Email leak to spammers


I registered for cloudflare and this community forum with a unique email address. Now suddenly I have spam coming in on that email address. I’m pretty sure I have email visibility turned off. Where’s the leak?


Is this a non-trivial address not used anywhere else? What would you say is the probability spammers could have simply “guessed” it? What's the string complexity?


Yes, non-trivial and not used anywhere else. Very unlikely to have been guessed.


Alright, that would somewhat point towards the forum then :thinking:

First off, Cloudflare does not host the forum, but it is run by Discourse. So we have two potential sources. Secondly, I seriously doubt Cloudflare sells email addresses and, to be honest, I don't think Discourse would either.

So if we can really rule out the address was guessed or acquired via some other channel this might point towards some leak (note: I am not in panic mode yet :smile:). Generally, authentication (using the email address) happens on Cloudflare’s side, however Discourse has the address too.

Unfortunately I can't comment on anything else here, maybe @cloonan or @cscharff might have some additional information :man_shrugging:


If it is [email protected]
E-Mail was leaked on Twitter



@Conquistadog, Cloudflare does not sell or trade lists, I am certain that is the case for Discourse as well.


It’s the profile name…



I wouldn't have thought so either but there could be a potential data leak somewhere. If that was the case I am not sure attackers would use addresses gained in that way for spam straight away instead of for more hostile purposes, but - assuming the address is really as non-trivial and single-use as the OP stated - I am not sure how else they would have got hold of it. :confused:

At this point it really comes down to if that address was exclusively used for community purposes and as unguessable as claimed.

That could be but I wouldn't consider it a strong connection. It's a bit from username on a service to email address with a random domain. Even though possible I am not sure why they should automatically assume for every username. That would seem a bit of a reach. If it was a different domain that would be even more unlikely, if not bordering impossible.


I eat my own words :smile:

If the email in question is the same as on that Twitter account, it is not exactly single-use :wink:


Enjoy your meal. :rofl:


Well, crap. Bad idea to default the profile name to the first part of the email! But that’s not a disproof of the leak, because of all my domains, the right one was picked… And it’s not exactly the same as that twitter account – and the exact one that IS on the twitter account was NOT spammed (surprisingly enough).

Please believe me, there is a leak. You’re looking really hard at how it might be my mistake and not a leak. Don’t hand wave me away. There is a leak.

  • The email is on one of my own domains, not gmail or anything like that.
  • I have dozens of domains at CloudFlare, but ONLY the one I actually use was the one spammed.
  • No other guesses in any form remotely like it, on any other of my domains, were made.
  • I have wildcard receipt enabled; I’d receive it if they tried any others.
  • I have NO spam filtering on these domains; I’d receive it if they tried any others.
  • It was just one guess, and just one direct hit.
  • It was pretty bad spam; most spam filters would catch it and you’d never know.

I’m sorry, but there is a leak. There’s too much exactly right on exactly the first try for it to be a guess. Would you like me to create another account to test something more believable to you?

I’m sorry, but there is a leak. I have way less trust in this forum now – and in CloudFlare too, as a result, very sadly for me indeed.


Maybe try searching google/yahoo/bing for that specific email and surround it in quotes. This will let you know if it’s available on any pages indexed by them.


Done. No results.


No, I didn’t. I just shared my findings. How did I get there?

  • Your community profile
  • another thread here
  • you shared the registry stuff to get a wave up in that thread
  • the twitter profile is showing an email address.

Please read my private message


Didn’t mean to be accusing. Ruling out alternative explanations is a good investigative practice. Sorry I took it the wrong way. But I think I’ve ruled out everything else, so far. Let me know what else I can do to help. It does sound like you want to get to the bottom of it if possible.


Ok guys the twitter profile is out. @Conquistadog confirmed that it is not the email address in question.

Most of us don’t have access to your account data so we can’t check this.

Just mention again @cloonan @cscharff if they have further ideas.
I can only share my own experiences. There was no spam since I registered here. And that’s about… four or five years.

The email address is not shown in your profile and not searchable and…


There was no spam since I registered here. And that’s about… four or five years.

That would seem to suggest that the leak is in a stream of new accounts somehow, perhaps.


That is not accurate. I did voice my concern in case your story checks out. The last information I received was that the email address in question was in fact used elsewhere. You have denied this now. I have no way of verifying either thing (whether the address in question was really unique and whether the displayed address is the spammed address).

Again, if you can absolutely guarantee that the address in question hasn't been used anywhere else outside of a Cloudflare context (and implicitly Discourse context) and that it is not (easily) guessable/generatable I’d still agree that there might be something someone should look into. But at the same time I wouldn't want to jump to conclusions and present a leak as a fact.

At this point the only thing I could suggest is to poke @cloonan and @cscharff again. If there is a real chance of a leak it should definitely be investigated but if there is a real chance your email address might have shown up somewhere else you should equally come forward and not solely point the finger at Cloudflare and Discourse.


I apologize for my accusation which has now been put back to me twice. With that frustration past me, I welcome and encourage efforts to disqualify other possibilities.

I do indeed assure you – I absolutely guarantee, to be quite sure – that the email address is unique and not used anywhere else. That’s my practice with every new account I make, actually. I keep a detailed and precise list of them, and I do so for precisely this purpose: If any of my email addresses are harvested, I know precisely from where.

The twitter account was also unique, even though it differs by only three characters. Nevertheless, it’s different and unique enough to be quite certain. The domain is also unique enough; among all of those I have at cloudflare which were not harvested, it points a very strong finger.

I have received a second piece of spam to the same target. If anyone in a position to investigate would like raw copies including headers, I would be happy to provide them. I believe I will also be changing the email I use here to another equally unique one, as both an experiment and attempt at avoidance.

It is indeed something someone should look into. Please let me know if I can help further. Thanks for your consideration.
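
The bookkeeping described in this post (one unique address per service, with catch-all receipt on every domain), sketched as an added example that is not part of the original thread. The registry, domains and messages are constructed, and the 0.8 similarity threshold is an assumption:

```python
import email
from collections import Counter
from difflib import SequenceMatcher
from email.utils import getaddresses

# Constructed registry: one unique address per service (all values are made up).
REGISTRY = {
    "cf-k3x9q@example.net": "cloudflare + community forum",
    "tw-k3x9z@example.net": "twitter",
}
# Constructed list of owned domains, each with catch-all delivery enabled.
OWNED_DOMAINS = {"example.net", "example.org", "example.com"}

def classify(rcpt, threshold=0.8):
    """Return (kind, service) for one recipient seen by the catch-all mailbox."""
    rcpt = rcpt.strip().lower()
    if rcpt in REGISTRY:
        return "exact", REGISTRY[rcpt]          # address known to one service only
    local, _, domain = rcpt.partition("@")
    if domain in OWNED_DOMAINS:
        for known, service in REGISTRY.items():
            known_local = known.split("@")[0]
            if SequenceMatcher(None, local, known_local).ratio() >= threshold:
                return "near-miss", service     # looks like a guess or variant
    return "unknown", None

def recipients(raw):
    """Recipient addresses of a raw message; Delivered-To is preferred over To."""
    msg = email.message_from_string(raw)
    hdrs = msg.get_all("Delivered-To") or msg.get_all("To") or []
    return [addr for _, addr in getaddresses(hdrs) if addr]

def summarize(raw_messages):
    """Count (kind, service) pairs across a set of unsolicited messages."""
    tally = Counter()
    for raw in raw_messages:
        for rcpt in recipients(raw):
            tally[classify(rcpt)] += 1
    return tally

# Constructed sample: two spam messages, both addressed to one registered address.
SAMPLE = [
    "Delivered-To: cf-k3x9q@example.net\nFrom: a@spam.invalid\nSubject: offer\n\nbody\n",
    "To: <CF-K3X9Q@example.net>\nFrom: b@spam.invalid\nSubject: offer 2\n\nbody\n",
]

if __name__ == "__main__":
    for (kind, service), n in summarize(SAMPLE).items():
        print(f"{n} message(s): {kind} -> {service}")
```

Exact hits with no near-miss entries on any owned domain are the pattern the post describes; near-miss entries would instead indicate address guessing.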


Just to make sure we have all the facts - you made an email only for Cloudflare, then came here [and logged in with CF], and now you’re receiving emails.

  1. Are you certain there are zero other “email address activation” emails or newsletters from any other companies whatsoever in your inbox?
  2. What e-mail service is this running on? GSuite, Office 365, VPS, Managed e-mail from another hosting company, etc?
  3. What type of spam is this? I’ve found that most spam to non-gmail addresses goes along the lines of “Free website consultation” or “$50 custom logo for your business!”. Is this regular spam or spam targeting businesses/freelancers/etc?