Quoting Daniele Nicolodi <dani...@grinta.net>:
On 5/17/18 3:59 PM, Mike Guelfi wrote:
Quoting Noel Jones <njo...@megan.vbhcs.org>:
It seems counterproductive to rewrite a plain-text link... I don't
know if there's a setting in the O365 controls to avoid mangling
plain text, so you may have to live with it.
-- Noel Jones
The worst of it is, MS are inserting themselves in the transaction so
they get to track which links you click in emails.
There's a good security reason to do so.
What MS does is to "check" (whatever that entails) the URL and then
respond to the HTTP client with a redirect. I can envision a very simple
mechanism for which the response served to the MS robot that verifies the
URL is different from the one served to other clients.
Can you please elaborate on what are the "good security reasons" for
which that is a good idea and not simply a form of user tracking?
It's at least a reputation service, which means that if they notice it go
bad after they've already sent you the email, they can still block it when
you attempt to click through on their server.
They might be expending some actual effort like sandboxing to inform their
reputation server, or user reporting, etc. But either way it's better from a
service delivery perspective to allow the email before the testing is complete
and hope you click the link afterwards. They have no warranty on the service
anyway so no downside to them.
That said, I have still asked them to turn it off.
I got a 1st level human to acknowledge it's been escalated, but
nothing else so far.
I think this thread is starting to be wildly OT though...