Instructables

How I discovered Instructables' email database had been stolen

Also, how you can track who let spammers get your address!

I have my own domain which I use for signing up to various websites. My registrar [and many others] allows me to have a "catch-all", so any mail sent to any address at my domain is forwarded to my regular address. When I join a website, I use the name of the site as the address, like this example:

instructables@example.com

So, if I get mail to that address, I can easily filter it into my 'Instructables' folder, and also see if spammers have gotten hold of it. I never use it anywhere else, and I can't even send mail from it, so only one website knows the address.
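The per-site catch-all trick above turns every address into a label that names the site it was given to. The script below is an added example, not part of the original post: it reads a few constructed mail-log lines (recipient, sender, subject), recovers the site tag from the local-part of each catch-all address, and reports senders that do not belong to the domain that tag was given to. The sample lines, the domain names and the `expected_domains` map are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample log: one message per line as "<recipient>\t<sender>\t<subject>".
SAMPLE_MAIL = """\
instructables@example.com\tnewsletter@instructables.com\tWeekly newsletter
instructables@example.com\tbob@randomhost.invalid\tRe4plica Wat4ches Nice Gift
vox@example.com\tnoreply@vox.com\tYour account
vox@example.com\tsales@spamhost.invalid\tCheap meds
shop@example.com\torders@shop.example\tReceipt
"""

# The catch-all domain that all the per-site addresses live under (assumed).
MY_DOMAIN = "example.com"

# Which sender domain each tag was handed to when the account was created (assumed).
EXPECTED_DOMAINS = {
    "instructables": "instructables.com",
    "vox": "vox.com",
    "shop": "shop.example",
}


def site_tag(address):
    """Return the site tag (local-part) of a catch-all address, or None if it is
    not one of ours. Plus-suffixes such as 'vox+news@' are folded into the tag."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != MY_DOMAIN:
        return None
    return local.lower().split("+", 1)[0]


def parse_mail_log(text):
    """Split the tab-separated log into (recipient, sender, subject) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        recipient, sender, subject = line.split("\t", 2)
        records.append((recipient.strip(), sender.strip(), subject.strip()))
    return records


def sender_domain(address):
    return address.rpartition("@")[2].lower()


def unexpected_senders(records, expected_domains=EXPECTED_DOMAINS):
    """Group, per site tag, every message whose sender domain is not the domain
    (or a subdomain of it) that the tag was originally given to. A hit means
    the address has reached someone it was never handed to; the sender itself
    is easily forged, so this points at the leaking site, not at the spammer."""
    hits = defaultdict(list)
    for recipient, sender, subject in records:
        tag = site_tag(recipient)
        if tag is None:
            continue
        expected = expected_domains.get(tag)
        actual = sender_domain(sender)
        in_scope = expected is not None and (
            actual == expected or actual.endswith("." + expected)
        )
        if not in_scope:
            hits[tag].append((sender, subject))
    return dict(hits)


if __name__ == "__main__":
    for tag, messages in unexpected_senders(parse_mail_log(SAMPLE_MAIL)).items():
        print(f"address given to '{tag}' has leaked:")
        for sender, subject in messages:
            print(f"  from {sender}: {subject}")
```

On the sample log this flags the `instructables` and `vox` tags and leaves `shop` alone. The sender-domain comparison is only a heuristic: the tag in the recipient address is the reliable signal, since nobody but the named site was ever given it.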

Yesterday, the spam [Re4plica Wat4ches Nice Gift] started arriving at my unique Instructables address.

This has happened with other websites [vox.com, for instance], and I have informed them, usually to mute silence. Sometimes they claim it was a dictionary attack, and that spammers are just jamming random words and phrases onto domains and sending to those.

Maybe, sometimes, they are right. Maybe some spammer has "instructables" in his dictionary and just tried it out on my personal domain. Maybe not!

I also got spam from 3 forged addresses [so far]:

instructables@****mathews.com
instructables.com@****vall.org
instructables.kz8@****puppy.com

I went to the "forgot my info" page and entered those addresses. All three were reported as valid accounts. I tried a randomly typed address and was told it was invalid.

This is a security design mistake: the page should fail silently instead, giving the same response whether or not the address is registered, so that it cannot be used to confirm which addresses belong to members.
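To make the design point concrete, here is an added example (not code from Instructables or from the original post) that puts the behaviour described above next to the silent-failure version. The user store, the message texts and the `Outbox` stand-in for the mail system are all constructed for the example; the only thing that matters is that the hardened handler returns an identical response for known and unknown addresses.

```python
from dataclasses import dataclass, field

# Constructed user store standing in for the site's member database.
USERS = {
    "member@example.org": "Member One",
    "instructables.kz8@example.net": "Member Two",
}


@dataclass
class Outbox:
    """Records the addresses a reminder would have been sent to."""
    sent: list = field(default_factory=list)


def normalise(address):
    return address.strip().lower()


def forgot_info_leaky(address, users, outbox):
    """The behaviour the post describes: the response itself reveals whether
    the address is registered, so the form doubles as a membership check."""
    address = normalise(address)
    if address in users:
        outbox.sent.append(address)
        return "A reminder has been sent to your address."
    return "That email address is not in our records."


def forgot_info_safe(address, users, outbox):
    """Hardened version: the reminder is still sent when the account exists,
    but the caller gets exactly the same text either way."""
    address = normalise(address)
    if address in users:
        outbox.sent.append(address)
    return "If that address is registered, a reminder has been sent to it."


def responses_distinguish(handler, users):
    """Self-check a developer can keep in the test suite: probe the handler with
    one registered and one unregistered address and report whether the
    responses differ. True means the form leaks account existence."""
    known = next(iter(users))
    unknown = "nobody-" + known  # guaranteed not to be a key of users
    scratch = Outbox()
    return handler(known, users, scratch) != handler(unknown, users, scratch)


if __name__ == "__main__":
    print("leaky handler leaks:", responses_distinguish(forgot_info_leaky, USERS))
    print("safe handler leaks: ", responses_distinguish(forgot_info_safe, USERS))
```

The check only covers the response body. A complete fix also keeps the HTTP status, the page layout and the response time the same on both paths, and rate-limits the form, since a handler that answers "sent" in 5 ms and "not found" in 50 ms still gives the answer away.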

Now, if this had been a dictionary attack, I can certainly imagine that the evil, but not stupid, spammers already know my technique and might try 'instructables@example.com' or 'instructables.com@...', but the chances of guessing 'instructables.kz8' and having it just happen to be a valid Instructables community member are practically nonexistent.

lulz4you (2 years ago):
This is no database breach...this looks like the instructables admin, siteowner, whatever is selling our emails to mass spammers for a quick buck.
1tri2god (3 years ago):
Thank you BobCat for writing this, it is indeed informative...not just that this is a useful way to track down such grievances (will be getting my own domain soon...just so smart that you thought this up) but also because Eric and Rachel are courteous enough to publicly address this. I'm just a neutral 3rd party who doesn't know any of you. But there are definitely less responsive webmeisters out there!
kick in the teeth!
rachel (4 years ago):
It's also worth it to explicitly state that we have no reason whatsoever to believe that any of Instructables' machines have ever been compromised. And iContact (as well as our current newsletter provider Streamsend) do not have any user information other than email addresses. As Eric stated, we do take our users' privacy very seriously. Please check our Privacy Policy for our full disclosure on the subject. And do continue to give us your feedback!
archdave (4 years ago):
I also use this method and have gotten spam via Instructables.

P.S. I said it nicely.