Recent Posts

Is harvesting illegal under CAN SPAM

This issue comes up repeatedly, as many people have read the CAN SPAM act and believe that CAN SPAM specifically prohibits sending mail to harvested address. This is not how I read the law.
The FTC publishes a CAN SPAM Compliance Guide for Businesses that only mentions harvesting in the context of criminal penalties for violations. They list the following 7 main requirements of CAN SPAM.

Gmail image caching update

Late last year Gmail started caching images on their servers, breaking open tracking in some circumstances. This image caching was good for senders, in that images were back on by default. But it was also bad for senders because it broke dynamic content and didn’t allow for tracking of multiple opens by the same recipient.
According to a new blog post by Moveable Ink this issue has now been resolved and Google is respecting cache headers so senders who are using dynamic content or want to track multiple opens can do so.

What goes into successful email campaigns?

Campaign Monitor analyzed over 2.2 million campaigns and came up with some rules of thumb for effective email marketing.

Horses, not zebras

I was first introduced to the maxim “When you hear hoofbeats, think horses not zebras” when I worked in my first molecular biology lab 20-some-odd years ago. I’m no longer a gene jockey, but I still find myself applying this to troubleshooting delivery problems for clients.
It’s not that I think all delivery problems are caused by “horses”, or that “zebras” never cause problems for email delivery. It’s more that there are some very common causes of delivery problems and it’s a more effective use of time to address those common problems before getting into the less common cases.
This was actually something that one of the mailbox provider reps said at M³AAWG in SF last month. They have no problem with personal escalations when there’s something unusual going on. But, the majority of issues can be handled through the standard channels.
What are the horses I look for with delivery problems.

Best practices: A Gmail Perspective

At M³AAWG 30 in San Francisco, Gmail representatives presented a session about best practices and what they wanted to see from senders.
I came out of the session with a few takeaways.

This month in email: February 2014

After a few months of hiatus, I’m resurrecting the this month in email feature. So what did we talk about in February?
Industry News
There was quite a bit of industry news. M³AAWG was in mid-February and there were actually a few sessions we were allowed to blog about. Gmail announced their new pilot FBL program. Ladar Levinson gave the keynote talking about the Lavabit shutdown and his new darkmail program. Brian Krebs won the Mary Litynski award for his work in investigating online security issues. The 4 major mailbox providers talked about their spam filters and spam filtering philosophy.
February was also the month where different companies evaluated their success or failure of products. LinkedIn announced the shutdown of their Intro product and Facebook announced the shutdown of their Facebook.com email service.
Security Issues
Cloudmark published their 2013 report on the Global Spam Threat and we discovered that the massive Target breach started through phishing. I also noticed a serious uptick in the amount of phishing mails in my own mailbox. There is new round of denial of service attacks using NTP amplification. We provided information on how to secure your NTP servers.
Address Collection
The Hip Hop group De La Soul released their entire catalog for free, online, using a confirmed opt-in email process. On the flip side, the M³AAWG hotel required anyone logging into the wifi network to give an email address and agree to receive marketing mail. We also discovered that some political mailing lists were being used in ways the politicians and recipients didn’t expect.
Email Practices
I talked about how to go about contacting an ISP that doesn’t have a postmaster page or a published method of contact. Much of that information is actually relevant for contacting ISPs that do have a contact method, too. Finally, I talked about how ISPs measure engagement and how that’s significantly different from how ESPs think it is.

Does CAN SPAM apply to individual prospecting emails

Two different people on two different mailing lists asked very similar questions recently. Are people who send individual prospecting emails required to comply with CAN SPAM.
My opinion (not a lawyer, don’t play one on TV, didn’t stay at a Holiday Inn last night) is that CAN SPAM does not mention anything about volume, and any individual unsolicited email that has a “primary purpose” of advertising is required to include a physical postal address and a way to unsubscribe.
My other take on it is for individual prospecting emails failing to comply with CAN SPAM is like speeding. It’s illegal, and you can get in legal trouble by doing it, but everyone does it and few people get caught.

ISP relations in a nutshell

Senders: You’re blocking our mail, why?
Receivers: Because you’re spamming, stop spamming and we won’t block you.
Senders: But we’re not spamming. What do you mean we’re spamming! How could we be spamming, we’re not sending spam!
Receivers: You’re doing all these things (generating complaints, sending to dead accounts, hitting spam traps, not bounce handling, etc) that makes your mail indistinguishable from spam.
Senders: But we can’t tell what we’re doing wrong unless you give us more data!
Receivers: OK, fine. Here are FBLs, postmaster pages, sender access to support people. Now, stop spamming.
time passes
Receivers: It’s costing us how much to provide support to senders?!?! And after years of giving them lots of data it’s still the same problems over and over again? We’re not a charity, we’re going to control our costs and stop providing so much personal support.
And that, readers, is why receivers are pulling back from providing the data they used to.

More denial of service attacks

There are quite a lot of NTP-amplified denial of service attacks going around at the moment targeting tech and ecommerce companies, including some in the email space.
What does NTP-amplifed mean? NTP is “Network Time Protocol” – it allows computers to set their clocks based on an accurate source, and keep them accurate. It’s very widely used – OS X and Windows desktops typically use it by default, and most servers should have it running.
NTP is a UDP based service, like DNS, one that works by sending a packet to a server and the server sending a packet back rather than opening a persistent connection to the server as TCP based services (e.g. SMTP, HTTP, …) do. That simpler protocol means that it’s easy for me to send a request to an NTP server with a false source address, claiming I’m someone else – and the NTP server will send it’s reply back to that fake source address rather than to me. So if I want to DoS someone by flooding their network with packets I can send NTP requests to a public NTP server claiming to be the victims server. The NTP server will send the replies back to the victim – and it’ll be almost impossible for the victim, or the NTP server, to trace where I’m sending those request packets from.
As a malicious attacker that already sounds good – but it gets better. The size of a reply is often bigger than the size of a request, sometimes a lot bigger. If I choose the request I make carefully I can easily make sure the reply is at least an order of magnitude bigger than the request. So for every megabit of forged requests I sent to NTP servers, the victim might see at least 10 times that hitting their servers. That’s amplification.
What can you do about it? If you’re running NTP servers that will respond to requests from the general Internet, you ideally need to lock those down so that they’ll only respond to requests from your own clients. You can use the instructions and information at the open NTP project to check to see if you’re running open NTP servers and use the templates provided by Project Cymru as a basis to secure your NTP servers and appliances.
What can you do to prepare for this sort of attack? Have monitoring in place, so that you’re notified if there are large volumes of unexpected traffic. Overprovision your bandwidth, if possible, to give you more time to react. Block “large” (>90 bytes for IPv4, >110 for IPv6) UDP packets with a source or destination port of 123 as far upstream as possible, and all UDP packets that have both a source port of 123 and a destination port of 80 or 25 – this shouldn’t affect legitimate use of NTP by your users. Consider having your production servers use NTP servers operated by you, rather than public NTP servers – that way, if they’re targeted you can block any traffic that looks like NTP to them without affecting their time synchronization. Research DoS mitigation providers – different providers have different strengths and cost structures, and they can be much more reasonably priced if you talk to them before an attack rather than during one.
What if you’re targeted by this sort of attack? If you’re not a sysadmin, stay out of your sysadmins way and make sure there’s coffee, food and a quiet place without interruptions available. If you are a sysadmin, talk to your upstream NOC. They’re in a much better place, in information, resources and knowledge, than you to help mitigate. Reach out to your peers who are also being attacked and offer to share information. Look at Cisco’s mitigation advice. The attack will probably target your publicly visible website. If so, consider moving that to another network (or behind a commercial DoS mitigation provider) so that your production servers and customer portal web presence isn’t impacted.
More information

Get an email address, by any means possible

Neil has a post up about the “opt-in” form that we were all confronted with when logging into the hotel wifi at M3AAWG last week. They aren’t the only hotel asking for email addresses, I’ve seen other folks comment about how they were required to provide an email address AND opt-in to receive email offers before they were allowed onto the hotel network. Mind you, they’re paying the outrageous fees for hotel internet and still being told they must provide an email address.
The addresses given by people who wouldn’t opt-in willingly aren’t going to be worth anything. These are not people who want your mail, they’re only giving you an address because they’re being forced to do so.
I know it is so tempting for marketers to use any methods to get an email address from customers. I recently was dealing with a very poorly delivering list that looked purchased. There were clear typos, invalid domains, non-existent domains, the whole nine yards. Over 20% of the mail was bouncing and what did get delivered wasn’t going to the inbox. I was working through the problem with the ESP before they went to talk to the customer. To my eye, the list looked purchased. Most times lists just don’t look that bad when they are actually opt-in lists. The ESP insisted that the addresses were being collected at their brick and mortar stores at point of sale. I asked if the company was incentivizing address collection, but the ESP didn’t know.
Eventually, we discovered that the retailer in question had set performance indicators such that associates were expected to collect email addresses from 90% of their customers. No wonder the lists looked purchased. I have no doubt that the pressure to give an email address caused some customers to just make up random addresses on the fly. I also wouldn’t be surprised if some associates, after failing to meet the 90% goal, would just enter random addresses in “on behalf of” the customer.
Email is a great way to stay in touch with customers. It is an extremely cost effective and profitable way to market. The caveat is that customers have to want that mail. Coercing a customer to give you an address doesn’t make your marketing better. It just makes your delivery harder. That lowers your overall revenue and decreases profits.
Quantity is not the be all and end all of marketing. This company? They have a great email marketing program, but their address collection is so bad hardly anyone gets to see the mail in the inbox, even the people who would be happy to receive the mail.
For email delivery quality trumps quantity every time.