Looking forward

The nice folks over at Sparkpost asked me and other email experts for some thoughts on what we think the most important issues in email will be in 2016.
I do think security is going to be a major, major change in delivery. From what I’ve seen there’s been a shift in the mindset of a lot of people. Previously a lot of folks in the email space were very accommodating to old systems and unauthenticated mail and were not quite ready to cut off senders that didn’t meet modern standards.
There were a lot of people who didn’t want to take any action that would break email. There are still a lot of people who think that breaking email is a bad thing and changes should be backwards compatible.
Then people started realizing not every change had to be backwards compatible.
 
There are a few reasons I think this attitude shift happened.

Email is a malicious channel.

I’ve mentioned this before, but email is an incredibly malicious channel and much of the email traffic out there is actively trying to hurt or steal from people. People have been fighting this malicious traffic for almost 2 decades. Some of the same folks who were doing this when I first started are still doing this. What they’ve done so far has mitigated many of the damages, but the problem isn’t under control. Now we’re looking at more than just a few tens of dollars paid to a spammer, but tens of thousands of dollars wired from businesses.
Internet crime is not “virtual” any longer. It’s real and it’s toxic.

The rise of Social Media.

Even a decade ago email lists were the way to chat with friends. Yes, there were some web based forums, but a lot of how we interacted with each other online was through email. Now, we have social media to communicate with folks. And it gives us a lot more flexibility. One of the things that seemed to happen on mailing lists, particularly large ones, is off topic posts and side conversations. People split off private lists as friendships (and even cliques) developed. This is so much easier with social media!
Social media has created an environment where email is not the only way to communicate and is often not the best way to communicate.

Yahoo broke email, and we all survived.

Then, 18 months ago, Yahoo flipped the p=reject switch for the yahoo.com domain. That did break email. A lot of people ended up scrambling very, very hard and fast to cope with how much this broke email. Even now, the problems created by Yahoo (and then AOL and soon Gmail) requiring all mail using their domains to come from their servers are not yet completely mitigated. But workarounds and fixes are being implemented.
I think this convinced a lot of people that “breaking email” wasn’t necessarily a bad thing. Three or so years ago, I made the statement I didn’t see the webmail providers implementing p=reject, because I really didn’t. It would force users to change how they use email. But, they did and we could force a higher level of security, and even if it did break email the problems would be addressed and people would adapt.

IPv6 will change everything.

Even though most mail isn’t currently using IPv6 people are planning for it. They also realized they didn’t have to account for old, legacy systems that weren’t updated. Delivery standards could be set, like having rDNS or requiring authentication, and senders would have to cope. And people coped.
All in all, email security is going to be A Big Deal in 2016 and beyond.

Related Posts

Social media the Home Depot way

I’ve been following Richard the Cat on Twitter for a while. It’s the story of a family and their trials and tribulations with their yard as told by their cat.
The Twitter feed (and Richard’s Tumblr) are a product of the Home Depot marketing department. And it’s great. Richard has awesome comments on his humans and their struggle to create a happy yard. The tweets are low key and not overly Home Depot branded, but every Richard tweet I see, I think about the yard and things we might need from Home Depot.
And, of course, who on the internet doesn’t love a cat meme?
To my mind this is one of the better examples of brand social media. There is a theme. The tweets and Tumblr do remind followers of the brand – Richard is an orange cat after all. The process is participatory: followers can upload cat photos on the Tumblr and tweet with Richard on Twitter.
Social media is social; a two way street. A lot of brands fail with the social part in that they treat it as a one way street. Home Depot doesn’t do that with Richard.


Strangers, connections and social media

One of the major challenges of social media is letting people connect with folks they don’t know while preventing abuse. Most of the major social networks are trying.
Let’s look at LinkedIn and the tools they give users to stop abuse. Overall, they are pretty good about stopping their platform from being abused, but don’t have many processes to stop folks from harvesting connection addresses off LinkedIn and then adding those addresses to marketing lists. Does it happen frequently? No. But it does happen.
I have a pretty liberal “accept an invite” policy on LinkedIn. If people want to connect with me there and they have real profiles and they’re in a relevant space, I generally accept their invites. This means there are times when I connect with people I don’t know. I’m OK with this; LinkedIn is a great way to meet and interact with colleagues. It also means that sometimes people connect with me, take my information and add it to their marketing lists.
This morning I got an invite from Greg Williams. The name and profile looked like one I’d seen before, so I dug through my mail to see why this raised my hackles. I figured it out. Greg is president of some Tucson area scholarship fund. A year or so ago he decided to ask all his LinkedIn connections to donate thousands of dollars to his non-profit. I decided this was not a connection I really needed on LinkedIn and removed him.
I don’t really have a connection with Mr. Williams. We didn’t go to the same schools, we don’t work in similar fields. LinkedIn tells me that we have two connections in common. I know nothing about him except that the last time I connected with him on LinkedIn he decided to take this as an invitation to spam me with money requests for his foundation. A foundation he didn’t really tell me anything other than “we give money for scholarships.”
Even more crazy is that Mr. Williams sent me an invite that says “I trust you and I’d like you to be part of my LinkedIn network.” I’m not sure who you are or who you think I am, but I don’t think you know me well enough to trust me.
I’m not against reconnecting with Mr. Williams again, but I want to be sure he understands that just because we connect on LinkedIn doesn’t mean I want to be added to his begging list. I looked for a way through LinkedIn to send Mr. Williams a response. But I can’t. My two choices are to ignore him or report spam. I think I’ll ignore him, for now.
One thing LinkedIn does to stop this problem is get feedback from users. When I click Ignore on the invite I get the opportunity to tell LinkedIn “I don’t know this person.” Hopefully, telling them I don’t know this person will stop future invites.
Social networks are a great thing and allow people to connect and create communities and interact with one another. Stopping users from abusing other members of the network is an important part of that community building framework.
 


Compromises and phishing and email

Earlier this month, Sendgrid reported that a customer account was compromised and used for phishing. At the time Sendgrid thought that it was only a single compromise. However, they did undertake a full investigation to make sure that their systems were secure.
Today they released more information about the compromise. It wasn’t simply a customer account; a Sendgrid employee’s credentials were hacked. These credentials allowed the criminals to access customer data and mailing lists. Sendgrid has a blog post listing things customers should do and describing the changes they’re making to their systems.
Last month it was Mandrill. Today it’s Sendgrid. It could be anyone tomorrow.
Security is hard, there’s no question about it. Users have to have access. Data has to be transferred. Every user, every API, every open port is a way for a bad actor to attempt access.
While it wasn’t said directly in the Sendgrid post, it’s highly likely that the employee compromise was through email. Most compromises go back to a phish or virus email that lets the attacker access the recipient’s computer. Users must be ever vigilant.
We, the email industry, haven’t made it easy for users to be vigilant. Just this weekend my best friend contacted me asking if the email she received from her bank was a phishing email. She’s smart and she’s vigilant, and she still called the number in the email and started the process without verifying that it was really from the bank. She hung up in the transaction and then contacted me to verify the email.
She sent me headers, and there was a valid DMARC record. But, before I could tell her it wasn’t a phishing email, I had to go check the whois record for the domain in question to make sure it was the bank. It could have been a DMARC authenticated email, but not from the bank. The whois records did check out, and the mail got the all clear.
There’s no way normal people can do all this checking on every email. I can’t do it, I rely on my tagged addresses to verify the mail is legitimate. If the mail comes into an address I didn’t give the sender, then it’s not legitimate – no matter what DMARC or any other type of authentication tells me. But most people don’t have access to tagged or disposable addresses.
I don’t know what the answers are. We really can’t expect people to always be vigilant and not fall for phishing. We’re just not all present and vigilant every minute of every day.
For all of you who are going to tell me that every domain should just publish a p=reject statement, I’ll point out DMARC doesn’t solve the phishing problem. As many of us predicted, phishers just move to cousin and look-alike domains. DMARC may protect citi.com, but citimarketingemail.com or citi.phisher.com isn’t protected.
We’ve got to do better, though. We’ve got to protect our own data and our customers’ data better. Email is the gateway and that means that ESPs, with their good reputations and authentication, are prime targets for criminals.
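The distinction drawn above between "DMARC passed" and "DMARC passed for the domain I expected", as an added example that is not part of the original post. The header values, the `mx.example.net` host and the `classify` helper are constructed for illustration; citi.com and the two cousin domains are the ones named in the text.

```python
import re

# Constructed Authentication-Results values (RFC 8601 style); mx.example.net is a placeholder.
SAMPLES = {
    "bank": "mx.example.net; dkim=pass header.d=citi.com; "
            "dmarc=pass (p=reject) header.from=citi.com",
    "subdomain": "mx.example.net; dmarc=pass header.from=alerts.citi.com",
    "cousin": "mx.example.net; dkim=pass header.d=citimarketingemail.com; "
              "dmarc=pass (p=reject) header.from=citimarketingemail.com",
    "nested": "mx.example.net; dmarc=pass header.from=citi.phisher.com",
    "spoof": "mx.example.net; spf=fail; dmarc=fail (p=reject) header.from=citi.com",
}

def dmarc_verdict(auth_results):
    """Return (dmarc result, header.from domain) from one header value."""
    res = re.search(r"\bdmarc=([a-z]+)", auth_results, re.I)
    dom = re.search(r"\bheader\.from=([a-z0-9.-]+)", auth_results, re.I)
    return (res.group(1).lower() if res else "none",
            dom.group(1).lower().rstrip(".") if dom else None)

def classify(auth_results, expected_domain, brand):
    """Separate 'authenticated' from 'authenticated as the domain I expected'."""
    result, from_domain = dmarc_verdict(auth_results)
    if result != "pass" or from_domain is None:
        return "not-authenticated"
    if from_domain == expected_domain or from_domain.endswith("." + expected_domain):
        return "authenticated-expected-domain"
    if brand in from_domain:
        # DMARC passed, but for a different domain that carries the brand name:
        # ownership has to be checked some other way (the post used whois).
        return "authenticated-lookalike-check-ownership"
    return "authenticated-other-domain"

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10} {classify(value, 'citi.com', 'citi')}")
```

Only an Authentication-Results header added by your own receiving server carries weight; a copy that arrived with the message can be forged.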
