Thursday 13th December 2007
petitions.pm.gov.uk Leak Your Email Address
If there was anywhere I thought would have more sense than to pass on email addresses, it would be the 10 Downing Street petitions system. But no, they too have leaked my address - the tell-tale method of mine to use a different alias for every website points the finger again. Now don’t get me wrong, I have almost no respect for any arm of the government, but the system is run by MySociety so I’m quite surprised.
Dear webmaster at PMO.gov.uk,
As the owner of the gravitystorm.co.uk domain, I frequently choose different email addresses to use on different websites, so that I can trace who is providing my email addresses to third parties. The email address petitions@[redacted].co.uk has been used exclusively on the “petitions.pm.gov.uk” website. I’m sure you can see how I can be certain that it is only you, and I, who have knowledge of this alias.
Can you please inform me as to whether you, or your contractors for the site (“MySociety”) are responsible for passing on my address to the fraudsters who emailed me (see below). I can provide the full messages that I received today if this helps in any way.
Please note that I am fully aware that you have nothing to do with the spam itself, but you are quite obviously leaking my email address to third parties without my permission.
Many thanks,
Andy Allan
-------- Original Message --------
Subject: LOTTERY WINNING NOTIFICATION{CONGRATULATIONS}
Date: Wed, 12 Dec 2007 06:32:37 -0800
From: UK COVENTRY PROMOTIONS <coventrylotterypromotions @coventrylotto.com>
Reply-To: covpayer34@aim.com
To: petitions@[redacted].co.uk
I doubt this will get anywhere, but I may as well fish for an apology (and who knows, it might even prod them into fixing whichever hole these email addresses are leaking from).
Peterborough City Council are one of the sources of spam that I know about. They are the only leak that I have caught so far. It’s so significant now that the email address given to them will be in my blacklist soon….
Comment by Eddie — 13/12/2007 @ 11:21 am
“Petitions” is a word. It is possible that the spammers are sending to @[redacted].co.uk as this actually happens quite often to domains.
The only way to conclusively prove that it’s the Petitions site that is doing it, is to assign them something that isn’t a real word as an email address. If you want to make it recognisable, by all means use petitions.12Asdfr@[redacted].co.uk but definitely put some random data that will survive a dictionary attack in there.
Side Note: Why haven’t I made it to the Hall of Shame yet?
Comment by Sam — 30/12/2007 @ 10:29 pm
oh god, why on earth do you sanitise <randomword>
Comment by Sam — 30/12/2007 @ 10:31 pm
heh, I can beat your filters… The above post should say in the first line “<redacted>@[redacted].co.uk”
Comment by Sam — 30/12/2007 @ 10:32 pm
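The unguessable-alias idea from Sam's comment above, as an added example that is not part of the original post or its comments: each site gets a recognisable word plus a keyed tag, so mail to a verified alias points at that site while mail to a bare dictionary word does not. The key, the domain `example.org` and the function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Assumptions: constructed sample key and placeholder domain, not the author's.
SECRET = b"constructed-sample-key-change-me"
DOMAIN = "example.org"


def _tag(site: str, length: int = 8) -> str:
    """Truncated HMAC-SHA256 of the site label; 32 bits is far beyond a word list."""
    digest = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def make_alias(site: str) -> str:
    """Build a recognisable but unguessable address of the form word.tag@domain."""
    site = site.lower()
    if not site.isalnum():
        raise ValueError("site label must be alphanumeric")
    return f"{site}.{_tag(site)}@{DOMAIN}"


def attribute(recipient: str) -> tuple[str, str | None]:
    """Classify the recipient address seen on an incoming message.

    ("leak", site)    tag verifies, so only that site was ever given the address
    ("guess", None)   bare word or bad tag, consistent with a dictionary run
    ("foreign", None) not addressed to our domain at all
    """
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN or not local:
        return ("foreign", None)
    site, dot, tag = local.partition(".")
    # Constant-time comparison on bytes, so odd characters cannot raise.
    if dot and site.isalnum() and hmac.compare_digest(tag.encode(), _tag(site).encode()):
        return ("leak", site)
    return ("guess", None)


if __name__ == "__main__":
    # Constructed recipients: one issued alias and two dictionary-style guesses.
    for rcpt in (make_alias("petitions"), "petitions@example.org", "sales@example.org"):
        print(rcpt, attribute(rcpt))
```

Because the tag is derived from the key, no list of issued aliases has to be stored: any address that verifies was handed to exactly one site.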
Good point on the Hall of Shame - perhaps I expect so little that I so rarely check your site.
I think the filters just eat every html tag that isn’t pre-approved, so it’ll eat things with angled brackets but not html entities. It’s not exactly rocket science but it does the job. You could argue that unknown tags should get escaped and white-listed html tags get left as-is, I suppose.
But as to your original point, I get lots of spam, and so I see what dictionary words are being used. ‘Sales’ appears to be the only one, along with a load of random personal names. Never any other nouns. I never heard back from the pmo.gov.uk guys, which makes them cretins in my opinion - at least they could have told me to bog off.
Comment by Andy — 31/12/2007 @ 12:41 am
You email probably fell that the pmo.gov.uk spam filter!
Comment by Nia — 4/1/2008 @ 9:08 pm
YOUR email even
Comment by Nia — 4/1/2008 @ 9:08 pm
Your email probably fell at the pmo.gov.uk spam filter!
(3rd time lucky? It _feels_ like it’s been a long two day week!)
Comment by Nia — 4/1/2008 @ 9:09 pm
Oh no, Nia; it’s *your* comments, and they fell into *my* spam filter!
I did chop out all of the email before forwarding it to them to try to prevent that, but hey-ho.
Comment by Andy — 5/1/2008 @ 1:52 am