Couple of days ago I was thinking to try some mass mail software on my server for sending personalised messages to all my clients from time to time to make my life a bit more easier. So I found phpList script which had really good reviews and I thought lets give it try!
I’ve installed script, set it up without paying much attention to it and imported few dummy contacts for testing. I’ve also imported real contact list of my clients to just save the time, which I guess was big big mistake. Since I’ve never used something like this in past and of course I did not paid enough attention to set it up properly – of course testing emails was send not only to my dummy testing emails but to all lists. Pretty bad foo-pa right?
Few of my clients actually contacted me and told me about this. I though for a minute that script was compromised or email or something went terribly wrong, but when checked server logs and script it self, I found that everything was just fine and nothing was compromised. Those emails was simply send out somehow to all contacts in that phpList script which resulted in action from me to remove that script from my server asap and possibly never use it again.
Lesson learned – when testing something new make sure you only use dummy data to prevent foo-pas like this one.
From that moment all emails from me are and will be signed by gpg key to verify my identity and the fact that email is actually really from me.