The e-mail marketing blog
Thursday, January 24, 2008

Most people, as is perfectly normal, are not concerned about the technical details of the e-mail marketing software they use. But they should be. The devil is in the details, and technical ones are very important.

I was reminded of this today while analyzing some commercial e-mails I've received recently.

For example, let's take a look at the URL an e-mail marketing provider generates to track reading stats for its customers (this is a real one; I've only changed the domains for privacy):

<IMG src="http://www.anemailprovider.com:8080/pcmwtg/trackingServlet=idtracking=2&idsend=906077">

Take a look at the evident purpose of each parameter in this tracking URL... What if I change the idsend value a little bit to, let's say, 06078? I've just added a read count to another user.

If I were not a really nice person (which, in fact, I am), I could easily mess up all the reading stats of this provider, making them totally useless to their customers. :-(

Another interesting thing is that this image tag is not pointing to a real image. The URL doesn't even have an extension or a real file name, which is easily spotted by some anti-spam filters. Not a good technical decision.

Now take a look at the typical tracking image we use in MAILCast:

<image src="http://mcs.krasis.es/C/R/MTc5NDA1NCAg.gif">

Well, the name of the image is not very beautiful either, but it is clearly an image file name, and what's more important: all the tracking information is encoded and encrypted in the name of the image, so it is very difficult to tamper with, and the stats are much more reliable.

Another issue involves the tracking of links. A tracked link in the previous sample e-mail looked like this one:

http://www.anemailprovider.com:8080/pcmwtg/trackingServlet?idtracking=1&url=http://www.customerserver.com/landingpage.htm&idsend=906077

Uh?? The same as before, but even worse. I could assign random clicks to anyone, and since the destination is directly embedded in the link, I could easily bypass the tracking too.

A typical tracking link in MAILCast looks like this:

http://mcs.krasis.es/C/L/?V05_122498_MTc0NRB2NCAg

Which is, again, ugly (although not uglier than the previous one, by the way), but it is shorter and doesn't compromise the reliability of the tracking process.

The worst thing about the technical approach used in many e-mail marketing programs, like the one I'm analyzing today, is the unsubscribe link:

http://www.anemailprovider.com:8080/pcmwtg/GestionServlet?type=1&idunsubstemplate=10140&idCustomer=2447&idcontact=1572907

When I type that URL into the browser I get a message saying that I was successfully unsubscribed. But the customer ID and the contact ID are plain auto-numeric values in a database, so if I start trying different values I start unsubscribing all the contacts of all the customers of this provider too! Oh my!!!

Even if I get a message telling me that an unsubscribe confirmation e-mail is going to be sent to me, a malicious attacker could flood the inboxes of all those contacts with unsubscribe confirmation e-mails, which is in fact a cruel attack.

In fact, if I try other values that are not numbers, I could even mount a SQL injection attack against the database, and I don't want to know what a malicious attacker could do with this.
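The difference between the two designs above (raw auto-numeric ids in the query string for the read pixel, the tracked link and the unsubscribe link, versus an opaque token in the file name) comes down to whether the server can tell a token it issued from one a recipient edited. The following is an added example, not MAILCast's code or the analysed provider's code. It assumes an HMAC-SHA256 tag over the packed (purpose, send id, contact id, target URL) payload, which makes the token tamper-evident without needing encryption (the post's scheme also encrypts; that part is not reproduced here), a placeholder tracker host, a constructed in-memory SQLite schema, and the id values quoted in the post as sample data. Because the contact id is taken from the verified payload and the query is parameterised, neither guessing a neighbouring id nor supplying a non-numeric value reaches the database.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct

# Constructed demo secret: a real deployment loads this from a key store, never hard-codes it.
SECRET_KEY = b"constructed-demo-secret-not-for-production"
TAG_LEN = 16                                # 128-bit truncated HMAC-SHA256 tag
BASE = "https://tracker.example.invalid"    # placeholder host, not the post's real one


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(kind: str, send_id: int, contact_id: int, url: str = "") -> str:
    """Authenticated token: kind || send_id || contact_id || url || HMAC tag.
    kind is a one-letter purpose (R read pixel, L link, U unsubscribe), so a token
    issued for one purpose cannot be replayed for another."""
    payload = kind.encode("ascii") + struct.pack(">II", send_id, contact_id) + url.encode("utf-8")
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    return _b64e(payload + tag)


def parse_token(token: str, expected_kind: str):
    """Return (send_id, contact_id, url) if the tag verifies and the purpose matches, else None."""
    try:
        raw = _b64d(token)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 1 + 8 + TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected) or payload[:1] != expected_kind.encode("ascii"):
        return None
    send_id, contact_id = struct.unpack(">II", payload[1:9])
    return send_id, contact_id, payload[9:].decode("utf-8")


# URL builders: the only thing the recipient ever sees is the opaque token.
def read_pixel_url(send_id: int, contact_id: int) -> str:
    return f"{BASE}/C/R/{make_token('R', send_id, contact_id)}.gif"


def tracked_link_url(send_id: int, contact_id: int, target: str) -> str:
    return f"{BASE}/C/L/{make_token('L', send_id, contact_id, target)}"


def unsubscribe_url(send_id: int, contact_id: int) -> str:
    return f"{BASE}/C/U/{make_token('U', send_id, contact_id)}"


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the provider's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, unsubscribed INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE reads (send_id INTEGER, contact_id INTEGER)")
    db.execute("CREATE TABLE clicks (send_id INTEGER, contact_id INTEGER, url TEXT)")
    db.executemany("INSERT INTO contacts (id) VALUES (?)", [(1572907,), (1572908,)])
    return db


def handle_read(db: sqlite3.Connection, filename: str) -> bool:
    """GET /C/R/<token>.gif: record a read only when the token verifies."""
    if not filename.endswith(".gif"):
        return False
    parsed = parse_token(filename[:-4], "R")
    if parsed is None:
        return False
    db.execute("INSERT INTO reads VALUES (?, ?)", parsed[:2])
    return True


def handle_click(db: sqlite3.Connection, token: str):
    """GET /C/L/<token>: record the click and return the redirect target, or None.
    The target lives inside the signed payload, so it cannot be swapped or stripped."""
    parsed = parse_token(token, "L")
    if parsed is None:
        return None
    db.execute("INSERT INTO clicks VALUES (?, ?, ?)", parsed)
    return parsed[2]


def handle_unsubscribe(db: sqlite3.Connection, token: str) -> bool:
    """GET /C/U/<token>: the contact id comes from the verified payload, never from
    loose URL text, and the query is parameterised."""
    parsed = parse_token(token, "U")
    if parsed is None:
        return False
    cur = db.execute("UPDATE contacts SET unsubscribed = 1 WHERE id = ?", (parsed[1],))
    return cur.rowcount == 1


def tamper(token: str) -> str:
    """Change one character inside the token, standing in for someone editing an id by hand."""
    ch = "A" if token[2] != "A" else "B"
    return token[:2] + ch + token[3:]


if __name__ == "__main__":
    print(read_pixel_url(906077, 1572907))
    print(tracked_link_url(906077, 1572907, "http://www.customerserver.com/landingpage.htm"))
    print(unsubscribe_url(906077, 1572907))
```

Two design choices are worth noting. The purpose byte means a read-pixel token that leaks through a forwarded e-mail or a proxy log cannot be turned into an unsubscribe request, and `hmac.compare_digest` keeps the tag check constant-time so the tag cannot be recovered byte by byte through response timing.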

This is a very critical sample, but in fact a real one, extracted from an e-mail I received this week. Just yesterday I received at least two newsletters that had this kind of issue; they are more common than you may think.

So the moral is: you don't have to be technically savvy to use e-mail marketing or newsletter software, but it is very important that you get advice from a skilled programmer or technician so that you don't have problems in the future. In fact, you should get advice with any software you purchase, and this gets more important when you're dealing with your image and your customers' privacy.

By: José Manuel Alarcón Aguín | Thursday, January 24, 2008 11:02:56 PM (Romance Standard Time, UTC+01:00)
Tags: Email Marketing
© 2008, (c) krasis Consulting S.L.