The pitfalls of web mail
Yahoo! seem to have the knack of putting their collective foot in it.
I was checking my Yahoo profile, wondering why the picture had disappeared from it, and why some users of YahooGroups mailing lists I run were being told suddenly that they were not authorised to post.
Then I saw they offered to import addresses from other providers, and thought I would try that, since I haven’t updated my Yahoo contacts list for three years or more.
They had a third party to do the transfer.
The third party asked a few questions:
1. Do you want us to tell everyone you’ve switched to a new Yahoo address? (No)
2. Do you want to change all your e-mail to your new Yahoo address? (No)
3. Do you want to copy your address book to your Yahoo address? (Yes)
So what do they do? They do 1, which I did not ask them to, and did not do 3, which I did ask them to do. They sent a message to everyone in my Gmail address list, telling them I have a “new” Yahoo address, and asking them to change to that in their address book.
I do not have a new Yahoo address, I have a very old one, which I’ve had since 1996. I found Yahoo mail very unreliable, so I switched to Gmail for web mail. At one point, in 2006, I lost access to my Yahoo address for 6 months, and could not log in to it. When access was restored, all my archived mail had been deleted (that happens if you don’t log in for more than three months). Since then, about 99,5% of the messages at my Yahoo address have been spam. I read it about once every 3-4 weeks, and delete the accumulated spam. So if you send me a message to the Yahoo address, I’m not likely to read it soon, and it might not stand out from the spam, so I might inadvertently delete it and never read it.
For web mail, I still prefer Gmail to Yahoo because:
- It has a less clunky user interface
- It puts the signature at the end of the message where it belongs — Yahoo have taken to putting it at the beginning.
- It has a much more efficient spam filter — 99,5% of my Yahoo mail is spam, 99,5% of my Google mail is not spam
- Yahoo have proved unreliable in the past, and I don’t trust them since the time that my Yahoo mail didn’t work from July to December 2006 and they lost all my archived messages
So now I had to send messages to all the people in my Gmail address list to tell them that the message they had received about my change of address was a hoax, and that they should not put my Yahoo address in their address books, because if they sent me a message there I might inadvertently delete it along with all the spam.
It was easier said than done, because there were errors in the Gmail address list, and I’d got up to “L” in the alphabet when Google informed me that I’d sent too many messages already, and must wait 24 hours before sending any more, as part of their anti-spam policy. So now the people from M to Z are sending me messages to say that they have changed my address in their address books. They’ll have to wait for tomorrow for my message informing them that it was a hoax, and they shouldn’t bother to change it, or rather, they should go through all the bother of changing it back again!
And, what is more, the hoax message sent out by Yahoo’s third-party group, Trueswitch, was sent out with Lazy HTML. Lazy HTML is a trick used by spammers and distributors of malware. Some legitimate organisations, who don’t know any better, also use it for newsletters and things like that. But legitimate or not, I delete them unread, because my mail reader is set not to display the links.
This is the message my mail reader displays when I receive messages with Lazy HTML:
Message contains potentially dangerous “Lazy HTML” data
This message contains data that includes references to items that are not present on your computer — typically graphics or frames stored on a remote system on the Internet and accessed using HTTP URLs.
This type of message, called “Lazy HTML”, can represent a privacy or security risk, for the following reasons:
- It can be used to send information about you without your knowledge, including the fact that you read the message, when you read it, how often you read it, whether or not you forwarded it, your computer’s IP address and more.
- It can be used to download unauthorised programs to your computer. This is a common vector of attack for viruses and Trojan horses.
Pegasus Mail protects you completely from any problems associated with this kind of data, because it never downloads remote-linked items by default. A side-effect of this is that remote-linked graphics in the message will display as grey boxes in the Pegasus Mail message reader.
So instead of trying to puzzle out what might be in the grey boxes, I just delete it unread. Trueswitch sent out a hoax spam message in my name to everyone on my Gmail address book, when I specifically hadn’t asked them to, and used the spammers’ trick of writing it in Lazy HTML.
So if you’re on Yahoo, and you see tempting offers to import your address books from elsewhere via Trueswitch, be very, very careful. And be prepared for some unasked-for and unexpected consequences. It’s not simple like importing it into Facebook or MySpace (though even that has dangers), but does much more.
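As an added example (not part of the original post and not Pegasus Mail's code), here is one way a mail reader could make the check that the “Lazy HTML” warning above describes: walk the HTML parts of a message and list the items that would be fetched from a remote system when the message is displayed. The tag list, the sample message and its `.example` addresses are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumed list of tag/attribute pairs fetched automatically on display; a real reader may check more.
AUTO_FETCHED = {("img", "src"), ("iframe", "src"), ("frame", "src"),
                ("script", "src"), ("link", "href"), ("body", "background")}
REMOTE_PREFIXES = ("http://", "https://", "//")   # "//host/..." is protocol-relative

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote = []          # (tag, url) pairs pointing outside the message

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            # cid: and data: items travel inside the message, so only remote URLs count.
            if (tag, name) in AUTO_FETCHED and url.lower().startswith(REMOTE_PREFIXES):
                self.remote.append((tag, url))

def find_lazy_html(raw_message):
    """Return the remote-linked items in every text/html part of a message."""
    finder = RemoteRefFinder()
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    finder.close()
    return finder.remote

# Constructed sample message (not the one described in the post).
SAMPLE = """\
Subject: New address
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Please update your address book.
--b1
Content-Type: text/html

<img src="cid:logo@switch.example" alt="logo">
<img src="http://track.switch.example/open.gif?id=12345" width="1" height="1">
<iframe src="//ads.switch.example/frame.html"></iframe>
<a href="http://switch.example/help">Help</a>
--b1--
"""
if __name__ == "__main__":
    print(find_lazy_html(SAMPLE))
```

The embedded `cid:` image and the ordinary link are not reported, because neither causes a download when the message is merely opened; the remote image and frame are the items a reader like Pegasus Mail would replace with grey boxes.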