Security people shouldn't pay the "spam support system" for email lists to send SPAM

Published: 2010-05-25
Last Updated: 2010-05-25 16:51:09 UTC
by donald smith (Version: 1)
4 comment(s)

Yes, this is a pet peeve of mine. I am not going to out the various security companies that do this, but when I get SPAM from a “security company” I often report them to their ISP for an AUP violation and attempt to educate the SPAMMER who sent the SPAM.

I recently replied to one of the many such SPAMs I received.

They were advertising a Security & Risk Management Summit taking place in Washington, DC.
I asked how they got my email address and was told they buy their lists from various sources. I explained that by buying those lists they were feeding the spam support system. They didn’t respond to that comment, so either they already knew and don’t care, or they felt it was justifiable.

I recommended that they ONLY use doubly opted-in lists (ones that you opt in to and then get a verification email sent to you, to ensure someone else didn’t opt you in).

They did provide an opt-out option and, when confronted, stated that they were CAN-SPAM compliant. If you’re a security company and you send me SPAM, expect me to respond and request termination of your service for AUP violation!
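The double opt-in flow recommended above, together with the opt-out behaviour the post asks for, as an added example that is not part of the original diary: a minimal list that only ever mails addresses whose owner followed a verification link, and that keeps a suppression set so an address that opted out is not re-added by a later submission (or a later purchased list). The token is an HMAC over the address and issue time under a server secret, so a third party who submits someone else's address cannot forge the confirmation; the `outbox` list is a constructed stand-in for an SMTP send, and all names here are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class DoubleOptInList:
    """Mailing list that sends only to addresses confirmed by their owner.

    request_subscription() never adds anyone to the list; it only emits a
    verification message carrying an HMAC token bound to (address, issued).
    confirm() checks that token, its age, and that the request is current.
    unsubscribe() records the address in a suppression set that later
    submissions must respect (the "scrub new lists against old opt-outs" rule).
    """

    def __init__(self, secret=None, ttl_seconds=48 * 3600):
        self.secret = secret or secrets.token_bytes(32)   # server-side secret
        self.ttl = ttl_seconds                             # link validity window
        self.pending = {}        # address -> issue timestamp of the open request
        self.confirmed = set()   # addresses allowed to receive list mail
        self.unsubscribed = set()  # suppression set honoured on re-submission
        self.outbox = []         # constructed stand-in for an SMTP send

    def _token(self, address, issued):
        msg = f"{address}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, address, now=None):
        """Step 1: an address is submitted; only a verification mail goes out."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        if address in self.unsubscribed:
            return False  # earlier opt-out wins, even if the address is re-submitted
        self.pending[address] = now   # a new request supersedes an older one
        self.outbox.append({"to": address, "issued": now,
                            "token": self._token(address, now)})
        return True

    def confirm(self, address, issued, token, now=None):
        """Step 2: the link from the verification mail is followed."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        if self.pending.get(address) != issued:
            return False  # unknown, already used, or superseded request
        if now - issued > self.ttl:
            return False  # link expired
        if not hmac.compare_digest(token, self._token(address, issued)):
            return False  # forged or garbled token
        del self.pending[address]
        self.confirmed.add(address)
        return True

    def unsubscribe(self, address):
        """Opt-out: drop the address and remember it in the suppression set."""
        address = address.strip().lower()
        self.confirmed.discard(address)
        self.pending.pop(address, None)
        self.unsubscribed.add(address)

    def recipients(self):
        """Only confirmed addresses ever receive list mail."""
        return sorted(self.confirmed)


if __name__ == "__main__":
    lst = DoubleOptInList()
    lst.request_subscription("alice@example.org")       # constructed address
    mail = lst.outbox[-1]                                # "deliver" the token
    print("before confirm:", lst.recipients())
    lst.confirm(mail["to"], mail["issued"], mail["token"])
    print("after confirm: ", lst.recipients())
    lst.unsubscribe("alice@example.org")
    print("re-submit after opt-out accepted?",
          lst.request_subscription("alice@example.org"))
```

The point of the timestamp in the token is that a confirmation link is single-use and short-lived: a stale or replayed link fails `pending.get(address) != issued`, and `compare_digest` keeps the comparison constant-time.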


4 comment(s)


So, I should send an email to SANS' provider for termination of their account for AUP violation?

Every time I attend a conference, I get SPAM from SANS (who buys the attendee list). I kindly ask them to opt-out and go on my way. No Big Deal.

I track "where" my email got loose by changing the title I use when I register. So when I receive an unsolicited marketing email from SANS and they use a title I used at RSA (for example), I know where they purchased my name.

Marketing messages are what brings customers to organizations. If a vendor (SANS) wants to try and build their revenue, they will do this. If they don't - they risk imploding revenue (no new markets).

The real question is do they make it easy, AND if you opt-out - when they purchase a new list are they scrubbing your email from it based on your first opt-out? If they do that, I'm generally happy. When they don't, I get cranky.

Grab a cup of coffee and relax. Only provide your "work" email at conferences and the like if absolutely necessary. Make use of burn accounts when you can and give people (and ISPs) a break.

I do something similar, but I use fake e-mail addresses. I purchased a personal domain and directed ALL e-mail to a single e-mail address. If you send to it gets redirected to Anytime I sign up for something I use a different username based on the website URL. If I start getting spammed I know exactly who they sent it to, even if they try to hide the TO address, because the actual TO address is always in the headers.
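The per-site alias scheme from the comment above, as an added example that is not part of the original thread: a small parser that takes a raw message and reports which alias under a catch-all domain it was actually delivered to, then maps that alias back to the site it was handed out at. It reads `Delivered-To`, `X-Original-To` and the `for <...>` clause of `Received`, which the receiving MTA writes itself, so the alias is recovered even when the sender's `To:` is an undisclosed-recipients group. The domain `example.org`, the alias registry and the sample message are all constructed for this example.

```python
import email
import re
from email.utils import getaddresses

# Hypothetical personal catch-all domain (assumption, not from the comment).
ALIAS_DOMAIN = "example.org"

# Constructed registry: which alias was given to which site or conference.
ALIAS_REGISTRY = {
    "conf-rsa2010@example.org": "RSA Conference 2010 registration form",
    "shop-widgets@example.org": "widgets.example.com web shop",
}

# Constructed sample: the sender hides the recipient list behind a group
# address, but the local MTA's Delivered-To header and the Received
# "for <...>" clause still carry the alias the list was bought with.
SAMPLE_RAW = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Delivered-To: conf-rsa2010@example.org\n"
    "Received: from mta.mailer.example.net (mta.mailer.example.net [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP id 1234\n"
    "\tfor <conf-rsa2010@example.org>; Tue, 25 May 2010 10:00:00 +0000\n"
    'From: "Summit Marketing" <news@mailer.example.net>\n'
    "To: undisclosed-recipients:;\n"
    "Subject: Security & Risk Management Summit\n"
    "Message-ID: <constructed-001@mailer.example.net>\n"
    "\n"
    "You are invited...\n"
)

# "for <alias@domain>" or "for alias@domain" inside a Received header.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;,]+@[^\s<>;,]+)>?", re.IGNORECASE)


def recipient_aliases(raw, alias_domain=ALIAS_DOMAIN):
    """Return the aliases under alias_domain that the message was delivered to.

    Headers are checked in order of trust: Delivered-To / X-Original-To and
    the Received 'for' clause are added by our own MTA and reflect the
    envelope recipient; To: and Cc: are sender-controlled and only a fallback.
    """
    msg = email.message_from_string(raw)
    suffix = "@" + alias_domain.lower()
    found = []

    def note(addr):
        addr = addr.lower()
        if addr.endswith(suffix) and addr not in found:
            found.append(addr)

    for field in ("Delivered-To", "X-Original-To", "To", "Cc"):
        for _, addr in getaddresses(msg.get_all(field, [])):
            note(addr)
    for received in msg.get_all("Received", []):
        for addr in RECEIVED_FOR.findall(received):
            note(addr)
    return found


def leak_sources(raw, registry=ALIAS_REGISTRY):
    """Map each alias the message reached to where that alias was handed out."""
    return {alias: registry.get(alias, "unknown alias (never handed out)")
            for alias in recipient_aliases(raw)}


if __name__ == "__main__":
    for alias, source in leak_sources(SAMPLE_RAW).items():
        print(f"{alias} -> list obtained via: {source}")
```

An alias that is not in the registry is itself a signal: it means someone is guessing or dictionary-generating local parts at the catch-all domain rather than reusing a leaked one.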
I tend to use a few alternate email accounts which only get checked occasionally. I do own my own domain name if I suspect the privacy policy is seedy.
We have an anti-spam device from a company I don't want to name, but it rhymes with "arracuda" and begins with "B". I recently got spam from them (!), and while looking at the headers, I noticed it came through Exact Target, who we explicitly block by IP. It turns out that this company has an undocumented IP and domain whitelist, which overrides any setting you have on the device. Looking through the logs for email let through because it was on this whitelist, it's pretty obvious that it's designed with "commercial spammers" like Exact Target in mind. Of course it's impossible to view the whitelist, and they make it difficult to figure out how to turn it off. Support gave me instructions on how to disable it only after I threatened to rip the devices out, although we're probably going to do so when it's time to renew anyway due to their "ethics".
