Modern Day "Magazine Subscription" issue

Lose Remerswaal

Experiencing Furry Panic
Lifetime Member
SoSH Member
I manage a shared mailbox at work. Logged in this AM expecting my usual 2-12 emails, but there are 1040, plus another 900 in Junk. Looks like the address (it's not published, but vendors have it) got a ton of subscriptions overnight.

I've notified IT, haven't heard back yet. Going thru the slog and unsubscribing and deleting, but is there any way to avoid this kind of thing happening?

Nothing weird about the subs, per se. Medical sites, food, ancestry, household products, psychics, etc.

Finding a bunch of international ones now, in other languages. Also a few charities and more than one Gun Lovers site.
 

Fisks Of Fury

Member
SoSH Member
Jul 16, 2005
1,545
Plaistow, NH
No guarantee that this applies in your situation, but I'd keep an eye out for "legitimate" emails while slogging through the rest. It's somewhat common practice that if you manage to compromise an account on another site which might be tied to a specific email address, to spam the @#$% out of that email address hoping that they won't notice what is really happening to that account in question.

For example, my wife's Walmart.com account login was compromised a few months ago, and the would-be thief ordered an XBox and controllers for pickup at a store in northern NH. But at the same time, he/she signed the associated email up via a spam/subscription aggregator so her email inbox was flooded with a bunch of garbage emails at the same time that the order notification email came through. Luckily she noticed, immediately changed her password, and reported the fraud to both Walmart and her credit card company.

(Side note, the CC company handled things fine, no charges ever actually hit her card and they sent out a replacement immediately... Walmart did nothing... so we altered the order to insist that it could only be picked up by someone showing ID with my name on it. Last I checked they had not successfully picked it up and eventually the order was cancelled)

She then needed to manually unsubscribe from a bunch of garbage sites, but has been able to weed out most of them by now.

As far as how to STOP that from happening... as far as I know, it would necessitate either a highly detailed set of "whitelist" rules for acceptable email sources at your mail server, or implementing a 3rd party spam detector platform. My employer uses "Proofpoint", and every few days I get a report with a list of a bunch of suspected spam emails for me to look at and make sure nothing important is getting filtered out... but the emails never make it to my inbox.
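The advice above, to watch for real account notices buried in a subscription flood, can be partly automated. This is an added example, not part of the original post: the sample messages are constructed, and the keyword list and bucket names are assumptions to tune for your own mailbox.

```python
import email
from email import policy

# Constructed sample flood: sign-up mail hiding two account notices.
SAMPLE_MESSAGES = [
    "From: news@recipes.example\nSubject: Welcome to Weekly Recipes\n"
    "List-Unsubscribe: <mailto:unsub@recipes.example>\n\nHi!\n",
    "From: orders@shop.example\nSubject: Your order is ready for pickup\n\nDetails\n",
    "From: info@ahnen.example\nSubject: Willkommen beim Newsletter\n"
    "Precedence: bulk\n\nHallo\n",
    "From: accounts@shop.example\nSubject: Your password was changed\n"
    "List-Unsubscribe: <https://shop.example/unsub>\n\nWas this you?\n",
    "From: rep@vendor.example\nSubject: Updated price list\n\nAttached.\n",
]

# Assumed keywords that suggest account activity rather than a newsletter.
ACCOUNT_WORDS = ("order", "password", "pickup", "payment", "sign-in",
                 "verification code", "cancel")


def is_bulk(msg):
    """List and newsletter mail normally announces itself in its headers."""
    if msg["List-Unsubscribe"] or msg["List-Id"]:
        return True
    precedence = str(msg["Precedence"] or "").strip().lower()
    return precedence in ("bulk", "list", "junk")


def triage(raw_messages):
    """Sort raw RFC 5322 messages into review_first / bulk / other."""
    buckets = {"review_first": [], "bulk": [], "other": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        sender = str(msg["From"] or "")
        # Keywords win over bulk headers: retailers often add an
        # unsubscribe header to security and order notices too.
        if any(word in subject.lower() for word in ACCOUNT_WORDS):
            key = "review_first"
        elif is_bulk(msg):
            key = "bulk"
        else:
            key = "other"
        buckets[key].append((sender, subject))
    return buckets


if __name__ == "__main__":
    for key, items in triage(SAMPLE_MESSAGES).items():
        print(key, len(items), items)
```

The matching deliberately over-flags: anything in `review_first` or `other` should be read by a person before the bulk pile is deleted.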
 

Lose Remerswaal

Good info, thanks! In theory, we have a good spam filter at work. I get very little to my personal work account and none to 2 other shared boxes, and historically the only "spam" to this account was mass mailings that truly were trying to sell me stuff.


I now know how to recognize "Unsubscribe" in German, French and Finnish. Can't figure it out in Portuguese or in a couple of non-latin character languages yet.

There was a Walmart order (and cancellation) in the first 100 that I've gone thru.
 

Papelbon's Poutine

Homeland Security
SoSH Member
Dec 4, 2005
19,615
Portsmouth, NH
Wait, what? The account captured her CC info but didn’t ask for an id for pickup? Something is off there. If you want to dig in anymore, PM me; my BiL is a regional for e-commerce with them, I can ask if he can find anything out. None of that should have happened, frankly it sounds like a bigger hack.
 

Fisks Of Fury

I was probably unclear...the CC was assigned to her WalMart account, so the purchase was made and theoretically charged to the card. But we caught it, cancelled it through the Wm.com page, and just to be safe called the CC company to notify them of the fraudulent charge. The charge never made it onto the card, but for some reason, WalMart never actually "cancelled" the order, and it still showed as being set to be picked up in store. We just changed it to set my name up as the pickup person instead of hers, thinking that it would be one more thing they'd have to work past to pick anything up if Walmart didn't do their job.

The only real seeming fuckup was that WM never actually cancelled the order. We knew we weren't getting charged for it, the CC took care of that, but despite cancelling it through the website, it never actually stopped the order process. So out of spite, we changed everything possible to make sure this guy couldn't get anything in case WM dropped the ball all the way.
 

Papelbon's Poutine

Right, but even if she saved it to her wallet, without the 3 digit to enter, they shouldn’t have been able to use it. Which is what made me think it might be bigger than Walmart, I didn’t know if he could dig into it, but if you’re content, all good.
 

Fisks Of Fury

Just walked through a purchase almost to the end, and as far as I can see, the Walmart.com site does NOT require the entry of the 3 digit code to use a previously stored credit card. So they didn't need to breach anything except the wm.com account to place the order.