NSI Mass E-mailing Raises Security Fears

A mass e-mail solicitation sent Wednesday night by Network Solutions Inc.
has generated a stormy reaction from some customers.

Bearing the subject line “Important information about your domain name
account,” NSI’s e-mail reminds customers that the company will switch Saturday to a new payment policy, previously reported by InternetNews.com, replacing the current
invoice system for new domain names and requiring advance payment by credit card.

What rattled some recipients most, however, was a separate offer in the message to set up a free, Web-based e-mail account hosted by NSI. Included were both a user name and password which recipients were instructed to use to set up an account under the dotcomnow.com domain.

“The big screw-up here is they made no attempt to make it secure,” said
Ralph Brandi, Webmaster for a large telecommunications firm, in an
interview with InternetNews Radio. “The passwords are incredibly easy to guess, because they all follow the same pattern, which is the login name plus the letters ‘NSI’ afterwards.”

According to Brandi, who received three copies of the NSI solicitation, proper security practices call for generating random, less guessable passwords, and then requiring recipients to change them as soon as they sign up for the service.

“I don’t want to overstate the security threat, but the fact that they’ve
created this account in your name and made it so easy for others to break
into it, the threat is that people could possibly masquerade as you and do
damage to your reputation by sending out things under your name without you
even being aware of it,” Brandi said.

Network Solutions spokesperson Cheryl Regan Thursday confirmed the
company sent the offer to a “broad percentage” of its customers, but she
disputed that customers’ security had been threatened.

“The free Web mail isn’t connected to your own personalized e-mail or to your
domain name, so there’s no security breach here,” Regan said. She also
pointed out that all Web-based e-mail services allow individuals to sign up under names other than their own.

Regan said NSI has been offering the free web mail service off its home page since
last January.

In response to the outcry, Network Solutions has begun requiring those who
respond to the offer to change their password at sign-up.
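
The practice Brandi describes (random initial passwords) and the change NSI then made (a forced password change at sign-up) can be sketched as follows. This is an added example, not code from NSI, Integram or the original article; the login `jsmith`, the function names, the record layout and the length and affix thresholds are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def derivable_from_login(login: str, password: str) -> bool:
    """Flag passwords that are the login name plus a short fixed affix,
    the pattern reported in the article (login name + 'NSI')."""
    l, p = login.lower(), password.lower()
    return l in p and len(p) - len(l) <= 4  # threshold is an assumption

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored record never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def provision(login: str):
    """Create an account with a random one-time password.
    Returns (record, temp_password); the caller delivers temp_password once."""
    temp = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)
    record = {"login": login, "salt": salt,
              "hash": _hash(temp, salt), "must_change": True}
    return record, temp

def authenticate(record: dict, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'."""
    if not hmac.compare_digest(_hash(password, record["salt"]), record["hash"]):
        return "denied"
    return "change_required" if record["must_change"] else "ok"

def change_password(record: dict, old: str, new: str) -> bool:
    """Replace the password; refuse reuse, short or login-derived values."""
    if authenticate(record, old) == "denied":
        return False
    if new == old or len(new) < 10 or derivable_from_login(record["login"], new):
        return False
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = _hash(new, record["salt"])
    record["must_change"] = False  # the one-time password is now dead
    return True

if __name__ == "__main__":
    rec, temp = provision("jsmith")              # constructed sample login
    print(authenticate(rec, "jsmithNSI"))        # guess based on the pattern
    print(authenticate(rec, temp))               # first login with temp password
    print(change_password(rec, temp, "jsmithNSI"))
    print(change_password(rec, temp, "correct-horse-battery"))
    print(authenticate(rec, "correct-horse-battery"))
```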

Adding to the confusion of some recipients were the solicitation’s message
headers and instructions for being removed from future mailings — all
pointed to an address at the domain integram.org. According to Regan, NSI
outsourced the dotcomnow mail promotion to Integram Inc., a direct e-mail
firm based in Fairfax, Va. As for the company’s use of a .org
address — registrations which were originally reserved for non-profits — Regan said, “They’re definitely not a non-profit, but there is no clear definition … anyone can register in all three top-level domains.”

Network Solutions (NSOL) has no further plans to send additional mailings touting the
dotcomnow.com service, according to Regan. But Integram president Arpad
Kovacsy said his firm, which specializes in “expedited communications,” expects to handle other programs for the domain registrar and considers the latest a success.

“It’s a huge volume, and for the number of communications we sent out,
we’ve had remarkably little response in terms of direct communications with us, either by email or phone calls, asking for removal.”
