|
 |
|
Dev Hardware Forums
> GENERAL GooSH!™
> Local Pub
|
Beware of Namesdatabase.com
Discuss Beware of Namesdatabase.com in the Local Pub forum on Dev Hardware.
Beware of Namesdatabase.com Local Pub forum discussing non-technical issues. Come here to hang out with other visitors, and tell them about how your day is going. Talk about anything from music to your personal milestones.
|
|
 |
|
|
|
|
Dev Hardware Forums Sponsor:
|
|
|
February 4th, 2006, 02:34 PM
|
 |
|
|
Join Date: May 2004
Location: New Springfield, OH
|
|
|
Beware of Namesdatabase.com
I recently registered at namesdatabase.com. It's sort of an online Who's Who for tracking down old high school classmates.
Their site featured the two logos shown below:
 
The certifications were issued by a company called SecurityMetrics, a for-profit company that specializes in site security and identity theft protection.
Or so I thought!
As a requirement for free registration at namesdatabase.com, I had to supply 24 email addresses for referrals. I admit that I cheated a little (I used some from my own domain) in coming up with 24 addresses, but it allowed me to see exactly what kind of identity protection that SecurityMetrics was really offering.
Here is a copy of one of the referral emails that I received. Pay close attention to the opt-out section near the bottom.
Quote:
Remember your link from my name here:
http://namesdatabase.com/2m.pl?k2=24947321050
1 -> Use my name here's link by clicking above.
2 -> Enter your info for a membership connected to my name here.
3 -> Share links with other friends, family and co-workers.
4 -> Use the members-only people search tools.
my name here selected you for this on 09-02-2004 22:52 ET.
nilpo@nilpo.com (my name here) initiated this to insider@nilpo.com
at 01-31-2006 07:19 on namesdatabase.com from the IP address 67.172.xx.xx.
If you do not know a my name here, use http://namesdatabase.com/u.pl?bb2=24947321050 to halt more reminders about this.
For reference, the address of The Names Database is PO Box 550175, Waltham, MA 02455.
|
I've edited email for posting in this forum. For my own protection I've removed my name and hidden my IP address. Both were fully visible in the email. A couple of members here received these emails and can speak for that.
It's fairly common knowledge now days that this type of practice is both foolish and unnecessary. I contacted SecurityMetrics at the abuse email listed on their website and sent the following message. (Also edited for posting.)
Quote:
To Whom It May Concern:
I recently enrolled for a membership at namesdatabase.com. Their site features
both a "SecurityMetrics Certified" logo and an "Identity Theft Protected" logo
from your site.
As part of the enrollment, I had to list 24 other email addresses to "recommend"
their site to. A copy of one of those emails was sent to me and is copied
below.
You'll note in their opt-out section at the bottom they have listed the IP
address that I registered from. This email went to all 24 of the people I
recommended.
"Identity Protection"? What a joke! Where's my online identity protection?
This type of security vulnerability is both common knowledge and unacceptable.
If this is the type of site that you are willing to certify, it doesn't speak
very highly of your services.
As both a Webmaster and an e-Security professional, I find this practice
repulsive. I would recommend you revoke their certification. This not only
reflects on their poor judgement but also suggests yours.
A Concerned Identity,
my name here
pasted copy of original email with headers
|
I sent a similar message to namesdatabase.com.
I have yet to receive a reply from either of them.
Last edited by Nilpo : February 4th, 2006 at 02:36 PM.
|
February 4th, 2006, 02:50 PM
|
 |
Enjoy the silence
|
|
Join Date: Jan 2003
Location: North of the 49th Parallel
|
|
|
I'm interested in their response.
The thing with ID theft is that there are now so many vectors that I'm not sure which ones they're protecting you from.
On a side note, you should read back issues of Cryptogram for the Doghouse commentary. Its quite a read.
|
February 4th, 2006, 03:09 PM
|
 |
Command Line Warrior
|
|
Join Date: Jan 2006
Location: Sector ZZ9 Plural Z Alpha
|
|
|
24 addresses?? WTF?
For me that'd be the first clue to the fact that those people either don't have a clue, or are on a cheap scheme to harvest addresses for a spam list.
|
February 4th, 2006, 03:53 PM
|
 |
<~~ This is why I'm hot
|
|
Join Date: Jan 2004
Location: <?php echo "At the console."; ?>
|
|
|
Or y'all could just do what I do. A@A.com, B@B.com, etc. But wow, that is interesting...definitely post their response.
__________________
...yeah you know you like that
|
February 4th, 2006, 04:07 PM
|
|
Command Line Warrior
|
|
Join Date: Jan 2006
Location: Sector ZZ9 Plural Z Alpha
|
|
|
Or if they check for the presence of an MX server (I know the mail script on my site does), use A@Namesdatabase.com, B@Namesdatabase.com, etc...
That'll teach 'em... :-D
|
February 4th, 2006, 10:48 PM
|
|
|
|
Join Date: May 2004
Location: New Springfield, OH
|
|
Quote: | Originally Posted by Itsacon 24 addresses?? WTF?
For me that'd be the first clue to the fact that those people either don't have a clue, or are on a cheap scheme to harvest addresses for a spam list. |
They're trying to get as many people to register as possible. They are a legit service, they just have shady tactics.
|
February 4th, 2006, 10:50 PM
|
|
|
|
Join Date: May 2004
Location: New Springfield, OH
|
|
Quote: | Originally Posted by pyromonkey Or y'all could just do what I do. A@A.com, B@B.com, etc. But wow, that is interesting...definitely post their response. |
They verify each address. They have to successfully send each email before registration continues.
I'd love to get my hands on their script. lol.
|
February 5th, 2006, 04:31 AM
|
|
Command Line Warrior
|
|
Join Date: Jan 2006
Location: Sector ZZ9 Plural Z Alpha
|
|
Quote: | Originally Posted by Nilpo They verify each address. They have to successfully send each email before registration continues.
I'd love to get my hands on their script. lol. |
Something like this?
php Code:
 Original
- php Code |
|
|
|
function getmxrr2($hostname, &$mxhosts) { exec('nslookup -type=mx '. $hostname, $result_arr); foreach($result_arr as $line) { if (preg_match("/.*mail exchanger = (.*)/", $line, $matches)) $mxhosts[] = $matches[1]; } return( count($mxhosts) > 0 ); } function validate_email($email) { $mxfunc="getmxrr"; else $mxfunc="getmxrr2"; ##### Create the syntactical validation regular expression $regexp = "^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$"; ##### Presume that the email is invalid $valid = FALSE; ##### Validate the syntax if (eregi($regexp, $email)) { list($username, $domaintld) = split("@", $email); ##### Validate the domain if($mxfunc($domaintld,$mxrecords)) $valid = TRUE; } else { $valid = FALSE; } return $valid; }
Like I said, my server performs the same check...
Except maybe for sending an email address and seeing if it was bounced.
Easy way to circumnavigate that is to use false email addresses on a server that has a catch-all configured, so non-existent addresses don't get bounced.
|
February 5th, 2006, 05:58 PM
|
|
|
|
Join Date: May 2004
Location: New Springfield, OH
|
|
|
It waits to see if they bounce. That is a nice script though.
|
Developer Shed Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
