Educause Security Discussion mailing list archives
Re: Email marketing keys and contact information privacy
From: Dennis Meharchand <dennis () VALTX COM>
Date: Tue, 31 Mar 2009 16:51:50 -0400
Gary, Disclosure: Vendor response - Valt.X develops computer security hardware To prevent harvesting - A pattern should never be used. If the ID was numeric I would say getting just one hit in a thousand would be discouraging to a harvester - staying away from completely numeric would be best -even throwing in one letter makes it much more difficult to harvest. I speak from experience - besides developing computer security products we spend all day and night obtaining data:) One of the techniques we used to determine if valid data is returned is the file size - a page returned with no data is usually all the same size and smaller than one with data - returning bogus data instead for invalid queries (not used ID's) would frustrate the harvester. Dennis Meharchand CEO, Valt.X Technologies Inc. Cell: 416-618-4622 Tel: 1-800-361-0067, 416-746-6669 Fax: 416-746-2774 Email: dennis () valtx com Web: www.valtx.com -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn Sent: March 31, 2009 2:47 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Email marketing keys and contact information privacy Lets say there is a mass marketing company who sends e-mail on behalf of its customers based on contact information given to it by those customers. The URLs in the individual e-mail messages are unique for each recipient so when the recipient clicks the link, the marketer knows what e-mail address is responding and can record the individual who responded and adjust the display accordingly if desired. Standard operating procedure so far, right? Now lets say that mass marketing company has the name, address, and phone number associated with each e-mail address and displays that information based on the link in the e-mail. So if I get one of these unsolicited messages and click the link, my name, address, and phone number is displayed. Under such a system, one could theoretically download the customer database contents by making successive requests: https://website.com/person?ID-number000,000,001 https://website.com/person?ID-number000,000,002 https://website.com/person?ID-number000,000,003 . . . https://website.com/person?ID-number999,999,997 https://website.com/person?ID-number999,999,998 https://website.com/person?ID-number999,999,999 Under what circumstances would this be acceptable? If the ID-number was a certain minimum size that was X orders of magnitude greater than the population? If the URL in the e-mail only worked a limited number of times to prevent the harvesting and limit re-use? Never? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Current thread:
- Email marketing keys and contact information privacy Gary Flynn (Mar 31)
- <Possible follow-ups>
- Re: Email marketing keys and contact information privacy Jason Testart (Mar 31)
- Re: Email marketing keys and contact information privacy Dennis Meharchand (Mar 31)
- Re: Email marketing keys and contact information privacy Crim, David (Mar 31)