Security Basics mailing list archives

RE: Incredimail


From: "Hindle, Dallas" <Dallas.Hindle () bakersdelight com au>
Date: Tue, 13 Sep 2005 15:54:42 +1000

Sorry, it isn't formatted very well, but we sent this out to our
franchisees earlier this year...

How it helps.



 Incredimail - Is it worth the risk?

It has recently come to our attention that quite a few franchisees are
using a program called "Incredimail". Incredimail allows you to
customize the appearance of your e-mail messages and is available as
both a stand-alone e-mail client and as an Add-In for Microsoft Outlook.
Its most obvious application is the addition of smiley faces etc.
within mail you receive.

Whilst Incredimail may make your e-mail look more attractive, there are
several security and privacy risks that come with installing the
software.

The first problem this software causes is that it adds advertisements to
all of your outgoing e-mail which, unless you buy the full version of
the software, cannot be removed. This advertisement contains an animated
image and a link to the Incredimail site. This can cause messages not to
reach their intended recipient if there is any form of SPAM e-mail
filtering. For example, many messages with this animation at the bottom
never make it to staff at head office as our Mailguard filtering service
reads them as SPAM and quarantines the messages. A screen shot of this
advertisement is shown in the box below:

A major security problem with the software is that it has a loophole
which enables malicious users to send you Incredimail content that can
overwrite files on your computer. These users can edit files so that
when you access a website or open an e-mail with Incredimail content,
the skin\image\animation\sound sent with the e-mail overwrites a
selected file on your hard drive.

More alarming facts about the service can be found within the contents
of its ever changing 'Privacy Policy'.

* "IncrediMail pledges to you that it will never spam you, force you to
install 3rd party software on your system or harm your online privacy in
any way. IncrediMail is not a spyware."

Whilst the Incredimail website displays the above promise, the
underlying privacy policy tells a different story.
Incredimail promises not to SPAM you but retains the right to:

* "Provide Users with certain content that may be of interest to that
User based on the information the User provides."

Incredimail also promises that:

* "IncrediMail does not collect personally identifiable or
non-personally identifiable information".


However the Privacy Policy states:

* "Users, including without limitation, Users in the European Union,
fully understand and unambiguously consent to the collection and
processing of their personally identifiable and non-personally
identifiable information, in the United States."

Also of note is the following statement regarding unsolicited materials,
which can be almost anything you send by e-mail.

* "10. UNSOLICITED MATERIALS Any confidential, secret or proprietary
information or other material submitted or sent to IncrediMail,
including without limitation via any Message sent by You through the
Service, Site, or IncrediMail's physical mail and e-mail addresses, or
in any other way, will be deemed to be not confidential or secret. By
submitting or sending information or other material to IncrediMail or by
posting information on any portion of the Service you (a) Warrant that
you have all rights of any kind to the material and that to the best of
your knowledge no other party has any rights to the material; and (b)
Grant IncrediMail an unrestricted, perpetual, irrevocable license to
use, reproduce, display, perform, modify, transmit and distribute the
material, and you further agree that IncrediMail is free to use any
ideas, know-how, concepts or techniques you send us or post on the
Service for any purpose, without any compensation to you or any other
person."

Incredimail also reserves the right to change its privacy policy at any
time without user consent or notification!

More alarming facts discovered by people who have investigated the use
of Incredimail:

* Installing Incredimail makes over 1600 critical changes to Windows,
however uninstalling it removes only 110 of these!

* Resource hungry - Uses much more of your computer's resources than the
standard Outlook Express/ Outlook applications.

* Application continually contacts the Incredimail servers to send back
usage statistics and other information.


References: http://www.incredimail.com/english/privacy.html
http://www.incredimail.com/english/fullprivacy.html
http://www.incredimail.com/english/termsofuse.html
http://www.eyeonsecurity.org



Thanks

Dallas Hindle

Infrastructure Team Leader
Bakers Delight Holdings Limited.
Suite 1, Level 1
293 Camberwell Road
Camberwell, Victoria, 3124
Australia
p. +61 3 9811 6183
m. 0413 707 451
f. +61 3 9811 6100
w. www.BakersDelight.com.au
e. Dallas.Hindle () BakersDelight com au 



-----Original Message-----
From: Barbara Filkins [mailto:filkins () impulse net] 
Sent: Monday, 12 September 2005 12:58 PM
To: security-basics () securityfocus com
Subject: FW: Incredimail

 

________________________________

From: Barbara Filkins [mailto:filkins () impulse net]
Sent: Sunday, September 11, 2005 7:46 PM
To: 'security-basics () securityfocus com'
Subject: Incredimail


Is there a general place where I could find information about any
exposure that may occur with Incredimail and other similar products?
Thanks!
 
barb Filkins

-- 
Message protected by MailGuard: e-mail anti-virus, anti-spam and content
filtering.
http://www.mailguard.com.au/mg


