whenever i work with a vendor who needs an email address from me, i
create a unique email address specifically for that vendor.
i run my own mail and dns servers, so i have automated the process of
creating a unique mail subdomain and unique email address within that
sub-domain; it takes all of ten seconds. for example, if the vendor is
l5 then i might create a subdomain of l5.example.com and then create an
email address along the lines of l5@l5.example.com. subdomain
l5.example.com has its own mx record, and the only valid email address
in that subdomain is l5@l5.example.com.
i never ever share that vendor's unique email address with anyone other
than the vendor. in most cases, the mail address is "receive-only"
(i.e., mail is never sent by me from that mail address.)
the reason i do that is so that if i start getting unexpected email to
that vendor's unique email address (i.e., if i start getting spam to
that address) then i know something is up with that particular vendor.
on 05/12/10 i ordered a remote. over the course of two days i received
five emails from l5 to that address, and i sent one from that address to
l5. then in october i joined the l5 forums and received one email from
vitaly (the standard welcome message). then in november i received a
marketing email regarding l5 and black friday. so far so good.
but starting on 05/16 i began receiving spam and viruses to my email
address. as of this afternoon i have received six. four about wire
transfers, one about insurance, and one hawking father's day stuff.
if someone sends you a private message in the support forums, you get
notified by the support forums that you have a message waiting. the
messages i have been receiving are not the same messages; the spam
messages i have been receiving are being sent directly to the email
address i used for l5.
my email address is not visible in the support forums. so then how is
someone directly sending email to that address?
one of three things has happened: an email list was sold (which
would be contrary to l5's own policies); some database containing the
email address has been compromised (i.e., hacked into) and the email
addresses have been stolen (along with who knows what else -- has credit
card information been stolen from the ordering system?); a disgruntled
employee has stolen the information and is using it in some fashion.
on may 16 i sent an email to support@L5technology.com,
vitaliy@davaconsulting.com, sales@L5technology.com, and
media@L5technology.com documenting this security breach and i have not
heard a single word in response.
l5 has a legal and moral obligation to notify its users of any breach of
any personal data.
wade mcnary, what gives?
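
The per-vendor address scheme described at the top of this post can be monitored automatically. The following is an added example, not part of the original post and not the poster's own tooling: it flags mail delivered to a vendor-only address when the sender's domain is not one expected for that vendor. The allowlist contents, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: each per-vendor alias maps to the sender domains expected to use it.
EXPECTED = {
    "l5@l5.example.com": {"l5technology.com", "davaconsulting.com"},
}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw, envelope_rcpt):
    """Return an alert dict when a vendor alias gets mail from an unexpected domain."""
    rcpt = envelope_rcpt.strip().lower()
    allowed = EXPECTED.get(rcpt)
    if allowed is None:
        return None  # recipient is not a per-vendor alias
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    dom = domain_of(sender)
    # The From header is forgeable, so a match proves nothing about the sender;
    # a mismatch is the signal that the alias is known outside the vendor.
    if any(dom == d or dom.endswith("." + d) for d in allowed):
        return None
    return {"alias": rcpt, "from": sender or "(none)",
            "subject": msg.get("Subject", "")}

def scan(messages):
    """messages: iterable of (raw_message, envelope_recipient) pairs."""
    return [a for raw, rcpt in messages if (a := check_message(raw, rcpt))]

# Constructed sample input: (raw message, envelope recipient).
SAMPLES = [
    ("From: Sales <sales@L5technology.com>\nSubject: black friday\n\nbody",
     "l5@l5.example.com"),
    ('From: "Bank" <notice@wire-transfer.invalid>\nSubject: wire transfer\n\nbody',
     "L5@l5.example.com"),
    ("From: friend@example.org\nSubject: hi\n\nbody", "me@example.com"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```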
