Whenever you sign up to a website to buy goods or set up an account for one reason or another, I can't think of a single example that have not asked for an email address. Most of the time email addresses are required to be provided for the service. Many people don't think about what happens to that information once they press the submit button, especially after they have ticked all those boxes to request the company to not provide their details to any other third parties and partners, we all would presume that this information is now safe and secure.
Unfortunately these things are not perfect. So my trick is to create an email address or use plus addressing* to ensure that each time I provide an email address to a website, it is unique and therefore traceable.
In this instance I have been receiving a number of spam and viruses from an address that I had setup to only use on the confused.com website. The problem with such a company is that it is the core of their business to forward your information onto other systems that store and use your data. This makes it very hard to work out where a leak of the addresses would have occurred, but none-the-less it would have originally started at confused.com.
I strongly believe that the measure of a good company is not by the problems they will inevitably face. Every single business will experience problems like this at some point, and no matter how much planning is put into place, something will inevitably get missed. It's just the nature of tech, and an element of sods law. What makes a good company is the way they deal with the problems and I have to say I am impressed/surprised with confused.com.
I think is only fair to let a company know of problems that they may be unaware of. I'd expect the same for my business, So I proceeded to let confused know via an email address they issued on their website regarding any reports of problems regarding privacy. I even attached the original spam/virus (cleaned) emails, but to find that their own messagelabs spam filter bounced the email back. Out of a little frustration (I was only trying to help) I placed a message on twitter last night, mentioning that the spam was coming from the confused.com email address. To my shock, within THREE minutes a polite Kelly from confused.com PR messages me asking if they could help. So a few messages back and forth and I send details about what had happened. This morning I get an email from the CEO of confused.com (Carlton Hood) acknowledging the information I sent with a promise to try and track down any leaks they can find.
I dare say, that would be a difficult task to undertake. I know that the email hadn't come directly from confused.com, but likely a bot net that had already obtained the email address lists either from a compromised address book, badly issued mail list (everyone in the To or CC lists), or a compromised system on a partners network.
I do know that the last emails came from machines on the BT network through the BT SMTP services. BT should REALLY do something about tracking spam and letting their customers know that they could have been subjected to a virus or trogen that is using their machines to send unsolicited email. But that is a different story.
It is unfortunately common for some businesses to just play the naive game when it comes to issues like this. I was surprised to find confused.com so active around the report. Meanwhile I'll continue using unique email addresses for websites in order to track where my spam originated from, and would recommend the same with others if you can.
* Plus addressing is supported by a number of email services and when enabled will allow you to add additional address information on to your email address in order to differentiate where the email is from or what the email is for. You do not need to set up individual email addresses which makes this an ideal solution for problems as discussed above.
For example if I was to use adam@mydomain.com, with plus addressing I can have adam+confused@mydomain.com or adam+anything@mydomain.com that will all still be delivered to the inbox of adam@mydomain.com automatically.