
whooleytoo (original poster, macrumors 604, Cork, Ireland)
Ever since Apple activated the Me.com domain for mail, I've had a huge increase in the amount of spam I get, all going to "me.com", not the old "mac.com" address.

What's odd is that some of it comes from fairly reputable sites - NY Times, Motley Fool and several others.

Weirdest of all though, I got a shipping confirmation from AT&T for an iPhone, I checked it out (purely to confirm) and it's genuine.

It looks like someone thinks they're using my email address?!? I have a full postal address (in Florida), but not a name. Should I write a letter asking him to STOP GIVING OUT MY EMAIL ADDRESS! :p

Help!!
 
Well, at least I know one company which has signed me up for spam with legitimate companies, ActiveResponseGroup.com.

From their site:
"Generating 1 million new customer leads per month" :mad::mad::mad:

What do people think? Since some of these sites (NYTimes.com, Philips etc.) are reputable sites that aren't likely to spam, is it safe to cancel all these spam subscriptions, or would that just confirm it's a live email address?

Several of the spammers don't even offer an unsubscribe option.
 
It could be the guy has a real email address but got into the habit of using xxx@me.com when forced to give an email address (e.g. forum registrations etc.). And for a long, long time this was just a defunct email address... but now it comes to you!
 
Well, at least I know one company which has signed me up for spam with legitimate companies, ActiveResponseGroup.com.

From their site:
"Generating 1 million new customer leads per month" :mad::mad::mad:

What do people think? Since some of these sites (NYTimes.com, Philips etc.) are reputable sites that aren't likely to spam, is it safe to cancel all these spam subscriptions, or would that just confirm it's a live email address?

Several of the spammers don't even offer an unsubscribe option.

Beware the unsubscribe option from spam. It is often a way to confirm your real email address.

If you get new spam just delete it. Eventually it will go away.
 
Cheers, I won't click the unsubscribe link so.

My 'username' is a short, common word, which is in the dictionary so that might be part of it. (I often get seemingly valid emails too by accident.. from the World Health Organisation, from people messing around in Apple Stores etc.) I even received one blank email which occurred when someone pasted a joke into the To: field by accident and it sent to every word! (There@mac.com, was@mac.com, a@mac.com, blonde@mac.com....)

It's just odd that there has been such a big increase since me.com activated, and the volume seems to be growing daily.

And receiving the valid order info from AT&T is odd too.
 
Also -- insecure usernames alert -!

I posted about this earlier, hoping we can generate some *critical mass* to get Apple to remedy this simple, and inexcusable, security hole -- originally pointed out by a poster on Apple's own discussion forums:

Mobile Me e-mail addresses are vulnerable to being harvested for spamming, or worse, due in part to their being visible to THE PUBLIC -- because they are automatically appended to the URL of Mobile Me web galleries.. for example, Emily Parker's Web Gallery address is:
http://gallery.mac.com/emily_parker#gallery

see thread:
https://forums.macrumors.com/threads/529621/

- Let's put some friendly viral pressure on Apple (YouTube video clip..?..) to
*PLEASE*
*FIX*
*THIS* - !
 
I don't think this will get "fixed".

It's the intended functionality of MobileMe (and .Mac before it).

All of your services are accessible from one name.

There wouldn't really be a way to solve this, without making things far more complex than a consumer level product needs to be.

You would need to have multiple identities for each service.

You can't really have a service like MobileMe work unless you accept that certain parts will be accessible by all internet users (both good and bad).

The average user will want to tell someone that their MobileMe gallery is located at http://gallery.mac.com/username#gallery

Same with iDisk.
 
I don't think this will get "fixed".

It's the intended functionality of MobileMe (and .Mac before it).

All of your services are accessible from one name.

There wouldn't really be a way to solve this, without making things far more complex than a consumer level product needs to be.

You would need to have multiple identities for each service.

You can't really have a service like MobileMe work unless you accept that certain parts will be accessible by all internet users (both good and bad).

The average user will want to tell someone that their MobileMe gallery is located at http://gallery.mac.com/username#gallery

Same with iDisk.

Umm..
this seems like quite a fatalistic view of things.
I don't agree that a service intended for use by the masses *has to* be insecure just because it is meant for use by "average" users.

..makes me think of those "Dumb & Dumber" movies... which I truly don't believe is Apple's ambition! (sorry, no flaming intended -- but I don't think we should just assume that we "have to" follow THAT model! ;-)

Part of the success of an information-services company like Apple is to accomplish skilled, educated, intellectual work "behind the scenes" that the average user CAN'T do, so PAYS for. Certainly Apple consistently markets itself as capable of innovatively solving "complicated" software problems elegantly and effectively.
(which is why so many people are indeed surprised and dismayed by the recent inelegant launch of MobileMe.. )

As I recall, this same username security issue was raised in connection with Google's online photo-album service, "Picasa Web Albums" -- so it's hardly the first time this has come up. (I can't remember what the outcome of the Picasa username controversy was, though.)
 
Umm..
this seems like quite a fatalistic view of things.
I don't agree that a service intended for use by the masses *has to* be insecure just because it is meant for use by "average" users.

..makes me think of those "Dumb & Dumber" movies... which I truly don't believe is Apple's ambition! (sorry, no flaming intended -- but I don't think we should just assume that we "have to" follow THAT model! ;-)

Part of the success of an information-services company like Apple is to accomplish skilled, educated, intellectual work "behind the scenes" that the average user CAN'T do, so PAYS for. Certainly Apple consistently markets itself as capable of innovatively solving "complicated" software problems elegantly and effectively.
(which is why so many people are indeed surprised and dismayed by the recent inelegant launch of MobileMe.. )

As I recall, this same username security issue was raised in connection with Google's online photo-album service, "Picasa Web Albums" -- so it's hardly the first time this has come up. (I can't remember what the outcome of the Picasa username controversy was, though.)

It's not really fatalist because I don't see it as a very big issue.

If you think about it, .Mac and iTools have been doing the exact same thing since 2000. There may or may not have been a spam issue as a result, but it's not really new to MobileMe.

The way I see it, your MobileMe name is your identity across several services and devices.

There's no logical way to have different names for different parts of MobileMe (which is the only way you could solve this issue).
 
It's not really fatalist...

There's no logical way to have different names for different parts of MobileMe (which is the only way you could solve this issue).


Perhaps I should have been more specific..

What I meant is that (in general) usually there IS more than one way to solve this sort of problem. Your view struck me as being "fatalistic" because you claimed that there is only one way to handle this particular problem.

Of course, having multiple names for different parts of the Mobile Me service *would* be clumsy & not worthwhile; but I doubt that this is the "only" way to make the username more secure, in this situation.
I freely admit that I don't personally want to spend a lot of time figuring out these alternatives -- that's what Apple gets money for doing for me!
 
It could be the guy has a real email address but got into the habit of using xxx@me.com when forced to give an email address (e.g. forum registrations etc.). And for a long, long time this was just a defunct email address... but now it comes to you!

hehe, that's a good point; I used to regularly put "me@me.com" in email fields when blasting through some stupid registration to download a patch or some other extraneous file from a site I'd not need to go back to. This was long before it was a real domain.
 
Perhaps I should have been more specific..

What I meant is that (in general) usually there IS more than one way to solve this sort of problem. Your view struck me as being "fatalistic" because you claimed that there is only one way to handle this particular problem.

Of course, having multiple names for different parts of the Mobile Me service *would* be clumsy & not worthwhile; but I doubt that this is the "only" way to make the username more secure, in this situation.
I freely admit that I don't personally want to spend a lot of time figuring out these alternatives -- that's what Apple gets money for doing for me!

You just can't look at things like that.

At the end of the day, one of the key points of how this service works is that your username is used in various places. The ONLY way to solve this would be to have a different name on your gallery.

It's not fatalistic to say that:

Right now I can tell my Mum who can barely use a computer, that my gallery is at gallery.me.com/username

She can remember this because my e-mail is username@me.com

If I were to introduce her to Public iDisk, she could also get there from my username.

It's a core part of the service's design.

I just don't see how you can change it without the service being degraded.

Apple isn't being paid to solve problems for you, you are paying for MobileMe in its current state. Apple probably doesn't see this as an issue, due to how long it's actually been around (since 2000).
 
If you think about it, .Mac and iTools have been doing the exact same thing since 2000. There may or may not have been a spam issue as a result, but it's not really new to MobileMe

In which case, that may not be my issue - since I've had a massive increase in spam since the move to MobileMe; plus as I've mentioned, the spam is odd in that much of it is from reputable sites/companies who wouldn't normally do so.

I think it might just be people typing in random/junk addresses when they don't want to enter their own, and given that my address is a short and common word just meant I'm getting a lot of random junk now that address has been activated.

I might just send everything addressed to ...@me.com to the bin and keep using mac.com. Seems the only option.
 
Don't forget that with the online Me mail, you have a "report as Spam" option... I use this with every spam email I get.... Seems to work!
 
It could be the guy has a real email address but got into the habit of using xxx@me.com when forced to give an email address (e.g. forum registrations etc.). And for a long, long time this was just a defunct email address... but now it comes to you!

Why don't you set up an alias for signups? That way, if it gets too bad, delete it and start again.
 
You just can't look at things like that.

At the end of the day, one of the key points of how this service works is that your username is used in various places. The ONLY way to solve this would be to have a different name on your gallery.

It's not fatalistic to say that:

Right now I can tell my Mum who can barely use a computer, that my gallery is at gallery.me.com/username

She can remember this because my e-mail is username@me.com

If I were to introduce her to Public iDisk, she could also get there from my username.

It's a core part of the service's design.

I just don't see how you can change it without the service being degraded.

Apple isn't being paid to solve problems for you, you are paying for MobileMe in its current state. Apple probably doesn't see this as an issue, due to how long it's actually been around (since 2000).

Don't worry, your Mum should still be able to use this service to reach you even if Apple DOES improve username security ... :)

Indeed, Apple *is* paid to solve "problems" -- i.e., to figure out how to program software that will provide valuable services (this is what I mean by a "problem" .. until a programmer comes up with a software "solution.")
(It's been a long time since I myself have done any programming, but in my experience such "problems" are actually fun for programmers. :)

As I said, I don't have energy or time to spend on finding an answer to this particular "issue" (if you prefer to call it something other than "problem")... but what I imagine is something that would be done on the server side of things, not on your Mum's (or my) side of things: i.e., yes, we need to be able to use our usernames as a sort of master key to Mobile Me services -- but Apple could employ any number of other software actions on its part to prevent universal access to accounts. Password-protecting a Web Gallery is just one example (and by no means the best, I suspect).

So yes I think that there probably ARE multiple ways of addressing this -- probably at least a few that we as users would have a difficult time dreaming up since we are not programmers.
 
.. you are paying for MobileMe in its current state. Apple probably doesn't see this as an issue, due to how long it's actually been around (since 2000).

Sorry, forgot to add that as of yet I am *not* paying Apple for MobileMe in its current state, primarily because its current state doesn't seem to be worth the fee so far......... :-(

I agree that Apple probably doesn't see this username security hole as an issue -- which is why I think it should be brought to their attention, since I truly believe that it is actually not a hugely difficult thing to address. (Of course, right now they're no doubt busily working on other MobileMe items that ARE hugely difficult.........)
 
Don't worry, your Mum should still be able to use this service to reach you even if Apple DOES improve username security ... :)

Indeed, Apple *is* paid to solve "problems" -- i.e., to figure out how to program software that will provide valuable services (this is what I mean by a "problem" .. until a programmer comes up with a software "solution.")
(It's been a long time since I myself have done any programming, but in my experience such "problems" are actually fun for programmers. :)

As I said, I don't have energy or time to spend on finding an answer to this particular "issue" (if you prefer to call it something other than "problem")... but what I imagine is something that would be done on the server side of things, not on your Mum's (or my) side of things: i.e., yes, we need to be able to use our usernames as a sort of master key to Mobile Me services -- but Apple could employ any number of other software actions on its part to prevent universal access to accounts. Password-protecting a Web Gallery is just one example (and by no means the best, I suspect).

So yes I think that there probably ARE multiple ways of addressing this -- probably at least a few that we as users would have a difficult time dreaming up since we are not programmers.

Passwords would not work.

You'd still have your gallery at:

gallery.me.com/username

The public gallery being public isn't the "problem", it's the fact that the username is in the URL for every MobileMe user.

If you password protected the gallery, it would still exist at gallery.me.com/username - that would be just as open to abuse by spammers.

As a programmer, I understand the concept of solving a problem with a technical solution, but when the problem is actually a benefit in another area there isn't a lot you can do.
 
Passwords would not work.

You'd still have your gallery at:

gallery.me.com/username

The public gallery being public isn't the "problem", it's the fact that the username is in the URL for every MobileMe user.

If you password protected the gallery, it would still exist at gallery.me.com/username - that would be just as open to abuse by spammers.

As a programmer, I understand the concept of solving a problem with a technical solution, but when the problem is actually a benefit in another area there isn't a lot you can do.

It seems to me that USERIDs have been used for this type of thing for a very long time (easy to implement). So it is not new. It is just that the bad guys have gotten a lot more persistent over the years.

However, they could follow the way Google Calendar works. When you create your Google Calendar you are provided with a VERY LONG URL to give out to people that want to share your calendar and it does not have your USERID as part of the URL. Maybe they could offer both options. A simple (but less secure) URL and the Longer more secure URL.
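The design sketched in this post, a long random share link that does not embed the account name, as an added example (not Apple's or Google's code; the host name, URL path and in-memory store are assumptions). The legacy scheme is included for contrast: a valid username-based URL also tells you a valid mailbox name, while a token-based URL tells you nothing, and a leaked token can be rotated without touching the account.

```python
import secrets


def legacy_url(username):
    """The username-in-URL scheme discussed in the thread: the path IS the mailbox name."""
    return f"https://gallery.me.com/{username}"


class GalleryLinks:
    """Server-side mapping from opaque share tokens to account names.

    Constructed example. The public URL carries only the token, so knowing a
    working gallery URL does not reveal (or confirm) any e-mail address.
    """

    TOKEN_BYTES = 16  # 128 bits of randomness: not guessable, not enumerable

    def __init__(self, host="gallery.example.com"):  # hypothetical host
        self.host = host
        self._user_by_token = {}
        self._token_by_user = {}

    def issue(self, username):
        """Create (or rotate) the share token for a user and return the public URL."""
        old = self._token_by_user.get(username)
        if old is not None:
            del self._user_by_token[old]  # rotation invalidates the previous link
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self._token_by_user[username] = token
        self._user_by_token[token] = username
        return f"https://{self.host}/g/{token}"

    def revoke(self, username):
        """Kill a leaked link; the account name and mail address stay as they are."""
        token = self._token_by_user.pop(username, None)
        if token is not None:
            del self._user_by_token[token]

    def resolve(self, token):
        """Return the owning username for a token, or None for unknown/revoked tokens."""
        return self._user_by_token.get(token)


def token_from_url(url):
    """Pull the token back out of a URL produced by GalleryLinks.issue()."""
    return url.rsplit("/", 1)[1]


if __name__ == "__main__":
    links = GalleryLinks()
    url = links.issue("emily_parker")
    print(legacy_url("emily_parker"), "->", "emily_parker@me.com is a live address")
    print(url, "->", "no account name in the URL")
    print(links.resolve(token_from_url(url)))
```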
 
Passwords would not work.

You'd still have your gallery at:

gallery.me.com/username

The public gallery being public isn't the "problem", it's the fact that the username is in the URL for every MobileMe user.

If you password protected the gallery, it would still exist at gallery.me.com/username - that would be just as open to abuse by spammers.

As a programmer, I understand the concept of solving a problem with a technical solution, but when the problem is actually a benefit in another area there isn't a lot you can do.

Right, it would still exist at that URL -- but the URL itself could be protected by password, no? (I haven't utilized this feature myself so don't know how it works at present). As I remember, this same controversy arose when Google first offered its "Picasa Web Albums" service -- Sergey Brin's photos were being accessed by persona non grata, because they were able to easily guess the URL for his albums. Seems to me that this was resolved (or, maybe not..) by establishing an alias that could be utilized for the URLs in question.

In any event, the main security issue has to do with the ease with which usernames could be located by search engines -- not so much to do with the "guessability" of usernames, which is always possible (but less of a concern than harvesting via Google searches, for instance).

What sort of programming do you do?
 
Right, it would still exist at that URL -- but the URL itself could be protected by password, no? (I haven't utilized this feature myself so don't know how it works at present). As I remember, this same controversy arose when Google first offered its "Picasa Web Albums" service -- Sergey Brin's photos were being accessed by persona non grata, because they were able to easily guess the URL for his albums. Seems to me that this was resolved (or, maybe not..) by establishing an alias that could be utilized for the URLs in question.

In any event, the main security issue has to do with the ease with which usernames could be located by search engines -- not so much to do with the "guessability" of usernames, which is always possible (but less of a concern than harvesting via Google searches, for instance).

What sort of programming do you do?

I'm currently doing a Computer Science degree, so a large part of it is programming.

The problem is not anything to do with the security of the gallery.

The OP (and others) were concerned that people could simply look at the name of every MobileMe gallery and automatically gain access to a huge amount of guaranteed to work e-mail addresses for SPAM purposes.

If http://gallery.me.com/emily_parker is a valid gallery (i.e. the user is paying for their MobileMe subscription), then emily_parker@me.com (or @mac.com) is a valid address that could be spammed.
 