Who's Trading Your E-mail Addresses?

Bennett Haselton is back with another piece on e-mail privacy. He starts "On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for "ameritrade spam" are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. (I don't actually do that with most companies where I create accounts. But after hearing all the AmeriTrade stories, I created an account with them in April just for the purpose of entering a unique e-mail address and seeing if it would get leaked.)" Bennett continues on if you're willing to click the link.

What's surprising is that as far as I can tell, AmeriTrade has taken almost no heat in the media for letting this happen. Despite the abundant testimonials from bloggers who had their addresses leaked, the story never crossed over into the "mainstream" Internet press. In a recent Bloomberg News story, the FBI warned that E*Trade and AmeriTrade users were vulnerable to spyware installed by criminals in hotels and cybercafes to capture accounts and run pump-and-dump stock spams; no mention of the fact that all AmeriTrade e-mail addresses were apparently already in the hands of spammers anyway (although no one knows if usernames and passwords were leaked to the spammers as well).

This doesn't bode well for anyone who uses any type of online service and wants that service to keep their personal information secure. If AmeriTrade got skewered in the media for leaking customers' personal information to spammers, other companies would see that and learn the lesson. On the other hand, if AmeriTrade gets away with it with barely a whisper in the mainstream news, other companies are going to take note of that, too. Besides, spam and identity theft hurt everyone, not just the victims, because the costs are passed on to all of us in terms of higher ISP charges, higher payment processing fees, and more mail lost due to stringent spam filters.

AmeriTrade disclosed in April 2005 that a tape containing some customer information might have been stolen in February of that year, and many spam victims who blogged about their AmeriTrade addresses being stolen, referenced that incident as the likely cause. But after Bill Katz's blog post became a clearinghouse of sorts for complaints about stolen AmeriTrade addresses (probably as a result of being the first match on Google for "ameritrade spam"), several users posted that they had received spam at accounts that were only created with AmeriTrade in summer 2006. And then my e-mail address got leaked between April 14 and May 15, 2007. So it's pretty clear that some attacker has access to the AmeriTrade customer database on an ongoing basis, and the February 2005 tape theft probably had nothing to do with it.

AmeriTrade says that California law required them to notify their California customers of a potential security breach after the tapes were stolen, and that they went further and notified all of their customers anyway. Since there is now proof that their database is more or less perpetually open to some outside attacker, will they send out another notification letter to customers?

An accidental security breach can happen to any responsible company, especially if they are compromised from the inside. But the trail of blogosphere and UseNet posts indicates that several times AmeriTrade has concealed the full extent of the problem from customers who asked them about it, or has given out information that they already knew was wrong. In one thread in October 2005, a user reported that they wrote to AmeriTrade asking why their AmeriTrade-only e-mail address was getting spammed, and AmeriTrade replied that the spammer might have guessed the address using a dictionary attack, adding:

We have no reason to believe that any of our systems have been compromised. Ameritrade deploys state of the art firewalls, intrusion detection, anti-virus software as well as employs a full time staff of employee's dedicated strictly to Information Security and protecting Ameritrade's systems from unauthorized access.

But that was long after February 2005, when AmeriTrade said that tapes containing customer data were stolen. (Even if that turned out not to be the cause of the spam after all, by that point AmeriTrade knew that their customers' addresses had been leaked somehow.)

Then when my friend Art Medlar complained to AmeriTrade this year about the same thing happening, he got a response saying that even if he was getting spammed by an address that he only gave to AmeriTrade, that could be the result of hackers "implanting 'bots' that have the ability to extract e-mail addresses from your computer, even when you have protective spy software engaged". But of course this makes no sense -- if this were the source of the problem, it would affect everyone's e-mail addresses equally, and would not explain why a disproportionate number of complaints were coming from people who created addresses that they gave to AmeriTrade specifically.

When I sent AmeriTrade my own inquiry, I got a response that was identical to a forwarded message that someone else posted to news.admin.net-abuse.email in April. (To their credit, in this version of the message, AmeriTrade is acknowledging responsibility for the problem instead of attributing it to dictionary attacks or botnets. But the e-mail contains the curious piece of advice: "Please be sure to delete any spam you might receive, then empty your e-mail's trash so that it's no longer kept there, either." Huh? As one reader replied to the UseNet thread: "Cynical Translation: Please don't retain any independent evidence.") At first I didn't realize this was a boilerplate response, so I sent back some more questions, asking, for example, whether they would notify their California customers of the data security breach as required by that state's laws. The second response I got was a copy of the old boilerplate that they were sending out two years ago, blaming "dictionary attacks".

Now, compared to the 1,000 spams I already get every day (pre-filtering), the AmeriTrade spams were just a drop in the bucket, and many of their customers are probably in the same boat. And unlike most AmeriTrade customers, at least I can stop all AmeriTrade spam just by de-activating those addresses, since they aren't used for anything else. (Right now I'm keeping them open just to see what else comes in.) But AmeriTrade's database also contains much more valuable information such as names, PIN numbers (do you use the same PIN number everywhere that you sign up?), and Social Security Numbers. When I signed up for my account, informed by dire warnings that federal law required accurate information "to help the government fight the funding of terrorism and money laundering activities", I gave AmeriTrade my real SSN, address, and other personal data, figuring that if I gave them false information, I might get in more trouble than the experiment was worth. But now that the attacker has my e-mail, they might have all of my other information as well. In the coming months I'll probably start checking my credit report more often than I used to.

Probably someone inside AmeriTrade is selling customer data to an outside spammer. (It seems less likely that an attacker would keep breaking into AmeriTrade repeatedly to get updated copies of the customer list. Once you've broken in and gotten the customer database from 2006, why bother breaking in a year later, taking the risk all over again of getting caught and going to jail, just to get the updated 2007 database? Surely the 2006 list would be enough to run any pump-and-dump stock scam that you want!) Two suggestions to AmeriTrade to tighten their security: First, the number of people within the company who can access the customer database, is probably a lot larger than the number who actually need to access the customer database. Limit access to the e-mail database to people who actually need it. Second, in any cases where different employees really need to have access to the list, try giving them different versions of it, where each version is "seeded" with spamtrap addresses at Hotmail and Yahoo Mail. If the spamtrap addresses that start receiving spam are all ones that were used to seed one particular employee's copy of the list, then you've found the source of the leak. That won't stop the spam being sent to addresses that have already been stolen, but it could prevent further leaks from happening.

The SEC recently announced that they would suspend trading of companies whose stocks had been the target of spam campaigns to manipulate the price. Perhaps AmeriTrade could do something similar -- once a stock is identified as being promoted in spams sent to AmeriTrade customers, any customer attempting to buy that stock would be presented with a message saying that AmeriTrade was blocking the transaction for security reasons. (If this runs afoul of some SEC regulation that a brokerage has to let you buy any stock you want any time you want, then at least display a big warning when AmeriTrade users try to buy it through their system, saying that the stock has been the subject of a fraudulent promotion scheme and is an extremely high-risk buy.) However, while this would remove the incentive for stock spammers to target AmeriTrade customers, it's also really just covering up a symptom of the problem, rather than addressing the problem itself, which is that a spammer was able to steal the customer information from AmeriTrade's database in the first place.

But whatever they do, AmeriTrade should stop blowing off the people who complain about the spam, with messages about "dictionary attacks" and "botnets". When customers create specialized spamtrap addresses to detect if their e-mails ever get leaked, those are the tech-savvy customers who (a) know what they're doing, and (b) hate spam more than most people, and giving them misleading information is just poking a stick in their eye. Not a smart move when AmeriTrade has been leaking private customer information and is based, as their name indicates, in the most litigious country in the history of the world.

Re:Abusable fix?

[UbuntuDupe]

Based on the comments on other threads on this topic, the flaw with such a plan is in "short it". To short-sell a stock, you must borrow it. To borrow it, someone must be willing and able to lend it. To be able to lend stock, you have to be a large institution, which are generally prohibited from buying (and thus holding) thinly-traded penny stocks. And it's exactly the penny stocks that are targeted by pump-and-dump schemes.

Strangely enough

[zappepcs]

I met someone not long ago that wanted some DB work. They were wanting to organize and sell phone numbers, street addresses, email addresses, and they attempt to collect/gather as much meta information as possible. Various relationships tell them whether you are a good target for any given spam type email or direct mail campaign.

Someone with your address on their list will try to sell it for $.50 or up to $5/10 if they can get it providing it is a valid address. There is money in selling such information. THAT is why you get spam. If they could figure out how to make all drivers of any vehicle made before 2000 as they drive down the highway, people would sell that to autodealers... Its all about Ad revenues, and your email address is just another pageview sort of thing for people buying the lists.

There is no method to prevent this. If one person at company X illegally sells a list of clients of that company, it will be out in the wild, nothing to stop it from being resold dozens of times.

There's another possibility

[drgroove]

AmeriTrade is simply selling your information to third parties.

Dell does this. I know this for a fact - I gave Dell my information while setting up a business account for a small consultancy that I was running a few years back out of my house. I hadn't yet formalized the business legally, but gave Dell the name that I was going to use for my business. Within weeks, I began to receive snail-mail spam using the business address that I had only given to Dell. No one within Dell was stealing my information - Dell sells information about their customers to make a buck.

AmeriTrade very likely does the same thing. After you give your email, snail mail, phone, etc info to them, they turn around and earn a buck or two by selling your information to other companies.

Re:gmail mail tracking trick

[TheThiefMaster]

You're assuming that said site knows that email addresses containing a + are valid.

Lots of places check for alphanumerics, dot and @ and reject anything else.

Re:Abusable fix?

[FasterthanaWatch]

Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

I'm pretty sure you can't short those stocks.

Inside Job

[interstellar_donkey]

Probably someone inside AmeriTrade is selling customer data to an outside spammer

That would be my guess. There's probably not a whole lot Ameritrade (or any company) can do about it other than figure out a way to deeply restrict access to the email addresses. But when you need customer service/marketing/administration departments to have access to customer's email addresses, it can get a little hairy.

I can remember back in '99 going to work for a rather large ISP. My first day there they created an email account for me. After four days of orientation and I started to actually do work, I checked my email and found it loaded with spam. This account had been on no mass mailings, has had nothing sent out, and had received no communication from within the company. The name wasn't anything close to what you'd find in a dictionary. As far as I could tell, the only way spammers could have gotten their fingers on the address was if someone inside the company was selling the address out.

Re:Abusable fix?

[mcrbids]

Wouldn't this also be abusable? Pick a stock, short it, spam the hell out of everybody, watch Ameritrade or whoever blacklist it, and watch the price drop.

Thoughts like this are the kind of thoughts that convince Libertarians that the marketplace will ALWAYS correct itself. Notice that a protection against one type of unscrupulous behavior becomes an enabler for another type of behavior - which is then protected against.

The net effect of this continuous spy-vs-spy type war is a balanced marketplace that does an amazingly good job of equating equity and earnings. What few Libertarians really grasp, however, is the role of infrastructure on the enablement of the marketplace.

Every American is born with almost half a million dollars in pre-existing infrastructure that is directly available to him/her. This includes roads, schools, etc. This infrastructure is what's used to generate the earnings - society usually gets about 8% return on investment for its infrastructure, based on the national average income.

But who wants to WORK for a living? Despite having the highest standard of living in human history, people would rather cheat and game the system to avoid even the pitiful 40-hour work week. And so the spy-vs-spy game continues, people try to get money for nothing, and the inherent laziness of mankind, which is our never-ending drive to resource efficiency, continues.

Was I saying something? /QUIT

I reported this to the SEC, but not much happened

[JeffL]

The first time I received spam, not ads for "partner" companies, but pump-and-dump image spam, and such, I reported Ameritrade to the SEC. After contacting Ameritrade and receiving a big "so what" from them, I filled in the SEC's online complaint form, detailing the problem. A week or two later I received a letter (on paper) from them asking me to e-mail them more information and any additional evidence. I sent them a detailed explanation of the problem, along with information about why it was extremely unlikely that the e-mail address was stolen from my end (none of my other unique addresses were receiving spam), and a copy of all of the spam messages that had been sent to my ameritrade address.

Since that time I've not heard anything back from the SEC. I didn't really expect to, but I was hoping that if 10-20 people complained about the same thing, and provided evidence, they might actually start an investigation. That was August, 2006, so maybe they really are doing something, and I should just be more patient.

A friend who was also receiving the ameritrade spam convinced ameritrade to waive the account transfer fee, and moved all of his stuff to Scottrade. I changed my ameritrade e-mail address, and haven't received spam to the new address, so I thought perhaps the leak had been fixed. Now that I see the problem is still occurring, I'll take the time to move my accounts.

Re:A way to kill the competition!

[nelsonal]

Pump and dumps are for little bitty companies that don't really do anything (most aren't operating) think Infinium Labs (maker of the Phantom console). It would take billions to pump and dump a listed stock.

Assume the worst...

[wowbagger]

Assume the worst:

• Assume that any business to which you give an email will immediately sell it to every spammer on the planet.
• Assume that any individual to whom you give your email will be trojan'ed and harvested by spammers.
• Assume that any web site to which you give an email will be scraped by spammers.
• Assume that every mailing list to which you sign up will be scraped by spammers.

In other words, for any email address you use, assume that it will at some point fall into the hands of spammers.

So, given these assumptions, what are you to do?

1. Never get too attached to any given email address. Be prepared to drop any address like a hot rock.
2. Thus, try to have one address for each role in your life: one for friends, one for close friends, one for work, one for each mailing list, one for each business with which you do business, etc. Use sites like SneakEmail or SpamGourmet as needed.
3. Refuse to give your email where-ever possible. Most places that want it don't need it, but ask for it so that they can spam it. Ask yourself "Do they REALLY need to be able to email me?" If you cannot think of a good reason why they should, refuse.
4. For entities which will NOT allow you to refuse to give your email, give them a disposable email, and revoke it as soon as possible. Alternatively, use an email which has become compromised and is now worthless.
5. Make up a list of disposable emails, print it out, and carry it with you, to deal with those Big Blue Room incidents where you need to fork over an email. Make the print-out have 2 parts — one to tear off and hand to the requester, one to keep for yourself (with a space below the email into which you enter the entity assigned to it.)
6. Use email hosts which have the best possible spam filtering. I suggest setting up an account with Spamcop and using them.
7. Don't use the email assigned by your ISP for anything if at all possible: that way if you need to change ISPs you can do so without any big issue.
8. When creating an email address, don't use your name or any other unique identifying information (e.g. a ham radio call sign) - those are too easy to guess.

Yes, this may sound paranoid. But unfortunately until the technology is changed to allow tracking spammers down, and the laws are changed to allow dealing with spammers effectively (.30-06 is effective), these are the sorts of measures needed to keep your inbox relatively clean.

Re:gmail mail tracking trick

[egypt_jimbob]

...invalid characters.

Read the rfc [faqs.org]. Specifically sections 3.2.4 and 3.4.1; "+" is an atext character that is valid in the local-part (the junk before "@") of an address.

And to the grandparent: gmail is not the only mail client that allows this. Mutt and pine definitely do and I am sure there are others, since the use of "+" is perfectly valid. In fact, the ones that don't are non-compliant.

Use dots/periods with gmail addresses

[dmeranda]

Another gmail trick that is more friendly to dumb sites that
use broken regexes is to just insert extra periods in your
mailbox name. Then you can filter based on that. If your
gmail address is johndoe@gmail.com, then you can also use
things like jo.hnd.oe@gmail.com, joh.n.do.e@gmail.com, etc.

Re:Ameritrade is bunk

[drinkypoo]

Bricks and mortar Bank of America is not going to fuck over customers to get 10 bucks an email address

Bank of America is pure, concentrated evil. Not only do they have some of the worst customer service on the planet (especially if they feel you are in the wrong) but they were one of the last corporations to pull out of their investments in Apartheid.

Re:gmail mail tracking trick

[SpeedyBandito]

Make sure you use something like my.address+personal@gmail.com, and then set gmail to automatically filter anything without a +suffix.

Spamgourmet is even easier.

[Kadin2048]

Protip: if you run your own mail server generate a whack of aliases (ie: bogus000 through bogus999) so you always have a disposable address available.

Even easier: just go to Spamgourmet.com [spamgourmet.com] and set up an account there (takes about 15 seconds, seriously), and then you can use all the addresses you want of the form [someword].youremail@spamgourmet.com.

E.g., if you're signing up for Ameritrade, you could use the address "ameritradesucks.kadin@spamgourmet.com" (or any other of about 10 different domains, it's not just limited to spamgourmet).

After each address has forwarded a set number of emails through to your real, hidden address, it will shut off and all further messages will be "eaten." (You can re-activate emails if you want, or set up whitelists so that all email from ameritrade.com gets through.)

It's a pretty brilliant system, and it's completely free. If you set up an account and use Spamgourmet dummy addresses everywhere, you can almost totally prevent spam arriving directly to your inbox. Also, you can go in later and see which addresses have been flooded with spam (some of mine have received thousands of messages) and see exactly what services are selling out out. Very cool.

Re:Hrm.

[oyenstikker]

I used to use aliases, but they got too cumbersome. Now I use a database table.

I started out following this tutorial: http://workaround.org/articles/ispmail-sarge/ [workaround.org]

Re:May be related to TD Waterhouse merger

[CrazyLegs]

I work for TD. There is a TD Waterhouse Canada, and there used to be TD Waterhouse USA. The later was recently mergered into Ameritrade, which then became TD Ameritrade. TD Waterhouse Canada remains a separate subsidiary.

Re:Assume the worst...

[joh]

Another way to deal with this is to just use one address and filter the spam. I'm doing it this way: I have exactly two addresses (one for professional use, one for private use) which I have not changed for more than 10 years now. I don't protect them in any way, I post with these addresses to Usenet, to mailing lists, use them for newsletters and use them without even thinking of spam just everywhere.

Effect: Yeah, these two addresses are very likely to be found in every single spam database in the solar system and beyond. So what? Filtering works good enough to allow only about a dozen spam mails get past my filters daily. Nothing to be afraid of. On the other hand I don't have to deal with a myriad of addresses which may or may not receive legitimate mail, I have not to waste any thought over what address I give out to whom and every single person who wants to send me mail can do so, even if he finds my address in some dusty mailing list archive from a decade ago -- it's still the same address and it works.

Don't take it personally but your strategy is really flawed. Take an address (make sure it is your own and register a domain) and stick to it. Everything else makes the solution worse than the problem, since you not only receive spam on several addresses but also have to carefully track which address may still receive legitimate mail.

Yes, this may sound paranoid. But unfortunately until the technology is changed to allow tracking spammers down, and the laws are changed to allow dealing with spammers effectively (.30-06 is effective), these are the sorts of measures needed to keep your inbox relatively clean.

My inbox *is* relatively clean.

Re:Hrm.

[greed]

I had the same problem as the parent with the same config the grandparent was using. Two things helped immensely.

First, a few rules in my Postfix helo_access file:

/\.mydomain\.mytld$/ 550 You are not me.
/^mydomain\.mytld$/ 550 You are not me.
/^[\d.]+$/ 550 See RFC 2821.
/^\[my.dot.ted.quad\]$/ 550 You are not me.
/^\[10\.[\d.]+\]$/ 550 Your network is unreachable.
/^\[192\.168\.[\d.]+\]$/ 550 Your network is unreachable.

(Yes, that doesn't trap all ways of writing IP address, and leaves out 172.16/12. It's the first 3 rules that do most of the work, as it turned out.)

Second, turning on some more RFC strictness in Postfix SMTP chat:

smtpd_recipient_restrictions =
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_hostname,
reject_invalid_hostname,
check_helo_access pcre:/etc/postfix/helo_access

And I'm thinking of moving permit_mynetworks to just above check_helo_access now that I've got SASL working nicely on all the other stations.

But it's all moot now, because pobox.com can now do MX for customer domains with wildcard addresses AND you get all of their peer-IP-address- and header-based anti-spam checks. I've been using them for _years_, so was quite happy to use that new service.

Well, I left it all there, so that no-one going directly to the A record for the domain can invent things, either.

Re:Hrm.

[DarkAxi0m]

with gmail, if your address is foo@gmail.com, you can send mail to foo+bar@gmail.com (it might be bar+foo@gmail.com, i can't really remember) and it will get to your account.

You can then set up a filter for it. I find it a good way to filter mailing lists.

It can become a problem where some sites wont allow + in the email address

Re:Assume the worst...

[bcrowell]

Your advice misses the point. I have followed every single piece of advice on your list. I am getting pump and dump spam to the disposable e-mail address I set up solely for my ameritrade account. I couldn't care less about spam being sent to that address, because it's all going to the bitbucket. The problem is that (a) I have the vast majority of my life savings entrusted to these idiots, and they're apparently completely clueless about security, and (b) it's not clear to me that I have any way of bailing on them without incurring massive capital gains taxes.