Today, I received this email an email purporting to be from someone named Courtney Pruitt, whose email address was firstname.lastname@example.org, with the subject line:
Did you submit this comment to the FCC?
The email is the first that I’m aware of receiving in connection with my public comments to the FCC on the net neutrality issue.
My first thought was, “Hey! The FCC hired a research firm to verify which comments were from legitimate senders by emailing the commenters and asking them to verify their comment.”
On closer inspection, however, there is nothing official about this email at all. In fact, there are some suspicious details:
- The domain name, fcccommentsresearch.org, was registered via Namecheap on August 9, 2017.
- The domain name was registered with privacy turned on, which means that the public WHOIS shows proxy information rather than the details of the actual registrant.
- The statement, “We are investigating comments submitted to the FCC website on a public filing about net neutrality.” could be true of the email’s sender. It doesn’t actually even imply that the FCC has anything to do with the research nor the sending of the email message I received.
- This statement, “Responding to this email with help us verify real comments so that we can discover how the public truly feels about net neutrality.” is even more telling. Whoever “we” refers to, “they” want to know how the public truly feels.
- The message was sent via Mandrill, a bulk email service provider owned The Rocket Science Group, parent company of MailChimp.
The Mandrill platform allows for open tracking, and although I haven’t actually done a thorough analysis, I suspect this message contains a beacon for the purposes of open tracking. Thus, the sender knows that I’ve looked at the message.
I did not, however, click any links, nor did I take the action requested, which was to reply with a “yes” or “no” to the question of whether or not I actually submitted the comment that they quoted.
The message began:
Dear David Johnson,
According to the FCC website, you wrote a comment on 2017-07-14 10:37:46 about Net Neutrality.
Could you confirm that you submitted it by replying “Yes” to this email? If you did not submit this comment, please reply “No.”
The text of the message attributed to you is:
I’m redacting my comment here, although the email message I received did appear to have something I wrote (I didn’t actually check it thoroughly).
Then the email was signed as follows:
Data Analyst with Ragtag
Why you are receiving this email:
We are investigating comments submitted to the FCC website on a public filing about net neutrality.
Your name/email is attached to a duplicate comment, and we just want to make sure it was you who submitted it. You can see the comment on the FCC website here: https://www.fcc.gov/ecfs/filing/XXXXXXXXXXXXXXX [redacted]
Responding to this email with help us verify real comments so that we can discover how the public truly feels about net neutrality.
The refid at the bottom of the message is presumably a unique identifier which could be used by the receiving system to automate the analysis of replies.
I’ve always been mildly alarmed by the need to put my email address into information that will be displayed, unredacted, to the public. This makes my information susceptible to scraping. Whether or not this is actually a good idea is open to debate, as far as I’m concerned.
But since this is the first time that I’m actually becoming aware that my publicly-displayed email address has actually been used to contact me (and I’m only aware of this occurrence because it makes reference to my actual comment), this is my chance to voice my concern publicly.
Who is it that has scraped my comment and my email address?
Why do they take significant steps to mask their identity?
No Google search for “Ragtag” with phrases including “data analyst,” “data analysis,” or even “Courtney Pruitt” turned up anything useful. And I refuse to click the link for the word “Ragtag.” It’s destination URL is being masked by the Mandrill bulk email process in order to allow for click tracking by the sender.
Who has the resources to pay for this kind of research?
My concern on the net neutrality issue is that the big ISPs like Comcast, Verizon, etc. are the ones who would conduct research like this so that they could manipulate the outcomes of the research. Am I jaded and cynical? Probably.
If you’re a legitimate researcher, why not be more open about this research?
Will the data be shared publicly? If so, by whom? When? Where?
I don’t normally take the time to write about phishing emails. Maybe this is legitimate research, and maybe it isn’t.
Whatever it is, it rubbed me the wrong way.