My Spam Trap Caught A Company - How Legitimate Is Their Response? [closed]

I have my own domain (let's call it MyDomain.com), and my email account is set up such that all mail sent to @MyDomain.com will end up in the same mailbox.

So, think of a word, put it in front of @MyDomain.com, send me an email, and I will get it.

When I sign up for SomeService.com, the email address I will give them is ‘[email protected]’.

This means that if I get a spam email sent 'To' [email protected], I can identify 'someservice' as having compromised my email address...Or so I thought.

When catching a company (a pharmacy from whom I'd bought earplugs), as far as I was concerned, red-handed, I sought them out, and got the following response:

I am one of the webmasters of the [SomeService] commerce portal. We take user data security very seriously as our business depends on this.

We have been PCI certified by 2 independent agencies who routinely scan our systems for security flaws.

Emails can leak out at multiple levels including the user's computer or in transit due to network sniffers that are increasingly being employed by professional spammers.

We not only keep our systems behind a firewall but also encrypt user data to ensure privacy even from our own staff.

I reiterate this is not something we condone and we will do an internal investigation to ensure our systems are clean. Kind Regards [administrator]

What do you folks make of this? Some questions I'm asking are

  • What is PCI certification and can I take this seriously/is it credible?
  • Are the 'email-leaking' and 'network sniffer' claims credible?

And any thoughts in general. Let's just say I'm learning.

Thanks, James
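The per-service alias scheme described in the question is easy to automate once mail is actually flowing: read the addressing headers of each received message, pull out the alias on the catch-all domain, and compare the sender's domain with the domain that service is expected to mail from. The following is an added example, not code from the original post; the domain `mydomain.com`, the sample messages, the `EXPECTED_SENDERS` table and the preference for `Delivered-To` over `To` are all assumptions made here. It reports which alias received unexpected mail, which, as the question itself notes, is not the same as proving how that alias leaked.

```python
"""Attribute unsolicited mail received at a catch-all domain to the
per-service alias it was delivered to (added example, not from the post)."""
import email
from collections import defaultdict
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "mydomain.com"  # assumed; stands in for MyDomain.com

# Alias -> domain that service is expected to send from (assumed table).
EXPECTED_SENDERS = {
    "someservice": "someservice.example",
    "othershop": "othershop.example",
}

# Constructed sample messages (headers plus a one-line body).
SAMPLE_MESSAGES = [
    "From: orders@someservice.example\nTo: someservice@mydomain.com\n"
    "Subject: Your order\n\nThanks for your purchase.",
    "From: promo@bulk-mailer.example\nTo: someservice@mydomain.com\n"
    "Subject: Cheap pills\n\nBuy now.",
    "From: newsletter@othershop.example\nTo: othershop@mydomain.com\n"
    "Subject: News\n\nHello.",
    # To header hides the recipient; only Delivered-To reveals the alias.
    "From: spam@random.example\nTo: undisclosed-recipients:;\n"
    "Delivered-To: someservice@mydomain.com\nSubject: !!!\n\nx",
]


def recipient_aliases(raw):
    """Return the set of catch-all aliases (local parts) a message was
    addressed to. Delivered-To is read as well as To/Cc because To can
    be empty, a group address, or simply not mention the real recipient."""
    msg = email.message_from_string(raw)
    values = []
    for header in ("Delivered-To", "To", "Cc"):
        values.extend(msg.get_all(header, []))
    aliases = set()
    for _, addr in getaddresses(values):
        local, sep, domain = addr.rpartition("@")
        if sep and domain.lower() == CATCHALL_DOMAIN:
            aliases.add(local.lower())
    return aliases


def sender_domain(raw):
    """Domain part of the From address (lower-cased, '' if absent)."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def attribute_leaks(messages, expected_senders):
    """Map each alias to the sorted list of sender domains that are not
    the domain the corresponding service is expected to mail from."""
    suspects = defaultdict(set)
    for raw in messages:
        sender = sender_domain(raw)
        for alias in recipient_aliases(raw):
            if sender != expected_senders.get(alias):
                suspects[alias].add(sender)
    return {alias: sorted(domains) for alias, domains in suspects.items()}


if __name__ == "__main__":
    for alias, domains in attribute_leaks(SAMPLE_MESSAGES, EXPECTED_SENDERS).items():
        print(f"{alias}@{CATCHALL_DOMAIN}: unexpected senders {domains}")
```

Run against the constructed samples, only the `someservice` alias is flagged, with two unexpected sender domains; the legitimate order confirmation and the other shop's newsletter are not. In real use the raw messages would come from the mailbox (an IMAP fetch or a Maildir walk) rather than the inline list.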


PCI certification probably relates to PCI Security Standards Council, which is mostly about Payment Application Data Security, rather than email security. In short: No relation to your request.

As regards sniffers on your local network, I really don't think that anybody went to the trouble of connecting to your home in order to get your email addresses. So again: Not related to your question.

A firewall is not an ultimate protection, since it may have unplugged security holes, and it anyway passes emails which may convince employees to install spyware behind it on the internal network, which then becomes wide open to the hacker.

Encrypting user data is nice, but a virus can always intercept the email before it was encoded.

Conclusion: This is high-and-mighty blah-blah whose purpose is to hide that the guy doesn't have a clue as regards security. Don't trust them; they might be full of viruses and still naively fully confident of their firewall.

For protecting your email, I suggest having a look at e4ward. It has free or paid accounts (only $10 a year) and allows much better control of your email, since it lets you cut off such guys.


PCI compliance is a data security standard used by those who handle credit card data. It is certainly possible to harvest email addresses in a variety of ways. Whether and how often this is done over the wire is the question. The response doesn't address whether they sell their email addresses. You should be able to obtain their privacy policy on their web site or by request and it should cover this issue. Also, it might be possible for an insider to harvest addresses (I don't know how PCI deals with this possibility).