Tony Henrich wrote:
@Nina you could have posted what happened without making any accusations or judgmental decisions and solicit explanations. THEN when you receive them, you make your conclusions. There's probably an explanation you have never thought of. Take this as an advice for anything you do in life. There's an explanation for everything.

DNN is open source. Any backdoors or call home features would have been easily discovered. Don't you think after all these years with thousands of eyes looking at the source, someone would have noticed it? and I doubt dnnsoftware would sneak in something like this. It would tarnish their reputation.

BUT if they are sending emails without the client's opt-in permission, the practice might be questionable.

Just a thought.

Here is how I reached my conclusion - 

The email came from a domain that was registered, and pointed a website that was built by a staff member for a friend of his, to replace the domain in an already existing website.

I do not jump to conclusions, I research and see if there is anything on the website that might give cause to have this problem. We do not have check for upgrades, and even if we did, I use the same email address on all installs on our preconfigured blank XD style template.

I've been doing this for 10 years and know how to turn off all the copyright and custom messages and upgrade function and templates that are being used we modify.

This person doesn't know the technology from a bar of soap and doesn't even log in to do the modify the content. She doesn't even know her login, and our staff update the site for her.

Any more information needed to make me question why this email address is getting spam from DNN?

Nina

Actually I do need to apologise - on this particular build my staff member manages - he did not turn off check for Upgrades.

I can confirm the email address that received this unsolicited email, was in fact in that build, and when I did a who is on the domain name, the domain privacy email address XXXXXXX@obscure.com forwarded this email to me.

So I am now 100% sure that if you have notify for upgrades turned on, it exposes the domain name to DNNCorp, who then do a whois search on the website to identify the owner of the domain name and then send an email.

Here is my issue - what right does DNNCorp have to do this and send unsolicited email to people in the first place. This really is gutter marketing because firstly - it's SPAM, secondly - at not point in time do you tell anyone who is using this open source software that you will use the site in this fashion that IF we choose to be notified on upgrades, then we also will receive emails from DNNCORP.

This is not opt in email at all - not in the slightest and it's embarrassing that now I will have to deal with phone calls from people to explain this to them. It doesn't sit well.  But I guess you'll just brush me off again as being over the top, paranoid and bla bla bla.. Nothing new but this goes beyond dark patterns in your behaviour on the website.

Just my 2c on this - 

Nina

Cathal, Tony, Nina, et al - If you look in the source code under - dotnetnuke.services.upgrade in the upgrade.cs file is the method that sets up the url that is being passed back to DNN.  The method in question is called  UpgradeIndicator()

Basically it builds a URL that points to an aspx page on the dnn servers - this URL passes details of the current version hosted on the server - AND since all it is really doing is placing an IMAGE url on the calling page - the called update.aspx page would also see the domain name / ip address and any other public values by simply looking at the HTML header details of the calling page - it does not NEED to send the domain back its always there as a part of the http headers that are passed around with every http request.

This is how the url looks when its placed in an image tag in the superuser ribbon bar / controlpanel.  If there is an update available - then image will be shown an [UPDATE] otherwise its just a single pixel transparent.

http://update.dotnetnuke.com/update.aspx?core=070200&version=070200&type=Framework&name=DNNCORP.CE&id=1650BDB5-2102-4F11-862F-3C4B6832459E&no=1&os=0603&net=0400&db=1100

What is more of convern however - is that it DOES also have the potential to pass back an email address  - every time its called.

When you first install DNN - and you see the GettingStartedPage popup - there is an option at the TOP to enter an email address - which most people assume would just subscribe you to a newsletter of some sort.

BUT in reality - if you DO enter an email address in the subscribe to newsletter field - it is in fact being stored as a part of your portal settings under the value  -  NewsletterSubscribeEmail.

AND - EVERY TIME YOU LOGIN as HOST after that and on EVERY page you visit while logged in - that EMAIL address will be sent as part of the update check image url in the form:

http://update.dotnetnuke.com/update.aspx?core=070200&version=070200&type=Framework&name=DNNCORP.CE&id=1650BDB5-2102-4F11-862F-3C4B6832459E&no=1&os=0603&net=0400&db=1100&email=subscribedemailaddress 

To me there is a fairly serious breach of privacy going on at this point - at NO stage is it made known to anyone that this email address is in fact going to be stored on my local hosting - AND repeatedly sent back to the server every time I login as a superuser.

The fact that it IS being sent back every time a superuser logs in - along with details such as the number portals being hosted, the operating system, net framework, sql server type and the hosts unique GUID - does amount to significant information that could be used for profiling or targeted marketing.

I would strongly suggest that DNN immediately remove the transmission of this email address from the update check url - along with any OTHER details such as the host GUID that could be used to profile or identity the person or persons making that update check request.

Im not saying that DNN is currently using any of that information in ways that could be considered a breach of privacy or breach of trust - but that it is imperative - to remove any doubts that the transmission of that specific sort of information could be used in ways that may possibly breach a persons privacy.

So to be very precise about it - at this moment - anyone installing dnn 720 - and opting to sign up for a DNN 'Newsletter' is opening up a repeated callback that passes a private email address that was given for the sole purpose of a newsletter subscription in a way that could be considered a breach of both trust and privacy - and which COULD be used for profiling or other misuse.

When coupled with an email posted by nina that would appear on the face of things to be a direct attempt to UPSELL someone to EVOQ - there are also some serious questions regarding commercial propriety  that would possible need to be asked.