Surprising advice from OD

[aussiefrog]

After receiving 10 scam enquiries all in one go, I complained again to OD and received this reply. I’m surprised at the grammar they’ve used, also that they advise me to ‘continue with the normal booking procedure’ and only worry about things if the payment ‘clear’ or not.

Also wonder if, because my ads are on the ‘masked mailing service’, this is the reason my OD enquiries for November are 60% down on the month of November last year, and bookings down 80%.

Doesn’t give me much confidence.

“We are in a delicate situation in which it is difficult for us to determine whether every enquiry is a possible scam this is the reason why we suggest that you continue with your normal booking procedure and if the traveller makes payment and if the payment clear this will then help you assess if whether the traveller is a scammer or not.

HomeAway takes this matter very seriously, which is why we enquiry filter engine that filters out scam a long with a dedicated team trained to check held enquiries. Suspicious enquiries may come through despite our efforts in circumstances where the suspicious enquiries are sophisticated enough to go through and we profusely apologize.

The main prevention we have at this time for spam and suspicious enquiries is the Mask Mailing service we have recently introduced where we mask the email address of both the owner and the traveller but owner would still have the ability to access the travellers email address through their enquiry dashboard at any time. Our record shows that your advertisement is on the masked mailing service.

Please note that even you are using the mask mailing service at any given point you feel uneasy with continuing with their booking it is within your discretion to refuse their booking.

The spoof email address is for our IT security team which is an external team that specializes on "phishing" emails. The email address "spoof@homeaway.com" is an inbox built as an inbound only. If you are sending email enquiries that you feel are suspicious, then I am sorry to say that an acknowledgement or confirmation of receipt with not be returned. Please only send "phishing" emails to the spoof email address.

If you feel that enquiry suspicious, please use the support request form ( http://help.homeaway.co.uk/contact?#reasons ) and email us the email address so that we can block from the website.

Please do not hesitate to contact us, if you have any further queries. Thank you.”

[GRL]

That is an appallingly written response. What is "masked mailing service"? My enquiries/booking are down a similar amount but I put it down to the problems OD have been having and the press coverage about this.

[kevsboredagain]

That is an appallingly written response. What is "masked mailing service"? My enquiries/booking are down a similar amount but I put it down to the problems OD have been having and the press coverage about this.

It's the same as on HA and other sites, where you can go to your dashboard to respond to enquiry. This prevents the phishing attempt because the scammer cannot, at that point, send you a dodgy attachment.

All phishing attempts and scams should be reported to OD, as they say. If they have a decent team (some doubt here) then they would be able to immediately block certain email addresses or IP addresses. This would be to the benefit of most of their clients.

[FelicityA]

I am similarly appalled by their written English.

Rosie, the masked mailing service ( about which, has anybody been informed??) is that which Homeaway has introduced on some ( or perhaps all?) of their other sites. When you press reply through the dashboard or from your own inbox the email address of the recipient is shown as gobbledygook. Yours is also scrambled from the dashboard but would show 'true' if you email from your own box. You can still fish out the real address from the dashboard. I have to say that although it is an irritation to have to log in for this, I am sometimes quite glad not to be giving my email address to someone I am just not sure about (usually the ones I suspect of phishing). I am pretty sure the avalanche of 'here is your invoice' ones I am currently getting in my cottage spam box are the result of a bogus enquiry I didn't spot.
BUT, they should have told anyone they were masking ( is this a random experiment with just some people?).

[tavi]

Call me stupid but the last thing I want is HA or OD filtering my enquiries and deciding which emails are scam/phishing and which are not. In the same way as I don't want all my communications with my guests to be channelled through a dashboard in the guise of "added security". I can make my own decisions and take my own risks, my spyware tells me sometimes if it sees a "dodgy" email - but it allows me to check it out. I don't need no Nanny doing it for me

Agree with everyone - appalling English - how scary that these people are in charge of one of the most important listing sites in the English speaking world.

[kevsboredagain]

Call me stupid but the last thing I want is HA or OD filtering my enquiries and deciding which emails are scam/phishing and which are not. In the same way as I don't want all my communications with my guests to be channelled through a dashboard in the guise of "added security". I can make my own decisions and take my own risks, my spyware tells me sometimes if it sees a "dodgy" email - but it allows me to check it out. I don't need no Nanny doing it for me

So instead of say, 10 people verifying a scam and reporting it to OD, who then can block the email address or IP address, you would prefer that the scammer can send his phishing or scam attempts to 100s of people unlimited? Then people, who by their own admission, are unable to even verify if email addresses are fake or real, can post said scam in this section for the benefit of a few people on LMH or those that stubble here through Google?

I think blocking the problem at the source is the most efficient and will protect the largest number of people. ISPs and server owners already make a huge effort to keep you safe.

[tavi]

Call me stupid but the last thing I want is HA or OD filtering my enquiries and deciding which emails are scam/phishing and which are not. In the same way as I don't want all my communications with my guests to be channelled through a dashboard in the guise of "added security". I can make my own decisions and take my own risks, my spyware tells me sometimes if it sees a "dodgy" email - but it allows me to check it out. I don't need no Nanny doing it for me

So instead of say, 10 people verifying a scam and reporting it to OD, who then can block the email address or IP address, you would prefer that the scammer can send his phishing or scam attempts to 100s of people unlimited? Then people, who by their own admission, are unable to even verify if email addresses are fake or real, can post said scam in this section for the benefit of a few people on LMH or those that stubble here through Google?

I think blocking the problem at the source is the most efficient and will protect the largest number of people. ISPs and server owners already make a huge effort to keep you safe.

I agree with you blocking the problem at source would be ideal, but an organisation who allows emails to go out such as the one Aussie copied can hardly be trusted to successfully police my enquiries. They are a listing site and not an internet security service.

If 10 people verify a scam and report it to OD, or OD's own security systems have their suspicions, what I would expect them to do is to have something in their software which would allow them to flag it up as "possibly unsafe" but to still forward it to me.

What I don't want them to do is to take it upon themselves to wipe my enquiries.

They still haven't made all the fields in the enquiry form required information.

edited for typos.

[kevsboredagain]

I agree with you blocking the problem at source would be ideal, but an organisation who allows emails to go out such as the one Aussie copied can hardly be trusted to successfully police my enquiries. They are a listing site and not an internet security service.

If 10 people verify a scam and report it to OD, or OD's own security systems have their suspicions, what I would expect them to do is to have something in their software which would allow them to flag it up as "possibly unsafe" but to still forward it to me.

What I don't want them to do is to take it upon themselves to wipe my enquiries.

They still haven't made all the fields in the enquiry form required information.

edited for typos.

It's often the case that IT people, like myself, are terrible at English. Perhaps their IT manager wrote that response, which I agree is pretty bad.

A listing site has a huge advantage over you or I, in that they can easily detect the activities of a scammer as well as receive notification from a client database of 10,000s. We are merely 1 single target.

I don't think too many clients would be happy to receive confirmed phishing or scam attempts, even if marked as unsafe.

Am I alone in not wanting to receive enquiries which have come from confirmed malicious sources?

Making all the fields mandatory won't stop them, just slow them down a little. An English grammar catchpa might stop them though

[GRL]

An English grammar catchpa might stop them though

... and far too many genuine enquiries as well

[GRL]

Just sent myself a test enquiry and it's come through as normal so pesumably not all advertisers are on the masked mailing service. Somy enquiries and bookings are just down

[e-richard]

I'm afraid I disagree with Kevin.

As Tavi said:

What I don't want them to do is to take it upon themselves to wipe my enquiries.

And that is what will happen. We'll lose genuine enquiries.

We have all experienced emails from ourselves (genuine people) going into our guest's spam boxes because some IT geek somewhere has written a spam filter that is too stringent. I reckon to lose at least 30% of my replies per annum.

I do not trust any computer to spot scams nearly as well as a human.

I'd rather the effort went into education and information. If they use IT to gather data for information, then that is a good use of technology.

[kevsboredagain]

What I was talking about was not a software filter. If people report scams, then it has indeed been verified by a human - by several humans in fact. The listing site then has the power to see what other enquiries have been made from the same IP address or email address. Clients can be notified and that IP address or email address blocked.

Surely blocking more of these from the same source is worth it? At present the same scammer goes unstopped for days or weeks. The reputation of the listing sites is already rapidly declining because so many scammers are unstopped.

What is impossible to calculate, is how much trade we lose because of this decline in reputation and how much we would lose if they were more active in preventing it in the first place.

[e-richard]

What I was talking about was not a software filter.

I can't disagree with that part of it.

[kevsboredagain]

What I was talking about was not a software filter.

I can't disagree with that part of it.

But I agree with what you're saying. OD could not even introduce a new photo slideshow without displaying total incompetence, so they stand little chance fighting scams.

[tavi]

I do understand what you're saying Kev, and in an ideal world these low-life should be stopped in their tracks. But, as we know it's a terribly difficult thing to do even for the experts

The other day, my own email server (the National phone company) didn't notice a very obvious "here's your invoice" spam, while my computer's spyware on the desktop flagged it for me. I'd have spotted it a mile off myself.

I don't profess to know the answer to a problem like Aussie's but I don't think it's to get OD to block enquiries. Clearly in this case the Captcha is no deterrent and maybe there's other aspects of security in the enquiry form they could be tightening up.