Security Basics mailing list archives
Re: How can you trust a company you don't know?
From: "Steve" <securityfocus () delahunty com>
Date: Tue, 21 Oct 2003 18:17:20 -0400
To check them out, ask them for references and actually check them. You could do a D&B (finances check) on them and that will show if they have any pending litigation.

You won't really know if they are spamming from your domain, but your customers will complain. Make sure to have input to the opt-out text in the emails they send out. You could make this a double opt-in approach, someone signs up and an email goes to the address they submitted and they have to reply to that, like how the Security Focus lists work.

This reporting approach is not uncommon for email newsletters and it works really well. I personally have my email client and firewall configured to block these types of communications that are outbound once you receive the email newsletter. But their approach does provide excellent reporting for the client of the fulfillment house.

Does your firm have a privacy policy for customer data? If yes, you should cross reference with this particular initiative. If not, you need one.

I have dealt with some email list fulfillment houses so if you want to share the name with me I can tell you if they seem kosher from my experience. There are a couple of sites with good email marketing info, see www.gotmarketing.com and www.yesmail.com for some good stuff.

----- Original Message -----
From: "Nicholas Diotte" <xphox () xphox net>
To: <security-basics () securityfocus com>
Sent: Tuesday, October 21, 2003 2:39 PM
Subject: How can you trust a company you don't know?

Greetings List,

Recently I've been asked to look into a product, that a company I've never heard of sells. The company in question has a service that our Marketing Department would like to purchase. It being computer related, IT gets final say.

Basically this company is advertising, "Fully-Branded Emails". Currently we restrict our Marketing Dept. from using "fancy" HTML emails, and only allow them to send plain text. However this company will allow them to send Rich Text, and HTML emails.

They will even provide what seems to be impossible reporting, dynamic content (via database), and custom emails based on user interaction (in other words profiling). Basically I'm assuming each email will contain embedded hidden pictures, etc. that will track what users are doing. A little scary for me, as the last thing I want is our company emails being picked up by spyware scanners, etc.

I've done some basic research on the company and they do seem rather legitimate, however I have found traces of them on a couple mail abuse lists.

Basically it's an opt-in newsletter, how it works is you give them a subdomain, and point the MX record to their mailserver. But how do I know they won't spam from our domain, how do I know they won't sell the opt-in list, and what about user tracking... Do I have to alert our subscribers that they will in fact be "profiled"?

What steps would you take if you needed to look into a company and give a report to your VPs, giving the product a yeah, or nah.

Thanks,
--Xphox
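The double opt-in flow suggested in the reply above, sketched as an added example that is not part of the original thread: instead of a free-form reply, the subscriber sends back an HMAC-signed token, so an address is only listed once its owner has proven receipt. The key, the one-week expiry, and the names `issue_token`, `confirm` and `SubscriberList` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"demo-only-key"   # constructed; load from a secret store in practice
TOKEN_TTL = 7 * 24 * 3600       # assumed policy: pending sign-ups expire in a week

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body):
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(email, now=None):
    """Build the token mailed to the submitted address at sign-up."""
    issued = int(time.time() if now is None else now)
    body = f"{_b64(email.strip().lower().encode())}.{issued}"
    return f"{body}.{_sign(body)}"

def confirm(token, now=None):
    """Return the confirmed address, or None if forged, malformed or expired."""
    try:
        addr, issued, sig = token.split(".")
        expected = _sign(f"{addr}.{issued}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        age = (time.time() if now is None else now) - int(issued)
        if not 0 <= age <= TOKEN_TTL:
            return None
        return base64.urlsafe_b64decode(addr + "=" * (-len(addr) % 4)).decode()
    except ValueError:  # wrong field count, bad timestamp, bad base64 or UTF-8
        return None

class SubscriberList:
    """Hypothetical list store: only addresses that returned a valid token are mailed."""
    def __init__(self):
        self.confirmed = set()

    def sign_up(self, email, now=None):
        # Nothing is stored yet; the token goes only to the submitted mailbox.
        return issue_token(email, now)

    def handle_confirmation(self, token, now=None):
        email = confirm(token, now)
        if email is not None:
            self.confirmed.add(email)
        return email is not None
```

Because the address is bound into the signed token, a third party who submits someone else's address never sees the token and cannot complete the subscription on their behalf.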