BLOG

Industry News & Analysis

Use all the channels

One of the hardest deliverability situations to address is when all mail from a certain sender is going to the bulk folder. I’ve had numerous clients come to me to address this situation over the years. Ideally, clients come to me before all their mail is going to bulk. Then we can make some tweaks and changes to their mail program, repair the reputation and then recover other addresses. We have knobs we can twist to fix things if some people are still getting messages in their inbox. We have data to measure.

When all mail is going to bulk, though, we lose access to the knobs and the data. There are zero complaints if mail is going to bulk. There are no opens or clicks, because many ISPs disable images and links in the bulk folder. Our normal “fixing reputation” tools are taken away from us.

Senders with all their mail going to bulk are faced with a profound challenge. How can they engage customers who are unengaged and who are not seeing mail at all? How can we fix deliverability when our normal tools and metrics are unavailable?

If we can get even a small percentage of recipients to go pull mail out of bulk or spam and move it to their inbox, then we’re well on our way to repairing reputation. But how can we get them to go look for the mail in the bulk folder. Recent Litmus research suggests that a significant percentage of folks regularly check their spam folder, but this isn’t always enough to repair reputation,

The question becomes how can the senders encourage recipients to go digging through their spam folder. 
This is the point where I start quizzing clients on what other channels they use to communicate with their customers. I’ll run through the whole list: social media, snail mail, push notices through apps, SMS, website popups, Facebook ads. I work with them to identify users who are engaged with their brand and brainstorm ways to get those users to look for mail.

I’m always pleased to see large brands using these strategies. Just recently Blizzard used twitter to communicate with their users about email problems. They tweeted.

BlizzardTweet

The link takes you to the Blizzard support site. Where they give specific instructions on how to whitelist mail and what mail to whitelist.

We regularly send emails from @blizzard.com@email.blizzard.com@em.blizzard.com, and @battle.net. It’s important that you have your email filters set up correctly for those domains so our messages aren’t sent to your spam or junk box.

For instructions to set up your filters, choose your email provider below. If your provider isn’t listed, check with them directly for assistance.

Using alternate channels to get people to engage with mail is a workable solution to delivery problems. Even big brands with engaged user bases have to do it occasionally. Don’t let embarrassment stop you from addressing this problem.

No Comments

One way to deal with B2B spam

We’ve been talking a lot about B2B spam recently. I’ve posted repeatedly, Steve wrote a post about it yesterday. It’s in the forefront of our minds because we’re dealing with just so much of it. Multiple emails a day asking for “just 10 minutes of your time.” Of course, the 10 minutes isn’t really just 10 minutes. Sure, the call might be 10 minutes, but there’s overhead to that call that will probably eat 20 – 30 minutes of time. That’s at best.

Because they’re using providers who don’t notice or don’t care about the spam, there’s little to be done. No one is going to stop them from mailing me. They are required to comply with the law, but 99% of the mail doesn’t. Which gave me an idea.

I’ve started replying to every incident of “just 10 minutes of your time” with a pleasant email thanking them for their interest in our CAN SPAM verification program. I point out that I have noticed at least one violation and we’re happy to consult with them on how to fix it for a fee.

Wait? You mean they’re not interrupting my time simply to receive a sales pitch? Well. Gee. I’m just replying to them.

It seems petty, but we’re less than 2 weeks into 2017 and I already have over a dozen of these “one time” emails. If history tells me anything, these same people will follow up in a week, and then 2 weeks, and then a month. Meanwhile, new people are going to be sending me a request for 10 minutes of my time, and their followups and in a month I’ll be getting a dozen emails a week. In two months I’ll be getting 2 dozen. In 3 months it will be 4 dozen.

And, yeah, most of these messages do violate CAN SPAM. Most of them by not including an unsubscribe links, which makes getting the mail to stop a challenge. There’s no way to unsubscribe, so it’s either answer it or just keep getting contacted. I wrote last year about the woman who continued to email me for months. She even announced she was going to call 911 because clearly I was injured and unable to answer her mail.  Multiple times she promised to stop mailing me, but never did.

I do feel bad for many of these senders. They’ve been sold on a prospecting tool by vendors who fail to provide them with a minimal level of guidance. Even just mentioning that there are laws regulating email, and they should comply with them would be better than nothing.

In many ways I find this kind of spam more annoying than the viagra or the malware that ends up in my mailbox. Those can be selected and deleted pretty easily. These, however, have subject lines that look just like my legitimate business mail. I have to read them and figure stuff out. It’s a total PITA.

EDIT: And it’s not even effective according to some experts.

1 Comment

Google and Amazon and B2B spam

Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.

Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.

They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.

Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.

Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows mail from new network space is treated with suspicion, and as they’re continually moving their mail won’t reach the inbox much.

Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.

What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…

As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them,  flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.

If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.

Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.

They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.

Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.

And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.

I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.

Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …

Received: from nordvpnmedia.com (ec2-23-22-26-38.compute-1.amazonaws.com. [23.22.26.38]) by smtp.gmail.com

… at least now you know something about where it came from.

No Comments

Asking for help with a blocklist

There are often questions arising about how to go about getting off a particular blocklist. A few years ago I led the MAAWG effort to document what to if if you were On a Blocklist (pdf link). That document was aimed primarily at MAAWG members and deliverability experts with working knowledge of blocklists. I think, even now, it’s a good background on how to deal with a listing and mail being blocked.

stop_at

There have been discussions on multiple mailing lists over the last week or so about how to deal with listings at different blocklists. Many folks on these lists have extensive experience, so these are good places to ask. With that being said, a lot of the requests lack sufficient details to help.

So, if you’re ever on a blocklist and want some help from a mailing list about the problem, here’s a short guide for how to ask for help.

DO:

  • Keep the request short and concise. We don’t need 14 paragraphs about a business or how long a poster has been doing mail. Focus instead on details that people are going to need to answer the question.
  • Tell them which blocklist. “Listed by Spamhaus” isn’t a useful statement. Spamhaus runs almost half a dozen lists, all with different listing criteria. “A domain blocklist” isn’t helpful, there are dozens of lists, all with different criteria. Getting delisted on the DBL is different from getting delisted by URIBL. State the specific list involved.
  • Include the IP address. Most people people try and hide their IP address, limiting the amount of help anyone, including the blocklist folks, can give. Those folks who finally admit the IP often find very helpful answers from list members. On some lists, folks run spamtraps and are happy to share data from those feeds, even if they’re not involved in the listings.
  • Include full bounce messages, if you have them.  The messages sent during a rejected SMTP transaction are full of information about why a message was rejected. “Blocked with 554 at AOL” doesn’t tell anyone that much. “Blocked with 554 RLY:B1” at AOL tells us a lot more. Including the full message will save a lot of time in tracking down the information.
  • Include how long this has been going on. A listing that’s been up for a few weeks is different than a listing that’s been up for months. Likewise, if the listing goes away and comes back, say that.
  • Include what you’ve done to resolve it. Stating the steps already means new ideas, not the stuff already tried.

DON’T:

  • Challenge the legality of blocklists. IP based blocking using public sources of data is 2 decades old at this point. They are a part of the email ecosystem. What few cases have been brought against blocklists have reinforced their legality.
  • Get personal. This isn’t about a particular individual. All the lists used by the large mail providers are run by teams. Sometimes they are small teams, but they are teams.
  • Argue the mail isn’t spam. It may or may not be, but these arguments can go on and on and only delay actual help in the delisting process. Also, some blocklists don’t list for spam, so the argument becomes even more pointless.

If a blocklist is in wide enough use that a listing is causing delivery problems, there are a couple things this says about the list.

  1. It blocks enough bad mail to be useful
  2. It doesn’t block much good mail.
  3. The policies for listing and delisting are supported by the receivers using the list.
  4. True listing errors are corrected quickly.

There are, maybe, a dozen lists that are used widely enough to significantly affect delivery of email. There are hundreds of other lists that are less widely used. I tell clients to not worry about being on a list unless it’s actively causing delivery problems. Yes, I use some of the online tools that check hundreds of lists. But just being listed doesn’t mean there’s a problem. Likewise, folks who are on no blocklist can still have delivery problems at major providers across the net.

 


Word to the Wise provides delisting assistance as part of our consulting program. If you’re having problems with a blocklist and need advice, feel free to contact us

No Comments

If I can’t tell, it’s spam

Judging by the amount of B2B spams I’ve gotten this past week, a number of businesses got bright, shiny new email programs for Christmas. “Like to set up a call with you…” “Just need 10 minutes of your time to explore…” “Love to jump on a call and tell you about our product…”

That’s just the mail that comes into my personal address. There’s also a raft of mail coming into our contact address. The majority of those are trying to sell me FB or Twitter followers, although Instagram is rising in the ranks. Some of those messages are kinda funny, though. They try so hard to pretend there’s a real person who really did look at our website and who really has a comment.

Most of the time it’s pretty obvious that it’s not from a human. But every once in a while a message comes in that might be from a real person. I’ve finally decided that if I have any question if a message was written by a human or a bot, it will be treated as written by a bot.

Unfair? Maybe. But I’m a small business owner and a consultant; I don’t have tons of spare time to sit around letting folks pitch me on their business. I don’t think I’m actually that unusual when it comes to entrepreneurs. We’re busy, we don’t like distractions and we go out and search for the things we actually do need.

1 Comment

Sharing access to Google Postmaster Tools

As a delivery consultant, I always ask clients to share their Google postmaster reports with me. As Gmail is one of the bigger delivery challenges for a lot of senders, having access to the postmaster tools helps tease out issues. I had some issues earlier this week getting access to tools and so brought up a conversation on one of the delivery lists. The nice folks there helped me get it solved.

A few hours later someone asked me how do I get access and I thought that was a brilliant idea for a blog post today.

Site owner grants access.

The owner of the postmaster tools account goes to http://postmaster.google.com and hovers over the domain to share. A context menu pops up.

PostmasterTools1

Click on the “Manage Users” link.

PostmasterTools2

Adding a user is as simple as clicking on the big red button and typing in the users email address. This address must be either a gmail.com address or a domain hosted at Google apps.

Once that’s done, tell the user they have permission to access the document.

User adds domain to their dashboard.

Before the data is visible, the user must add the domain to their dashboard. Again, click the big red button in the bottom corner.

A dialog box pops up asking for the domain used to authenticate your email.

PostmasterTools3

Type in the domain name. It should now appear in their dashboard.

Things to remember.

Only gmail.com or google apps hosted email addresses can be used for the Postmaster tools. Those of us using our own domains on different hosting must create a gmail.com address in order to see Postmaster tools.

Postmaster tools only provide data after a threshold volume is reached. We have no data for wordtothewise.com, for instance, because we simply don’t send enough mail.

Happy Investigating!

No Comments

December 2016: The Month in Email

Happy New Year! We’re looking forward to some interesting new projects this year, both for our clients and for Word to the Wise. Stay tuned!

December was a slow month for blogging, with everything going on. But we’re back on the horse now and ready to blog for 2017.
WalesCaernarfonCastle

List and subscription management continue to be hot topics, especially in the wake of the listbombing attacks earlier this year. Earlier this month, I presented a webinar on listbombing for the EEC and DMA to review the attacks and discuss best practices for companies to manage subscriptions. For Ask Laura, I wrote about the unsubscribe process and how senders can best manage those requests to keep their lists current and compliant.

With all the holiday mail flying around, Steve wrote up a good post about the challenges of DNS hosting and issues customers may have reaching your site. He also wrote about canonicalization, a process for comparing things to see if they are the same, which is useful for understanding how messages change during the delivery process. It’s important to understand how this works with DKIM, as that process specifically looks at changes to messages in delivery to validate them.

I wrote a post about how delivery at Gmail is a bit different from other mail providers, which can lead to intermittent delivery problems, and got some useful information in the comments about some upcoming process changes. And as always, unwanted email is SPAM. It doesn’t matter if you call it outreach or prospecting, or “here’s something you might find interesting!” Still SPAM.

No Comments

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.

DataSecurity_Illustration

That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.

The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.

We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?

It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.

Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.

Security is more important than ever and we all need to protect ourselves.

No Comments

It’s that time of year

I’m winding down blogging through the next week or so. I have a lot to say and blog about in the coming year, but I don’t think I’m alone in saying good bye and good riddance to 2016.

Happy Holidays to everyone, whatever events you may celebrate. I have to admit, it doesn’t feel very holiday around here. Part of that is we cut the cord a few months ago and we’ve not been subjected to the unending stream of Nutcracker music during commercials.  We’ve also not been volunteering as stage crew for the local ballet school’s Nutcracker performance. There’s a definite dearth of Nutcracker music, which makes it seem less like the holiday season.

We did get our tree up this past weekend. I’ve got to admit, I’m really impressed the camera in my iPhone 7. It makes our tree look very festive (with a little help from Luminar)

IMG_6784

Happy Holidays and a bright, shiny new year.

1 Comment
  • AOL FBL change

    Reminder for folks, AOL is changing their FBL from address starting on Jan 17th. AOLlogoForBlogThe (in)famous scomp@aol.net is going away to be replaced by fbl-no-reply @ postmaster.aol.com. These messages will be signed with the d= mx.postmaster.aol.com. Time to update your scripts!No Comments


  • Vague reports of Yahoo problems

    A number of people, on different forums, have been asking if anyone is seeing a higher bounce rate than usual with Yahoo. Not sure exactly what's going on here. As I understand it, folks are talking with Yahoo about it. If I hear anything more, I'll share. For now, though, if you're seeing a small increase in Yahoo bounces (or other weirdnesses) others are seeing something odd, too.No Comments


  • Responsive design just got easier at Gmail

    Today Gmail announced they are supporting media queries in Gmail and Google Inbox. This should simplify the creation of emails for multiple platforms. The full list of supported rules can be found on the Google Developer Site.No Comments


Archives