Thoughts on filters

One of the questions we received during the EEC16 closing keynote panel was why isn’t there a single blocklist that everyone uses and why don’t ISPs share data more. It would be so much easier for senders if every ISP handled mail the same as every other. But the world isn’t that simple, and it’s not always clear which mail stream is spam and which is good mail.

12495088_10154028658527410_7653293570464523506_n

There were quite a few answers but they basically boiled down to a few facts.

  • Different blocklists have different data strengths and weaknesses.
  • No blocklist has all a full view of all the bad mail.
  • You may want to have different polices for delisting depending on what kind of mail the blocklist is targeting. For instance, Spamhaus has different polices for different lists: CBL has self serve delisting, SBL requires email, ROSKO requires no traceable spam for 6 months.

The short reason was we use different lists and techniques because it makes the spam filtering better.

When I got home from the conference, I saw In-depth analysis of the lessons we learned while protecting Gmail users post. Among other things, it answered the “why not one blocklist” question. Even more, I think it did a really good job of talking about what email looks like from the receiving end.

Any defense can be defeated – Use defense in depth with multiple layers of protection.
Since no combination of detection systems at a given layer is perfect, there is a need to add multiple layers of defense to make it even harder for attackers.

One thing I’ve been trying to get across to marketers is that email is an a very malicious channel. Many of the bad mails out there, the ones the filters are aiming for, are dangerous and malicious. Those attackers spend a lot of time trying to figure out how to get past the defenses.

Make it hard for attackers to understand your defenses – Use overwhelming force and deploy many countermeasures at once.

It is very important to make probing more difficult for attackers by rolling out multiple changes. That way they are overwhelmed by the number of things to test and can’t easily figure out what changed.

This is why it’s so hard to test “what Gmail changed.” They are going out of their way to release multiple things at once. It’s also why it’s not really useful to test. It’s more useful to look at your mailing practices and see where they might be borderline and driving your reputation down.

The whole article is well worth a read. It gives a good overview of what Gmail is doing and how they think about email, filtering and dangers. It also gives examples of the different challenges they deal with on a regular basis.

Overall, it’s important to realize that filters are an important part of the email ecosystem. They are a big part of why it’s a viable marketing channel. Think of it this way, an unweeded garden is not as productive as a weeded garden. Weeds take nutrients away from the plants and stunt their growth. They also make it harder to find the actual produce at harvest time. Filters are the herbicides and weeding that keep gardens healthy and productive. Without them, no one could effectively use or trust email.

Dueling data
Ask Laura: Can you help me understand no auth / no entry?

Related Posts

Security vendors and trust.

A big part of my predictions for 2016, that I’ll publish shortly, is that security is going to be a huge issue. I think we’re really going to see receivers expecting senders to have their houses in order when it comes to sending mail.
Of course, some filter companies need to get their houses in order to. Yesterday, a security researcher went public with problems in the TrendMicro anti-virus appliance. These vulnerabilities would let any email sender remotely execute code on the recipients machine with no interaction of the user. They also exposed all the passwords on the machine to the outside world.
Even worse, Trend doesn’t seem to understand the urgency to fix this. They have started releasing patches for the exploits, but there are significant problems with the patched versions as well.
If you’re a Trend user, you may want to consider other vendors for desktop security. I know that no security is perfect and that other vendors have problems, too. But shipping a password manager that exposes all passwords is just incompetence. It seems like a corporate lack of understanding of what their business is and how to actually create security software.
Even worse is that lack of urgency from the Trend folks as the security researchers are explaining the problem. I don’t care if the person receiving the report was the janitor, anything that says security exploit should be escalated to someone who can determine if the report is valid.
Compare Trend’s reaction to this to Juniper’s reaction to discovering a backdoor in their code in December. First off, Juniper found the exploit during a routine code review. That alone tells you Juiper is continually monitoring their code security. Second, Juniper was reasonably open about the issue, with executives posting blogs and security posting advisories talking about the issue. More importantly, they shared how they were going to fix it and prevent it from happening again.
Security is such a large issue right now. We have to be able to trust our vendors to do what they’re selling us. Every vendor is going to make mistakes and have vulnerabilities. No code and no developer is perfect. I do expect, though, that vendors will take exploits seriously and act fast in order to correct the problem. I’m not seeing that sense of urgency with Trend.
 

Read More

Random thoughts on reporting abuse

stop_atOn IRC today, someone mentioned an Ars Technica article discussing how a research team tried to contact Xfinity about a security flaw in their home security system.

Read More

Thoughts from #EEC16

EEC16 was my first Email Experience conference. I was very impressed. Dennis, Len, and Ryan put together a great program. I made it to two of the keynotes and both took me out of an email focused place to look at the bigger picture.
speakingIconForBlog
Patrick Scissons discussed his experiences creating marketing and advertising campaigns for good and to share messages. Some of the campaigns were ones I’d seen as a consumer, or on the news. One of the campaigns he talked about specifically was for the group Moms Demand Action, looking at sensible gun control in the US. The images and symbology used in those campaigns were striking and very effective.
Kelly McEvers talked about her experiences as a correspondent in the middle east during the Arab Spring. She is an engaging speaker, as one who does radio should be. Her overall message and theme was that sometimes events are such that you need to throw the list away and go with it. As someone who lives by “the list” and tries to make sure I’m prepared for every eventuality I found that a very useful message. Particularly when throwing away “the list” turned into some massively successful stories.
In terms of sessions, I found the email content session fascinating. I blogged about content in email last week and did some live tweeting, too. What really hit me after that session was that good marketing drives deliverability. Everything that Carey Kegel was talking about in terms of better marketing, sounded like things I recommend to clients to drive deliverability.
Back in 2012 I was writing posts about how delivery and marketing were somewhat at odds with each other. The premise was that marketing was about creating mindshare, and repeating a message so often a recipient couldn’t forget it. In email, repetition can cause recipient fatigue and drive delivery problems. But what I’m hearing now, from the leading minds of email marketers, is that email marketing works better if you send relevant and useful information to consumers. Recipients are key and you can’t just keep hammering them, you have to provide them with some value.
It seems marketing has finally come around to the delivery point of view.
 
 

Read More