Equifax - Warning! You might not get their fraud alerts!

GraceCourt Posts: 335 Forumite
edited 11 December 2010 at 9:47PM in Praise, vent & warnings
I will try and keep this simple and non-technical, but consumers ought to be aware that, due to the e-mail servers used by Equifax Plc not being configured according to the technical "rules" governing the running of the Internet (agreed by the IETF, the "Internet Engineering Task Force"), some e-mails sent out by the company, which will include alerts to people paying for their 'Fraud Prevention' services, will not be delivered.

In short, IETF RFC2822 says that any SMTP (Simple Mail Transport Protocol) mail server - that's a fancy name for an e-mail server! - must accept inbound mail addressed to 'postmaster' at every domain for which that server handles mail, including outbound mail. So, for Equifax, that would be postmaster@equifax.co.uk or postmaster@equifax.com as the case may be. Now, there is a mechanism called "Sender Callout Verification" (SCV), which is a very useful anti-spam mechanism, because a huge amount of spam (unsolicited bulk commercial e-mail) comes from non-existent e-mail addresses. What happens is that, as soon as one mail server (the "outbound" server) tries to deliver an e-mail to a second ("inbound" server), the inbound server delays acceptance whilst it quickly tries to send a dummy e-mail to the address declared by the outbound server to be the one from which the incoming message is being sent. If that attempt fails, the incoming message is refused. "Greylisting" (deliberately asking for delivery to be deferred because most spam e-mails aren't retained for a second delivery attempt) still works with this mechanism.

Normally, the declared sending address (the "envelope-from header" in the SMTP protocol) is the same as the address of the actual sender, but it doesn't need to be. However, it is the "envelope-from" address that is the one used for SCV, so it does have to exist. Many servers use the postmaster address for this, which normally, because of the requirements of RFC2822, isn't a problem. You can see what's coming now... Equifax's servers don't accept mail addressed to postmaster, so anyone whose mail server uses SCV will never receive mail from them.

I've raised this a number of times with Equifax using their online (secure) customer service system, but the company has failed to respond. My messages make it very clear that their e-mail system is improperly configured, and that its failure to comply with RFC2822 means that many of their customers will *not* receive the security alerts for which they might be paying. :eek:

It's unclear whether that would mean that the company is consequently liable if someone doesn't get an alert about theft of their identity, but it's a complete mystery why Equifax won't acknowledge the problem or even respond on this issue.

PS - It probably won't come as a huge surprise to readers of MSE's excellent forum that Santander Plc has the same misconfiguration... so if you aren't receiving any response from Santander to your e-mails, this could well be why!
This discussion has been closed.
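
The sender callout check described in the post above, as an added example that is not part of the original post. It is a Python sketch in which `FakeMX`, `classify`, `callout` and the `sender.example` addresses are assumed names and constructed data; it shows why mail with a `postmaster@` envelope-from is refused when the sending domain's server does not accept that mailbox.

```python
import smtplib


class FakeMX:
    """Constructed stand-in for the sender domain's mail server (no network).
    It exposes the same helo/mail/rcpt/quit methods as smtplib.SMTP."""

    def __init__(self, mailboxes):
        self.mailboxes = {m.lower() for m in mailboxes}

    def helo(self, name=""):
        return 250, b"hello"

    def mail(self, sender):
        return 250, b"sender ok"

    def rcpt(self, recipient):
        if recipient.lower() in self.mailboxes:
            return 250, b"recipient ok"
        return 550, b"mailbox unavailable"

    def quit(self):
        return 221, b"bye"


def classify(code):
    """Map an SMTP reply code to what the inbound server does with the message."""
    if 200 <= code < 300:
        return "accept"
    if 400 <= code < 500:
        return "defer"   # temporary failure: the sender is expected to retry
    return "reject"


def callout(envelope_from, server):
    """Probe envelope_from on the sender's own server; no message body is sent."""
    try:
        server.helo("inbound.example")
        code, _ = server.mail("")          # null sender, so the probe cannot bounce
        if classify(code) == "accept":
            code, _ = server.rcpt(envelope_from)
        return classify(code)
    except (smtplib.SMTPException, OSError):
        return "defer"                     # server unreachable: try again later
    finally:
        try:
            server.quit()
        except (smtplib.SMTPException, OSError):
            pass


# Constructed mailbox lists: one server accepts postmaster, the other does not.
compliant = FakeMX(["postmaster@sender.example", "alerts@sender.example"])
misconfigured = FakeMX(["alerts@sender.example"])
```

Because `callout` only uses `helo`, `mail`, `rcpt` and `quit`, a mail administrator can pass it a real `smtplib.SMTP` connection to their own domain's server to see how a callout-enforcing recipient would treat their envelope-from address.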