Tools from Amazon.com

At least some of their items still have free shipping - I just ordered a set of Bessey Uniklamps and an HTC mobile base, and I was looking at a Dewalt reciprocating saw and a Jet disc sander, all of which offered free shipping. Tools provided by Grizzly or other companies and sold through Amazon charge shipping, though. Are they just cutting back on free shipping for the really heavy stuff? On the topic of shipping, Rockler is currently offering free shipping over $49 (and sales on K-body clamps) if you join their VIP mailing list. Andy

I just (2 weeks ago) got a $259 tool from Amazon with free shipping. You just have to check it out before ordering.

Dave

A couple of months ago I ordered some DVDs through Amazon.com. The RFCs for email allow a person to 'tag' their email address by appending a plus sign '+' followed by a string. The '+' and the string between it and the '@' is ignored for routing purposes. So woowdorker+ snipped-for-privacy@example.com will be delivered to the mailbox belonging to snipped-for-privacy@example.com, but the address in the From: header will read, literally "woowdorker+ snipped-for-privacy@example.com". Neat, eh?

Not all email systems properly impliment tagging, compliance with the RFCs like everything else on the internet is, after all, voluntary. But SpamCop does allow it and amazon.com does accept tagged email addresses on their order page.

So when I ordered, I tagged the address with a unique string, used only

for correspondence with Amazon.com, which being the suspicious sort, is SOP for me when ordering over the internet.

SInce then I have not only received spam to that uniquely tagged email address, but also a credit-card phishing attempt, forged to appear to have been from amazon.com, though actually sent from (or through) a server registered to Apollo Hositng in Austin, TX.

My emailed notitification to Amazon.com resulted in a form email reply, what I politely refer to as an "auto ignore". Attempts to inform Amazon through their webpage interface have been failing for about the last month or so though, according the error message, they hope to have that problem fixed 'shortly'.

When I attempt to login into my Amazon.com account I am told that my account cannot be located and they suggested that I open a new account. Yet Amazon.com was able to send a spam to that uniquely tagged address immediately after I attempted to log in. Do you suppose that was a coincidence?

Yes, that was a spam. I have not subscribed to an Amazon.com mailing list and yes, it came from an amazon.com server. Oh, and to 'unsubscribe' from their spamlist I am supposed to log into my amazon.com account and update my preferences. See above.

If I take their advice and open a new account it certainly will not be with amazon.com!

So, if you chose to order from Amazon.com you can expect that your email address will be passed to spammers and pshishers, amazon.com will spam you directly, will disable your account so that you cannot unsubscribe from their spam list, and will not accept complaints.

You've been warned.

Woodcraft has the Delta drum sander for $709, with wheels. If I hadn't bought a performax last week I would be all over it. Oh well, the performax is better anyhow, right?

| So, if you chose to order from Amazon.com you can expect that | your email address will be passed to spammers and pshishers, | amazon.com will spam you directly, will disable your account so | that you cannot unsubscribe from their spam list, and will not | accept complaints. | | You've been warned.

Interesting. It might be worth lobbying your state legislators to pass a bill on the order of

Iowa, all that's necessary is to print out a copy of the spam and take it to small claims court (filing fee of $20) for a default award of $500. Not all spams can be traced, of course, but this does somewhat level the playing field.

I'm tempted to open a spAmazon account. :-)

-- Morris Dovey DeSoto Solar DeSoto, Iowa USA

The aptly named CAN SPAM (as in yes, thanks to the Congress they can spam you and get away with it) Act of 2003 (S. 877)

preempts state email laws, supposedly the only Federal Consumer Protection law that nullifies stronger protections at the state level.

Don't plan on being able to close it.

I'm not sure the spam you received was from Amazon. I've been using a technique similar to what you described for about 3 years and I have never received any spam.

My technique goes like this: I have my own domain (call it example.com) and therefore I can get any email address @example.com. Whenever I correspond with any companies that want my email address I use snipped-for-privacy@example.com. I have been dealing with Amazon for 3 years with the email address snipped-for-privacy@example.com and have never received any email at that address except correspondence from Amazon.

Having said all that, I am only dealing with Amazon.ca so I'm not sure if they have different rules to abide by in Canada or not (but I doubt it).

Quentin.

| The aptly named CAN SPAM (as in yes, thanks to the Congress they | can spam you and get away with it) Act of 2003 (S. 877) | |

| || expressly preempts state email laws, supposedly the only Federal | Consumer Protection law that nullifies stronger protections at the | state level.

Hmmm. That's nasty. I have a bucket with over 10K unique spams received so far this year. I think I may have to pick one out and do a test. The Iowa statute is still on the books; and I'm curious to see if the spammer will do what it takes to get the state judgement overturned, pays the award, or just lets the unpaid judgement sit on their credit record...

-- Morris Dovey DeSoto Solar DeSoto, Iowa USA

I am.

Here are the headers:

Return-Path:

Received: (qmail 21213 invoked from network); 1 Dec 2005 14:22:32 -0000 Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 1 Dec 2005 14:22:32 -0000 Received: from mm-retail-out-1102.amazon.com (207.171.165.134) by mailgate.cesmail.net with SMTP; 1 Dec 2005 14:22:31 -0000 Received: from mail-app-2001.iad2.amazon.com (10.205.19.42) by mm-retail-out-1102.amazon.com with ESMTP; 01 Dec 2005 06:25:48

-0800 Received: by mail-app-2001.iad2.amazon.com id AAA-merchandizing-22498,1696; 1 Dec 2005 05:49:35 -0800 X-AMAZON-TRACK: merchandizing To: fredfighter+ snipped-for-privacy@spamcop.net From: "Amazon.com" Subject: Simplify Your Gift-Giving at Amazon.com Gift Central Bounces-to: emailSenderApp+ snipped-for-privacy@bounces.amazon.com Content-Type: multipart/alternative; boundary="mUlTiPaRtBoUnDaRy" X-AMAZON-MAIL-RELAY-TYPE: merchandizing

(192.168.1.101) is unroutable so it must be an internal handoff to the SpamCop webmail client server.

(207.171.165.134) is registered to Amazon.com.

Unless the spammer hacked into (192.168.1.101) to send his spam while forging the other received headers, that spam came from Amazon.

The phish, as already noted, did not come from Amazon.

Never ONCE had a problem with Amazon passing on my email address, purposely or accidently to ANY spammers or anybody else. I have my own domain name and have unique email address for different functions. I get ZERO spam.

192.168.1.101 is a typical internal IP address of a PC connection to a home router.

Tells me right there it didn't come from amazon. In addition, if you research cesmail.net, it's a company that a user can use to manage their email, for filtering, etc.

In this case, it is not. Received headers are pre-pended as the email is routed so that the most recent is at the top and the oldest at the bottom.

When you read those from the top down you are reading from the recipient backwards toward the sender.

Within each received header, read from left to right the sender is listed first (from) followed by the recipient (by) with an optional statement of the destination email address (for).

Uh, no. "by blade4.cesmail.net" means it was received _by_ that computer, not from it. Blade4.cesmail.net is the machine on which the SpamCop WebMail client runs. It is the last machine in the route, not the first. It is the machine on which I read the email.

Nor have I, and I've been buying there since 1997.

Ricky

Amazon 'subcontracts' though a loosely affiliated network of otherwise independent vendors. I bought about twenty DVDs, new and used, through Amazon and they were sent to me by more than a half dozen different outfits.

Most of those sent me emails directly from their own accounts confirming the order and some a second time confirming that they had shipped. So there is no question that Amazon passed my email address (and shipping address) on to those other parties. It would be trivial for Amazon to impliment an aliased forwarding system so that those same subvendors could send those emails to Amazon's customers without having the customer's actual email addresses. (and vice-cera, for that matter.)

At least one of those confirmation emails came from a hotmail account, so it is clear that some of those vendors are smalltime outfits. Most likely the phisher was one of those or obtained the email address from one of those. It is easy to imagine a small time vendor using an insecure PC.

I hope (and think it is reasonable to expect) that Amazon has applied better security to my credit card information. But their poor approach to handling abuse complaints leaves me with concerns about the quality of their security in general. A perpetually out-of-order abuse reporting web interface does not inspire confidence.

Clearly, in order to find and eliminate phishers from among their subcontractors Amazon would have to at least receive complaints from their customers as a first step.

Yeah, but Amazon states on the item description when you are buying from a third-party vendor. If they tell you that you are buying from a third party, and you buy from the third party, then you shouldn't (at least I wouldn't) hold Amazon accountable for what the third party did. I might complain on the Amazon site about what the third party did; there's a place for it, called vendor feedback, and I check it prior to buying from affiliates, and reading these reviews have kept me from buying from a couple.

Just today, however, I received a package from one of the third-party vendors. Very fast shipping and well packaged - and that was the gist of the reviews on this company.

Over the years I've used the "unique ID" test and never had a problem with Amazon, but I haven't used it since I started buying from the affiliates, so could be different with them. I've only bought from affiliates a few (three or four?) times over the past year or so and haven't noticed any increase in spam - but I can see where using them opens the door for it, so wouldn't argue with you there.

Ricky

Interesting series of events with Amazon.com lately....

I ordered a Makita air compressor from them on 12/1. The product description said it "usually ships in 24 hours", and it also said I'd get free 2-day shipping (they gave me an amazon Prime membership). Great!

Check my acount today and it says the compressor won't ship until JANUARY 1st through the 16th!!!! WTF! So I email them and tell them I really need this compressor and indicate my displeasure. Just tonight I get an email apologizing and saying it has shipped.

One other item of note was that when I checked to see if it had shipped, it not only told me that it wouldn't ship until January - but that I could NOT cancel my order!!! I think Amazon is playing some serious games with their shipping dates.

JP

Walter H. Klaus wrote:

I thought that was their business model. I didn't realize they had their own inventory.

Have you tried leaving feedback? As noted earlier, the webform that ostensibly is used for taking complaints appears to be perpetually out-of-order.

I understand what you are saying, but if they do not adequately police their afiliated vendors there is no question that they will wind up facilitating a host of criminal activity. The feedback system does not adequately address that. When a vendor gets a bad reputation they can just close their doors and join again under a new name.