Comments

Tom,

Join the club. Although it's not a club you'd ever want to actually join.

There are some things you can do to protect your email address and make it more difficult for the 'cyberpunk du jour'.

Don't publish your email address on your website without encrypting it, for example.

Free tools such as Super Email for Dreamweaver (you'll find it in the Dreamweaver extensions library) allow you to encrypt email addresses so they look correct on screen, but the email harvesting 'bots' can't actually see it.

All the best,
Stewart.

Posted by Stewart Rogers at November 1, 2005 12:25 PM

Yes, welcome to the club..we are all enjoying our email addresses being poked, probed, x-rayed and genetically modified.

Posted by Alex at November 1, 2005 12:27 PM

I can eliminate 95% of the junk email from a quick glance at the email address and attachments. Of course, I still read Ed McMann’s personal letters and Abdul’s hidden millions from the Gulf War that he will gladly send to me for simply providing my account numbers. Wow, what a bargain. Do I still worry about someone stealing my identity? Yes, but they would have to take my kids as well and after 15 minutes of the two year old repeating the two-year pledge(Why and No) 15,000 times they will be returned postage paid. :-}

Seriously, comment sense should rule for all of us. Don’t open any attachment unless you are 100% sure of the contents. Another thing I will do is visit the site the email originates. For example, if I get an email from john.doe@imcool.com then I will take a look at http://www.imcool.com. If the site doesn’t have anything of value then the email won’t either.

Posted by RTodd at November 1, 2005 12:44 PM

It does indeed give one a great feeling of unease to understate the case. On the other hand Tom, it is going to continue to create lots more jobs in the whole world of providing both organization and personal security as the legit techies try to stay reasonably even with the crooks.

Posted by Dave Opton at November 1, 2005 1:15 PM

Omamconsultants are likely not the culprits. The email address they used in this case was bounced by the email server back to the sender... which it thought was you, but was someone else (probably not Omamconsultants) who probably harvested your email address and is using it to send spam around the globe.

There. Does that make you feel better?

Posted by DUST!N at November 1, 2005 1:37 PM

Oh, and Tom... stop sending me spam!

Posted by DUST!N at November 1, 2005 1:38 PM

Grunt!

Yahoo now treats me as a spammer because some darn spammer sent email to millions of people with my email address as the sender. Obviously, someone complained (or maybe just sent that particular mail to the SPAM box).

So now I have to verify every outgoing mail from yahoo, which is why I'm quietly shifting over to gmail.

Ya can't help it. Email harvesters are everywhere. And they don't just send YOU spam, they send it to others in your name too.

I wonder how long it'll be before they can duplicate my mobile phone number too. THAT'S scary, isn't it?

Deepak

Posted by Deepak Morris at November 1, 2005 1:53 PM

I lost the e-mail address of that Nigerian bank that wants to send me $27M USD. Anyone have it?

Posted by Jeff at November 1, 2005 3:11 PM

Tom,

One of the major culprits in this problem is those companies which ask their site visitors to fill out a registration but then do not verify that the email address entered in the registration form actually belongs to the person who filled out the registration.

I own several domains and am constantly receiving emails from companies who say that I have registered when in fact what has happened is that a registrant has entered a bogus email address ending with the "@" character followed by one of my domain names.

The CAN-SPAM law should have included a mandatory double opt-in provision!!!!

James

Posted by J. H. Shewmaker at November 1, 2005 3:25 PM

Jeff,
The e-mail address of the Nigerian bank? I might have it... I think it is in the same folder as the "Performance Enhancement Herbs" e-mails and the "Microsoft Office for $50" messages.
(Just kidding in case anyone fails to notice)

Tom,
Another risk of spam is to have your whole domain (e.g. "tompeters.com") "blacklisted" by e-mail administrators, and then no one from your team is able to get their emails thru.

Posted by Gabriel Salcido at November 1, 2005 3:31 PM

Someone I know very literate in computing likes to say that " the bugs are everywhere". They are just another part of the Internet so we better learn to live with them.

Posted by Omara at November 1, 2005 5:33 PM

I'm very careful about using my credit cards online, but I was shocked recently to discover that someone was making fraudulent charges to my AmEx card. I suspect that the number was hijacked from a site with less-than-perfect security (the crook had my mailing address too), rather than being copied off a receipt by a waiter or salesperson with nefarious intentions. All's serene for the moment, and AmEx has been very helpful, but I know exactly how Tom feels!

Posted by Paula at November 1, 2005 5:51 PM

Jeff I'm writing you from the Bahamas. I have the $27 million. C'mon down, I'll buy you a drink.

Posted by tom peters at November 1, 2005 5:59 PM

Paula,
Just had my checking account hijacked.
Money in from sources I've never heard of. Money out the same way.
Won't change accounts as the bank suggested...
getting out of the bank...
FAST!!!

Posted by lem at November 1, 2005 7:36 PM

When you send an e-mail you have both a 'from' address and a 'reply-to' address. In this case it is very likely that the e-mail was sent not from your address, but from an account that masqueraded as yours by forging the 'from' address. They also put your address as the 'reply-to' address, which is why you received the bounced message.

This is very likely as a result of someone who has your address in their address book being infected with a virus. The virus propagates by sending messages to other people in the infected users address book, proporting to be from other users in the address book. The author of the virus is banking on the fact that aprasad.ahd@omamconsultants.com is more likely to open an e-mail from tom@tompeters.com than a random address.

Posted by Foley Lynn at November 2, 2005 2:34 AM

Tom, very sad to hear you can't make it to Birmingham this week. I've been waiting a long time to hear you speak. Guess I'm just going to have to wait a little longer.

Hope all is well and you're soon back to your usual Indefatigable self.

Posted by Matt at November 2, 2005 2:35 AM

Hi Tom,

This is what happening:

1- You have sent an email with your private address to a friend Mr.X recently.
2- Mr. X has your email address and also Aprasad's in his outlook address book.
3- Mr. X's PC is infected by a worm/virus which picks up two email addresses from the address book randomly in this case yours and Aprasad's and distributes itself via sending email from your email to his.
4-Aprasad has left the company apparently 6 months ago and his email address is closed and doesn't exist any more.
5- So what happens, the mail server bounces back the email to the sender's email.
6- And you receive an "mail delivery failed" message.

There is nothing to be worried about as long as you have virus scanning software.

Best, Ramin Roxely

Posted by Ramin Roxely at November 2, 2005 3:26 AM

Ramin Roxely, that is a great answer - beautifully clear, non-technical plain English. Thank you.

Posted by Michael from UK at November 2, 2005 6:57 AM

Tom, et al.

Take a read of a post that I submitted on October 30th:

Beware of Zombies This Halloween: The FTC launched Operation Spam Zombies to protect home computer users from malicious spammers who use unprotected, vulnerable personal computers to distribute spam for them, unbeknownst to their victims...

for the full post, with practical solutions for keeping zombies at bay, go to http://messagingtimes.blogspot.com (posted 30 October)

Posted by Tom O'Leary at November 2, 2005 7:31 AM

Bring back stamps I say .. only joking guys :-)

Gutted you are not coming to Birmingham this week Tom - Take care and keep smiling :-)

Posted by Trevor Gay at November 2, 2005 7:43 AM

arrgghhh... can someone please invent something that when i press the 'return to sender' button on emails from spammers, that actually gets back to them, reaches out from their screens, grabs them by the plums and performs a rectumotomy without delay?

viagra online next day delivery Posted by onehandclap at November 2, 2005 9:01 AM

Ramin's explanation of how it happened is spot on.

As for consequences, don't sweat it. That someone else is sending emails advertising Viagra/free-cash/whatever with your From: address on them is no more serious than someone mailing lots of postcards advertising the same stuff with your name and return address on them, but a different "responses here" address, a Chinese postmark and a phone number that doesn't answer "Tom Peters".

The bounces are irritating, but it is unlikely that anyone is going to blacklist emails from your address. More likely the mail relay responsible (probably a zombie PC) will make its way onto blacklists; blacklisting individual email addresses and domain names has become futile, so few organisations bother.

(Oh, and while we're on spam, your "comment" facility actually insists on being fed an email address. Unless you're actually planning to spam commenters, this should probably be optional...)

Posted by Roland Turner at November 2, 2005 9:03 AM

Unfortunately, legitimate, permission email marketers are more affected by CAN-SPAM legislation than malicious spammers are. That's why Spamhaus and Wired refer to the law as the You-CAN-SPAM act. All we can do is continue our pursuit of ethical, legitimate permission marketing and remain compliant to anti-spam requirements. You can also work with your ISP to build trusting relationships. There are several things we need to do in order to be compliant and to ensure that our email isn't perceived as SPAM by our customers, ISPs and recipient email clients: Read my last article on permission email at http://www.group-mail.com/asp/common/articles.asp?category_id=116

Roland, you are right about making email address submission in forms optional by the way!

Posted by Tom O'Leary at November 2, 2005 9:17 AM

I remember a while ago someone released some software that let you retaliate against spammers by figuring out where they were working from and sending them a zillion, "Sod off" replies. A couple of ISP's in the UK started to give it away but it was pulled. Leaving aside the moral arguments about whether 2 wrongs make a right or stooping to their level etc, the nub of it was you don't respond to illegal behaviour in an illegal manner.

I maintain a number of e-mail adresses, e.g. I've one I use for eBay and (guess what) it gets massive ammounts of spam mail. (Down, I suspect, to a) harvesters; and b) wallies on eBay who automatically add correspondants to their address book and have poor security that then allows it to get stolen.) I've others I use for work or private stuff which I'm protective about and get little spam.

Here's another idea: I keep 1 credit card that I use only for internet transactions and I keep a relatively low credit limit on it in case it gets hi-jacked. My day-to-day card never ever gets used on the net and has a much higher limit.

Remember: even if you're not paranoid, it doesn't mean they're not out to get you!

Posted by Mark JF at November 2, 2005 9:31 AM

Thanks, Rasmin. Your post was very helpful. I was hoping someone knew what was going on!

Posted by Marianne Powers at November 2, 2005 9:54 AM

Tom - and it seems that the more money you have - the more others try to siphon into their accounts - even [maybe especially] in the SMALLVILLES that I live in.

Posted by Sean at November 2, 2005 9:58 AM

eh ?? spamware is ok.

Hey TP.com wait till you get hit with splogware !! Lets say your blog is capable of posting via email... then what ?? :)-

btw , welcome to nitmarev2.0.. do you have recovery2.0 ready ?? :)-

Posted by /pd at November 2, 2005 12:08 PM

Case a couple of weeks back in Britain:

kid sacked by boss;

kid p*ssed off by boss;

kid sends hundreds of thousands of eMails to boss's computer;

boss's computer crashes;

kid taken to court under laws used to punish hackers and data thieves for conducting a denial of service attack;

kid gets off because he sent eMails to an eMail server that was designed to receive eMails, and therefore was doing nothing illegal.

http://news.bbc.co.uk/1/hi/technology/4402572.stm

Question: creative genius or criminal mastermind?

Posted by Ross Hall at November 8, 2005 8:43 AM

mexico viagra The UK law only covers unauthorized access or damage to a computer system, and the teenager in this case sent millions (not thousands) of emails to his bosses 'authorized' email address. They couldn't touch him. This wouldn't happen in the US with CAN-SPAM protection. Well, it might very well happen, but with Can-Spam, unsolicited email in bulk is punishable by law.

Answer: Creative criminal who saw the loophole!

Posted by Tom O'Leary at November 8, 2005 9:01 AM overnight shipping viagra to canada