).

      1. YetAnotherLocksmith Silver badge

        Re: Similar issues...

        That, Sir, is truly a brilliant idea. Can't believe that isn't standard practise. I'm going to add "Forward to: CEO at email-sellers-domain.com" to the front of all my kill filters.

        My wife (who is in IT, as I used to be) complains at my use of many different email addresses like this, but I find it very useful for the reasons given by others.

  13. We're with Steve

    I am one of the people affected/complaining

    I started receiving the virus spam emails in November and immediately started a complaint. Allow me to share some of my insight/experience.

    The article discusses a number of sources of the leak and the user could possibility. I did consider this as I can be a numpty but:

    1) I started getting virus spams to two unique email addresses on the same day.

    2) This was shortly after the Adobe breach in November 2013.

    3) I have a whole raft of unique addresses and I was only getting spam virus emails to two of them

    4) The email address was not "Santander" or anything that could be guessed (really).

    My guess it was the same crew that took the addresses from both Santander and Sportsbikeshop.co.uk. If I was to get a free bet I would suspect (as I used to work in Direct Marketing for a bank now "eaten" by Santander) that an external agency using Adobe products and the same password everywhere is to blame.

    It took me some time to get my complaint listened to. Their Data Protection Officer wasn't having anything to do with me (FFS, What is their purpose!) and I had to raise three complaints before Santander "engaged".

    However since "engaging" the poor Scottish chap dealing with the complaint has been great. You couldn't fault him. If you're reading this mate then I owe you a pint.

    1. Mark #255

      Re: I am one of the people affected/complaining

      ...Their Data Protection Officer wasn't having anything to do with me (FFS, What is their purpose!)

      This is Yes, Minister 101 - get the tricky bit dealt with in the title.

      The purpose of any Data Protection Officer is (obviously) to minimise the blame which can be attached to the company in any Data Protection issue.

    2. Anonymous Coward
      Anonymous Coward

      Re: I am one of the people affected/complaining

      I received spam from 3 Santander subsidiaries (Santander, Cahoot & Abbey National), in each case sent to a disposable email-address only disclosed to the respective bank. Since I receive no other spam, I'm in no doubt who leaked it.

      On 2013-11-04, I contacted Cahoot, but despite receiving a response, received little joy.

      On 2013-12-03, I registered my complaint to the Information Commissioner's Office.

      They responded on 2013-12-16:

      In this case we have decided that it is likely that Santander (Cahoot) has complied with the requirements of the DPA.

      This is because Principle 7 of the DPA states that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

      In practice, this means that an organisation must have appropriate security in place to prevent the personal data they hold being accidentally or deliberately compromised.

      In deciding what security is appropriate, the DPA specifies the organisation must consider the harm that might result if data is lost or disclosed, and the nature of the data to be protected.

      Therefore the DPA does not dictate what security measures an organisation should have in place. How this is specifically achieved is left to the discretion of the data controller.

      It appears from the information provided that Santander have a security measures in place when dealing with personal data and that they have confirmed there is no evidence of a security breach within their systems and there is no evidence available to prove that a breach has occurred.

      In light of all of the above, we do not recommend that Santander need to take any action in relation to this matter.

      This matter is now closed. Thank you for bringing it to our attention.

  14. Arthur the cat Silver badge
    Unhappy

    Santander are very good at ignoring you

    I've had this problem, although nothing has arrived in the last week or two. I'm with Cahoot, Santander's online bank, and most of the trojans I've received have been supposedly from Fedex or other large carrier claiming they were unable to deliver a parcel, details in the zipped attachment. The sole entry in the zip file has a long name so the extension(s) are probably invisible to most, and end .pdf.exe. The mails might be a tad more plausible if the source addresses weren't scattered round the world but claiming to be from the UK.

    On several occasions I've complained to Cahoot, but my emails just get ignored. I've never been arsed to keep trying as I don't run WIndows, so the mail is a mere nuisance rather than a threat. One of these days I ought to change banks, but how the hell do you choose a good one? I had been thinking about switching to the Coop ...

    1. olyd

      Re: Santander are very good at ignoring you

      I got the trojan to a Santander-unique email on 4th November and told Santander about it that day. Three days later they decided which team might take an interest in it, but strangely I haven't heard anything more from them, despite promises to the contrary. Hush hush, tippy-toe walk away...

  15. NomNomNom

    it could be goasts they should hire a PI to check their bank for spirits. goasts would have access to the email addresses and even the vaults.

    We had a similar problem when I ran my business at the old mill. People were being phoned up during the day, myself included, by a well mannered chap sporting a mild cornish accent. Unfortunately he was not a client and wouldn't desist the calls which became a nuscience. The police couldn't make head or tail of it so we called in a local paranormal investigator who set up all manner of spirit detecting contraptions: night vision cameras, temperature switches, even tripwires. Never caught the goast redhanded but it sure scared him off, never had a call again after that.

    1. Dodgy Geezer Silver badge

      Brilliant!

      I want to hear more from this contributor!

  16. Anonymous Coward
    Anonymous Coward

    It won't be the bank

    Prediction - It'll be the company they outsource with to send Emails on their behalf will have been sloppy with the data somehow. You may have ticked the box asking not to share your details, but the bank need to monetise you as a customer and will use your email to sell you other products or to send you regulatory information. Or even an email to tell you your statement is ready to view online, for example.

    Although it can also be the banks Marketing teams who are as much to blame - if most bank's information security teams knew what their marketing teams got up to behind their backs, it would make them go white. Unencrypted .CSV customer list database sent to an email marketing company attached to a non-encrypted email? Of course....

    There's only very few banks that send their own email directly. It's all outsourced to 3rd parties who do the work on their behalf.

  17. heyrick Silver badge

    "it's more likely to be a third party contracted to do mailing that’s been compromised than the bank itself."

    However, YOU having provided information to the bank, it is reasonable to expect that they will treat the data responsibly, and more importantly ensure that any third party they use respects their privacy policy... And to take responsibility if they don't.

  18. 3el

    Only took 3 days

    I use catch all on my domain. Never received spam on Santander@domain but 3 days after I gave that address to Santander I started to receive spam/trojans.

    They have a issue somewhere and they need to plug it. I phoned and reported it but haven't had a call back (don't expect I will get one).

  19. geoff 9

    Me too...

    I've experienced spam relating to two Santander / Abbey addresses since early November. I'm almost certain it's due to some email address leakage on their behalf. The two addresses are of the format myname.santander@mydomain.co.uk and myname.abbey_business@mydomain.co.uk and the spam messages come to both in pairs, so it's most unlikely that the addresses been 'guessed'. So far I've formally complained to Santander who said it can't possibly be their fault and essentially blamed my internet security behaviour but gave me £50 anyway. I'll be taking it to the ICO and Banking Ombudsman next as I don't believe Santander have adequately protected my personal data.

  20. 3el

    Only took 3 days

    I use catch all on my domain. Never received spam on Santander@domain but 3 days after I gave that address to Santander (over the phone) I started to receive spam/trojans.

    They have a issue somewhere and they need to plug it. I phoned and reported it but haven't had a call back (don't expect I will get one).

  21. DaveR167

    They can say its not them but ...

    I've had the same problem. They have 3 unique addresses on my domain belonging to other parts of the group the Alliance, Abbey and Santander made unique by an eight digit hash also in the address. These addresses are only know to myself and themselves. This is not some hacker trying random combinations, their email database has been compromised. Personally I will be closing my personal accounts with them this Christmas because of the lacklustre attempts to blame everyone else for the breach. If the email addresses have leaked was else is leaking that they have not admitted to.

  22. Smartini

    Generally not very good at security...

    ...or so it seems from the gist of this post:

    http://ramblingrant.co.uk/2013/12/10/santander-another-demonstration-of-how-not-to-handle-security/

    Apparently _most_ of the observed issues have been resolved *except* for the weak password storage issue. I wonder which particular security 'issue' or combination thereof facilitated the lifting of email addresses.

  23. AnoniMouse

    The banks are flouting their own rules [surprise]

    email from a UK High Street Bank, entitled "Avoid fraud - follow our top tips"

    * Never click on a link from any email that takes you to an online banking log on page

    email from card operation of same UK High Street Bank (and this is genuine, not a phishing scam):

    ":You can see the full statement by going online at ...." followed by a login button.

    1. pop_corn

      Re: The banks are flouting their own rules [surprise]

      Many moons ago I emailed Egg, pointing out that their own emails broke 6 out of the 10 tips they had for spotting phishing emails. They never bothered to reply. Shambles.

  24. TechEmperor

    Natwest/RBS/Mint spam

    The day after I registered with Natwest for a bank account with a unique email address just for this purporse, I started receiving SPAM emails about credit card notifications. All of them were from fake Natwest, RBS and Mint. It's really annoying.

  25. Marshalltown

    You think so?

    "...spammers just trying everything@the_domain," Grooten told El Reg. "That’d be a huge waste of resources – and I’ve never seen it happen."

    With a computer to roll the dice, the procedure is childishly simple and involves minimal work for the spammer. I've received spam where the cc list is open and it is quite clear that a machine is generating permutations of strings and firing off emails to each permutation@domamin.com in batches. By scanning the bounced "no-such-address" responses the list can then be refined to active email addresses. Someone who wanted to stay away from the strictly illegal side of things could then compile and sell lists of "good" email addresses. I've suspected this for years since I've received identically sourced spam simultaneously to different addresses that are specifically "purposed." Much of it was "legitimate" spam attempting to market some POS I had no interest in. Others carried payloads of trojans or viruses.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Legal"

      In the UK the sending of unsolicited commercial e-mail to personal addresses is in breach of the CAP code. Businesses not adhering to the code can face penalties from the Advertising Standards Authority:

      http://www.out-law.com/page-4222

      Also, bulk network scanning/probing/e-mail sending could well be argued to fall under the scope of the Computer Misuse Act, which could have criminal implications as well as being in breach of your ISP's usage agreement.

  26. Robert Sneddon

    Mail spam

    Organisations like banks are made up of people, some of whom may well be supplementing their meagre salaries by selling contact lists and the like to spammers, the same way people working for police intelligence centres get caught selling data to private investigators and newspaper reporters every now and then. It doesn't necessarily need to be a Mahogany Row level decision to spam or to sell the data to spammers.

    A long while back I had to sort out a billing problem when signing up for cable TV service and I created a new home address for myself, basically 111a Mystreet, Mytown etc., not an address I ever used anywhere else or gave to anyone else. A few weeks later I got a large wadge of weird religious bumf mailed to that 111a address. I figured someone at the cable company had harvested my name and address privately and taken the opportunity to give free rein to the voices in his head while spending a few quid on postage (this was a thick wadge of A3 colour photocopies). There was no financial gain for the sender (at least as far as I could figure out) or even a solicitation for money, just disjointed rambling and Jesus clip art.

    1. JCB

      Re: Mail spam

      "A few weeks later I got a large wadge of weird religious bumf mailed to that 111a address. I figured someone at the cable company had harvested my name and address privately and taken the opportunity to give free rein to the voices in his head while spending a few quid on postage (this was a thick wadge of A3 colour photocopies). There was no financial gain for the sender (at least as far as I could figure out) or even a solicitation for money, just disjointed rambling and Jesus clip art."

      I think they just take satisfaction in saving your soul. In olden days, when The Times printed the postal addresses in letters to the editor, I had a letter published. I had about half a dozen letters sent to me as a consequence, all perfectly polite, and I had a conversation with a couple of them regarding the subject of my letter. It was quite some time later that I had a letter, four sides of notepaper filled with closed space handwriting about god and Jesus, etc. I suspect that they took my address from The Times too. As you said, no request for money or anything, and no return address.

      Back on topic, I too have had spam on two unique addresses used for banks that were later absorbed into Santander. Like other commenters, I have more than one personal internet domain, and i use mostly unique addresses for non-personal stuff. The style of spam is unique to these two addresses and started arriving simultaneously. All my spam is personally hand-deleted by myself from the catch-all folders. The addresses could only have been harvested from Santenders internal lists

    2. Anonymous Coward
      Anonymous Coward

      Re: Mail spam

      When it comes to fake addresses and names, I find none better than http://www.fakenamegenerator.com/

      However, when I am feeling ornery, I revert to my trusty ...

      1600 Pennsylvania Ave NW, Washington, DC 20500, United States

      Phone: (202) 456-1111

      which passes all the tests and ticks the boxes.

      I wonder how many "free" itunes accounts there are at that address?

  27. Peter2 Silver badge

    First Direct gets a dishonourable mention from me for sending "secure emails" which are a plain html file that the end user is meant to open and then put their username/pass into before getting redirected to another website. Shake my head with amazement every time, have those people not heard of phishing scams?

    I remain unconvinced that conditioning end users to open html files attached to unexpected emails and then entering their username+password is actually secure. Who the hell comes up with this stuff?!?

  28. Lost in Cyberspace

    I get this all the time

    I get this with

    CompanyIOnceUsed@domain.com too - and nobody ever believes it is their fault.

    The same happens with Post too - I put a unique identifier in my address (a made up house name). It's surprising who sells you out to the highest bidder.

  29. Joe Montana

    Same problem

    I too use unique email addresses, and often meet with disbelief when i attempt to contact those who have leaked my address to spammers...

    What we need is a common forum where we can report sites that do this, perhaps they would be forced to listen if a large number of people complained about the same thing and named&shamed them in a public forum.

  30. Anonymous Coward
    Anonymous Coward

    I too have had this problem but the difference is I am not with santandar

    I use the name of the people I am giving dummy addresses to as part of the email address and opt out of "3rd party companies" and it is clear that UK companies are allowing these addresses to be sold.

    Whilst European business still believe they make more money outsourcing to the third world than they loose due to the inherent corruptibility of the same then this will continue.

    That these same businesses are never brought to book for these leaks is the very reason they continue. In the UK these companies outsourcing are supposed to be required to confirm that the third party companies operate at least the same level of data security before passing data however what they fail to address is cultural difference.

    I know it isn't PC but the facts are that whilst they are allowed to outsources to areas of the world where corruption is not just seen as a way of life but where the corrupt are respected then ofc this is going to happen. Anyone who thinks I am a bigot should try actually talking to the people in these countries outside of a formal structure. Corruption is accepted in many cultures because everyone does it, the difficulty is only when people from our culture insist that they are required to conform to alien standards and concepts outside of their cultural upbringing. They just don't get it, no matter what they might say in a formal environment they have their own upbringing and it isn't the same as ours

  31. Robert Carnegie Silver badge

    Some addresses are guessable.

    If you know that Robert Carnegie works at SomeOrganisation, then you can try,

    Robert.Carnegie@SomeOrganisation.co.uk.

    Or, try common names at random - if it's a large organisation, then some of them will hit. Mail administrators: add a short random number to each user's address, to avoid this, as well as for when two or more colleagues have the same name.

    Technically you could send your complaint to the large organisation that leaked your e-mail address by that means, but I'm not clear if that would be illegal too. Does sending an e-mail to someone that you have no particular reasonable right to contact, count as Computer Misuse?

    1. Nasty Nick

      Re: Some addresses are guessable.

      Maybe some of the posters here who manage their own domain email would care to run an experiment:

      1 create a couple of random email accounts like "mr.noname@somedomain.com" and "fred.thecat@somedomain.com".

      2 Do not use these email addresses for anything at all.

      3 Redirect these to one of your business as usual catchall accounts.

      4 Wait a few weeks and see what comes in.

      5 Report back to this thread (assuming Reg mods lets it stay active that long).

      I have no idea how this will turn out, but if we have a few hundred addresses between us it might provide some useful info about this.

      1. Anonymous Coward
        Anonymous Coward

        Re: Some addresses are guessable.

        You don't need to "create" addresses. A basic option on a domain is to enable 'catch-all', which is what many commenters above describe: your suggestion is what they are already doing (look it up if you're not sure what it means).

        It is very easy to just look down the list and see all addresses that have been targeted. In my experience I have seen lots of guesses like firstname.lastname@; initial.lastname@; enquiries, sales, etc@; bob, fred, julie, chris, etc@.

        They come in batches and are easily identifiable as guesses. I have never seen anything like santander@domain.com and certainly not firstname.lastname.santander.curentaccount@domain.com or anything remotely like that. Spammers probably don't even dream that people are using such schemes, their business is about bulk dealing with average joes. It's not even remotely worth their effort to worry about savvy IT types - their chances of success are much lower than usual even if their phishing emails make it through.

        Sometimes it can take a while to convince a call centre drone that you really do want to use theircompanyname@domain.com as the contact address for this account, no amount of explaining about domains will ever allow them to understand.

        The best suggestion, taken from above, would be to use very unique addresses, such as firstname.lastname.targetorganisation.purpose.arbitratily-chosen code@domain.com - this would provide the best evidence that the origin of unwanted email was not a guessing run. Just make sure you save the addresses you thought up somewhere, if you ever want to log in again!

  32. ShortLegs

    Not just email addresess

    Why is it necessary for companies to take your name and address when returning goods? So they can sell your details on in a mailing list.

    I refuse to provide details, and when confronted by the implacable spotty face youth or middle aged female "customer service" rep, make a point of providing a name based on the company, such as Mr C.Urry or Mr I.Kea, and note the name of the person dealing with me (and a copy of the paperwork where they claim never to share your data with third parties).

    Several weeks later, I go back to the store with a handful of unsolicited mail shots addressed to the non-existent Mr Urry, and ask them to explain.

    They make an awful lot of "accidents" and "mistakes" when processing those forms...

  33. Idocrase

    I really do NOT envy the person who has the legitimate version of one@one.com email address. I use that for every bit of spam-bait nonsense I run across. Gmail's spam filters eat everything else.

This topic is closed for new posts.

Other stories you might like