Legal disclaimers

by Volker Weber

[Screenshot: invalidsig.png]

We like to repeat all the stupid mistakes others have made. I am not going to explain why legal disclaimers don't work here. Udo Vetter has done this before (sorry, cannot find the permalink).

What we can see, however, is that besides being useless, they also break the message. First of all, your X.509 signature becomes useless: adding the disclaimer changes the signed message, so the receiving mail client will flag it as tampered with.

Second, the implementation is often very flawed. In this case you can see one character missing (? instead of ß) because the disclaimer is not encoded correctly.

The good news: This disclaimer is only a few lines long. I have other respectable customers who show their legal ignorance with two pages of disclaimers. Too bad, if your business is closely related to legal counsel.
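Both failures described above, as an added example that is not code from the original post: a change to the headers leaves the signed content alone, while an appended disclaimer changes it, and a disclaimer encoded in the wrong charset loses its ß. The sample message, the disclaimer text, the `X-Spam-Score` header and all function names are constructed for illustration, and a plain SHA-256 over the body stands in for full S/MIME verification.

```python
import hashlib

# Constructed sample message (not from the post): headers, blank line, signed body.
RAW = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Content-Type: text/plain; charset=iso-8859-1\r\n"
    b"\r\n"
    b"Please find the offer attached.\r\n"
)

# Constructed disclaimer text containing an eszett (U+00DF).
DISCLAIMER = "Musterstra\u00dfe 1, vertraulich"


def signed_digest(raw: bytes) -> str:
    """Hash of the body bytes only. Simplification: a real S/MIME client hashes
    the signed MIME part and checks a CMS signature over that digest."""
    _headers, _sep, body = raw.partition(b"\r\n\r\n")
    return hashlib.sha256(body).hexdigest()


def add_header(raw: bytes, name: str, value: str) -> bytes:
    """Header-only change: the body after the blank line is untouched."""
    return f"{name}: {value}\r\n".encode("ascii") + raw


def append_disclaimer(raw: bytes, text: str, charset: str) -> bytes:
    """Gateway appending text to the body after the sender has signed it.
    Characters the chosen charset cannot represent are replaced by '?'."""
    return raw + text.encode(charset, errors="replace") + b"\r\n"


def signature_survives(original: bytes, delivered: bytes) -> bool:
    """True if the digest the signature covers is the same on both sides."""
    return signed_digest(original) == signed_digest(delivered)


if __name__ == "__main__":
    tagged = add_header(RAW, "X-Spam-Score", "0.460")
    correct = append_disclaimer(RAW, DISCLAIMER, "iso-8859-1")
    mangled = append_disclaimer(RAW, DISCLAIMER, "ascii")
    print("header added, signature survives:    ", signature_survives(RAW, tagged))
    print("disclaimer added, signature survives:", signature_survives(RAW, correct))
    print("wrong charset, end of body:", mangled[-29:])
```

A correctly encoded disclaimer still changes the digest, so fixing the charset repairs the ß but not the signature.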

Comments

This is one thing I do like about the new disclaimer function in Notes/Domino V7.

In ND7 the disclaimers are added at the client side and not at the server side. By doing this the disclaimer can be added before the message is converted to MIME or S/MIME. The administrator also has the option to turn off disclaimers on encrypted emails to give true 'untampered' emails if they wish.

Declan Lynch, 2004-12-15

It isn't just disclaimers that break signatures of course. I have some evidence that some AV software also does.

BTW, here's what I think of disclaimers.

Chris Linfoot, 2004-12-15

I know that the Domino add-on virus scanner in our organization messes up the Notes signatures as well, as soon as there's an attachment in the message. Very bad, since e-mails with malicious attachments pose the biggest threat in Notes. Most of the JavaScript and simply all ActiveX based stuff can easily be caught.

Ragnar Schierholz, 2004-12-15

Nice writing, Chris. Highly recommended, everyone!

Ragnar, when x.509 was introduced for Domino I tested this with then CTO Nick Shelness. It did not work for me. As it turned out, Norton Antivirus did a MIME-CD-MIME round-trip since it was only able to scan CD messages. Once I had removed NAV, the problem went away.

Chris, what happens with spam filters? They add stuff to the header, which should be fine, I suppose.

Volker Weber, 2004-12-15

Yup. Well behaved spam filters do just that. SpamAssassin is the obvious open source one but commercial packages tend nowadays to work in a similar way. For example, Trend Scanmail for Domino version 3 adds X- headers with a spam score if the anti-spam feature is enabled (including a signed email I have here from you) and the signature is fine. Your spam score FWIW:

X-TM-AS-Product-Ver: <SMD>-<3.0.1.3014>-<1.25.1015>-<13122>
X-TM-AS-Result: <No>-<0.460>-<7.0>-<99000>

There was an issue with the content filter in SMD3 that added whitespace in message bodies and subjects and that did break both x.509 and Notes signatures, but that bug has been fixed.

Chris Linfoot, 2004-12-15

What I don't get about these disclaimers: At the very end they tell me that it may be confidential and that I'm not allowed to read it ... by that time I've already read the mail. How else would I have ended up at the bottom? I usually start reading mails at the top, not at the bottom.

Armin Grewe, 2004-12-15

Hm, hit me if I'm too stupid, but wouldn't it make sense to publish your public key of the thawte certificate on vowe.net? I've looked for a directory on thawte.com, but couldn't find one.
From what I can tell, you could embed it in your VCard file, for example.
Any reasons why this would be a bad idea?

Ragnar Schierholz, 2004-12-15
