I have my personal email configured in a very particular way; I have set it up so that anything@ sent to jasondunn.com will come to me (unless it’s been previously blocked). Why do I do this? The key problem with the way email works today is that once you give someone your email address, you lose control over it – they can sell it, share it, spam you with it, etc. Worse, unlike the telephone system where the caller is identified with a number that can be blocked (with the exception of hidden caller ID of course), there’s little you can do to protect yourself from incoming spam…if you block one sender, it will just come at you from a different one. The sender on the email is rarely the person or company actually generating the email.
By using a unique email address for every newsletter I sign up for, every company I buy from, and every account I register online, I have a system for figuring out who is spamming me, who is selling my email address, and I can turn off an alias if need be. There are some negatives to this approach mind you: it doesn’t keep me completely spam free, because eventually my real email address gets out there in the wild – likely from compromised email accounts or the malware-laden PCs of people that I correspond with – but it does afford me some granular control over how companies correspond with me.
I’ve turned off more than a few aliases over the years and that kills 100% of the spam that was coming in via that alias. This method does leave me vulnerable to dictionary-based email domain attacks, or domain reply-to hijackings, but both are exceedingly rare (say, three times in the past five years). People using Gmail can do something similar to my method, though it’s not quite the same because it still exposes your real email address.
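The alias scheme above can be checked mechanically. The following is an added example, not code from this post or its author: it compares the alias a message was addressed to against the company that alias was issued to. The domain `mydomain.example`, the alias registry, the verdict names and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"          # constructed catch-all domain
# Constructed registry: alias -> sender domains the alias was given to.
ALIAS_OWNERS = {"batteryshop": {"batteryshop.example"},
                "robotstore": {"robotstore.example"}}
BLOCKED_ALIASES = {"oldforum"}          # aliases already turned off

def recipient_aliases(msg):
    """Local parts of every MY_DOMAIN address in the delivery headers."""
    fields = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(header, []))
    aliases = []
    for _name, addr in getaddresses(fields):
        local, _, domain = addr.rpartition("@")
        if local and domain.lower() == MY_DOMAIN:
            aliases.append(local.lower())
    return list(dict.fromkeys(aliases))  # de-duplicate, keep order

def owned_by(sender_domain, owners):
    """True if sender_domain is an owner domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d)
               for d in owners)

def classify(raw_message):
    """Map each alias the message was sent to onto a verdict string."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    verdicts = {}
    for alias in recipient_aliases(msg):
        if alias in BLOCKED_ALIASES:
            verdicts[alias] = "blocked"
        elif alias not in ALIAS_OWNERS:
            verdicts[alias] = "unknown-alias"   # never issued: guessed address
        elif owned_by(sender_domain, ALIAS_OWNERS[alias]):
            verdicts[alias] = "ok"   # From can be forged; a match is not proof
        else:
            verdicts[alias] = "leaked"          # alias escaped its one recipient
    return verdicts

# Constructed sample: mail from another shop to the battery-shop alias.
SAMPLE = ("From: Other Shop <news@othershop.example>\n"
          "To: batteryshop@mydomain.example\n"
          "Subject: New arrivals\n\nbody\n")

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A "leaked" verdict says only that the alias reached a sender it was never given to; it does not distinguish a sold list from a copied database.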
Given all of the above, you can imagine my surprise when I received an email from an online lingerie company named Rupaz addressed to me using an email address that I’ve only ever used with one company: Battdepot (I’ve purchased laptop batteries from them a couple of times). I very rarely see this problem; the last time was when I received a spam email addressed to an email address unique to Canadian robot company Robotshop. I contacted them, they investigated, and determined that their customer database was hacked and copied. I think this happens more often than companies would like to admit, but to Robotshop’s credit, they sent out an email explaining what happened, pointing out that customer credit card information was not compromised, and offered customers a discount coupon as an apology. Not bad as far as responses go.
Sometimes it’s hacking that compromises an email address; other times it’s breaking the trust of your customers. I received a promotional email from Tivity Software (now defunct, but here’s the product they were promoting) to an alias I use only with AutoFX Software. When I confronted them about it, they informed me that the CEO of AutoFX Software had started up a new company, Tivity Software, and opted to “borrow” the AutoFX customer database. Not exactly above board, right? I sure never gave him permission to do that.
But back to Rupaz…the first email I received from them was on November 29th, 2010. You can imagine my surprise seeing a bunch of scantily-clad ladies in their underwear in my inbox:
At the bottom of the email is another confirmation of which email address of mine they used, along with a statement that I was receiving the email because I either signed up for it or through their “partners and affiliate networks”. I’m pretty sure that when I created an account with Battdepot to purchase a laptop battery, I didn’t give them permission to give my email address to a lingerie company.
I immediately sent Battdepot an email, asking them what was going on:
Battdepot never responded. The second email from Rupaz came on December 7th:
I emailed Battdepot again, asking them to respond to my previous email, and they didn’t respond. I tried hitting up Rupaz a couple of times on Twitter to figure out if they were related to Battdepot in any way, and they never replied either. The third email came on December 24th:
At that point, I unsubscribed from the Rupaz newsletter and so far I haven’t been spammed by them again. They seem like a legitimate business, so I hope/trust they’ll respect my unsubscribe request.
The question remains, how did Rupaz get my email address? Did Battdepot sell my customer information to Rupaz? Did Rupaz somehow get access to Battdepot’s customer database without their permission? I think it’s probably the former more than the latter, if only because both Battdepot and Rupaz have ignored all my attempts to communicate with them. I suspect they know they’ve gotten caught doing something they shouldn’t have and are trying to pretend it never happened.
One thing is for sure: when I need a laptop battery next, I’m not going to be ordering it from Battdepot!