For some time I had been receiving junk email, aka SPAM, at an inbox that I had setup solely for the use for interactions with [Large Global Software Company]. With various possibilities for why the email address was compromised, including Heart Bleed, I decided to change the address so I created a new address, logged in (over HTTPS) and manually typed in the new email address.
In less than three days I started junk email to the new email address. At this point there were three parties with access to that email address; me, the mail provider and [Large Global Software Company]. The mail provider is also a large global software company but as I have many email addresses there with over 90% never receiving a single instance of junk mail I have ruled them out at this point. And we can be certain that I have not handed out the email address in any way whatsoever (apart from as described above).
This post is to document the attitude of [Large Global Software Company].
I contacted [Large Global Software Company] with a security concern as, to my mind, they had a data breach and as a responsible customer I wanted the overall issue resolved. They opened an issue and asked for evidence then promptly closed the issue. The closing of the issue I assume was an error – we all make mistakes. Their request was reasonable so I provided the text of the email and a screenshot that they asked for. I was surprised that they didn’t ask for the mail headers but I thought that would come later.
They then called me and explicitly stated that they could not be the cause of the leaked data. They explained that everyone gets junk mail and to just block the sender (anyone who knows anything amount SPAM knows how ridiculous a suggestion this is, anyone else should ask someone who does – but in short the junk was coming from different email addresses). I explained that this was not a satisfactory solution and that it was too late for my email address but this is most likely an ongoing problem. Here I hit a brick wall. Their advice would not change and they refused to look into the matter further. I pleaded that I would assist them in any reasonable manner before finally threatening them with providing evidence and posting it publically in order that they took their responsibilities seriously. I have left it a bit of time so that they have had a chance to find and resolve the issue or even to reconsider and get back in touch with me.
It will be two weeks tomorrow so here goes. The following is a timeline of what has occurred and
13th May 2014 [Large Global Software Company] opens case based on website “Contact Us” from me promising that they “will get back to [me] within 2-3 business days”.
19th May 2014 [Large Global Software Company] requests a screenshot of 1st junk email then immediately close the case.
21st May 2014 Informed them of inappropriate case closure and uploaded screenshot and plain text of email.
23rd May 2014 [Large Global Software Company] confirm that the sender’s email address is not one of theirs and request the screenshot again. I respond highlighting that I had already uploaded the requested screenshot.
2nd June 2014 [Large Global Software Company] helpfully say that my email address has nothing to do with them, that there are a number of ways spammers can get email addresses and to just block the sender. I respond by insisting that their position is unjustified and challenge them to explain a single way that any spammers could have got this email address.
10th June 2014 I receive a telephone call from [Large Global Software Company] in which they refuse to provide a single explanation of how anyone could have got hold of this email address, refuse to do anything about it and refuse to accept that blocking the sender of every junk email I receive to this address will resolve nothing.
23rd June 2014 Two accounts setup with mail provider to see if they get any SPAM before use i.e. provide evidence of whether the mail provider in the clear.
1st July 2014 It has been more than a week and I have yet to receive any SPAM to either account. Next step is to change the email address at [Large Global Software Company] and see how long it is until I get SPAM. [Large Global Software Company] has marked my issue as Withdrawn and made adding comments or re-opening the case impossible. For the record, I never withrew my issue but I did accept that they could close it as they were prepared to do nothing.
2nd July 2014 I have just updated the email address and verified it at 11:43 BST. Now, bearing in mind the weekend is in the middle, how long until I get SPAM?
21st July 2014 I have not received SPAM to either email address. I can only conclude that [Large Global Software Company] suffered from a vulnerability like Heart Bleed bug and busily fixed it whilst denying all wrong doing. For me this is where it ends. I shall now change the email address to something else and delete the test email accounts. Whilst I am far from happy with the way I was treated by [Large Global Software Company], they shall remain anonymous as I have failed to prove anything.
1st August 2014 After thinking it was all over, yesterday I changed the email address once more at [Large Global Software Company] and this time changed the email address of the distribution group previously getting email at the email provider (as opposed to creating a new one). Within a few hours I was getting SPAM to the new email address. So today I have created a new email address for a new email distribution group and changed the email address of the distribution group getting SPAM. I shall change the email address at [Large Global Software Company] to the email address of the new distribution group. Which one will get SPAM? I am now wondering whether it is [Large Global Software Company] or the email provider.
6th August 2014 The cause is a simple one: when changing the email address of a distribution group the previous email address is kept as an alias. This is a very handy feature if you want to change email addresses but want to keep receiving emails to the previous email address for a transitionary period. This alias can be removed at any time. I posted to the email provider on Twitter on 1st, received back advice to post on their forum on 5th (2 business days later) then I posted on their forum today and received the solution 19 minutes later. Now that is good customer service; well done Microsoft!!! (I still feel that I received poor customer service from [Large Global Software Company] and will name them the next time they treat me, the customer, poorly as had they worked with me in the first place then I would not have taken so long to find the issue – after all they “gave away” one of my email addresses in the first place.