Performancing.com user database ends up where it doesn’t belong

I got an email from Mr. Robert Lo, Foreign Service Manager at Delixi Global Resources, based in Hong Kong. The sender was robertlo@shaw.ca, but the reply-to mail address was delixicompany_agent@yahoo.co.uk. The mail mentioned a website, but no website address was given, and the mail was not sent from Hong Kong, but from Alberta, Canada (ISP location via IP address). The most remarkable thing about this apparent job scam was that they got my email address via the blogger community (and former blog statistics service and ad network) at performancing.com.

How do I know?

Every time I sign up for a website or service, I use a unique email address. Usually something as simple as yourdomain@mydomain.com (so yes, this mail was sent to performancing.com[at]vanhecke.info – see headers at the bottom of this post).

But the scammer could have gotten my email address in another way?

No. The mail address performancing.com[at]vanhecke.info only existed in my Gmail Inbox and in the Performancing.com user database. It was never even on my hard drive (except for the browser cache). What’s more: a friend of mine who had signed up for the Performancing Metrics (blog statistics) service as well got the same scam mail from the same IP address, with a 20-minute time difference.

Am I accusing Performancing of selling mail addresses to scammers?

No. I am just saying something went wrong with the user database. I have no clue what exactly. It is possible data was sold, it is possible data was copied by someone who illegitimately had access to the server, it is possible a PC of one of the Performancing team members had a copy of the database and was compromised (e.g. with a virus/Trojan) or stolen.

More about Performancing

Performancing was a service I really liked. It used to be run by a web-savvy team that created the Performancing Firefox plugin and a visitor statistics service for bloggers that has been the best free service out there for a long time (apart maybe from Measuremap, but that is still in closed beta).

The idea behind all this was to first create an audience by offering free tools and a community site, in order to obtain critical mass for an ad network (they reached 28.000 blog owners, see 2nd paragraph of this interview). The ad network launched last October (I had metrics and ad code on my blog for a while), but apparently things did not work out as expected: both statistics and blog ads stopped functioning and the community site and user database were sold to another blog network, Splashpress Media.

Again, I am not implying any of the members of the old or new team has anything to do with it. But it does make you wary of privacy statements: you never know if they’ll be kept to when the difficult times come, financially, organisationally or technically.

Part of the email’s headers:

Return-Path: <robertlo@shaw.ca>
Received: from mx1-intern.mailprotect.be (mx2-intern.mailprotect.be [217.19.237.51])
by vanhecke.info (8.11.6/8.11.6) with ESMTP id l1NCaUu30690
for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:36:30 +0100
Received: from mx.mailprotect.be (mx.mailprotect.be [217.19.237.56])
by mx1-intern.mailprotect.be (Spam Firewall) with ESMTP id 8452A66B34A
for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:36:24 +0100 (CET)
Received: from pd8mo4no.prod.shaw.ca (idcmail-mo2no.cg.shawcable.net [64.59.134.9])
by mx.mailprotect.be (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l1NCZ9UM016391
for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:35:10 +0100
Received: from pd7mr2no.prod.shaw.ca
(pd7mr2no-qfe3.prod.shaw.ca [10.0.144.129]) by l-daemon
(Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004))
with ESMTP id <0JDX009301MTA0A0@l-daemon> for performancing.com[at]vanhecke.info;
Fri, 23 Feb 2007 05:35:17 -0700 (MST)
Received: from pd6ms2no.prod.shaw.ca ([10.0.145.193])
by pd7mr2no.prod.shaw.ca (Sun Java System Messaging Server 6.2-7.05 (built Sep
5 2006)) with ESMTP id <0JDX00AH21MSC760@pd7mr2no.prod.shaw.ca> for
performancing.com[at]vanhecke.info; Fri, 23 Feb 2007 05:35:17 -0700 (MST)
Received: from shaw.ca (pd6ms2no-con [10.0.145.193])
by l-daemon (Sun Java System Messaging Server 6.2-7.05 (built Sep 5 2006))
with ESMTP id <0JDX004G61MRZVD0@l-daemon> for performancing.com[at]vanhecke.info;
Fri, 23 Feb 2007 05:35:16 -0700 (MST)
Received: from [10.0.144.81] by pd6ims1.prod.shaw.ca (mshttpd); Fri,
23 Feb 2007 13:35:15 +0100
Date: Fri, 23 Feb 2007 13:35:15 +0100
From: Robert Lo <robertlo@shaw.ca>
X-ASG-Orig-Subj: Part Time Job Offer (FreeJobs.Gigcities.Com)
Subject: Part Time Job Offer (FreeJobs.Gigcities.Com)
Bcc:
Reply-To: delixicompany_agent@yahoo.co.uk
Message-id: <ceeb8835fb98.45deed93@shaw.ca>
MIME-version: 1.0
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.05 (built Sep 5 2006)
Content-type: text/plain; charset=us-ascii
Content-language: en
Content-transfer-encoding: 7bit
Content-disposition: inline
X-Accept-Language: en
Priority: normal
X-Barracuda-Bayes: INNOCENT GLOBAL 0.5000 1.0000 0.7500
X-Barracuda-Virus-Scanned: by Mailprotect Spam Firewall at mailprotect.be
X-Barracuda-Spam-Score: 1.07
X-Barracuda-Spam-Status: No, SCORE=1.07 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=4.2 tests=MISSING_HEADERS, TO_CC_NONE
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.9479
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.19 MISSING_HEADERS Missing To: header
0.13 TO_CC_NONE No To: or Cc: header
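
The checks this post relies on, as an added example (not code from the original post): it reads an abridged copy of the header block quoted above, recovers the per-signup tag from the recipient address, finds the IP recorded at the boundary of the recipient's own mail servers, and flags the diverted Reply-To. Treating vanhecke.info and mailprotect.be as the recipient-side servers is an assumption, as are the function names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers quoted above; folding whitespace restored, "[at]" kept as published.
RAW = """\
Received: from mx1-intern.mailprotect.be (mx2-intern.mailprotect.be [217.19.237.51])
 by vanhecke.info (8.11.6/8.11.6) with ESMTP id l1NCaUu30690
 for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:36:30 +0100
Received: from mx.mailprotect.be (mx.mailprotect.be [217.19.237.56])
 by mx1-intern.mailprotect.be (Spam Firewall) with ESMTP id 8452A66B34A
 for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:36:24 +0100 (CET)
Received: from pd8mo4no.prod.shaw.ca (idcmail-mo2no.cg.shawcable.net [64.59.134.9])
 by mx.mailprotect.be (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l1NCZ9UM016391
 for <performancing.com[at]vanhecke.info> Fri, 23 Feb 2007 13:35:10 +0100
Received: from pd7mr2no.prod.shaw.ca (pd7mr2no-qfe3.prod.shaw.ca [10.0.144.129]) by l-daemon
 with ESMTP id <0JDX009301MTA0A0@l-daemon> for performancing.com[at]vanhecke.info;
 Fri, 23 Feb 2007 05:35:17 -0700 (MST)
From: Robert Lo <robertlo@shaw.ca>
Reply-To: delixicompany_agent@yahoo.co.uk

"""

def leaked_tag(msg, my_domain):
    """Service name encoded in the per-signup recipient address, or None."""
    pat = re.compile(r"for\s+<?([^\s<>;]+?)(?:@|\[at\])" + re.escape(my_domain), re.I)
    hits = (pat.search(hop) for hop in msg.get_all("Received", []))
    return next((m.group(1) for m in hits if m), None)

def handoff_ip(msg, trusted):
    """Peer IP logged by the outermost trusted server; hops below it are sender-supplied."""
    ip = None
    for hop in msg.get_all("Received", []):  # newest hop first
        m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(\S+)", hop, re.S)
        host = m.group(2).lower() if m else ""
        if not any(host == t or host.endswith("." + t) for t in trusted):
            break  # this hop was not written by a server we control
        ip = m.group(1)
    return ip

def reply_diverted(msg):
    """True when replies go to a different domain than the From address."""
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return bool(dom("Reply-To")) and dom("Reply-To") != dom("From")

msg = message_from_string(RAW)
print(leaked_tag(msg, "vanhecke.info"),
      handoff_ip(msg, ("vanhecke.info", "mailprotect.be")), reply_diverted(msg))
```

Only the Received lines written by servers the recipient controls can be relied on; everything beneath the handoff hop is whatever the sending side chose to supply.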

Full Text

From: Mr. Robert Lo
Foreign Service Manager
Delixi Global Resources
5 Goldhawk Estate, Brackenbury road,
HONGKONG W6 0BA
A company, Delixi Consults based in People Republic of China and has a Chapter in England,is in need of representatives in Europe and North America and south America and Canada to represent its interests with some companies that export products from China to this continents.
This message is send in english for universal understanding. Our company Tao & Wang Associate, a small consultantcompany in P.R. of China and England has been mandated to seek individuals in North America SouthAmerica, Europe Asia and Canada and All over the World for this purpose.We
are able to get your email address with the help of marketing research basedon our location.
The Representatives will act as a receiving payment agents and also placing orders for goods and products from customers. You can be compensated with between 10% and 15% for your service. We guarantee you a minimum of$2,000 monthly part time and can reach $20,000 based on the volumeand experience as time goes on. All this is possible because of
delaying getting approval for oversea branch. You can view our website for more details, If you are interested and for more information, please send an email
with your
Title : Ms/ Mr/ Mrs/ Dr:
…………………………………………
First Name:
…………………………………………………….
Surname:
……………………………………………………….
Age: 25-65+ : ………………………………
Relevant Experience: ………………………………………..
Your Company Name: ………………………………………
Monthly Income: ……………………………………………
Country:
………………………………………………………
Residential Address: ………………………………………
Phone Number: …………………………………………….
Fax Number: ………………………………………………..
Email Address: …………………………………………….
*Do you have an exclusive relationship with another china based
company?
YES /NO.*
TO:delixicompany_agent@yahoo.co.uk
Thank you.
Mr Charley wu
C.E.O
For Delixi Consults & Co

12 Responses to “Performancing.com user database ends up where it doesn’t belong”

  1. links for 2007-02-27 | blog.forret.com Says:

    […] Performancing.com user database ends up where it doesn’t belong Am I accusing Performancing of selling mail addresses to scammers? No. I am just saying something went wrong with the user database. I have no clue what exactly. It is possible data was sold, it is possible data was copied by someone (tags: performancing blog email spam) […]

  2. Jose Says:

    Hello Pascalvanhecke ,

    Let’s hope that this is only a one time thing. I recently joined Performancing, and am hoping that I don’t have to deal with my data being usurped by some unscrupulous marketer.

    Thanks for visiting my blog. It was appreciated.

    Jose

  3. Douglas Holt Says:

    I just received one of these same messages this evening. When I Googled the company name {Delixi Global Resources} your post was the first result. I did not use the same trick as above so I can’t be absolutely sure that the spammers obtained my email address from performancing but I did sign up for and use their services last year when they were available. Usually I use the free service at spamgourmet.com to sign up for questionable services so I can tell when my email address has been “bartered” without permission. This most recent event helps convince me that every service I sign up for may have a “questionable” privacy policy. Thanks for publishing.

  4. David Krug Says:

    I’ve been researching this as well. I got the same email and I have my suspicions how it happened whether through a LinkedIn email sell possibly, or through a faulty host. Performancing had a rocky hosting history.

    I know we take privacy very seriously and I’m sure the old team did as well. Let me know if there is anything I can do to help rectify this situation.

    David Krug

  5. Pascal Says:

    Hello David,

    I guess you can’t put the genie back in the bottle now… You probably have seen a similar posting on the performancing forum already?

    And yes, I have once had a Linkedin Connection request on my performancing mail address  (but I assume that was limited to people who opted in for the “Partners” ad network – my friend, who didn’t sign up for the ad network, hadn’t gotten it).

    What you might try is find out how to file a complaint for data theft in Canada? I have heard stories of our local Belgian “internet police” acting very efficiently… With the ip address from the email headers (I get quite some traffic the past few days on searches for this ip address…) Canadian police should be able to track down the owner of the originating machine.

  6. Pascal Says:

    Another one today – but I guess I cannot make any claim any more since I published how I form my email addresses ;-) :

    Return-Path:
    ….
    Received: from imf22aec.mail.bellsouth.net (imf22aec.mail.bellsouth.net [205.152.59.70])
    by mx.mailprotect.be (8.13.4/8.13.4/Debian-3sarge1) with ESMTP id l25KrWRe011442
    for
    ; Mon, 5 Mar 2007 21:53:33 +0100
    Received: from ibm65aec.bellsouth.net ([192.168.16.253])
    by imf22aec.mail.bellsouth.net with ESMTP
    id <20070305205327.PIPG13228.imf22aec.mail.bellsouth.net@ibm65aec.bellsouth.net>
    for
    ;
    Mon, 5 Mar 2007 15:53:27 -0500
    Received: from mail.bellsouth.net ([192.168.16.253])
    by ibm65aec.bellsouth.net with SMTP
    id <20070305205326.EVEF21542.ibm65aec.bellsouth.net@mail.bellsouth.net>;
    Mon, 5 Mar 2007 15:53:26 -0500
    X-Mailer: Openwave WebEngine, version 2.8.16.1 (webedge20-101-1106-101-20040924)
    X-Originating-IP: [72.36.218.138]
    From: Uk National Lottery
    Reply-To: claimsoffice_martincole@yahoo.co.uk
    To:
    X-ASG-Orig-Subj: Congratulations You have won =?ISO-8859-1?B?ozUwMCwwMDBHQlAhIQ==?=
    Subject: Congratulations You have won =?ISO-8859-1?B?ozUwMCwwMDBHQlAhIQ==?=
    Date: Mon, 5 Mar 2007 15:53:26 -0500
    MIME-Version: 1.0
    Content-Type: text/plain; charset=ISO-8859-1
    Content-Transfer-Encoding: 8bit
    Message-Id: <20070305205326.EVEF21542.ibm65aec.bellsouth.net@mail.bellsouth.net>

    The National Lottery
    P.O.Box 17,
    Kempsford GL7 4WZ
    London.
    UNITED KINGDOM
    (Customer Services)
    Date: 5th of March 2007

    FROM:UK NATIONAL LOTTERY
    TICKET NUMBER: 74454774
    SERIAL NUMBER: 144-66584
    BATCH NUMBER : BT-4478474121P

    AWARD FINAL NOTIFICATION:
    We happily announce to you the draw (#999) of the UK NATIONAL LOTTERY,online Sweepstakes International program held on the 3rd of March 2007. You were entered as dependent clients with: Reference SERIAL NUMBER:
    144-66584 and Batch number BT-4478474121P.

    Your email address attached to the ticket number: 74454774 that drew
    the lucky winning numbers:

    Bonus Ball [38] which subsequently won you the lottery in the 2nd category i.e match 5 plus bonus. You have been approved for a payment of
    500,000.00 POUNDS (FIVE HUNDRED THOUSAND Pounds Sterling.) in cash credited to file
    reference number:UKL/K5598/U4.This is from a total cash prize of
    five million pounds shared among the ten international winners in first
    categories.

    All participants were selected through a computer ballot system drawn
    from 50,000 (Fifty thousand) names of email users around the world, as
    part of our international promotion program. Due to mixed up of some
    names and addresses,we ask that you keep this award personal, till your
    claims has been processed and your funds remitted to you.This is part
    of our security measures to avoid double claiming or unwarranted taking
    advantage of the situation by other participants or impersonators,You
    are to contact our accredited agent for your winnings.

    SIR MARTIN COLE.
    UNITED KINGDOM LOTTERY CLAIMS AGENT.
    UK NATIONAL LOTTERY SECURITY AGENCY.
    E-mail: claimsoffice_martincole@yahoo.co.uk
    Tel:+447031820222

    He is your agent, and responsible for the processing and transfer of
    your winnings to you. YOUR SECURITY FILE NUMBER IS Z-90237-Y�67/U4
    (keep personal) Remember, your winnings must be claimed not later than
    (13th of March 2007).

    Our Lottery agent will immediately commence the process to facilitate the release of your funds as soon as you contact him. You may wish to establish contact via e-mail with the particulars presented above citing the batch and reference numbers to this letter.
    Our winners are assured of the utmost standards of confidentiality, and press anonymity until the end of proceedings, and beyond where they so desire. Be further advised to maintain the strictest level of confidentiality until the end of proceedings to circumvent problems
    associated with fraudulent claims. This is part of our precautionary
    measure to avoid double claiming and unwarranted abuse of this program.

    Goodluck from me and members of staff of the UK NATIONAL LOTTERY.

    Yours faithfully,
    Lou Stradd
    Online coordinator for UK NATIONAL LOTTERY
    Sweepstakes International Program.
    Copyright © 1994-2006 The UK National Lottery Inc.
    All rights reserved. Terms of Service – Guidelines

  7. Alder's Tone Says:

    Same thing happened, thanks for the PM Pascal. Performancing didn’t have the decency to respond when I questioned it.

    My opinion of performancing’s handling of user data isn’t positive. How would they feel if their bank let slip their personal details like this?

  8. chad Says:

    I had the same thing happen. 1 to 1 email for each signup I ever do. Performancing to date is the only one to have been spammed. They sold the list. Pure and simple.

  9. Bas Says:

    After some comments on the Performancing Members Forum, my account has now been closed.

    Is Performancing (turning) EVIL?

  10. links for 2007-03-23 at Past is prologue Says:

    […] Performancing.com user database ends up where it doesn’t belong Nice one Pascal (tags: spam performancing) […]

  11. Fanis Says:

    Got a spam on my performancing email too, from “REV. RICHARD CLAMPTON” (but actually revrichardclampton@terramail.com.sv), mailed from a Polish host. *sigh*

  12. Robert Lo Says:

    Hi here,
    This is Robert Lo, and the shaw email address is my personal email address. Ok, the followings are truth:
    I live in Alberta, Canada now.
    I was born in Hong Kong.
    I studied at UoL (UK)
    Other than that, I do not know delixicompany_agent@yahoo.co.uk, Delixi Global Resources, and Performancing.com, and I do not contact you any part time job.
    Now, I do not know is it my pc, my isp ,or performancing.com get hacked

    cheers,
    RL