The Email Innovations Summit in London was a good conference. Much smaller than Vegas, but with a number of very interesting talks. I got to meet a number of folks I’ve only known online and we had some interesting conversations at the conference and at the pub-track in the evenings.
I had so many grand plans for doing some work while in London. So many plans. And then I actually mostly disconnected and ignored anything I “should” be doing. Instead, Steve and I did some touristing, some relaxing, some family time and some connecting with his college friends. We also (over)heard a lot of conversations about the US Election. One night at dinner every table around us was talking about our candidates and what they thought of them. It’s always interesting to hear what non-Americans think about our country.
In addition to missing two debates, it seems we missed some online news, too. I think the biggest thing was another large DDoS attack against that took out many major websites. I’m starting to see some comments that spam levels were down during the attack, too, but haven’t dug into that yet.
I did have an article published in the Only Influencers newsletter last week: Marketers Can’t Learn from Spam. All too often marketers think spammers are better at inboxing because they see spam in their inbox. But spammers are just more criminal and spend a lot of effort trying to bypass filters. These aren’t lessons marketers can learn from.
Unfortunately, due to our London trip, we are going to miss M3AAWG in Paris, which starts today. Two weeks between conferences was exactly the wrong time for going to both. Never fear, many folks will be tweeting what they can using #m3aawg38.
We’re both slowly getting back into the swing (and timezone!) of back to work. Blogging will pick up over the next few days. And I have new castle pictures to share.
Al posted about this over on his blog earlier this week. Yahoo has disabled the ability to forward email from one Yahoo account to an email account on a different system.
There is, of course, all sorts of speculation as to why forwarding has been disabled including speculation this has to do with holding on to accounts during the Verizon purchase. It’s certainly possible this is the case.
However, forwarding email is hard. Forwarding email on a large scale can result in spam blocks and delivery problems. It’s such an issue M3AAWG published a forwarding best practices document. It’s possible that Yahoo is making some changes on the back end to better implement the best practice recommendations. I don’t know, but it’s possible that Yahoo is telling the truth that they’re improving technology.
I’m headed to London this weekend to speak at the Email Innovations summit next Thursday. It will be an updated version of “How to Talk Tech for Marketers” that I debuted in Vegas earlier this year.
Expect blogging to be light for the next 2 weeks while I’m gone. There are a few things I have to post, but I’m going to try and unplug for part of the time I’m out of town.
Happy October, everyone. As we prepare to head to London for the Email Innovations Summit, we’re taking a look back at our busy September. As always, we welcome your feedback, questions, and amusing anecdotes. Seriously, we could use some amusing anecdotes. Or cat pictures.
We continued to discuss the ongoing abuse and the larger issues raised by attacks across the larger internet infrastructure. It’s important to note that even when these attacks aren’t specifically targeting email senders, security issues affect all of us. It’s important for email marketers to understand that increased attacks do affect how customers view the email channel, and senders must take extra care to avoid the appearance of spam, phishing, or other fraudulent activity. I summarized some of the subscription form abuse issues that we’re seeing across the web, and noted responses from Spamhaus and others involved in fighting this abuse. We’re working closely with ESPs and policy groups to continue to document, analyze and strategize best practices to provide industry-wide responses to these attacks.
I was pleased to note that Google is stepping up with a new program, Project Shield, to help journalists and others who are being targeted by these attacks by providing hosting and DDoS protections.
I’m also delighted to see some significant improvements in email client interactions and user experiences. I wrote a bit about some of those here, and I added my thoughts to Al’s discussion of a new user interaction around unsubscribing in the iOS 10 mail client, and I’ll be curious to see how this plays out across other mail clients.
For our best practices coverage, Steve wrote about global suppression lists, and the ways these are used properly and improperly to prevent mail to certain addresses. I wrote about using the proper pathways and workflows to report abuse and get help with problems. I also wrote about the ways in which incentivizing address collection leads to fraud. This is something we really need to take seriously — the problem is more significant than some bad addresses cluttering up your lists. It contributes to the larger landscape of fraud and abuse online, and we need to figure out better ways to build sustainable email programs.
Is there such a thing as a perfect email? I revisited a post from 2011 and noted, as always, that a perfect email is less about technology and more about making sure that the communication is wanted and expected by the recipient. I know I sound like a broken record on this point (or whatever the 21st century equivalent metaphor of a broken record is….) but it’s something that bears repeating as marketers continue to evolve email programs.
We had a bit of a discussion about how senders try to negotiate anti-spam policies with their ESPs. Is this something you’ve experienced, either as a sender or an ESP?
In Ask Laura, I covered shared IP addresses and tagged email addresses, questions I get fairly frequently from marketers as they enhance their lists and manage their email infrastructures. As always, we welcome your questions on all things email delivery related.
Today it was revealed that Yahoo has been scanning people’s email for the federal government.
Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.
The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events. (Reuters)
This activity was, apparently, authorized by Yahoo CEO Marissa Mayer but not the former CSO Alex Stamos. Mr. Stamos left Yahoo in June 2015. He also publicly disagreed with the director of the NSA back in February 2015 about the NSA having access to encrypted data.
This is probably the part where I’m supposed to write something insightful, but honestly, I don’t have much. Like many people, I’m shocked and dismayed at Marissa Mayer’s decisions to allow this. I’m also somewhat heartened by the fact that, reportedly, Yahoo staff detected the malicious software within a few weeks of it being deployed. Apparently the deployed software was buggy and could have been compromised by third parties.
On the heels of a major compromise of email accounts by “unrelated 3rd parties” I have to wonder how much more bad news Yahoo can take. They’ve had their ups and downs, but most folks I know who worked there don’t any longer. It’s certainly not a place anyone I know considers when looking for new jobs.
In many ways it’s sad to watch one of the foundations of the internet flail and fail. It didn’t have to be this way, I’m sure.
What’s interesting is who has commented on this.
Verizon: nothing I can find. If you remember, Verizon announced a deal to buy Yahoo for 4.83 billion dollars this past summer. The deal was supposed to close in Q1 2017. Wonder if Verizon is questioning their purchase now?
Other companies have responded.
Google: We didn’t and wouldn’t do this.
Microsoft: We didn’t and wouldn’t do this.
Twitter: We didn’t and wouldn’t do this.
Facebook: We didn’t, wouldn’t and will fight any attempt at this.
We know Apple has fought this kind of request, publicly. Interesting to note in that article, Yahoo is not one of the technology companies listed as supporting Apple’s stance.
I’m sure this isn’t going away any time soon. The internet, privacy, free speech, access, harassment, abuse… these are all issues many folks have hand waved around for a long time. Now we’re really going to have to start addressing them, not just with technology but also with real, concrete actions.
An article popped up on LinkedIn about a recent 2nd court of appeals ruling that I thought was interesting.
Back in 2011, the FTC and the state of Connecticut filed suit against a company called LeanSpa and their affiliate marketer called LeadClick. LeanSpa sold various diet products through negative option marketing. LeadClick was the affiliate company they used to help drive traffic and customers to their websites.
LeadClick and their parent company were included in the suit because the FTC alleged that they were aware of and facilitated the false claims made by their affiliates. The case went to court and LeadClick lost. They appealed to the 2nd Circuit court. Last week the 2nd Circuit Court upheld the trial court’s finding of liability for LeadClick.
In its press release for the case, the FTC says:
the court ruled that LeadClick was responsible for the false claims made by affiliate marketers it recruited on behalf of LeanSpa, LLC, a company that sold acai berry and “colon cleanse” weight-loss products. According to the FTC’s complaint, LeanSpa used a “free trial” ploy to enroll consumers into its recurring purchase program that cost $79.99 a month and that was difficult to cancel.
LeadClick’s network lured consumers to LeanSpa’s online store through fake news websites designed to trick consumers into believing that independent news outlets and independent customers, rather than paid advertisers, had reviewed and endorsed LeanSpa’s products.
LeanSpa was owned by Boris Mizhen, and we briefly mentioned this lawsuit back when it was filed.
More legal problems for Boris. The FTC’s assertion was that the affiliates were “under the control or influence of” Boris. While it’s taken years, the FTC has prevailed.
A lot of email marketers use affiliates. In my experience a lot of email marketers use affiliates as a way to insulate themselves and their reputation from certain activities, including spamming. This ruling tells us that affiliates are not protection from fraudulent activity. Nor are affiliates protected from the fraudulent activities of their customers.
First of all, I’d like to thank you for the amazing blog. It helps me a lot and I have a lot of fun reading it.
Now I have a question about the Google alias addresses.
As you must know, Google offers alias addresses and you can put anything between the local part and @gmail.com with a “+” sign.
What do you think, how should online shops deal with such addresses for newsletters?
Should they be acceptable globally? Even “+trash”? Or is it better that we do not use them?
Thanks in advance and best wishes from Germany.
Trash the Tags
Thanks for your kind words and for being a loyal blog reader.
Tagged addresses are a subject near and dear to my heart. I’ve been using tagged addresses for almost 20 years now and I love how they help me manage my incoming email and my online identity. I have found so many advantages to using tagged addresses, I can’t imagine ever not using them.
- Tagged addresses let me filter mail effectively. In this case, they make sure I don’t lose mail I want. Every few weeks I go through my inbox and look at what tags are delivering there. I pull them out and update my filters so those messages will bypass SpamAssassin and my mail client filters and be delivered exactly where I want them to be. Newsletters go into one folder, marketing goes into another, social media notifications go into a third, different mailing lists go into their respective folders. I could not do this as effectively as I do without tags.
- Tagged addresses let me identify phishing. All of my online accounts have tagged addresses. If I get mail “from” that online service and it’s not to that tagged address I know it’s not legitimate and I should not give them any information or click any links.
- Tagged addresses let me keep an eye on spam. There are tagged addresses that I used and stopped using for various reasons. Some were scraped from websites, some were leaked by vendors, others were stolen from ESPs, the list goes on. If I get messages to certain groups of addresses I can monitor a small part of the spam ecosystem. I can see who is scraping the web, buying stolen lists, or other nefarious behavior.
To answer your question, I absolutely think that tagged addresses should be globally acceptable, even when they’re things like +trash. This goes back to senders respecting recipients and being aware that email is a very personal way of interacting with customers. You’re entering their home and their inbox, treat the space with respect.
When people hand over email addresses, the permission that they’re giving you is tied directly to that email address. Permission isn’t transitive. While it may sound appealing, stripping the tag is the same as creating a different address for that person. It’s not a good idea to assume you know better about that person than they do.
You can think about it as compared to phone numbers. I contact your sales team and ask some questions. I leave my work number for followup discussions. An aggressive sales person decides that he isn’t satisfied with talking to me during business hours. Instead, he goes out and discovers my home phone number. Now he starts calling me at home at dinner time to discuss his offer. Most folks would consider that extremely rude, right? Same thing with tagged addresses. I gave you this address to contact me, don’t make changes to it or attempt to contact me at another address.
The other thing to think about is that often folks who use tagged addresses are the most sensitive to spam. They’re reasonably technically savvy, enough to know tagged addresses are a thing and how to use them. If you strip the tag they are not going to treat it very well. I know for me, whenever I get a message to an untagged address I immediately view it as spam. If someone is mailing an untagged address they don’t have permission and they’re spamming. If I received mail at a provider with a “this is spam” button I would hit it. That dings the sender’s reputation and, if enough people do it, can affect inbox delivery.
Respect the tags,
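The phishing and leak checks from the list above, as an added example that is not part of the original post. The `ISSUED` mapping, the addresses and the sample messages are constructed for illustration, and addresses are compared lowercased, which is an assumption that holds for Gmail but not for every mail system.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed data: each tagged address and the one service it was given to.
ISSUED = {
    "me+bank@example.com": "bank.example",
    "me+shop@example.com": "shop.example",
}

def domain_of(addr):
    """Domain part of an address, lowercased ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def same_org(sender_domain, service_domain):
    """True for the service's domain itself or any subdomain of it."""
    return (sender_domain == service_domain
            or sender_domain.endswith("." + service_domain))

def recipients(msg):
    """Prefer Delivered-To (set by the receiving system) over To/Cc."""
    headers = msg.get_all("Delivered-To", [])
    if not headers:
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def classify(raw):
    """Compare who the mail claims to be from with the address it was sent to.

    expected       - a service wrote to the tag it was given
    tag-leaked     - a tag is receiving mail from someone it was never given to
    possible-phish - mail claims a known service but went to a different address
    unclassified   - nothing to compare against
    """
    msg = message_from_string(raw)
    sender = domain_of(parseaddr(msg.get("From", ""))[1])
    for rcpt in recipients(msg):
        service = ISSUED.get(rcpt)
        if service is not None:
            return "expected" if same_org(sender, service) else "tag-leaked"
    if any(same_org(sender, s) for s in ISSUED.values()):
        return "possible-phish"
    return "unclassified"

# Constructed sample messages.
OK = ("From: Bank <alerts@mail.bank.example>\n"
      "To: me+bank@example.com\nSubject: Statement\n\nbody\n")
PHISH = ("From: Bank <security@bank.example>\n"
         "To: me@example.com\nSubject: Verify now\n\nbody\n")
LEAK = ("From: deals@unrelated.example\n"
        "To: me+shop@example.com\nSubject: Offer\n\nbody\n")
OTHER = ("From: friend@other.example\n"
         "To: me@example.com\nSubject: Lunch\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("OK", OK), ("PHISH", PHISH),
                      ("LEAK", LEAK), ("OTHER", OTHER)]:
        print(name, classify(raw))
```

The From header is trivially forged, so "expected" only means the recipient address is consistent with the claimed sender; it is a filing and triage signal, not authentication.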
One of the things I discovered yesterday while looking at Krebs on Security was that Google Alphabet has a program to provide hosting and DDoS protection for journalists. Project Shield, as it’s called, is a free service for approved applicants that keeps up websites that might be taken down otherwise. Eligible organizations include those providing news, information on human rights and monitoring elections.
This is something I hadn’t heard of before and my only reaction is good for Google.
Look, we’ve gotten to the point where attackers have resources beyond the scope that most of us can imagine. It’s expensive even for large organizations to manage and pay for the level of protection they need.
Even more importantly, a lot of very important work is done by individuals or small organizations. Brian is a prime example of that. He does an incredible job investigating online crime on his own time. His site and his information are an invaluable resource for many. Losing his site, and losing his information would leave a huge hole in the security community. There are other folks in other spaces who, like Brian, don’t have the resources to protect themselves but do have important things to say and share.
I’m glad to see Google committing their resources and skills to help organizations protect themselves. It’s so important that this work is done and we don’t lose voices just because they can’t afford hundreds of thousands of dollars a year.
There has been abuse and harassment online for as long as I’ve been here. But it seems recently the size and severity of attacks have increased. And a lot of service providers are struggling with how to manage it and what their responsibilities are.
A few weeks ago Facebook deleted an iconic photo from the Vietnam era due to child nudity in the photo. That decision was reversed and discussed in many, many different places. One of the most interesting discussions happened on a friend’s Facebook feed. Many of the participants work at various online providers. They have to make these kinds of decisions and create policy to do the right thing – whatever the right thing is. It was very interesting to be able to follow the discussion and see how many different issues FB and other online providers have to consider when creating these types of policies.
I think the thing I have to confront the most about the internet is how big it is. And how crucial it’s become to all sorts of issues. Social media can be a cesspool of abuse, there’s no question. But it can also be a force for good. I’m glad companies like Google are stepping up to preserve the good parts of the internet.
Cybersecurity has been on my mind lately. There is a lot of bad stuff going on, from giant DDoS attacks, to subscription bombing, to the ongoing low level harassment that some people have to deal with on a daily basis. I’ve written a lot about how I think marketers are going to have to step up and stop being a conduit for abuse. I do believe this. There are a lot of different issues to discuss but there are also many, many different stakeholders in the issue of cybersecurity.
I’ve been on multiple calls with different groups over the last few weeks discussing the implications of the subscription attack and how it was carried out. The majority of my focus is email and how to protect senders from becoming a conduit for abuse. Other folks participating on the call are looking at what abuse is out there and how to stop it or minimize it.
One thing that came up on a recent call is that the bulk of DDoS traffic that took Brian Krebs’ website down was from various Internet of Things devices. Security cameras, DVD players, televisions, lightbulbs and other connected devices were part of the problem. It’s a huge issue, and one that cannot simply be mitigated by just ISPs and providers. But convincing individuals to secure their lightbulbs can be a challenge; we can’t even protect their computers completely. Convincing companies to stop providing default usernames and passwords or using the same keys for every device is another challenge.
These are big issues that we’re going to have to deal with.
Last night, with 100 million of my virtual friends and a small group of local ones, I watched the first Presidential debate. Part of the debate was about cyber security. To misquote Vice President Biden, “Cybersecurity is a big freaking deal.” We have nation states, and groups with the resources of nation states, conducting covert operations online. We have hacking, compromises, botnets and other malicious activity occurring every single day. And, the more complex the site and the more users it has the more likely it is to be compromised. Cybersecurity is a critical part of national security and our own individual security. We must take it seriously and we must address it.
Now, I’ll be honest: I don’t think there is a solution to the problem. I think, though, that there are hundreds of things we can do as individuals, as companies, as nations, as volunteer organizations, as NGOs and as coalitions to solve different parts of the problem. We all need to think about what it is and who’s doing the bad stuff.
It’s common to think of hackers as lonely boys in basements who have too much time and too little to do. Back in the ancient days of the spam wars some folks referred to them as “chickenboners”: beer drinking rednecks who ate fried chicken and threw the bones on the floors of their trailers. The reality even then, though, was that many spammers ran businesses and made a lot of money. Admittedly, the descriptions of how the business was run are cringe inducing and full of illegal activity.
Now, much of the hacking is actually organized crime outside the US. This makes it hard to address successfully through legal channels.
It’s all very complicated. But I think we can agree security is a big deal. We are all part of the solution, by securing our sites and our personal devices. We’re also part of the solution by paying attention to the larger issues and events going on around us.