A Dispatch


July 03, 2005

Another Address Shot to Hell

As Master of My Domain, I have the luxury of setting up special user names for email addresses on my system. I don't have a lot of special addresses set up, but I do have a separate address for my eBay account. It is used nowhere else. All messages directed to that address go straight through to my incoming mail (after checking for viruses, however). This became necessary when my rather tight filtering was diverting real post-auction communication to either the spam suspects bin or trash bin on my server. With the dedicated eBay address, I don't have to whitelist each new correspondent. No matter who sends a message to that address, I'll see the message.

I had that address in my eBay preferences for at least a couple years—maybe longer. It is, of course, immediately helpful in recognizing bogus eBay phishing messages, which invariably get sent to my regular (non-eBay) address, and therefore couldn't possibly be legitimate. After all, it's my regular address that is in vastly wide circulation in spamdom. Over all that time, I never received a single unsolicited message directed to that address. It signalled to me that eBay was good to their privacy policy and they respected my email preference settings.

But a couple of days ago, some garbage directed to that address started to arrive. A medz spam, a junk stock pump-and-dump appeal, to cite two. The main reason I noticed them is that the messages made it to my personal computer but had other markings that would have normally caused them to be deleted or diverted at the server.

So, that address is now lost to spamdom.

As to how that happened, there are several possibilities:

  1. A former eBay correspondent filled in that address in a place where spammers collect addresses.
  2. EBay's database was broken into.
  3. A former eBay correspondent's computer became infected with a worm that harvested local addresses.

In rating these possibilities, No. 1 has a low probability in my opinion. No. 2 sounds good to the conspiracy theorists of the world, but I think we would have heard about this earlier.

That leaves No. 3, whereby the PC of an earlier correspondent had been compromised, and all addresses found in address books, archived messages, and so on, were collected and fed back to a spammer. It's a clear indication that, as I state in Spam Wars, you cannot protect an email address if you ever use it, even sparingly. The sanctity of your address is in the hands of the security-mindedness of every one of your correspondents. One click of a message link can take them to a malware installation site; their PC is hosed, and your email address is "out there."

Although I've been an eBay user for a long time, I haven't done a lot of eBay buying or selling over the last couple of years. I could probably narrow down the list of suspects to about 20 individuals. But that would be a waste of time. If I sent messages to all of them accusing them of possible PC infections, most of them would probably blame me for making a false accusation—denial runs rampant among those who exhibit the riskiest Internet behavior. And, as I've described elsewhere, infections can come not only from virus mail attachments, but from simply visiting, no matter how briefly, a malware installation site at the other end of a spam message's link.

I'm fortunate that I can not only set up a new address for my eBay auctions, but that I won't lose touch with anyone as a result. For the moment, I have a reprieve. Anyone sending to the old address will have the message immediately rejected by my server. The moment I start communicating with someone after a new auction, however, my new eBay address will be at risk of escaping into the wrong hands.
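
The routing policy described in this post (a dedicated address that bypasses filtering, a retired address that is refused, and brand mail to any other address treated as phishing) can be sketched as follows. This is an added example, not the author's server configuration; the addresses, the `triage` function and the sample messages are constructed placeholders, and header recipients stand in for the SMTP envelope recipient a real server would check.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed, constructed addresses (placeholders, not from the post).
RETIRED = {"ebay-old@example.com"}     # leaked address, now refused
DEDICATED = {"ebay-new@example.com"}   # given to eBay and nowhere else
BRAND = "ebay"                         # brand the dedicated address serves

def recipients(msg):
    """All recipient addresses found in the headers, lower-cased."""
    hdrs = []
    for name in ("Delivered-To", "To", "Cc"):
        hdrs.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def claims_brand(msg):
    """True if the From display name or domain mentions the brand."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return BRAND in display.lower() or BRAND in domain

def triage(raw):
    msg = message_from_string(raw)
    rcpts = recipients(msg)
    if rcpts & RETIRED:
        return "reject"         # old address: refuse outright
    if rcpts & DEDICATED:
        return "deliver"        # skip spam filtering (virus scan still applies)
    if claims_brand(msg):
        return "phish-suspect"  # "eBay" mail to an address eBay never had
    return "filter"             # everything else: normal spam filtering

# Constructed sample messages.
SAMPLES = {
    "buyer": "From: Pat <pat@example.net>\nTo: ebay-new@example.com\n\nItem shipped",
    "phish": "From: eBay Security <alert@example.org>\nTo: me@example.com\n\nVerify",
    "stale": "From: x@example.org\nTo: EBAY-OLD@example.com\n\nmedz",
    "other": "From: friend@example.net\nTo: me@example.com\n\nlunch?",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```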

Posted on July 03, 2005 at 01:40 PM