Selling Your Email To Advertisers?

John Honovich
Mar 23, 2013
IPVM

In the security industry, it is quite common for publishers to re-sell emails on their list to third party advertisers. Indeed, it is a very lucrative business as each email run can cost advertisers thousands of dollars.

To be very clear, we have never done that nor would we ever do that.

Today, I received a very interesting email from a security trade magazine with a strange announcement. They have (or were) opting my email into being resold to third party advertisers but were providing a link to opt-out. All things considered, this is not too horrible considering most just silently resell without any notice.

I was curious about your experience with your email being resold / receiving advertisements from other companies you have not signed up for? Is this a problem or concern?

Christopher Freeman
Mar 23, 2013

Hi John

This is a really common problem built into the (Agreement Documents) we sign or authorize whenever we download whitepapers or advertisers' PDFs.

We really don't pay attention to the fine print.

Especially the new app markets downloads.

Who really reads all of the full disclosure documents when you ask for documents?

Undisclosed Integrator #1
Mar 23, 2013

I recently attended a manufacturer's partner conference and since being there have been bombarded with emails and phone calls from some of their partners. I never spoke to most of the companies that were set up in their "vendor area". It has got to the point where I just send them all to voicemail and just delete it. I wish there was the opt out option for phone calls.....

Christopher Freeman
Mar 23, 2013

Go online, Register for a download, I will almost promise by the next day you will get called and reached out to by the sales dept.

The newest Bait & Tackle schemes in our industry

John Honovich
Mar 23, 2013
IPVM

I can understand the 'register for a download', get called by a sales person the next day as long as it's from that same company. Now, it annoys me but I understand the risk of putting in my phone number. Of course, because of that I rarely put in my real phone just so I can avoid being stalked.

Undisclosed's example is even scarier to me. When a company gives a number to other companies, the risk really multiplies.

Marty Major
Mar 23, 2013
Teledyne FLIR

It's actually quite easy to find out what a particular entity does with your submitted e-mail address. Just use a unique gmail, yahoo or hotmail account for times when you must submit an email address to receive documents/downloads and keep a record (don't use the same address twice or the exercise is pointless). :( Anything you receive from 3rd parties is then indirectly coming from the original company that you submitted the email address to.

I have a yahoo account that I've had for like 10 years; I just add a number to the end of the address (creating a new email account (using same pw); takes like a minute) and add the new address (and what I used it for) to a list in a draft email that I've been saving in my original email account since I started this practice.

I only use my 'real' email address for communicating. I use fake ones for everything else. :)

Carl Lindgren
Mar 23, 2013

I just use email address filtering. Spam emails are automatically forwarded to "deleted items" after the first one.

John Honovich
Mar 23, 2013
IPVM

Carl, well that takes care of the problem after the first one but the problem still remains that there are lots of new spam/misuse?

One thing that may work is this:

The trick is to use a plus sign next to the @ sign in your gmail or googlemail address. Say, for example, your email address was myemail@gmail.com. You’ve set up your account on… let’s say Moodle… to use this email address. The next account you set up on Moodle insists that you provide a unique email address. No problem. Add a + sign within your email just after the name of the email account and put anything you wish after it. So you could use myemail+1@gmail.com or myemail+sue@gmail.com or myemail+asmanyvariationsasIwish@gmail.com. All these addresses will work and you’ll receive the email into your mailbox for myemail@gmail.com

This way you can now track how your email is being distributed because it will be unique to the service you signed up for (like myname+bobco@gmail.com). This would be more convenient than the approach Marty described above.

Ethan Ace
Mar 23, 2013

The plus sign trick is handy, but a lot of sites won't allow addresses with plus signs in them. I've gotten it rejected more often than it works.

What usually does work is that you can put periods anywhere in your gmail username you want. So I can use ethan.ace, e.thanace, e.than.ace, e.t.h.a.n.a.c.e, or anything else I want.

John Honovich
Mar 23, 2013
IPVM

Ethan, interesting. I know we allow addresses with + signs. I don't know why sites would reject them. You can just as easily strip it out and save.

The problem with inserting periods is that it's harder to figure out what company you submitted to, if it eventually gets passed and you get spammed.

Carl Lindgren
Mar 23, 2013

Thanks, but that doesn't help me much. My business cards have my work email address and our IT department won't let me change that.

John Honovich
Mar 23, 2013
IPVM

You actually deal with people in the real world? :)

I suspect most of the spam / email reselling comes from online submissions but for real life interactions, that's a limitation.

Carl Lindgren
Mar 23, 2013

ISC is known for that. Every year, we get contacted not only by manufacturers whose booths we visited and left our contact info, but by others. I assume there is a way to "opt out" buried in the registration form, but I've never seen it.

I do often give a fake email address when accessing certain noncritical info but the vast majority of contacts are with companies who I want to respond back. Just them, though; not everyone and their brothers.

LinkedIn is also notorious for this. I've received emails from Chinese manufacturers who are not in my contacts list. How they get my address is beyond me, especially since I don't use my work email address in my profile.

John Honovich
Mar 23, 2013
IPVM

"Every year, we get contacted not only by manufacturers whose booths we visited and left our contact info, but by others."

That's because many share / trade leads.

I never allow my badge to be scanned for just that reason. It inevitably results in bombardments.

Marty Major
Mar 23, 2013
Teledyne FLIR

I have another, more elegant workaround too.... but you have to own your own domain on godaddy (and maybe other hosting companies have this as well).

I own the martymajor.com domain and my admin email address is marty@....

Godaddy allows you to set up your main email address as a 'catch-all'.... meaning if you send email to XXXX@martymajor.com, where XXXX can be anything you want, it comes to my main address - and I can see the 'send to' in the header to tell where it came from (by keeping a record of the different 'XXXX' that I use to submit online).

I can even use descriptive XXXX such as the name of the site I'm submitting the address to (like netflix@martymajor.com, sdnmagazine@martymajor.com, etc.)
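
Added example, not part of any post in this thread: a small Python audit that reads the recipient address of a received message, recovers the per-site tag (plus-sign or catch-all style, as described above) and flags mail whose sender is not the organisation the alias was given to. The registry, the catch-all domain `mydomain.example` and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: alias tag -> domain of the organisation it was given to.
REGISTRY = {"bobco": "bobco.example", "sdnmagazine": "sdnmagazine.example"}
CATCH_ALL_DOMAINS = {"mydomain.example"}  # hypothetical personal catch-all domain

def alias_tag(address):
    """Return the sign-up tag carried by a recipient address, or None."""
    local, _, domain = address.lower().rpartition("@")
    if domain in CATCH_ALL_DOMAINS:      # catch-all: the whole local part is the tag
        return local
    if "+" in local:                     # plus addressing: tag follows the first '+'
        return local.split("+", 1)[1]
    return None

def audit(raw_message):
    """Classify one message as (verdict, tag, sender_domain)."""
    msg = message_from_string(raw_message)
    # Delivered-To (added by many receiving mail systems) names the actual
    # mailbox; fall back to To when it is absent.
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1]
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tag = alias_tag(rcpt)
    if tag is None:
        return ("untagged", None, sender_domain)
    owner = REGISTRY.get(tag)
    if owner is None:
        return ("unknown-alias", tag, sender_domain)
    if sender_domain == owner or sender_domain.endswith("." + owner):
        return ("expected", tag, sender_domain)
    return ("shared", tag, sender_domain)   # alias reached a different sender

# Constructed sample messages (only the headers matter here).
SAMPLES = [
    "From: News <news@mail.bobco.example>\nTo: myemail+bobco@gmail.com\nSubject: Update\n\nhi",
    "From: sales@cameravendor.example\nDelivered-To: sdnmagazine@mydomain.example\n"
    "To: undisclosed-recipients:;\nSubject: Special offer\n\nhi",
    "From: friend@example.org\nTo: myemail@gmail.com\nSubject: Lunch\n\nhi",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit(raw))
```

A "shared" verdict is a lead to check rather than proof: the From header can be forged, and some companies send their own mail through a bulk-mail provider's domain.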

Carl Lindgren
Mar 23, 2013

Marty,

Good idea! I wonder if carllindgren.com is available...

Nope, taken: Carl Lindgren - not me.

I will have to check other suffixes: .info?, .nom?, .xxx?

Marty Major
Mar 23, 2013
Teledyne FLIR

casinosurveillanceguru.com is available

Carl Lindgren
Mar 23, 2013

I refuse to use the term "guru". It is such an "in" joke... ;^)

Jeremiah Boughton
Mar 25, 2013

Who registers for ASIS or ISC West with their email address? I learned my lesson years ago. Now a receptionist uses her email to register me :)
