7 Replies Latest reply: Feb 19, 2009 8:45 AM by Kurt Lang
Lukas Level 3 (580 points)
(Not sure which is the best forum to post this but here we go.)

For many years I have been using a secret e-mail address as my Apple ID, which is known only to me and to Apple. I have NEVER used it as a general reply-to address. I'm using it only for logging into the Apple Store, these forums, the developer section and into the iTunes Store. And I have always been using one of my Macs to do so. The Macs are clean, no spyware, viruses, nada.
Additionally, a few times I have also used it as my contact address when I was on the phone with Apple Support (AppleCare in Ireland). So the only e-mails I have received at this address ALL came from Apple until now.

Well... Now how can it happen that all of a sudden I am receiving SPAM mails to this very address, which no one except me and Apple should have ever known about?
Is Apple's database leaking or what?
You can imagine that it bothers me pretty much.
Has anyone had a similar experience?

MacBook Pro (2008 MATTE display), PowerBook G4/1.67/15, Mac OS X (10.5.6)
  • 1. Re: How safe is an Apple ID?
    Kurt Lang Level 7 (31,995 points)
    It only takes one person that you've used the email for to share the information. Though it's highly unlikely Apple did any such thing on purpose. Someone also may have hacked into the support servers in Ireland and pulled a bunch of email account names.

    Other than that, you could easily just be the target of a brute force mailing. A spammer finds out the name of a domain (such as apple.com) and then starts a blind mailing of millions of emails starting with a@apple.com, b@apple.com, and so on, incrementing out as many places as they want to try. They don't care how many bounce back as undeliverable. The ones that don't also tell them which ones are real, and so get those names on a list to get more junk.
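
Added example (not part of any post in this thread): a defender's view of the blind mailing described in the reply above. It scans a mail log for sources that probe many nonexistent recipients and lists the real addresses each probe confirmed. The log format, addresses and thresholds are constructed for illustration and do not match any particular mail server.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, made-up format (not a real MTA's).
SAMPLE_LOG = """\
2009-02-18T03:10:01 client=203.0.113.7 rcpt=a@example.org result=unknown_user
2009-02-18T03:10:01 client=203.0.113.7 rcpt=b@example.org result=unknown_user
2009-02-18T03:10:02 client=203.0.113.7 rcpt=c@example.org result=unknown_user
2009-02-18T03:10:02 client=203.0.113.7 rcpt=d@example.org result=unknown_user
2009-02-18T03:10:03 client=203.0.113.7 rcpt=store-id@example.org result=accepted
2009-02-18T03:10:03 client=203.0.113.7 rcpt=e@example.org result=unknown_user
2009-02-18T03:10:04 client=203.0.113.7 rcpt=f@example.org result=unknown_user
2009-02-18T09:30:00 client=198.51.100.20 rcpt=store-id@example.org result=accepted
2009-02-18T09:31:00 client=198.51.100.20 rcpt=stor-id@example.org result=unknown_user
"""

LINE_RE = re.compile(
    r"^\S+ client=(\S+) rcpt=(\S+) result=(accepted|unknown_user)$")

def find_harvesters(log_text, min_unknown=5, min_reject_ratio=0.8):
    """Return {client_ip: sorted valid addresses that the probe confirmed}.

    A source is flagged when it tried at least `min_unknown` distinct
    nonexistent recipients and most of its distinct recipients were rejected.
    """
    unknown = defaultdict(set)
    accepted = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not recipient decisions
        client, rcpt, result = m.groups()
        bucket = accepted if result == "accepted" else unknown
        bucket[client].add(rcpt.lower())

    flagged = {}
    for client, bad in unknown.items():
        good = accepted.get(client, set())
        ratio = len(bad) / (len(bad) + len(good))
        if len(bad) >= min_unknown and ratio >= min_reject_ratio:
            # Every accepted address here is one the sender now knows is real.
            flagged[client] = sorted(good)
    return flagged

if __name__ == "__main__":
    for ip, exposed in find_harvesters(SAMPLE_LOG).items():
        print(ip, "confirmed:", exposed)
```

The second source in the sample, with a single mistyped recipient, is not flagged. Only the high-volume prober is, together with the one real address it confirmed.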
  • 2. Re: How safe is an Apple ID?
    Lukas Level 3 (580 points)
    > you could easily just be the target of a brute force mailing

    Yes, having my own domain, I thought of that possibility, too.
    That's why I wanted to check here if someone else has experienced a similar issue with their Apple ID or if it's just a coincidence.

    By the way, I used to have a "catch-all" mailbox, but my hosting provider disabled that function a few years ago exactly because of such spam attacks. Hence I had to enable about 150 forwarding addresses afterwards, because I have always used a dedicated address for each site or software I registered...

    On the other hand, my other "login addresses" remain unspammed so far, with the exception of a macupdate.com registration a few years ago which must have leaked apparently. (To be fair though, my subsequent registration at macupdate.com is still "safe" after three years, so it doesn't seem to be a general privacy issue with them.)
  • 3. Re: How safe is an Apple ID?
    Kurt Lang Level 7 (31,995 points)
    > I used to have a "catch-all" mailbox, but my hosting provider disabled that function few years ago exactly because of such spam attacks.

    Yes, you definitely don't want the catch-all set to "Save". They should always "Bounce", which is probably what your ISP did for you. Otherwise email that doesn't even have an existing name gets dumped into your real mail box.
  • 4. Catch-All
    Lukas Level 3 (580 points)
    Not the ISP, but my hosting provider.
    They actually removed the "catch-all" option from the mail server backline altogether while they were redesigning the admin control panel. In fact, I was even one of their volunteer beta testers then, so at first I loudly protested after I noticed that they did... But additionally they claimed that most of their customers supposedly never used it anyway. Hard to imagine when they advertise they are serving over 100,000 domain names, but what can a lone customer do...
    Anyway, later I accepted that it was probably a wise decision, given the upcoming amount of such attacks.

    Message was edited by: Lukas (corrected a wrong expression)
  • 5. Re: Catch-All
    Kurt Lang Level 7 (31,995 points)
    > Not the ISP, but my hosting provider.

    Oh! Yes, my hosting provider does that too, though I can still change the catch-all setting if I want to. I don't know why anyone would want it on anything but bounce anyway. What your provider probably did was remove the ability for anyone to change the setting from anything but bounce.
  • 6. Re: Catch-All
    Lukas Level 3 (580 points)
    > I don't know why anyone would want it on anything but bounce anyway.

    Well, it was fun while it lasted. I could simply tell my clients to email me at anythingyou_want@mydomain.com. But yes, after the spammers found out that even sdjfbcrzsadned@my_domain.com doesn't get bounced, that's where the big trouble with catch-all starts.

    Anyway, I argued that if none of their customers ever uses catch-all anyway, it wouldn't hurt them much if they left the option available for those few who might make good use of it. For instance if you have a domain without actually running a corresponding public web site, making it harder for the spammers to guess if such a domain exists in the first place.
    But as I said above, what can a lone customer do...
  • 7. Re: Catch-All
    Kurt Lang Level 7 (31,995 points)
    > what can a lone customer do...

    Ah, I forgot about that. That's likely what happened, though not intentionally by a client.

    If any of your clients use Windows, then there's a possibility that at some point, they received a virus that emailed itself back out, using one of the names in that person's address book. At one time, a virus must have randomly chosen your address and it got sent out that way as the spoofed sender.

    There are various other ways it can happen, but in short, it's extremely difficult to keep a valid address hidden forever.