Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update, 2019: both articles are gone; a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire) This company, River City Media (RCM), at some point failed to put a password on their online backups. This leaked all of the company’s data out to the Internet at large. MacKeeper security researcher Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO Online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).

There are a couple of interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands that are paying spammers to send mail for them. The CSO article lists just some of the brands that were buying mail services from RCM:

[…] Nike, LifeLock, Liberty Mutual, Fidelity, MetLife, Victoria’s Secret, Kitchen Aide, Yankee Candle, Bath & Body Works, Gillette, Match.com, Dollar Shave Club, Dewalt, DirecTV, Covergirl, Clinique, Maybelline, Terminix, and AT&T.

This shouldn’t be a surprise to anyone who has been paying attention to the industry. We described this many years ago in a series of articles about mainstream spam. (Note: the organization in the article has cleaned up their act and no longer uses affiliates.)
Addresses were collected in many ways, including the use of co-reg. Chris Vickery explains:

Well-informed individuals did not choose to sign up for bulk advertisements over a billion times. The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the “Submit” or “I agree” box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.
You are never told who the affiliates are and groups like River City Media capitalize on that aspect. One line of the leaked chat logs explains it all very succinctly:
“The key is sincerity. Once you can fake that…”

Legitimate companies do still buy co-reg data. The problem is that there’s no real permission associated with the address. In the absolute best-case scenario, permission is taken by the co-reg provider rather than given by the recipient. All too many co-reg vendors go out of their way to hide, in their privacy policies, the fact that they will sell the addresses. This isn’t transparent. This isn’t real permission.
One argument I’ve heard over and over about laws, particularly CASL, is that it’s targeting the wrong companies. As the argument goes, the real problem with spam is spammers, not legitimate companies. But CASL and other laws target legitimate companies. I never really bought into that argument as it’s clear to me a lot of the money supporting spammers comes from the legitimate companies spending real marketing funds.
Legitimate companies are paying third parties to send spam on their behalf and are profiting. For a long time brands have pretended they’re not responsible for the mail. This recent breach shows that they are paying spammers to send mail on their behalf.
Looks like maybe the laws are targeting the right companies.

After this was posted, River City Media sued Chris Vickery and others (https://www.courtlistener.com/docket/4685667/1/river-city-media-llc-v-kromtech-alliance-corporation/). The case was settled in September 2018.

Related Posts

Another kind of email breach

In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.

ROKSO

ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6-month period with no spam traceable to the ROKSO entity. After those 6 months, the listee can petition for a review of the record. If the spam has stopped, their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted from ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.

Spammer prosecuted in New Zealand

Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long-term spammer who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.
