While working on a False Positive (yes, it can happen to the best of us), I was stunned to discover how marketing people can bend email security rules.
The details
The message is a newsletter from a well-known Canadian bank: they’re sending an insurance reminder because the renewal date is coming up and they’re trying to get the customer to switch to them. The user is probably getting the message because he entered a contest or something, and specified his renewal date.
Since the user might not be a customer of this bank, the writer has to carefully word the promotional email. Also, he or she wants to add a bit of Sales/Marketing tracking to calculate the success rate of reaching the user, and whether the user clicks on the link. To improve the success rate, the bank hires a third-party specialist to create the newsletter.
The investigation
Looking at the sample, I first notice a dynamic FROM address in the envelope that comes from the 3rd party: 5t7t95c9t7ccg7bc897tvkrt@, whereas the FROM in the headers shows the bank’s direct address. Okay, no big deal – this is now a common situation. A while back, though, the email would have been caught right away.
Now, for marketing purposes, every link contained in the email goes to that 3rd party for tracking purposes; let’s call them ‘thirdparty.moo’. There are 19 links in the email, all going to ‘thirdparty.moo/string?xyz’ instead of the bank itself. Of course, a lot of people won’t check that, but ‘email-educated’ people and the ones who have had bad link-clicking experiences in the past will (i.e., victims of phishing, viruses, identity theft, etc.). The other problem is that some of these companies will openly relay almost any kind of mail to anyone, as long as they have been paid. So the same links will appear in both legit and spam email.
Finally, I decided to have a look at the SPF record [1]. The bank added an INCLUDE clause for the 3rd party address, but it doesn’t match the IP from where the email was sent (this is the 3rd party’s responsibility).
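To make the two observations above concrete, here is a small SPF evaluator with a constructed DNS table; it is an added example, not code from the original post. Note that receivers evaluate SPF against the envelope (MAIL FROM / Return-Path) domain, not the header From, so the bank’s own record is only consulted when the envelope domain is the bank’s; the toy therefore checks both domains and also flags the envelope/header domain mismatch. Everything in the table (bank.example, the netblocks, the sending IP) is made up for illustration, and only the ip4, include and all mechanisms are implemented.

```python
"""Toy SPF evaluator illustrating the failure mode in the post.

Added example, not from the original article. The domains, IPs and
DNS records below are all constructed for illustration.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (the real thing would query DNS).
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:thirdparty.moo -all",
    # The third party publishes a single netblock; the message in the post
    # was sent from an address outside it.
    "thirdparty.moo": "v=spf1 ip4:203.0.113.0/24 -all",
}

def lookup_txt(domain):
    return FAKE_DNS_TXT.get(domain.lower())

def check_spf(ip, domain, depth=0, max_depth=10):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    Supports only the mechanisms needed here: ip4, include and all
    (with +/-/~/? qualifiers). Real SPF also has a, mx, ptr, exists,
    redirect and a 10-lookup limit, which the depth guard stands in for.
    """
    if depth > max_depth:
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term.lower() == "all":
            return result
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            # 'include' matches only when the included record yields 'pass';
            # a 'fail' from it does not end evaluation of the outer record.
            sub = check_spf(ip, arg, depth + 1, max_depth)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this toy
    return "neutral"  # no 'all' term: default result per RFC 7208

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def envelope_header_aligned(return_path, header_from):
    """True when the envelope (Return-Path) domain equals the header From domain."""
    return domain_of(return_path) == domain_of(header_from)

# Constructed sample, modelled on the message described in the post.
RETURN_PATH = "5t7t95c9t7ccg7bc897tvkrt@thirdparty.moo"
HEADER_FROM = "promotions@bank.example"
SENDING_IP = "198.51.100.7"   # outside thirdparty.moo's published range

if __name__ == "__main__":
    print("SPF, header From domain:", check_spf(SENDING_IP, domain_of(HEADER_FROM)))
    print("SPF, envelope domain:   ", check_spf(SENDING_IP, domain_of(RETURN_PATH)))
    print("Envelope/header aligned:", envelope_header_aligned(RETURN_PATH, HEADER_FROM))
```

With the constructed data both lookups come back 'fail' and the alignment check is false, which is exactly the combination a filter is entitled to distrust; change SENDING_IP to an address inside 203.0.113.0/24 and both records pass, showing that the bank’s include was correct and the third party simply sent from an IP it never published.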
This is the price to pay when marketing and tracking data win against email security.
So: you’re not a customer of this bank, the message comes from a place you’re not sure of, the links don’t point to the bank’s address, and the SPF record is bad. Would YOU click on it?
References:
1. http://en.wikipedia.org/wiki/Sender_Policy_Framework
Well, I certainly wouldn’t click on it.
However, I do have a question: assuming the bank has the customer’s best interests in mind, and plans on sending them only useful information that the customer will want to receive (i.e. _not_ spam), what is the best way for the bank to accomplish it in this case?
The minimum would be for the URLs to point to the bank’s website. The must would be an HTTPS link where the user would be able to see a trusted connection in his browser between the bank and his computer. This requires the bank to have a local tracking system if it wants to receive ‘click stats’.
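One way to build the first-party tracking the reply above calls for, as an added example rather than anything from the original thread: every link in the newsletter stays on the bank’s own HTTPS origin, the campaign and recipient parameters are carried in the query string, and an HMAC over them stops anyone from turning the redirect endpoint into an open redirect. The origin, the secret and the campaign names are constructed, and signing the parameters is a design choice of this example, not something the page prescribes.

```python
"""First-party, signed click-tracking links (added example, constructed names)."""
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

BANK_ORIGIN = "https://www.bank.example"                        # constructed
TRACKING_SECRET = b"rotate-me-and-keep-me-out-of-the-template"  # constructed

def _sign(campaign, recipient, target):
    # Newline-joined fields so no two (campaign, recipient, target)
    # combinations can collide on the same signed message.
    msg = "\n".join([campaign, recipient, target]).encode()
    return hmac.new(TRACKING_SECRET, msg, hashlib.sha256).hexdigest()

def build_tracking_link(campaign, recipient, target):
    """Wrap a destination on the bank's own site in a signed redirect URL.

    'recipient' should be an opaque per-recipient token, not the e-mail
    address, so the address never ends up in URLs or web-server logs.
    """
    if not target.startswith(BANK_ORIGIN + "/"):
        raise ValueError("tracking links may only point at the bank's own origin")
    params = {"c": campaign, "r": recipient, "t": target,
              "s": _sign(campaign, recipient, target)}
    return f"{BANK_ORIGIN}/r?{urlencode(params)}"

def resolve_tracking_link(url):
    """Server side of /r: verify signature and destination.

    Returns (campaign, recipient, target) for a genuine link, which the
    handler logs and then 302s to 'target'; returns None for anything
    missing, tampered with or pointing off-origin.
    """
    qs = parse_qs(urlparse(url).query)
    try:
        campaign, recipient, target, sig = (qs[k][0] for k in ("c", "r", "t", "s"))
    except KeyError:
        return None
    if not hmac.compare_digest(sig, _sign(campaign, recipient, target)):
        return None
    if not target.startswith(BANK_ORIGIN + "/"):
        return None  # defence in depth: never redirect off-origin
    return campaign, recipient, target

if __name__ == "__main__":
    link = build_tracking_link("insurance-renewal", "user-0042",
                               BANK_ORIGIN + "/insurance/quote")
    print(link)
    print(resolve_tracking_link(link))
    print(resolve_tracking_link(link.replace("user-0042", "user-0043")))
```

The user sees a link on www.bank.example over HTTPS, the bank still gets its per-campaign, per-recipient click counts, and a phisher who copies the newsletter cannot reuse /r to send victims elsewhere, because any change to the target or recipient invalidates the signature and an off-origin target is refused even with a valid one.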