Have you ever abandoned an email address? Did you make sure everyone switched to your new one? If your old provider has reissued the address to someone new, your old contacts could still be sending mail to someone else with your personal information.

This shouldn’t be a surprise, but InformationWeek reports that Yahoo! users who’ve picked up recycled addresses are getting important mail meant for the previous owner of the email address.

It started off with some stuff from catalogs and clothing companies and I thought, ‘That’s fine, I’ll just unsubscribe.’…But then I started getting emails with court information, airline confirmations, a funeral announcement…

Update: Yahoo! is introducing a “not my email” button to report mistaken deliveries.

Well, that’s an interesting approach to the misdirected email problem. This might even be useful as a general solution beyond recycled addresses. I once ended up receiving someone else’s Sears receipt and promotions, I assume because of a sales clerk’s typo.

But I find myself wondering about the potential for backscatter, collateral loss of mail, and just how people will actually use it in relation to the report spam button.

And that’s just with the honest people who get the reused mailbox!

Update 2: For commercial email especially, XKCD points out the importance of actually verifying that the email address someone gave you is theirs, and not someone else’s address written as a typo, and Word to the Wise highlights some real-world cases they’ve written about in the past.

Originally posted as two link posts on Facebook and one on LinkedIn.

Banner: Comic-Con International

If you’re trying to get a message out, or provide a service, analytics are great. They tell you what’s working and what’s not, so you can focus on what does work. Unfortunately, when it comes to email, a lot of organizations use a third-party click-tracking service, which registers which mailing the user clicked on, then redirects them to the real website.

Why do I say unfortunately?

Because it’s what phishing does: Sets up a link that looks like it goes one place, but sends you somewhere else instead. In the case of a legitimate email with a click tracker, you end up at the real site eventually. In the case of a phishing message, you end up at a fake login page that wants to capture your username & password, or a site with drive-by malware downloads. Using this technique in legit mail trains people to ignore warning signs, making them more vulnerable to the bad guys. And it makes it harder for security software to detect phishing automatically.
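To make the "looks like one place, sends you somewhere else" pattern concrete, here is an added example (my own code, not from the original post and not from Comic-Con or any click-tracking vendor). It scans an HTML email body for two defender-side signals: an anchor whose visible URL names a different host than its href, and an href that carries the real destination in a query parameter, which is the usual shape of a click-tracking redirect. The sample HTML, the hostnames, and the `u` parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample body (not from the original post): one tracker link,
# one plain link, and one link whose displayed URL disagrees with its href.
SAMPLE_HTML = """
<p>Registration opens Saturday. Go to
<a href="https://click.example-tracker.net/r?m=1234&u=https%3A%2F%2Fregistration.example.org%2Fcomic-con">https://registration.example.org/comic-con</a>
to buy badges.</p>
<p><a href="https://registration.example.org/faq">Read the FAQ</a></p>
<p><a href="http://login-example.org.evil.test/secure">https://secure.example.org/login</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<]+', re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def embedded_target(url):
    """Return a full URL hidden in the query string (click-tracker pattern), or None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            value = unquote(value)
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def analyze_links(html):
    """Return one finding per anchor: hosts involved plus a list of flags."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = URL_RE.search(text)  # only meaningful when the link text is itself a URL
        shown_host = host_of(shown.group(0)) if shown else None
        target = embedded_target(href)
        finding = {
            "href_host": host_of(href),
            "shown_host": shown_host,
            "redirects_to": host_of(target) if target else None,
            "flags": [],
        }
        if shown_host and shown_host != finding["href_host"]:
            finding["flags"].append("display/href host mismatch")
        if target:
            finding["flags"].append("redirect via query parameter")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f)
```

Note that the legitimate tracker link and the deceptive third link raise the same "display/href host mismatch" flag; only the embedded-target check tells them apart, and only because the tracker happens to expose its destination in the query string. That is the practical cost the post describes: once users and filters learn to tolerate the first link, the third one gets a pass too.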

Now add another reason: You don’t control that click-tracking service, so it had better be reliable.

That’s what happened with Comic-Con registration today.

Getting tickets to San Diego Comic-Con used to be a breeze, but last year the system broke down repeatedly. It took them three tries, with multiple handlers, to open a registration system that didn’t melt in the first few minutes.

A few days ago, Comic-Con International sent out a message with the date and time registration would open, and a link to where the page would be when it went live. They went to a lot of trouble to make sure their servers could handle the load, as did the company handling registration. They built a “waiting room” to make sure that people trying to buy tickets would get feedback, and get into a queue, when they arrived, but could still be filtered into the registration system slowly enough not to overwhelm it.

The weak link: The click tracker.


Blast from the past. Doing some email testing & dredged up my old netscape.net address. Had to re-activate it, and the handful of messages I probably saved way back in the day were gone, and now it’s aim.com instead…but it’s still got my years-outdated contact list, including people I haven’t interacted with in a decade.

As near as I can tell, I put together the list when I was in college, and never updated it. It’s still got all the old uci.edu and geocities.com addresses.

Oh, wow…there’s a pager number in there! (Remember those?)

Originally posted on Google+

I’ve dealt with a couple of companies that try to plug the general lack of security in email by using a “secure email” service. The way this works is:

  1. The company sends you an email with a link to a third-party or co-branded website, asking you to click on it in order to read important information about your financial/insurance/whatever account. (Or better yet, the third party site sends you the mail on the company’s behalf.)
  2. You click on the link and open the site in your web browser.
  3. You register for the site (which usually involves entering your name, choosing a password, and possibly entering other personal details, like a reminder question).
  4. You log into the site and actually read the message.

Can you see what the problem is?

That’s right: Steps 1-3 are exactly what you see in a phishing attack. Only in a phishing attack, the third-party site is a fake that’s trying to collect account information (like your login and password) or personal information (like your SSN).

So while they may be solving the immediate problem of “someone might intercept this message,” they’re perpetuating a broader problem by training people to fall for phishing attacks.
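As an added example (my own code, not from the original post and not from any secure-email vendor), the following scores two constructed messages, a legitimate "you have a secure message" notice and a phishing lure, against the same indicators a mail filter or a cautious reader would look at: a link that leaves the sender's domain, a request to register or log in, and a claim of important account information. Both messages score identically, which is exactly the problem the post describes. All addresses, domains and message text are made up; the indicator list is my own, not a standard.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlsplit

# Constructed messages (not from the original post). Same sender, same subject,
# same pitch; only the link target and the wording around it differ.
LEGIT_NOTICE = """\
From: Example Insurance <notices@example-insurance.com>
To: customer@example.net
Subject: You have a new secure message
Content-Type: text/html

<p>Important information about your account is waiting.</p>
<p><a href="https://securemail.example-vendor.net/register?acct=4421">Click here</a>
to register and log in to read it.</p>
"""

PHISH_LURE = """\
From: Example Insurance <notices@example-insurance.com>
To: customer@example.net
Subject: You have a new secure message
Content-Type: text/html

<p>Important information about your account is waiting.</p>
<p><a href="https://example-insurance-secure.test/login">Click here</a>
to log in and verify your password.</p>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.I)
CREDENTIAL_WORDS = ("register", "log in", "login", "password", "verify")


def sender_domain(msg):
    """Domain part of the From address (header value only; not authenticated)."""
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_pattern_indicators(raw):
    """Evaluate the 'steps 1-3' indicators on a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    sdom = sender_domain(msg)
    hosts = {(urlsplit(h).hostname or "").lower() for h in HREF_RE.findall(body)}
    text = re.sub(r"<[^>]+>", " ", body).lower()
    return {
        "link_outside_sender_domain": any(not in_domain(h, sdom) for h in hosts),
        "asks_for_credentials": any(w in text for w in CREDENTIAL_WORDS),
        "claims_important_account_info": "important" in text and "account" in text,
    }


def indicator_score(raw):
    """Number of indicators present (0-3)."""
    return sum(phishing_pattern_indicators(raw).values())


if __name__ == "__main__":
    print("legit notice:", phishing_pattern_indicators(LEGIT_NOTICE))
    print("phishing lure:", phishing_pattern_indicators(PHISH_LURE))
```

The scores come out equal because the secure-email workflow deliberately sends the reader off-domain to register and log in, which is the same thing the lure asks for. A filter that wants to keep delivering the legitimate notice has to whitelist that vendor host or loosen the rule, and either choice makes the lure easier to slip through.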

Sadly, this is not new.

Update 2022: A decade later, they’re still doing it.