On November 2nd I received this spam:
(some headers removed; email@example.com is my censored email address)
Received: from mail15.soatube.com ([220.127.116.11]) by mail.bitfolk.com with esmtp (Exim 4.72) (envelope-from <firstname.lastname@example.org%gt;) id 1RLikr-00070I-6U for email@example.com; Wed, 02 Nov 2011 21:53:57 +0000 Received: from [18.104.22.168] (mail3.soatube.com [22.214.171.124]) by mail15.soatube.com (Postfix) with ESMTP id 6B324181CFF for <firstname.lastname@example.org>; Wed, 2 Nov 2011 14:46:01 -0700 (PDT) To: email@example.com From: firstname.lastname@example.org Date: Wed, 02 Nov 2011 14:00:40 -0700 Subject: BPM Panel Discussion: IBM, Oracle and Progress Software ------------- BPM-CON: BPM Panel Discussion - IBM, Oracle and Progress Software ------------- Online Conference Expert Speakers: IBM, Oracle, Progress Software etc..
The email address it arrived at was an email address I created in November 2004 in order to take a web-based test on Red Hat’s web site prior to going on an RHCE course. It has only ever been provided to Red Hat, and has not received any email since 2007 (and all of that was from Red Hat). Until November 2nd.
The spam email contains no reference to Red Hat and is not related to any Red Hat product.
From my point of view, I can only think that one of the following things has happened:
- Spammers guessed this email address out of the blue, first time, without trying any of the other possible variations of it all of which would still reach me.
- One of my computers has been cracked into and the only apparent repercussion is that someone spammed an email address that appears only in an email archive from 2004/2005.
- Red Hat knowingly gave/sold my email address to some spammers.
- Red Hat or one of its agents have accidentally lost a database containing email addresses.
Possibility #4 seems far and away the most likely.
I contacted Red Hat to ask them if they knew what had happened, but they ignored all of my questions and simply sent me the following statement:
Thank you for contacting Red Hat.
we apologies for the inconvenience caused however we would like to inform you that we have not provided your email address to anyone.
Red Hat Training coordinator.”
That wasn’t really what I was asking. Let’s try again.
“Hi Red Hat Training coordinator,
Thanks for your reply, but I’m afraid I am not very reassured by your response. Do you have any suggestions as to how an email address created in 2004 and used only by yourselves for my RHCE exam managed to be used for unrelated marketing by a third party in 2011, unless Red Hat either provided my email address or leaked my email address?
For clarity we are talking about the email address “email@example.com” which has never ever received any email except from Red Hat, until yesterday, when it got some unwanted
marketing email from a third party.”
Please be assured that Red Hat does not circulate student’s e-mail address to any third party.
Red Hat Training Coordinator”
I’m not getting anywhere am I? I was only after some reassurance that they would actually look into it. Maybe they are looking into it, and for some reason decided that the best way to assure me of this was to show complete disinterest.
Oh well, I can send that email address to the bitbucket, but I can’t help thinking it’s not just my email address that has been leaked.
Anyone else received similar email? If so, was it to an address you gave to Red Hat?
Update 2011-11-10: Someone suggested I politely ask the marketer where they obtained my email address. It’s worth a try.
“Hi Integration Developer News,
May I ask where you obtained my email address
“firstname.lastname@example.org”? I’m concerned that it may have been
given to you without my authority.
Also I have now been contacted by someone from Red Hat’s Information Security team, who is looking into it. Thanks!