« (In)Security | Main | PSA (Not That Kind) Test »

December 22, 2004

I am registered with several Yahoo! Groups for some professional and hobby interests of mine. I have a few of them send me digests of messages, while for the others I check the message boards manually from time to time. It's not a bad service, although the ads can get a bit intrusive.

The other day, a message arrives in my inbox from a yahoogroups.com address, and headers show the originating mail really did come from a Yahoo! Groups (YG) server. But the message was from a group I never signed up with. Moreover, the To: field (and envelope) of the message wasn't directed to the address I use for my real groups, but rather an address at one of my domains that had been harvested from another location on the Internet.

The message was from the moderator, wishing me (well, not by name) happy holidays, while he was about to go skiing in California for vacation. "Thanks for being a valued subscriber of mine," it ended. Above that was a pitch for an "amazing program" that earned him a bunch of cash. According to him, I had visited his Web site "a while back." Since I avoid scammy Web sites like the plague, and certainly wouldn't register with any kind of email address, I have only two words for this guy:

Im. Possible.

Upon visiting the YG home page, I searched for the name of the group (which has "home" and "biz" buried within it). It shows up with over 18,000 members. That is huge in Yahoo! Groupdom. I then click the link to visit the group's area.

Unlike other groups I've visited as a nonmember, this one didn't display any information or links or anything. Just a message that it is restricted to members only. Since I had not "joined" this group through my regular YG ID, I logged out and entered the group again as a non-person. Still no access unless I entered the right YG user ID and password.

But how can I do that if I didn't create the registration in the first place? Supplying YG with an email address is (thankfully) insufficient to get them to reveal the associated user ID and password. Without the user ID (that only the registrant knows), this registration cannot be used, modified, or terminated.

Here's what I think is going on here. This fellow is using YG to do the spamming for him. His "group" is nothing more than an outgoing spew machine to get people to visit his Web site. My spam filtering allows mail from YG, because I really want to get the messages from groups I belong to. Sure, I could unsubscribe from the group (provided I changed my email client to the harvested address -- NOT!), but that would only listwash me from this guy's hit list, while he continues this highly unethical practice to bother thousands of others. Besides, I never, never, never unsubscribe from something to which I didn't subscribe in the first place. Period.

I have filed complaints with Yahoo! Groups and the hosting outfit for his Web site. A few days later, the group is still up and running (but down about 6 "members"). The domain registration for this site is hidden behind one of the anonymizer registration services, but his message left other clues that this fellow may be located in the Las Vegas area.

If anything develops out of this, I'll let you know. I'm not expecting miracles.

And for the record, I've been working from home since March 1981. If the view from my home office window is straight out to where the waves crash for the annual Mavericks surfing competition, then I guess you'd say I'm doing OK. But sorry, my "amazing program" is not for sale.