[plagueboy]

Quote:

Originally Posted by Pokerchiplounge

I don't no how his information was compromised. We certainly don't sell it or give it away. And then there is the question of was it really compromised or do we have someone with a lot of time on his hands looking to cause trouble? I guess you can read through the posts from this thread and make a determination on that.

This will be our last post on this issue. I'd like to say though before leaving we address all customers concerns, as we did the plagueboy and we do not sell email address. All customer contact and payment information is kept offline on our end so it's protected from any security breach.

It's obvious that you don't keep the information "on your end", and you did give it away (on purpose or not) or sell it. Unless you're admitting to sending the spam yourself? I guess that your sending the spam is one possibility. Another possibility is that after I posted a negative review of your customer service, you subscribed the email address that I provided you to some spam mailing lists.

I guess I'll never know as you couldn't care less, but I'm glad that everyone that reads this post will know that "buyer beware" applies to your business due to your lack of concern over information security.

[dad604]

Let put this issue to rest. He did get his money back. Maybe his original chips was the countfeit.

As to the email addr issue, it could have been harvested. I am aware of the PSO problem. I never got the spam on my hotmail account but all my friend with Yahoo email had the spam. There is more than one way from selling email address for email to get into the hands of spammer.

[Wedge Rock]

Quote:

Originally Posted by Pokerchiplounge

I don't no how his information was compromised. We certainly don't sell it or give it away. And then there is the question of was it really compromised or do we have someone with a lot of time on his hands looking to cause trouble? I guess you can read through the posts from this thread and make a determination on that.

Accusing a customer of making trouble while you are supposedly protecting his information doesn't really address the concern for how he got spammed...

I guess the problem is, dad604, that there seems to be no concern for how the breach occurred (especially since it will be the last post to address the topic). That's what's disappointing.

I don't use unique email addresses when I buy online, so I guess I will stay clear of this vendor.

[palmimports]

Quote:

Originally Posted by Wedge Rock

Accusing a customer of making trouble while you are supposedly protecting his information doesn't really address the concern for how he got spammed...

I guess the problem is, dad604, that there seems to be no concern for how the breach occurred (especially since it will be the last post to address the topic). That's what's disappointing.

I don't use unique email addresses when I buy online, so I guess I will stay clear of this vendor.

Im no rocket scientist with this stuff- and rather then continue to harbor ill feelings towards another CT member and in the hopes of understanding more about this spam thing...

Lets assume the email used to order the chips was unique for pokerchiplounge- or lets say palmimports...

and lets say this unique email used to order widgets from palmimports gets onto a spam server and our customer gets spam...

is it possible our customer's site was compromised rather then OUR site-- and ANY emails used for orders- to palmimports using this unique email- and other unique email addresses--from our customers site/location was the source of compromise rather then our site or pokerchiplounges's site...?

Maybe I can learn something out of all of this..

so-- rather then continue a thread on it's initial merits- or shortcomings.. perhaps someone well versed in this field can comment so perhaps this does not happen to our accounts/emails/etc.


WHat say the techno gurus on CT..

[Wedge Rock]

I think that is what Plague Boy was looking for... I think he used an email address for the first and only time with PokerChipLounge (thus, a "unique" email address) and then he got spam at that email.

Was PCL's security breached? Was his ISP's security breached? Was it somewhere in between?

I think Plague Boy was looking for reassurances that it wasn't a breach of PCL's security. That was the point that was never really addressed, except in conclusory fashion.

[kmalsom]

It's possible either side was compromised.

If someone got ahold of a maillog file from either the sending machine, the receiving machine, or any relay in between, the addresses are all there.

There are also exploits that can harvest email address from servers on either end.

Some servers automatically make any email address on thier domain a user on the machine, which opens a whole extra series of exploits on that end.

Most email clients (outlook, thunderbird, etc,..) save the address of any emails that have been sent or recieved and these can (and have been) exploited by worms and other means.

The database on the serverside may or may not save email addresses (depending on the server setup).

The possibilities are almost endless and most people don't run their own servers, especially smaller companies; so it's impossible to say what the ISP may or may not do. The only thing one can do in that case is get in touch with the ISP and inform them that their server might have been compromised.

Look at all the information leaks that have taken place on the internet. Government sites are cracked daily. Any machine connected to the internet is at risk. Period. It even looks like Netteller may have been cracked today by some of the posts going around.

[JM]

It could also be that they drop ship your orders from 5star who then sends you a confirmation email with the tracking info. They could then sell your address.

[kmalsom]

Quote:

Originally Posted by JM

It could also be that they drop ship your orders from 5star who then sends you a confirmation email with the tracking info. They could then sell your address.

Good point, could be them, or any other dropshipper. I've wondered about some of the payment gateway's as well.

[plagueboy]

People always use the myth/scape goat that the information was sniffed somewhere between the sender's email server and mine. This is an unlikely scenario.

As far as SMTP relaying, most outgoing email only passes through the sender's outgong email server which delivers the email directly (direct TCP connection) to the recipient's email server. However, if it did go through additional SMTP relays, one should be concerned if one's configuration is routing email through an SMTP relay that has been compromised or is just run by someone that you don't trust.

As far as sniffing the direct TCP connection between the outgoing email server and the recipient's email server, one can't simply put a sniffer on one of the Internet's backbone routers. Any sniffing is likely occuring on the sender's network or the recipient's network, before it reaches the Internet backbone. You should be concerned if someone is running a sniffer on your outgoing email server's network.

People are always concerned about having that "lock" symbol, the one that indicates they're using SSL encryption so that their personal information can't be "sniffed". Most information security problems occur because of poor security when the information is stored or retransmitted.

As far as this merchant is concerned, they use a third party managed web/email host, a third party managed shopping cart, and shared my email address with UPS. Additionaly, they have at least one workstation that had my information on it. Definitely a lot of links in the information security chain.

[palmimports]

Quote:

Originally Posted by JM

It could also be that they drop ship your orders from 5star who then sends you a confirmation email with the tracking info. They could then sell your address.

hmmm never even thought of that one--