Spam or not spam — I cannot tell, dear United Healthcare

Occasionally I get e-mail that looks like this. I cannot tell whether this is spam or a just very badly made actual e-mail from United Health, my health insurer:


Here’s the evidence:

  • Sender: Looks very suspicious, as anybody can register a domain like that.
  • Googling the e-mail address produces 18 hits, on mostly strange websites. Not one is an official United Healthcare website that mentions this e-mail address or domain.
  • The formatting! It’s non-existent. I do delayed-image loading to avoid telling them spammers I read their mail. Perhaps that’s why. But I won’t hit “load images” exactly for that reason!
  • Accessing the domain in the browser produces a “The page you requested is not available.” error message that looks like it came from some piece of software a company like United Health might actually have bought.
  • whois information says that domain is registered to ExactTarget, a marketing firm. Entirely possible that United Health would use them for e-mail distribution.
  • I could click on one of those links, but I won’t, because if it is spam, it means the spammer “got me” and might send some malware down in my direction. (Also, the identifiers are long enough to uniqely identity not just every person in the world, but every bacterium!)
  • The program that the e-mails talks about indeed exists. But any spammer could have copied that.
  • A company as big and slow as United Healthcare of course could be doing all of this, blissfully unaware just what kind mess this is. So it could be real.

But who knows? Dear United Health, if you read this, and you wonder why your e-mail campaign has zero uptake among security-minded individuals, this is why.

This is a great example that digital identity on the internet does not just need to be about individuals authenticating against corporate websites, but also corporates authenticating against individuals. Not something anybody in identity land usually works on.