[Quick update: I searched for the dealer sites. Last time I looked, I couldn't find dealer sites. This time I found sites for both dealers, and both had live chat services. Very helpful operators. It looks like the problem I had before, of not being able to contact them, has been solved. That just leaves the domain name problems.]
[Second update: (24 October) Nope. My optimism was not founded. Or only half-founded. There is no Chrysler-wide policy. I've communicated directly with sales managers at the dealerships involved, and at least one seems to have a policy that they want addresses they can automatically dump their regular sales announcements to, more than they want real customers. (Sorry to be so blunt about it.)
How is it that people would rather have a bigger pay check now than understand where the money comes from, and why and when the stream is going to dry up?
I guess that's a subject for another blog, sometime.]
One good tell-tale for phishing used to be the return e-mail address, or the url of the link that took you to the web page the mail was telling you about.
If its domain name was different from the domain name of the purported sender, you could guess that the message was not legitimate, and delete it or send it to the spam bucket for your admin to collect and add to the spam filters.
For example, if the mail claims to be from PayPal, and the return address (as, when I click "Reply") is
advertising@deptA.paypal.com
the address is in the paypal.com domain, which I have strong reason to believe is owned and operated by PayPal. (How I have reason to believe that is a subject for another post.)
On the other hand,
paypal@deptpaypal.advertising.com
is in the advertising.com domain, and who knows who is operating that right now?
Likewise, if I copy a link url (right click, copy url or copy link) and paste it into a text editor window, I can see the raw url. Again,
http://accountsurveys.paypal.com/custcode/?3234dsdf3324stvp1d
is a url in the paypal.com domain. Unless I have been a victim of dns poisoning, the server I would go to when I click on that should be managed by the same people that manage paypal.com. But
http://paypal.accountsurveys.tv/custcode/?3234dsdf3324stvpld
is a url in the accountsurveys.tv domain, and could very well be somebody phishing for my PayPal password.
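The check described above, as an added example that is not part of the original post: it pulls the host out of a reply address or a link url and tests whether that host is the purported sender's domain or a name underneath it. The sample addresses and urls are the ones from the text plus a few constructed look-alikes; the function names are my own.

```python
"""Domain check for reply addresses and link urls (added example, constructed data)."""
from email.utils import parseaddr
from urllib.parse import urlsplit


def host_of_address(addr: str) -> str:
    """Host part of an e-mail address, lower-cased; display names are ignored."""
    _, bare = parseaddr(addr)  # '"PayPal" <x@y>' -> 'x@y'
    local, sep, host = bare.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return host.lower().rstrip(".")


def host_of_url(url: str) -> str:
    """Hostname of a url: no scheme, userinfo, port, path or query."""
    host = urlsplit(url).hostname  # drops 'user@' tricks such as http://paypal.com@evil/
    if not host:
        raise ValueError(f"no host in url: {url!r}")
    return host.lower().rstrip(".")


def in_domain(host: str, org_domain: str) -> bool:
    """True if host is org_domain itself or a name below it.

    Compares whole labels from the right, so 'paypal.com' matches
    'accountsurveys.paypal.com' but not 'notpaypal.com',
    'paypal.com.evil.example' or 'paypal.accountsurveys.tv'.
    """
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    if not org_domain:
        raise ValueError("org_domain must not be empty")
    return host == org_domain or host.endswith("." + org_domain)


def sender_ok(addr: str, org_domain: str) -> bool:
    """Does the reply/return address sit in the purported sender's domain?"""
    return in_domain(host_of_address(addr), org_domain)


def link_ok(url: str, org_domain: str) -> bool:
    """Does the link url sit in the purported sender's domain?"""
    return in_domain(host_of_url(url), org_domain)


if __name__ == "__main__":
    # The post's own examples plus constructed look-alikes.
    for addr in ("advertising@deptA.paypal.com",
                 "paypal@deptpaypal.advertising.com",
                 '"PayPal <service@paypal.com>" <x@evil.example>'):
        print(f"{'ok  ' if sender_ok(addr, 'paypal.com') else 'BAD '} {addr}")
    for url in ("http://accountsurveys.paypal.com/custcode/?3234dsdf3324stvp1d",
                "http://paypal.accountsurveys.tv/custcode/?3234dsdf3324stvpld",
                "http://paypal.com@evil.example/login",
                "http://paypal.com.evil.example/login"):
        print(f"{'ok  ' if link_ok(url, 'paypal.com') else 'BAD '} {url}")
```

The comparison has to be on whole labels from the right; a plain substring or prefix test lets "notpaypal.com", "paypal.com.evil.example" and the display-name trick through. As the post says, this only tells you the name is under paypal.com, not that paypal.com belongs to PayPal, and dns poisoning is outside its scope.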
If PayPal wants me to trust the link they send me, but wants to outsource the advertising or the customer surveys, they should delegate a subdomain to their contractor.
Paypal would enter a domain name record that says, effectively,
deptA.paypal.com => deptpaypal.advertising.com
(This is not the actual command, and it's a little more complicated than just a single line, but it's something a good systems administrator should be able to take care of in an hour, with spare time for a snack, easily. Or, maybe five minutes today, ten minutes tomorrow, and twenty-five minutes in a week from now, checking the results. Done quickly, does not cost a lot.)
With that setting, which PayPal controls (barring software bugs), advertising.com can do their PayPal related stuff using e-mail addresses in the paypal.com domain, and that lets me know that they are, in fact, authorized by PayPal to do it.
(Not 100 percent sure, but better than 90% sure. Again, I should talk more about that elsewhere. But if they ask for my password or login ID by e-mail I should contact paypal.com directly, instead. e-mail is currently not safe to send passwords by.)
And a similar setting can let the folks at accountsurveys.tv (if they really are legitimate) put a whole web site up under
accountsurveys.paypal.com
which is in the paypal.com domain, and, again, let me know they are authorized by paypal to do it.
Well, even so, they should never ask me to tell them my password in a survey site. Passwords are not their business.
By the way, I think I remember seeing PayPal slip up on this kind of thing once or twice in the past (new grads or summer interns?), but they are generally pretty good about it.
(If you see a message from PayPal that comes from some domain that is not a PayPal domain, it's not them. Just hit the spam button. Unless it has personal details on you, in which case, contact PayPal directly.)
But there are lots of non-IT companies who seem to be outsourcing stuff and not realizing they need to delegate the domain names to do it under. Chrysler would seem to be one.
Shoot, they have such a variety of websites that I can't tell if any of them really have anything to do with the car company. This is bad news, and may have some influence on the state of their bottom line.
Some specifics --
For more than a year, I have been regularly getting messages with subjects like this:
Your recent Dodge Grand Caravan service at Concord Chrysler Dodge Jeep Ram
or like this:
Hey Joel, come back to Fremont Chrysler Jeep Dodge Ram
Now I really liked the family car I drove when I was a teenager. It was a Mitsubishi-made Dodge Colt (circa 1974). Wonderful car, lightweight, fast, easy to park, room to cart my stereo to church for the dances, etc.
Sometime while I was taking a break from college, my parents bought a second hand Ram van and used it for a long time. Quite dependable, allowed them to travel in reasonable comfort between their home in Texas and my grandfather's home in Utah. That van was turned over to a friend who needed transportation some ten years ago, I think.
I like Chrysler vehicles in general, but I myself have never bought a Chrysler, Dodge, Jeep, or Ram. And the last several years have definitely not seen me anywhere near Fremont or Richmond.
However, there are plenty of people in the world with the same first and last name as me. Some of them have been known to be careless when giving out their e-mail address. I have had to tell people in both England and Australia that I am not the Wookie they are looking for. (And I really am not.)
It is very difficult to tell a Chrysler dealership that they have the wrong e-mail address for a customer. I've tried that and failed several times. I'll probably try looking at the dealer sites for some sort of human-powered contact again after I post this. I'm too nice. Perhaps I should keep just sending these to the unsolicited (spam) box. A click every week or so costs me less time than this post.
On the other hand, this is a good example of how people should not use the internet. So it's not a waste of time to explain what's wrong.
So, back to the subject.
In Google's webmail interface, you have the reply arrow above the message, on the right. Next to that is a little triangle pointing down. Click that triangle and you can get a lot of fun things like "reply to all", "forward", and "filter messages like this".
You can also get "show original". Click that and a new tab opens to show the raw plaintext of the message, including the e-mail headers and, if the message is html formatted, the html source code. Basically, this allows you to see through all the tricks that illegitimate mailers use to make you think a message came from someplace else.
One is from
bounce-long-string@bounce.chrysler-email.mar0.net
Who is mar0.net?
It uses links in
http://www.feedbackpage.com/
Who are they?
And it says in the plain-text part,
PLEASE DO NOT REPLY TO THIS EMAIL. Your message will not be read. Instead, please contact us by phone at the Customer Assistance Center:
Have you ever tried calling a 1-800-number from Japan? It doesn't come free.
And it tells me the VIN of the car and gives me a PIN to register the car at
moparownerconnect.com
I remember Mopar from when I drove that Colt. Bought fan belts and distributor caps and carburetor kits from them.
But moparownerconnect is not the way to do a domain name. They could have that as a vanity domain and have it redirect to
ownerconnect.mopar.com
and that would make much more sense. But the domain should be in mopar.com.
WAITAMINUTE!
I don't own that car. But now I know the VIN. If I were a black-hat wannabe, I could cause them some serious customer problems.
No. They should not have sent me that. Not until after they had verified, probably by phone, that the real customer was getting his mail, at least. (And I wouldn't put it in unencrypted e-mail anyway. Sometime I need to blog about how to do that with the current mess, and the technical/marketing/political barriers to doing it right.)
Yes. It is important to understand what I'm trying to say in this over-long blog post.
The other has similar issues, but different.
Their contractor seems to be exacttarget.com.
exacttarget.com seems to think plaintext is evil. That is, there is no plaintext, just HTML that looks almost deliberately obscured.
And they seem to think shortened urls in e-mails are cool. Don't do that. Shortened urls tell you nothing, and you really should never trust them.
Well, a shortened url within a known domain might work, I suppose. Perhaps something like
shortA0194.cdjr.com
would be reasonable, if cdjr.com were publicly advertised on the Chrysler, Dodge, Jeep, and Ram websites and in the dealers' show windows as being a shorthand site for all four brands.
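Doing by script what "show original" lets you do by eye, as an added example that is not part of the original post: it parses a raw message, collects every host named in the sender headers and in the links of the plain-text and HTML parts, and lists the ones that are not under the domains the mail claims to speak for. The raw message is constructed for the example; it reuses the host names the post mentions (mar0.net, feedbackpage.com, moparownerconnect.com), but the addresses, header values and body text are made up, and the set of expected domains (chrysler.com, mopar.com) is an assumption.

```python
"""List every host a raw message touches and flag those outside the claimed organisation.

Added example with a constructed message; the expected domains are an assumption."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed raw message (what "show original" would display).  The host
# names are the ones the post mentions; addresses, header values and body
# text are made up and shortened.
RAW_MESSAGE = """\
Return-Path: <bounce-long-string@bounce.chrysler-email.mar0.net>
From: "Concord Chrysler Dodge Jeep Ram" <bounce-long-string@bounce.chrysler-email.mar0.net>
Reply-To: noreply@chrysler-email.mar0.net
To: joel@example.net
Subject: Your recent Dodge Grand Caravan service
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

PLEASE DO NOT REPLY TO THIS EMAIL. Your message will not be read.
Register your vehicle at http://moparownerconnect.com/register

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://www.feedbackpage.com/survey?id=1">Tell us how we did</a>
<a href="http://www.chrysler.com/owners">Owner site</a>
<img src="http://bounce.chrysler-email.mar0.net/open.gif">
</body></html>

--b1--
"""

# Assumption: the domains this mail claims to speak for.
EXPECTED_DOMAINS = ("chrysler.com", "mopar.com")

SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def in_domain(host: str, org_domain: str) -> bool:
    """Whole-label suffix match: 'x.chrysler.com' is under 'chrysler.com', 'chrysler.com.evil' is not."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


class _LinkCollector(HTMLParser):
    """Collects href/src targets from the HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag == "a" and name == "href") or (tag == "img" and name == "src")):
                self.urls.append(value)


def hosts_in_message(raw: str) -> dict[str, set[str]]:
    """Map each host named in the message to the places it was seen."""
    msg = message_from_string(raw, policy=policy.default)
    seen: dict[str, set[str]] = {}

    def note(host: str, where: str) -> None:
        seen.setdefault(host.lower().rstrip("."), set()).add(where)

    for hdr in SENDER_HEADERS:
        for value in msg.get_all(hdr, []):
            _, addr = parseaddr(str(value))
            if "@" in addr:
                note(addr.rpartition("@")[2], hdr)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls, where = URL_RE.findall(part.get_content()), "text link"
        elif ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            urls, where = collector.urls, "html link"
        else:
            continue  # multipart containers, attachments
        for url in urls:
            host = urlsplit(url).hostname
            if host:
                note(host, where)
    return seen


def off_domain_hosts(raw: str, expected=EXPECTED_DOMAINS) -> dict[str, list[str]]:
    """Hosts not under any expected domain, with where each appeared."""
    return {host: sorted(where) for host, where in hosts_in_message(raw).items()
            if not any(in_domain(host, d) for d in expected)}


if __name__ == "__main__":
    for host, where in sorted(off_domain_hosts(RAW_MESSAGE).items()):
        print(f"outside {'/'.join(EXPECTED_DOMAINS)}: {host} ({', '.join(where)})")
```

On the constructed message only www.chrysler.com survives the filter; the bounce address, the reply address, the survey link and the registration site all come back as outside the brand's domains, which is exactly the list of questions the post asks. A shortened url would show up the same way, as a host with no relation to the sender, with the difference that nothing about it tells you where it leads.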
There's more in this vein, but I think the above illustrate some common traps that should be avoided by users of e-mail, on both sides of the corporate divide.
Mind you, I have nothing against Chrysler/Dodge/Jeep/Ram or their dealers. And I am going to try to contact them again so they can fix this stuff. I think, if I can explain things reasonably enough, they'll be willing to go to the effort of using their domain names correctly.
Who is going to contact the other nine hundred and ninety-nine domain name abusers, I don't know.