Oh dear. Hot on the heels of the play.com data hiccup, I find myself on the receiving end of spam from an address I’ve only ever used at amazon.co.uk. To avoid the likelihood of a dictionary attack guessing a forwarding address, I often use the format <website-fqdn><yyyymmdd><code>@domain, which is approximately what I use at Amazon. Nevertheless, I recently received this delightful scam email at my Amazon alias, apparently from an IP range in the Ukraine:
Date: Thu, 5 May 2011 16:xx:xx +0000 [ 5 May 2011 05:xxPM BST]
From: leanne spencer <email@example.com>
To: [my-amazon-alias]@[mydomain]
Subject: Jon
Internationally located organization searching for employe in the UK for representation job with part-time and full-time schedule options.
Relocation is not required, you will operate from her city. Medical and travel fees are repaid.
Must be motivated organized person, 18+ age. Salary from 3000 GBP + commission earned.
This capacity is ideally suit to an individual with demonstrated experience through purchaser service, supply chain & logistics within a production environment where quality is high.
Simply respond to this email to find a full job description. Feel free to send your Resume for a confidential discussion. They are looking forward to discuss the job occasion with you.
£3K – is that per month or per week? 🙂
Anyway, I’ve sent a few messages to Amazon, and they’ve:
- Reassured me that Amazon is safe to use
- Asked me to send the item of spam in for analysis
- Sent me information on phishing and internet security, in case I’m a techno-numpty
- Escalated the problem to another team, who said much the same thing
They’ve not yet, however, explained how an impossible-to-guess email alias has ended up on a spammer’s database.
Interestingly, the play.com debacle was easy to prove, since a flood of complaints appeared on the internet – it would have been daft of them to deny it. However, I can only find one other instance of the above connected to Amazon, which isn’t particularly persuasive even if I’m certain of my case. In any case, Amazon would need a good handful of examples in order to narrow down their various third party suppliers and affiliate sellers who had access to all affected customer records.
So, for the time being, this post is search engine bait. If you’ve received spam to an address that only Amazon should have known about, post in the comments. Meanwhile I’ll keep the alias open to pick up any more spam, but for now it seems to have been a one-off.
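The alias format described at the top of this post can be made checkable, so that a hit on an alias points at exactly one site and a guessed address is not mistaken for a leak. The following is an added example, not the author's own setup: it assumes the `<code>` part is a truncated HMAC-SHA256 over the site name and date, and `SECRET_KEY`, `example.org`, `make_alias` and `attribute` are hypothetical names.

```python
import hashlib
import hmac
from datetime import date

# Assumption: <code> is a truncated HMAC over site and date. The post does not
# say how its code is chosen; any unguessable value serves the same purpose.
SECRET_KEY = b"constructed-demo-key"   # placeholder, keep the real one private
DOMAIN = "example.org"                 # placeholder for the owner's mail domain
DATE_LEN, CODE_LEN = 8, 8              # yyyymmdd, then 8 hex chars (32 bits)


def _code(site: str, day: str) -> str:
    mac = hmac.new(SECRET_KEY, f"{site}|{day}".encode(), hashlib.sha256)
    return mac.hexdigest()[:CODE_LEN]


def make_alias(site: str, created: date) -> str:
    """Build <website-fqdn><yyyymmdd><code>@domain for one site."""
    site, day = site.lower(), created.strftime("%Y%m%d")
    return f"{site}{day}{_code(site, day)}@{DOMAIN}"


def attribute(recipient: str):
    """Return (site, yyyymmdd) for an alias we issued, else None."""
    local, _, domain = recipient.lower().partition("@")
    tail = DATE_LEN + CODE_LEN
    if domain != DOMAIN or len(local) <= tail:
        return None
    site, day, code = local[:-tail], local[-tail:-CODE_LEN], local[-CODE_LEN:]
    if not (day.isascii() and day.isdigit()):
        return None
    # Constant-time compare; a mismatch means the address was guessed or
    # mistyped, so it is not evidence that the site's records leaked.
    if not hmac.compare_digest(code.encode(), _code(site, day).encode()):
        return None
    return site, day


if __name__ == "__main__":
    issued = make_alias("amazon.co.uk", date(2009, 3, 14))  # constructed sample
    for rcpt in (issued, "amazon.co.uk20090314deadbeef@" + DOMAIN, "amazon@" + DOMAIN):
        print(rcpt, "->", attribute(rcpt))
```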
Update 10 May
I’ve given up with Amazon. Even though there’s another instance of the same item of spam, involving an Amazon-only email address, and within the same time-frame, they’re nevertheless certain that they “have had no leaks within our system”. With an infrastructure as large as theirs, I am not convinced that it is possible to be sure of that. Still, one can take heart from the helpfulness of their customer service reps: their latest message contained the suggestion that I call the police “to report the crime”! 😀