Researchers' Typosquatting Stole 20 GB of E-Mail 204
NeverVotedBush writes "Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."
Good test. (Score:3)
Anyway, of the 20 Gig they collected, I am sure 19.9 Gig was this boilerplate text.
Re:Good test. (Score:4, Informative)
>Let us see if that stupid boilerplate text has any legal standing
It doesn't. It didn't work for real mail so why should it work for email?
You get something unsolicited, and you are free to do with it whatever you choose. It's up to the sender to get the address right in all cases.
--
BMO
Re: (Score:3, Informative)
Not true, at least in the UK:
Interfering with mail - Postal Services Act 2000 Section 84
Triable Summarily (Magistrates court)
6 Months and or a fine (Max)
A person commits an offence if they without reasonable excuse intentionally delay or open a postal packet in the course of transmission by post or intentionally opens a mail bag.
A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, opens a postal packet which they know or suspect to have been delivered incorrectly.
If you work for the Post service you could commit other offences under Section 83 triable either way (Magistrates or Crown court) and get a sentence of 2 years and or a fine.
Re: (Score:2, Interesting)
"Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.
Re: (Score:2)
"Delivered incorrectly" is different from "addressed incorrectly". One is an error of the Postal Service, the other is an error of the sender.
Either way, as confirmed in the Regulation of Investigatory Powers Act 2000 [opsi.gov.uk]:
It is an offence to open, destroy, hide or delay any post that is addressed to someone else. Post cannot be opened if it is to the addressee's detriment and without reasonable excuse. Reasonable excuse is not defined by the Act.
An example of a potential conflict is if a landlord opens a previous tenant's post in order to trace them. Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.
It is also an offence to divert someone's post in order to intentionally delay them from receiving it. An example of this could be where a person re-posts documents or cheques to delay the addressee from acting upon them.
Re: (Score:3)
It was addressed to me; I own the address that received it, it is mine. According to the laws you've quoted, anyway, which strictly forbid opening mail addressed to other people. Only I may legally open it; it is mine.
I get a dozen emails a month on my gmail account that are intended for a person with a name very similar to mine.
These emails are all addressed to me, although that's not who they should have been sent to. The person sending intentionally sent it to me - th
Re: (Score:2)
But it doesn't have your name on it, so you can't open it under the laws of many countries. You need more than just the address for it to be your, it must have address and name or say "occupant" or the like. There is also a test that courts would apply about whether it was reasonable for you to assume that it was intended for you or not. It's one thing to make an honest mistake, but if you are reading the previous tenant's post then you are on shaky legal grounds depending upon where you live.
Re: (Score:2)
Me: bob@aple.com
Not Me: bob@apple.com
Amy means to send to bob@apple.com but can't be bothered to be careful and sends to bob@aple.com.
Can I read it?
Of course. It is addressed to me so "offence to open, destroy, hide or delay any post that is addressed to someone else" doesn't apply. It was addressed to me and therefore delivered to me so "someone knows or reasonably suspects the post has been incorrectly delivered" so this too doesn't apply. Also, I did not delay delivery since it was addressed t
Re: (Score:2)
I should reasonably suspect her messages are not for me. I do get mail from people I don't know, it is rare but it does happen. I do not have any reason to assume any e-mail was not intended for me until I have opened the message and seen it's contents.
In the case of the post (not that I believe it should apply, just that's what we're talking here); if the letter was addressed to your name and the address was incorrect, it would be a simple case of mistaken identity, and although probably illegal somehow - I'm sure it wouldn't be enforced.
If you'd set up aple.com for the deliberate purpose of fraud, (like those in the article have) then you can "reasonably suspect the post has been incorrectly delivered".
Re: (Score:2)
You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.
Re: (Score:2)
You don't seem to want to acknowledge the difference between incorrectly delivered and incorrectly addressed. If someone puts my address in the To field and it arrives in my inbox then it was correctly delivered. Whether they intended for me to receive the email or not is not relevant to the laws you referenced.
If we're going to take the Post metaphor so seriously; presumably if it's in your inbox - but clearly not for you; then you cannot open it since 'Post cannot be opened if someone knows or reasonably suspects the post has been incorrectly delivered.'.
However, of course, if you aren't sure if it is for you; then that would likely be a 'reasonable excuse' to open it under the law.
Presumably once you have opened it and realised it is not for you, you would follow the boilerplate and delete the message.
Seri
Re: (Score:2)
There you go again. If it has my address then it's not incorrectly delivered. What is it about that you don't get?
Re: (Score:2)
It was delivered to a person other than the recipient. That means it was incorrectly delivered. Whether it was incorrectly delivered because the person who addressed it made a mistake or because the person who delivered it made a mistake is immaterial to the fact that it was not delivered to the right person.
Furthermore, the rules in question belong to a legal system which is explicitly designed to handle such questions and come to meaningful answers based on the details of precisely what happened. You may
Re: (Score:2)
You have to "open" email, just to see who it's sent too.OOPS. TOO LATE.
No, at least in theory, you don't. SMTP [ietf.org] literally has an "envelope"; it should be all the server looks at to relay/deliver messages.
Re: (Score:2)
No, not really. If you're a BCC'd recipient you wouldn't even be able to tell from the headers. All you'd see is a delivered-to header and obviously that has to be you since you received it. It's the RCPT TO field that determines who actually receives the e-mail, not the To, Cc, or Bcc headers (the Bcc header is stripped out anyway).
Re: (Score:2)
No, not really. If you're a BCC'd recipient you wouldn't even be able to tell from the headers. All you'd see is a delivered-to header and obviously that has to be you since you received it. It's the RCPT TO field that determines who actually receives the e-mail, not the To, Cc, or Bcc headers (the Bcc header is stripped out anyway).
Yes, BCC is another reason why the original comparison (from 'bmo') to post vs email is not a fair comparison; and why the laws (that really do exist in the UK) shouldn't apply to email.
Re: (Score:2)
It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just re
Re: (Score:2)
It's not "delivered incorrectly" if the address is right (your house) but the contents are wrong (meant for your neighbor)... That's basically what is going on here. While it could easily be argued that they acted with intent (since they certainly don't have a business called Kelllogggs that they need to send/receive email for) it is still within the bounds of "we read it because we were the intended recipient"... Those boilerplates are about as useful as walking around with a t-shirt saying "you just read this now you owe me twenty quid".
While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.
If this was applied to mail, not only would it be that they 'know or suspect to have been delivered incorrectly', they are certainly acting with intent. It would be hard to claim they didn't "know or suspect" these mails were not meant for them!
Sure, the boilerplate is meaningless; but to take the postal analogy further - this would be like me deliberately openi
Re: (Score:2)
While I'll agree the 'envelope' was correct - it was delivered to the correct address; the person who it was delivered to was not the recipient.
I do not think that word [reference.com] means what you think it means.
By definition, if something is addressed to you and you get it, then you are the "recipient". It does not matter what the thing is that you received, or why you received it. And, even the UK law you quote agrees with this definition, and gives only examples of when the mail is "addressed to someone else". This law is the US is similar. For example, the Post Office even made ads about how receiving something by mail that you did not request doesn't make you obligated to pay for it, because scammers were sending unrequested items via the mail and enclosing bills, then suing for non-payment.
Re: (Score:2)
So...what you're saying is that I could not open or throw away mail that is addressed to someone that does not live in my house, yet has my address on it? Pretty soon, I'm going to be crushed under the weight of all the mail addresses to "homeowner" or "recipient"!
Or, am i expected to find out where this person is, and do the Post's job for them? (fat chance).
If you're the homeowner or recipient, then you are the addressee... no need to be facetious.
If it has someone elses name on it, no you cannot legally open it, at least by the law of the UK.
If you set up a similarly named address, for the sole purpose of intercepting mail, then I would expect that yes, you're still breaking the law.
Re: (Score:3)
You're supposed to mark it "no longer at this address - return to sender", black out the barcode at the bottom with a marker, and put it in the outgoing mail.
Re: (Score:2)
Email doesn't follow most of the postal rules because of the relative infallibility of machines, thus most postal privacy laws don't apply.
You're right - I agree entirely. But I wasn't the one who compared the email with postal services;
I simply took issue with 'bmo' comparing the two when there ARE laws in the UK about opening post not to the addressee.
I don't even believe the postal laws should apply to email; I believe the law should only come into effect where it's clear the 'typosquatted' domain is there for fraud.
Re: (Score:2)
Or giving Satan an EULA when he comes to collect your soul.
Re: (Score:2)
But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.
Re: (Score:2)
But it was delivered completely correctly. The sender specified the wrong address, but it was delivered absolutely correctly to that address.
As others have pointed out, delivered!=addressed.
i.e. just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)
Re: (Score:2)
If it has my address on it, how am I even supposed to know it's not for me before I open it?
Re: (Score:2)
If it has my address on it, how am I even supposed to know it's not for me before I open it?
Do you not have a name, Chris Mattern? =)
Re: (Score:2)
The name is a part of the address! If the letter says "Bob Smith" and you are not "Bob Smith" then it is NOT addressed to you even if the street address matches yours.
Re: (Score:2)
Ding ding ding! We have a winner!
Re: (Score:2)
If they addressed it to me i'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?
This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".
Sure the sender screwed up an actually meant to se
Re: (Score:2)
If they addressed it to me i'm pretty sure it does - or am I supposed to use magical powers to determine I should open that piece of mail with my name and my address on it?
This is not "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 14 Station St" It is not even "Bob Smith at 12 Station St" getting mail addressed to "Bill Jones at 12 Station St". This is "Bob Smith at 12 Station St" getting mail addressed to "Bob Smith at 12 Station St".
Sure the sender screwed up an actually meant to send it to Bill, but are you seriously saying Bob is going to be breaking the law by opening it.
And that could happen with physical mail - it's not such a stretch to put the a letter in the wrong envelope. I'm sure someone somewhere has sent TIm's wedding invitation to Jane because they screwed up when putting 200 personalised invites into 200 addressed envelopes. Or a letter printer and envelope printer got out of sync in some automated setup.
You've made a few errors there. This is "12 Staton St" getting mail addressed to "Bob Smith at 12 Station St". It would be unfortunate in the postal system if the a duplicate name lived at the mistaken address. If there is a "Bob Smith" at the real address, it's unlikely, but surely it would be a "Reasonable Excuse" - as defined in the law you replied to.
However, in this case, the fake "Bob Smith" has set up a house called "12 Staton St" and hoping people get the wrong address; and he isn't really even cal
Re: (Score:2)
I was only respinding to this part:
just because my bank sent my bank statement to your house by accident, that does not give you the right to read or open it (at least not via post in the UK)
Which has nothing to do with email and domain squatting and so on.
If my name is Bill Smith and I live at 12 Station St and your bank decides to send your bank statement to me addressed as:
Bill Smith
12 Station St.
Then surely it can not be against the law for me open the letter? How do I know it isn't for me before I open it?
Re: (Score:2)
You don't need it for real mail because tampering with an envelope addressed to someone else is a federal offense.
Re:Good test. (Score:4, Interesting)
Well, in this case, you have to make the explicit step of setting up an alternate site, and having something there to get email. So you've explicitly put stuff in place to catch these messages.
Under normal circumstances, the user would get a bounce-back of the message ... so, someone might be able to argue that it's not like something was delivered to you out of the blue. You've actually created the thing that it gets delivered to, and made it look as close as you could to the intended one.
At a minimum, this might get into a gray area, and might be full on illegal, even if you were only passively receiving the mis-directed stuff thereafter.
I don't think you can make the claim that you just happened to be receiving these emails.
Re:Good test. (Score:4, Informative)
The boilerplate has no legal force. First, it's like someone sending you unsolicited snail mail - anyone who sends you, say, an unsolicited book by snailmail can't then send you a demand to pay for it - it's already yours.
Additionally, boilerplate "contracts", even ones you agree to, are governed by different laws than regular contracts (search for "contract of adhesion" or "standard form contract").
Re: (Score:2)
With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).
If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them. I suppose the courts could look at a mis-sent item as never actually having ownership transferre
Re: (Score:2)
With physical goods, like a book, I suspect they could legally demand the book be returned (although, who's going to hire a lawyer and go to court over a $10 book).
I can suspect that all you want. You'd still be wrong.
https://postalinspectors.uspis.gov/investigations/MailFraud/fraudschemes/othertypes/UnsolicitedFraud.aspx [uspis.gov]
If it were something sufficiently valuable for it to be "worth it", though, they could probably demand it be returned. I mean, mailing something to you doesn't make you the 'owner' - netflix mails me DVDs, but I don't "own them", and must return them.
You have an agreement with netflix before they sent them that you would return them. If netflix sent you some DVDs to someone who hadn't requested them out of the blue, then that person now owns those DVDs.
Re: (Score:2)
U.S. postal regulations explicitly state that if you receive unsolicited goods in the mail, they are yours to do with as you wish - you have no obligation to the sender. The liability is always with the sender. This is to discourage certain obvious scams.
If something is delivered to you which is clearly intended for someone else (i.e., right address, wrong name), things might get more complicated. I don't know the legalities in that case.
Re: (Score:2)
Your netflix example is silly - you have an agreement to lease the DVDs with them.
Sending it to a mistaken address is a different story as well.
But sending unsolicited material to the RIGHT recipient transfers ownership, plain and simple.
Re: (Score:2)
I always thought that was bullshit. How do i *Know* if the email was intended for me? because it's got my email address, that's how.
Now, how can someone demand that i "promptly delete" the email? i have server logs, backups, and a whole array of things (required - as i understand it - as part of SOX) that would have to be scrubbed. Who's paying? The sender wants me to foot the bill to do all that when i had NO say in whether or not I got the email? How about if I sent the sender an email everyday - unintent
Re: (Score:2)
At least morally
Re: (Score:2)
At least 1.3GB must have been the pretty little green text (sometimes with a graphic of a tree) to "think of the environment before printing this email...
Re: (Score:2)
100 megs of useable data is what we are talking about. ...
what that might cover is legal issues, user names and passwords and the like
so the ability to profit is present, and just like spam, you only need a few to make it worth while
Re: (Score:2)
Re: (Score:2)
19.9 Gig was pr0n, lolcats, and "Undeliverable Message" replies.
NO TYPING! (Score:2, Funny)
The attacker relies on the fact that users will always mistype a certain percentage of e-mails they send.
Who is doing this? Who types email addresses and doesn't use a contacts list or similar?
I suppose this is Window's fault but typing is so 20th Century....
Re: (Score:2)
You have to type it in the first time -- unless they sent you an email. So.... type it in wrong. Send off an email. Oops. Now it's in your mail app's magical "previous recipients" list. Update your official contact list. Send them another email. But your mail app decides to use the previous recipient entry since it's "more recent" (or whatever) than your official contact entry. Unless you click on the person's name to verify the updated address you'll never know and another misdirected email is se
Re: (Score:2)
Re: (Score:2)
You don't type? How did you compose your post?
Typing is the solution, not the problem. (Score:2)
I administrate several email domains.
The people who turn off autocomplete and type all their email addresses by hand do not make these mistakes, because they have significant amounts of practice typing them correctly.
The people who use email clients that remember and autocomplete addresses don't ever integrate the RFC822 parse logic into their brains or fingers, so they always type .com for .net and .org addresses, and they always type smith when they mean smythe, and then forever after their mis-populated
Re: (Score:2)
Any sufficiently advanced operating system would have known who you meant to email and automatically routed the message regardless of your inability to type "landolakes.com" without making a mistake. Duh.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
When you're working with someone from a different company, they won't be in your company's address book, so you have to type it in at least once to get it into your personal address book. If your company manages it well, that'll go into the corporate address book, but you'll still need to add people from other companies from time to time.
Re: (Score:2)
So what is this an argument for? (Score:2)
Re: (Score:2)
Re: (Score:2)
One obvious lesson for this is that using email systems that have autocompletes for addresses you've already used or have had replies from is obviously important. A lot of modern software does this although some does not (my university's default webmail application doesn't for example although gmail does).
Don't forget the very real problem of someone's self-configured email client putting the wrong return address on everything. Although they "should" catch it quite quickly as they see a distinct lack of responses to any emails they sent out, it might not be enough for some people. More strict send rules for all values in the email header could probably eliminate 99% of this traffic from ever happening. Just set the server up to read the recipient, check for similar domains, and weight the domains by "legi
Re: (Score:2)
Re: (Score:2)
Don't be so sure... One of our customers has her reply-to address set to an address pointing to a mailbox she never checks. She tells you her email address is X, and she does get mail addressed to X. But her emails come "from" (and "reply-to") Y. Y happily accepts mail, so there's no bounce or anything, it's just that it's a totally unused box at a no-longer-used domain.
She doesn't seem to think this is a problem...
Re: (Score:2)
Another obvious lesson is that once you've sent mail to wrong address, autocomplete will helpfully fill in that wrong address next time.
Re: (Score:2)
AOL's webmail autocompletes EVERYTHING YOU'VE EVER TYPED that matches, including truncated and nonresolving email addresses. You have to manually dig into options and delete the duplicate/false 'contacts.'
Common problem... (Score:2)
I get the same situation. I've got a ".ca" with my last name, and a Canadian lawyer with the same last name has the ".com". I get a bunch of their email on my "catch-all", which is awkward, given the confidential nature of things you may discuss via email with your lawyer.
Re: (Score:2)
To date, I've only met one lawyer who encrypted legal communications. You think it would be more commonplace than it is for exactly the reason you described.
Re: (Score:2)
Anyone who can come up with a way to sign and encrypt email that makes sense to lawyers (my lawyer still uses AOL!) will make a helluva lot of money.
They should have been doing it ten years ago. It should be illegal to send attoney-client privileged emails in plaintext. But guess who makes the laws?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Actually, both I and the lawyer are in Canada (ironically, their offices are about a 10 minute drive from my house). And I have contacted them - spoken to one of their lawyers in person, actually, when my realtor used them to execute my paperwork when I bought my house... but, as other commenters have pointed out, they aren't too quick on the uptake with things like PGP...
Re: (Score:2)
Confidential things? Over email? Is this 1983?
Doesn't matter. There will always be failures in any manual process. About once a week I get multi-page faxes to my home phone number, destined for law firms in my home town, that contain confidential information. In those cases I contact the firm and forward the information to them in whatever manner they ask, then destroy my copy. Funny thing is that in most cases, the real fax number isn't even close.
Large firms to monitor domain registrations (Score:2)
From TFA:
Kim said that out of the 30 doppelganger domains they set up, only one company noticed when they registered the domain and came after them threatening a lawsuit unless they released ownership of it, which they did.
I guess a domain registration police department will become common in large firms now.
Re: (Score:2)
I guess a domain registration police department will become common in large firms now.
That's been a good idea since companies first started building a web presence. It's part of your brand and you want to make it's not tarnished. It should be one of the responsibilities of a corporate IT security department alongside encrypting laptops and intrusion detection.
Probably cheaper to outsource at least the detection part to a company who specializes in exactly that thing. I'd be surprised to hear no company provides such a service by now; especially registrars who deal with domain names 24x7 a
Re: (Score:2)
two things about it, though:
1. getting all of the typo-domains near your trademark can be expensive or impossible
2. if any are legitimate, you're just going to have to negotiate with them for what to do with missent emails
Re: (Score:2)
At my work we have people sending stuff to a similar domain on a regular basis. We have info@*****inc.com while his is info@*****.com , the owner of the domain is nice enough to forward on the emails at least.
I own a domain name (Score:2)
That has a similarity in name to one of the US Navy's aircraft carriers. I used to get a fair amount of email for people on that ship. Nothing classified (I would've been really disappointed and shocked, but probably not surprised), but there was one sailor in particular who must've had quite a taste for porn because that address got so much porn spam it was amazing.
Re: (Score:2)
Re: (Score:2)
The number with a taste for it is enormous. The number who don't know they can be disciplined for using the ship's internet connection to obtain it is closer to 1.
In other news, Navy ships have internet connections. Not gob-smacking, but pretty cool.
Re: (Score:2)
Stolen email? (Score:5, Insightful)
No mail was stolen. It was delivered exactly where it was addresst.
It's the fault of the monkey behind the keyboard and nobody else.
--
BMO
Re: (Score:2)
But the recipient was fraudulently pretending to be someone else. This is not a case of accidentally having a similar email address, instead the domains were created specifically to intercept misaddressed email. The con man should be considered guilty and not blame it solely on a naive victim.
Re: (Score:2)
They may not have broken any laws, that remains to be seen. However, it's clear what they did was unethical and they did not act in good faith. They knowingly attempted to receive misaddressed e-mails. That's not ethical behavior.
They were attempting to quantify how much a problem this is. Can you suggest other ways this could have been done that you think would have been more ethical?
This is why I turned off my catch-all (Score:2)
My domain is a letter off from a big company's, and I used to get what looked like pretty sensitive email all the time. After a few attempts to tell employees to stop doing it, I just turned off the catch-all.
Re: (Score:2)
Me too. I have a .com domain which is the same as a school domain in .co.uk. I used to get a fair amount of their mail, until I turned off the catch-all address.
(That was years ago. Today, if you have a catch-all address, you get to see the same spams come in for a long list of common names.)
This reminds me (Score:2)
Hmm, on second thought, no one would ever go there.
Re: (Score:2)
They will if I squat on Slashdot.Com at the right time...
Self funding research (Score:2)
"The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions."
I wondered how they could pay for their research in this era of vastly reduced funding - it's self funding!
Re:Self funding research (Score:4, Interesting)
Re: (Score:2)
It didn't say "top secret". It just said sensitive security info. What's significant gold to a h4xx0r may be gibberish to some, or mundane to those who requested it.
Re: (Score:2)
Better question, why do email applications default to sending unencrypted e-mail in the first place? The default should be encryption turned on.
You can't default to something that requires a preliminary exchange of information. While you can encrypt the SMTP exchanges, the e-mail itself can only be meaningfully encrypted if the recipient transmits his key to the sender beforehand (using a mechanism that prevents a man in the middle attack on the key exchange).
Re: (Score:2)
They reported in their findings the emails sent to people who didn't pay.
Note the absence of any mention of pr0n or affairs.
Both my wife and I regularly receive email... (Score:2)
intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend) . My wife has had an interesting time unintentionally following the life of a New York mover and shaker.
We don't know the real
Re: (Score:2)
intended for others. I have a full name @mac/@me account and my wife has a full name @gmail.com and I assume these people chose 1stnameLastname+1 account names making it very easy for their friends and business acquaintances to wrongly send us their email instead. I've gotten sensitive business information, invitations to exclusive events (unfortunately in the UK so I can't attend) . My wife has had an interesting time unintentionally following the life of a New York mover and shaker.
We don't know the real recipients actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email. Interesting conundrum.
This research result is not at all surprising- it is the same thing, just at a bigger scale and deliberate.
I have a similar problem from time to time with my gmail account. In addition to your comments, some people seem to think that first.last and firstlast at gmail are different email addresses, as a result I periodically get emails for people who screwed up signing up for an online account, and since the company gladly accepted any email address as unique as long as it didn't match an existing one, signed me up.
When it obviously an error I replay saying - pops wrong person. All but one generally reply with
Re: (Score:2)
We don't know the real recipients actual email addresses so we can't warn them and have to read our own email to find out if it is intended for us or not so we can't help but read their email.
You can find the real recipients actual email addresses with just a little leg work. Just reply to the sender and let them know the situation and ask if they could send you the correct email address or other contact information.
Re: (Score:2)
I have received email meant for someone else for over a decade. This comes from different sources, almost all of it advertising for a particular town and a few makes of automobiles or mortgages. My email is something like "john@abc.com" and easy to remember by any and all, since I snagged it early before all the rush to get email addresses. I suspect this other person filled out some forms with this email address even though his actual address is "john.smith@abc.com" or "john3317@abc.com" or something li
steal is a little strong (Score:2)
They captured 20GB of email.
They didn't really steal it, people addressed the email to them, they just did it errantly.
Not surprising (Score:2)
I emailed one guy back who was writing to his military son. He got all kinds of pissed off, and accused me of 'intercepting his emails'. Sorry dude...YOU screwed up.
I always try to email them b
Re: (Score:2)
1. Enable catch-all email accounts on all domains you own ...
2.
3. PROFIT!
20 gigs sounds like a lot, but since these were corporations, you can expect that a lot of them were huge Microsoft Word attachments with one-liners like "Peter: Remember to complete your TPS report by Friday." and equally vacuous Powerpoint slide decks. And people trying to email DVDs. And pr0n - lots of pr0n, if it was government employees.
Re: (Score:3)
Re: (Score:2)