Send Actual SMTP

It’s rare I find mail that violates the SMTP spec (rfc5321 and rfc5322). I’ve even considered removing “send mail from a correctly configured mail server” from my standard Best Practices litany.

But today I got mail asking me to respond to a survey.

This whole email is a mess of problems, and it’s claiming to be from the California Secretary of State.  It’s also discussing the June Primary, which isn’t the election we just had. The from address doesn’t reassure me, they’re claiming to be: VotersChoice.SoS.Ca.Gov@mailservices6.com. The mail is being sent to the address I gave California when I registered as an overseas voter, but those lists are public.

In the course of trying to decide if this was real or was just some way to steal private information, I discovered this particular mail server isn’t actually sending real SMTP.

X-Amavis-Alert: BAD HEADER SECTION, Non-encoded non-ASCII data (and not UTF-8) (char 9C hex): Received: \x{9C}by v1.mailservi

Now, quite honestly, I suspect this is actually legitimate mail. A few google searches and I discover mailservices6.com belongs to California Survey Research Services, Inc. They manage data collection for a lot of different government agencies. Looking at information around them this is exactly the kind of vendor that I expect a government agency to use.

I have to wonder, though, how well their email surveys actually perform. They’re not sending actual SMTP. The non-ASCII character is in their own internal handoff to a server running an obsolete version of Sendmail. While our mail server is somewhat forgiving of non-SMTP mail not all mail servers are. Even if that isn’t enough to tank their delivery, there are multiple similar but not identical domain names in the body of the message. The link to ‘research.net’ doesn’t actually go to research.net, it points to yet another random domain name. Put all this together with the unsolicited nature of the email I’d be amazed if any of their mail was reaching the inbox at the consumer ISPs.

Looks like I’ll be keeping the “and make sure you send SMTP” in the list of recommendations, because there are still groups out there who are not sending valid SMTP. If my mail is to be believed, some of them are being paid by the state of California to do so.

Related Posts

10 things every mailer must do

A bit of a refresh of a post from 2011: Six best practices for every mailer. I still think best practices are primarily technical and that how senders present themselves to recipients is more about messaging and branding than best practices. These 6 best practices from 2011 are no longer best, these days, they’re the absolute minimum practices for senders.

If you can’t manage to do these, then find someone who can.

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More

Improving Outlook Email Display

Today Litmus announced they had partnered with Microsoft to fix many of the rendering issues with Outlook. Congrats, Litmus! This is awesome. I know a lot of folks have tried to get MS to the table to fix some of the problems with Outlook. Take a bow for getting this off the ground.
According to Litmus, the partnership has two parts.

Read More