Tell HN: I've started to get email spam to my Comcast-only email address
I have a unique email inbox that I have only given out to Comcast. A few days ago, I started getting occasional spam (phishing) emails to it.
Either Comcast has gotten breached or they sold my data.
I don't think that this should come as a surprise to anyone here, but in case you needed confirmation, here it is.
Edit: the address is a Fastmail masked email address of the form word.wordxxxx@fastmail.com. One email claimed to be from a Gmail address, and it appeared to have DMARC/SPF headers, but I'm not experienced enough to know if they're valid. I'll try to provide the headers soon.
27 comments
[ 0.19 ms ] story [ 77.7 ms ] threadmost mail providers don't guard against that
I appreciate the post, as of course it is an act of community goodwill; but this isn't really confirmation. I could simply write this same text with any company I wished to label as unsavory. Also, just like spam calls are more coming from lax caller protections rather than data sales, it could be that your email address was simply guessed by some spammer and upon not bouncing marked as email-able
Not saying Comcast didn't sell your info (probably likely), but there are other possibilities.
However, that seems pretty unlikely in my case. If someone was enumerating the Fastmail address space, then I would have needed to receive a "probe" email to that address first, and I don't recall receiving anything except communications from Comcast itself (and this is a low-volume inbox where I read every email).
Alternatively, that could have been the spammer's probe email - except that I emailed several of the other addresses on the recipient list, and none of those emails bounced, and I got several responses from real humans.
So either the spammers had a long list of addresses that they knew and were only probing mine (which seems far-fetched) or they just happened to guess both my address and every one of the others that I emailed (which seems incredibly unlikely).
Unless there's something else that I'm missing...
I'll try to provide redacted headers within the next day or two so that interested parties can take a look anyway.
I'm sorry, I don't see how the fact that there are a large number of recipient email addresses provides evidence for the idea that my email address was guessed. A spammer with a list of addresses bought off a marketplace could easily have done the same thing, couldn't they?
if someone got a fresh list of mail addresses, they'd probably test all the mails coming from this source at the same time, could confirm your theory
Adobe, Dropbox, Tumblr, Last.fm, DailyMotion, Abbreviations.com, Filesavr.com, 1and1.com - these are just from the last day or so as I deleted so much spam from before.
https://www.wired.com/2004/06/aol-worker-sells-92-million-na...
The more interesting part on this is that it's not listed in HaveIBeenPwned as a breach / leak, which means Comcast / Xfinity don't know about it (or are keeping quiet), and it hasn't been widely released anywhere. Both options are pretty odd to me given the spam.
This also implies either Comcast / XFinity don't have honeypots for customer info leaks, or they don't care about breach notifications.
Note, while this is just one extra data point, I can't add more detail than the above to help your specific case.