In addition to being a developer, Beatrix W manages a few small email servers, which means she sometimes needs to evaluate the kinds of messages arriving and their origins, especially when they're suspicious. One such suspicious message arrived, complete with a few malicious links, and some hints of possibly being the start of a spear-phishing attack.
That was concerning, and as it turns out, the email came through a vendor who specializes in sending marketing emails- but the requested sort (or at least the sort where you got confused about which box to uncheck at checkout and accidentially signed yourself up for a newsletter). So Beatrix tracked down the contact form on the company website.
She filled out the form with a description of the issue. The form had a handy-dandy "Attachments" field, and the instructions said, "Attach the suspicious email with its full email headers." So, she copy/pasted the suspicious email, headers included, into a text file, and attached the text file. She reviewed her work, confirmed that the attachment had uploaded successfully, and then pushed "Send". A copy of her submission arrived in her inbox, attachment and all, so she filed it away and forgot about it.
Two weeks later, the vendor replied.
We were unable to complete your investigation of unwanted email because we did not have enough information. In order for us to address issues you may be experiencing with users of our services sending you unwanted, unsolicited, or otherwise problematic emails, it will be necessary for you to send us the full content of this message including the full headers.
Beatrix paused reading right there, and pulled up her email, and confirmed, yes, she had attached the email, complete with its headers. She went back to the vendor's email reply and continued reading:
Please note that due to security concerns we will not open attachments under any circumstance. You must provide any necessary information in plaintext in the body of your report.
At least they care about their security, if not yours. Though it does raise the question: why does their contact form have an attachments button if you shouldn't use it?
This post originally appeared on The Daily WTF.