andy vt's tools & blog

Everyone, be aware that when you give your email address, it is being passed on to spammers!!  I track each time I submit my <disposable> email address to a site, and the spam hit my email address within 48 hours...pretty fast!!  And I even donated money to the cause.... :(

    Makes me wonder what else may be in the actual software.....
 

 I expect this post to be deleted pretty quickly, so hopefully some will see it before it is....
 

Few things.  You want to deal with this like an adult, I'm happy to indulge you.  We can discuss this here if you like, but you certainly don't need to start posting crap everywhere.  And you certainly don't need to be threatening this site with DOS attacks.

Why are you selling, or providing, our email to spammers? Within 48 hours of giving you my email address, I started getting spam; and I know it came from you as I use disposable email address for each place that asks for an email address. Thats really a bad idea, very disingenious, especially for those of us that actually donated money to you for the software. Makes me wonder if your software is malware as well... You are truly lucky I don't launch a DOS against your site......

I've moderated your account, which means that you'll still be able to post an download things. You can discuss your issues with spam here and as long as you remain on topic it will be published.

He's totally right about the open source thing. I for one think that you should think twice before accusing people about selling email addresses.

There are several ways spammers could get hold of those, except buying them. On my server I get tons of mail to accounts that never even existed. Spammers are trying different combinations of common words and variation of known addresses. Ex, I have an account on my own server called firstname@domain.com. I have never had an account called firstname_1@domain.com, but you could bet that it and many others gets penis enlargement spam.

I know nothing of this particular case, but I just saying that you shouldn't be too fast to jump to conclusions. There are other plausible explanations too.
 

Even if our e-mail addresses are making it "spammers" from here, what makes you think it isn't the forum hosting web site that is doing it?

I believe this sort of thing is fairly common (or at least was a few years ago) and is just an annoyance we have to deal with.  Web sites don't make much revenue, so selling e-mail addresses is a sort of grey market way to provide income.  Also, many of the agreements we "accept" when signing up to these forums do allow the selling of e-mail addresses.  I don't know if this one does or not.  Did you read it carefully? 

Personally, long before I signed up on this forum, my e-mail has been receiving spam.  Prior to receiving spam I never publicly disclosed my e-mail address.  All I did was sign up to a few different forums and register some products, most of them large forums such as thegreenbutton.com or reputable companies like Cyberlink, ATI, etc.

These days I don't worry about it.  Most of the spam gets taken care of with junk mail filters anyway.

BTW, if your e-mail address is mailtracker2000-dvrmstoolbox@yahoo.com and you are using it as your user name...  Do you really wonder how spambots were able to track down your e-mail address in 48 hours?

Since this is about my original comments, I might as well weigh in on it. 

First, I agree that if this is truly a fully open source software, without obfuscation of any source or associated libraries that may be linked in, then the chance of malware being introduced is very low.

Now, to the main topic at hand.  I too get spam from email addresses I've never had, but that is not the point.  I've got spam that was from an old email address I had, which is rather amusing, but still not the point.  The design pattern I use for my disposable email address is not one that is easily reproduced by anonymous email engine that builds email address from existing information. This is the first time I've actually received spam based on one of them.

The email in question is one that I created about 5 minutes before  using it on this site, so it could not have been harvested prior. I had not used in it any place except registration on this site, which I would suspect is not persistent so that a spambot can walk the site and gather it.  If it is, then I would say that not everything is being done on the site to safeguard the customers privacy. In a private message to Andy (of which there were several which Andy did not mention in his above posts), I said the leakage of the email address could be either intentional on his part, which he denies, or a weakness in one of his systems that is being exploited.  If it is a systems issue, as he seems to be a talented developer, he should be able to find and close this vulnerability.  If its a GoDaddy.com issue, who hosts this site, then I would expect them to have tight control of these types of issues, since they are a large and fairly respected "hoster", and would respond adequately if notified it was indeed their issue.  And they do have some anti-spam policies in place as a part of the Terms Of Service.

    So, to recap, a new email address is created for use on this site, and was not used external to this site.  It is not persisted by myself anywhere (to include this forum) that is knowingly externally exposed to harvesting. The only way it could have gotten to spammers so quickly is that it was intentionally released, which again Andy denies, or that an external systems is somehow harvesting internal information to this site.  Either of these are bad avenues. And if an external systems exploited a hole in the system and was able to get the information so quickly into a spammers database and be released into an actual spam email, perhaps indicates it knows that this site is exploitable. So I stand by my original position that my email address was 'leaked' from this site, and from this site alone; whether it was intentional or a hole in one of the systems that allows exploit, I can't say definitively.  If Andy says it wasn't intentional, then I will tend to believe him, based on what I see of his work and his interaction with the using community.  But that doesn't fix the problem. Speaking derogatively about me, and rather childish at that, is not the best way to handle this.

     Thats my logical view of the situation......

Most of this I covered in my previous post.  But your 1st and 2nd paragraphs allude to that fact that this site could be the source of the email address 'leakage", which is what I have postulated.  And a reputable site will have, as you indicate in your post, a privacy notice and usage of personal information posted an available.  I haven't seen one yet on this site. If I had seen one at the point of registration of my personal information, and it had said that my email address would be 'used' in some fashion other than direct support of my activities on this site, then I obviously not have signed up.

Now, to your point of my email address...a spambot can only harvest that information IF it is persisted in a website in a fashion that it can walk the site and gather it; in other words it's statically in a webpage somewhere.  That email address was never used anywhere on this site except for signing up (and not on this forum), and that is a dynamic process (and not posted to any static webpages I can see) and my email address does not appear to be posted external to that registration process and so should not be harvest-able by walking the site. 

BTW, I do use spam filters, at several levels, which is how I noticed that my email address had been hijacked so quickly... 

Your username is mailtracker2000-dvrmstoolbox@yahoo.com (HT Slider pointed this out earlier).  No one had to do anything nefarious, you published your email address for the whole effing world to look at.  I'm surprised it took 48 hours for you to get spam.

Honestly, given that you published your own email then blamed me for doing it doesn't really put you in the best light. Honestly you pretty much deserve any ridicule that you receive. 

Wow, you are amazingly clueless and don't read well.  You should put on some glasses and re-read my previous post on this exact issue!  With this poor attention to detail, or understanding of simple english, you must have a high defect count in the software as well.

But let me repeat as you may be a slow learner....my email address was never published to a static webpage where a spambot could walk the page and harvest it....never.  It was only submitted to your registration process, which did not seem to publish it is a static web page. An external spambot can only harvest info from a static webpage, or if a web page is dynamically generated (and doesn't require authentication or validation) that can be triggered by a spambot.  They cannot delve directly into your database, if its correctly designed and surfaced, to harvest information.  This is software development and information security 101.

Would you like me to explain this to you once more? 

Is the e-mail you are using mailtracker2000-dvrmstoolbox@yahoo.com?

If so, it is you that is confused.

There are e-mail searching "spambots" crawling around the web 24/7.  Any public web page that you or I can view without first entering a password will be searched by these "spambots" for e-mail addresses.  Once an e-mail address is found, it is added to various spam/junk mail source list and sold right away to anyone who has or is interested in purchasing e-mail lists.

You can try this as an experiment if you like.  Go to your favorite web forum and in any way you like (user name, message content, etc.), provide a new e-mail address that anyone viewing that page can see (create a brand new e-mail address and use it).  Then wait and see how long it takes for one of these web crawlers to find the e-mail address.  It might take a few hours, a few days, etc. but it will happen and it will happen fairly quickly.

I suggest in the future, if you don't want spam e-mail, don't place your e-mail address where anyone can read it.

More importantly, in the future, don't go flaming people so rudely.  You may find it you that has accidentally published something for the world to read.

everyone who registers here has a profile, every profile is visible, anything you choose to include in that profile is public to any entity that can process html (browsers, crawlers, etc).  you published your email address, this isn't a security issue it's user error.

click on your user name (it's the left corner of your posts), it will take you to your user profile page.  from here you can clearly see that your email address is published for everyone (including spam crawlers) to see.  my username works the same way, except my user name isn't my email address (which is hidden).  now we can debate whether it should be possible to enumerate user profiles (which can be done easily from here http://babgvant.com/user/Members.aspx), but ultimately that is a moot because it's intrinsic functionality with CS

Hard to believe you guys still don't get it; you keep repeating the same thing over and over.  You keep saying that I put my email address in a public web page where a spambot can crawl it.  I NEVER DID THAT!!!!  And you just repeated the same thing I said in my post about needing a password!!  I was getting spam before I posted anything here to this forum/website!!!  Can I be any more clear than that????  As a matter of fact, you and andy has placed my email address in more posts that I have, in the actual body of the post......

 Regarding the flaming, I was flamed first intially..I didn't start it.  I did not make my first post a personal attack on anyone; I only stated that my email address had been compromised..go read it again if in doubt.  Andy then started the derogatory statements, even in the private messages he sent, and also in the post above...don't make me the bad guy here.

I'm not going to repeat the whole reply I just did to HT Slider, but it is totally appropriate here as well.  I will just repeat again for the 5th time that I did not post my email address to any public webpage, anywhere, before I got spammed!!!  There is no way a spambot could have walked a website and gotten it.  Can you please understand this, so I don't have to keep repeating the same thing over and over?

The second point of your post is one I also brought up earlier.  As I didn't expose my email address to any public area where it could be harvested by a spambot, then it had to be either intentionally released by a person (which you say you didn't do) or it was exposed through a vulnerability of an underlying system. Thats the only 2 likely avenues, and I brought these up in earlier post but you were so focused on whacking me over raising the issue, I don't think you got it.  

And from what you just stated, a spambot can enumerate over your member list and harvest information, which is not a good security policy.  I find it hard to believe that a commercial product like CS would knowingly allow a vulnerability like this to continue to exist, with the nature of spambots and focus on internet security. At the least  you should put a notice when people are registering for the forum that lets them know that their information is at risk for spambot harvesting, and giving them the option to make changes or not join.

I dislike derogatory statements as much as the next guy.  But when I raised an issue here, that is what I got...sarcasm and derogatory statements; not a statement of concern or assistance.  And so I returned the favor with frustration that you just weren't really reading what I was saying. 

Also, you might want to check your usage of ad hominem, that is not really what happened, at least from my side.

I can't believe I'm wasting my time trying to help you understand how web forums work...

As soon as you create an account, your user name is available to spambots who search using the members list.

You chose to use your e-mail address as your user name so it was available the instant you created the account.  Case closed.

 Take a look at page 5 (currently at least) from the following link:

http://babgvant.com/user/Members.aspx?search=1&t=&sb=0&so=1

You'll find your e-mail address available for the world to see, without any passwords required.

I suggest you apologize to Andy and stop this ridiculous argument.