The Perceptus Back Story

I care about email security and transparency of email content a lot.  I deal with it all the time as a contractor who produces a email newsletters for local retailers.  I’m also the guy who teaches end users (including family) to be extremely skeptical about all the email they receive because 90% of it is fake, SPAM, and scams.

So, I get peeved when larger firms do email communications wrong.

Today I received an email invite from a company claiming to do work for Fido.  I think it’s cringe-worthy.

My first step in my research was a quick glance at the Fido homepage – no mention of a new survey program, though, I didn’t really expect to find one.

Looking strictly at the email itself then, here are some tidbits:

Subject line:  Invitation to Join the Fido Listens Panel

OK so far.

From: Fido Listens Team <fidolistens@itracks.com>

Who is iTracks.com? I’ve certainly never heard of them.  Definitely a yellow caution flag.

The email copy talks about a survey and some prizes for participating in Fido’s latest customer feedback thing.

A lot of scams offer prizes or financial incentives.   Can you get two yellow caution flags?  Or maybe just upgrade to a larger one.

The survey link goes to  https://surveys.itracks.com/survey/RogersFido_4?ID=xxxxxxx.

Well,  iTracks.com hosts the survey.  Their homepage looks legitimate at least.  Funny, I was expecting iTracks.com to be an online MP3 store.

And a support email address of support@fidolistens.ca.

Wait, now what is fidolistens.ca? More on Fido Listens later on.

And a contact mail address of Ipsos Reid, a well respected research firm based in Vancouver.

Ah! I’ve heard of them. Actually, I know people who have worked there. Of course, anyone can write an email with someone else’s legitimate mail address.

So, let’s review. Yes, I am a Fido cellphone user.  But who is iTracks.com?  Do I really believe that they got my email address from Fido? Who is FidoListens.ca?  And is IPSOS really involved?

fidolistens.ca?  At least this was somewhat comforting.  The vanity domain of fidolistens.ca forwards to https://iaf.ipsos.ca…, i.e. a page belonging to IPSOS and transparently hosted by them on their own domain.

In the end, I feel comfortable doing a survey that is hosted by IPSOS.  But that’s only because I know that IPSOS Reid is a legitimate firm.  A little over a year ago I ranted about another Fido survey attempt in my blog post, How to Properly Use 3rd Party Web Services, I didn’t feel comfortable with the firm conducting that survey.

If you are using a 3rd party firm for surveys or anything that is customer related, please make it easy to verify that it’s legitimate.  At Papaya Polls, we offer to host our pages under your own subdomain.  It works great and it is very confidence inspiring.  I would have zero hesitation in doing a survey which had a web address of http://fidolistens.fido.ca or http://surveys.fido.ca.

Anyway, enough ranting.  Time to enjoy the sun.

Quick note to all who use the various Perceptus web sites, particularly our bingo card site and our hosted survey site:

Our virtual private server hardware was upgraded.  A couple hours of downtime occurred.  We’re sorry for the inconvenience.  Unfortunately, our provider did not give us much of a warning. Things seem to be up and running, but a bit slow – I think that will fix itself soon.

Today I got an email marketing message from Fido, my cellphone provider.

Probably.

Unfortunately, Fido used a third party email and contest manager that makes me unsure if the email is real or a scam.

The email “from” line looks good: fido.communication@fidomobile.ca.

But it’s trivial to fake a “from” line.

The email “reply-to”: fido.communication(xxxxxx)@mail.konversation.com

I removed the x’s which I suspect are unique to my email address and used for mail list management.  It doesn’t really matter.  Is this address confidence inspiring to the non-technical user? Nope.

Worse, the email is about a contest.  In the email there is a link to enter the contest:

http://kmkapp01.konversation.com/Fido/eNewsletter/Default.aspx?langue=en

What is Konversation.com?  And why should I enter my phone and other info into a website that doesn’t even spell conversation properly? (That’s a joke, I realize it’s a cute mispelling used for a website name).  Sure, there are Fido logos in the email and on the web page.  But who knows?  I’ve seen fake bank websites that also look authentic.  It’s easy to copy logos and verbage.

In the end, I decided to skip this contest.  Who knows if it’s a real contest or not.  Besides, I never win prizes anyway.

What should companies do?  Use their own domain for everything because they’re much harder to use fraudulently.  If they choose to outsource bulk email, use a provider that can use “bulkmailer.example.com” for their messages.  For contests?  “contests.example.com”.  For surveys, “surveys.example.com”.

In fact, that’s exactly what we offer with the custom survey domain feature of PapayaPolls.com.  We have several clients who host surveys using a subdomain of their primary domain.

It works for everyone.  The end survey respondents are confident that the survey is legitimately from our customer.  Our customers are happy that their survey respondents are confident, and thus willing to answer the survey.  And we’re happy to have paying customers.

So there you go.  A rant and an advertisment for one of our websites all rolled into one.  Not bad for a Friday afternoon.

To our valued users of our websites, especially those at PapayaPolls.com and Print-Bingo.com, we’re sorry.

Due to circumstances that were generally outside of our control, Perceptus’ virtual private server was down for 3-4 days (there were a couple multi-hour stints of uptime here and there).

The long story, short:

Our VPS provider (a VPS is a super-fancy variant of web hosting), with whom we’ve hosted for the last three years or so, had a border router go down badly on Friday.

Now, when we were choosing a VPS provider, we specifically looked for one that had fully redundant power, networks connections, reasonably intelligent sounding support, etc. This one did and still does advertise as such; however, as we’ve now discovered, this supposedly fully-redundant network of our VPS provider turned out to be mostly redundant with at least one single point of failure exception. When this border-router went down, there was no backup link, nor was there a convenient replacement unit for a quick swap. So their network went dead to the world for hours.

Eventually, our VPS provider fixed their network. However, the Perceptus’ VPS remained down. Several email tickets and live chats with support later, they figured out what was wrong, and the Perceptus VPS is finally up again on Monday.  It’s been several hours now, so our fingers are crossed that this might actually be over.

I won’t name our provider, but if you poke around enough, you’ll figure out who our VPS provider is. Suffice it to say that for the time being, don’t ask me for a VPS recommendation… I don’t have anyone to recommend. I don’t really blame them for the first few hours of downtime, overall I’ve been quite happy with them. But when a few hours stretched to a few days, they lost a lot of goodwill with me.

Lessons learned:

1. When things go down and you’ve got no control over the fix, start implementing a fall-back plan right away. Even if someone who claims to be in a position of knowledge says it will be fixed in a few hours, start the work on the fallback plan anyways. Nine times out of ten, things will get fixed before you have to go live with Plan B, but your time isn’t wasted. Consider it a test-run of your backup plans for the one time that you will be very happy that you did start on Plan B ASAP.
2. When possible, avoid single-points-of-failure, this includes your web host. Ironically, our VPS provider did a survey about a month ago asking about our interest in “high availability VPS’”… guess what would have happened to one of these last week? Yep, it would have been down anyway because the problem was at a choke point higher up the chain than the server.
3. When choosing a web host, ask if they actually have staff in the same city as their data centre. If they are just relaying tickets to the data centre staff, they don’t really have control over when anything is done either. I don’t know if our VPS provider had such a setup when we first signed up, but I have every indication that they weren’t physically in the data centre this weekend.

The Future for Perceptus’ Web Server:

We’ll be looking at setting up a fail-over server on a totally separate network, completely unrelated to our current setup. The only question is how will we do it relatively cheaply and with relatively low maintenance. We’ll post something when we figure it out.