« Who(m) Do You Trust? | Main | Phishing Blast from the Past »

October 23, 2007

Early in 2005, I had the privilege of speaking at a conference hosted by The Institute for Spam and Internet Public Policy. During my speech, one of my slides was a tongue-in-cheek suggestion that email users should be tested for fundamental knowledge about proper handling of email—almost to the same extent that preparing for a driver's test keeps us from running willy-nilly around the pavement (most of the time):

Funny, ha ha.

But then something happened to me today that not only made me resurrect the slide image, but prompted me to show it boldly here with tongue removed from cheek.

Without getting too detailed about it, let's say that I'm assisting a technophobic senior citizen relative of mine complete a real estate transaction. My relative is in Indiana, the real estate agent involved with the transaction is in Illinois, and I'm in California. My role is merely to be another set of eyes overlooking the deal.

The agent is a little frustrated with my relative who has no computer, fax machine, or cell phone. The agent is apparently thoroughly modern in this regard, and wants to use technology to its fullest. Normally, that's okay by me.

To bring me up to speed on the transaction, the agent needed to send me via email copies of various documents, some of which would be generated by outside services. Because I could not predict who the senders of these missives would be, attempting to whitelist those senders on my server in advance was impossible. Instead, I entrusted the agent with a private email address of mine that has no filtering on it whatsoever. Within hours, relevant documents started pouring in as expected.

But within 24 hours, I received another message from the agent that had nothing to do with the transaction. She was forwarding an announcement that some high-end condominium was soon opening its sales center. Whoop-de-freakin'-doo.

So, it was clear that the agent had—vacuum-cleaner-style—sucked my private address into her email distribution list. While that action, itself, is a horrible breach in protocol (an early chapter in the non-existent pamphlet shown above), it could be attributed to the overzealousness of a real estate salesperson (imagine!), and could be stopped with a single warning.

But, the situation was out of control long before I ever saw my copy of the forwarded message. This real estate agent—in her over-zeal—sent the message to 47 individuals, each of whose email address is in plain sight in the To: field of the message.

Now, I'm not too worried that my 46 co-recipients are going to start emailing me, but some of these addresses must belong to people who have the dough to be interested in a building whose top unit will be going for $40 million. On the other hand, that I'm on the list doesn't prove a thing. Still, if I were in that category, I certainly wouldn't want strangers to know it or know how to find me.

My real beef with this laundry listing of To: addresses in plain sight is that neither the sender nor any other recipient knows if the PCs on the receiving end are infected with malware that regularly inspects files for email addresses. If the message is instantly deleted, it will probably still stay in a trash folder for 30 days, ready to be snarfed up at will during that period. Even if the infection rate of the recipients were as low as ten percent, it means that five or so of these recipients' computers can expose my private, unspammed address to the spam gangs. In truth, all it takes is one compromised machine to compromise this private address. And, as we all know, once an email address gets out there, you can't get it back.

It's not difficult at all to create an email distribution list that utilizes the BCC (blind carbon copy) field to list all intended recipients. The beauty of the BCC field is that the addresses are not sent with each message to each recipient. Instructions on how to do that and, more importantly, why, would be another chapter in the Emailers Handbook. In the meantime, if I were an email cop, I'd pull over this real estate agent and give her a ticket for forwarding without a brain.

UPDATE (28 October 2007) — While I may have been spitting bullets about my experience with a clueless forwarder, a far more egregious example appeared this past week. An email sent by the House Judiciary Committee (U.S.) accidentally went out to everyone who had previously filled out a web site form to blow the whistle on questionable activity in the Justice Department. All addresses were exposed in the To: field of the message. Every whistleblower could see who else had blown the whistle. Oh, and so could whoever opens email addressed to Vice President Cheney. Next Monday's staff meetings could be ugly. More on the story here. Now, where's my Clue Stick?