Advertising via Infusionmail/Infusionsoft



WH_Client_N
10-22-2011, 05:03 PM
Hi Westhost,

I recently received what I think is the second instance of an "appears to be arranged by and sent on behalf of Westhost" advertising related email from a host in the infusionmail.com domain and which had links to and HTML images pulled from Infusionsoft.com. It was sent to one of my most private "only extremely rarely given out so as to remain zero spam" email addresses that I gave to you for account related correspondence. This email had a subject of "7 days left to protect your brand from .XXX". The From field jibes with a young Westhost Brand Manager. I'm posting here rather than privately emailing him because this appears to be an instance of a somewhat wider issue... and threat... that I care about and think worthy of a post. Hopefully it will be taken, by all, as an attempt at constructive comment.

One aspect to this issue is the opt-in vs opt-out nature of non-essential, for secondary purposes type email from a company such as yours to its clients. I can't remember what options were presented to me when I signed up (over a decade ago) and I'd have to go fishing to see if there is a way to log into an account page to check and adjust my email preferences. Asking upfront, providing an interface to make changes, and providing a link to a Westhost-hosted opt-out page would seem desirable. The opt-out link in this email looks user-specific and takes you to an Infusionsoft page. I for one would rather have no contact with, let alone confirm a working email address to, such an entity. Having touched upon that, the main point of this message...

In this case it appears that a (well protected/private) email address I gave to you ended up in the hands of, and used by, a third party (Infusionsoft) marketing/CRM firm. Like millions of other Internet users, I have been burned by that type of sharing before. Where it wasn't the company I trusted with my email address but rather the third-party marketing/CRM firm they chose to use that leaked my email address, etc. Epsilon being but one recent, higher profile example of this type of thing. When an email address is shared with such a third-party it generally increases the attack vectors and puts personal information at greater risk. They are high-profile targets. It also often, depending on the specific circumstances, puts one's privacy at greater risk for these marketing/CRM firms technically gain awareness of and sometimes other visibility into one's relationship with numerous companies.

I suppose you would like to focus on your core business rather than developing secondary solutions. However, you are in the hosting and email business and I very strongly suspect you could very easily carry out a mass mailing on your own! We trust our hosting to you, our email to you, and by extension in some cases client information to you. It would be nice if you made every effort to earn and protect that trust including avoiding/eliminating unnecessary client information sharing with third party companies. I think, at least.

So having shared my point of view, I hope you will consider it and I'll watch the thread to see what the comments are. Thanks for everyone's time.

jneeley
10-31-2011, 10:00 AM
Hi, thanks for the comments on the recent email message we sent out. I can assure you this email was 100% from us, sent by us (I personally hit send) and that your email address has not been sold/given/leaked to any person or any company. Infusionsoft simply provides a Software as a Service (SaaS) solution that we started to use to send messages to our clients. No one at Infusionsoft sends emails for us or helps us do so in any way. We decide what we send or don't send; end of story.

I am sorry this came as a surprise to you and hope you'll excuse our dust, figuratively speaking, while we move forward with better emails.

For the last couple years we've used a different SaaS email provider and sent you and all other clients many messages through them. Recently we found that Infusionsoft helped us manage things much more efficiently with better subscription options (like you mentioned and we will be setting up) and other features that help us protect your privacy, permissions and messages.

WH_Client_N
10-31-2011, 03:03 PM
Hi Mr. Neeley, thank you for the reply. Judging from the email headers (redacted)...



Return-Path: mailer@infusionmail.com
Received: from mta-c-24-43.infusionmail.com ([208.76.24.43])
    by XXXXXXXXXXXXXXXXXXXX Fri, 21 Oct 2011 22:33:00 +0000
Return-Path: <mailer@infusionmail.com>
Pool-Debug: hsi value
Pool-Name: default_value
x-sieve: XXXXXXX
Pool-Version: X
Received: from [10.0.0.229] ([10.0.0.229:51875] helo=chase)
    by sureshot (envelope-from <mailer@infusionmail.com>)
    (ecelerity 3.2.2.42971 r(42971)) with ESMTP
    id 47/24-05108-04XXXXXE4; Fri, 21 Oct 2011 18:33:36 -0400
Date: Fri, 21 Oct 2011 18:33:36 -0400 (EDT)
From: Jake Neeley <XXXXXXXXXXXXXXXXXXX>
Sender: mailer@infusionmail.com
To: XXXXXXXXXXXXXXXXX
Message-ID: <XXXXXXXX.XXXXXXXXXXXXXXXXX.JavaMail.tomcat@chase>
Subject: 7 days left to protect your brand from .XXX
Errors-To: mailer@infusionmail.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_55440_2047595246.1319236416502"
X-MailSentId: XXX
X-campaignid: infusion_hsiXXX
BatchId: XXX
X-BatchId: XXX
X-InfApp: hsi
X-InfContact: XXXXX
X-InfSent: XXXXX
Package: value
X-inf-package: value
X-inf-source: MBFR
X-inf-uflags: SO
X-inf-iflags: SO



The web bug (redacted)...



<img height="1" width="1" style="display: block;" src="https://hsi.infusionsoft.com/app/emailOpened/XXXXX/XXX">



and opt-out link (redacted):



https://hsi.infusionsoft.com/app/optOut/8/XXXXXXXXXXXXX/XXXXXX/XXXXXXXXXXXXXX



I'm inclined to think that it is Infusionsoft's systems which executed the campaign. Based on a quick review of the Infusionsoft product, it appears to me that client data would be imported into their system in order to carry out such campaigns. So while you may have been the one to prepare the campaign and no human at Infusionsoft may have been actively involved with the campaign, it appears to me that Westhost client information was provided to Infusionsoft [systems] and could still reside on Infusionsoft systems in the form of an active people database and/or log files from the campaign.

It is this last bolded part that I was referring to. Are you saying that didn't happen? Does Westhost own/protect/operate mta-c-24-43.infusionmail.com, hsi.infusionsoft.com, and mailer@infusionmail.com?
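
The header comparison made in the post above, as an added example that is not part of the original thread: it lists which domains fill each role in the delivery path (envelope sender, relaying host, tracking and opt-out links) and reports those that differ from the From domain. The function names, the sample message and the placeholder From/To addresses are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the redacted post; From/To are placeholders.
SAMPLE_HEADERS = """\
Return-Path: <mailer@infusionmail.com>
Received: from mta-c-24-43.infusionmail.com ([208.76.24.43])
    by mx.recipient.example; Fri, 21 Oct 2011 22:33:00 +0000
From: Jake Neeley <placeholder@westhost.com>
Sender: mailer@infusionmail.com
To: recipient@recipient.example
Errors-To: mailer@infusionmail.com
Subject: 7 days left to protect your brand from .XXX

"""
SAMPLE_HTML = (
    '<img height="1" width="1" src="https://hsi.infusionsoft.com/app/emailOpened/XXXXX/XXX">'
    '<a href="https://hsi.infusionsoft.com/app/optOut/8/XXXX/XXXX/XXXX">unsubscribe</a>'
)

def base_domain(host):
    """Naive last-two-labels reduction (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parties(raw_headers, html):
    """Map each role in the delivery path to the domain that fills it."""
    msg, roles = message_from_string(raw_headers), {}
    for name in ("From", "Return-Path", "Sender", "Errors-To"):
        addr = parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            roles[name] = base_domain(addr.rsplit("@", 1)[1])
    # The topmost Received header is the one added by the recipient's own server.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", received[0]) if received else None
    if m:
        roles["Received-from"] = base_domain(m.group(1))
    for i, host in enumerate(re.findall(r'(?:src|href)="https?://([^/"]+)', html)):
        roles[f"link-{i}"] = base_domain(host)
    return roles

def third_parties(raw_headers, html):
    """Domains involved in delivery or tracking that differ from the From domain."""
    roles = parties(raw_headers, html)
    first_party = roles.get("From")
    return sorted({d for r, d in roles.items() if r != "From" and d != first_party})

if __name__ == "__main__":
    print(third_parties(SAMPLE_HEADERS, SAMPLE_HTML))
```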

wildjokerdesign
10-31-2011, 05:42 PM
No, you are right, the database would be housed on the Infusionsoft servers since they provide the service that WestHost is using, but that is not any different than the last service they used. This is pretty normal for companies to do. In fact I often suggest to clients that instead of trying to handle their email programs themselves that they use services like this. In the long run it is more efficient and secure. The companies are in the business of sending out emails so their systems are optimized for it. They are not going to sell these databases off to other people because it would hurt their own business; that also means they are going to go to great lengths to protect the database.

WH_Client_N
11-02-2011, 08:53 AM
I am aware it has become common and I can actually think of some reasons why such a service might appeal to some companies. I place a high priority on privacy/security though, and tend to emphasize related fundamentals: minimize access to (sharing of) information, honor the information owners' preferences, need to know, compartmentalization, utilize physical protection mechanisms where possible, when you release information you lose control over it and can never get that control back, those sorts of things.

I'm curious, how do you determine if it is "more secure" if your clients utilize one of these services?

wildjokerdesign
11-02-2011, 06:10 PM
I'm curious, how do you determine if it is "more secure" if your clients utilize one of these services?
Because most of my clients are not technically inclined and thus would not know best how to keep the data secure. :)

WH_Client_N
11-03-2011, 12:15 PM
What would be your fall-back if all such services went away? Have you ever looked into turnkey VPS solutions that are pre-configured to be very secure and just perform the functions needed?

wildjokerdesign
11-03-2011, 06:46 PM
Well I really doubt that all such services are going away any time soon. :) Also remember that I said that the people I suggest this to are not internet or computer savvy. These are people who can't even remember to keep such things as form, CMS or blog programs on their hosting accounts updated. I doubt they could handle keeping a VPS up to date.

WH_Client_N
11-03-2011, 07:23 PM
Right, so how can that problem be solved? I suppose a managed VPS would be one option. Another option would be some kind of turnkey VPS with a one-click update/migration mechanism. I thought you might be familiar with what is and isn't available and/or might have some specific thoughts on the subject.

wildjokerdesign
11-04-2011, 05:20 AM
Well yes you could use a company like vps.net which is a sister company of WestHost. I have not explored their "turnkey" options recently so not sure what they offer in terms of bulk mail programs. You still would be spreading your user data to another server/company though just like if you used a service. Even with managed options at vps.net you have more responsibility for managing the program. While they may do the dirty work you would still have to let them know what you want to do. :) It is one reason people go with a vps environment. With the service the running and management of the program is completely out of your hands. All you have to worry about is sending out emails to your customers. For many that is the best situation.

Also Infusionsoft is more than just a bulk mail system. It is a marketing service for increasing sales. I for one have no real marketing training. I have some knowledge of how a car works (or at least I did) but I still go to a service station when I need work on my car done not only because they specialize in it but because they have all the right tools to do the job. :) I consider using a service like this as kind of the same thing.

WH_Client_N
11-06-2011, 10:52 AM
Would you still be making data accessible to another party? Would that be a party that doesn't already have access to it? I feel as though answering those questions would require some others. For example, I think many hosted webservers store email addresses for non-marketing-email purposes and the webhosting company would technically have some access to those. If the site owner does marketing-email from their existing server, nothing at all may change in terms of who has access to what. If the site owner establishes a relationship with a new marketing email service company, that would increase the parties with access to the email address database.

I felt the need to mention a managed VPS simply because that is one approach for those who can't/won't take care of it themselves. However, it is actually the unmanaged, hardened turnkey VPS approach that I think has greater potential from a data protection POV. I don't think it is truly possible to protect a VPS from its host environment. Even if it were running a fully encrypted filesystem, there would still seem to be at least CPU & RAM vulnerabilities. Still, if someone needed a hosted server and wanted to keep the data it stores as secure as possible, I think this approach could have merit. I think in very many cases the goal is to capture and tie customers to a service that produces recurring revenue rather than sell a product that the customer can run on their own platform. So even if it does have merit, I have doubts that the products available are as rich as they could be if the service hype didn't exist. Most companies put their own convenience above protecting customer data. So even where there would be a robust product solution that is as easy to use and maintain as a service, I'm sure many companies would balk due to it taking more than 5 minutes to bring up and/or it not offering the perceived safety of a "professionally run" service.

This is a sad state of affairs I think, and one which affects us all. Underneath the business hat there is always a consumer hat.

WH_Client_N
11-06-2011, 11:04 AM
BTW, I just went looking for the Westhost privacy policy. I found one at http://www.westhost.com/policies/privacy-policy.html which says:

WestHost insures that all personal information being voluntarily submitted to us in the processing of your order (to be used for record and billing purposes, etc.), inclusive, but not limited to, credit card and other personal information, will be kept strictly confidential and used "solely" by WestHost its authorized representatives and employees; for the strict purpose for which it was intended, and for the benefit of the subscriber. We agree not to share, rent, sell or release this information to any individual, entity or third party, for any reason, without the specific written consent of the subscriber; with exception as required by law, regulation or governmental authority. WestHost is committed to protecting and securing all subscriber provided information, through the use of firewalls and additional security measures in place at its physical facilities to protect against the loss, misuse or alteration of such information.

Last Revision September 1, 2002

Perhaps one would argue that Infusionsoft is a representative of Westhost?