The worst is the address used for my eMusic subscription, which now receives between 20-50 spams each day. I am also receiving spam at the address I used when I was a Sprint PCS customer, as well as addresses used for rebate submissions to Sprint, CompUSA, Micro Center, and Daewoo Electronics. The latter two were separate store and manufacturer rebates on a 17″ LCD monitor a few years back and I used a different variation of the address for each rebate. Both addresses receive the same spam, usually only a few seconds apart. It wasn’t until last week that I noticed the spam at the Sprint PCS addresses; one was my customer address, the other was for a Sprint mail-in rebate.

A search for eMusic spam turned up several people who have had unique addresses given only to eMusic become targets for spam. I complained to eMusic support about about this and actually got a response from a human asking me to forward complete copies of some example spam along with message headers. I sent them twenty samples and a week or two later got the same response others have received: it’s a dictionary attack.

That’s crap. If it were a dictionary attack I would be getting tens of thousands of spams to all kinds of unique words or word combinations. Instead, the spam I receive is targeted at about three or four specific addresses these days. In fact, about 90% of my spam has been stopped simply by blocking about twenty specific addresses at the server; before that, I would routinely receive anywhere from 3,000-4,000 spams every 24 hours. The remaining 300-400 spams I receive each day are sent almost exclusively to my primary e-mail address and my eMusic address.

It’s pretty clear that when executives want some more money, privacy policies can be easily rewritten to permit a company to sell whatever customer data they feel like sharing. One person whose eMusic address has been spammed thought that eMusic’s servers had been compromised. I don’t believe that. Rather, I think one look at their “privacy” policy shows that they are free to share their customers’ personal information with whatever “partner” they wish, making that data subject to some other company’s privacy policy which we, as the customer, have no ability to accept or reject. eMusic itself may not have sold the customer data, but it’s likely that one of their “partner” companies did. (A note for the lawyers in the audience: I’m not outright accusing eMusic or its partners of doing this; it just seems a bit suspicious that this particular e-mail address is now receiving spam.)

As an aside, because I have never used my primary address for anything but personal mail, I suspect the majority of the spam is from well-meaning friends using it to send e-cards or it having been harvested from peoples’ mailboxes by viruses, worms, and other malware. Folks, BCC is a friend and you should use it. It’s simply not a good idea to send a message addressed to tens or hundreds of To or CC recipients. But that’s a different topic.