Spam

There’s Some Spam On Your Slacks

I’m a member of a few different Slack channels – they’re great for collaboration, helping others out and asking for assistance when you get stuck on something.

The biggest one is Windows Admins; winadmins.slack.com with over 1700 members (highly recommended if you’re a Windows Administrator).

An interesting event occurred today, where an account called ‘jb’ joined, and immediately posted this:

 

Rather spammy in itself from where I sit, and a few others piped up being unimpressed with this action. ‘jb’ apologised and removed the post.

Doing this in a sysadmin channel, however, is asking for a bit of further investigation. Putting aside the name itself (which, along with the logo, looks like it should be a product for a completely different industry), it was a bit weird that ‘jb’ appeared to be doing marketing, but had also signed up with an email address which was admin@theirdomain – not something that a marketer would have access to.

I’ve censored the image as I don’t have permission to use it, and it’s not about them at all – but for context, it was a black and white face shot of a young, white female, with their title as ‘designer and inventor’.

[Image: Slack for iOS Upload]

A reverse Google image search on the profile picture used revealed this:

[Image: person]

…which turns out to be photos of people at a clothing launch in Berlin, and ‘jb’s’ photo was a cropped version of that. Now, it could be that this fashion industry person in Berlin is also the person that runs this Japanese-based tech company’s PR, AND has access to the admin email account for their domain.

Asking this mystery person what was going on was just met with silence, and then the account became inactive. What happened?? We may never know.

There are a few takeaway points from all of this:

  1. Don’t steal a photo from the internet to use as your marketing tool; reverse Google image search is good enough to find even part of a photo if it’s indexed.
  2. Don’t go into a sysadmin channel and spam your product; it won’t end with a positive experience from the people who generally have to stop spam.
  3. Slack communities should be treated as openly available information – if an account gets approval, they could be scraping the conversations (and using them for legitimate business purposes too).
  4. Don’t be fake when peddling your wares; people see through it.
  5. Spellcheck your automated messages; morarale isn’t a word.

Again, I don’t know how much of this applies to the company in question, draw your own conclusions. Maybe it was an elaborate test to see how the mood changed in the Slack channel?

Your Personal Information Has Been Leaked

Opinion: The below is all my personal opinion, and although any company examples I give are true, this cannot be taken as 100% guaranteed evidence of a data leak.

Yep, you read the heading correctly. If you’ve been online and signed up to even a handful of services, chances are some of your data has been stolen.

Troy Hunt’s website https://haveibeenpwned.com/ hosts some details on many millions of records that have been leaked one way or another from companies such as Adobe, Sony and Yahoo. Those are just known leaks though, where the data has been made publicly available one way or another, and is only a snippet of what’s really out there.

How do I know this with such conviction? I’ve signed up to a LOT of things over the years, and using my methodology, each signup has a unique email address.

That unique email address per service gives me a pretty quick insight into who’s somehow lost my data. On a daily basis, I can have a look around my Google Apps spam folder, and see what email addresses were used to send spam to.

Often I’ll see the same email 15-20 times, sent to different email addresses on my domain. That makes it pretty clear these spammers are finding multiple chunks of breached data, because my different email addresses aren’t going to be registered to a single site.

Today’s spam had the local part of the email address (the bit before the @) in the subject too, so here you can see what these emails were sent to:

[Image: spam]

I tend to see a mix of gibberish (such as asYOyuPq) and leaked emails. In this example chunk of spam, there’s Adobe – which I know was leaked as confirmed on haveibeenpwned, but there’s also plenty of other worrying ones. Penguin is from Penguin Books Australia, Dropbox is obvious, Coles, Dell, and others.

Looking down my list in the last few days, I can see others like fringebenefits – an Adelaide Fringe-run discount tickets service I signed up to a couple of years ago. Viator, a service I booked a tourist attraction on when visiting the US a few years ago.

Then there’s ebay – that one I don’t know so well, because email addresses get passed around when you buy and sell things through a platform. Maybe I contacted a seller and they had my email address because of that, and it was lost from there. Acertabletforum from a few years ago when I downloaded custom ROMs for an Acer Android tablet. Umart, from when I bought some PC components a few years ago too.

At this stage, you might be wondering how I know the problem isn’t me. As I said, I’ve signed up for probably thousands of services over the years, and continually only see a subset of addresses that get spam. If I was leaking the data somehow, I should see a big mix of everything I’ve used, or at least everything up to a certain point in time. This is definitely not the case.
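The spam-folder check described above can be scripted. This is an added example, not code from the original post: it assumes a catch-all domain `example.net`, a hypothetical list of aliases handed out at signup, and a few constructed sample messages. It splits spammed recipients into known signup aliases (likely leaked), unknown local parts (guessed or gibberish), and aliases that have stayed clean, and groups messages whose subject differs only by the local part to show one campaign hitting several aliases.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

MY_DOMAIN = "example.net"  # assumption: catch-all domain used for signups
# Assumption: aliases given out, one per service ("library"/"gym" are made up).
KNOWN_ALIASES = {"adobe", "penguin", "dropbox", "library", "gym"}

# Constructed sample spam (headers + body), not real messages.
SAMPLE_SPAM = [
    "To: adobe@example.net\nSubject: adobe, your parcel is waiting\n\nx",
    "To: penguin@example.net\nSubject: penguin, your parcel is waiting\n\nx",
    "To: asYOyuPq@example.net\nSubject: asYOyuPq, your parcel is waiting\n\nx",
    "To: dropbox@example.net\nSubject: Invoice overdue\n\nx",
    "Delivered-To: adobe@example.net\nSubject: Invoice overdue\n\nx",
]

def own_locals(msg):
    """Local parts of every recipient address on our own domain."""
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    found = set()
    for _name, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        if local and domain.lower() == MY_DOMAIN:
            found.add(local.lower())
    return found

def triage(raw_messages):
    hits = defaultdict(int)       # alias -> number of spam messages
    campaigns = defaultdict(set)  # normalised subject -> aliases targeted
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        for local in own_locals(msg):
            hits[local] += 1
            # The spam put the local part in the subject; mask it so the
            # same campaign sent to different aliases groups together.
            pattern = r"\b" + re.escape(local) + r"\b"
            key = re.sub(pattern, "{local}", subject, flags=re.I)
            campaigns[key].add(local)
    return {
        "leaked": sorted(a for a in hits if a in KNOWN_ALIASES),
        "guessed": sorted(a for a in hits if a not in KNOWN_ALIASES),
        "clean": sorted(KNOWN_ALIASES - set(hits)),
        "merged_campaigns": {k: sorted(v & KNOWN_ALIASES)
                             for k, v in campaigns.items()
                             if len(v & KNOWN_ALIASES) > 1},
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SPAM))
```

A campaign that reaches two or more known aliases is the pattern described earlier: one sender working from several breached lists at once.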

On top of all these email addresses, I have no idea what other data was leaked with them. My name, date of birth, first pet’s name, my home address? I can’t remember which services required which pieces of info, nor will most of these data leaks ever be publicly known – so I have no idea.

I don’t know what the answer is to all of this. I called out one company recently asking if they had a data breach, as I started to get spam on the email address I’d signed up to their online store with, which resulted in them calling my personal mobile phone, finding me on Facebook, naming my wife and son to me and threatening to send friends around to my place of residence, which he had obtained from my domain registrar details. This happened 2 years after I explicitly requested the company delete all my details, which I happened to blog about here.

It’s a pretty sorry state of affairs, and I don’t see anything getting better soon. If you want real privacy, use a fake name, a PO box, a pre-paid mobile phone and so on – because as soon as you hand your details out to someone, the world’s going to know about it.

Thanks to Troy Hunt for giving me the idea to write this up.