Ask HN: A business sold my email. What can I do about it?

11 points by sbeckeriv ↗ HN
I have used the + feature in gmail for a while now. I finally received spam from one of these emails. I bought something on mace.com 4 years ago and today I received an email from NewYorkLife.com acarapezza@ft.newyorklife.com via mailchimp to the same address.

I reported as spam to mailchimp. I told gmail it was spam. I also emailed mace's support address asking them to remove me from the list emails they are selling. Searching google I see lots of suggestions to use the + feature but never what to do after catching someone using it.

Is there anything else I can do about it?

13 comments

[ 4.6 ms ] story [ 22.1 ms ] thread
You could basically file suit, not sure it would be worth the time and effort though.

Hell, even a $500 small claims court suit might make for a good option.

Does some offer this as a service yet?
I doubt it'll be worth your time trying to get something out of it. My experience is that they'll say sorry, and keep on doing it anyway.

Depending on how often they sell the info, you can just change your address with them, and permanently scuttle the original address (saves you from having to look at spam, etc).

Forgot to mention - if they'd sold it once, they probably sold it more than once - you just haven't received mail from anyone else yet. Even more reason to just scuttle the address now.

If more people do this, then hopefully selling information like this will become less lucrative over time.

I assume they sold my email. I have no supporting evidence that they did. I did receive an email back from support saying they don't sell email addresses. I replied with more information.

I did just noticed 5 days before I received spam to the same email address from

Copyright © 2014 Amazon.com Best Sellers, All rights reserved.

Our mailing address is: Amazon.com.bestsellers@gmail.com

I do the same thing, but instead of plus addressing I give each vendor a unique email at my domain. I now receive spam on my mint, geico, tumblr, lendingclub, disney, adobe, and dropbox addresses. In my case it's always outright spam instead of something remotely legitimate.

Your situation seems different than mine. I think my addresses were taken during a security breach instead of being sold by the company.

In my case I just change my address with the company to dropbox2@, and block the original address.

I also have a friends-and-family email address that isn't published anywhere online that finally started receiving spams. I think it was taken from a neighbor's address book in hotmail when he got phished.

I think a possible long-term solution would be for everyone to have a unique address for everyone else. The email software would auto-negotiate a unique address after your first communication with the person, creating a pairing similar to a friendship on a social network. I'm getting off-topic, but here's a link explaining what I mean a bit more: http://stevenjewel.com/2014/02/clearskies-chat/ (It's about decentralized IM instead of email, but the same antispam technique would work for either.)

In my case I just change my address with the company to dropbox2@, and block the original address.

I suspect some spambots just try common dictionary and business words at domains with valid MX records.

I don't think so. Here is my experience so far. For background, I don't run a spam filter at all and host my own mail on a enterprise fiber line that's unlikely to have ISP-level filtering. (If they do have it, it's terrible, since it doesn't even block email that has a certain product targeted at males mentioned in the subject line and spelled correctly.)

I've only seen what would be considered dictionary attempts for four addresses, info@, admin@, sales@, and support@ but only on a few of the domains.

A few years ago I started getting spam at random hexadecimal addresses at two of my domains, such as 72da48ba6@, about two spams per address per day. There turned out to only be ~ 800 unique addresses that were targeted, and so it was easy to block. What I think happened is this case is a address-to-spam-list creator padded his lists manually before selling them to make the list size bigger. I still get email at those 800 addresses, but no new hexadecimal addresses since I blocked the original set.

I have a different explanation for the hexadecimal addresses.

I get maybe 30 a day, from numerous sources, and they actually turn out to be legitimate message-IDs which were generated by my host when replying to public mailing-lists.

I think some kind of automated spider decided they were mail addresses.

Oh, I hadn't thought of that. That makes perfect sense.
I use a random email alias on a domain I own for each company I deal with. Generate one, throw in a database. For example: HN could be 8o0yxfkzleeftylr3dmb@example.com.

When I get incoming spam I can look up who the address is assigned to, cut off the alias and then take further action such as notifying the company, giving them a new email, or cutting ties with them.

I don't bother with retribution (would take too much time) -- if the company is unwilling to acknowledge the incident or it happens multiple times I cut the cord and move on.

Follow up: After some back and forth with support they are forwarding it to the "webmaster". They do not sell emails so no small claims. I will be following up with them.

Thanks!