[conspire] Creepy Web 2.0-service sales come-on

Don Marti dmarti at zgp.org
Wed Jan 18 11:57:31 PST 2006


begin Rick Moen quotation of Wed, Jan 18, 2006 at 08:36:53AM -0800:

> I've altered the example to protect my friend's privacy, but imagine you
> know Sam Jones, his mail address, etc. really well.  Most people don't
> view full SMTP headers, so it really does seem to be personal mail from
> Sam, recommending an "interesting business tool".  He starts out with
> "Rick," closes with "-- Sam", and the sender "From:" SMTP header is
> _forged_ to use Sam's real e-mail address.
> 
> Note that latter point:  It uses some of the same forge-mail techniques
> that the spammers use to hide themselves.  Only the (normally hidden)
> Return-path envelope header and Received headers are valid.
> 
> Yes, Sam undoubtedly did in _some_ sense authorise the sending of this
> "invitation" mail on his behalf -- but he sure as hell didn't write it
> or send it from his personal e-mail address, as is falsely claimed.

RFC 2822 says:

  The "From:" field specifies the author(s) of the
  message, that is, the mailbox(es) of the person(s) or
  system(s) responsible for the writing of the message.
  The "Sender:" field specifies the mailbox of the
  agent responsible for the actual transmission of
  the message.

I see from the quoted message that LinkedIn doesn't
include a "Sender:" header.  Their use of "From:"
seems to be legit, and there's nothing that mandates
the use of "Sender:" unless you use more than one
address in "From:".

I have used this service (I accepted a bunch of
invitations from current and former co-workers),
so I can comment on the UI from "Sam"'s side.

It's not as creepy as it looks, because the user does
have just as much control over the sent message as he
or she would in a normal mail client, and the contact
information that the site collects is available
for download in a format that you can import into a
normal mail client.  So if you stop using the site,
your addressbook doesn't go away if you chose to
download a copy.

On the LinkedIn site, "Sam" entered your name and
email address, or your name and email address were
in his email client addressbook, which he uploaded
to the LinkedIn site.

Then he got to a web form with sample mail subject
and text, which appeared in a text field that he had
an opportunity to modify.

He had to know your email address to get to that form.
LinkedIn keeps track of email addresses of people
who have accepted its EULA, but it won't send mail
"From:" a user unless that user enters an address.
(This is apparently to keep people from inviting
everyone, willy-nilly, Orkut-style.)

So, "Sam" had control of the "To:" name and address,
the "Subject:" line, and the text.  That's just as
much control as he would have running any mail client.

Here's a screenshot.
http://zgp.org/~dmarti/images/linkedin.png

There are some contact management services whose mail
I ignore, such as the really annoying one that sends
me "Hi, I'm updating my addressbook and I'm using
this service to make you do the work for me" mail.
But a LinkedIn invitation is as much under the user's
control as

If you have a LinkedIn account, and you go to
https://www.linkedin.com/addressBookExport

you can get a copy of the contact info for your
LinkedIn connections, as CSV or vCard.

-- 
Don Marti
http://zgp.org/~dmarti/
dmarti at zgp.org
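The distinction drawn above between the "From:" author claim and the transmission data (Return-Path, Received, and the optional "Sender:" field) is something a recipient can check mechanically. The following is an added example, not code from the original post or from any mail service; it parses two constructed messages (all addresses, hosts and IP literals are invented placeholders) and reports whether the claimed author's domain agrees with the envelope sender, whether a "Sender:" field was supplied at all, and which host injected the message. A mismatch is not proof of anything bad, as the post explains, but it is the signal a recipient would want surfaced.

```python
"""Added example (not part of the original post): compare the identity
headers of a received message.  RFC 2822 makes "From:" the author claim and
"Sender:" the transmitting agent; Return-Path and Received: are written by
the receiving side and are the only parts the author cannot assert."""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample 1: an invitation sent by a third-party service "From:"
# the inviting user's own address, with no "Sender:" field.  All names are
# invented placeholders.
SAMPLE_INVITATION = """\
Return-Path: <bounce-12345@mail.example-service.invalid>
Received: from mail.example-service.invalid (mail.example-service.invalid [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 4F2C1
\tfor <rick@recipient.example>; Wed, 18 Jan 2006 08:30:00 -0800
From: Sam Jones <sam@personal.example>
To: rick@recipient.example
Subject: Interesting business tool
Date: Wed, 18 Jan 2006 08:30:00 -0800
Message-ID: <abc123@mail.example-service.invalid>

Rick,

I've been using this and thought of you.

-- Sam
"""

# Constructed sample 2: the same author sending from his own mail system,
# so author and envelope data agree.
SAMPLE_DIRECT = """\
Return-Path: <sam@personal.example>
Received: from mail.personal.example (mail.personal.example [198.51.100.5])
\tby mx.recipient.example (Postfix) with ESMTP id 9A7D3
\tfor <rick@recipient.example>; Wed, 18 Jan 2006 09:00:00 -0800
From: Sam Jones <sam@personal.example>
To: rick@recipient.example
Subject: Lunch?
Date: Wed, 18 Jan 2006 09:00:00 -0800
Message-ID: <def456@mail.personal.example>

Rick, lunch Thursday?
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of a mailbox, or '' if absent."""
    _, mailbox = parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def originator_report(raw: str) -> dict:
    """Compare the "From:" author claim with the transmission data.

    Returned keys:
      from_domain           domain the message claims as its author
      return_path_domain    domain of the envelope (bounce) address
      sender_present        whether an RFC 2822 "Sender:" field exists
      first_hop_host        host named in the earliest Received: header
      from_matches_envelope True only when author and envelope domains agree
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    received = msg.get_all("Received") or []
    # Each hop prepends its Received: header, so the last one listed is the
    # earliest hop, i.e. the system that first accepted the message.
    first_hop = str(received[-1]) if received else ""
    first_hop_host = ""
    if first_hop.lower().startswith("from "):
        first_hop_host = first_hop.split()[1].lower()
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_present": msg.get("Sender") is not None,
        "first_hop_host": first_hop_host,
        "from_matches_envelope": bool(from_domain)
        and from_domain == return_path_domain,
    }


if __name__ == "__main__":
    for label, sample in (("invitation", SAMPLE_INVITATION),
                          ("direct", SAMPLE_DIRECT)):
        print(label, originator_report(sample))
```

The report only says where the message entered the mail system and whether the author's domain is also the envelope domain; whether the author really approved the text, as the post notes "Sam" did through the web form, is not something the headers can tell you.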
