
"These aren't just lucky guesses."

How did you rule that out?



From the linked page: "I just got spammed this morning via my dropbox@... custom email address. cc'd on the spam were two other email addresses which belong to the two dropbox accounts that I share folders with. There is no way this was a random spammer guessing addresses as some of the mods are suggesting."

Seems highly unlikely that the situation this person described would result from anything other than Dropbox being compromised in some way.


The people he shared folders with could have been compromised.


Entirely possible. The moderator's handling of this issue was pitifully bad but the assumption that Dropbox MUST be at fault here is ridiculous.


Dropbox may or may not be "at fault", but they've certainly got a problem. Even if the root cause turns out to be a common rootkit/trojan/botnet has started extracting and reporting email addresses from Dropbox clients on exploited customer machines, that's still a problem for Dropbox (and their customers) even though few people would call Dropbox "at fault" in that circumstance.

And, the mods there held on to the "it must be your fault, probably just an easily guessable email address + random bad luck" line _way_ past the point of credibility.


"they've certainly got a problem"

If you mean they should sort out their forum moderation policies then I agree.

If you mean that this must be a technical problem on their part then I disagree. A 3rd party submitting their address book to a Friend Finder or similar tool would not be the responsibility of Dropbox.


We both agree on two points: they need to do something about their support forum, and they don't definitely have a technical problem with their site/code/security.

They do seem to have a customer expectation and privacy problem though. If, as described by enough forum posters for it not to be a coincidence, email accounts created just for Dropbox's service and which are not trivially guessable are getting spammed - then Dropbox has somehow leaked customer data that customers had expectations of being private. If that were me, I'd consider myself to "certainly have a problem" - whether that problem is "my user database just got exposed via an SQLi attack", or "my contract with my newsletter emailing partner or customer support software service wasn't well thought through enough and they've used my clients' email addresses without my/their permission".

While I agree that a 3rd party (or even a 3rd party app) uploading their address book is beyond Dropbox's control - that doesn't seem likely to be the cause from my reading of the first few pages of that forum thread this morning - I doubt the sort of person who creates "username.dropbox@example.com" style email addresses for Dropbox is likely to then add that address into a contact list where Facebook or Instagram style contact-mining apps are likely to find them.

It'll be interesting to see this as it pans out - I'm reasonably sure Dropbox or one of their partners (I'd put a small wager on Zendesk), or some malware targeting their client app, is "leaking" usernames/emails.


I think you're missing the perfectly plausible use case where the user has used the Dropbox send link feature.

Note that a third party will now have the second party's email address without Dropbox being in any way culpable.

It's possible that the feature was never used but it's hardly an obscure use case.


If they were lucky guesses, his catch-all box would also have caught other random guesses for that domain.


He doesn't run a spam filter and he's using a catch all, therefore any email sent to any address on his domain will get to him.

If someone was just trying things to see what worked he would see those emails.


This is not entirely true. A very large percentage of spam (70-90%) is stopped at or before the banner, at a layer he probably doesn't control (unless he runs his entire email infrastructure).


I do run my entire email infrastructure, in this case. During the time period where a lot of these spam messages were received, it was directly hosted on an enterprise fiber line, on its own IP address, which I wouldn't imagine was doing any sort of filtering.

I could be wrong and it's possible that some filtering was happening on the ISPs side, but you'd think that of the thousands of spams that get through, there would be some that looked like guesses.


I'm curious, do you have a source for this? I have a Google Apps account for my domain; are they rejecting emails before they reach the 'spam' folder?


There would have been unlucky guesses as well as lucky guesses. It's incredibly unlikely that the first guess was correct, and that there were no guesses before or after that.
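The catch-all argument in this subthread (a guesser would also hit addresses that don't exist, so "lucky guesses" would come with unlucky ones) can be checked against delivery logs. The script below is an added example, not code from the thread or from Dropbox: it assumes a constructed, simplified log format and a hypothetical set of per-service aliases, and classifies each sending IP as a guesser (it hit local parts that were never created) or as a sender that only ever hit service-specific aliases, which is the pattern that points to a leak of those aliases.

```python
import re
from collections import defaultdict

# Constructed sample of catch-all delivery log lines (not from the thread).
# Assumed format: "<timestamp> from=<addr> ip=<sender-ip> to=<addr>"
SAMPLE_LOG = """\
2011-11-01T08:01:02 from=promo@offer.example ip=203.0.113.5 to=dropbox@mydomain.example
2011-11-01T08:01:03 from=promo@offer.example ip=203.0.113.5 to=zendesk@mydomain.example
2011-11-01T09:10:00 from=deals@bulk.example ip=198.51.100.7 to=admin@mydomain.example
2011-11-01T09:10:01 from=deals@bulk.example ip=198.51.100.7 to=info@mydomain.example
2011-11-01T09:10:02 from=deals@bulk.example ip=198.51.100.7 to=dropbox@mydomain.example
2011-11-01T09:10:03 from=deals@bulk.example ip=198.51.100.7 to=john@mydomain.example
"""

# Hypothetical aliases the domain owner created, one per service.
KNOWN_ALIASES = {"dropbox": "Dropbox", "zendesk": "Zendesk", "github": "GitHub"}

LINE_RE = re.compile(r"from=(\S+) ip=(\S+) to=([^@\s]+)@(\S+)")

def parse_log(text):
    """Yield (sender_ip, recipient_local_part) for each delivery line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(2), m.group(3).lower()

def classify_senders(text, known=KNOWN_ALIASES):
    """Per sender IP, record which known aliases it hit and how many
    non-existent local parts it tried. Any hit on an unknown local part
    marks a guesser; hits confined to service aliases suggest a leak."""
    hits = defaultdict(lambda: {"known": set(), "unknown": set()})
    for ip, local in parse_log(text):
        bucket = "known" if local in known else "unknown"
        hits[ip][bucket].add(local)
    report = {}
    for ip, h in hits.items():
        verdict = "guessing" if h["unknown"] else "targeted"
        report[ip] = {
            "verdict": verdict,
            "services": sorted(known[a] for a in h["known"]),
            "unknown_localparts": len(h["unknown"]),
        }
    return report

if __name__ == "__main__":
    for ip, r in classify_senders(SAMPLE_LOG).items():
        print(ip, r)
```

A "targeted" verdict on its own does not say where the alias leaked; it only rules out the dictionary-guessing explanation for that sender, which is the question the thread is arguing about.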



