Wes Chow
2 min read · Oct 9, 2017


So someone signed you up for hundreds of mailing lists? This happened to me a while back, and it’s surprisingly hard to find information on the motive behind this. I figured out why someone would do such a thing, so hopefully this post will get some Google juice and help people out!

TLDR: someone probably has your credit card info, or something else of interest such as a bank account. Go check now!

I received hundreds of “thanks for subscribing!” emails from random sites within the span of an hour. I decided to poke around and try to figure something out. One thing I checked: sometimes when you sign up for a mailing list, the confirmation email includes the IP address of the machine that submitted the signup. I found 4 such addresses, but it turned out they were all Tor exit nodes. But while sifting through emails for clues, I discovered a purchase receipt from Nikon for a very expensive lens.

In the order confirmation, I noticed too that the credit card number and billing address were correct; however, the phone number was not. My assumption is that the fraudster would later call Nikon to have the shipping address changed.

Checking the phone number, I discovered that it was registered to Twilio. I used to think Twilio was a kind of brilliant company, but have recently come to believe that it’s basically a cover for fraud or unsolicited marketing. I know it has a nice API, so there are plenty of folk using it for legitimate reasons, but even so, of all the Twilio users, my life is dominated by the bad guys.

I toyed with the idea of actually calling the fake phone number, but work and travel made that difficult to do immediately, and by the time I had a free moment I figured that the trail had gone cold. If this happens to you and you do end up calling the number, report back to me, I’d love to hear about the conversation! Alas, I had no such spare time, so I simply reported the number to Twilio.

One thing that could have made the whole thing marginally better is for mailing lists to require double opt-in. This would require you to actually respond to the initial email to get onto the list, but of course it doesn’t eliminate the burst of junk that covers up the actual fraud. Even now, weeks later, I have to unsubscribe from a handful of mailing lists a day.

Another possibility is that Google could tag subscription confirmations with a distinct label, much like it does with mass emails. This way, the signups wouldn’t cover up real inbox email such as the Nikon order receipt.
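The triage described above, as an added example that is not part of the original post: separate the burst of signup confirmations from the mail it buries, flag the burst itself as a subscription bomb, and collect whatever signup IPs the list software recorded. The messages below are constructed (subjects, sender, IPs from the RFC 5737 documentation ranges), and the subject patterns and burst threshold are my own assumptions, not a standard anyone publishes.

```python
"""Triage a burst of mailing-list confirmations to surface the mail it hides.

Added example, not code from the original post. Assumes raw RFC 822 messages
as strings; SAMPLE_MAILBOX is constructed sample data.
"""
import re
from collections import Counter
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subject patterns typical of list-signup confirmations (assumed list).
CONFIRMATION_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"thanks? (you )?for (subscribing|signing up)",
        r"confirm (your )?(subscription|email|sign-?up)",
        r"welcome to",
        r"please verify",
    )
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BURST_THRESHOLD = 5  # this many confirmations inside one window = subscription bomb


def is_confirmation(msg):
    """True when the subject looks like a mailing-list signup confirmation."""
    return any(p.search(msg.get("Subject", "")) for p in CONFIRMATION_PATTERNS)


def body_text(msg):
    """Plain-text body of a message (multipart or not), decoded leniently."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts if p)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def signup_ips(msg):
    """IPs the list software recorded for the signup: a header or a body line mentioning 'IP'."""
    found = set(IPV4.findall(msg.get("X-Originating-IP", "")))
    for line in body_text(msg).splitlines():
        if re.search(r"\bip\b", line, re.IGNORECASE):
            found.update(IPV4.findall(line))
    return found


def triage(raw_messages, window=timedelta(hours=1)):
    """Split confirmations from everything else and detect a confirmation burst."""
    msgs = sorted((message_from_string(r) for r in raw_messages),
                  key=lambda m: parsedate_to_datetime(m["Date"]))
    confirmations = [m for m in msgs if is_confirmation(m)]
    # Sliding window over sorted timestamps: largest count inside any `window`.
    times = [parsedate_to_datetime(m["Date"]) for m in confirmations]
    peak, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    ips = Counter()
    for m in confirmations:
        ips.update(signup_ips(m))
    return {
        "confirmations": len(confirmations),
        "peak_in_window": peak,
        "subscription_bomb": peak >= BURST_THRESHOLD,
        "signup_ips": dict(ips),
        "surfaced": [m["Subject"] for m in msgs if not is_confirmation(m)],
    }


def _mail(subject, date, body, origin_ip=None):
    """Build a minimal constructed message; origin_ip goes in X-Originating-IP."""
    hdr = f"From: noreply@example.test\nSubject: {subject}\nDate: {date}\n"
    if origin_ip:
        hdr += f"X-Originating-IP: [{origin_ip}]\n"
    return hdr + "\n" + body


# Constructed sample: six confirmations in 30 minutes hide one order receipt.
SAMPLE_MAILBOX = [
    _mail("Thanks for subscribing to Deals Weekly", "Mon, 09 Oct 2017 14:00:00 +0000", "Hi!", "192.0.2.10"),
    _mail("Please confirm your subscription", "Mon, 09 Oct 2017 14:05:00 +0000", "Signup IP: 198.51.100.7"),
    _mail("Order confirmation from Example Camera Shop", "Mon, 09 Oct 2017 14:07:00 +0000",
          "Order total: $2,199.00\nPhone: +1 555 0100"),
    _mail("Welcome to Gadget News!", "Mon, 09 Oct 2017 14:10:00 +0000", "Enjoy.", "192.0.2.10"),
    _mail("Thank you for signing up", "Mon, 09 Oct 2017 14:12:00 +0000",
          "We recorded the IP address 192.0.2.10 for this request."),
    _mail("Please verify your email", "Mon, 09 Oct 2017 14:20:00 +0000", "Click to verify."),
    _mail("Welcome to Cooking Club", "Mon, 09 Oct 2017 14:30:00 +0000", "Recipes inside."),
    _mail("Lunch tomorrow?", "Mon, 09 Oct 2017 09:00:00 +0000", "Noon?"),
]


def demo():
    return triage(SAMPLE_MAILBOX)


if __name__ == "__main__":
    print(demo())
```

The IP tally is the check from the post's own investigation: an address that recurs across unrelated lists is the signup origin (here it is constructed; in the real case they were Tor exit nodes, so the value of the list is mostly in confirming that the burst was deliberate). The surfaced list is what you actually read first.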

Anyways, if you happened on this post via search, then godspeed.


Head of Eng @ MIT Center for Constructive Communication, MIT Media Lab, Cortico, ex. Chartbeat, Songza, etc.
