Email marketing company gives out questionable security advice

From: Richard M. Smith (rmsat_private)
Date: Wed Jul 02 2003 - 17:03:16 PDT


    Hi,
     
    Last week, I received an unsolicited email message from Mobil Travel
    Guide about their new online service.  In the message, I was encouraged
    to turn back on ActiveX and scripting in Outlook in order to view a
    Flash movie embedded in the message.  Needless to say, I thought this
    was a terrible idea.  Instead, I wrote the company who created the ad,
    Digital Produce (http://www.digitalproduce.com), saying they were giving
    out bad security advice and they should stop doing this sort of thing
    in future mailings.  
    
    I got a reply from the company this week basically saying that they
    agree with my concern, but not my solution.  Instead they decided to put
    a little security warning on their "real media fix" page.  This fixer
    page can be found here on their Web site:
    
       http://www.digitalproduce.com/site_resources/pdfs/outlookfix/
    
    I think the warning message is pretty lame and misleading.  Microsoft
    released the Outlook Security Update a few years back because anti-virus
    software wasn't stopping email worms.  Turning back on ActiveX and
    scripting only encourages the virus writers.
    
    (As an aside, the Xbox division of Microsoft is also a customer of
    Digital Produce.  I wonder if any Xbox ads gave out this same bad
    security advice?)
    
    OTOH, it's not too hard to understand where Digital Produce is coming
    from.  According to a recent article in Internet News, only about 30% of
    email users can view rich media email.  This percentage is declining as
    people upgrade Outlook and Outlook Express to newer versions with better
    security features.  It's pretty obvious that Flash-enabled email is a
    dying market.
    
    Along these same lines, images in HTML email messages will be the next
    thing to go.  The upcoming versions of Outlook and the AOL 9.0 email
    reader will no longer show images in HTML email messages by default.
    Hotmail offers this same feature as an option today.  This feature is
    intended to make email more kid-friendly by blocking porno pictures in
    incoming spam messages.  It also stops spammers from snooping on people
    using Web bugs.
    
    It will be interesting to see how email marketing companies and
    spammers adapt to these technical changes in HTML email.
    
    Richard M. Smith
    http://www.ComputerBytesMan.com
      
    


