2015-06-19
Sometimes looking into spam for a blog entry has unexpected benefits
Today, I was all set to write an entry about how I especially hate slimy companies that gain access to people's address books. In fact I had a particular company in mind, because it's clear that they did this to one of our users recently. As part of starting to write that entry, I decided to do some due diligence research on the company involved. What I found turned out to be rather more alarming than I expected.
There are two usual run-of-the-mill ways to steal people's address books. The 'not even sort of theft' way is to just ask people to give you their address books so you can connect them to any of their friends on your service, and then perhaps send some invitation mails yourself. The underhanded way is to persuade people to give you access to their GMail or Yahoo or whatever email account for some innocent-sounding purpose, then take a copy of their address book while you're there.
These people went the extra mile; they made a browser extension. Of course it does a lot more than just take copies of your address book and none of what it does seems particularly pleasant (at least to me). Getting a browser extension into people's browsers is probably harder than getting their address books in the usual way, but I imagine it's much more lucrative (and much more damaging).
What this means is that our user didn't just give a company access to their address book; instead they've wound up infected by something that is more or less malware (and of course this means that their machine may also have other problems). And I wouldn't have found any of this if I hadn't decided to turn over this particular rock as part of writing a blog entry.
(It turns out this company has a Wikipedia entry. It's rather eyebrow raising in a 'this seems so whitewashed it's blinding' kind of way. Since it was so obviously white, I dipped into the edit history and the talk page and found both rather interesting, i.e. there was and may still be a roiling controversy that is not reflected in the page contents. I'm kind of sad to see Wikipedia (ab)used this way, but I'm not wading into that particular swamp for any reason.)
2015-06-12
Red Hat are marketing email spammers now (in the traditional way)
We used to use Red Hat Enterprise Linux (in our previous fileserver generation and in a few other roles), although we've wound up switching to CentOS. As part of having those RHEL machines we have an RHN account, which is registered with a specific email alias here. RHN uses that email address to do things like notify us about important security updates, machines not responding, and so on. Although in practice all of those are basically noise, that's okay; that's what we registered the email address for and RHN is only doing what we told it to.
The other day we got the following email to that address from a Red Hat address, sent from Red Hat's own SMTP servers:
Subject: Red Hat Forum: Build an Efficient and Agile IT Organization for the Future - On Behalf Red Hat
Dear Valued Client,
We would like thank you for attending our Mobile Enterprise Application Workshop. We hope you enjoyed it. Since may of the attendees have requested, we are pleased to share with you our upcoming forum you may be interested in.
Join our annual Red Hat Forum on June 18 , 2015 for an insightful morning with industry leading analysts from IDC [...]
This is not RHN notification email. More than that, the first paragraph is a further lie; we didn't attend (and haven't attended) any Red Hat 'Mobile Enterprise Application Workshop'. Oh, and this claims to have been sent from Red Hat's Canadian office but includes no unsubscribe link, which means that it is clearly in violation of recent Canadian anti-spam legislation on top of everything else.
At one level I'm not particularly surprised. Companies do this all the time, often although not exclusively as a result of address list creep. Red Hat is just the latest one, and why would I be surprised at that? Everyone screws you eventually (it's why modern email is such a hassle).
At another level I'm terribly disappointed. At one time I could think of Red Hat as clearly good guys, people who would never ever behave in such an unethical and frankly slimy way. Clearly those days are over now, as Red Hat has given me a clear and unambiguous sign that marketing is winning over morals. I'm not sure what I can expect next, but I'm sure I'm not going to like it.
(Maybe Red Hat marketing will win the argument that everyone who has ever submitted a RHEL-related Bugzilla report is fair game for RHEL-related marketing emails.)
PS: I sent email to Red Hat when we got this email. I have of course received no reply.
(This elaborates on my tweet at the time.)