Email Security Concerns

Well. Someone brought up a good point.


TL;DR

If you're using the old faithful email hack to stop customers getting email, where you put an 'x' at the end of the customer email domain like john.celoria@oraclex.org, don't do that anymore. Instead, put ps.ringcentral.com at the end of the whole email, like john.celoria@oracle.org.ps.ringcentral.com

Long Version

The background

Long time ago. I mean long time ago. We brought up to the product team that not all customers want to have their users get activation emails when we set them up in RingCentral. Simple request. Product tried to implement this, and did in fact stop welcome emails, but that didn't stop other emails. Like here's how you log into the new RC Desktop app, or here's a great way to put in your forwarding setup blah blah.

So to stop customers from getting any emails at all, we instead started putting an 'x' on the end of those emails. Invalid address, didn't go anywhere, customers were happy, we didn't get yelled at, nice.

Eventually we made a cool Donut for activating users, etc. That worked really great, but the platform APIs that it uses required a valid top level domain (.com, .net, .org, etc). So, john.celoria@ringcentral.comX was no longer going to work. Quick solution was to just move the 'x' in front of the top level domain, making the address john.celoria@ringcentralX.com. We started doing that, and it worked great.

The problem

Wellllllll, someone recently pointed out that someone could actually own that web domain. Like, let's say our customer is Oracle. They're pretty popular, and somebody out there can go out on the internet and buy oraclex.com and then it's theirs. This actually happens a lot, because if Oracle ever decided that they wanted to buy that domain, and use it for some cool Oracle project, they would now have to buy it from the person that already owns it. Probably at a huge markup.

Here's a fun story of a guy who did this to Google. They let their ownership of the domain google.com lapse for just a few moments, and the guy bought it. They paid him to get it back. Cause ya know. Capitalism.

The security breach for us would be, if we send a few thousand welcome emails to @oraclex.com and the person that owns it starts paying attention, we could be giving them access to set up the users on our customer accounts! Even make outbound phone calls using the caller ID for Oracle! That's super bad.

The solution

We're really hoping that one day we will never have to think about this nonsense again. Actively trying to find a way to never have to worry about this email stuff, and we can just magically stop sending emails, the way we've always dreamed.

In the meantime though, so that we keep our customers safe, if you need to use this, don't put an X before the domain anymore. Instead, keep the customer's whole email address, and add "ps.ringcentral.com" to the tail end of it. Then that whole thing gets removed, instead of just removing an 'x'.

So, if I'm John Celoria, a user from Oracle, who has an email with Oracle that is "john.celoria@oracle.com", that would now be "john.celoria@oracle.com.ps.ringcentral.com"

When the emails go out, they come all the way back to RingCentral and get safely ignored. Then later on, you change the email, send users welcome emails, the customer is happy, and no one has caused a security breach!

This works with any domain too. Say it was something like "john.celoria@bostoncollege.edu", you change that to "john.celoria@bostoncollege.edu.ps.ringcentral.com" and we're all good to go!
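
Here is the new convention as a small script. It is an added example, not part of the original post and not RingCentral tooling. It appends and strips the suffix, and finds addresses still using the old 'x' hack for a known customer domain. The function names are hypothetical, and the sample addresses are constructed from the ones used above.

```python
SINK_SUFFIX = ".ps.ringcentral.com"  # suffix from the post; the leading dot matters


def park(email: str) -> str:
    """Append the sink suffix to the whole address so mail comes back to RingCentral."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    if domain.lower().endswith(SINK_SUFFIX):
        return f"{local}@{domain}"  # already parked, do not double-append
    return f"{local}@{domain}{SINK_SUFFIX}"


def unpark(email: str) -> str:
    """Strip the sink suffix to recover the customer's real address."""
    local, _, domain = email.strip().rpartition("@")
    if domain.lower().endswith(SINK_SUFFIX):
        domain = domain[: -len(SINK_SUFFIX)]
    return f"{local}@{domain}"


def legacy_x_variants(real_domain: str) -> set[str]:
    """Domains the old hack produced: 'x' before the TLD, or 'x' after it."""
    name, _, tld = real_domain.lower().rpartition(".")
    return {f"{name}x.{tld}", f"{name}.{tld}x"}


def audit(emails, customer_domains):
    """Map each address still using the old 'x' hack to its safely parked form."""
    risky = {v: d.lower() for d in customer_domains for v in legacy_x_variants(d)}
    fixes = {}
    for email in emails:
        local, _, domain = email.strip().rpartition("@")
        real = risky.get(domain.lower())
        if real:  # mail to this domain could reach whoever registers it
            fixes[email] = park(f"{local}@{real}")
    return fixes


# Constructed sample data, reusing the example addresses from the post.
SAMPLE = ["john.celoria@oraclex.com", "john.celoria@oracle.comX",
          "john.celoria@oracle.com.ps.ringcentral.com", "john.celoria@oracle.com"]

if __name__ == "__main__":
    for old, new in audit(SAMPLE, ["oracle.com"]).items():
        print(f"{old} -> {new}")
```

The audit only matches domains derived from the customer domains you pass in, so a real domain that happens to end in 'x' is not flagged.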