|Adwords Client Email Database Compromised?|
Received spam - email address is NOT public
Has anybody else recently received spam directed to your Adwords account email address?
I use a unique disposable email address (using the Spamex service) for each online registration - so I am able to identify where spammers got my address.
Today, I received a spam message to the email address associated with my Adwords MCC account.
I do NOT have a public profile for this Google account. This should be PRIVATE information that apparently has somehow been compromised.
I've had this account since December. This is the first spam I've received to this email address.
Am I incorrect in thinking that this email address should be private?
It should be private. However, there are other ways for people to harvest e-mail addresses besides just having it given to them.
Was the address such that it would have been impossible for a brute force spam attack to not have potentially gotten to it? If it was any common name or words, it is possible they just hit it by accident.
or spyware on your computer / browser
|Was the address such that it would have been impossible for a brute force spam attack to not have potentially gotten to it? If it was any common name or words, it is possible they just hit it by accident. |
Very unlikely that the address would have been hit by a brute-force guessing attack.
It's also of course possible that the disposable email address service that I use had a security breach.
Curious if anybody else has their account similarly configured (i.e. using a DEA) and recently received spam on the address.
Not a problem, as the address IS disposable. This is what it's for. I'll just disable the address, generate a new one, and update my MCC account.
A bit of explanation to understand why I think somebody somehow got their hands on a supposedly private email address registered with Google:
- I use a Disposable Email Address (DEA) service. (Spamex). This allows me to have a unique email address for each and every online registration - merchants, online forums, etc. I currently have 183 enabled and 3 disabled DEAs.
- I receive - and expect - spam - on most of those DEAs that are posted publicly. I have a fairly small number of these (mostly addresses needed for WHOIS records).
- It's actually very rare to receive spam on DEAs that are not posted publicly. (i.e. in cases where the website where I've registered claims that it is a private address.)
This is why I think something fishy could be up with the security of the Google registered-address database. If the address was harvested through spyware on my machine, etc. I would expect to receive spam on the OTHER DEAs that are not publicly posted. I haven't.
After nearly a decade of working in the ISP industry, I can honestly tell you that I am convinced that spammers are finding ways to tap into network points and actually sniff traffic for addresses in real-time.
Case in point ... as I was leaving a small hosting company I was working at, I was on good terms with them so they agreed that they'd have my email forwarded to an account in my own domain. I set up the account oldmail@______.com for them to use for forwarding, and then made that account in my personal domain.
This account was only used in one direction - for their server to forward mail to my domain. I never used it on my own, it was never in anyone's address books, etc.
Three or four months after I set that up, I got my first spam on that account. Outright impossible, unless they were just bulk guessing at the name "oldmail" or found a way to compromise the mail server (also a possibility). Given that I have a separate "catchall" account for my domain, any dictionary attacks would have been obvious ... but there were none. I'm convinced that as the occasional email made it through the dozen-or-so hops to get from their mail server to mine, it was compromised somewhere along the way.
If you're a prolific spammer (and the top guys make insane amounts of money, unfortunately) it makes sense, from an economic perspective -- find some underpaid overworked network techie that works for a big ISP, offer to pay them $10k under the table if they'll give you two days' worth of SMTP headers off the backbone... I bet it happens.
I would tend to lean towards creativity on the part of spammers (this is their primary business, after all - your email address) than any compromise at AdWords.
We actually run a disposable email service that we designed ourselves, and which I have used in the past for Google Adwords, Overture (now Yahoo) and Looksmart - I set up unique email aliases for each of those services, and ONLY used those email addresses for these services, and got significant spam on every single one. So if Google is letting out the email addresses, they're not the only ones doing it. I will say this - when they came up with the MCC, I switched over to a GMail account, and I don't seem to get any spam on that one, for the past couple years.
|After nearly a decade of working in the ISP industry, I can honestly tell you that I am convinced that spammers are finding ways to tap into network points and actually sniff traffic for addresses in real-time. |
I agree with this. I have set up e-mail accounts and have received spam within DAYS!
I've watched SMTP packets coming into my servers with systematic attempts at "bob@...", "cindy@..." etc, so "oldmail@..." would strike me as unsurprising.
I've gotten so frustrated with 10,000+ SPAMs a day that I've simply let my entire mail server die... When I am feeling strong I shall bring it back to life.
|I've watched SMTP packets coming into my servers with systematic attempts at "bob@...", "cindy@..." etc, so "oldmail@..." would strike me as unsurprising. |
Yes, but none of my user portions of my email addresses were actually proper names or words, so it would be virtually impossible for any dictionary attack to hit on one of my names. Our disposable email address system comes up with randomly generated strings like 'wroluphu' and 'trawowtheth' and things like that - no dictionary spam algorithm is likely to come up with even ONE of those, let alone all three of the unique addresses I used on google, overture and looksmart.
|If you're a prolific spammer (and the top guys make insane amounts of money, unfortunately) it makes sense, from an economic perspective -- find some underpaid overworked network techie that works for a big ISP, offer to pay them $10k under the table if they'll give you two days' worth of SMTP headers off the backbone... I bet it happens. |
This is exactly what's been happening...
but I also wouldn't put it past them to have more sophisticated methods of actually "tapping in" these days.
I worked in pr0n for years...
been to tons of conventions and met many of the top spammers in the industry.
It's an incredibly big and sophisticated business.
These guys have resources like you wouldn't believe...
because the only people that can market a product better than an internet pr0nographer, is a professional spammer.
Anyway, I was just a web designer trying to make a buck in the aftermath of the dotcom explosion...
so don't flame me (or this thread) with your opinions on that topic.
I'm just affirming what was already said...spam is bad.
|It's an incredibly big and sophisticated business. |
Yup. One of the hosting companies I worked at was debating taking on a new client - they really looked like spammers, but they swore up and down that they wouldn't be sending mail from our netblocks, all of their email addresses were opt-in, blah blah blah. Our CEO was desperate for money, so he took the contract. $30k per month, plus about $15k up front as setup fee for provisioning all the gear. First month and setup were all typically payable in advance, so we probably got $45k out of this guy.
The guy was amazing. We were accustomed to having to help our clients a bit with installing apache, DNS, mail servers, etc. He refused the help, and had scripts automated to set up everything. He was up and running in under a day.
Well, sure enough, the next day the complaints started coming in. Our CEO, in not the brightest of moves, attempted to ignore the problem as long as possible. Probably did so for about 4-6 weeks, until our upstream provider told us they'd be cutting us off within 24 hours if the problem was not resolved.
We pulled all the gear off the network. Guess what? We watched his domain names, and in under 24 hours he was already up and running under yet another provider. So it was obvious that he literally plans and expects to get cut off by his providers ... so as soon as he signs one contract for hosting, he probably starts negotiating the next one so it's ready to go as soon as it's needed.
If he'd stayed with us, his hosting bills would have likely been $400,000 - $500,000 per year. So yup, there's big money in spam -- even still to this day -- and we should never underestimate what lengths they will go to in order to get fresh email addresses. Even to the point of hacking into servers, wiretapping communications points, or enlisting others to do so.
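
The attribution reasoning used across this thread (one alias per registration, public versus private aliases, a catchall that makes name-guessing visible) can be written down as a small triage routine. This is an added example, not part of any post in the thread; the aliases, the `example.test` domain, the verdict labels and the threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed registry: alias local part -> (where registered, publicly posted?)
ALIASES = {
    "qx7rtal": ("ppc-account", False),
    "mv2oshe": ("merchant-signup", False),
    "zk9whoi": ("whois-record", True),
}
DOMAIN = "example.test"  # assumed domain with a catchall mailbox

# Constructed RCPT TO values taken from messages already classified as spam.
SPAM_RCPTS = ["qx7rtal@example.test", "zk9whoi@example.test",
              "QX7RTAL@example.test", "bob@example.test"]

def triage(spam_rcpts, aliases=ALIASES, domain=DOMAIN, guess_threshold=3):
    """Return {alias: (registration, verdict)} for every alias that got spam."""
    hits, unknown = Counter(), set()
    for rcpt in spam_rcpts:
        local, _, dom = rcpt.lower().rpartition("@")
        if dom != domain:
            continue
        if local in aliases:
            hits[local] += 1
        else:
            unknown.add(local)  # never-issued name, visible only via the catchall
    # Many distinct never-issued local parts means someone is guessing names.
    guessing = len(unknown) >= guess_threshold
    private_hit = [a for a in hits if not aliases[a][1]]
    report = {}
    for alias in hits:
        site, public = aliases[alias]
        if public:
            verdict = "expected-public"    # harvested from where it is posted
        elif guessing:
            verdict = "guessing-possible"  # a dictionary run is in progress
        elif len(private_hit) > 1:
            verdict = "shared-source"      # mailbox host, alias service or mail path
        else:
            verdict = "isolated-leak"      # this one registration or its mail path
        report[alias] = (site, verdict)
    return report

if __name__ == "__main__":
    for alias, (site, verdict) in triage(SPAM_RCPTS).items():
        print(f"{alias}@{DOMAIN}  registered at {site}: {verdict}")
```
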