back to article That big scary 1.4bn leak was 100s of millions of email, postal addresses

The “1.4 billion identity leak” that was hyped up before the weekend involved, no, not a database ransacking at Facebook, YouTube, or anything like that. No, instead, a US-based spam-slinging operation accidentally spilled its treasure chest of email and postal addresses used to deluge people with special offers, marketing …

  1. Colin Millar

    Oh boy

    This is going to be the most popular sueball in history

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh boy

      This is going to be the most popular sueball in history

      I don't think so. These people have figured out all the loopholes well in advance, but I sure hope they get an international effort after them to lock them up, preferably in a sex offenders institute.

      These f*ckers have no problem with flooding 18M messages to earn $15k in revenue: that's 18 million people spammed to earn an average of $0.00083 per message. If we assume that an email takes 10 seconds to delete against a salary of $50000/annum you will see that the cost they impose on others for that profit is over 100x as much ($0.086).

      Such a waste of talent: they could have worked in the banking industry..

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh boy

      Based on their press release, will definitely have a lot of legal action circulating.

      River City Media, LLC issues this press release to address the numerous false and defamatory statements published by Chris Vickery, Mackeeper.com, Steve Ragan and CXO Media, Inc. (which operates csoonline.com) regarding River City’s business practices, which was based upon information they admittedly obtained through illegal computer hacking in violation of federal and state law.  Contrary to the assertions in the libelous publications, the hackers did not stumble upon River City’s confidential and proprietary information through an unprotected rsync backup.  River City’s backups were not stored on an open web server as falsely reported and, moreover, much of the information that was stolen and then published by the hackers could only be obtained by accessing third party resources with stolen logins and passwords.

      Omitted from the defamatory publications is the fact that the parties who hacked into River City’s network engaged in numerous computer crimes, including violations of the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Wire Fraud Act.  The hackers accessed River City’s Paypal account and used funds from that account to purchase goods or services without River City’s permission—i.e. outright theft.  They misappropriated River City’s financial information and databases in violation of the Defend Trade Secrets Act.  And, incredibly, they unlawfully accessed River City’s accounts with third party email service providers for the purpose of sending unsolicited email messages to River City’s databases.

      By their own admission, the publishers of the so-called articles never spoke with anyone at River City before they published their hit pieces.  Had they done so, rather than rush to publish, they would have realized that a number of the statements in their articles were false and easily disprovable.  For example, Vickery represented that River City sent a billion emails per day using “illegal hacking techniques,” which he placed in conjunction with a stolen document entitles “Project X1 (IPv4/IPv6).”  However, the document that Vickery posted was submitted by a third party who never worked for or was affiliated with River City; the third party submitted the document in connection with an application to work for River City.  In fact, River City has never used the mailing technique detailed in the “Project X1” document, nor mailed a billion emails in a day.  Vickery also represented that River City used a mailing technique, which he described as “a type of Slowloris attack,” based on a chat log between River City and Sean McKeown.  However, River City has never used the mailing technique described in Vickery’s defamatory publication, nor did it ever use any of the “scripts or techniques” provided by Mr. McKeown.  The technique described in the chat log, and the scripts provided by Mr. McKeown, were never used by River City because (1) they were inconsistent with River City’s emailing practices, and (2) could not even be carried out given the technical limitations on River City’s email delivery platform.  Indeed, River City distributed emails on behalf of well-known and reputable companies, including MetLife, LifeLock, Liberty Mutual, Match.com, DirectTV, and Lyft, to name a few.  Had River City engaged in “unlawful hacking techniques” as claimed in the defamatory publications, it would not have been permitted to transmit commercial email messages on behalf of such well-recognized brands, which it has done for years.  In sum, the direct and implicit representations in the false articles that River City engaged in criminal activity, illegal IP hijacking or unlawful hacking are false.

      As for Ragan’s attempt to smear River City by suggesting it did something wrong by obtaining consumer’s email addresses from third parties, he apparently missed the fact that even his employer, csoonline.com, engages in the very same practice.  In his attempt to further tarnish River City, Ragan quoted Mike Anderson of Spamhaus to establish that River City obtained consumer email addresses from partners who “tricked” consumers into giving them their email addresses; the partners would then share that data with River City for delivering email marketing.  Yet, according to csoonline.com’s Privacy Policy, consumers who submit their email addresses to csoonline.com “agree to receive email from outside firms, the Publisher and its sister IDG companies, and the IDG Network.”   Had Ragan focused on the truth, and not simply tarnishing River City, he might have realized that not every email address that is obtained by a web site and then shared with a third party is acquired by “tricking” the consumer, and that data licensing is lawful and a common business practice by website operators…including his own employer.

      River City has operated as an email marketing affiliate since 2003.  It has worked with many upstanding digital marketing agencies, well known-brands, service providers and hosting companies.  And it has always sought to comply with all applicable laws, rules and regulations, including the CAN-SPAM Act of 2003.  However, due to the acts of these hackers, the company has suffered a number of catastrophic and damaging events, which have not only impacted the company, but also its loyal employees and partners.  Accordingly, River City has also been in contact with government officials and authorities to further investigate the unlawful hacking and numerous computer crimes committed by the hackers, and will be pursuing its legal remedies against the hackers who have stolen money and property, destroyed business relationships, and defamed the company.

  2. redpawn Silver badge

    Spam is Kept in a Can for a Reason

    Bits of Spam if allowed out contaminate any substance it comes in contact with. Spam is now on the loose. Filters on, and good luck to you all.

  3. Mark Simon

    … by why the drum roll … ?

    OK, this is a sizeable breach, but, given the speculation on potential sources, it’s not quit as earth-shattering as might have been expected.

    So why the dramatic wait for the announcement?

    1. Mark 85 Silver badge

      Re: … by why the drum roll … ?

      So why the dramatic wait for the announcement?

      Someone needed some special attention.... can you think of a better way to get your name into the news? Well... one that's not illegal or involve politics?

    2. a_yank_lurker Silver badge

      Re: … by why the drum roll … ?

      @Mark Simon - It might have been orchestrated by the authorities as the information points to very likely criminal charges in the future from their own leakage. Probably needed to get details like getting search warrants and arrest warrants ready. The idea would be to make a eye catching announcement to get people to tune to the details. The timing is probably more dictated by the state of criminal investigations.

      1. Anonymous Coward
        Anonymous Coward

        there are some other significant leaks today

        stuff about infected Samsmug smart TVs simulating 'off', occasionally.

        not much in the non-wacky media yet

        1. Roj Blake

          Re: there are some other significant leaks today

          Coincidentally, the BBC are reporting that MI5 have worked out how to hack Samsung tellies.

  4. tfewster Silver badge
    Joke

    Aw, shame it was only the backup

    If he'd found the main DB, he could have corrupted it over time to make the email addresses invalid, put RCM out of business and earned the gratitude of Netizens

  5. frank ly

    re. Spamhaus

    Haven't Spamhaus (or somebody like them) been sued in the past for flagging an organisation's emails as spam? I hope they're suitably structured to make it difficult to get money out of them.

    1. Anonymous Coward
      Anonymous Coward

      Re: re. Spamhaus

      "Haven't Spamhaus (or somebody like them) been sued in the past for flagging an organisation's emails as spam?"

      See e360 Lawsuit section

    2. LDS Silver badge

      Re: re. Spamhaus

      They tried more than once, but never went far. Anyway the e360 case shows how dysfunctional US legal system could be when a foreign entity is concerned - and we should trust Privacy Shield?

  6. Your alien overlord - fear me

    I'm suprised Spamhaus (and others) haven't already flagged RCM as a major spammer

    1. Doctor Syntax Silver badge

      "I'm suprised Spamhaus ... haven't already flagged RCM as a major spammer"

      They have but that doesn't help as much as they'd like because spammers switch addresses and domains.

      If you read the details they got a lot more than the address lists. They got internal communications which show how, for instance, they acquire a domain, send mail from it to addresses they control so the domain builds a reputation of sending non-spam (they don't complain about their own emails ;) and then switch it to spamming. They also found scripts which were used to overload targets so large spam loads could be forced through before the target could react. This information will help defend against their tactics. If it provides evidence for criminal investigation so much the better.

    2. Gordon Pryra

      I expect they have

      or at least some of the smaller "parts" to the "company"

      But when the naming systems and organisations who can hand out names are so corrupt there is little they can achieve except force the spammers to spend a couple of days and change their domain names. How long will it take to run a script to create a few hundred domains and then spend some time to "warm them up"? RCM can probably take the chance for a team building holiday to the bahamas for their script monkeys while the infrastructure builds itself.

      Its not like the email addresses are any less useful, considering most of them are live and have real people attached I doubt Google and co will be closing them.

      This whole story is like when the police show pictures of a drugs bust in the UK, 20-50 keys of coke! yay! we are making a difference!!!!! it Is just a pity 50 times that is consumed in one day.

      Its a nice find, but the tip of the ice-burg.

      Going after the names who pay for the adverts however, that would hurt the spammers. Cant see this ever happening though

      (NB - figures for drugs use are just numbers pulled out of the air)

      1. BebopWeBop Silver badge

        Re: I expect they have

        (NB - figures for drugs use are just numbers pulled out of the air)

        Unfortunately I can't remember whew I saw it (possible Private Eye) but there was a rather amusing article 18 months ago or so contrasting street prices with the 'value' of the drug hauls stated by the UK police. There was considerable inflation on the police numbers.....I can't think why they would do this?

        1. Anonymous Coward
          Anonymous Coward

          Re: I expect they have

          Police tend to value drugs based on the price of the smallest quantity that can be purchased (in other words the price of a single hit)

        2. Anonymous Coward
          Anonymous Coward

          Re: I expect they have

          there was a rather amusing article 18 months ago or so contrasting street prices with the 'value' of the drug hauls stated by the UK police. There was considerable inflation on the police numbers.....I can't think why they would do this?

          Because the product is easier to trust if you buy it from a man in a uniform?

          :)

          1. Anonymous Coward
            Anonymous Coward

            Re: I expect they have

            Plod in my home town would stamp cannabis resin blocks when seized to mark them as evidence.

            It wasn't unheard of for blocks with those stamps to appear on the street.

          2. John Brown (no body) Silver badge

            Re: I expect they have

            "Because the product is easier to trust if you buy it from a man in a uniform?"

            And you thought you were being funny? Life is always more absurd than any humour.

            Durham Police to give drug addicts heroin in bid to cut crime

            1. Anonymous Coward
              Anonymous Coward

              Re: I expect they have

              "And you thought you were being funny? Life is always more absurd than any humour."

              It's not absurd. The job of police is really to keep communities secure, and if this sometimes involves quietly ignoring the sheer stupidity of politicians, that is sensible rather than absurd.

              In this country we are fortunate in that we often get the police we need rather than the police the Daily Mail and its hysterical "journalists" want. (Keep your Calvinist nose out of Avon and Somerset, Dacre!)

      2. LDS Silver badge

        Re: I expect they have

        One of the real problem is having turned domain name sales in a bulk business without any kind of due diligence to assign them. Spammers quickly took advantage of it, and because "pecunia non olet", registrars don't care from where the money come from.

        The new tlds have only worsened the problem. Here what Spamhaus found:

        https://www.spamhaus.org/news/article/728/spamhaus-presents-the-worlds-worst-top-level-domains

        It's almost surprisingly one of the most abused domain among the new ones is .science.

        I'm quite surprised "AI" can't be used to identify which kind of domain registrations are fake.... guess they need an economical incentive - i.e. a fee for each domain knowingly used by spammers while the abuse department does nothing, or drags its feet.

        1. Crazy Operations Guy

          Re: "The new tlds have only worsened the problem."

          And that would be why I've a script for my DNS servers that periodically grabs the root zone from the InterNic FTP site and removes every TLD longer than 3 characters (so the internationalized ones still work). So far, I have missed nothing of value.

          1. Anonymous Coward
            Anonymous Coward

            Re: "The new tlds have only worsened the problem."

            And that would be why I've a script for my DNS servers that periodically grabs the root zone from the InterNic FTP site and removes every TLD longer than 3 characters (so the internationalized ones still work). So far, I have missed nothing of value.

            Hmm. We've had a few country TLDs come in that were longer, and I've already seen ".eu" used for spam so I'm not sure that strategy will hold for much longer.

            That said, DKIM is stupidly long. Have a look at messages sent by a Microsoft resource, a simple "Hello World" email will come in at over 10k just because of the DKIM debris in the header. Not fun.

      3. Crazy Operations Guy

        Re: " force the spammers to spend a couple of days and change their domain names. "

        The spammers are constantly building new domains and doing the warm-up procedures. They'll have dozens, if not hundreds, or domains at the ready.

        From some of the reports I've seen, most spam operations will be cooking 20 or so domains at a time, building up reputations, so if one is found out, it is immediately replaced with another. One of the spam operations I've seen actually did so right in the middle of a campaign.

        1. John Brown (no body) Silver badge

          Re: " force the spammers to spend a couple of days and change their domain names. "

          "so if one is found out, it is immediately replaced with another."

          The good thing about this leak though is that it's not just a one or a few domains being "found out", it's a huge swathe of their domains, including ones being "warmed uo" and others not even in use yet. If there's no criminal charges or other law enforcement action, at the very least this is going to cost them in time and money to rebuild, not to mention the lost revenue from the spamming and the likely lost revenue from the legit names who are linked to them either directly or via what might be "clean" or "slightly dirty" third parties.

      4. John Brown (no body) Silver badge
        Paris Hilton

        Re: I expect they have

        "This whole story is like when the police show pictures of a drugs bust in the UK, 20-50 keys of coke! "

        Drugs bust? Keys of coke? Are US police writing the UK Police PR releases now? :-)

    3. LDS Silver badge

      Regardless of what spammers think of it, Spamhaus is very cautious about the IPs it blocks. The need clear evidences of almost exclusive spammer activity. Of course if this leak brought some useful evidences which weren't available before, guess Spamhaus did use them.

      I never had issues in utterly rejecting mails which are caught by Spamhaus lists - and it does block big spam operations effectively.

      There are other lists which are fairly more aggressive.

      1. Anonymous Coward
        Anonymous Coward

        Regardless of what spammers think of it, Spamhaus is very cautious about the IPs it blocks. The need clear evidences of almost exclusive spammer activity. Of course if this leak brought some useful evidences which weren't available before, guess Spamhaus did use them.

        Yes, I never knew just how well SPF worked until a friend of mine tried to use the wrong SMTP server for an email to me (the side effect of mail programs like Apple Mail and Thunderbird keeping a separate list of SMTP hosts instead of properly and exclusively connect them to one account).

        He immediately got a bounce, with a nice weblink to Spamhouse that explained what the problem was. Well, the explanation required knowing how email works so it was of no value to him, but at least it helped me to figure out what was going on :).

        1. LDS Silver badge

          Spamhaus blacklists checks the sender IP (only the DBL checks domain names) - it can work even before the "elho/helo" or "mail from" smtp command is issued (depends on what the server allows, and how you prefer to use the response ). It's a DNSBL, which is different from SPF.

          SPF and DKIM are different mechanism that uses mail from data, headers and specific domain DNS records to to check if a message comes from an authorized sender for that domain - they don't require a separate "service" (but the DNS which handles your domain).

          They are designed to hinder spoofing, (quite useful for phishing and the like), not generic spam.

          Also, it's Spamhaus, not Spamhouse, which could be something very different :-)

          (spamhouse.com is registered by GIT MEDIA/GRIFFIN IT MEDIA, INC. Delray Beach, FL... which looks to be run by someone who likes to register this kind of domains, was sued by MS too)

        2. Bronek Kozicki

          Bounce from SPF? That's new one for me. SPF as specified is meant specifically to suppress impersonation of sender. If actual impersonation was to take place, then owners of both email addresses (i.e. apparent sender and receiver) are the victims, and the reaction of sending servers (I am familiar with) is not to generate a bounce (as not to bother either party) despite persistent SMTP error received from receiving server, enforcing SPF. At least, that's how SPF "worked for me" when my email provider quietly enabled it on my accounts.

          Since my email address is "portable" one and relies on forwarding to "real" address, all my emails were quietly subjected to SPF and significant portion was rejected, without me or senders knowing. Some of them were important and it took me 4 weeks to figure out, checking the email provider logs (the only thing they did right - making the logs available to users) that the large proportion of my emails are being dropped on the floor. Changed the provider since then - new one is using SPF only for spam scoring, but provides both SPF and DKIM for my domains.

          1. LDS Silver badge

            "without me or senders knowing "

            In the best XCD approach, they designed DMARC to address tthat....

            1. Bronek Kozicki

              Re: "without me or senders knowing "

              .... ah yes, I knew I forgot something. They provide DMARC too.

          2. Paul Crawford Silver badge

            "Bounce from SPF? That's new one for me. SPF as specified is meant specifically to suppress impersonation of sender."

            True, but if you are impersonating someone you probably are a spammer. So a bounce to tell anyone of mis-configured system that is being spam-filter blocked is useful.

        3. Anonymous Coward
          Anonymous Coward

          Yup, you're right - the response included a link to OpenSPF.org, not Spamhaus (shows you how tired I was when I typed it - I do know how to spell Spamhaus :) ). Fatigue must have crossed some wires in my head - I spent the previous hours working through Spamhaus docs precisely because I was busy locking down a mailserver..

          The mail system <xx@xxx.xxx>: host [redacted] [000.000.000.000] said: 550 SPF-check failed: Please see http://www.openspf.net/Why?s=mfrom;id=as%40[redacted];ip=000.000.000.001;r=[redacted] (in reply to MAIL FROM command)

          Reporting-MTA: dns; [redacted]

          X-Postfix-Queue-ID: 0DECFC0FF8

          X-Postfix-Sender: rfc822; yy@yyy.yyy

          In any case, I'm glad it works.

      2. EllieStevens

        Spamhaus is NOT careful about what they list. They've listed hospitals and schools recently so people were sick and dying and doctors couldn't get internet because Spamhaus had nothing better to do.

        1. Anonymous Coward
          Anonymous Coward

          EllieStevens, sounds like you have skin in this game

          Declare your interest.

        2. Crazy Operations Guy

          "so people were sick and dying and doctors couldn't get internet"

          Email is not internet. The lists that Spamhaus produce are intended as part of a spam reduction system, not for just out-right blocking. The intention is that organizations would use their lists in calculating the probability of the message being spam (Spam filters tend to look at multiple factors, not just origin to determine if a message is spam)

          Of course, those Hospitals / schools are likely to have been blocked because they were sending out spam. I have seen numerous hospitals and schools that were compromised and used to relay spam . Just this morning, I got a message from compromised email account at UC Berkley trying to sell me Viagra. I had another form a hospital trying to to sell knock-off designer clothing. Students and doctors tend to be the worst when it comes to InfoSec and if the IT folk aren't paying attention, the organization may well be a major source of spam. That does discount the malicious admins out there working for peanuts that sell access to their servers to spammers to amke some cash on the side (Hospitals and schools tend to pay their IT personnel quite badly, many working for not much more than minimum wage)

        3. Anonymous Coward
          Anonymous Coward

          Spamhaus is NOT careful about what they list. They've listed hospitals and schools recently so people were sick and dying and doctors couldn't get internet because Spamhaus had nothing better to do.

          Look, it's cute that you attempt a Fake News troll here, but you may want to do your homework first as you're mainly dealing here with people who analyse information for a living.

          1 - people don't die because they don't get email. If it's life threatening, hospitals have been known to use a more symmetric form of communication called the phone. When it comes to diagnostic data, images tend to be too big for email anyway so other means are used.

          2 - Spamhaus doesn't block "the internet", it doesn't even get involved at the network level other than when whole IP ranges emerge to be supporting spam - Spamhaus busies itself with email exclusively.

          Now, come back when you are capable of putting a more coherent story together that actually stacks up. Or not. Better not.

  7. Version 1.0 Silver badge

    Fake mail addresses

    My company moved locations about 16 years ago and within six months our mail server started receiving emails addressed to the former residents names @ our domain name. I monitor the addresses that receive email (whether they are valid or not) and I would estimate that about 80% our spam load is addressed to a fairly small (100-200) set of fake, but plausible, email addresses.

    I honeypot the fakes to feed Spam Assassin so it's not a big deal but it does demonstrate that someone is combing though the public records and making up "valid" email addresses - it would be interesting to see how much of the "personal" data in these huge data breaches is actually fake.

    My suspicion is that the spammers are getting scammed.

    1. LDS Silver badge

      Re: Fake mail addresses

      Besides harvesting addresses from several sources, often spammers do build email addresses from scratch and then test them against valid domains to see if they match a real one - especially useful against large email providers like gmail or the like, where most combinations of names (and eve letters) have a good chance of being a mailbox used by someone.

      That's one reason, for example, to disable the VRFY command on SMTP servers (because it makes spammers life easier). Many servers are set to accept any address for that domain, and silently sinkhole non existing ones, again to avoid spammers to know which one are real, but that has the disadvantage of not letting legitimate senders know if they mistyped an address.

  8. Stevie Silver badge

    Bah!

    And double bah!

  9. Anonymous Coward
    Anonymous Coward

    <joke alert>

    disprupt the spammers networks by inserting short pieces of lead in to key network centers.

    </joke alert>

  10. Anonymous Coward
    Anonymous Coward

    Source IPs

    I sure would like to see a search so I could find out the source IP next to my info and allocate blame accordingly.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021