MV Communications Newsletter: January 2004

MV Communications Newsletter: January 2004

In this issue:

Unfamiliar or bizarre terms that you run across might be in the newsletter glossary (-- if not, suggest that we add it.)

 

Feedback on Feedback

Our last newsletter garnered quite a bit of feedback, particularly in response to some of our suggestions about how to protect against inadvertantly abusing others on the net (via having your computer infected, compromised, or otherwise used in ways you don't want it to be used). We really appreciate the feedback and notes, even if we don't respond to many of them individually (sometimes we don't have a direct answer- and in nearly all cases it's very tempting to begin an extended dialog, a temptation that has to be consciously resisted).

One point of feedback was to note that the "netpersec" utility that we mentioned is no longer a free download. We didn't really mean to imply that it was or was not: we mentioned it only as an example of the type of connection rate we were talking about. There are a number of such monitoring programs; you can find some by using a search engine such as google, or even by browsing our TUCOWS mirror at tucows.mv.net . As always, be careful when downloading a program onto your computer: trust the source, and even then you should verify that it is virus free. (The phrase "trust but verify" comes to mind.)

Other places to find information about firewalls and connection monitoring include broadbandreports.com (nee dslreports.com) and practicallynetworked.com . These are only two: we're sure you can find many more with a little savvy surfing.

On a related note, a group of vendors has put together a site called personalfilewallday.org . There is sales-related material to be found there, but that's not necessarily bad.

 

Microsoft provides Blaster worm removal tool

At the close of 2003, Microsoft released a tool that will help remove the Blaster worm from Windows 2000 and XP systems that may have been infected before the appropriate security patch was installed. If you have one of these operating systems, Microsoft recommends that you apply the security patch (preventing future infection) and use a tool such as this one to eradicate any Blaster infestations that may have occured.

The removal tool can be found here.

Note: There are a lot of virus/scams going around in email that urge you to "install this patch" from Microsoft or other vendors. Do not install those patches, and in general don't install anything that arrives in your mailbox out of the blue.

 

What's this spam?

Did you ever open a message that you thought just might be spam but you simply weren't sure, only to find out that the message simply contained garbage characters or random words? Did you wonder what the purpose of that message was?

Before getting into what the message may have been doing, let's take a quick look at Outlook Express, one of the more common email applications. In most versions of Outlook Express you can actually set your email to be shown as "text" only. This has a number of advantages, most notably is that is makes your spam safer to open. Not necessarily "safe" -- just "safer." If you look in "Tools" "Options" under the "Read" tab, you should see a "Read all messages in plain text" button. Make sure to check this. When you open new messages, you will now see them as text, and HTML directives will not be processed. Multipart messages (those with text and HTML) will show up as having an attachment which can be opened to show the HTML version of the message.

Back to those seemingly random spam messages. Often they will have HTML within the message which may seem fairly harmless. It may do something as simple as loading a graphic image or setting the background. The problem is that while the sender of the email can't track who is actually reading the email when it is opened, they can track who is reading the email in HTML by looking at the logs on their webservers to see who has downloaded the graphics. Often these image tags will have a format like: 

   <img src=www.example.com/graphics/img.jpg?user@mv.com>
This does more than just opening up an image in your browser. The site owner now knows that "user@mv.com" not only was a valid email address, but the owner actually opened the email and read it! Bingo, this email address has just been verified. This is a technique used very widely by spammers to validate email addresses, and often relates to how much the spammer is paid to send out mass amounts of email. The image in question is not always visible to you: it's very common to use a 1 pixel by 1 pixel image size (the smallest possible point on your screen) which you're not likely to even notice. Nevertheless, if you are rendering the HTML portion of your email, any such image reference will provide the verification feedback they are looking for.

 

Scammers exploit IE bug

Somewhat related to the use of the "img" tags described above is a flaw in the Internet Explorer (IE) web browser that was revealed late last year. If a special unprintable character (a control-A character, to be exact) appears in a URL, Internet Explorer's location bar will only contain the portion of the URL up to that character, and nothing beyond it. So you might have a URL that looks like this: 
    http://www.mv.com-CA-@www.example.com/
(except that we're using "-CA-" here where the special character would be, since we can't print it here either.) Because of this problem, IE would display the URL as simply 
   http://www.mv.com
whereas (because of the way URLs work), the URL would actually take you to www.example.com . Several scams are already spreading that take advantage of this. One, for example, is a "phishing" attack where the victims believe they are communicating with citibank's website, when they really are communicating with an entirely different place.

This sort of exploit just underscores the importance of being careful. A lot of scams, infections, and other attacks succeed partly or entirely with the cooperation of the victim. If you receive HTML mail from an unknown source, why click on it? If somebody that you do business with is asking for your password via email, why would they do that? If you receive an executable program via email, why install it? If some stranger is offering you a lot of money, a good deal, or even something free: think a little bit about how this too-good-to-be-true deal really works. Be smart: don't do these things, don't be so trusting, and protect your system and the rest of the Internet.

 

FTC vs domain registration scam

In the past we've warned you to be on the lookout for domain registration trickery. A domain registrar may send you a paper notice telling you that your domain name will expire unless you sign a form, send them money, or otherwise authorize them to renew the domain for you. Somewhere in fine print may be a note telling you that it's a solicitation, but in every other regard it's designed to look like a bill from somebody you do business with. The goal is to get you to switch your registration service to that registrar, and it's surprising how often it works (although this kind of thing has been going on in many industries for many lifetimes). This activity became so rampant that we now lock all domains by default. (Locking a domain prevents a transfer without us unlocking it. We're happy to unlock a domain at your request, but this does help prevent these inadvertent transfers.)

In December the FTC requested a court order to penalize Domain Registration of America (DROA), which was one of the registrars prominently employing this tactic. Under the terms of the stipulated agreement, DROA would be required to stop this practice, provide redress for up to 50,000 registrants, and be subject to careful monitoring in the future.

You can see the FTC's release at http://www.ftc.gov/opa/2003/12/domainreg.htm

 

Sending business mail without spamming

There's a lot of damage caused by spam, not the least of which is to the way we regard electronic mail. Spam is so rampant, spammers so virulent, and both so nasty, that most of us have long ago given up even the slightest bit of consideration for any kind of commercial email. And if you are a business (or other organization) who is considerate and legitimate, you're probably gunshy about using email as a way to communicate with your audience. You'd like to reach them, but the downside is huge: do you want to be thought of as a spammer, and shunned as a result? We thought we'd take a few paragraphs to note how you can "play by the rules" -- and indeed what some of those rules might be.

And it is hard to play by the rules. Even if you have the explicit permission of everyone that you send email to, you will always get some backlash. People forget. Or they get so much spam they lump yours in with the rest. Or you may not have taken the steps you should have. Or (and this may not be a popular view) the spam/antispam wars have engendered a lot of very one-dimensional and contradictory viewpoints even between people who hate spam. These are all reasons to be very careful, and to send email only to people who really, really (really!) want to hear from you.

So here are some of our thoughts about what the some of the rules are.

Have permission.
This is the fundamental principle. You don't have a right to send email to somebody without their permission. It's not enough just to obtain somebody's address (e.g., via an entry form on your website, or collecting business cards at a trade show), unless they specifically and knowingly sign up for your email (so make it clear that that's what they are doing).

Verify.
If you have received someone's email address (again, as long as you explicitly told them that you would be using it to send them your information), that's not enough. You might have been given somebody else's address (as a prank, or worse). Or that person might have misunderstood your intent. Send a message to that address requiring that they confirm that they give you permission to send future mailings to that address. Lack of response is not confirmation here: in fact if you get no response, you should assume they don't confirm, and you should bother them no more.

Opt in, not out.
Never sign somebody up for your mail under the belief that it's OK because they can remove themselves later. Opt-out puts the burden on them, which is wrong. A recipient must explicitly sign up for (opt into) your mail; you must not make them take action to reject it (except in the case where they have asked for your mail and later remove their permission).

Process unsubscribes correctly.
Permission can be revoked at any time. Provide clear instructions on how to easily unsubscribe from future emails, and act on those instructions. "Easily" will vary from audience to audience, but generally: don't make somebody use a different method to get off your list than they used to get on it. Don't complicate things: e.g. if via a website, don't require anything other than basic HTML; if via email, don't require fancy file formats or attachments.

Handle abuse complaints gracefully.
Even if you follow all the rules, you will almost certainly receive abuse complaints. Handle them without rancor. If you can provide proof of their explicit subscription to your emails, so much the better: but don't let that stop you from doing the correct thing (including removing their address from future mailings). And if you find that you have indeed done something wrong, fix it.

Do the right thing.
Why send email to somebody who doesn't want it? Aside from violating our terms, that would be counterproductive and annoying. Don't confuse this list of rules with what's right: following rules is not the goal. The goal is doing the right thing. These are some guidelines for getting it right, they don't themselves represent the right thing. The right thing is communicating with people who you are entitled to communicate with. Nothing more.
None of this should be taken to mean that MV Communications condones or supports spam in any way. These guidelines dovetail with our policies, terms, and conditions pages our found here, and we present them in hopes of helping you not to spam.

 

Outages, News, etc.

A brief outage of the mail server at about 11PM January 16 prompts this reminder: you can check for reports of recent outages on our web server. One way is to go to our CS web page at home.mv.net and follow the "Network Status" link to "Outages." Another is to go to our home page at www.mv.com, access the "MV Information" pull-down to find the "Outages" selection, and hit the "Go" button. (You'll also see a link to "News" in that same pulldown.)

The outages area contains a running log of significant outages, as well as notices about planned events and any current outages being worked on. Unfortunately the outages area is not available if the outage affects the web server: in this case we try to put a notice in our phone system greeting.

 

Interesting Link(s)

Here again is a corner of our newsletter where we mention one or more sites that we have run across (via our wanderings or in newsletters we receive or in other places) that are interesting to us. Items here do not necessarily have anything to do with us (and often do not), nor do they necessarily have anything to do with our business or anything else we do. (It should go without saying that we make no representation about anything contained on those web sites.)

Alertbox: Cleaning up Information Pollution

We talk a lot about spam and how it is destroying the usability of email. But in many cases we don't need spam for that: we do it to ourselves.

Jakob Nielsen's Alertbox newsletter often provides some refreshing notes about how to make computers (particularly websites) more usable. Earlier this month he wrote some cogent tips about increasing productivity, mainly in regards to email. Included are some tips about what individuals can do, and what companies can do. It's a good read: find it at http://www.useit.com/alertbox/20040105.html .

 

Your feedback?

Do you have feedback on this newsletter (or past or future newsletters)? If so, please either:

 

Edit History

20040116: posted
20040117: add outages, news, etc. section.
20040117: fix typo in "Nielsen"