Month: December 2009

Kosher spam.

Even a local delicatessen needs to follow the rules.

med

ENABLER
Ben’s Kosher Delicatessen and Ronald M. Dragoon
Address unknown

OFFENDER(S)
LB (initials only displayed here; I am in possession of full names, called out in emails)

CHARGE
Ben’s Kosher Delicatessen allows customers to sign up for their Ben’s Preferred Patrons Club and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the Ben’s Kosher Delicatessen CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Beginning on August 1, 2009, I started receiving email from Ben’s Kosher Delicatessen. It appears that one of their customers used my email address as their sign up address, and Ben’s Kosher Delicatessen doesn’t employ a confirmation loop, their customer, who likely is a Ben’s Preferred Patrons Club cardholder, is not getting these messages. They are not able to take advantage of any of the offers that Ben’s Kosher Delicatessen gives, ostensibly one of the reasons to join the Ben’s Preferred Patrons Club in the first place.

EVIDENCE
Note that the actual customer’s full name is included in the email.

example-redroofredicard

UNSUBSCRIBE VIA LINK?
Yes, but that would only stop the symptom, not the problem.

CAN-SPAM COMPLIANT?
NO [click for explanation]

REHAB ATTEMPT
I’ve forwarded the email to the email address noted on the actual advertisement with my standard response of their lack of use of confirmation loops and how to fix it.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at Ben’s Kosher Delicatessen or Ronald M. Dragoon himself.

Misplaced charity.

A spammer with a heart.

med

ENABLER
Globonder.com
Address unknown

OFFENDER(S)
The site themselves – they created a list by gathering names from the Internet. Their mailing list is managed by a non-US server, http://www.virtualtarget.com.br – not required to be compliant with CAN-SPAM.

CHARGE
Globonder added me to their list without my knowledge or consent, and decided that their “mission” was important enough to be an excuse for this behavior.


DOSSIER
Being placed on a list without my consent is bad enough, but when it’s justified with something along the lines of “Hey – we figured you’d want to be on this great list!” it’s worse. The actual words in the opt-out paragraph: “Disclaimer….if you are on this list it is because we have crossed paths with you somewhere and found you to be an interesting, accomplished person whom we would like to keep on our radar screen. We hope that you find the information in our Globonder Journal and if not, please click on the link at the bottom of this email to unsubscribe. You may send all questions and feedback to lisa@globond.com.”

Which I did. They use http://www.virtualtarget.com.br, so I doubt “Lisa” cares.

EVIDENCE
No names or personalization are included in the email.

example-redroofredicard

UNSUBSCRIBE VIA LINK?
Yes, but that would only stop the symptom, not the problem.

CAN-SPAM COMPLIANT?
Yes [click for explanation]

REHAB ATTEMPT
I’ve forwarded the email to the email address noted on the actual charity pitch with my standard response of their lack of use of confirmation loops and how to fix it.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at Globond, or the mysterious Lisa.

Stalled engine.

GM’s partnership with HSBC isn’t creditworthy.

med

ENABLER:
HSBC Card Correspondence
1441 Schilling Place
Salinas, CA 93912

OFFENDER(S)
TS (initials only displayed here; I am in possession of full names, called out in emails)

CHARGE
HSBC allows customers to sign up for their affiliate-branded GM Credit Card and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the HSBC Inn CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Towards the beginning of 2009, I started receiving email from HSBC, meant for their customer, TS. It appears that he used my email address as his sign up address, and HSBC doesn’t employ a confirmation loop, TS, who is a GM Card cardholder, is not getting these messages. He’s also not getting his payment messages, his “great offer” messages and more. I am.

I happen to be a member of one of HSBC’s other affiliate card programs, so when I called (see REHAB ATTEMPT below), they wanted my information to add to their case notes. I purposely refused to give them that as I didn’t want them to “accidentally” screw up MY file. They don’t need it anyway, but nothing has changed.

EVIDENCE
Note that the actual customer’s full name and the last four digits of their account number is included in the email.

example-hsbcgmcard

UNSUBSCRIBE VIA LINK?
No. You can update your “email preferences” if you sign in, but as I am not the intended recipient, I don’t have the customer’s login information. HSBC requires personal information to have the login information sent to the customer, so I was not able gain access to the account to disable it.

CAN-SPAM COMPLIANT?
NO [click for explanation]

REHAB ATTEMPT
I’ve called several time to try to rectify this situation, all to no avail. In each case, I’ve been unsuccessful in getting an HSBC CSR to understand the intricacies of the situation.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at HSBC.

Lights out.

They say, “We’ll leave the light on for you.” Um, no.

med

ENABLER
Red Roof Inn, Inc. and RediCard Member Services
2071 N. Bechtle Ave. PMB 226
Springfield, OH 45504-9980

OFFENDER(S)
Unknown – the email message showed no other information than a first name.

CHARGE
Red Roof Inn allows customers to sign up for their RediCard charge card and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the Red Roof Inn CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Beginning on September 14, 2009, I started receiving email from Red Roof Inn. It appears that one of their customers used my email address as their sign up address, and Red Roof doesn’t employ a confirmation loop, their customer, who likely is a RediCard cardholder, is not getting these messages. They are not able to take advantage of any of the offers that Red Roof gives, ostensibly one of the reasons to use the RediCard in the first place

EVIDENCE
Note that only the actual customer’s first name is included in the email.

example-redroofredicard

UNSUBSCRIBE VIA LINK?
Yes, but that would only stop the symptom, not the problem.

CAN-SPAM COMPLIANT?
Yes [click for explanation]

REHAB ATTEMPT
I’ve forwarded the email to the email address noted on the actual advertisement with my standard response of their lack of use of confirmation loops and how to fix it.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at Red Roof Inn or at their RediCard division.

Overdrawn.

You’d think a bank would do better than this.

med

ENABLER:
Bank of America, N.A.
101 South Tryon St., 8th Floor (email responses go there)
Charlotte, NC 28255-0001

OFFENDER(S)
LA | VL | LP | LV | LM (initials only; I am in possession of full names, called out in emails)

CHARGE
Bank of America allows customers to sign up for their Online Banking and email notifications, without confirming via an email loop that the customer has accurately provided, and/or the Bank of America CSR has accurately acquired, the customer’s proper and true email address.


DOSSIER
Bank of America is one of the banks with which I have a relationship, which makes this post even more important. I’ve banked with them for a long time, and for the most part, they are pretty good about getting their systems down, but in this case, they’ve continued to fall down on the job.

I’ve received multiple email messages for each of several of their customers. Some are notices for mortgage payments due, account application updates, survey notices and so on. I, too, get these notices as a B of A customer, so I know what they look like, and I’m very aware (and wary) of phishing attempts.

Bank of America, as you’ll see in the evidence below, not only allows their customers to give them inaccurate email addresses, but they send out emails to their customers complete with their full names, email addresses and the last four digits of their account number. This is dangerous, as an attempt at social engineering is far easier with that information in hand than without.

EVIDENCE
Note that the actual customer’s name has been redacted, but I have that, as well as the last four digits of their account number.
example-bankofamerica

UNSUBSCRIBE VIA LINK?
Yes, but that would only stop the symptom, not the problem.

CAN-SPAM COMPLIANT?
Yes [click for explanation]

REHAB ATTEMPT
I’ve contacted the Online Banking support team on numerous occasions, explained the issue, and have had both good and bad experiences with the CSR’s response. At no time have any of Bank of America’s representatives understood completely what I’ve explained, and given that the emails continue, nothing has been accomplished.

11/20/09: I searched online for the highest ranking security official within the Bank of America organization, former assistant director of the Criminal Investigative Division and former acting executive assistant director for Law Enforcement Services at the FBI, Chris Swecker, and called their Charlotte offices and asked for his office. They eventually gave me his voice mail. I left a clear voice mail as to why I was calling, with an explanation of the issues and what needed to be fixed.

RESULT
No change

DEVELOPMENTS
As you read this, I have received no response at all from anyone at Bank of America.