Microsoft's gaffe of the day

This one is really peculiar. I had subscribed to Microsoft's Palladium mailing list to keep up to date on the subject. Today the third bulletin arrives, and among other things it says:

New format

Beginning today, we are sending our newsletter in text-only format. In previous mailings, on September 18 and October 3, you likely received an HTML version of this newsletter (unless your email is configured to receive plain text only).

HTML format is standard for many email newsletters as it allows for a more visually pleasing format and a means of allowing the sender to track the reach of the newsletter. Measuring this reach involves placing a tag embedded in the HTML that is not readily visible to the recipient (see technical details below), but tells the sender if and when the newsletter is opened.

As a matter of policy, Microsoft is committed to notifying individuals about all collection of personally-identifiable information, and in this case, no PII was collected. However, since HTML mail tags have been abused by many in the past, we have decided to move to a text-only newsletter format for all our future communications, and apologize for any misunderstanding this instance might have caused.

We do want to assure you that no personally identifiable information was ever sent to or collected by Microsoft, and no unique identifier was sent to Microsoft or our email newsletter agency. In the end, we believe this change will allow you to still get full use out of our correspondence while also knowing that Microsoft is committed to protecting your privacy.

Technical details of the HTML newsletter behavior

  • Each HTML version of the e-mail contained one HTML tag:

    <img src="http://pens.tm500.com/track.php/74D0265C6D/icon.gif" height=1 width=1>
  • The image tag was from the same domain as the domain from which the e-mail message originated (e.g., pens.tm500.com).
  • The tag URL contained a serial number (e.g., 74D0265C6D) which was tied to the specific e-mailing.
  • On the network, one HTTP GET could be seen going to pens.tm500.com when the message was viewed. The GET request contained only standard HTTP GET information (e.g., browser type, version, language, OS).
  • One HTTP response was sent back containing the GIF (a blank, transparent icon).
  • The number of times that the GIF was requested was used in reporting (the IP address was not used in reporting).
  • On the management server, we could view how many requests had been made for the GIF associated with the e-mail. No other information was provided. (This is the same way that common web page counters work.)
  • The tag was visible at the end of the e-mail if you used a text mail client or you viewed the original message source.
  • Opening the message multiple times would not generate multiple requests if the mail client caches HTTP objects.
  • Many spammers will often include your e-mail address, or a unique identifier, to track specifically what e-mail addresses are valid. Thus, opening a piece of spam in an HTML capable e-mail client will ensure you get more spam from them. This was not the case with this tracking tag.
  • There is an option in Outlook Express to “Read all messages in plain text.” If the user had this option checked they would not have requested the tag.
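Added here as an illustration (not part of the post or of Microsoft's newsletter): a small Python check that decodes a quoted-printable HTML body the way a mail client does, then lists the remote images matching the beacon pattern in the details above (1x1 size or a serial-like path segment). The sample body is constructed; only the pens.tm500.com URL and the serial come from the newsletter's own example.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in quoted-printable form, as a mailer transmits it:
# "=3D" encodes "=", and "=" at end of line is a soft line break. The beacon
# URL and serial are the values quoted in the newsletter; the rest is made up.
SAMPLE_QP = (
    "<html><body><p>Newsletter text.</p>\n"
    "<img src=3D\"http://pens.tm500.com/track.php/74D0=\n"
    "265C6D/icon.gif\" height=3D1 width=3D1>\n"
    "<img src=3D\"http://example.com/banner.png\" width=3D600 height=3D100>\n"
    "<img src=3D\"cid:logo\" width=3D120 height=3D40></body></html>\n"
)

class _ImgCollector(HTMLParser):  # collects the attributes of every <img>
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def _px(value):  # width/height attribute -> int, or None if absent/non-numeric
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None

def find_tracking_images(qp_body):
    """Decode a quoted-printable HTML body and return the remote images that
    look like web beacons: 1x1 or smaller, or with a serial-like path segment."""
    html = quopri.decodestring(qp_body.encode()).decode("utf-8", "replace")
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images are embedded and cannot phone home
        w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        serial = re.search(r"/([0-9A-Fa-f]{8,})/", url.path)
        if tiny or serial:  # either signal alone is worth surfacing
            findings.append({"url": src, "host": url.hostname, "tiny": tiny,
                             "serial": serial.group(1) if serial else None})
    return findings
```

A mail client that renders HTML but blocks remote images (or the "plain text" option the newsletter mentions) prevents the GET entirely; this check only tells you which images would have triggered it.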

Truly astonishing! World champions at shooting themselves in the foot! Not a week goes by without them being caught with their hand in the cookie jar.