Security Basics mailing list archives
RE: Incredimail
From: "Hindle, Dallas" <Dallas.Hindle () bakersdelight com au>
Date: Tue, 13 Sep 2005 15:54:42 +1000
Sorry, it isn't formatted very well, but we sent this out to our franchisees earlier this year... How it helps.

Incredimail - Is it worth the risk?

It has recently come to our attention that quite a few franchisees are using a program called "Incredimail". Incredimail allows you to customize the appearance of your e-mail messages and is available as both a stand alone E-mail client and as an Add-In for Microsoft Outlook. Its most obvious application is the addition of smiley faces etc. within mail you receive.

Whilst Incredimail may make your e-mail look more attractive, there are several security and privacy risks that come with installing the software.

The first problem this software causes is that it adds advertisements to all of your outgoing e-mail which, unless you buy the full version of the software, cannot be removed. This advertisement contains an animated image and a link to the Incredimail site. This can cause messages not to reach their intended recipient if there is any form of SPAM e-mail filtering. For example, many messages with this animation at the bottom never make it to staff at head office as our Mailguard filtering service reads them as SPAM and quarantines the messages. A screen shot of this advertisement is shown in the box below:

A major security problem with the software is that it has a loophole which enables malicious users to send you Incredimail content that can overwrite files on your computer. These users can edit files so that when you access a website or open an e-mail with Incredimail content, the skin\image\animation\sound sent with the e-mail overwrites a selected file on your hard drive.

More alarming facts about the service can be found within the contents of its ever changing 'Privacy Policy'.

* "IncrediMail pledges to you that it will never spam you, force you to install 3rd party software on your system or harm your online privacy in any way. IncrediMail is not a spyware."

Whilst the Incredimail website displays the above promise, the underlying privacy policy tells a different story. Incredimail promises not to SPAM you but retains the right to:

* "Provide Users with certain content that may be of interest to that User based on the information the User provides."

Incredimail also promises that:

* "IncrediMail does not collect personally identifiable or non-personally identifiable information".

However the Privacy Policy states:

* "Users, including without limitation, Users in the European Union, fully understand and unambiguously consent to the collection and processing of their personally identifiable and non-personally identifiable information, in the United States."

Also of note is the following statement regarding unsolicited materials, which can be almost anything you send by e-mail.

* "10. UNSOLICITED MATERIALS Any confidential, secret or proprietary information or other material submitted or sent to IncrediMail, including without limitation via any Message sent by You through the Service, Site, or IncrediMail's physical mail and e-mail addresses, or in any other way, will be deemed to be not confidential or secret. By submitting or sending information or other material to IncrediMail or by posting information on any portion of the Service you (a) Warrant that you have all rights of any kind to the material and that to the best of your knowledge no other party has any rights to the material; and (b) Grant IncrediMail an unrestricted, perpetual, irrevocable license to use, reproduce, display, perform, modify, transmit and distribute the material, and you further agree that IncrediMail is free to use any ideas, know-how, concepts or techniques you send us or post on the Service for any purpose, without any compensation to you or any other person."

Incredimail also reserves the right to change its privacy policy at any time without user consent or notification!

More alarming facts discovered by people who have investigated the use of Incredimail:

* Installing Incredimail makes over 1600 critical changes to Windows, however uninstalling it removes only 110 of these!
* Resource hungry - Uses much more of your computer's resources than the standard Outlook Express/Outlook applications.
* Application continually contacts the Incredimail servers to send back usage statistics and other information.

References:
http://www.incredimail.com/english/privacy.html
http://www.incredimail.com/english/fullprivacy.html
http://www.incredimail.com/english/termsofuse.html
http://www.eyeonsecurity.org

Thanks
Dallas Hindle
Infrastructure Team Leader
Bakers Delight Holdings Limited.
Suite 1, Level 1
293 Camberwell Road
Camberwell, Victoria, 3124
Australia
p. +61 3 9811 6183
m. 0413 707 451
f. +61 3 9811 6100
w. www.BakersDelight.com.au
e. Dallas.Hindle () BakersDelight com au

-----Original Message-----
From: Barbara Filkins [mailto:filkins () impulse net]
Sent: Monday, 12 September 2005 12:58 PM
To: security-basics () securityfocus com
Subject: FW: Incredimail

________________________________
From: Barbara Filkins [mailto:filkins () impulse net]
Sent: Sunday, September 11, 2005 7:46 PM
To: 'security-basics () securityfocus com'
Subject: Incredimail

Is there a general place where I could find information about any exposure that may occur with Incredimail and other similar products?

Thanks!
barb Filkins

--
Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.
http://www.mailguard.com.au/mg