On the Soapbox

This is a follow-up to this post...

Got an e-mail today about my Northwest Airlines miles. The problem? The e-mail came from worldperks.miles@mpmvp.com. WTF is the mpmvp.com domain name?! I visit the domain in the browser, and I get a SSL certificate warning because the certificate was signed for nwa.mpmvp.com and not for mpmvp.com or www.mpmvp.com (the correct solution would have been to redirect mpmvp.com and www.mpmvp.com to nwa.mpmvp.com; this is the first sign that the IT "professionals" who set this up are utterly incompetent). The site looks just like the NWA website. Okay, I understand that these companies like NWA often enter into various affiliate programs with places like points.com and it may be temping to set up the joint website on a separate domain to avoid the hassles of dealing with the NWA DNS hostmaster. But this is BS because it is trivially easy to set up a points.nwa.com zone and then delegate it (NS records) in DNS to the people at points.com so that it can be administered entirely independently of NWA's DNS. It is these utterly incompetent and appallingly stupid setups that make user education about security that much harder. Oh, and there was no SPF record either. Where do they find these idiots?!