“I can’t believe you are wearing one of those,” they said while sneering at the Pebble watch I was wearing. Yes, that’s how someone introduced themselves to me at a conference last year. Apparently, I’m not allowed to wear smartwatches, or something. It wasn’t clear what their problem was or why they thought that was a good opening line. Best I can figure, it was some commentary on the hypocrisy of me wearing a smartwatch and claiming to be pro-privacy.
The thing is, I think I’m aware of how much information is out there about me, although I’m pretty convinced there’s even more than I think there is. The decisions we make about privacy and tracking are complicated. Do I take this 5% discount on something in return for having my purchases tracked? Do I participate in Facebook knowing they’re compiling a full dossier on me? Do I stay logged into Google? Does any of that matter?
We’re watched by corporations and they know a lot about us and what we do. Loyalty cards are ubiquitous and they’re purchase tracking devices. Many apps track us and send that data back to companies. Half of Palo Alto office space has been taken over by a secretive company called Palantir that is built on tracking and profiling people. Tracking is a fact of life.
Online we’re tracked all the time. Even if we try and avoid it, if we participate in almost anything online we’re tracked. In many cases, this is taken as implicit consent to be tracked. Being a part of a community we enjoy or using services that benefit us come with the price of tracking.
Many people don’t really understand how ubiquitous tracking is. I’m sure I don’t, and I believe everything I do is tracked somewhere by someone.
I pointed out earlier this week that the company Unroll.me was using the access they had to consumer mailboxes to sell data they extracted from emails. I also pointed out there are other companies with access to mailboxes and that many email marketers are the target market for the data they’re selling.
Return Path commented on my post and clarified how transparent they attempt to be in their various data products. I’m sure they are, I know a lot of the folks at Return Path and I trust them. But that doesn’t scale. I can’t personally know the executives at every company I do business with and trust they’re not out to invade my privacy.
It’s a fact that the modern lifestyle includes tracking. That doesn’t mean we shouldn’t pay attention to apps and what access they have. But it does mean if we want to fully participate and have access we need to accept the price is some privacy invasion and tracking. What unroll.me did might be unexpected, but it’s not unusual.
We often talk about confirmed opt-in (aka “closed-loop opt-in” or “double opt-in”) as the gold standard for address acquisition for permission-based mail.
It’s not the only way to gather permission, and in some ways it’s a rather blunt tool that can discourage people from completing a sign-up process if it’s done badly – the confirmation email isn’t sent immediately, it goes to the recipients spam folder, they don’t have any reason to go and look for it, …
When it’s done well, though, it’s excellent.
Tor.com, the site for science-fiction and fantasy operated by publisher Macmillan, just did it very well with an ebook giveaway.
Last year they published Every Heart a Doorway, a novella that won several awards and caused quite a bit of buzz in the SFF community, partly because it’s very good and partly because it’s author, Seanan McGuire, has some serious social media chops. The sequel, Down among the Sticks and Bones, is being released in the next month or two.
Perfect timing for a time-limited giveaway of the first book, tied to signing up for their mailing list.
The signup form is on a page dedicated to the giveaway that talks about the book and sets some expectations about the mailing list. The form itself makes it very clear that you’ll need to enter a real email address to get the ebook download, so email@example.com is less likely to subscribe.
People aren’t required to sign up for the mailing lists to get the download. This isn’t a barter, a mailing list signup for a book, rather it’s putting the opportunity to sign up for the mailing lists in front of people who are self-selected to be interested in the content. That probably reduces the “how many people signed up” metric somewhat, but I bet the “how many new subscribers are still signed up in a month” numbers will look very healthy.
It provides some options. Do you want weekly content? Monthly? Both? You know that you’re not going to end up on a thrice-daily list from Macmillan and all their affiliates.
The confirmation email landed in my inbox within a few seconds after I clicked the “Sign Me Up” button. That’s important. If it takes even a few minutes I might have moved on, and wouldn’t be looking for the confirmation mail if it had ended up in my bulk folder.
And the confirmation mail isn’t a “click here to confirm your subscription” yawnfest. The subject line is “Download EVERY HEART A DOORWAY by Seanan McGuire Now” and the body content is on-brand and includes the front cover of the book.
Way more compelling.
It’s still solid informed consent from me, and confirmation that I, the owner of the email address, want on the list. (And, yes, the download link has 56 bytes of opaque hex-encoded data in it, so I know they’re tracking that.)
This is how it should be done.
(And, if you like fantasy you should head over to Tor and sign up for their promo. Seanan writes some amazing things, and I’m not just saying that because she’s a friend.)
I just added a DMARC validation tool over on tools.wordtothewise.com.
You can give it a domain – such as ebay.com – and it will fetch the DMARC record, then explain and validate it. Or you can paste the DMARC record you’re planning to publish into it, to validate it before you go live.
If you’ve not seen our tools page before, take a look. As well as DMARC we have a DKIM validator, SPF expander and optimizer, general DNS lookup tools, a bunch of RFCs covering all sorts of protocols, and base64 and quoted-printable decoders.
There’s also a widget that lets you add those little unicode pictures to your subject lines, whether you need a snowman ⛄, a forest 🌲🌳🌴🎄, or a pig getting closer 🐖🐷🐽.
The results pages all have easily copyable URLs so they’re pretty good for sharing with co-workers or customers if you need that sort of thing.
(And if you need a cidr calculator, whois, or easy access to abuse.net & Microsoft SNDS check out Al’s xnnd.com.)
On Sunday the NYTimes published an article about Uber’s CEO. One of the pieces of information that came out of that article is services like unroll.me sell information they scrape out of emails sent to their users.
Uber devoted teams to so-called competitive intelligence, purchasing data from an analytics service called Slice Intelligence. Using an email digest service it owns named Unroll.me, Slice collected its customers’ emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. […]
Slice confirmed it sells anonymized data (meaning that customers’ names are not attached) based on ride receipts from Uber and Lyft, but declined to disclose who buys the information.
Unroll.me is a service that takes user’s commercial email and “rolls it up” into an easy to digest email. Basically users give unroll.me access to their mailboxes, and the company digs through the mail you’ve received in order to organize it. I wrote about them back in 2015 because they were mishandling unsubscribe requests. The issue then was they were not sending unsubscribe requests if the List-Unsubscribe header was a mailto: link. They noticed and then flooded ESPs with requests all at once, causing many people to question if these were legitimate unsubscribes.
What I didn’t realize at the time is that using unroll.me means you are granting a 3rd party application access to your entire mailbox. Their FAQ claims you’re agreeing to “limited access.”
The signup process is quick and easy. Here’s how it works: Click on the “Signup” button on the homepage. Type in your email address. Unroll.me will ask for limited access to your email address using OAuth for Gmail or username/password for all of the other services. After granting limited access, Unroll.me scans your inbox and compiles a list of your email subscriptions.This can take a few moments. Once the scanning process is complete, a list of your email subscriptions will be presented to you. You’ll be able to edit them right away. That’s it! Once you’re done, begin enjoying the Unroll.me experience!
What does that “limited” access look like? This is how Google describes the access unroll.me wants:
Unroll me has unrestricted access to read, send delete and manage your email. What Google doesn’t know or say is that you are also giving unroll.me permission to sell information and data about your commercial and transactional emails (as defined in CAN SPAM).
We may collect, use, transfer, sell, and disclose non-personal information for any purpose. […] we may collect data from and about the “commercial electronic mail messages” and “transactional or relationship messages” (as such terms are defined in the CAN-SPAM Act (15 U.S.C. 7702 et. seq.) that are sent to your email accounts. […]
We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; […] all personal information contained in such messages will be removed prior to any such disclosure. […]
We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.
Unroll.me isn’t the only provider to access your inbox and sell the data. Boxbe, owned by eDataSource, and Otherinbox, owned by Return Path both access mailboxes to collect user data. That is the “panel data” so many of my readers use to measure deliverability.
The biggest problems with these services is that an email address is more than simply a mailbox. Email addresses are the keys to our online identity. Giving companies like unroll.me, or Return Path or eDataSource access to your mailbox allows those companies access to private data and other online services associated with that email account.
Make a purchase from an online retailer? That receipt is a commercial electronic message. Register an account for an online service? The email with your registration information is a commercial electronic message. Give an app an email address? Any email from that app is a commercial electronic message. Receive bank statements? That email is a commercial electronic message. Use your email account to make an appointment at your doctor’s office? The confirmation email is a commercial electronic message. Reset your password on your iCloud account? The reset email is a commercial electronic message.
Just because a message is commercial does not make it non-personal. Some very personal emails come through commercial services. Emails a lot of people might not want to be public, even aggregated and anonymized.
But it’s not just the commercial messages that are an issue. The services have access to the email account. I looked through all 3 services to figure out if they are looking at all the mail and just taking data from commercial mail, or if they’re just looking at commercial mail. Best I can tell is that they’re reading all mail coming into the account, but only saving data from commercial mail. Or so they say.
For instance, unroll.me claims they do not keep copies of any emails sent to their users. But according to a post on yCombinator, unroll.me is keeping copies of every mail sent to and sent from accounts associated with unroll.me.
I worked for a company that nearly acquired unroll.me. At the time, which was over three years ago, they had kept a copy of every single email of yours that you sent or received while a part of their service. Those emails were kept in a series of poorly secured S3 buckets. A large part of Slice buying unroll.me was for access to those email archives. Specifically, they wanted to look for keyword trends and for receipts from online purchases. karlkatzke
If this is true, there are major issues here. Why are they saving outbound mail? This has nothing to do with incoming commercial mail and tracking trends. There’s no reason to save the outbound messages as it has nothing to do with what commercial email companies are sending. How secure are these S3 buckets?
Notice, too, that the services never discuss how they are identifying commercial messages. They just say they’re only monitoring commercial messages. But what criteria identifies a message as commercial vs. one that identifies a message as personal? I can think of a couple ways to ID commercial messages, but all of them are fraught with false negatives and false positives. Of course, the services fall back on “commercial” and rely on users believing that the service has a magic way to avoid identifying personal email as commercial.
The main takeaway from this is that if you give a third-party access to your mailbox you’re giving them the keys to the kingdom. If you care about your privacy or the security of your personal information you need to be aware of what their actual business model is – that it’s “selling data based on the email you receive” not “cleaning up your mailbox”, for instance. You also need to convince yourself that you completely trust the third party with your data – not just their stated use of it, but also their operational competence and dedication to data security.
Note: Return Path has commented with a statement on how they inform users about info collection and what they do to protect user privacy.
I had a number of very good talks with folks at the Email Innovations Summit earlier this week. I’m still digesting it all. It’s clear that getting to the inbox isn’t a solved problem. Around a decade ago I figured that the explosion of complaint feedback loops would make my job obsolete. That more data would mean anyone could manage delivery. That’s not the case for a couple reasons. The biggest is that filters don’t look just at complaints and there aren’t FBLs for all the other factors.
For whatever reason, many companies are still struggling with delivery.
Even more interesting is how changes in filters and inboxes are making it harder to measure delivery. In some ways I feel like we’re losing ground on inbox measurement. Filters changes and will keep changing, both to address emerging threats and to meet the needs and wants of subscribers. Gone are the days where Panels have their problems. Seed lists have their problems. There’s a longer blog post here, but it’s nearly the weekend and I’ve had a long week.
Hope you have something great planned.
Made it back from Vegas late last night. It was a great trip, even though I wasn’t officially attending the conference. I did get a chance to see old friends and meet some new people. The Women of Email board had our first in person meeting and we’re working on some exciting things over the next few months. Our mentor program is well underway and we have been placing speakers at various conferences.
I can hardly wait to share some of what we’re doing and our plans as they finally come together. We’ve made a difference even in stealth mode, and I’m so proud of my fellow board members. They’ve done great things already, and they’re only just getting started.
One of the high points of the trip for me was dinner with an amazing bunch of women in the space. Some I’ve known for a while, but many were new faces. It was great.
In two weeks I head to EEC to watch Steve talk about the subscription bombing problem and some of the lessons we’ve learned over the last few months.
A “/8” is a block of 16,777,214 usable IP addresses. That’s a big fraction of the entire IPv4 address space – about 1/224, in fact. Each one is all the addresses that begin with a given number: 10.0.0.0/8 is all the IP addresses that begin with “10.”, “126.96.36.199/8” (or “184/8” for short) is all the IP addresses that begin with “184.” and so on.
How are they used? You can see in this map of the entire IPv4 Internet as of 2006.
In the early days of the Internet /8s were given out directly to large organizations. If you look near the middle-top of the map, just left of “MULTICAST” and above “DISA” you can see “MIT”.
The Massachusetts Institute of Technology got into the Internet game pretty early. This is the first map I have where they appear, in June 1970:
The Laboratory for Computer Science at MIT were assigned the 188.8.131.52/8 block sometime around 1977, according to RFC 739, though it looks like they may have been using it since at least 1976.
By 1983 (RFC 820) it belonged to the whole of MIT, rather just the CS Lab, though you have to wonder how long term that was supposed to be, given the block was named “MIT-TEMP” by 1983 (RFC 870). According to @fanf (who you should follow) it was still described as temporary until at least the 1990s.
But no longer. MIT is upgrading much of their network to IPv6, and they’ve found that fourteen million of their sixteen million addresses haven’t been used, so they’re consolidating their use and selling off eight million of them, half of their /8. Thanks, MIT.
Who else is still sitting on /8s? The military, mostly US, have 13. US Tech companies have 5. Telcos have 4. Ford and Daimler have one each. The US Post Office, Prudential Securities, and Societe Internationale de Telecommunications Aeronautiques each have one too.
One is set aside for use by amateur radio.
And two belong to you.
10.0.0.0/8 is set aside by RFC 1918 for private use, so you can use it – along with 192.168.0.0/16 and 184.108.40.206/12 – on your home network or behind your corporate NAT.
And the whole of 127.0.0.0/8 is set aside for the local address of your computer. You might use 127.0.0.1 most of the time for that, but there are 16,777,213 other addresses you could use instead if you want some variety. Go on, treat yourself, they’re all assigned to you.
noun. research and analysis of a company or organization done in preparation for a business transaction
It’s a term that’s been around for five centuries or so. Originally it meant the effort that was necessary for something, but it evolved into a legal term for “the care that a reasonable person takes to avoid harm to other persons or their property“.
More recently it’s evolved to mean “the research that a company should perform before engaging in a financial transaction“.
One aspect of that is doing at least a bare minimum of research on a customer before you let them take advantage of your reputation.
I just got some SMS spam from a short code, advertising two domains – 29designx.us and customlogocoupon.us. It’s SMS spam, so there’s no hidden content, no affiliate tags, just the bare domains. One spam has both domains in it, the other has 29designx.us twice.
According to the company that operates the SMS gateway this is a dedicated short code, not a shared code. In ESP terms that’s kinda equivalent to a customer on a dedicated IP address rather than one sharing a pool. Except much more so – short codes are a scarcer resource than IP addresses, with the US having fewer short codes in total than some ESPs have IP addresses.
What would 60 seconds of due diligence have told the SMS provider about this customer?
Let’s start by looking at the two websites.
They’re clearly built from the same template. Same annoying animation, same fake sale countdown timers, same live chat window.
The live chat was answered by Harvey (who is a real person, one I managed to annoy by talking with him through multiple live chat windows on their different sites simultaneously). Different ‘phone numbers though – 1-866-212-2217 for the coupon site vs 1-619-942-5964.
Then lets look at whois for the domains:
Domain Name: 29DESIGNX.US
Registrant Name: Mildred Smith
Registrant Organization: 29designs
Registrant Address1: 1854 Valley View Drive (that’s in Kansas)
Registrant City: Boston
Registrant State/Province: MA (not Boston, Massachusetts)
Registrant Postal Code: DN3 6GB (see note)
Registrant Country: UNITED KINGDOM (nor the United Kingdom)
Registrant Country Code: GB
Registrant Phone Number: +92.3233000306 (nor Pakistan)
Registrant Email: firstname.lastname@example.org (gmail? rhiannon != Mildred)
Registrant Application Purpose: P1 (= business registration)
Registrant Nexus Category: C11
Domain Name: CUSTOMLOGOCOUPON.US
Registrant Name: Antonio R. Flores
Registrant Organization: Oranges Records & Tapes (see note)
Registrant Address1: 4243 Marie Street Annapolis (doesn’t exist)
Registrant City: MD
Registrant State/Province: MD
Registrant Postal Code: 21401
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4108498868
Registrant Email: email@example.com (seven digit number, huh?)
Registrant Application Purpose: P3 (= personal website)
Registrant Nexus Category: C11
That’d make me suspicious enough to put the customer on hold and maybe doing a little actual investigation of them before allowing them to send. That’s the due diligence an ESP or SMS provider should do.
Laura is in Las Vegas today, so I have a little spare time. Let’s do the next level of investigation to find a little more. Nothing fancy, just some creative use of Google.
“DN3 6GB” is an interesting UK postcode. Not because Doncaster – the South Yorkshire town that “DN3” would imply – is particularly interesting, nor because of the fact that DN3 6GB doesn’t exist, despite being syntactically correct.
No. It’s interesting because it is the first postcode in a test suite for validating UK postcodes via regular expression so it’s all over developers forums and FAQs when people are talking about valid UK postcodes. Not only a fake, but a manually created fake.
“Orange’s Records and Tapes” is interesting too. It’s an odd looking business name to have attached to a logo design company. And the mention of “Tapes” looks rather dated. It seems to be a Chicago-based record store (or, possibly, small chain) that either went out of business or was bought out and the name abandoned quite some years ago. It’s still on some easily available lists of business names, though.
And it’s also in output from fakenamegenerator.com – a handy little site that generates fake names, email addresses, employer names, birth dates, credit card numbers and everything else you might want to have as test data. That makes me pretty sure that everything about customlogocoupon.us is fake.
Reverse whois search suggests that the same “Mildred Smith” also registered 29design.us, paperx.us, 99videos.us, 29designs.us and 99videoz.us. As well as the similarity in domain names, the sites that are up are using the same template as the first two sites and selling services in much the same style. And appear to use equally fake registration data.
We still have the ‘phone numbers published on the original sites…
The 866 number on customlogocoupon.us shows up in the contact information for logoventure.com and logoventure.net. They’re a small graphic design and flash animation company, consisting of Russell Bryant, Jessica Sandler, George Isaacson and Jason somebody. No Antonio R. Flores, and it’s a much more restrained site than the customlogocoupon.us hyperactivity.
The 619 number from 29designx.us shows up on animationsharks.com. Which is a little better designed, but still has the same live chat box manned by Harvey. (Hi, Harvey!). It’s been mentioned elsewhere in the SMS spam context too.
There’s no useful contact information on the site, and the domain registration data is falsified via Domains by Proxy (reasonable for a personal site, a bad sign on a business site).
My best guess is that animationsharks.com / 29designx.us / 29design.us / 29designns.com are the SMS spammers, while logoventure.com are a customer of theirs.
Hidden by CSS on the animationsharks.com site is a list of services, support and postal contact information that’s identical to that of a legitimate corporate animation studio based out of Boston. It’s possible that they just ripped off the site of another company, but it’s also possible it’s a side-job, something done by an ex-employee…
But that’s all I have time to look at now. Back to work.
Legitimate mailers need to distinguish themselves from spammers. One important piece of that is knowing what spammers do. SendGrid has put together some information on common scams and techniques spammers use to get email delivered.
Some of these terms, like doxxing and swatting, are not specifically email related. However, they are used against people who are fighting abuse on the Internet. People who are actively investigating darker portions of the internet face real danger. Brian Krebs has made some of the harassment he’s received public. I know other people in the space have been harassed but don’t make it so public.
I think it’s valuable for marketers to understand the malicious and criminal end of mail. It makes some filtering decisions less random when you know the types of bad traffic that the filters are trying to stop. The SendGrid document is a fantastic first stop to learn about them.
I sent in a complaint to an ESP earlier today. This was mail from a major UK retailer to an address that is not used to sign up for mail. It’s part of an ongoing stream of spam related to UK services and products. I believe most of this is because one of the data selling companies has that address associated with someone who is not me.
I did explain I believed this was a purchased address but I’m wondering if I will get a response. The address isn’t one of those I regularly use so there isn’t a connection between “Laura, deliverability person” and “Laura, spam victim.” There are some industry folks who go out of their way to respond to my complaints. That’s always rewarding.
On a more theoretical level, I can make good arguments for responding and good arguments for not responding.
Why not respond?
- It takes too much time. Back when I was managing the abuse desk for a large network provider, I had 3 people working under me. Between the 4 of us, we could handle a little over 2000 complaints per month. We tried to respond to all complaints, but it did slow down the amount of time it took to process issues. We were also stuck reading and responding to complaints that came in after we’d fixed the problem. This led to an important design point for Abacus: it should be easy to respond to all complaints about an issue and there should be an automatic response to people reporting closed issues.
- Blowback. Not every from address is valid and the abuse desk may end up spamming. This happens when people don’t trust the abuse desk to correctly handle the complaint. Or when they think the address might be simply list washed. An abuse desk should not send mail automatically to forged email addresses.
- Complainants want to argue. This particularly happens when a complainant wants one action to happen, but the abuse desk doesn’t do that. There is also a segment of the population who will argue word choices – like using double opt-in vs. single opt-in. The reporter is angry and wants to take it out on someone and, hey, the abuse desk answered so that is who they are going to argue with.
- Publicity. Bad PR is never fun and “poor” responses can go public. Back when I was abuse, I remember one situation where someone I knew and thought was trustworthy sent in a complaint. I handled the complaint and actually sent him back a response explaining what we did and what we were unable to do. Next thing I know, the email I wrote is published to USENET and boss is calling me on the carpet. What I failed to notice is that buried in the 5th paragraph of the email, after the 4 pages of whois and trace route data, the complainant said they might make any response public. I didn’t read that far, because I saw the headers, knew the issue, handled it and didn’t need all the details. That was one of the last times I responded to anyone, even if I “knew” them.
- Politeness. This is really specific to manual complaints. The complainant has taken the time to compose an email alerting you to a problem. It’s just polite to respond.
- Publicity. Handling abuse issues can be good publicity for a company. There are still some old timers who fondly remember the emails from Afterburner and his crew of minions. Those emails were great publicity and gave the ISP a good reputation in the anti-abuse community.
- Transparency. Transparency in abuse handling lets the wider community know that issues are taken seriously. Without responses, the reporters are left wondering if their report was received or read.
Often the only response people get from a complaint is that the mail stops. That’s not bad, I mean, that’s usually what they wanted. But there are a small number of people who are not reporting spam to make their own mail stop, but instead are reporting spam to help the overall email ecosystem. I don’t know how to separate A from B but it would be nice if there were a way to do so.