A naive approach that might work without either party needing to divulge emails:
GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."
Customer: "Here's the list."
GoDaddy: "At least one complaint email we received does not match the SHA-1s on this list."
I don't think they do have a point. If someone is spamming, why the hell aren't they just going to lie to GoDaddy about who opted in?
Even if they're not outright lying, lots of businesses have a very sketchy idea of what "opting in" means. I had my email address posted on a website once as a public contact. You would be surprised how many people consider that "opting in." When I used that email address to make sales enquiries, plenty of sales departments considered that an "opt-in" too.
The spam filters we had were fine for the outright trash, but the flavor of spam that doesn't fall under the legal definition of spam was a nightmare.
I eventually had Constant Contact blacklist every single email alias I had at the organization because of how often I was "opting in" to email.
I'm really struggling to see how GoDaddy could have a policy that fixes the issue of a person complaining about unwanted emails without disclosing the email of the person who doesn't want to receive the email any more.
This seems like more of a gray area to me. Sending sales material to people who have actually sent queries to your sales department doesn't seem nearly as bad as spamming random people (as long as there's a clear, and working, way to turn the sales emails off if you don't want them).
And it's all not nearly as bad as sending me spam for horse pron websites. You can rationalize it however you want. Still doesn't make any of it cool. Why didn't the person I'm already in an email conversation with ask if I wanted to be on the list? Because they know I'd say no (especially when the conversation turns to the fact their company can't do anything for us). That's what makes it opt-out bullshit.
It's not something that gets me hot under the collar, even at its worst it was a minor nuisance I dealt with over coffee. But after a year having a published address and 4 years of fallout afterwards, I've heard all the bad rationalizations for spam and they don't stand up. I have a polite and friendly "fuckoff" form letter for people without unsubscribe links. The second time I have to send it I CC the technical contacts in the domain's whois record. When someone gets upset or angry at me for doing so, I know damn well that they know they're lying when they try to justify their spam.
"It's not something that gets me hot under the collar"
Dude, you're emailing the domain's technical contacts, who likely have no say whatsoever in company sales policy. That sounds pretty hot under the collar to me.
Eh, I never thought of it as that big of a deal, just another task at work where something needs to happen or stop happening, and I only have a handful of routes to take. If asking the sales contact to stop didn't work, it turns out that most people don't make public the contact info for the sales managers' boss.
I'm not going to play corporate politics somewhere I A) don't work B) have no ability to contact anybody with control over any policy and C) even if they were publicly accessible, don't understand why spamming isn't cool. It's easy enough just to contact the dudes running the infrastructure used to spam me. And because they're techies and not salesmen they're actually nice people and already know this kind of behavior is unacceptable emailing. They might not have control over the policy, but they have something I don't: access to the people who can fix the policy or at least get me off the list.
It was actually the nice alternative to calling my netadmin. He was a very good admin, the emails would disappear from my inbox instantaneously, but when he checked the spam filter and marked true positives, his scripts made people wind up on email blackhole lists.
Customer: [generates the SHA1 of every email on their list they bought for $14.95 from totally-not-sketchy-email-lists.com] Here you go
There's nothing in the hash of an email address other than an indicator that the person knew who they emailed.
However, it should have been made abundantly clear to someone reporting spam that their email address may be disclosed to the accused party.
And no, reporting abuse should not carry the expectation of having anything about the reporter disclosed to the abuser. That would severely discourage the reporting of abuse.
Except of course if you deal in any way whatsoever with GoDaddy you should always expect the worst possible outcome.
Once the email address is given out, then it's just as if someone had all their personally identifiable details.
At that point in the process, your premise that they are a spammer is flawed. They are an accused spammer. Even though Godaddy's customer service process isn't a courtroom, the principle of innocent before proven guilty should apply when penalties could be applied.
A small business, individual, big company, anybody should have the right to have full information to adequately defend themselves from false claims.
You don't think there are unscrupulous small businesses out there that file false spamming claims on their competitors? That does happen.
Or you don't think that people actually do opt into email lists, forget about it, and then accuse a company of spamming a few months later? It also happens.
If you even want to go with the 'courtroom' analogy, accused only get the chance to 'confront' their accuser in court, they don't get a dossier on them outside of court so they can do whatever they want. You know why? Because this type of thing would happen.
This is nothing short of harassment and defamation/libel
Considering that the spammer has the email addresses already, it would be as simple as forging a letter. Even a fake handwritten sign-up form should "prove" it. No one is going to do a handwriting check to make sure it's actually correct.
That also assumes that a person looked at this email before it was forwarded on. With a hosting company the size of Godaddy, that's unlikely.
$ echo -n firstname.lastname@example.org | sha1sum
I wonder what the odds are on a hash collision from another email address (including abusing + addressing) that genuinely belongs to another person (rather than just exists) and therefore the resulting hash does not uniquely identify a single person.
The 'birthday attack' article covers this pretty well, but if we take the output size of a SHA-1 hash as 160 bits, and assume its outputs are equally distributed, a brute-force approach (equivalent to a non-maliciously generated accidental collision across all addresses ever)
sqrt(2**160 * PI/2) ~= 1.5 x10**24
 This is the intent of all hash functions, and I don't think there are any fundamental attributes of email addresses that would cause systematic bias in the output
Approximately, 10^3 = 1000 ~= 1024 = 2^10, 10^2 = 100 ~= 128 = 2^7.
Assume you have 1 billion (10^9) computers, each computer can do 1 billion hashing operations per second. That is 10^18 operations per second combined.
Rounding up, one day has 1 million seconds (10^6), and one year has 1000 (10^3) days. So, we have 10^27 ~= 2^90 operations per year.
100 million years is 10^8 ~= 2^27. So, you have 2^117 operations in 100 million years. Geologically, there was an Extinction Event about every 100 million years (e.g. 66, 200 and 251 million years ago). So, having an (unintentional) hash collision in more than 128 bits (assuming a good hash function that has uniformly distributed hash) is less likely than an event happening within the next second that kills 50% of the Earth's species.
Give it to me in a list along with "hundreds" of red-herrings (let's say < 10000), and sure, no problem.
So no, given a hash you can't get the email easily. If this were the case, there would be no point in hashing passwords - might as well store them as plain text.
However, e-mail addresses are generally short, human readable, and have a high probability of being at one of a handful of common domains. It would be easy to brute force your way through common e-mail address patterns at common domain names fairly quickly, if they were only protected by a single round of SHA1.
OpenSSL's benchmarking tool claims that one of my servers can do 30 million SHA1s per second given 64 bytes of input each. And we know from Bitcoin that GPUs and FPGAs can do many orders of magnitude faster than that.
How long would it take to get an arbitrary "email@example.com" given only its SHA1? The US Census reports that there are about 5,200 common first names and 89,000 common last names, for a total of around 460 million pairs or 15 seconds on my server to try all of them.
I suspect that with some heuristics to favor common e-mail address patterns, guessing at least half of a list of arbitrary e-mail addresses really wouldn't take that long.
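As an added illustration (not code from any commenter in this thread), the sketch below implements the hash-list check proposed at the top of the discussion and shows why the comment above calls a single round of SHA-1 weak protection for addresses. The normalization rule, the function names and the sample addresses are assumptions constructed for the example.

```python
import hashlib
from itertools import product


def normalize(addr):
    """Canonical form both parties hash (assumed rule: trim, lowercase).

    Without an agreed rule, a trailing newline (echo without -n) or a
    capital letter yields a different digest and a false "not on list".
    """
    return addr.strip().lower()


def sha1_hex(addr):
    return hashlib.sha1(normalize(addr).encode("utf-8")).hexdigest()


def complaint_on_list(complaint_addr, optin_hashes):
    """Provider-side check: is the complainant's digest in the customer's list?"""
    return sha1_hex(complaint_addr) in optin_hashes


def recover_by_enumeration(optin_hashes, firsts, lasts, domains):
    """Hash every first.last@domain candidate and keep the ones on the list.

    Shows that whoever holds the digest list can recover addresses that
    follow a guessable pattern; unguessable addresses stay hidden.
    """
    found = {}
    for first, last, domain in product(firsts, lasts, domains):
        candidate = f"{first}.{last}@{domain}"
        digest = sha1_hex(candidate)
        if digest in optin_hashes:
            found[digest] = candidate
    return found


def exhaustive_seconds(n_first, n_last, hashes_per_second):
    """Time to try every first/last pair at one domain, as estimated above."""
    return n_first * n_last / hashes_per_second


# Constructed sample data (not real addresses).
OPTIN_LIST = [
    "Alice.Smith@example.org",
    "bob.jones@example.com",
    "x7q-news-2291@example.net",
]
OPTIN_HASHES = {sha1_hex(a) for a in OPTIN_LIST}
FIRSTS = ["alice", "bob", "carol"]
LASTS = ["smith", "jones", "lee"]
DOMAINS = ["example.org", "example.com"]

if __name__ == "__main__":
    # Complaint arrives with different case and a trailing newline.
    print(complaint_on_list("alice.smith@EXAMPLE.org\n", OPTIN_HASHES))
    print(complaint_on_list("mallory@example.org", OPTIN_HASHES))
    recovered = recover_by_enumeration(OPTIN_HASHES, FIRSTS, LASTS, DOMAINS)
    print(sorted(recovered.values()))
    # Figures quoted in the comment: 5,200 x 89,000 pairs at 30 million/s.
    print(round(exhaustive_seconds(5200, 89000, 30e6), 1))
```

The membership check works without either side exchanging plaintext, but two of the three constructed addresses fall to an 18-candidate enumeration, so the digest list should be handled as if it were the address list itself.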
If I'm understanding the situation correctly (and if I'm not, please let me know), a crazy person with an agenda sent a mass-mailing to hundreds of atheists/bloggers in an attempt to push his POV. Skepchick reports him to his email host (in this case, GoDaddy), under their spam terms.
GoDaddy does their standard process, which includes asking for opt-in proof, and revealing the email. Crazy guy goes crazy and makes a website dedicated to trying to defame Skepchick, using info he found about her online.
The problem is, this wasn't typical spam. Meaning, this wasn't some bot sending out Viagra sales pitches or the "great investment leads" people that send me 30 messages a day. This was unsolicited mail, yes, but it was with an agenda. Basically, I'd classify it more as harassment.
I'd imagine the situation would have been handled differently if it was flagged/seen/filed as harassing messages, rather than spam. I don't know, but I have to assume GoDaddy has an abuse team and that their methods of handling this sort of thing would be different.
Please understand, I'm not putting the onus on Skepchick to correctly know how to classify the message. It stands to reason she thought this was spam. But at the same time, I don't know if this sort of edge case is common enough to require a more complex method such as SHA-1 hashes.
Shitty situation all the way around, but I think the biggest problem was this was treated as a normal case of spam, when really it was a case of abuse/crazy.
The only reason they can ignore internet rage is because their market share is gigantic, and it's gigantic only because they're really good at marketing.
In retrospect, I'm sure there are better ways for GoDaddy to investigate such complaints, but I think they didn't do something very evil - an email address is hardly "personally identifiable information". On the other hand, if you don't want your photo to be posted online, don't post your photo online.
In some parts of the world (e.g. Slovenia) personal email is very much considered personal information and any operator divulging it in such manner would pay a steep fine.
> In some parts of the world (e.g. Slovenia)
Slovenia is rather crazy about everything computer-related. A while ago Google was forbidden from collecting Street View data. I really hope that has been reversed by now...
However if you are an owner of a database containing personal information (where database means collection, not a particular technology), then rules are different. You then are required to collect only what you need for purposes granted by their owners and have to take care of not disseminating it without approval to others.
Google wasn't allowed to collect Street View data until they could conform to our privacy laws which mostly meant not making photographed people easily identifiable. This requirement is in no way specific to Slovenia (e.g. I think Germany has the same one) and Google complied which is why you can use street view in Slovenia now.
I would not describe our computer-related laws as crazy. They are lacking as laws everywhere are and certainly sometimes in uniquely our way. However it is often the enforcement (or lack of) that is the problem, not laws themselves.
That was Austria.
Except for it being PII according to NIST, that is: http://en.wikipedia.org/wiki/Personally_identifiable_informa...
And I don't think her problem was with the photo being on the internet. It was more that her photo was sandwiched between blatantly defamatory content.
Are you sure about that Tom from Slovenia?
Hint: google yours...
1. User got spam
2. GoDaddy ... provid(es) spammer with the user's email
3. Spammer ... using the email address GoDaddy provided
I'm confused. Or am I missing something important?
I highly recommend Hover as a domain Registrar. Tried them with a few new domains, and loved it so much I migrated everything there.
As tomp pointed out, disclosing email address is part of the process, probably not clearly stated, but GoDaddy handled it well. They issued a fine to a spammer, resolving the initial spamming case.
Worse would be if they had not carried out any actions at all.
Now, concerning the harassment, how come GoDaddy is responsible for trolls being trolls? As Company pointed out, report him to law enforcement. Sue him, or anything, victim has got the spammer's domain, thus all the private information needed to escalate the problem further.
The sender obviously had my name on his list, they used that list to send the e-mail. The dispute is that this list isn't really opt-in, and it's hard to imagine any reasonable verification (instead of, say, detailed audit of the sender's internal processes) that could prove otherwise.
Will your argument still stay the same? Are you going to hand in millions of your precious customers email addresses each time to your domain registrant when one of them marks your email as a spam? How are you going to explain later to your customer why he is receiving spam on email address firstname.lastname@example.org? That you had to send everyone's address lists each time a spam was reported?
While the proposals for requesting proof of opt-in via SHA hashes and such seem technically feasible, I think it pretty quickly breaks down when you think about how much cost and overhead that would put on GoDaddy (or law enforcement) to manage.
Think about the volume of spam out there. Then imagine a very tiny fraction of that being reported. Each one of those would require validation. While you could automate all the SHA sum comparison stuff, I don't think you could easily automate the validation of whether the opt-in mechanism was appropriate. If the sender indicates there was an opt-in, the validator must still confirm with the complainant whether that is a true claim. Without that, the system is useless because the spammer just keeps a SHA sum for each of the addresses they've purchased and supplies them along with a "Yes they opted in!" claim.
Manually validating the opt-in mechanism would require lots of manpower, and more importantly, a common and universally agreed upon set of rules for how opt-in should work. There are all sorts of nuance in the way there. Should it be a double confirmation? Does existing business relationship count? If so, what are all the rules regarding what constitutes such a relationship? What about unsubscribing afterward?
Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch that was what warranted downvotes.
Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.
You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.
The complaint itself is not anonymous, there is an intercessor which knows the identities of both parties, and who is the recourse.
> Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.
Oh great, they didn't send enough for a complete identity takeover so I guess everything's… wait what?
They sent personal information to somebody who might — if the complaint was well founded (which it clearly was) — take retributive action. That does not strike me as an ethical or sensible move.
> You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.
No, not necessarily and definitely not if the complaint is simply a well-founded one where the resolution is to fix your shit. And if it turns out you do actually genuinely need to directly contact the complainant, contact information can be asked of the intercessor.
Email addresses are personal information and companies should work to best current practice, not just whatever they can get away with under the lax laws of their jurisdiction.
So there's that...
"I understand that Twitter may provide third parties, for example the reported user, with details of this report, such as the reported Tweet. Your contact information, like your email address, will not be disclosed."
I think it highly likely that would encourage further abuse. This has prevented me using the tool in the past, and makes me think Twitter doesn't quite understand the issue.
So I'd normally use Readability, but in this case: the content was in the comments already. For anyone interested: https://www.readability.com/articles/f4bokl2i
You can do this here: https://www.readability.com/shorten
Disclaimer: I just like Readability... :-)
GoDaddy advertises heavily. NetSol relies on the fact that they were the first and no one ever gets fired for recommending them.
The people who are still their customers obviously do not realize they can get better value--though not necessarily a lower price--from other companies.
And, apparently, there are also the buttmunches out there that are customers because the customer service (and self-policing in particular) is awful.
I've used Namecheap before and they were decent, though the dashboard looks like it was built in the 90's.
I checked out Hover but they seem to charge a lot for email.
From now on, I'll be known as wHzqbUWp at gmail.com
I would begin with Isaiah 45:7 "I form the light, and create darkness: I make peace, and create evil: I the LORD do all these things."
Who does a whois lookup on domains from spam emails?
Spammers would not have their accounts suspended as often or as quickly if no one ever reported them to email@example.com . There's always the possibility that my iota of caring generated the lead that sparked the investigation that allowed the actual network security guard to take down the spammer kingpin or a portion of his botnet.
Mostly, it's when I just want to kick the spammer square in the danglies, for annoying me when I'm bored.
I'm not going to spend today defending GoDaddy, as they've been a fair fly in the ointment to me. However I would not suggest burning them at the stake because somebody on this particular blog posted an inconclusive statement about a breach which was, as far as we can tell, dealt with already.
As a customer of theirs, I'll probably be contacting them about this to make sure I don't have any similar issues, and suggesting a remedy (probably something like the cryptographic hash based verification method suggested elsewhere on this page) for the future.
From reading the article alone, sure, I wouldn't be quite as skeptical, but I'm going to hold out until GoDaddy has a say in this case, because I don't really trust either of them.
Same reason why you should report spam to SpamCop: help clean up the internet, and clamp down on spammers so others don't have to deal with them?
Especially when the originating server specifically has a policy of not allowing outbound spam.
I don't see why she should defame GoDaddy. If I had a server there, and I was accused of sending spam, I would have the right to know which address considered my email as spam (and determine for myself whether the user subscribed to my services or not).
This and that are not exclusive.
> I don't see why she should defame GoDaddy.
Because they shared personal information with a complainee? If you go to the cops and make a complaint, would you find it normal that the cops go to that person and immediately give them your name and address?
> I would have the right to know which address considered my email as spam
Now consider that from the POV that you are a spammer and acting in bad faith, you've just been handed the keys to retribution, that sounds absolutely wonderful does it not?
GoDaddy deserved every last ounce of negative coverage for this they can get.
Generally, when someone gets too many spam complaints, or doesn't handle them well, they get terminated from the hosting provider.
I didn't mean to imply that was what happened. I said that they'd have to if it's to be checked.
My thoughts were that you're either going to have to trust the accused spammer - in which case you can turn over the SHA of the complaining email address, and the provider can compare it to the SHA hashes of their own. Or... they're going to have to turn the list (again, preferably with the entries hashed) over to you - and then, I suppose, you'll have to trust that they're giving you a truthful list.
But, either way, I don't see how the mere act of hashing the list is going to significantly alter the problems of nuisance complaints or of dealing with large lists. Hashing is a very cheap thing to do after all.
The problem is the 'Report Spam' button is also the 'I no longer wish to receive this email' button to non-technical users. Just because you've received a spam complaint, doesn't mean that it wasn't an opt-in email.
Providers never attempt to verify your email list. If you generate too many spam complaints, you get terminated. It's not feasible for a third party to get a copy of your mailing list, then somehow evaluate how legitimate it is.
That is false for any value of yyy.
You don't need the email address to defend yourself (which is ok), you only need it to retaliate (which is not ok).
It seemed to be a comment drawing an analogy to the criminal legal process. And in the US, that process guarantees you the right to know what you're accused of, why you're accused of it, and to confront the people accusing you.
Only the latter being at issue here, and in criminal proceeding it's done through cross-examination during criminal trial, not by giving the witness's address to the accused.
For example, if someone sues you for spamming (under some theoretical law which would allow that), you'd be able to know who they were and get information from/about them during discovery.