Bennett Haselton, 3/5/2001
Update, 3/19/2001: Since the release of this report, InfoSpace.com has changed the format of listings on their Web site so that email addresses are no longer publicly displayed, and spammers and other third parties can no longer use InfoSpace to harvest HotMail users' email addresses.
After receiving complaints from HotMail users about junk mail in accounts that had never been "publicized" anywhere, we found that HotMail was sharing its member email addresses with InfoSpace.com, which makes the addresses available on its Web site where they can be "harvested" by third parties, including spammers. The statement on the InfoSpace Web site -- "For privacy, we don't show the full email addresses of people listed in our directories" -- turned out not to be correct, since HotMail provides its users with a search interface that allows them to harvest the email addresses of users listed on InfoSpace, including other HotMail users.
- The details
- Reverse lookup (updated 3/19/2001)
- HotMail's statements on privacy
- Why publicize it
- How we found out about this
When HotMail users create a new account at HotMail's signup page, the following text appears at the very bottom of the page, separated from the signup form by a full screen-length of other small print:
This small print refers to the "Internet White Pages" checkbox in the signup form, which is checked by default:
Internet White Pages
Click this option, and your name, location, and Hotmail e-mail address will be automatically listed in one or more Internet e-mail directories so others can look you up and send you messages! All other information about you is kept confidential.
For privacy, we don't show the full email addresses of people listed in our directories. You may use the form below to send a message, and your recipient may reply if he or she chooses.

But, if you are logged in to your HotMail account, you can click on the "Directories" link from your Inbox page and follow the "Email Search" link, which points to the InfoSpace "HotMail Email Search" form at
http://lw10fd.law10.hotmail.msn.com/cgi-bin/compose?curmbox=F000000001&a=5923bd6c1845c649c283ccfc41212975&mheader=to&log firstname.lastname@example.org&curmbox=ACTIVE
which contains "John Smith's" email address. If you're logged in to HotMail, clicking on that link takes you to a "Compose Message" page, with the recipient's email address already filled in.
By default, InfoSpace lists only 5 member email addresses at a time, but you can list up to 100 addresses per page by taking the URL for the search results:
http://kevdb.infospace.com/info/kevdb?OTMPL=%2Femail%2Femail-out.html&QK=5&QN=smith&QF=john&KCFG=email&ran=14657
and changing "QK=5" to "QK=100", giving you a URL that lets you collect up to 100 email addresses at a time:
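The "QK=5" to "QK=100" edit above is ordinary query-parameter tampering: the server took the page size straight from the URL. The following is an added example, not code from the original report and not InfoSpace's own software. It rewrites the parameter the way a harvester would, then shows a listing handler in the naive form (page size trusted, full addresses returned) beside a hardened form that clamps the page size and masks the local part of every address, which is the behaviour InfoSpace's own privacy statement claimed. The directory entries are constructed and fictional, and MAX_RESULTS, the QF/QN/QK parameter meanings and the masking format are assumptions drawn from the report.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Page size the site intended to serve per request (assumed from the
# report's "5 addresses at a time"; the real server-side limit is unknown).
MAX_RESULTS = 5

# Constructed sample directory: fictional entries, not real listings.
DIRECTORY = [
    {"first": "John", "last": "Smith",
     "email": f"john_smith{i:03d}@hotmail.com", "location": "Seattle, WA"}
    for i in range(120)
] + [
    {"first": "Jane", "last": "Doe",
     "email": "jane_doe@hotmail.com", "location": "Portland, OR"},
]

# The search-results URL quoted in the report, with its line-wrap artifacts removed.
RESULTS_URL = (
    "http://kevdb.infospace.com/info/kevdb?OTMPL=%2Femail%2Femail-out.html"
    "&QK=5&QN=smith&QF=john&KCFG=email&ran=14657"
)


def set_query_param(url, key, value):
    """Return url with one query parameter rewritten (the QK=5 -> QK=100 edit)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params[key] = str(value)
    return urlunsplit(parts._replace(query=urlencode(params)))


def _matches(url):
    """Parse the query and select records whose first/last name match QF/QN."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    first = params.get("QF", "").lower()
    last = params.get("QN", "").lower()
    hits = [r for r in DIRECTORY
            if r["first"].lower() == first and r["last"].lower() == last]
    return params, hits


def naive_search(url):
    """Vulnerable pattern: QK is trusted as given and full addresses are returned."""
    params, hits = _matches(url)
    page_size = int(params.get("QK", MAX_RESULTS))
    return [r["email"] for r in hits[:page_size]]


def mask_email(addr):
    """Hide the local part so a listing cannot be harvested into a mailing list."""
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain


def hardened_search(url):
    """Clamp QK to the intended maximum and never return a full address."""
    params, hits = _matches(url)
    try:
        page_size = int(params.get("QK", MAX_RESULTS))
    except ValueError:
        page_size = MAX_RESULTS
    page_size = max(1, min(page_size, MAX_RESULTS))
    return [mask_email(r["email"]) for r in hits[:page_size]]


if __name__ == "__main__":
    harvest_url = set_query_param(RESULTS_URL, "QK", 100)
    print(harvest_url)
    print(len(naive_search(RESULTS_URL)), "addresses with QK=5")
    print(len(naive_search(harvest_url)), "addresses with QK=100")
    print(hardened_search(harvest_url))
```

The clamp alone does not fix the problem the report describes, since a harvester can still page through results five at a time; it only raises the cost. Masking is the control that actually matters, because once the full address never leaves the server there is nothing to harvest, which is what InfoSpace's 3/19/2001 change amounted to.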
InfoSpace also provides a form where users can enter an email address and find a person's location:
(go to the form at the bottom of the page)
At various times, the HotMail member signup page has asked new members to enter either their city and state of residence, or only their state (currently, only the state of residence is requested). But the form also requests a zip code, and the user is prompted to re-enter their information if the city/state and zip code don't match. So the location information associated with most HotMail users is correct, since the only way for a new user to enter incorrect information at signup would be to look up a valid zip code for another city, and most users don't bother.
Most HotMail users might assume that a person corresponding with them over the Internet can't determine their location based on their address, but this isn't true if their address is listed at InfoSpace.
Publishing this report does raise the issue of whether it is ethical to reveal this information, including the details of how to collect the email addresses of HotMail members that HotMail shares with InfoSpace. However, the amount of spam received by HotMail users who never published their email addresses, suggests that many spammers had already discovered how and where HotMail makes its members' email addresses available. Since HotMail and InfoSpace will probably stop publishing member email addresses immediately after this report is brought to light, the window of opportunity for any new spammers to exploit this loophole is too short to be of any use, and the end result should be less spam for HotMail users in the long run.
In January 2001, we publicized that HotMail had been silently blocking their users from sending us mail (as part of a private boycott against our service provider), returning the messages to the sender with a bogus "Returned Mail" error. Most of our members with HotMail addresses were outraged to find out that HotMail had been blocking their outgoing mail to Peacefire.
HotMail immediately stopped blocking outgoing mail, but defended the boycott as a "spam-fighting" tactic. (Our ISP refuses to host spammers, but was targeted for the boycott anyway because of the content of some hosted sites including ListSorcerer.com and BulkISP.com, which do business with spammers located on other providers. This "boycott blocking" is of course different from the far more common practice of blocking actual spam, which ISPs do to protect their users' accounts, usually with their approval, and not for any boycott-related reasons.)
Our members with HotMail addresses, in addition to being outraged to find out that they had been co-opted into this "boycott" without their permission, said in some cases that the "spam-fighting" excuse was ironic, given that they had been receiving spam in HotMail accounts that they had never publicized anywhere. We began investigating whether HotMail had made its member addresses available to third parties where spammers might have harvested them, and found the connection to InfoSpace.