[Lias] Verification of vendor communications

Paul Gear pgear at redlands.qld.edu.au
Wed Mar 24 08:59:02 UTC 2004


Hi folks,

(Insert standard cross-posting apology here.)

This morning, i received an email closely resembling the following
from a respected system software vendor (name obfuscated by FOOBAR to
protect the guilty).

-- Snip -- 8< ----------------------------------------

Dear Valued FOOBAR Customer
Thank you for using FOOBAR Software products and services.

As part of our ongoing efforts to improve customer experience, we are
currently conducting an exercise to verify your Company's information
as well as the designated contact person's information. Your Company's
name or addresses may have changed since and they may not have been
updated in our records. As such, we will like you to reply to this
email with the following information so that we can verify and
rectify, if necessary.

Name of Company:
Company's Address:
Name of Contact Person:
Contact Person's Tel#:
Contact Person's Fax#:
Contact Person's email:

Please ignore this email if you have responded to our earlier calls to
verify your contact information.

Thank you for your participation.
Rgds,
FOOBAR Software Asia Pacific Pty Ltd

-- Snip -- 8< ----------------------------------------


My first question is this: if you received an email such as this,
would you trust it?  Obviously, i didn't.  I contacted the vendor's
local office, was quickly put through to a technical person, who
subsequently verified the authenticity of the message.  (The only
reason i called them instead of just deleting it was the fact that the
Received: headers in the email did not appear to be forged.)

My reply to the person who verified the message read as follows:


-- Snip -- 8< ----------------------------------------


Thanks for the reply.  Could you please pass this feedback on to the
appropriate people:

My primary expectation with email communication like this is some sort
of cryptographic signature, like PGP or S/MIME (the latter is probably
preferable, since it is available at no cost to users on many email
platforms).  All relevant keys or certificates should be shipped on
your product CDs so that they can be verified through a channel
independent of the email.  Other (less desirable) independent channels
might be telephoning your local office (as i did today), or
downloading keys or certificates from your web site.

Please note that simply turning the email into HTML and adding a
corporate logo and a link to your web site are not sufficient.  In
fact, all links in HTML email are automatically suspect as far as i am
concerned, due to the number of viruses and scams now masquerading as
legitimate emails from companies like Microsoft, Symantec, and
Westpac.  If you cannot yet send signed messages, then at least make
sure they are plain text.

I realise these are not things that can be implemented overnight, but
they are essential for you to implement if you are to communicate with
your customers in a trustworthy manner via email.  If i cannot verify
the message itself, and cannot easily contact someone in the local
office and independently verify the message, then i will simply ignore
it, wasting your time and mine and possibly complicating matters next
time i make a support call.

And while i'm at it (since you jogged my memory by mentioning
marketing spam), let me mention that for a company like yours,
marketing via email, even to existing customers, is an unnecessary
and distasteful practice.  Speak with your products, not your mailing
lists.

The thing that will get me to use your products (and indeed this is
why i am an existing customer), is recommendations - stories of strong
reliability and service from my peers and colleagues in industry.
Advertising, even about useful products from companies i know, just
ends up in my junk mail folder.


-- Snip -- 8< ----------------------------------------


More questions: Do other "respected" software vendors communicate with
you like this?  What do you do about it?  Am i being too harsh?  Do
you care?  (For those of you reading this email in an attachment due
to the PGP/MIME bug in MS Outbreak, i can probably guess your
answer to the last one. :-)

-- 
Paul Gear, Manager IT Operations
Redlands College, 38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or
OpenOffice.)
-- 
The information contained in this message is copyright by Redlands
College.  Any use for direct sales or marketing purposes is expressly
forbidden.  This message does not represent the views of Redlands
College.
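The one check the post describes doing by hand, looking at whether the Received: headers hang together, can be automated as a first-pass heuristic. The following is an added example, not code from the post or from any vendor: it parses the Received: lines of a message with Python's standard email module, walks the hops oldest-first, and flags a chain whose hand-offs do not line up or whose newest hop was not received by our own mail server. The hostnames, addresses and the two sample messages are constructed for the example (OUR_MX is an assumed name).

```python
"""Heuristic consistency check on Received: headers.

Every MTA that handles a message prepends its own Received: line, so reading
them bottom-up gives the route the message claims to have taken. In a
consistent chain the host that received hop N ("by X") is the host that hands
the message on in hop N+1 ("from X"), and the newest hop must have been
received by our own mail server. Only the lines our own servers added can be
trusted; everything below them was written by whoever handed us the message,
so a consistent chain is merely a weak sanity check, while a broken one is a
solid reason for suspicion.
"""
import re
from email import message_from_string

# Hostname following "from" / "by" in a Received: clause (comments and IPs ignored).
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Our own inbound MX (assumed name for this example).
OUR_MX = "mail.redlands.example"

# Constructed sample: a plausible two-hop delivery from the vendor's servers.
SAMPLE_CONSISTENT = (
    "Received: from mx1.foobar.example (mx1.foobar.example [192.0.2.10])\n"
    "\tby mail.redlands.example with ESMTP id abc123\n"
    "\tfor <pgear@redlands.example>; Wed, 24 Mar 2004 08:15:00 +1000\n"
    "Received: from smtp-out.foobar.example ([198.51.100.7])\n"
    "\tby mx1.foobar.example with ESMTP id def456;\n"
    "\tWed, 24 Mar 2004 08:14:58 +1000\n"
    "From: FOOBAR Software <support@foobar.example>\n"
    "To: pgear@redlands.example\n"
    "Subject: Verify your contact details\n"
    "\n"
    "Dear Valued FOOBAR Customer ...\n"
)

# Constructed sample: the lower Received: line claims a vendor hop, but our own
# MX recorded receiving the message from an unrelated host.
SAMPLE_FORGED = (
    "Received: from relay.badhost.example (unknown [203.0.113.5])\n"
    "\tby mail.redlands.example with ESMTP id ghi789;\n"
    "\tWed, 24 Mar 2004 09:01:00 +1000\n"
    "Received: from smtp-out.foobar.example ([198.51.100.7])\n"
    "\tby mx1.foobar.example with ESMTP id def456;\n"
    "\tWed, 24 Mar 2004 08:14:58 +1000\n"
    "From: FOOBAR Software <support@foobar.example>\n"
    "To: pgear@redlands.example\n"
    "Subject: Verify your contact details\n"
    "\n"
    "Dear Valued FOOBAR Customer ...\n"
)


def parse_hops(raw_message):
    """Return a list of (from_host, by_host) tuples, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        from_m = FROM_RE.search(flat)
        by_m = BY_RE.search(flat)
        hops.append((
            from_m.group(1).lower() if from_m else None,
            by_m.group(1).lower() if by_m else None,
        ))
    return hops


def check_chain(raw_message, our_mx=OUR_MX):
    """Return a list of problems; an empty list means the chain is self-consistent."""
    hops = parse_hops(raw_message)
    if not hops:
        return ["no Received: headers at all"]
    problems = []
    for n, ((_, by_prev), (from_next, _)) in enumerate(zip(hops, hops[1:])):
        # Internal relays sometimes omit "from"; compare only when both sides are present.
        if by_prev and from_next and by_prev != from_next:
            problems.append(
                f"hop {n} was received by {by_prev} but hop {n + 1} "
                f"claims to come from {from_next}"
            )
    if hops[-1][1] != our_mx.lower():
        problems.append(f"newest hop was received by {hops[-1][1]}, not by {our_mx}")
    return problems


if __name__ == "__main__":
    for label, sample in (("consistent", SAMPLE_CONSISTENT), ("forged", SAMPLE_FORGED)):
        print(label + ":", check_chain(sample) or "chain is self-consistent")
```

A clean result here is no substitute for the cryptographic signature the post asks for: the sender controls every Received: line below the ones our own servers add, so the check only catches careless forgeries, which is exactly why it rates as a reason to pick up the phone rather than a reason to trust the message.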