Mass. state police instructor email database hacked/leaked

milktree

NES Member
Joined
Aug 31, 2008
Messages
8,121
Likes
11,663
Feedback: 35 / 0 / 0
I use a unique email when dealing with the Mass SP for instructor certification.

Today that email address got something that is clearly spam, but had in it my BFS instructor ID number, and claimed some association with the Mass State Police.

This is what I got:

https : // rhinoresearchllc.lt.acemlnc.com/Prod/link-tracker?redirectUrl=(redacted)



Milktree BFS0000XXXX (My actual BFS instructor number)
[milktree's special email address]
Department of State Police,

[my town] Massachusetts

I, Anthony Robert Calascione,
am personally writing to you,
because it's important.

The number one cause for inequality is search engines.
If user's searches were calculated by distance,
and not highest bidder, then local community
would naturally nurture local business.

Instead that transfer of sales from,
local business to big business,
equals jobs, standards of living, tax revenue,
and overall happiness basically.



As a result,
everyone knows they are being stolen from,
they just don't know from who.
As a result,
everyone is highly susceptible to point fingers,
and regress to their "they look like me" tribe.

As the funds continue to transfer from local community,
the happiness becomes frustration becomes resentment.
We are real people, with real families.
Caveman survival kicks in.

Imagine if a non-profit invented
an individual search engine
for every city in the entire world.
So people can simply choose
to search their community first.

RHINOStreet
Saturday June 25th, 2022

Meeting Tomorrow. 2pm EST.
[Accept Invite HERE]

Last Week's Replay
[Accept Replay HERE]

Anthony Robert Calascione

Rhino Research LLC, Founder

www.RHINOStreet.com
_________________

Sent to (my email address)

Unsubscribe:
RHINORESEARCHLLC Email Marketing (readacted)

Rhino Research LLC, 788 Shrewsbury Ave, Tinton Falls, NJ 07724, United States
[ Note: This message contains email list management information ]



Anthony Calascione <[email protected]>

Who the hell is Rhino Research LLC? New Jersey?


Have any of you gotten anything like this?
 
Yes, I received he same thing.

Both the company and the founder's name are real. They are on LinkedIn and Facebook. They are a marketing firm . . . and now we know how secure MSP databases are! [angry2]

I put a call in to Kristin at MSP and left a message that they were hacked. My BFS # isn't posted anywhere publicly and thus only students and MSP have it.
 
Yes, I received he same thing.

Both the company and the founder's name are real. They are on LinkedIn and Facebook. They are a marketing firm . . . and now we know how secure MSP databases are! [angry2]

I put a call in to Kristin at MSP and left a message that they were hacked. My BFS # isn't posted anywhere publicly and thus only students and MSP have it.

I traded a couple messages on FacePlant with him.

He pointed out that all that information is available on the web:


So, not hacked. Mass State Police is just sloppy with their data.
 
:oops: Wow! I never knew this. I know that you can Request to be listed on the MSP site as an instructor with contact info, but I always understood it to be an "opt in" situation with both BFS and LEOSA instructors. I never opted-in.

Very sloppy indeed. Hopefully this will wake them up if enough people complain and perhaps they might re-think it and secure the info. No reason for our BFS cert number to be public info.
 
He's still a scammer, claiming a meeting of all of us tomorrow!

I hope that he gets slammed.

Thanks for that update however.
 
It sure would be a bummer if he got subscribed to a bunch of mailing lists for political groups and sex toy vendors.
... You know, ones you can "simply unsubscribe [from] and never be bothered again"

04.png
 
It sure would be a bummer if he got subscribed to a bunch of mailing lists for political groups and sex toy vendors.
... You know, ones you can "simply unsubscribe [from] and never be bothered again"

Yeah. Nothing wrong with him emailing people and asking if they would like to subscribe in the first place. But automatically subscribing people and forcing them to “simply unsubscribe” is scammy.
 
MSP violated MGL C. 66 S. 10B by posting the lists (both BFS and LEOSA instructors) without opt-in permission.

I put a call into MSP last night and have been discussing it with @JGreen If those lists don't get taken down post-haste, I will be filing a law violation complaint against MSP with the AG and this guy strongly implies that his "meeting" is on behalf of MSP, so he's ripe for a FTC complaint as a scammer.
 
Yup. Constant stream of spam emails from this asshat now.

Sign him up for a bunch of mailing lists, the more lewd the better. Any place that sells sex toys, or ED drugs, or the most extreme political organization you can think of. Make him "unsubscribe" over and over again.
 
Yeah. Nothing wrong with him emailing people and asking if they would like to subscribe in the first place. But automatically subscribing people and forcing them to “simply unsubscribe” is scammy.
And yet it's standard business practice.

For a while I was getting some professional networking outdoor in Boston stuffing their events into my calendar. Even if you don't RSVP it'll sit there. I had to create some mail management rules to thwart them.
 
MSP violated MGL C. 66 S. 10B by posting the lists (both BFS and LEOSA instructors) without opt-in permission.

I put a call into MSP last night and have been discussing it with @JGreen If those lists don't get taken down post-haste, I will be filing a law violation complaint against MSP with the AG and this guy strongly implies that his "meeting" is on behalf of MSP, so he's ripe for a FTC complaint as a scammer.

You know as well as I do none of that matters. (lol when has this state ever been punished for breaking its own laws?) Also the cat is out of the bag, but getting them taken down might prevent newer instructors from getting spam at least.
 
You know as well as I do none of that matters. (lol when has this state ever been punished for breaking its own laws?) Also the cat is out of the bag, but getting them taken down might prevent newer instructors from getting spam at least.
That's my intent. Stop MSP from posting the lists without opt-in agreements.
 
Anyone else getting a surprising amount of spam email to that address since he started this shit? Like the nigerian type scam emails? I have been getting a ton since he sent his meeting email and I never had squat for spam to that email address before.
 
Anyone else getting a surprising amount of spam email to that address since he started this shit? Like the nigerian type scam emails? I have been getting a ton since he sent his meeting email and I never had squat for spam to that email address before.
Not surprised. His shtick is that he's a marketing person.

I unsubscribed after receiving a bunch of his garbage.
 
If you guys really want him to get punched in the rectum figure out how to get him blacklisted by vz, comcast and gmail, 90% of his mail will bounce lol
 
If you guys really want him to get punched in the rectum figure out how to get him blacklisted by vz, comcast and gmail, 90% of his mail will bounce lol

I would love to do this. I'm not quite sure where to start though.
 
I would love to do this. I'm not quite sure where to start though.
Read email headers to figure out which service he’s using (if he is) and reach out to their abuse contact. They are super sensitive to having their ip space listed in RBLs.

If he’s sending directly, same routine w/his ISP and/or add him to RBLs.

R

ETA - doubt he’s sending directly, as isps often block outbound 25 and many RBLs block end user IPs that are not swip’ed (ie, residential).
 
fukin' duh...

In the header of the emails:

X-Report-Abuse: Please report abuse to [email protected]

So, I suggest every single one of you forward one of his spams to that address and tell them:

  • He used a Mass State Police website to collect email addresses
  • He added every address to his totally unrelated mailing list.
  • When told it was inappropriate to use a government database to spam people and he should remove every single address from his list, he said, "thanks, each person can click unsubscribe if they don't want to get any more emails from me."
 
well, this is a good/bad mix;

Good: They responded.
Bad: it looks like they're not shutting him down, they're just preventing him from sending email to ME.

Maybe if they get 3,000 complaints they'll fire him.

This is what I got:

ActiveCampaign said:
Mick Fanning, Jun 5, 2022, 3:39 AM CDT

Hello,

Thank you for reporting this to the ActiveCampaign Abuse Desk. We hold a strict stance against unsolicited and malicious
mail and take your complaint very seriously. Your abuse complaint has been fully reported. I can confirm this sender will
not be able to send you any more emails through our platform.

The information you provided has allowed us to locate the account in question, and we are currently investigating the
issue.

If you have any additional questions, please let us know.

Kind Regards,
Mick
Compliance Analyst
ActiveCampaign


Thanks!
ActiveCampaign

This is what I sent:

milktree's complaint said:
I'd like to lodge a formal complaint against

"Anthony Calascione" <[email protected]>


- He used a Mass. State Police website to collect email addresses
- He added every address to his mailng list to sell investment crap
- When told it was inappropriate to use a government database to
spam people and he should remove every single address from his list,
he said, "thanks, each person can click unsubscribe if they don't want
to get any more emails from me." and continued to send out a ton of
emails.


He clearly doesn't understand what "unsolicited" means, and and has no
respect for anyone's time. This behavior is in violation of most
service providers' terms of service. I hope you have a similar set of
terms.

Furthermore, I expect it's a crime to misuse a government database.

Thanks,

-milktree
 
well, this is a good/bad mix;

Good: They responded.
Bad: it looks like they're not shutting him down, they're just preventing him from sending email to ME.

Maybe if they get 3,000 complaints they'll fire him.

This is what I got:



This is what I sent:

Report it to the blocklists while you are at it.

 
Got the list and having fun sorting through the numbers, there are 3,167 people on the list

@Rob Boudrie , who knew our own Rob is currently the 3rd lowest on the list

way back when, Rob alerted me about the program so I'm after him, currently the 29th lowest number on the list.

@Len-2A Training Len is waay back at with a 4 digit number, 67th on the list

looks like there were a max of 6600 people who got the cert and only 3167 are left

Where do you fit in and shame on you if you haven't become an instructor
 
Last edited:
How do you change your address with them? Asking for a friend...
 
@Rob Boudrie , who knew our own Rob is currently the 3rd lowest on the list
My number is actually BFS007 (though they inserted some more leading zeroes at renewal time, the used the same number). Must have had 3 people ahead of me not renew. I was hoping to get #1, but #7 was a nice consolation prize.

I see the list at https://www.mass.gov/doc/basic-firearms-instructor-listing-05-30-2022/download. Did you scrape that data into a readable form or find a more easily parsed format online?
 
Last edited:
How do you change your address with them? Asking for a friend...
Good question. They still have my former MA town listed. And of course, Kristin won't return my multiple phone calls/VM messages, so . . .

I'll be submitting a LEOSA qualification report this week, so I'll also send a note to update my address as well.
 
My number is actually BFS007 (though they inserted some more leading zeroes at renewal time, the used the same number). Must have had 3 people ahead of me not renew. I was hoping to get #1, but #7 was a nice consolation prize.

I see the list at https://www.mass.gov/doc/basic-firearms-instructor-listing-05-30-2022/download. Did you scrape that data into a readable form or find a more easily parsed format online?
I just use adobe to sort through the .pdf, it was interesting to see how many were in my little town as well
 
MSP violated MGL C. 66 S. 10B by posting the lists (both BFS and LEOSA instructors) without opt-in permission.
And made that doubly clear by their requirement that all BFS instructors must have an LTC, so they cannot argue it is not a list of LTC holders.
 
And made that doubly clear by their requirement that all BFS instructors must have an LTC, so they cannot argue it is not a list of LTC holders.
I started the online complaint form to the MA AG, but got called away and it timed me out. I'll do it tomorrow morning since my messages to Kristin have been ignored. It's time for formal complaints. File a consumer complaint

Afterwards I'll consider sending a similar complaint about the idiot who scraped the PDF list and spammed us as I'm pretty sure that his initial message strongly implied he was either from MSP or authorized to contact us by MSP. Even if it goes nowhere other than an inquiry by the AG's office, that ought to scare him straight!
 
Back
Top Bottom