Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance-chasing lawyer who’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

Spam to my AT&T address from Bursor and Fisher
I received one of these emails back in January. I was concerned that my information, including credit card, had been leaked, so I contacted Mr. Fisher by phone to ask him about the source of the email addresses.
 
On the call Mr. Fisher told me a number of things. One, that it was not spam I received because I could always opt-out. When I pointed out the email was unsolicited he said that he disagreed with me.
When I asked about how this wasn’t a violation of my agreement with AT&T he asserted that he was not a party to that agreement and therefore could do anything he wanted with my email address. He also informed me that I had no recourse.
Mr. Fisher also told me that he had a court order that allowed him to use the AT&T customer database however he pleased. He declined to send me a copy of the court order, however, because he didn’t want me to call him a spammer again.
From what he told me and piecing together information I found online, this is my best understanding of what happened. A few years before I received mail for the MySpace class action, he used the AT&T database to shop around another suit against AT&T. AT&T was justifiably upset by this and took him to court. The judge ruled in his favor. I’ve tried to find a copy of this ruling, but it appears many state court rulings aren’t published. Lawyer friends have even looked for me, but no one can find such a ruling.
It is, of course, completely possible that the lawyer doesn’t have said ruling and that’s why he declined to email it to me. Or it’s possible he does have a ruling and I just can’t find it.
In any case, the AT&T customer database from a few years ago is in the hands of a spammer who believes it is his right to use that database however he wants. His acquisition of the list was clearly legal, and his use of the list may be legal as well. But I am still uncomfortable with the concept that judges can force a company to turn over my personal information to spammers.
As an aside, I sent a letter to the judge who ruled that AT&T must hand over their list to Bursor and Fisher. I also contacted AT&T through their privacy address and through one of my personal contacts. To date, no one has followed up with me.

Related Posts

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer, it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs’ hard-won and hard-fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.


I hate spam

But sometimes it makes me laugh. Yesterday I got a 419 that said, “[…]have been diagonalized with HIV/AIDS which has defiled all forms of medical treatment[…]” Diagonalized? Defiled all forms of treatment?
At least it was entertaining, right?


Email marketing firm smacked by the SEC

Yes, the SEC. Really.
Apparently the email marketing firm mUrgent, which provides services to the restaurant and hospitality industry, also had a side business. According to the complaint filed by the SEC last month, they had an entire boiler room set up to sell shares for their non-existent IPO.
I’d never heard of this firm before, so I did a little digging. First step, check out their website.
