[PSA] Joost sells email addresses

Steven Hatfield steven at lacasacontenta.net
Mon Mar 5 12:29:52 PST 2007


The email alias that I used was "joost-srh at knightswood.net".  This  
isn't exactly a dictionary-attack-friendly name, as it is unlikely to  
have been used anywhere else in the world or exist as an option to  
try against a mail server.

I entered into their beta test signup page, to be notified when they  
would like me to help them beta test.  This was some time ago, and I  
had never heard from (or really thought of) them again, until I  
received an email this morning from a spammer in Malaysia (myjaring.my).

I would never accuse a company of selling an email address unless I  
knew that they had sold it, or it was "more likely than not" that  
they had sold it.  I sent the company's "privacy at joost.com" account a  
note this morning, and have not heard anything back yet.

To the person who said "So what" about receiving a spam email:

I do get spam, it is inevitable.  I use aliases to curb the amount of  
spam that I do get.  There is a bigger issue here.  When a company  
publicly states that they do not sell your email address, and then  
sells it, that calls into suspicion the character of the company.  I  
gave Joost the benefit of the doubt, because their privacy policy  
clearly states that they hold your personal data sacred.  It turns  
out that they do not.  On top of that, they are going to release a  
service on the Internet that allows people to watch TV shows (or  
movies or whatever video content), and will have the ability to track  
large amounts of data on a vast number of people.  If they can't keep  
email addresses secret, what makes you think they'll keep your  
viewing history secret?  It is best to know who the "good" companies  
are, rather than lose what computer-using privacy you have left.

I just wanted to help some fellow Mac users out of receiving even  
*more* spam than they already do, and alert them that "here be  
dragons" on the spot on the Internet map where Joost exists.

Peace.
-Steven

On Mar 5, 2007, at 2:28 PM, Michael Brian Bentley wrote:

>> I don't think you can be certain that Joost sold your address. The  
>> spam could have been the result of Directory Harvest.
>>
>> http://en.wikipedia.org/wiki/Directory_Harvest_Attack
>>
>>  M
>
> I think this is still an attack based on the use of a dictionary of  
> likely or possible address names. If you use an unlikely name,  
> something that otherwise looks like an arcane password, such as  
> M2rg4tr0yd_ (at)Ivorytower(dot)com, the dictionary is unlikely to  
> contain that name--unless the name slips into spammer consciousness  
> by using it in the open on Usenet, or by sending it to a company  
> that claims to not sell contact information... making the name as  
> arcane as possible for use in one specific, private situation is  
> going to make it difficult to describe how a spammer got hold of it  
> by any way other than the recipient selling it.
>
> Because some enterprising Joost employee may be taking liberties  
> with incoming addresses in a fashion counter to expressed Joost  
> policy, I'd try to contact Joost and complain about it. The beauty  
> of one-shot names is that they can be turned off instantly.
>
> -Mike
> _______________________________________________
> MacOSX-talk mailing list
> MacOSX-talk at omnigroup.com
> http://www.omnigroup.com/mailman/listinfo/macosx-talk
>
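
The one-shot alias idea discussed in this thread, as an added example that is not part of either poster's message: each company gets its own address whose tag cannot be guessed from a dictionary, any mail to that address identifies the company it was given to, and the alias can be turned off. Deriving the tag with HMAC-SHA256, the key, the `example.net` domain and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: secret known only to the mailbox owner
DOMAIN = "example.net"             # placeholder domain
REVOKED = set()                    # services whose alias has been turned off


def _tag(service):
    """Unguessable 10-character tag bound to one service name."""
    mac = hmac.new(SECRET, service.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac)[:10].decode("ascii").lower()


def make_alias(service):
    """Address to hand to exactly one company."""
    service = service.lower()
    return "%s-%s@%s" % (service, _tag(service), DOMAIN)


def revoke(service):
    REVOKED.add(service.lower())


def classify(recipient):
    """Return (verdict, service) for an inbound envelope recipient."""
    local, _, domain = recipient.lower().partition("@")
    service, sep, tag = local.rpartition("-")
    if domain != DOMAIN or not sep or not service:
        return ("reject", None)
    # A guessed or harvested local part fails the MAC check.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(service).encode("ascii")):
        return ("reject", None)
    if service in REVOKED:
        return ("revoked", service)
    return ("accept", service)


if __name__ == "__main__":
    alias = make_alias("joost")
    # Constructed inbound recipients: the real alias, a guess, a generic name.
    for rcpt in (alias, "joost-srh@" + DOMAIN, "info@" + DOMAIN):
        print(rcpt, classify(rcpt))
    revoke("joost")
    print(alias, classify(alias))
```

Mail that classifies as `accept` but comes from a sender other than the named service is the signal that the address left that service's hands.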
