I have received a couple of emails and one post to this site from someone at Acunetix on this matter.
Although he denies that the company or its employees send spam or sell email addresses to spammers, the question still remains as to how the email address uniquely used on their site received spam.
It certainly wasn’t as the result of a brute force scan for guessable email addresses, as my mail server responds the same to both valid and invalid addresses, and there were no server logs indicating attempts to send spams to other common names.
It is unlikely that Acunetix monitor the actions of their staff 24/7, so there is still a chance a rogue employee sold/leaked email addresses without the company as a whole knowing; similarly, there is always the chance of one or more of their servers, or those of their ISP, being compromised.
So, I ask other people who have signed up to acunetix.com some time ago if they have started receiving spam on the address they used.
Many people use unique email addresses for such signups, but often put the company name in the address (as I often do too); however, an unscrupulous company would likely filter these. Indeed, I have never received spam through a company where I put their sitename in the signup address.
A few days ago I posted about how a unique email address I created for signing up to acunetix.com started to receive a large volume of spam. As I wrote that article, I also mailed the company to complain, also cc:ing their upstream provider.
I looked through the original mail from Acunetix, and it came from the IP address 18.104.22.168, which appears to be a cable provider in Malta. I then looked through my web logs, and lo and behold:
22.214.171.124 - - [27/Jul/2007:11:16:27 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:126.96.36.199) Gecko/20070713 Firefox/188.8.131.52"
184.108.40.206 - - [27/Jul/2007:15:13:51 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:220.127.116.11) Gecko/20070713 Firefox/18.104.22.168"
22.214.171.124 - - [27/Jul/2007:15:16:00 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:126.96.36.199) Gecko/20070713 Firefox/188.8.131.52"
184.108.40.206 - - [27/Jul/2007:15:42:51 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:220.127.116.11) Gecko/20070713 Firefox/18.104.22.168"
22.214.171.124 - - [27/Jul/2007:15:43:00 +0100] "GET /wordpress/2007/07/ HTTP/1.1" 200 7811 "http://www.ev4.org/wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:126.96.36.199) Gecko/20070713 Firefox/188.8.131.52"
So interesting… They have viewed my site using several different computers; my guess is several employees of the company. However, they have not replied to my mail… They haven't yet tried to deny selling their customers' email addresses. It does look very much like they're trying to lie low having been caught out.
A few months ago I signed up to download a piece of software from www.acunetix.com. Apparently they provide software for testing the security of web sites. Of course I created a unique address for the sole purpose of this signup.
I got the software, had a play with it, and received a couple of follow-up marketing mails from Acunetix, then heard nothing for several months. All fine so far, I thought.
Until recently, when I started receiving spam to this address, which was uniquely created for Acunetix. I got the typical spams: fake Rolex watches, cheap software (probably pirated), and various types of medications.
And these were only the spams that reached the second stage of my spam filter; spam which goes over a certain score or comes from a blacklisted address doesn't even reach this stage, which provides an interface for me to weed out false positives.
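A script for the log correlation described above, added here as an example and not taken from the original post: it parses combined-format access log lines and lists the requests whose client address falls in the same network block as the IP the marketing mail was sent from. The log lines are constructed, 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, and treating a whole /24 as one organisation is an assumption of the example.

```python
import ipaddress
import re
from datetime import datetime

# Apache "combined" log format, the layout of the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not the original logs. 192.0.2.0/24 plays the
# part of the network the marketing mail was sent from; 198.51.100.9 is an
# unrelated visitor.
SAMPLE_LOG = """\
192.0.2.17 - - [27/Jul/2007:11:16:27 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows NT 6.0) Firefox/2.0"
198.51.100.9 - - [27/Jul/2007:12:01:02 +0100] "GET /wordpress/ HTTP/1.1" 200 7811 "-" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
192.0.2.44 - - [27/Jul/2007:15:13:51 +0100] "GET /wordpress/2007/07/27/acunetixcom-sells-your-mail-address-to-spammers/ HTTP/1.1" 200 2605 "-" "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0"
"""

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def hits_from_network(log_text, sender_ip, prefix_len=24, path_filter=None):
    """Return (time, ip, path, user-agent) for requests whose client IP lies in
    the same /prefix_len block as sender_ip. Treating a /24 as one organisation
    is an assumption of this example; shared ISP ranges can mislead."""
    net = ipaddress.ip_network(f"{sender_ip}/{prefix_len}", strict=False)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["ip"]) not in net:
            continue
        path = rec["req"].split(" ")[1] if " " in rec["req"] else rec["req"]
        if path_filter and path_filter not in path:
            continue
        hits.append((rec["when"], rec["ip"], path, rec["ua"]))
    return sorted(hits)

if __name__ == "__main__":
    for when, ip, path, ua in hits_from_network(SAMPLE_LOG, "192.0.2.200"):
        print(when.isoformat(), ip, path, ua)
```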
I have received a total of 431 spams to this address within the past week.
To combat the problem of websites that need an email address for signup, and all the junk mail they send, I came up with an approach designed to let me minimise that problem.
Basically, I create a new email domain and account for each site I sign up for; for instance, if I were to sign up to my own site I would create an address like:
This address is unique to the site in question, so that if they continue to send me unwanted emails I can simply remove the account and the mails are gone.
Doing this, however, resulted in me making an interesting discovery: not only did a lot of companies send me large amounts of marketing material on a regular basis, but some actually sold or leaked my details to spammers!
Yes, that's right: single-use email accounts which were only ever used to sign up to a single website were now receiving bucketloads of the typical viagra, penis enlargement, fake Rolex and all the other garbage spams that float around the internet on a daily basis.
So this category here is to name and shame these companies, in the hope that the information will dissuade people from signing up to such unethical companies, and hopefully in the long run to discourage these companies from such behaviour.
Today I had a listing cancelled on eBay, for:
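One way to implement the per-site address scheme described above, added here as an example rather than the author's own setup: the local part is derived from an HMAC of the site name, so the address neither contains the company name (which a company could filter for) nor follows a guessable pattern, yet the mailbox owner can map any recipient address back to the site it was given to and flag the sites whose address later receives mail from elsewhere. The secret, the domain and the site names are constructed placeholders.

```python
import hashlib
import hmac

# Constructed values for this example: keep the real secret out of the script.
SECRET = b"replace-me-with-a-long-random-secret"
DOMAIN = "example.org"   # placeholder for the domain the addresses live on

def signup_address(site, secret=SECRET, domain=DOMAIN, tag_len=12):
    """Derive the address to hand to `site`. The local part is a truncated
    HMAC of the site name, so it neither contains the company name (which a
    company could filter for) nor can be guessed by a dictionary scan."""
    tag = hmac.new(secret, site.lower().encode(), hashlib.sha256).hexdigest()
    return f"{tag[:tag_len]}@{domain}"

def build_registry(sites, **kw):
    """Map each issued address back to the (lower-cased) site it was issued to."""
    return {signup_address(s, **kw): s.lower() for s in sites}

def leaked_sites(registry, received):
    """received: (recipient, sender_domain) pairs for mail that arrived.
    Report issued addresses that got mail from a domain other than the site
    they were issued to; that site, or its provider, is the likely leak."""
    suspects = {}
    for rcpt, sender_domain in received:
        site = registry.get(rcpt.lower())
        if site is None:
            continue  # not an address we issued: guessed or misdirected
        sd = sender_domain.lower()
        if sd != site and not sd.endswith("." + site):
            suspects.setdefault(site, []).append(sender_domain)
    return suspects

if __name__ == "__main__":
    registry = build_registry(["shop-a.example", "shop-b.example"])
    # Constructed sample mail: two legitimate messages and one spam sent to
    # the address that only shop-a.example was ever given.
    mail = [
        (signup_address("shop-a.example"), "news.shop-a.example"),
        (signup_address("shop-b.example"), "shop-b.example"),
        (signup_address("shop-a.example"), "cheap-pills.example"),
    ]
    print(leaked_sites(registry, mail))  # {'shop-a.example': ['cheap-pills.example']}
```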
“Circumvention of eBay Fees (=LS &12362 JM119848267)”
However, your listing was in breach of eBay's Circumvention of eBay Fees policy and has been removed from eBay. All fees related to this listing have been credited to your account. We also notified members who placed bids on the item that the listing has
We would like to take this opportunity to let you know what part of your listing is not permitted.
Your listing(s) contains the following information:
Payment by paypal will incur a 5 additional charge to cover fees
You may not manipulate eBay's system in order to avoid paying certain eBay fees. This includes practices such as adding previously unspecified fees after the end of the auction, or charging excessive postage and packaging in order to recoup your listing and Final Value Fees. Fee avoidance provides a poor buying experience and gives you an unfair advantage over other eBay sellers.
Payment surcharges are a form of fee circumvention. eBay prohibits surcharging by sellers. Surcharging occurs when sellers pass the charges they incur for using eBay or third party services such as payment services onto buyers.
eBay has adopted this surcharging policy to ensure that all buyers receive clear and accurate pricing information when trading on eBay.co.uk. This surcharge policy applies only to items listed on eBay.co.uk.
For more information on Circumvention of eBay Fees copy this link into a new browser window:
What this basically boils down to is: I as a seller cannot make the buyer pay to cover the charges imposed by PayPal… Thus, if a buyer pays for the item with cash, a cheque or some other method, I receive all the money. If they pay using PayPal, I lose a percentage of it. I don't consider this at all unreasonable: if a buyer wants to use a method of payment that will cost more, they should foot the bill, not the seller. eBay are doing this because making buyers pay the PayPal charges discourages people from using it, so they screw the sellers instead.
Also let's not forget that PayPal take a cut from the money intended for shipping costs, so sellers have no choice but to inflate shipping costs to cover it.
So as a consequence, I will stop using PayPal.
As I stated in my earlier post, I wrote them an email complaining about this horrendous behaviour. A few days later, I got a reply:
From: "Wendy Biggins" (email@example.com)
Subject: RE: March Offer
Can you deal with this one!!!!!!
From: MY_ADDRESS [mailto:MY_ADDRESS]
Sent: 03 March 2007 10:04
Subject: Re: March Offer
How dare you send me this unsolicited mail.
newsletter" tickbox, even if it's explicitly been left unchecked.
I was planning to make a purchase from your company, and I went through
the registration form while intentionally leaving the newsletter option
unticked as I don't like to receive floods of junk mail. When I clicked
the page. This is an illegal and incredibly insulting act, and caused me
to immediately stop placing an order and go elsewhere.
I want my details removed from your system IMMEDIATELY, or else I will be
forced to report you for sending of unsolicited commercial email.
I also suggest that you modify the ridiculous policy of tricking people
into subscribing to your newsletter, as this highly offensive and
underhanded act will certainly cost you more customers than just me.
This looks like a pretty stupid screw-up… It's obvious she tried to forward this to one of her colleagues, but fucked up and hit reply instead of forward…
I did reply, to let her know of the mistake but have since not received anything back. How very rude of them.
I doubt I'm alone in being frustrated with the ridiculous anti-piracy measures these days…
The requirement to have the original CD/DVD in the drive to play a game for instance. I have several games installed on my HD, and the idea of installing games in the first place, was to improve load times and AVOID THE HASSLE OF HAVING TO LOAD ORIGINAL MEDIA AND/OR DAMAGE IT.
I work away a lot, and carry a laptop with me at all times. I don't want to carry a stack of CDs on the off chance I might want to play them. I don't want to keep transferring the media between my stack at home and my laptop bag.
People with pirate copies are much better off: they don't have to worry about losing media, they don't have to worry about bringing it along with them. It is actually advantageous to the game player to download a pirate copy. This is in stark contrast to the old anti-piracy advertising associated with analogue video/audio, where pirated copies were noticeably inferior to the originals. The advent of digital media levelled the ground, but rather than do something to compensate for that, companies have gone the other way and taken steps to make the originals actually inferior to the pirate copies.
Having to enter license codes or serial numbers is equally irritating; most people simply aren't organised enough to keep track of all these small scraps of paper with serial numbers on them, and most people don't want that much paper lying about. And losing that small piece of paper results in them being completely unable to use software they may have paid a large amount of money for.
Also the old code wheels, and requirements to enter a word/letter from the manual. This was common years ago, on the Amiga for instance, and was incredibly irritating. Some even required you to re-enter codes at random points throughout the game, and would punish you if you entered them wrong.
So, I won't buy games where I have to keep the DVD in the drive to play, and I won't buy software where I need to enter a code to use it. Why should legitimate customers be at a disadvantage relative to pirates? If this is the thanks we get for buying software, then I think I'll side with the pirates, as they don't shaft their own customers.
Just what is the point of making people enter a "license code" to install a piece of software? How is this supposed to limit piracy? Like many other supposed "anti-piracy" measures, it actually hinders legitimate owners, such that pirate copies are actually more useful than legitimate ones.
So to install any version of Windows made in the past 10+ years you need to enter a license code, and this is supposed to stop piracy *how* exactly?
Right now, I can find many torrents offering all these versions of Windows for download, all of which either have license codes included (so you still have the hassle of entering them) or, better yet, have the requirement removed or the license code pre-entered in some way, such that the install bypasses that annoying requirement.
Another example is TomTom. I bought one of their GPS devices a few years ago; it came with an SD card with the maps for my country preinstalled, and a larger map on CD that would require a bigger SD card. With the default map, the SD card is about 97% full, so there's very little space for points of interest and such.
So I bought a bigger card, formatted it, put the map and software on it, and the device tells me to go to the site "ttcode.com". Once there, I had to enter the code the device was displaying, and my "license code", which was apparently on a sticker affixed to the back of the paper CD wallet.
Now, I have long since lost this paper CD wallet; it's just a typical white paper CD wallet with a circular plastic window on the front, like all the thousands of others I have. It got lost in with all the others, and may even have been thrown away by now. So I contacted TomTom, and their response was that I should buy a whole new device! That's right, because I lost a tiny little sticker I should buy a whole new GPS device. So no, I wasn't about to do that.
Instead, I went to Google and found myself a keygen. I entered the code from the device into the keygen, and it gave me the code to enter into the device. Enter it I did, and all worked, no hassle, and no stupid little strips of paper to keep track of.
But this also brings up another point: what happens when TomTom decide to stop running the ttcode site? Will this rather expensive device just become a glorified paperweight?
So what are license codes supposed to do:
Prevent piracy – NO, pirates will create keygens or remove the license requirement altogether.
Keep track of who leaked keys – assuming keys are even leaked rather than generated or the requirement removed, they can't do much to someone who bought the device/software in cash at some random store, not to mention keys stolen from hacked machines and the like.
Irritate legitimate users – YES, codes get lost and legit users get shafted; entering the code is also a significant hassle that only legitimate users have to bear.
So come on, drop all this shit, stop making the pirate copies better than the legit versions.