How not to manage a mailing list, or: The Importance of Confirming Opt-Ins

Somewhere out there, there’s a web page that contains a “sign me up for the mailing list” link.

Somewhere out there, there’s a person with a grudge. Maybe a disgruntled spammer.

The two meet.


Result: The mailing list now contains two addresses for my business: the one in the Finnish Business Information System, and the one on the web pages. It contains one address for me personally, and it contains postmaster and abuse at three domains that are owned either by me or my business.

The mails from the mailing list don’t really contain an indication of the address source. The plaintext part contains nothing (and is therefore not truly multipart/alternative), and the HTML says, roughly translated, “The recipient information in this message is based on address sources that have subscribed to our newsletter.” (Yes, an “address source” that has subscribed to a newsletter. 🙂) Unfortunately, it doesn’t indicate anything related to the apparent subscription, such as the timestamp or the IP address.

I’m not naming and shaming the vehicle here. I gave a call and a few emails to their CEO and explained the situation. I also explained that I have a hunch about the forge-subscriber’s identity.

If you’re running a mailing list, you need to confirm opt-ins. Otherwise you are an accident waiting to happen.
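
A minimal sketch of a confirmed opt-in flow, added here as an example and not taken from this post or from any particular list software: submitting the form only creates a pending entry (with the timestamp and source IP that the newsletter above could not show), and an address joins the list only when the token mailed to it comes back. The class and method names, the 48-hour window and the sample addresses in the comments are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 48 * 3600  # assumed confirmation window, in seconds


class MailingList:
    """Hypothetical list store: addresses stay pending until confirmed."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side signing key
        self.pending = {}      # address -> (requested_at, source_ip)
        self.subscribers = {}  # address -> audit record

    def _mac(self, address, requested_at):
        msg = f"{address}|{requested_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request(self, address, source_ip, now=None):
        """Sign-up form handler. The returned token is mailed to `address`
        only; it is never shown to whoever submitted the form."""
        address = address.strip().lower()
        now = int(time.time() if now is None else now)
        self.pending[address] = (now, source_ip)
        return self._mac(address, now)

    def confirm(self, address, token, now=None):
        """Handler for the link in the confirmation mail."""
        address = address.strip().lower()
        now = int(time.time() if now is None else now)
        if address not in self.pending:
            return False
        requested_at, source_ip = self.pending[address]
        expected = self._mac(address, requested_at)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        del self.pending[address]  # token is single-use, valid or expired
        if now - requested_at > TOKEN_TTL:
            return False
        self.subscribers[address] = {"requested_at": requested_at,
                                     "source_ip": source_ip,
                                     "confirmed_at": now}
        return True

    def recipients(self):
        """Only confirmed addresses ever receive list mail."""
        return sorted(self.subscribers)
```

A sign-up submitted by a third party for, say, `abuse@example.org` stays in `pending` and never reaches `recipients()`, while the stored audit record answers the "when and from where" question for every confirmed subscriber.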
