Hacker News new | past | comments | ask | show | jobs | submit login
GoDaddy Released My Personal Information to a Spammer Troll (skepchick.org)
342 points by kmfrk on Apr 16, 2014 | hide | past | web | favorite | 141 comments

While GoDaddy has a point about the opt-in component being important for deciding whether spamming took place, they certainly didn't need to release her personal information to the spammer. That's a terrible, serious breach of privacy.

A naive approach that might work without either party needing to divulge emails:

GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."

Customer: "Here's the list."

GoDaddy: "At least one complaint email we received does not match the SHA-1s on this list."

While GoDaddy has a point about the opt-in component being important for deciding whether spamming took place

I don't think they do have a point. If someone is spamming, why the hell aren't they just going to lie to GoDaddy about who opted in?

Even if they're not outright lying, lots of businesses have a very sketchy idea of what "opting in" means. I had my email address posted on a website once as a public contact. You would be surprised how many people consider that "opting in." When I used that email address to make sales enquirers, plenty of sales departments considered that an "opt-in" too.

The spam filters we had were fine for the outright trash, but the the flavor of spam that doesn't fall under the legal definition of spam was a nightmare.

I eventually had Constant Contact blacklist every single email alias I had at the organization because of how often I was "opting in" to email.

Whether someone is intentionally spamming or not, if they want to keep the registrar happy and stop getting complaints, they remove the email address of the complainant from the database if they receive a complaint. Unless there's a sufficiently large body of spam reports to automatically take action against the account of the alleged spammer - which may have happened after the OP's complaint - that's actually the best way to resolve the problem. 99.9999% of mailing list owners and blatant spammers alike are in it for the money rather than trolling complainants

I'm really struggling to see how GoDaddy could have a policy that fixes the issue of a person complaining about unwanted emails without disclosing the email of the person who doesn't want to receive the email any more.

"When I used that email address to make sales enquirers, plenty of sales departments considered that an "opt-in" too."

This seems like more of a gray area to me. Sending sales material to people who have actually sent queries to your sales department doesn't seem nearly as bad as spamming random people (as long as there's a clear, and working, way to turn the sales emails off if you don't want them).

Sending sales material to people who have actually sent queries to your sales department doesn't seem nearly as bad as spamming random people

And it's all not nearly as bad as sending me spam for horse pron websites. You can rationalize it however you want. Still doesn't make any of it cool. Why didn't the person I'm already in an email conversation with ask if I wanted to be on the list? Because they know I'd say no (especially when the conversation turns to the fact their company can't do anything for us). That's what makes it opt-out bullshit.

It's not something that gets me hot under the collar, even at it's worst it was a minor nuisance I dealt with over coffee. But after a year having a published address and 4 years of fallout afterwards, I've heard all the bad rationalizations for spam and they don't stand up. I have a polite and friendly "fuckoff" form letter for people without unsubscribe links. The second time I have to send it I CC the technical contacts in the domain's whois record. When someone gets upset or angry at me for doing so, I know damn well that they know they're lying when they try to justify their spam.

I did say "as long as there's a clear, and working, way to turn the sales emails off if you don't want them".

"It's not something that gets me hot under the collar"

Dude, you're emailing the domain's technical contacts, who likely have no say whatsoever in company sales policy. That sounds pretty hot under the collar to me.

Dude, you're emailing the domain's technical contacts, who likely have no say whatsoever in company sales policy. That sounds pretty hot under the collar to me.

Eh, I never thought of it as that big of a deal, just another task at work where something needs to happen or stop happening, and I only have a handful of routes to take. If asking the sales contact to stop didn't work, it turns out that most people don't make public the contact info for the sales managers' boss.

I'm not going to play cooperate politics somewhere I A) don't work B) have no ability to contact anybody with control over any policy and C) even if they were publicly accessible, don't understand why spamming isn't cool. It easy enough just to contact the dudes running the infrastructure used to spam me. And because they're techies and not salesmen they're actually nice people and already know this kind of behavior is unacceptable emailing. They might not have control over the policy, but they have something I don't: access to the people who can fix the policy or at least get me off the list.

It was actually the nice alternative to calling my netadmin. He was a very good admin, the emails would disappear from my inbox instantaneously, but when he checked the spam filter and marked true positives, his scripts made people wind up on email blackhole lists.

Let me fix that for you:

Customer: [generates the SHA1 of every email on their list they bought for $14.95 from totally-not-sketchy-email-lists.com] Here you go

There's nothing in the hash of an email address other than an indicator that the person knew who they emailed.

Hence the "prove to us that they opted in" part. (That's why law enforcement should handle this, btw.)

I read this as GoDaddy releasing her email address only. In theory, isn't an email address only personally identifiable if the address owner has done some action linking it to a real world identity? I assume that's the argument GoDaddy would make.

However, it should have been made abundantly clear to someone reporting spam that their email address may be disclosed to the accused party.

An email is personally identifiable information, in and of itself. NIST includes it right in their definitions. [0]

[0]: http://en.wikipedia.org/wiki/Personally_identifiable_informa...

Thanks for this. I am not up to date on what is considered privacy information, apparently.

That may be true if your email address is pm@example.com, but less so if it is philip.mclelland@example.com. For example.

And no, reporting abuse should not carry the expectation of having anything about the reporter disclosed to the abuser. That would severely discourage the reporting of abuse.

Except of course if you deal in any way whatsoever with GoDaddy you should always expect the worst possible outcome.

So hypothetically speaking you'd be OK with receiving a message from a hosting provider you did business with accusing you of spamming an unspecified person at an unspecified e-mail address and threatening to terminate your account, leaving you with no way of knowing what actually happened?

The opt-in argument is useless since there is no way to verify that the user subscribed in the first place, giving them the address or not. All you do is providing value to the spammer since they have now verified that the email is indeed real and read by a person. When reporting abuse you can already forge any email out of nothing, and you cannot prove that the email was forged unless they have a trace of the email being sent by their server (logs), and if they have that trace they can see easily see a pattern of mass distribution and start an investigation by contacting the other recipients on that list, or just wait for more reports to come in. Guess it's been a while since I worked at an ISP, but I have never heard of a spam abuse investigation strategy that involves forwarding the address to the suspected spammer.

If I am innocent, I will tell the ISP that fist.last@example.com opted in, and I will be telling the truth. If I am a spammer, I will say the same, and I will be lying. So what difference does it make?

If GoDaddy released the email address, then all the person had to do was go Google that email address and most likely they would have found it. Or, they could find it using DomainTools whois lookup (if they didn't use whois privay on ALL domains they own at all times), or use Gmail or Google Plus to find out who is associated with that email address.

Once the email address is given out, then it's just as if someone had all their personally identifiable details.

Not necessarily: the email address could be the classical <first name>.<name>@<whatever>.com.

Yes, I agree, even if it is firstname dot name @ whatever, you still can just google that email address and even get more information or look it up online to get photos, address information, etc. etc.

> they certainly didn't need to release her personal information to the spammer

At that point in the process, your premise that they are a spammer is flawed. They are an accused spammer. Even though Godaddy's customer service process isn't a courtroom, the principle of innocent before before proven guilty should apply when penalties could be applied.

A small business, individual, big company, anybody should have the right to have full information to adequately defend themselves from false claims.

You don't think there are unscrupulous small businesses out there that file false spamming claims on their competitors? That does happen.

Or you don't think that people actually do opt into email lists, forget it about, and then accuse a company of spamming a few months later? It also happens.

Small businesses making false claims are pathological and completely identifiable cases by a hosting company themselves, they don't need to give the 'accused spammer' _anything_ to verify that sort of thing.

If you even want to go with the 'courtroom' analogy, accused only get the chance to 'confront' their accuser in court, they don't get a dossier on them outside of court so they can do whatever they want. You know why? Because this type of thing would happen.

This is nothing short of harassment and defamation/libel

GoDaddy: "We have received complaints that you've been spamming. Give us a list of SHA-1 hashes of addresses of the people that opted in and show us how they opted in."

Considering that the spammer has the email addresses already, it would be as simple as forging a letter. Even fake a handwritten sign up form should "prove" it. No one is going to do a handwriting check to make sure it's actually correct.

This is absolutely the case. I think the original comment missed the assumption that the spammer already has the email addresses they spammed.

So, that process assumes that the end users are technically competent. Based on the way it was phrased (it sounds like this guy just CCd everyone), that does not seem to be the case.

That also assumes that a person looked at this email before it was forwarded on. With a hosting company the size of Godaddy, that's unlikely.

Hm... there really is no difference between an email address and SHA-1 (or SHA-2) of an email difference.If you have one, you can get another easily.

OK, email me at f234567a360f54c1d31a70936f336bc679ba4f9f (sha1sum of an email address with no trailing carriage return or line feed[1]) and I'll believe you.

1. e.g.

    $ echo -n billg@microsoft.com | sha1sum
    2517e4726f81e16f65eb95cf6446ad35352f566e  -

In general, the search space even for email addresses is probably too large for me to crack in a few days, but in the context above, where the author's email was already available online (on her website, in SPAM databases, in leaked credential datasets, ...), there is hardly any difference. In any case, if you consider my email address "personally identifiable information", I consider its checksum such information as well.

So have the customer hash her list with a salt, and you hash your list with the same salt, and everyone goes home for dinner.

> In any case, if you consider my email address "personally identifiable information", I consider its checksum such information as well.

I wonder what the odds are on a hash collision from another email address (including abusing + addressing) that genuinely belongs to another person (rather than just exists) and therefore the resulting hash does not uniquely identify a single person.

Very, very small.

The 'birthday attack'[0] article covers this pretty well, but if we take the output size of a SHA-1 hash as 160 bits, and assume it's outputs are equally distributed[1], a brute-force approach (equivalent to a non-maliciously generated accidental collision across all addresses ever) is:

    sqrt(2**160 * PI/2) ~= 1.5 x10**24
for there to be a 50% probability of a collision occurring. (if I understood/got the maths right)

[0] https://en.wikipedia.org/wiki/Birthday_attack [1] This is the intent of all hash functions, and I don't think there are any fundamental attributes of email addresses that would cause systematic bias in the output

To put things into perspective:

Approximately, 10^3 = 1000 ~= 1024 = 2^10, 10^2 = 100 ~= 128 = 2^7.

Assume you have 1 billion (10^9) computers, each computer can do 1 billion hashing operations per second. That is 10^18 operations per second combined.

Rounding up, one day has 1 million seconds (10^6), and one year has 1000 (10^3) days. So, we have 10^27 ~= 2^90 operations per year.

100 million years is 10^8 ~= 2^27. So, you have 2^117 operations in 100 million years. Geologically, there was an Extinction Event [1] about every 100 million years (e.g. 66, 200 and 251 million years ago). So, having an (unintentional) hash collision in more than 128 bits (assuming a good hash function that has uniformly distributed hash) is less likely than an event happening within the next second that kills 50% of the Earth's species.

[1] http://en.wikipedia.org/wiki/Extinction_event

I'm not willing to answer the challenge, but I definitely believe it could be done. If someone was willing to purchase a large list of harvested e-mail addresses and sha1sum them all, it is very likely a commonly used address would show up in it. Now, if the address you used above is actually some single-purpose address similar to what I use for all my online accounts, that would not work, but I believe that very few people use dynamic partial addresses in that way. Not even the simple ones that gmail provides.

If by "dynamic partial addresses" you mean "plus addressing" then, yes, it does use that.

> The document then says that in 2011 he sent an email to “hundreds of atheists” with a link to his website and that I had reported him for violating GoDaddy’s policies against spam.

Give it to me in a list along with "hundreds" of red-herrings (let's say < 10000), and sure, no problem.

If you have the original list of addresses, and you are given a shasum, you can easily determine to which address the sum belongs. The proposals above do not indicate that GoDaddy should provide the sum to the e-mail sender though.

Umm. Just leaving this here for anyone who doesn't know - the whole point of hashing things like emails or passwords is that reversing the hash is very difficult (read: near impossible). Indeed, once it becomes feasible to do, the hash is no longer considered useful (for this purpose).

So no, given a hash you can't get the email easily. If this were the case, there would be no point in hashing passwords - might as well store them as plain text.

Password hashing algorithms make it a bit harder to guess passwords by doing thousands of iterations ("rounds") of hashing, in addition to adding a random salt to prevent creating a dictionary for common passwords.

However, e-mail addresses are generally short, human readable, and have a high probability of being at one of a handful of common domains. It would be easy to brute force your way through common e-mail address patterns at common domain names fairly quickly, if they were only protected by a single round of SHA1.

OpenSSL's benchmarking tool claims that one of my servers can do 30 million SHA1s per second given 64 bytes of input each. And we know from Bitcoin that GPUs and FPGAs can do many orders of magnitude faster than that.

How long would it take to get an arbitrary "firstname.lastname@gmail.com" given only its SHA1? The US Census reports that there are about 5,200 common first names and 89,000 common last names, for a total of around 460 million pairs or 15 seconds on my server to try all of them.

I suspect that with some heuristics to favor common e-mail address patterns, guessing at least half of a list of arbitrary e-mail addresses really wouldn't take that long.

Isn't so hard if you've seen the email address before. Hashing an email somewhat of a joke in the industry.

Of course, that's why everyone suggests hashing passwords with SHA1, no salt. /sarcasm

Just because an algorithm isn't suitable for use as a cryptographic hash function doesn't mean it's easy to crack. There's a world of difference.

I'm loathe to defend GoDaddy, but I don't know if they can be "blamed" in this case, if only because what happened here was not the typical spam scenario.

If I'm understanding the situation correctly (and if I'm not, please let me know), a crazy person with an agenda sent a mass-mailing to about hundreds atheists/bloggers in an attempt to push his POV. Skepchick reports him to his email host (in this case, GoDaddy), under their spam terms.

GoDaddy does their standard process, which includes asking for opt-in proof, and revealing the email. Crazy guy goes crazy and makes a website dedicated to trying to defame Skepchick, using info he found about her online.

The problem is, this wasn't typical spam. Meaning, this wasn't some bot sending out Viagra sales pitches or the "great investment leads" people that send me 30 messages a day. This was unsolicited mail, yes, but it was with an agenda. Basically, I'd classify it more as harassment.

I'd imagine the situation would have been handled differently if it was flagged/seen/filed as harassing messages, rather than spam. I don't know, but I have to assume GoDaddy has an abuse team and that their methods of handling this sort of thing would be different.

Please understand, I'm not putting the onus on Skepchick to correctly know how to classify the message. It stands to reason she thought this was spam. But at the same time, I don't know if this sort of edge case is common enough to require a more complex method such as SHA-1 hashes.

Shitty situation all the way around, but I think the biggest problem was this was treated as a normal case of spam, when really it was a case of abuse/crazy.

So GoDaddy is utterly terrible both when you're their client and when you're not their client. Great. Could that company be burned to the ground already?

Sadly it seems good marketing can compensate for being terrible.

It's pretty much the law of businesses this days. If you pump enough money to market your product/company, then your sales will be orthogonal to the product itself. You can sell any crap, as long as your marketing team is good enough.

Hold the torches and pitchforks there.

Why? GoDaddy is merely popular. They do not provide a service that is not fulfilled as competently or as featurefully by a competitor. If GoDaddy ended as a business overnight, there would be a transition cost while people figured out which competitor to go with and moved their things, but nothing would actually be lost.

The only reason they can ignore internet rage is because their market share is gigantic, and it's gigantic only because they're really good at marketing.

To contrast this with a real world example, if your neighbor is having a party and you call in a noise compliant to the police, I don't think they tell the party host "we got a noise complaint from your neighbor at 123 My Street".

Depends on the locale; I've heard stories of officers showing up at the complaintant's door 2nd.

TL;DR: User got spam from a website hosted by GoDaddy. User reports spam. GoDaddy wants to be good guy and asks spammer if user opted in (by providing spammer with the user's email). Spammer stops spamming, but harasses user by posting her photo online, which s/he probably got using the email address GoDaddy provided.

In retrospect, I'm sure there are better ways for GoDaddy to investigate such complaints, but I think they didn't do something very evil - an email address is hardly "personally identifiable information". On the other hand, if you don't want your photo to be posted online, don't post your photo online.

So email address is not personally identifiable information even though it was all the spammer needed to identify her? Right.

In some parts of the world (e.g. Slovenia) personal email is very much considered a personal information and any operator divulging it in such manner would pay a steep fine.

So if I forward your email, I'm committing a crime? There's too much law about the internet...

> In some parts of the world (e.g. Slovenia)

Slovenia is rather crazy about everything computer-related. A while ago Google was forbidden from collecting Street View data. I really hope that has been reversed by now...

You wouldn't in common cases because as an individual you are not required to care.

However if you are an owner of a database containing personal information (where database means collection, not a particular technology), then rules are different. You then are required to collect only what you need for purposes granted by their owners and have to take care of not disseminating it without approval to others.

Google wasn't allowed to collect Street View data until they could conform to our privacy laws which mostly meant not making photographed people easily identifiable. This requirement is in no way specific to Slovenia (e.g. I think Germany has the same one) and Google complied which is why you can use street view in Slovenia now.

I would not describe our computer-related laws crazy. They are lacking as laws everywhere are and certainly sometimes in uniquely our way. However it is often the enforcement (or lack of) that is the problem, not laws themselves.

> Slovenia is rather crazy about everything computer-related. A while ago Google was forbidden from collecting Street View data


That was Austria.

Slovenia as well - full article (in Slovenian): [1]. In 2010, information commissionaire first rejected Google's request for recording [2], but it was finally approved in 2013 [3].

[1] http://lendavainfo.com/google-street-view-za-slovenijo-je-ko...

[2] https://www.ip-rs.si/varstvo-osebnih-podatkov/iskalnik-po-od...

[3] https://www.ip-rs.si/novice/detajl/snemanje-ulic-za-storitev...

You didn't wonder why the poster mentioned Slovenia specifically? It's a bit of an odd choice for an example. It's like the poster knew something personally identifiable about you.

I'm guessing it's because he's from Slovenia (as well).

> an email address is hardly "personally identifiable information"

Except for it being PII according to NIST, that is: http://en.wikipedia.org/wiki/Personally_identifiable_informa...

Is an e-mail address really any different from a phone number? I can't imagine anyone arguing that it would be okay for an intermediary in a dispute to disclose one party's phone number to the other, regardless of the reason. It is simply not GoDaddy's place to expose such information.

And I don't think her problem was with the photo being on the internet. It was more that her photo was sandwiched between blatantly defamatory content.

> an email address is hardly "personally identifiable information"

Are you sure about that Tom from Slovenia?

Hint: google yours...

OK, so the following happened:

    1. User got spam
    2. GoDaddy ... provid(es) spammer with the user's email
    3. Spammer ... using the email address GoDaddy provided
But wait, how did step one happen? Spammer must have had user's email, as a pre-requisite to sending said spam via email (presumably) in the first place?

I'm confused. Or am I missing something important?

Yet another reason to not use GoDaddy!.

I highly recommend Hover as a domain Registrar. Tried them with a few new domains, and loved it so much I migrated everything there.

Sure, use whatever other registrar/host you want, but it quite evidently doesn't exactly help people who aren't using godaddy but still have to deal with abuse related to people who are.

Indeed. I just look for opportunities to talk about how awesome hover is :-)

Despite all my hate towards GoDaddy, I cannot see the happening being their fault.

As tomp pointed out, disclosing email address is part of the process, probably not clearly stated, but GoDaddy handled it well. They issued a fine to a spammer, resolving the initial spamming case.

Worse would be if they have not carried out any actions at all.

Now, concerned the harrassment, how come GoDaddy is responsible for trolls being trolls? As Company pointed out, report him to law enforcement. Sue him, or anything, victim has got the spammer's domain, thus all the private information needed to escalate the problem further.

It shouldn't be godaddy handing the abuser the email for verification, it should be the abuser handing godaddy it's opt-in-list for verification. This way the reporters identity is never in danger... Of cource it's their fault.

What verification?

The sender obviously had my name on his list, they used that list to send the e-mail. The dispute is that this list isn't really opt-in, and it's hard to imagine any reasonable verification (instead of, say, detailed audit of the sender's internal processes) that could prove otherwise.

Imagine yourself being a highly respected business owner, where your main product is sending personalized newsletters to privacy concerned customers paying you much for their data to stay safe.

Will your argument still stay the same? Are you going to hand in millions of your precious customers email addresses each time to your domain registrant when one of them marks your email as a spam? How are you going to explain later to your customer why he is receiving spam on email address 100mil_worth_customer+news_from_wattengard@gmail.com? That you had to send everyone's address lists each time a spam was reported?

The assumption would be that the registrant acts in a professional manner and only uses the list to verify the complainant's claims.

hashes my friend, hashes

It would have been better in the victim's case if GoDaddy did nothing at all.

I think all this just goes to reinforce the complete brokenness of e-mail to date.

While the proposals for requesting proof of opt-in via SHA hashes and such seem technically feasable, I think it pretty quickly breaks down when you think about how much cost and overhead that would put on GoDaddy (or law enforcement) to manage.

Think about the volume of spam out there. Then imagine a very tiny fraction of that being reported. Each one of those would require validation. While you could automate all the SHA sum comparison stuff, I don't think you could easily automate the validation of whether the opt-in mechanism was appropriate. If the sender indicates there was an opt-in, the validator must still confirm with the complainant whether that is a true claim. Without that, the system is useless because the spammer just keeps a SHA sum for each of the addresses they've purchased and supplies them along with an "Yes they opted in!" claim.

Manually validating the opt-in mechanism would require lots of manpower, and more importantly, a common and universally agreed upon set of rules for how opt-in should work. There are all sorts of nuance in the way there. Should it be a double confirmation? Does existing business relationship count? If so, what are all the rules regarding what constitutes such a relationship? What about unsubscribing afterward?

Edit: Removing the pessimistic and un-useful concluding paragraph on the hunch that was what warranted downvotes.

Forwarding a complaint onto the end user is standard practice these days. It seems that every few months there is a story like this where someone sends an abuse complaint then is surprised when the hosting company sends it to the end user. For any large enough company it's unlikely a person will even read your complaint before it gets forwarded on. Most complaints are designed to be sent to the end user so it's no surprise companies automate this process.

Forwarding the complaint itself is normal, forwarding the identity of the complainer?

Anonymous complaints are an ethical issue. If you have no recourse then complaints become pernicious.

Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.

You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.

> Anonymous complaints are an ethical issue. If you have no recourse then complaints become pernicious.

The complaint itself is not anonymous, there is an intercessor which knows the identities of both parties, and who is the recourse.

> Also, they forwarded some pretty basic details, an email and a name. They weren't sent her SSN, mailing address, or anything like that, so it's no more identity than she associates already with her email address, as far as I can tell.

Oh great, they didn't send enough for a complete identity takeover so I guess everything's… wait what?

They sent personal information to somebody who might — if the complaint was well founded (which it clearly was) — take retributive action. That does not strike me as an ethical or sensible move.

> You need to be able to contact a complainant, otherwise there is no resolution, only a complaint.

No, not necessarily and definitely not if the complaint is simply a well-founded one where the resolution is to fix your shit. And if it turns out you do actually genuinely need to directly contact the complainant, contact information can be asked of the intercessor.

Contacting a complainant who is complaining about being contacted is probably the wrong thing to do.

Email addresses are personal information and companies should work to best current practice, not just whatever they can get away with under the lax laws of their jurisdiction.

Yes, that's also normal. We send out a ton of abuse complaints daily, and we get responses directly from the end user in most cases. It's fairly rare that the provider acts as a middleman (and even then, it's generally just automated prodding of the user if they don't respond quickly).

I would report GoDaddy and the spammer to the police. If the spammer went through all that trouble he's probably nuts.

The religious references are a bigger red flag of the spammer's mental health I'd say.

Well at least he doesn't seem to be mabus-nuts: http://rationalwiki.org/wiki/Dennis_Markuze

So there's that...

There is a similar, perhaps more significant problem with Twitter's abuse reporting tool[0]. To submit the form, users are required to tick the box that notes they accept the following:

"I understand that Twitter may provide third parties, for example the reported user, with details of this report, such as the reported Tweet. Your contact information, like your email address, will not be disclosed."

I think it highly likely that would encourage further abuse. This has prevented me using the tool in the past, and makes me think Twitter doesn't quite understand the issue.

[0]: https://support.twitter.com/forms/abusiveuser

What's wrong with this? they say "Your contact information, like your email address, will not be disclosed". They just tell the person who's twitter account it is something like, "By the way, it's this tweet that was reported as abusive and they said it was abusive in this way" am I misunderstanding this?

That's also my reading. They warn that they may share the report itself, such as the reported tweet and the comments (e.g. the "further description of the problem" field) to the reported, but will not share contact/identifying reporter information. That seems fine to me, one needs to know what he's being accused of to mount a defense.

Welcome to GoDaddy's customer service. I don't even let them have my domain names. Use NameCheap (and no, I'm not being paid to endorse them).

Agree, I switched all my domains. Turned out to be much easier than I thought. I'm not endorsed by them either, just a very happy customer.

Please tell me nobody here is actually using GoDaddy anymore. How many lessons does one need to learn before they realize GoDaddy is an awful company?

Well, I struggled to get through the first half of that article. Enough banner ads?

Yeah, me too. Made it impossible to _focus_ on the content.

So I'd normally use Readability, but in this case: the content was in the comments already. For anyone interested: https://www.readability.com/articles/f4bokl2i

You can do this here: https://www.readability.com/shorten

Disclaimer: I just like Readability... :-)

She's making money selling her story.

You mean just like news outlets do when they sell stories?

Oh, how dares she!

Use noScript - works wonders. I have no idea what you are talking about. :)

Was their response really just "Go call the cops"?

I am not hating on Go Daddy but I will say that articles like these do not come out of left field. There was the incident about two months ago with the @N twitter name that involved them and I have heard other grumblings about them. Then when you have other registrars that offer competitive services and do not have those grumblings, you switch. I did. (namecheap.com) Just sayin'...

Not surprising. GoDaddy does not have a good reputation among anyone I know, and I've been involved with domain names since the mid 1990s. I recommend you research other registrars and consider taking your business to them. I know Namecheap has good prices, 2FA, low prices, and discount codes for people leaving GoDaddy. Best wishes.

There's no reason to expect professionalism from a company that proudly portrays itself as a gang of leering adolescents.

Released the same personal information that is widely available via WHOIS, it seems..

I'm still puzzled that people are still using companies like Godaddy, Network Solutions etc.. which collect more horror stories than any other ones. Are customers really that stupid ?

Clearly, the answer is yes. In a commodity business, where your customer does not necessarily know much about your product, brand name recognition, price competition, and other-people's-money buyers are your bread and butter.

GoDaddy advertises heavily. NetSol relies on the fact that they were the first and no one ever gets fired for recommending them.

The people who are still their customers obviously do not realize they can get better value--though not necessarily a lower price--from other companies.

And, apparently, there are also the buttmunches out there that are customers because the customer service (and self-policing in particular) is awful.

Note that in this case, as far as I can see TFA is not using GoDaddy, the spammer was and TFA reported them for breach of GoDaddy's TOS.

So which registrar does HN recommend?

I've used Namecheap before and they were decent, though the dashboard looks like it was built in the 90's.

I checked out Hover but they seem to charge a lot for email.

Namecheap recently redesigned. It looks much more modern now but it still looks like the same template everyone else uses.

Their front page looks nice, but the dashboard and everything else looks the same.

I've been using Dynadot lately and have been pretty happy. My only complaint is that their 2 factor authorization is not Google Authenticator compatible and doesn't work at all if you have 2 accounts on the system (like work and personal).

I use iwantmyname.com for just domain names, but they have great one-step integration for email with Google Apps/Live for Domains/Zoho/pick-your-choose.

Name.com, they are great. They have great support and prices are competitive. I've slowly been migrating all my domains there.

Gandi.net has a good reputation, and offers nearly every TLD.


I've lost several domains that simply got deleted from my account. Every time I tried contacting them about the subject they refused to answer.

Time to switch to proxy email id's, which do not give out the first name or the last name.

From now on, I'll be known as wHzqbUWp at gmail.com

They are also elephant killing [1] sopa / pipa supporters [2].

[1] http://gawker.com/5787676/meet-godaddys-ridiculous-elephant-...

[2] http://godaddyboycott.org/

The spammer appears to be a religious hypocrite, so why not spam the spammer with religious hypocrisy right from their own playbook?

I would begin with Isaiah 45:7 "I form the light, and create darkness: I make peace, and create evil: I the LORD do all these things."

"I noticed that the email address it came from as well as the link went to a GoDaddy registered domain."

Who does a whois lookup on domains from spam emails?

I do, when they're particularly annoying.

If I think the spammer is legitimate enough that a complaint will make it harder for them to spam, I do.

If I just want to pretend to be a volunteer junior deputy for the Sheriff of the Internet for two minutes, I'll do it.

Spammers would not have their accounts suspended as often or as quickly if no one ever reported them to abuse@some.service.provider.com . There's always the possibility that my iota of caring generated the lead that sparked the investigation that allowed the actual network security guard to take down the spammer kingpin or a portion of his botnet.

Mostly, it's when I just want to kick the spammer squar in the danglies, for annoying me when I'm bored.

This is the 3rd article on HN about GoDaddy being an absolute shit-show. I am curious how long they gonna keep up.

With Skepchick involved, this seems sketchy.

I'm not going to spend today defending GoDaddy, as they've been a fair fly in the ointment to me. However I would not suggest burning them at the stake because of somebody on this particular blog posted an inconclusive statement about a breach which was, as far as we can tell, dealt with already.

As a customer of theirs, I'll probably be contacting them about this to make sure I don't have any similar issues, and suggesting a remedy (probably something like the cryptographic hash based verification method suggested elsewhere on this page) for the future.

Seems sketchy? She has evidence to back up her claims including an email from godaddy.

I don't trust the source though. /she/ included "an email" "from godaddy". But Skepchick has been host to such golden, contributing members of society as Rebecca Watson, so excuse me if I don't feel compelled to believe incriminating claims from people who ruin blood cancer research donation drives with inappropriate and divisive humour, then criticize others for being confused or offended rather than apologizing.

From reading the article alone, sure, I wouldn't be quite as skeptical, but I'm going to hold out until GoDaddy has a say in this case, because I don't really trust either of them.

So this seem sketchy because it is on the same blog that also includes someone completely unrelated that made a joke you find offensive? Whatever floats your boat I guess...

Who on earth reports spam to originating server administrators? It might seem contrary to general sentiments here, but really, why not handle your own problem (and adjust your spam filters) instead of troubling GoDaddy?

> It might seem contrary to general sentiments here, but really, why not handle your own problem

Same reason why you should report spam to SpamCop: help clean up the internet, and clamp down on spammers so others don't have to deal with them?

Especially when the originating server specifically has a policy of not allowing outbound spam.

Then, instead of whining around on the internet writing blogposts and making money off those banner ads, the poster should have contacted local law enforcement authorities.

I don't see why she should defame GoDaddy. If I had a server there, and I was accused of sending spam, I would have the right to know which address considered my email as spam (and determine for myself whether the user subscribed to my services or not).

> Then, instead of whining around on the internet writing blogposts and making money off those banner ads, the poster should have contacted local law enforcement authorities.

This and that are not exclusive.

> I don't see why she should defame GoDaddy.

Because they shared personal information with a complainee? If you go to the cops and make a complaint, would you find it normal that the cops go to that person and immediately give them your name and address?

> I would have the right to know which address considered my email as spam

Now consider that from the POV that your are a spammer and acting in bad faith, you've just been handed the keys to retribution, that sounds absolutely wonderful does it not?

No. You could send them the sha1 checksums of those who had opted in, and godaddy could confirm if it matched or not. You have no right to their personal information, but you do have a right to be heard.

GoDaddy deserved every last ounce of negative coverage for this they can get.

So, every time someone receives an abuse complaint, they should have to send checksums of every email on their list? What if it's a massive mailing list by a large company? What if it's a fraudulent abuse complaint, just designed to get the company to waste resources?

What if the company just lies that someone's not on their lists - they'll have to turn the information over one way or the other if it's to be checked, and it may as well be in a checksum as anything else.

I've never heard of any provider making someone turn over their mailing lists. Do you have any further information about when this has occurred?

Generally, when someone gets too many spam complaints, or doesn't handle them well, they get terminated from the hosting provider.

> I've never heard of any provider making someone turn over their mailing lists. Do you have any further information about when this has occurred?


I didn't mean to imply that was what happened. I said that they'd have to if it's to be checked.

My thoughts were that you're either going to have to trust the accused spammer - in which case you can turn over the SHA of the complaining email address, and the provider can compare it to the SHA hashes of their own. Or... they're going to have to turn the list (again, preferably with the entries hashed) over to you - and then, I suppose, you'll have to trust that they're giving you a truthful list.

But, either way, I don't see how the mere act of hashing the list is going to significantly alter the problems of nuisance complaints or of dealing with large lists. Hashing is a very cheap thing to do after all.

There's not really anything you can do about an individual spam complaint, aside from telling the end user and having them remove the email from their list (aside from things that are quite obviously spam).

The problem is the 'Report Spam' button is also the 'I no longer wish to receive this email' button to non-technical users. Just because you've received a spam complaint, doesn't mean that it wasn't an opt-in email.

Providers never attempt to verify your email list. If you generate too many spam complaints, you get terminated. It's not feasible for a third party to get a copy of your mailing list, then somehow evaluate how legitimate it is.

I'm not sure what good this would do. Wouldn't the spammer just include the ones that had not opted in (while claiming otherwise)? It'd be hard to prove them wrong.

> If I was accused of yyy, I would have the right to know who accused me

That is false for any value of yyy.

You don't need the email address to defend yourself (which is ok), you only need it to retaliate (which is not ok).

That is false for any value of yyy.

It seemed to be a comment drawing an analogy to the criminal legal process. And in the US, that process guarantees you the right to know what you're accused of, why you're accused of it, and to confront the people accusing you.

> And in the US, that process guarantees you the right to know what you're accused of, why you're accused of it, and to confront the people accusing you.

Only the latter being at issue here, and in criminal proceeding it's done through cross-examination during criminal trial, not by giving the witness's address to the accused.

In civil proceedings, there is the discovery phase where pretty much anything is theoretically up for grabs.

AFAIK there's no right to confrontation in civil cases.

You get to know who's suing you and subpoena all sorts of information from them. Which is effectively the same result.

For example, if someone sues you for spamming (under some theoretical law which would allow that), you'd be able to know who they were and get information from/about them during discovery.

People should just just flag trollish comments like this. Feeding trolls just encourages them.

That is rude!

She did handle her problem by reporting it to GoDaddy.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact