The way the moderators handled this was pretty damn bad. Two different users tell the moderator they use UNIQUE e-mail addresses for dropbox only, and they received spam roughly at the same time and yet the moderator answers by assuming the users are idiots.
Yup, especially Chris' behaviour is a no go. I don't know how the mods are affiliated with dropbox but if they are employees I wouldn't let them have any customer contact at all.
I was wary of this thread showing up on HN because I felt I was a bit unkind when posting in that thread, but Chris' comment towards me seemed completely unjustified. And he deleted a prior post along the same lines, hence why I quoted him on my next post.
I also use unique addresses for every site, and while my Dropbox email wasn't compromised, I've occasionally gotten that response from tech support elsewhere.
You mean that tim-somespecificsite@mydomain.com was randomly compromised, but NO OTHER random email was mailed to me? No, that's not how spammers work. If they'd decided to spam tim-*, I would have gotten hundreds of emails...sigh...
Looks like Chris is battening down the hatches. His linked site[1] was up about an hour ago, but it redirects to a placeholder now. Also, he's deleted all but his first comment, wish I'd taken a screenshot of his other comments.
Tangentially related: It drives me nuts to deal with people whose default answers are "no," "you must be doing it wrong" and so on. Particularly the moderators who insisted someone must have guessed a ten digit random email address -- because Dropbox and its vendors couldn't POSSIBLY have ever done anything wrong, and it's MUCH more likely that a spammer magically brute-forced a 10 billion combination address! Grrr. I'm not sure what the right word is to describe that sort of personality, but such people should never have contact with customers. Or with me.
It's not just a 10-character address. It's a 10-character address on a non-standard domain (or so the conversation led me to believe). All without getting another email on that domain's catch-all address. If it was a spammer, who randomly-generated addresses on this domain, I would imagine that they would have been shotgunned across the whole domain. Not just hit that one single address.
They have a title, and that must mean they have authority. Volunteers are a fine thing, but make sure the title listed has the word "volunteer" in it else they will be taken for employees.
On a side note, why the heck does dropbox have volunteers running their support forum? At this stage, cost savings isn't worth the reputation hit.
"On a side note, why the heck does dropbox have volunteers running their support forum?"
If I had to guess - I'd suspect three or four "nines" of their customer support workload comes from their "free tier" non-customers. (Having said that, there's evidence upthread in these HN discussions saying they're also dropping the support ball for paying, even team-account-sized paying customers - that's not OK...)
Doesn't really matter for dropbox users though. They're the people the seller is putting in charge of being its face in the support place, and they're awful.
The way some people do "fredsmith+amazon@gmail.com" as proof that it must be amazon that leaks their passwords has some issues.
The guy who says that he had a truly random bunch of letters as his dropbox account is probably a better indicator, but it's hard to know if the guy ever leaked it himself.
Doesn't excuse the moderators being jerks, though.
When I try subaddressing as I try to sign up for new online services, more often than not that address format is rejected as invalid. Most online services don't have very good email validation.
Use a whole domain name, e.g. sign up for dropbox with dropbox@tokenadult.com. You could do this with Google Apps Gmail by setting a catch-all forwarding address for the domain.
I use a sub-domain (e.g. @m.mydomain.com) for my catch-all and this hasn't happened to me. There are various easy ways for spammers to find out about domains, but sub-domains can remain relatively obscure.
Or worse, using <randomchars>@somesubdomain.example.com as the SENDER address on spam to others. I once had spammers find a subdomain that accepted wildcard emails, and the backscatter was just insane. Had to spend a whole day trying to make a list of valid <usernames>@ on that subdomain to whitelist to put an end to it. (Not easy if you haven't already been keeping track of which addresses you've handed out throughout the years)
I have a setup like that, I get more spam because of that of course but Google is really good at filtering it. And especially in conjunction with priority inbox, it's a breeze (and very convenient).
Yeah, I've got postfix set up so I just need to add a line to a textfile with "servicename.somerandomchars[1]@mydomain" and it's starting to route to my inbox.
When an address is "compromised" and starts to receive spam, I move the line to a "banned_recipients" file with an SMTP reject header listing the new email. That way, a human using an old address would get a bounce back with the new email.
[1] so that the argument about bruteforcing "common-service@domainname" can be avoided
That's a nice technique; thanks for sharing it. This kind of flexibility is one of the many benefits of running your own mail server (I'm always happy to see that at least some people here are still doing that).
If you run postfix you can have that even easier; look for smtpd_recipient_restrictions and check_recipient_access in 'man 5 postconf'.
I'm running with this rule in the access map:
/^from-.*@foobar.com$/ OK
That accepts all mail to an address prefixed with "from-" and (by default) rejects everything else. This way you can just make up the dummy-addresses on the fly.
I remember being slightly worried about using such a simple prefix when setting it up initially. However I have never received mail to a from-* address that I didn't "create". Not once in over 6 years.
And disabling an address that has turned spammy is as easy as:
/^from-stuffit-expander@foobar.com$/ 554 No thanks.
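An added example (not part of the comments above, and not Postfix code): a small Python model of how a regexp access map like the one quoted is evaluated. It shows that the first matching line wins, so the 554 line only takes effect when it sits above the general from-* line, and that an unescaped dot in the domain matches any character. The helper names and the reordered table are constructed for illustration; Python's re stands in for Postfix's regexp table matching.

```python
import re

# Constructed tables in Postfix regexp-table syntax: /pattern/ result
# AS_POSTED keeps the two lines in the order they appear in the comment.
AS_POSTED = r"""
/^from-.*@foobar.com$/ OK
/^from-stuffit-expander@foobar.com$/ 554 No thanks.
"""

# Same rules with the specific reject first and the dots escaped (constructed variant).
REORDERED = r"""
/^from-stuffit-expander@foobar\.com$/ 554 No thanks.
/^from-.*@foobar\.com$/ OK
"""

def parse_table(text):
    """Return [(compiled_regex, result)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(.*)$", line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, recipient):
    """First matching rule wins. None means no rule matched, so the
    decision falls through to whatever restriction comes next."""
    for regex, result in rules:
        if regex.search(recipient):
            return result
    return None

def compare(recipient):
    """Result under the as-posted order and under the reordered table."""
    return (lookup(parse_table(AS_POSTED), recipient),
            lookup(parse_table(REORDERED), recipient))

if __name__ == "__main__":
    for rcpt in ("from-stuffit-expander@foobar.com",  # address being retired
                 "from-newshop@foobar.com",           # made up on the fly
                 "info@foobar.com",                   # no from- prefix
                 "from-x@foobarXcom"):                # only an unescaped dot matches
        print(rcpt, compare(rcpt))
```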
It's actually _not_ because their validation sucks, but because salespeople decided that it means you won't read their newsletter or other spam. They understand the situation as - hi, this is my email please use that subaddress so I can mark it as spam (yes, I know that spam filters don't need subaddresses - but try to explain it to an average salesdude - I've tried).
I have anything sent to any address at my vanity domain forwarded to gmail. I use the name of the website and add e.g. ".shop@mydomain.tld" or ".bank@mydomain.tld" so I can apply different labels to them in gmail. It works great except I chose a .info domain which some sites don't recognise as valid.
I should also have said that this system means that for forums I feel safe enough using the same password on all sites as it will never be linked with the same address. (I still use a different (predictable for me) password for banking/ecommerce websites)
These (the dot and underscore separators) are a great solution, because when the spam-happy-marketroids try to get the webdevs to intentionally implement broken email address validation, they can point out all the corporate email addresses which are by-policy of the form "firstname.lastname@domain.tld"…
Yeah, so much for RFC2822. Oh well, apparently, some spammers are clever enough to grep the emails with "+" and throw away the obvious additional portion.
Some of the posters seem to be saying they have received spam on a single, dropbox-specific address on their own domains, though, presumably with catch-all email, so that an attacker wouldn't just have had to guess fredsmith.dropbox@fredsmith.com, but also not tried a single other address @fredsmith.com
Speaking of which, this alias system from google is great in theory, but kind of pointless in practice; spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.
It's pointless in practice in theory; in practice in practice spammers (in my experience) don't target + aliases. And if you think about the set of people who are likely to give money to spammers, the set of people using + aliases, and the fraction of + alias space that is occupied versus the fraction of non-+'aliased space that is occupied, the reason why becomes clear.
I've tried to use this system in the past, but found it to be a PITA. A lot of email systems won't let you use a +. The other gotcha I get is that they use the email address as a login token (Dropbox, for example). So you have to remember a) that you used a token and b) what it was. Any suggestions on approaching these?
Even though a service might desperately want to know my personal and/or business email address, and disguise that desire with the usual "Hey, just use your email address as your login username!", doesn't mean I have to comply. Unless they're prepared to accept responsibility to disclosure of my address, I feel perfectly happy taking the required measures to minimise those risks myself - no matter what they attempt to enforce with crappy email validation or ToS requirements.
(And, although Dropbox have finally arrived in their forum-thread ~24hrs late apologising for their "community moderators" calling their customers idiots, the responses from Nathan and especially Chris only strengthen my resolve to ignore any attempt by companies/services to gain access to my personal email addresses as part of their user databases.)
I always use the domain-name minus the top level for my token. So if my base email were "david@example.com", for "dropbox.com" it would be david+dropbox@example.com. That makes it very easy to figure out all the emails I might have (since I'm essentially just remembering a very simple algorithm to generate them). Very often sites have sucky email validation that rejects "+" so I configured my system to allow . and _ to also work the same way. That way I can choose david.dropbox@example.com or david_dropbox@example.com if the + doesn't work.
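An added example, not part of the comments above: one way to combine the memorable per-site label described here with the random suffix suggested earlier in the thread, by deriving the suffix from a private key with HMAC so it can be recomputed instead of remembered, and so an inbound recipient can be attributed to the site it was given to. This goes beyond what the commenters describe; the key, the domain and the function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key-not-a-real-secret"  # assumption: known only to the mailbox owner
DOMAIN = "example.com"                              # constructed catch-all domain

def service_label(site):
    """'dropbox.com' -> 'dropbox' (the domain name minus the top level)."""
    return site.lower().rsplit(".", 1)[0]

def _tag(label, secret):
    # 10 hex characters of HMAC-SHA256: reproducible with the key, not guessable from the label.
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:10]

def alias_for(site, secret=SECRET, domain=DOMAIN, sep="."):
    """Build label<sep>tag@domain; sep may be '.', '_' or '+' depending on what the site accepts."""
    label = service_label(site)
    return f"{label}{sep}{_tag(label, secret)}@{domain}"

def attribute(recipient, secret=SECRET, domain=DOMAIN):
    """Return the service label if the recipient is an alias derived from our key, else None."""
    local, _, dom = recipient.lower().rpartition("@")
    if dom != domain:
        return None
    for sep in (".", "_", "+"):
        label, found, tag = local.rpartition(sep)
        if not found:
            continue
        # Constant-time comparison of the presented tag with the expected one.
        if hmac.compare_digest(tag.encode(), _tag(label, secret).encode()):
            return label
    return None  # guessed or never-issued address: safe to reject

if __name__ == "__main__":
    issued = alias_for("dropbox.com")
    print(issued, "->", attribute(issued))
    print("dropbox@example.com ->", attribute("dropbox@example.com"))
```

Mail arriving at an address for which `attribute` returns a label can only have come from someone who obtained the address that site was given, which is the inference the thread is arguing about.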
I once ran into the problem where a retail site forced me to sign up before paying, then refused to accept Paypal payment from any address except the one I signed up with. Of course my Paypal wasn't myemail+retailsite@gmail.com. Very annoying.
spammers can easily figure out they can just remove everything from the + sign, including the sign itself, and boom, they have my address without the specific alias.
Yahoo! Plus has a much better system where you use a different base email address plus the sub-address rather than your regular address.
For example, if my account is "somebody@gmail.com" then you use somebody+dropbox@gmail.com. But with yahoo, you pick an alternate, e.g. "huggybear", and use that instead (huggybear-dropbox@yahoo.com). That way if a spammer sees the sub-addressed account, they can't send email to huggybear@yahoo.com unless they want to end up on Yahoo's blacklist.
I've had a great deal more success with Yahoo's sub-addressing than Google's.
I should clarify: with Yahoo plus you only create one base for all your sub-addresses, not a new base for every sub-address.
So in my earlier example, if you wanted to sub-address ebay, amazon and hackernews you'd have huggybear-ebay@, huggybear-amazon@ and huggybear-hn@.
The big deal is that huggybear@ != someone@ and sending to huggybear@ won't reach someone@ and likely earns you a place on their blacklist (or some points towards ending up there).
The initial responses by moderators were fine and correct. They met the complaint with skepticism.
The fact that the guy's email was blah.dropbox@blah.com meant it was a possibility that another site had been compromised and the email matched a keyword filter which allowed it to be easily guessed.
It's like passwords. MyPASSW0rDdropbox. If this is leaked it is fairly likely someone may try.. MyPASSW0rDfacebook.
They failed a bit further on. One obviously misread the thread and made a comment which isn't really acceptable.
Generally though it is the typical user forum thread. User repeatedly hammers the moderator with the same question. The user cannot elaborate. The moderator can only speculate due to lack of information. User doesn't find moderator answer acceptable, provides no further information and asks the same question.. both sides get annoyed.
It seems like the spam is to do with the data that Dropbox previously lost. An answer which a moderator actually provided.