whenever i work with a vendor who needs an email address from me, i
create a unique email address specifically for that vendor.
i run my own mail and dns servers, so i have automated the process of
creating a unique mail subdomain and unique email address within that
sub-domain; it takes all of ten seconds. for example, if the vendor is
l5 then i might create a subdomain of l5.example.com and then create and
email address along the lines of email@example.com. subdomain
l5.example.com has its own mx record, and the only valid email address
in that subdomain is firstname.lastname@example.org.
i never ever share that vendor's unique email address with anyone other
than the vendor. in most cases, the mail address is "receive-only"
(i.e., mail is never sent by me from that mail address.)
the reason i do that is so that if i start getting unexpected email to
that vendor's unique email address (i.e., if i start getting spam to
that address) then i know something is up with that particular vendor.
on 05/12/10 i ordered a remote. over the course of two days i received
five emails from l5 to that address, and i sent one from that address to
l5. then in october i joined the l5 forums and received one email from
vitaly (the standard welcome message). then in november i received a
marketing email regarding l5 and black friday. so far so good.
but starting on 05/16 i began received spam and viruses to my email
address. as of this afternoon i have received six. four about wire
transfers, one about insurance, and one hawking father's day stuff.
if someone sends you a private message in the support forums, you get
notified by the support forums that you have a message waiting. the
messages i have been receiving are not the same messages; the spam
messages i have been receiving are being sent directly to the email
address i used for l5.
my email address is not visible in the support forums. so then how is
someone directly sending email to that address?
one of the three things has happened: an email list was sold (which
would be contrary to l5's own policies); some database containing the
email address has been compromised (i.e., hacked into) and the email
addresses have been stolen (along with who knows what else -- has credit
card information been stolen from the ordering system?); a disgruntled
employee has stolen the information and is using it in some fashion.
on may 16 i sent an email to support@L5technology.com,
email@example.com, sales@L5technology.com, and
media@L5technology.com documenting this security breach and i have not
heard a single word in response.
l5 has a legal and moral obligation to notify its users of any breach of
any personal data.
wade mcnary, what gives?