Veracode Spams


I received copies of this mail to errata[at]attrition.org, a contact address at OSVDB.org and DatalossDB.org. A quick Google search showed it was also sent to mail lists that it wasn't appropriate for. Blatant spam. My reply to Veracode follows.

Return-Path: (mail001@mkto.veracode.net)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on forced.attrition.org
X-Spam-Level:
X-Spam-Status: No, score=-0.5 required=4.6 tests=BAYES_05,HTML_MESSAGE,
    SARE_UNI autolearn=no
X-Original-To: errata[at]attrition.org
Delivered-To: errata[at]attrition.org
Received: from mkto.veracode.net (mkto.veracode.net [72.32.217.109])
    by forced.attrition.org (Postfix) with ESMTP id 59E7920D61
    for (errata[at]attrition.org); Mon, 20 Jun 2011 08:57:04 -0500 (CDT)
Received: from mktomail.com ([172.25.6.140])
    by mkto.veracode.net (StrongMail Enterprise 4.1.1.6(4.1.1.6-56715)); Mon, 20 Jun 2011 08:56:59 -0500
X-VirtualServer: vsg109, mkto.veracode.net, 172.25.0.109
X-VirtualServerGroup: vsg109
X-MailingID: 1260327858::veracodeBetacust-406-1745-0-553-prod-701::701::0::491874::2674
X-SMHeaderMap: mid="X-MailingID"
X-Destination-ID: errata@attrition.org
X-SMFBL: ZXJyYXRhQGF0dHJpdGlvbi5vcmc=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_AEA6_74B0DC51.19495CFF"
X-Report-Abuse: Please report abuse here: http://www.marketo.com/policy
Reply-To: noxss@veracode.com
MIME-Version: 1.0
Message-ID: (1260327858.2674@veracode.com)
Subject: Announcing 5 Free Web Security Guides
Date: Mon, 20 Jun 2011 08:56:59 -0500
To: errata[at]attrition.org
From: "No XSS" (noxss@veracode.com)


Hello,

My name's Lesley and I work for a Web applications security company called Veracode. Since 
your site regularly publishes information in the security space, I wanted to reach out and 
see if you'd be open to adding our new "Free Security Threat Guides" to your site, be it in 
a helpful resources section, your blog roll or even as a mention in an upcoming article. 

Our five security vulnerability guides are packed with information yet easy to understand, 
and are useful for audiences ranging from IT executives to consumer-level cell phone users. 
A typical guide:

* Educates readers on threats like cross-site request forgery, SQL injections, mobile code 
  security issues 
* Gives easy-to-follow steps, guidelines and helpful "cheat sheets" for preventing attacks 
* Provides further free resources to learn more about security risk management

You can find links to our five free guides below:

* SQL Injection: http://www.veracode.[..]
* Cross Site Scripting: http://www.veracode.[..]
* Cross Site Request Forgery: http://www.veracode.[..]
* LDAP Injection: http://www.veracode.[..]
* Mobile Code Security: http://www.veracode.[..]

We'd love it if you'd take a look at the guides whenever you get a chance. If you like them 
and think visitors to your website will find them useful, it would be awesome if you shared 
them with your audience via a link or a mention in an article.

Thanks for your time and feel free to contact me if you have any questions.

Sincerely,

Lesley Michaels
Veracode

If you no longer wish to receive these emails, go to the following link to unsubscribe:
http://na-d.marketo.com/lp/veracode/UnsubscribePage.html?mkt_unsubscribe=[..]


From: security curmudgeon (jericho[at]attrition.org)
To: No XSS (noxss@veracode.com), lmichaels@veracode.com
Cc: cwysopal@veracode.com, ceng@veracode.com, mcirino@veracode.com, 
    crioux@veracode.com, gvilchick@veracode.com, creisig@veracode.com, 
    jstevenson@veracode.com, jcuff@veracode.com
Date: Tue, 21 Jun 2011 04:24:31 -0500 (CDT)
Subject: Re: Announcing 5 Free Web Security Guides

On Mon, 20 Jun 2011, No XSS wrote:

: Hello,

HI THERE

: My name's Lesley and I work for a Web applications security company
: called Veracode. Since your site regularly publishes information in the
: security space, I wanted to reach out and see if you'd be open to adding
: our new "Free Security Threat Guides" to your site, be it in a helpful
: resources section, your blog roll or even as a mention in an upcoming
: article. 

I am going out on a limb here and guessing you didn't see what kind of
information we publish about the security space? Let me give you the
five-cent tour:

http://attrition.org/errata/

This is where we point out all the crappy things about the security
industry like charlatans, plagiarism, security company screw-ups and
ironically, security companies that spam:

http://attrition.org/errata/spam/

We also like to publish fun rants and rebuttals about various security
topics:

http://attrition.org/security/rants/

http://attrition.org/security/rebuttal/

The rest of the site really isn't that interesting or topical to this
conversation.

: We'd love it if you'd take a look at the guides whenever you get a
: chance. If you like them and think visitors to your website will find
: them useful, it would be awesome if you shared them with your audience
: via a link or a mention in an article.

How about instead, I update the Errata Security Company Spam page to
include Veracode on it! Since you sent this mail to a list of people you
did not get permission from, this is blatant spam. I received three copies
of this mail, one to each of three different domains I am associated with.
I also noticed that you sent it to various mail lists as well, e.g.:

http://permalink.gmane.org/gmane.os.freebsd.questions/278504

: Thanks for your time and feel free to contact me if you have any questions.

I do have two questions and one long comment:

Question: What the hell were you thinking doing this? You sent this spam
to errata[at]attrition.org, right to the very address that embodies what we
do on this site. In what meth-induced state did you think sending spam was
an acceptable way to market Veracode's papers and services?

Comment: This absolutely disgusts me. Why? Because I personally respect
the hell out of several people at Veracode. I think that they are largely
a positive influence in the industry, and provide products and services
that would greatly enhance the security of organizations across the world
should they opt to use them. I know several people at Veracode personally
and have been acquaintances with one for going on fifteen years. I do NOT
want to add Veracode to Errata, but you have forced my hand. This site is
known for having a level of integrity that surpasses many reputable
companies in our industry. The security space knows that we will not
compromise on Errata work based on personal relationships or bias. Hell, I
had to put the company I work for on Errata earlier this year. Way to make
me a sad panda.

That said, I can only hope that the management team at Veracode, who I
have kindly CC'd in this letter, will drop your dumb ass from their ranks
before you make any additional world-class blunders.

: Sincerely,

Hugs & Kisses,

Jericho


The opt-out link in each mail was used to unsubscribe all three addresses.

