Warning - Click On An Ad In An SSN Email, Your Entire Contact Info Sent To Advertiser

JH
John Honovich
Mar 02, 2014
IPVM

Did you know that?

Those trade magazine emails you get? When you click on an ad, not only does it record that you did it, it triggers your complete contact information, including email, name, company and job title to be sent to the advertiser. More than you were likely expecting?

Indeed, SSN promotes this as lead generation:

I am quite sure SSN is not alone. Multiple manufacturers have told me that this occurs with other trade magazines, though this is the first time I found confirmation directly from the magazine itself.

This is not something that any mainstream website, like Google, Facebook, Twitter or LinkedIn does.

But the next time you cannot figure out why you are being emailed by some random manufacturer, now you know.

U
Undisclosed #1
Mar 02, 2014

You should post a tutorial on building "disposable" email addresses. You can do this with gmail and other providers. Don't just use your regular business email for everything you sign up for, use a custom one so you can track where those surprise emails come from.

And remember, if you're getting something for free, you're not the customer, you're the product.

JH
John Honovich
Mar 02, 2014
IPVM

I believe the + option provides this:

"Imagine you signup for a service like Twitter, but want to filter out any Twitter-related e-mails automatically. If your e-mail address was joe.smith@gmail.com, you would signup for Twitter using joe.smith+twitter@gmail.com, and any e-mails you received from Twitter would be delivered to your inbox, but would be marked as being sent to joe.smith+twitter@gmail.com."

Btw, I checked how many people do this (+ inside email) on our list, just 12 out of 35,000.

I think it's a very good idea. Even for me, I need to get into the habit of using it. The amount of extra work is trivial and the benefit is clear.

RW
Rukmini Wilson
Mar 02, 2014

Has the Junk mail community given you their private assurance that they won't simply remove the "+" tail string? ;)

Tired of unscrupulous bulk-emailers?

Talk back with S.A.S.S. - Slammers against Spammers... and get the Junk out of the Trunk!

JH
John Honovich
Mar 02, 2014
IPVM

For sure, that's a risk and this is at best a 'security through obscurity' approach. If it becomes prevalent enough, it's not too hard to manually remove, write a 3 line script or have some third party tool strip them for you.

HL
Horace Lasell
Mar 03, 2014

"And remember, if you're getting something for free, you're not the customer, you're the product."

(UPVOTE).

PS
Philip Schaadt
Mar 02, 2014

I use Ghostery to give me granular control over what trackers are blocked per site.

More work but there are some sites that have useful info and are very bad actors.

Phil Schaadt

JH
John Honovich
Mar 02, 2014
IPVM

Phil, very neat tool. I just tried it out.

I don't think it deals with email address misuse, but it's eye opening for how websites are tracking your activities and what third parties they are using. I am trying it out for a bunch of manufacturers.

Btw, for others, here's Ghostery's 2 minute intro video:

Marty Major
Mar 03, 2014
Teledyne FLIR

Some of the huge hosting sites (like GoDaddy, which I use) allow for 'catch-all' email addressing. This means that emails sent to literally anything@'mydomain'.com reaches me at my main account.

Using this functionality, I don't need multiple addresses - but I still get the same benefit mentioned above of being able to track where anyone sending me unsolicited junk got my pertinents and such.
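
The tagging idea from the comments above ("+" suffixes and catch-all addresses), as an added example that is not part of the original posts: it reads the recipient address of a received message, recovers the sign-up tag, and flags mail whose sender does not match the service the tag was given to. The domain `mydomain.example`, the tag `tradenews` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a domain you own with catch-all delivery enabled.
CATCH_ALL_DOMAINS = {"mydomain.example"}

def signup_tag(address):
    """Return the tag identifying where this address was handed out, or None."""
    local, _, domain = address.lower().rpartition("@")
    if domain in CATCH_ALL_DOMAINS:
        # Catch-all: the whole local part is the tag, so a sender cannot
        # strip it and still reach you.
        return local
    if "+" in local:
        # Plus-addressing: a sender can cut this tail off, as noted in the thread.
        return local.split("+", 1)[1]
    return None

def attribute(raw_message):
    """Match the tag on the recipient address against the sender's domain."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _name, addr in getaddresses(headers):
        tag = signup_tag(addr)
        if tag:
            # Heuristic: the tag should appear as a label of the sender's domain.
            shared = tag not in sender_domain.split(".")
            return {"tag": tag, "sender": sender_domain, "shared": shared}
    return None  # untagged address: the source cannot be attributed

# Constructed sample messages.
FROM_SERVICE = ("From: Newsletter <news@tradenews.example>\n"
                "To: joe.smith+tradenews@gmail.com\nSubject: Weekly\n\nHello")
FROM_THIRD_PARTY = ("From: Sales <sales@camvendor.example>\n"
                    "To: tradenews@mydomain.example\nSubject: Offer\n\nHello")
UNTAGGED = ("From: Sales <sales@camvendor.example>\n"
            "To: joe.smith@gmail.com\nSubject: Offer\n\nHello")

if __name__ == "__main__":
    for sample in (FROM_SERVICE, FROM_THIRD_PARTY, UNTAGGED):
        print(attribute(sample))
```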

JA
J. A. 'Cal' Calcaterra
Mar 03, 2014

SSN? Like the graphic notice that when allowed has no graphic. Similar to this email???

Ghostery? Hadn't heard of it. Til now. Did a search |Ghostery review| (my normal search |item plus review| then problem, then fix if the first warrants them) Scanning through was a mention of NoScript as similar. Which I've been using for a long while. That and Ad Block plus. More searches and then |NoScript vs Ghostery|. Bottom line for me, Like a lot of tools, adding another may help or may hinder. I feel comfortable with what I have. So I'm not ready to trial and change.

From ghostery reviews:

https://purplebox.ghostery.com/post/1016023994

http://en.wikipedia.org/wiki/Ghostery

http://blog.privacychoice.org/2010/03/04/credibility-gap-what-does-ghostery-really-see/

Ohh Noo. Who bought whom when?

http://blog.privacychoice.org/2013/05/21/privacychoice-avg/ <----- AVG???

Don't use 're'active anti virus software. Way too much overhead. I have an arsenal of tools if I suspect any problems.

Email Spam solutions: Multiple email addies, while a pain sometimes, helps manage Spam. That and the ISP spam blocker that comes with. Currently? Search |roaring penguin|

Else most I see in traps 'appears' to be 'Russian'. Literally!

No luck searching parts or all of this:

"Talk back with S.A.S.S. - Slammers against Spammers... and get the Junk out of the Trunk!" Something more definitive?

...Cal

JH
Jim Hall
Mar 03, 2014

No luck searching parts or all of this:
"Talk back with S.A.S.S. - Slammers against Spammers... and get the Junk out of the Trunk!"

Somethin' tells me we been hoodwinked on this one Cal! Taking a gander at it now that you called b.s. on it, I reckon it be some kinda highbrow humor or what some might call satirical parody. I'm no expert but I'll take a crack at it:

That 'S.A.S.S' part is whippin' up on an organization like M.A.D.D., Mothers Against Drunk Drivers, and at the same time suggesting 'Sassy' so that the 'Talk back with' has a specious purpose and doesn't seem contrived 'post-hoc' or whatever they call it.

Imma figurin' the second part just kinda expands the acronym to reveal some sorta dyadic alliteration, and the last part is anybody's guess, and mine would be that it looks like a risque double entendre (pardon my french) crossed with an inside trade joke, all encased in a couplet of rhyming pentameter to boot!

Not bad I suppose but not Benny Hill either now is it?

HL
Horace Lasell
Mar 04, 2014

Totally upvote the Jim Hall folksy erudition

JH
Jim Hall
Mar 05, 2014

Thank you kindly sir, I often been called a Luddite but never an Erudite 'fore...

RW
Rukmini Wilson
Mar 03, 2014

...Cal, "Slammers against Spammers" as has been alluded to, should be viewed as a farcical romp, as even in this day and age, it is unlikely for the collective ire of 'those who would slam' to rise to the level necessary to actually organize a coalition to oppose 'those who would spam'.

Moreover, even granting suitable motivation were extant, it is unclear why such a movement would organize along the lines of an otherwise uncorrelated subgroup, as the notable and telling absence of groups like WACC - Wrestlers Against Climate Change suggests...

JA
J. A. 'Cal' Calcaterra
Mar 03, 2014

What? No one had this happen: "SSN? Like the graphic notice that when allowed has no graphic. Similar to this email???" Seems that is directly related to the original question. Or my 'settings' was the cause. But then, that was the first I had ever seen it??? As to the: "Talk back with S.A.S.S. - Slammers against Spammers... " All I could do was ask. Thanks for the confirm of 'Not in this world'. :-)

KL
Keefe Lovgren
Mar 06, 2014
IPVMU Certified

John, are you following a link to the ssn newswire from your inbox or logged in as a member when browsing ssn for that to happen? Curious as to how they are obtaining your email.

JH
John Honovich
Mar 06, 2014
IPVM

Keefe,

This occurs when SSN sends an email to you / people. Each email is uniquely tagged with the person's email / database ID. When you click on a link in the email, it is routed through the email provider first, who logs that you clicked on the link and then redirects you to the requested piece of content.

That is how pretty much every email provider works. The extra element for SSN is that this information is routed to the advertiser. Does this make sense?

You don't need to be logged in at all. Just click any link in an email they send you and it's automatically done.

KL
Keefe Lovgren
Mar 06, 2014
IPVMU Certified

John,

That is what I figured was being done. All the more reason to not follow links out of the inbox I guess.

RW
Rukmini Wilson
Mar 06, 2014

One has to wonder whether this is just the tip of the iceberg though, since any company with the ethics to provide an advertiser detailed contact info surely would not flinch at simply selling the entire database or any demographic slice of it!

Why wait for the click? Maybe they would hold off a while till they decide you are a 'deadbeat lead' but unless there is some privacy law requiring a click before information transfer, I'd say you've been bought and sold when you first hit submit on registration...

JH
John Honovich
Mar 06, 2014
IPVM

Selling / renting email lists is common practice among trade magazines. They are way ahead of you, Rukmini!

Jon Dillabaugh
Mar 06, 2014
Pro Focus LLC

Easy fix is to not enter this info into your mail client, or even easier, copy the link, then just paste that link into a browser.

JH
John Honovich
Mar 06, 2014
IPVM

Even if you copy and paste the link into your browser, that link still includes your personal tracking ID. You'd need to first copy it into a text editor and only select the portion of the link they are ultimately redirecting you to.
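
The manual step described above, as an added example that is not part of the original post: it parses a click-tracking link without requesting it and pulls out the destination when the link carries one, returning the remaining parameters (the likely per-recipient identifiers) separately. The host `click.tracker.example`, the parameter names and the sample links are constructed assumptions; when a link holds only an opaque token, the destination is known to the tracker alone and nothing can be recovered offline.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _find_url(text):
    """Peel up to three layers of percent-encoding and return the first URL seen."""
    for _ in range(4):
        match = _URL_RE.search(text)
        if match:
            return match.group(0)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return None

def unwrap(link):
    """Return (destination, leftover_params) for a tracking link; nothing is fetched.

    destination is None when the link carries only an opaque token.
    """
    parts = urlsplit(link)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes values once
    # Case 1: the destination is the value of one query parameter.
    for name, value in params:
        dest = _find_url(value)
        if dest:
            return dest, {k: v for k, v in params if k != name}
    # Case 2: the destination is appended to the path.
    dest = _find_url(parts.path)
    return dest, dict(params)

# Constructed sample links.
QUERY_LINK = ("https://click.tracker.example/r?uid=48213"
              "&url=https%3A%2F%2Fvendor.example%2Fproduct%3Fsrc%3Dnewsletter")
PATH_LINK = "https://click.tracker.example/c/48213/https%3A%2F%2Fvendor.example%2Fproduct"
OPAQUE_LINK = "https://click.tracker.example/c/9f3a7c21"

if __name__ == "__main__":
    for sample in (QUERY_LINK, PATH_LINK, OPAQUE_LINK):
        print(unwrap(sample))
```

The recovered destination can still carry its own identifying parameters, so check its query string before opening it.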

RW
Rukmini Wilson
Mar 06, 2014

Easy fix is to not enter this info into your mail client...

That might work but how do you get any mail without an email address?

Jon Dillabaugh
Mar 07, 2014
Pro Focus LLC

John, if the link contains all of the data prior to you clicking the link, then they ALREADY have your data and could already share it. How is clicking it going to further add more data?

JH
John Honovich
Mar 07, 2014
IPVM

Their terms are that they only share it if you click on it. In other words, if you do not click on an ad's tracking link, the point is that they won't share it.

Jon Dillabaugh
Mar 07, 2014
Pro Focus LLC

John, I'm unaware what/who SSN is, so this might be funny or not. Do they use pics of muscle freaks or hot chicks to lure your clicks?

Jon Dillabaugh
Mar 07, 2014
Pro Focus LLC

Rukmini, if the click through is gathering your info other than the email address, which is evident that it has it, then not offering that data is my offering.

But, that isn't the case, as John pointed out more recently. They ALREADY have all of your info. The click doesn't GATHER data, which is what I thought the OP meant. It is actually already known what your info is, but that by clicking the link, you are giving permission for the sender to now share your info with their partners.

I guess I don't see the big deal.
