Blocked for phishing

A couple clients recently have had bounces from different places indicating that their mails were caught by the recipients’ anti-virus filter. These are some of my better clients sending out daily newsletters. They’ve been mailing for years and I know that they are not phishing. They asked me to investigate the bounce messages.
The information I had to work with was minimal. One bounce said:

The AntiVirus server has detected the Phishing.Heuristics.Email.SpoofedDomain virus in an email sent to you, allegedly sent by bounces*@customer.example.com. This email address may, or may not, be the originating source, as some viruses can hijack address books and in turn, send email with any of those addresses. Please take note that this virus has been destroyed and this email is a notification of virus activity and is itself virus free.

The other bounce said:

The message senders were
bounce*@bounce.example.com
Today@example.com.com

and they have been notified that they have sent a potential virus.
The message title was Customer: Subject line from email. The message date was Tue, 23 Jun 2009 12:16:13 – The virus or unauthorized code identified in the email is >>> Possible MalWare ‘Exploit/Phishing-amazon-04ee’ found in ‘5832897_2X_PM2_EMQ_MH__message.htm’. Heuristics score: 202
The real clue came when I looked at the emails that triggered the bounce. In both cases, my clients were linking to Amazon.com with a re-director link. There are many filters out there that look at the visible text of a link and compare it with the link target. If the link points to one domain like a re-director but the visible text points to another, this may trigger some spam or virus filters to intercept the email.
My experience suggests this happens more often when the domain used in the visible text is one of those domains that are heavily phished: amazon.com, ebay.com, bank websites, etc. The solution is to not include a domain name in the visible text portion of a link. Instead of “Go buy the DVDs at <a href=”http://www.example.com/linkdomain/”>Amazon.com</a>,” change the link to “Go <a href=”http://www.example.com/linkdomain/”>buy the DVDs</a> at Amazon.com.”  Same content, same call to action, but no chance of the email getting caught in a phish filter.

Related Posts

Yahoo fixed erroneous rejection problem

Yahoo announced over the weekend that they fixed their rejection problem. It may take some time to filter out to all their MTAs, but they do believe the issue is resolved.

Read More

Reputation

Reputation is the buzzword in delivery these days. Everyone talks about building a good reputation and how to do it. Makes sense, the ISPs are always hammering on reputation and how critical reputation is. The more I talk with delivery folks on the ESP side of thing, the move I realize that there is a fundamental disconnect between what the ESPs mean when they say reputation and what the ISPs mean when they say reputation.
Many people handling delivery think that the bulk of reputation is wrapped up in complaint rates and bounce rates. I think they know the ISPs measure more than just complaints and bounces (spamtraps!) but really believe that most of developing a good reputation is all about keeping those complaints low.
This perspective may have been true in the past, but is becoming less true as time goes on. There are a lot of very smart people managing incoming mail at the ISPs and they are constantly looking for ways to better meet the desires of their customers. Lest we forget, their customers are not the senders, their customers are the end users. Their customers are not senders.
Part of meeting the needs of end users means actually giving them a way to provide feedback. AOL started the trend with the this-is-spam button, and other ISPs (ones that controlled the user interface at least) followed suit. For a very long time, reputation was dominated by complaint percentages, with modifiers for number of spamtrap addresses and number of non-existent users.
The problem is, these numbers were easy to game. Spammers could modify their metrics such that their email would end up in the inbox. In response, the ISPs started measuring things other than complaints, bounces and spamtraps. These other measurements are strong modifiers to complaints, such that mailers with what used to be acceptable complaint rates are seeing their mail end up bulked or even rejected.
Recently, AOL seems to have made some subtle modifications to their reputation scores. The result is mailers who have previously acceptable complaint rates are seeing delivery problems. When asked, AOL is only saying that it is a reputation issue. Lots of senders are trying to figure out what it is that is more important than complaints.
Tomorrow, I will talk about what I think AOL could be measuring.

Read More

Links Post

Lifecycle Marketing on Bronto Blog. A good summary of issues in marketing to customers as they move through a relationship with recipients.
Blocked email: why me? on Cloudmark’s blog. A good introduction to blocking issues.
Tamara’s links for 4/16. She’s found a lot of good posts here, including multiple posts about unsubscribes and others on improving your email marketing program.
Speaking of unsubscribes, Loren McDonald discusses how the location of the unsubscribe link can affect reputation and email performance.

Read More