This showed up in my mailbox earlier today:
The tweet in question
From Crunchbase: “Pluck is an email prospecting tool that gives you the email addresses of the people tweeting about subjects related to your business.”
Prospecting: another name for spamming. Look, I know that you want to sell you’re newest, greatest product to the world. But just because I tweet something with a # that you think is relevant to your product doesn’t mean that I want to get your spam. I also know it’s hard to get attention and find prospects; I’m a small business owner, too and I need to market my own services. But spamming isn’t a good idea. Ever.
There’s been a significant increase in this kind of spam “to help your business” lately. It’s a rare day I don’t get something from some company I’ve never heard of trying to sell me their newest product. It might be something if they tried a contact or two and then went away. But they’ll send mail for weeks or months without getting an answer. Look, silence IS an answer and it means you need to go away and leave your prospects alone.
Unfortunately, there are services out there that sell a product that let you “automatically follow up” with your prospects. Pluck up there uses one of them, as that’s who’s handling all the links in the message. In fact, if you go to the bare domain (qcml.io) they talk a good anti-spam game. “Die, spammers, die.” I reported the message to them. I’m not expecting them to actually do anything, and I’m not expecting a response.
It’s just spam under another name. There’s no pretense that it’s anything else. Even if it’s sent in a way that makes it look like a real person typed the message, like QuickMail offers. “All emails will come straight out of your personal inbox as though you typed them yourself.” As if you typed them yourself.
The worst part is there’s no real way to stop the mail. I can’t unsubscribe. The companies selling the software don’t provide any guidance to their customers about what the law requires. Take the message from Pluck that started the post. It violates CAN SPAM in multiple ways. Moreover, the address they used is not publicly associated with my twitter handle, which means they’re doing some harvesting somewhere. That means treble penalties under CAN SPAM.
I could reply and ask them to stop mailing me. I’ve done that a couple times with a message that says, “Please don’t email me any more.” I’ve got to tell you, some people get really mad when you ask them not to email you. Some just say yes, but others are really offended that you asked them to stop and get abusive. It’s gotten to the point where I don’t ask any more because of that one person who decides to harass, threaten and scream at me. Sure, it’s maybe 1 in 5, but I don’t have the time or energy to figure out who is going to be receptive and who isn’t. I don’t have time for that. No one has time for that.
I’m expecting that filters are going to catch up eventually and these types of mail will be easier to filter out. Until then, though, small business owners like myself are stuck in a place where we have to deal with spam distracting us from our business. At least I get blog content out of it.
Happy December! Between #blackfriday, #cybermonday & #givingtuesday, pretty much everyone in the US has just survived a week of email from every brand and organization they’ve ever interacted with. Phew.
Is this still the best strategy for most senders? Maybe. But it’s always important to be adaptable and continue to evaluate and evolve your strategy as you move through the year.
As always, I continue to think about evolving our own strategies, and how we might best support senders and ESPs. One of the challenges we face when we talk to senders with deliverability questions is that so many of our answers fall into a nebulous “it depends” zone. We’re trying to articulate new ways to explain that to people, and to help them understand that the choices and details they specify at each point of their strategic planning and tactical execution have ramifications on their delivery. While “it depends” is still a correct answer, I’m going to try to avoid it going forward, and instead focus on exploring those choices and details with senders to help them improve deliverability.
In our community of deliverability and anti-abuse professionals, we are — as you’d expect — quite sensitive to unsolicited email that targets our industry. When an email circulates, even what seems like a reasonably well-thought-out email, it occasionally does not land well. Worse still are the various email-related product and service providers who try to legitimize B2B sales messaging as if it is something other than spam.
The takeaway from these discussions for senders is, as always: know your audience. This post about research from Litmus on millennials and spam is a great example of the kinds of things you might consider as you get to know your audience and how they prefer to communicate.
We also had a presidential election this month, one that made much of issues related to email, and it will be interesting to see how the candidates and parties use the email data they collected going forward.
In industry and security news, we saw over a million Google accounts breached by Android malware. We also saw some of the ramifications of a wildcard DNS entry from a domain name expiration — it’s an interesting “how things work” post if you’re curious. In other “how things work” news, we noted some of the recent changes AOL made to its FBL.
I answered an Ask Laura question about dedicated IP pools, and I have a few more queued up as well. As always, we want to know what questions are on the minds of our readers, so please feel free to send them over!
Over 1 million Google accounts breached by Android malware.
There are some folks I know who really can’t understand why I stick with Apple over Android. The above issue is a big one. Doing what we do, security is a major consideration. I don’t need my accounts, or other accounts I have access to, compromised. It’s not that Apple is 100% compromise proof, but there are more checks and balances in the pipeline.
On the deliverability front, I had a recent interaction with someone from iCloud. This is a colleague I’ve worked with for years now, following him through multiple job changes. A client was having some delivery issues with a shared IP, so I was asking if he could send me some data to help track down the problem customer. I have a habit of asking for subject lines when I’m trying to get data. It’s usually enough for an ESP to track down the problem, and they’re not a way for folks to track down spamtraps or recipients. The answer I got back was sorry, they couldn’t give me any information at all, even something minor like a subject line.
Apple takes user privacy seriously and are doing a lot to protect their users. Does that mean I spend too much money on hardware I could buy cheaper? Perhaps. But, I’ll pay a little more to work with a company that puts privacy at the center of their product suite.
Last week Oracle announced they were buying Dyn. Interesting acquisition, but fills a spot in Oracle’s playbook to provide infrastructure.
None of the press releases I’ve seen about the acquisition mentions the Dyn email service platform. Oracle has at least two email platforms already (Eloqua and Responsys). It will be interesting to see what happens with email.
Last week the megarbl.net domain name expired. Normally this would have no affect on anyone, but their domain registrar put in a wildcard DNS entry. Because of how DNSBLs work, this had the effect of causing every IP to be listed on the blocklist. The domain is now active and the listings due to the DNS wildcard are removed.
How does a domain expiration lead to a DNSBL listing the whole internet?
Well, it’s kinda complicated and involves some of those grubby corners where different things that shouldn’t happen all occur and weird stuff happens.
But I thought there were rules and standards about this stuff.
Well, there are standards on the Internet. The IETF publishes documents “Request for Comments” (RFCs). These aren’t rules as much as they are standards. While many folks treat RFCs as rules, that’s not really what they’re for. All the RFCs do is tell operators how to do things if they want to communicate seamlessly with other entities. Not every RFC is a standard; some are informational, some are experimental, some are drafts being actively developed and some are current practices.
So how does a domain expiration lead to listing all IPv4 space on a blocklist?
Well, there are a few technical things we need to understand before we can see how we get from domain expiration to blocklisting.
How DNSBLs work
First we need to talk about how DNSBLs work. DNSBLs publish a list of IP addresses. To query a DNSBL for an IP address you take the IP address, reverse it, add the DNSBL name onto the end and query for that domain.
Let’s say I want to look up 220.127.116.11 on the SBL. I flip the IP address and add sbl.spamhaus.org to create the domain name 18.104.22.168.sbl.spamhaus.org. Then I do a DNS lookup on the domain name. If the IP is listed, then Spamhaus will return an A record / IP address. If the IP is not listed, then Spamhaus will return an NXDOMAIN and no A record.
All DNSBLs are run this way, so if you get any answer to a DNS query it means the IP is listed. And, yes, this is how blocklists are queried, even when you use a web form. It’s all DNS behind the scenes.
DNS wildcard records
Now that we know how DNSBLs are queried, we need to talk about DNS and wildcarding. Wildcarding is allowed in the DNS RFCs, but it’s complicated. So complicated entire RFCs have been written to try and explain the grubby corners. I’m certainly not going to try and explain it. If you want more details check out the Google support page, IAB commentary on wildcarding or the Wikipedia article.
The short version that works for our purpose is that a wildcard entry in DNS means that there is an IP for every domain queried. You can make up any domain name and it will return an A record.
Wildcard records and registrars
The next thing we need to know is that some registration providers take unregistered domains and publish wildcard DNS records for them. Typically this is done to collect add revenue for parked or unused domains.
OK… so how does that lead to blocking?
When a domain expires and the registrar reclaims it and publishes a wildcard DNS record, then every query to the DNSBL will come back positive. The only negative DNSBL response is “NXDOMAIN” so the presence of any A record is a listing.
That shouldn’t happen…
Well, no one is technically doing anything wrong here, except possibly the registrar by publishing wildcard record for expired domains. Or the domain owner by forgetting to renew their domain in a timely fashion. The good news is that it happens very rarely, typically once you lose a domain due to expiration you figure out how not to do that again. And not all registrars wildcard expired domains. This is just one of those things where no one is doing anything wrong or unusual, but when they all happen together unexpected things happen.
The good news is that, as of today, the domain is back and the false listings are removed.
Can a DNSBL stop this from happening?
There are number of ways a DNSBL can stop this from happening. The two big ones are not to let the domains expire and use a registrar that won’t wildcard parked domains. Other than that, though, they can’t really.
I’m a DNSBL user, how can I know this is happening?
Well run IPv4 DNSBLs should always list 127.0.0.2 and should never list 127.0.0.1. DNSBL users should query a DNSBL daily for these two addresses. If it is listing 127.0.0.1 or it is not listing 127.0.0.2 then it should be considered non functional and dropped from your filtering scheme. (RFC5782 and RFC6471, )
We’re two days out from the beginning of the Holiday Shopping Season here in the US. Three days out from one of the biggest retail shopping days of the year in the US. 5 days out from one of the biggest online shopping days of the year.
I’m sure everyone has their mail campaigns planned. Most of the messages are finished, just waiting for a tweak or the exact right image.
The challenge, during this time of year, is to actually think strategically about marketing. The challenge is to pay attention to what subscribers and ISPs are telling you. The challenge is to adapt to conditions on the ground, rather than just executing a strategy planned months ago.
I often joke that my job gets quiet around this time of the year. Most of my clients and customers are busy executing their strategy, not planning it. So much mail is being slung around that no one really has time to do any thinking about it. That is, of course, a gross exaggeration, smart email marketers are always considering strategy even as they’re in the middle of the holiday mailing season. They still pay attention, they adapt to the conditions, they get the mail through.
Just remember, 2016 is almost over. But we still have a lot of email to send first.
The two most hated words in deliverability. Many people ask general questions about deliverability and most experts, including myself, answer, “It depends.”
There are a lot of problems with this answer. The biggest problem is that it’s led to the impression that there are no real answers about deliverability. That because we can’t answer hypothetical questions we are really just making the answers up.
The reason we use “it depends” is because the minute details matter when it comes to deliverability. Wether or not something will hurt or help deliverability depends on the specific implementation. Who’s doing the sending? What is their authentication setup? What IP are they using? How were the addresses collected? What is their frequency? What MTA is used? Are they linking to outside sites? Are they linking to outside services? Where are images hosted? The relevant questions go on and on and on.
I am going to stop saying it depends when answering generic deliverability questions. Instead I will be using the phrase “details matter.” Details do matter. Details are everything. Details drive deliverability.
The importance of details is why many deliverability people hedge their answers. The details do matter.
I will do my best to stop answering It Depends to deliverability questions. Instead, I’ll be answering with question and pointing out the details matter.
Earlier this week Litmus and Fluent hosted a webinar title “Adapting to Consumers’ New Definition of Spam.” This had a number of fascinating facts about email marketing, many of which should reassure folks.
Litmus has a blog post up highlighting some of the findings specific to millennials and email. Good news is millennials like getting mail from brands and interact with them regularly. Even better, they will rescue mail out of the spam folder.
The full whitepaper is available from Fluent: 2016 Consumer Perceptions of Email. I’ll be writing more about this over the interesting tidbits here over the next few weeks. But I really suggest people go download it and read it.
There was quite a bit of content I cut out on my rant about parasites in the email ecosystem earlier this week. I had whole section on people who ask to connect on LinkedIn and then immediately send a pitch or scrape your address and add it to their marketing automation software and start spamming. Generally, the only reason I will drop someone off LinkedIn is because they do this.
Today, one of the deliverability mailing lists has been hopping over spam many folks in the industry received. The discussion started off simple enough, someone said “Is <companyname> spamming the industry?” People immediately chimed in that yeah, it did appear so.
A few people said they’d gotten the message and thought it was personal and were disappointed it wasn’t. Others weren’t sure why they were chosen to receive this message, or why some of their co-workers were chosen. A few of us didn’t get them. I didn’t.
This is a great example of marketing that was reasonably well planned, but a total fail for not knowing their audience. The product in question is an anti-abuse product. The company wants to reach people in the anti-abuse industry. They go off and find people in the anti-abuse industry and send them an email. Mail that seems personalized. It was a perfectly reasonable email. It asked questions and did get some people to engage with it by replying. They even appear to have done A/B testing on subject lines.
All solid marketing decisions. All great things to do.
But, the anti-abuse community is small, particularly the ESP anti-abuse community. We talk on mailing lists, IRC, LinkedIn, Facebook and Slack – and those are just the places I’m connected to. I’m sure there are other meeting places. The fact is, we’re a community and we do interact. If you’re going to try and do something like this, you have to expect that we’re going to realize you’re spamming. And many of us have very low tolerance for this kind of stuff.
A few years ago I worked with some senders who acquired most of their email addresses from technical conferences. They had a lot of delivery problems because a lot of their audience were the people who wrote and maintained filters. Spam the person who writes a spam filter and you may find yourself locked out from all of those filter users. I finally realized I couldn’t help those clients. No amount of technical perfection, personalization, looking like one-to-one mail or magic address cleaning is going to make this audience want your mail.
Marketing starts at understanding your audience. Permission is one of the better ways to understand your audience. Marketing to the anti-abuse crowd is a challenge. I can’t see any place where unsolicited email successfully fits into that plan.
Arrived yesterday! Still working on setting it up, but it’s pretty slick so far.