ASB Bank, compromised?

Kris Price — Sat, 23 May 2009 04:09:08 +0000

Since I got my domain name, back in 2000, I’ve been running an experiment on spam. Whenever asked for an email address, such as when signing up for a website, or making a paper application for bank account, I create and provide a unique alias for that website or company in question. It has been interesting to track where spam comes to. The most spammed address is the one I used for ICQ. There have been a few obvious cases where it appears dodgy websites have leaked the email address, but the first seriously concerning case has happened recently.

Back in April of this year I started to recieve spam to the unique email address I gave ASB Bank. What does this mean? Well the possibilities are:

My computer or webserver was compromised, and my list of mail aliases escaped onto a spam list. But this doesn’t add up. I don’t seem to be compromised, and more tellingly there hasn’t been any other cases of this, which would be statistically strange given the list of aliases is very long.
I somehow mucked up, and entered the same email address on a website that turned out to be dodgy. This doesn’t seem likely, because the email address is distinctly identifiable as intended for ASB Bank.
I sent an email from that address to someone else, not at ASB Bank, where it escaped. But that one doesn’t add up either, because my records seem to show no outbound email from that address, and only a few legitimate inbound emails to it (the last in October 2008).
An employee at ASB Bank has extracted the email addresses from their database and sold them. I hope this isn’t the case, but it always is a slim possibility.
A computer at ASB Bank was compromised, and the email addresses were harvested that way.

This last one seems more likely.

1. Speak, 2. Think » spam

ASB Bank, compromised?