Industry News & Analysis

Marketing automation plugins facilitate spam

There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full-fledged ESP, except an SMTP server and a compliance / deliverability team.

I’ll give the folks creating these programs credit. They identified that marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam-enabling programs.

From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affecting the rest of their mail.

The primary way the software prevents spam blocking is by using Google, Amazon or Office 365 as the outbound mail server. Let’s be frank, these systems carry enough real mail that they’re unlikely to be widely blocked. These providers are also not geared up to deal with compliance the same way ESPs or consumer providers are.

There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through Google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.

I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.

Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.

Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.

This morning a vendor in the space joined one of the email Slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through Google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.

I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, as even domain-based opt-outs are ineffective.

What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.

Gmail: You agree not to, and not to allow third parties or Your End Users, to use the Services: to generate or facilitate unsolicited bulk commercial email;

Office 365: When using Microsoft Online Services, you may not: […] Use the Services to transmit, distribute, or deliver any unsolicited bulk or unsolicited commercial e-mail (i.e., spam)

Amazon: You will not distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.

Ideally, the folks providing these services will have all the tools regular ESPs do. I’m sure many of them do have a subset of those tools. But whether or not these issues are big enough to notice or deal with – as opposed to the other outbound issues they have to deal with – remains to be seen.

Of course, if the issues are big enough, the ISPs will take action and quickly. For instance, last week a poster on mailop pointed out Microsoft was the #1 spam ISP on Spamhaus’ list. A MS rep on the list responded and said they were notifying the appropriate people. This morning when I looked in preparation for this post, Microsoft was #1. When I just went to go get a screenshot, Microsoft wasn’t on the list any longer.

I know many people in the anti-abuse space are working on messaging abuse of the future. Calendar invites are one of the emerging issues. I just hope they don’t forget to address this B2B spam that goes out of its way to hide from current anti-spam services and technology.


Social marketing

The following showed up in my mailbox a few moments ago

I commented to Steve that social marketing was about connecting with people, and businesses aren’t people. That’s why social marketing for B2B is hard: there are no people involved. Or, as he pointed out, B2B in the social space is bot to bot marketing.

Of course, there aren’t literal bots behind most brands. In the B2C space, brands have cultivated a social media presence that personifies the business in a way that appeals to their consumers. But that’s the brand projecting onto people and responding to people. When a business tries to connect to a business, it’s just two puppets talking.

Sure, there are small businesses where that isn’t the case. But generally businesses aren’t on social media to consume marketing. They’re on social media to generate marketing. They aren’t targets because you can’t market to a puppet.


Of course, consumers aren’t on social media to absorb marketing, either, but there’s a bigger pool there. Even more importantly, most people on social media are there to relax and be entertained. They’re not thinking necessarily about what they need, they’re just out to be, well, social. In this context, they’re open to marketing and the right brand personification.

Business folks are either on social media as brands, with goals and work to do, so they’re focused on those goals; or they’re on social media to interact with colleagues or keep up with industry news. In the latter situation they may be open to marketing. But the pool of potential customers is smaller. Brands don’t have to just find the right company, they also have to find the right person inside that company.


This isn’t to say businesses can’t successfully market to other businesses in the social space. They do. But they’re still marketing to people. Social media is about a social environment. Treating it solely as an advertising space misses the point of social media and risks alienating potential markets.


This does apply to email as well. Even when you’re marketing in the B2B space, you’re still contacting people. And the rules of permission still apply – no matter how hard B2B marketers try to tell us B2B is different. B2B isn’t different. If anything, permission is much more important. Consumer mail providers are constrained in their filtering because they have a diverse user base. Businesses are less constrained because the user base is more uniform and there is no expectation that the business is going to let employees do anything they want with email.

While there are hundreds, if not thousands, of companies selling business addresses, it’s not OK. You’re still entering someone’s space, you need to respect that. Many B2B marketers don’t. And those of us who are your targets owe you nothing when you annoy us.


Mike might be spamming, but why?

I’ve been talking a lot about ongoing B2B spam. That is, where senders drop your address into some sort of automation that sends mail from Gmail or Amazon and just spams and spams and spams. This is what my mailbox looked like this morning

Yes, every one of those emails is sent to the same address. “you are still using the address laura-info@…” Well, no, actually. That was the original address I used as part of our contact on the first iteration of the WttW website. I stopped using that address somewhere around 2002? 3? It’s been a very long time in any case.

Folks, B2B spam is still spam. It doesn’t matter if you register a new domain and use Gmail as your outbounds as a way to avoid filters.

It doesn’t matter…

… if it’s to a business address.

… if you think it’s relevant to the recipient.

… if you correctly de-dupe your list.

… if it doesn’t look like this in the recipient’s mailbox.

This is a blatant example that makes it clear Mike is a spammer. I was going to write about how I was sure that Mike would tell you he was a real business person, selling a real product. Then I tried to go to his website after pulling off everything after the domain name. It redirects to Facebook. … mmmkay. We’ve just passed legitimate business to out and out spammer.

Now I’m intrigued

I drop the domain name into Google to see what that can tell me about it. The 3rd hit is Scamdex showing an exact copy of the message I got. Hey, that’s a public link, so I clicked on it. That, too, redirected to Facebook.

Hrm… So what’s going on here? Why is Mike sending out so much crap without a real website on it? I suspect that someone bought a Really Old List. More than 15 years old. My guess is, they went to a company that offered data hygiene services. In this case, the data hygiene is spamming out dozens of emails to the addresses on the list. Any clicks, even on the unsubscribe or “report this” links, are added to a list of live users. The cleaned list then goes through a few more iterations of the spam / clean cycle. Then it goes through a few iterations of “real” mail where complainers and non-responders are removed. Then it’s dubbed “clean” and can be moved to any ESP out there.

They’ve taken off the dead addresses. They’ve taken off the people who will complain. What they’ve got left is a list that doesn’t look bad to metrics. I mean opens and clicks are going to be low, but, eh, no one has ever lost their ESP simply due to low open and click rates. (this is where one of you jumps in and tells me a horror story of being cut off… I’m pretty sure there were other factors involved, even if the final message to you was ‘low open and click rates’.)

What’s the point

Well, my initial point was going to be that mail like this was still spam, even if it advertised a legitimate company. But I was doing the lookups and research as I was writing the blog post so it kinda went off the rails when I discovered it wasn’t a real company. Then I started wondering about what they could be doing and why they were doing this.

What’s the point of the email? Best I can come up with is list hygiene. There may be something with the phone number, as well, but there’s no way I’m calling it to find out. If anyone does, feel free to comment.



Domain management

Yesterday one of the bigger ESPs had their domain registration lapse. This caused a whole host of problems for their customers. It was resolved when someone completely unrelated to the company paid the registration fee.

It happens. Most of us know about cases where email or domains were lost due to renewal failures. The canonical case is one person at the company handles renewals, and leaves or is off when renewal comes up. The payment is missed, the domain goes back to the registrar and everything falls apart.

This happens at big companies and it happens at small companies. This is the kind of public facing problem that should make all of us look at how our own domains are managed. A few questions to ask.

  1. What domains do we own and use? Is there a list somewhere?
  2. What department owns the domains / brand?
  3. Who maintains the registrations?
  4. When do your domains expire?
  5. Who is the backup maintainer?
  6. Who has passwords and access?
  7. Who can make changes?
  8. Are we using any domains that we don’t own?
    1. What are they?
    2. Why don’t we own them?
    3. Should we own them?
  9. Who gets emails and alerts from our registrar?
  10. Who should get emails and alerts from the registrar?

These are only some of the questions to ask. Of course, not every person inside the company needs to know all these details. But domains are critical and so some people should know. Personally? If I had “director” or higher in my title, I’d be asking these questions and more.

Domain information should be in the “hit by a bus” file. It’s too important an issue to drop if the person currently handling it is hit by a bus.
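The expiry and backup-maintainer questions above are the ones that can be checked by a script rather than by memory. The following is an added example, not code from the original post: it reads a constructed domain inventory (placeholder names) and RDAP-shaped registration data (real RDAP responses carry an `events` entry with `eventAction` of `expiration`; the samples here are embedded so it runs offline) and flags domains that are close to lapsing or have no backup maintainer recorded.

```python
"""Lapse check for a domain inventory, driven by RDAP-style expiration events.

Assumptions (labelled): the inventory below is a constructed placeholder,
and RDAP_SAMPLES stands in for responses you would fetch from the
registry's RDAP server for each domain.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed inventory: "what domains do we own, who maintains them, who
# is the backup" from the checklist. Names and domains are placeholders.
INVENTORY = [
    {"domain": "example.com", "department": "Marketing",
     "maintainer": "alice@example.com", "backup": "bob@example.com"},
    {"domain": "example.net", "department": "Engineering",
     "maintainer": "carol@example.com", "backup": None},
    {"domain": "example.org", "department": "Marketing",
     "maintainer": "alice@example.com", "backup": "dave@example.com"},
]

# Constructed RDAP-shaped domain objects (only the fields this check uses).
RDAP_SAMPLES = {
    "example.com": {"ldhName": "example.com", "events": [
        {"eventAction": "registration", "eventDate": "2010-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-08-13T04:00:00Z"},
    ]},
    "example.net": {"ldhName": "example.net", "events": [
        {"eventAction": "expiration", "eventDate": "2024-07-05T00:00:00Z"},
    ]},
    # No expiration event at all: "unknown expiry" is itself a finding.
    "example.org": {"ldhName": "example.org", "events": [
        {"eventAction": "registration", "eventDate": "2015-01-01T00:00:00Z"},
    ]},
}


@dataclass
class Finding:
    domain: str
    severity: str      # "critical" or "warning"
    reason: str
    notify: List[str]  # maintainer and backup, where recorded


def expiry_from_rdap(rdap: dict) -> Optional[datetime]:
    """Return the expiration timestamp from an RDAP domain object, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; fromisoformat wants +00:00 rather than Z.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def check_inventory(inventory: list, rdap_by_domain: Dict[str, dict],
                    now: datetime, warn_days: int = 60,
                    critical_days: int = 14) -> List[Finding]:
    """Flag lapsed, soon-to-lapse, unknown-expiry and backup-less domains."""
    findings: List[Finding] = []
    for entry in inventory:
        d = entry["domain"]
        notify = [p for p in (entry["maintainer"], entry["backup"]) if p]
        if entry["backup"] is None:
            findings.append(Finding(d, "warning", "no backup maintainer recorded", notify))
        rdap = rdap_by_domain.get(d)
        exp = expiry_from_rdap(rdap) if rdap else None
        if exp is None:
            findings.append(Finding(d, "warning",
                                    "expiry date unknown (no RDAP expiration event)", notify))
            continue
        # Truncate toward zero so "43.2 days" reports as 43 and "-18.8" as -18.
        days_left = int((exp - now).total_seconds() / 86400)
        if days_left < 0:
            findings.append(Finding(d, "critical", f"expired {-days_left} days ago", notify))
        elif days_left <= critical_days:
            findings.append(Finding(d, "critical", f"expires in {days_left} days", notify))
        elif days_left <= warn_days:
            findings.append(Finding(d, "warning", f"expires in {days_left} days", notify))
    return findings


def run_report(now_iso: str):
    """Run the check at a given instant; returns (domain, severity, reason) tuples."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    return [(f.domain, f.severity, f.reason)
            for f in check_inventory(INVENTORY, RDAP_SAMPLES, now)]


if __name__ == "__main__":
    for f in check_inventory(INVENTORY, RDAP_SAMPLES, datetime.now(timezone.utc)):
        print(f"[{f.severity}] {f.domain}: {f.reason} -> notify {', '.join(f.notify)}")
```

Feeding it the registrar's alert recipients (checklist items 9 and 10) as the `notify` list turns the "hit by a bus" file into something that pages more than one person.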


Healthcare, eh?

I’m deeply disappointed in the vote out of the Senate today.

We’re a small business. We have paid for our own health insurance since 2002. We’re very lucky – neither of us has any major issues. Before ACA went into effect I worried about what would happen if one of us were to become sick. Would we fall afoul of our lifetime limits? Due to a rare cancer, my mother hit those back before I graduated college. Would our coverage be pulled because I didn’t mention the broken wrist from when I was 3? There were so many questions, and so many unknowns.

I watched the cost of our insurance go up and up. We bought a house in the Bay Area, and our health insurance was nearly 2/3 of our mortgage payment. Every year the price went up a little more, and the benefits went down.

Then ACA happened. I could stop worrying about lifetime limits and rescission. Our premiums dropped by hundreds of dollars a month. The costs of our monthly prescriptions plummeted to near zero.

Then Trumpcare and massive amounts of turmoil in the markets. Our group provider cancelled our policy and I’ve spent the last two months or so working with insurance agents to get ourselves covered. Our provider gave us 60 days notice. It wasn’t enough to ensure continual coverage. We were finally approved last week, with better coverage and lower premiums than we were paying pre-ACA.

I worry, though, about what happens to us if Trumpcare passes. Will premiums go back to where they were pre-ACA? Will the small business market just evaporate? I don’t need a tax cut nearly as much as I need to know that the healthcare markets will be stable.

I want to focus on the things I’m good at. I know there’s a certain amount of administrative overhead related to being a small business owner and that these things are unavoidable. But still, there doesn’t seem to be any real benefit to blowing up health care in this underhanded fashion.

We are some of the folks who will get a tax break – not a huge one but we will be a beneficiary. I don’t think it will be enough to counter the jump in premiums – even if the premiums just go back to where they were pre-ACA.

I know policy is hard; I do it for a living. I know it’s not fun to watch the sausage being made – I grew up in DC. ACA has issues. But from my point of view the current healthcare debate is doing nothing to actually fix the issues. Instead, they’re making everything worse. Long term? We have options and money; we’ll probably be fine. But there are a lot of people who don’t have the options we do, and they’re going to be hurt.

This is bad policy, bad lawmaking and bad for small businesses like mine.


Implied permission

Codified into law in CASL, implied permission describes the situation where a company can legally mail someone. The law includes caveats and restrictions about when this is a legitimate assumption on the part of the company. It is, in fact, a kludge. There isn’t such a thing as implied permission. Someone either gives you permission to send them email or they don’t.

We use the term implied permission to describe a situation where the recipient didn’t actually ask for the mail, but isn’t that bothered about receiving it. The mail is there. If it has a particularly good deal the recipient might buy something. The flip side of not being bothered about receiving mail is not being bothered about not receiving mail. If it’s not there, eh, no biggie.

Implied permission isn’t real permission, no matter what the law says.

Now, many deliverability folks, including myself, understand that there are recipients who don’t mind getting mail from vendors. We know this is a valid and effective way of marketing. Implied permission is a thing and doesn’t always hurt delivery.

However, that does not mean that implied permission is identical to explicit permission. It’s one of the things I think CASL gets very right. Implied permission has a shelf life and expires. Explicit permission doesn’t have a shelf life.

Implied permission is real, but not a guarantee that the recipient really wants a particular email from a sender, even if they want other emails from that sender.

Permission isn’t binary.

In the marketing space we talk about permission as if it’s a binary status. Either we have permission to send email or we don’t. But that doesn’t reflect the complexity of marketing programs. Maybe a recipient wants a password reset email and the occasional social alert, but doesn’t want the weekly newsletter. One recipient might be OK with 3 emails a day, while another would like one a week.

It’s a rare case where this granular permission is collected upfront. And there’s good reason for that: too much choice overwhelms and it’s better to limit options.

Opens aren’t permission.

We’ve fallen down a hole where opens have turned into a proxy for permission. I think that’s why so many people freak out when they discover that sometimes spamtraps will load image pixels or follow links in emails. But following a link or loading an image isn’t permission. It might be interest. It’s even interest from the person running the spamtrap, but not necessarily the good kind of interest. Or it could simply be that the user needs their password so they opened the password mail.

An open / image load is not permission. At best it means that the recipient can load images in emails they open. Maybe they actually even enjoy it and will enjoy future emails. But it’s not permission. Now, from enough engagement data we can assume that the recipient wants to receive email. But that’s still implied permission at best.

Now what?

What is: we keep doing what we’re doing, making the best decisions about marketing programs with the information we have. It’s all we really can do in the now. But, as we look to how we want our marketing to grow and improve, we must look at the whole picture. Marketers have the data to make good decisions, but only if they ask the right questions.





I’m not a customer any more

We recently moved co-working spaces, after 8 or 9 years in the same place. I’ll be up front here, we left Space A because I was annoyed with them. I’ve been increasingly unhappy with them for a while, but moving is a pain so I just put up with them. But their most recent rent increase along with the lost packages, increasing deposit requirements and revolving door of incompetent staff finally drove us to find a new co-working space.

On the 15th of the last month of our contract, I started receiving marketing emails from Space A. I just deleted a couple of them but finally decided I didn’t want to ever see their name again. I tried to unsubscribe.

Gotta give them credit. Checkboxes for everything, except some of them are to opt in and some of them are to opt out. This is the kind of interface marketers use to confuse folks and limit the actual number of opt-outs. I’ll admit, the first time I tried to opt out, I probably did it wrong. But I know CAN-SPAM says they have 10 days, and I know many marketers take advantage of that, so I wait a while and keep deleting the messages that show up in my mailbox.

That was late June. By early July I realize it’s been more than 10 days and I’m still getting mail from them. So I click another opt-out link. This time I notice I need to uncheck most boxes, but check the bottom one. OK, fine, you got me, I didn’t read and didn’t correctly opt-out the first time. This time I will.

I continue to receive email. I continue to delete the email. We run our own mail system so I don’t have the benefit of a this-is-spam button, but you can bet if I did I would have used it, on every message I received after my first attempt to opt-out.

This week, after getting yet more mail, I start digging. What ESP are they using that’s bungling the opt-out process? Ah. I know that ESP. So I send in a complaint to abuse@ESP asking them to please make their customer stop mailing me. I also go, once again, to the preference page and submit an opt-out request. Because, hey, maybe third time is a charm?

12 hours later I get yet another mail from them. Really? REALLY? OK. Now I’m moving from annoyed to irate. First step: figure out if I know anyone working at said ESP. Ah, right, them. I have a lot of respect for this colleague, so I send a heads up pointing out that their customer isn’t honoring unsubscribes and can they take a look at what might have broken in their unsubscribe process.

This morning they tell me they looked into my subscription and have not registered any opt-out request until the one this week. The other two? Not recorded in their system. “Does this match your recollection of what happened?” No. No it doesn’t. I know I clicked on unsub links at least 3 times and only one of those clicks is recorded.

At this point, I’m pretty sure I’ll be suppressed by the ESP so I won’t have to get mail from Space A any longer. That fixes the annoyance on my end. But I can’t help thinking about how horrible this interaction was, both from a deliverability perspective and from a customer perspective.

As a deliverability consultant

I understand why they added me to their mailing list immediately before our contract ended. As a customer, I was regularly interacting with them. Now that we were on our way out the door, they were losing that touchpoint. Good marketing says you use all the touchpoints, so adding me to their list makes sense.

I understand that opt-outs break down and sometimes don’t work correctly. They shouldn’t, but they do.

Overall, they didn’t really do anything wrong from a deliverability or marketing perspective. Maybe 3rd time really was the charm and I should have just waited another two weeks before raising a stink about getting mail from them.

As a former customer

I am a former customer because of how they treated me. I wasn’t happy with them and had many a troubling set of interactions with their corporate office over the years. For a long time, they had competent onsite staff that were friendly and helpful, so that made it tolerable. More recently, those staff were gone. They were replaced with an ever changing group of people who weren’t very helpful and weren’t around for more than a few weeks at a time. Additionally, corporate kept raising our rents and charging us “deposits” to cover … something. I’m still not sure why we needed to give them a few hundred dollars in deposits, when we were long term customers and they had permission to charge our credit card every month. Clearly they care nothing for me as a customer, as they just waved us out the door. 

Adding me to their mailing list after I left is just insulting. It didn’t make me want to come back or continue using their services. All it did was convince me that I’m just a piece of data and they don’t care about anything other than how much money they can extract from me.

Most small business owners use some sort of service for email. A lot of companies will just use Google Apps or Office 365. Both of these companies provide users with access to a “this is spam” button. Even though the button doesn’t generate an FBL email, it does register in the reputation engines of both providers. I am sure that the average business owner would have availed themselves of the “this is spam” button. I would have in their shoes. This has the effect of preventing the user from seeing future mail from the sender, and it also harms the sender’s overall reputation.

Does it matter?

I will certainly never recommend Space A to anyone looking for space. The way they treated us at the end of our relationship guarantees that. Is this going to matter? Not really. Sure, multiple folks come to me looking for advice on starting small businesses, but me not recommending an international corporation with a multi-billion dollar market cap isn’t going to matter to them. Even if every former customer in my position were to do the same, they likely wouldn’t notice.

But for companies that aren’t such market behemoths even a few poor word of mouth recommendations may hurt them. A few people hitting “this is spam” because they tried to opt-out and it didn’t work could hurt delivery.

Context does matter. Details do matter. How you interact with customers affects brand reputation and deliverability. I’m sure that Space A has a carefully planned marketing campaign and it works more than it doesn’t. I’m also sure I’m going to be telling folks that their service is not great and their marketing verges on spamming. They won’t care. But at least I’ll protect other small businesses from them.


Online communities and abuse

A few weekends ago we met a friend for coffee in Palo Alto. As the discussion wandered we ended up talking about some of the projects we’re involved in. Friend mentioned she was working with a group building a platform for community building. We started talking about how hard it is these days to run online groups and communities. One of the things I started discussing was what needed to be built into communities like this to prevent abuse and damage.

It’s a sad fact of online life that trolls exist and have been a part of online life since before Usenet. My perception is this is getting worse. It’s not that there wasn’t harassment in the past. There was. 20 years ago, I managed to annoy some random woman on a newsgroup back in ’96 or ’97. This resulted in months of harassing phone calls to me at home and work, my boss at home and work, and the head of the rescue group I volunteered with. The police were involved, but there wasn’t much they could do. There’s still not much the police do about online threats.

Now it seems worse. People are getting physically threatened. Women and activists are driven from their homes because someone online decided to attack / doxx / frighten them. We have online platforms that allow hate speech and threats and don’t provide sufficient tools for users to protect themselves. For all the good that comes from the Internet, there’s an awful lot of bad.

A big part of the issue is anonymity. Real anonymity online is hard, as evidenced by how quickly CNN tracked down the real life identity of a Reddit user. They did that in less than 24 hours, without the benefit of any private information. But partial anonymity is pretty easy. It’s trivial for anyone to register any number of twitter accounts, or reddit accounts. I recently heard the term “weaponized anonymity” and it accurately describes the situation. (I don’t agree with all of the opinions in that article, but I think the definition is useful.)

Before my harasser, I was pretty open online with where I worked and volunteered. I think I even had my physical location (at least city and state) on my webpage. Afterwards, I stripped as much info as I could from the space I had control over. I thought about creating a new online identity, but decided that it was both a lot of work and wouldn’t be that effective. It’s near impossible to hide online now.

These are issues we have to address. Unfortunately, too many community platforms (twitter, I’m looking at you) don’t have controls in place to allow users to block harassment. At the volume of users some online communities have there is simply no way to put a human in the loop to deal with every complaint. There’s also a ‘x said, y said’ problem, where abusers claim they’re the victim when called on their behavior. The Mary Sue has an article on a recent example. In some cases, harassment goes back for years and the story is too complicated for an abuse desk worker to absorb in the short time they have to deal with an issue.

I certainly don’t have the answers. But I know that when we’re building online software we have to start prioritizing user safety and privacy. Too many online spaces don’t have walls or fences or locks. That’s a good thing because it lets people find communities. But it is a bad thing because there are folks out there who disrupt communities as a hobby. Anyone building community software needs to think how they and their software will handle it if one of their users is targeted.

These are discussions that need to happen. Those of us with experience in the online abuse space need to be involved and contribute where we can.


5 answers you need before mailing old addresses.

From the archives: Mailing old addresses: 5 questions to ask first

James asked the question on twitter:

If you haven’t mailed an address in 5-10 yrs, would you include it in a re-engagement mail?

A number of people responded that addresses that old should not be mailed. I think the answer is more complex than can be handled in 140 characters.

Five to ten years is a very long time. Think about what you were doing 10 years ago. It’s easy right now, 10 years ago as a nation we were still reeling from the September 11 attacks. On a more personal note, Steve and I were just making the decision to start Word to the Wise. But what about 5 years ago? I can’t remember what we were doing or what our business goals and limitations were.

If you’re going to mail addresses that were collected 5 or 10 years ago, you must give some thought to a number of questions.

1. How has my target market changed in the last 5 – 10 years? How likely is it that customers from then would be interested in my products now?

People grow and change. As we move through different life stages, we have different needs and shop for different products. When thinking about whether or not to send mail to those old addresses, think about customer demographics. Is someone who wanted your product in the past also going to want your product now? What life stages are you targeting?

If you can honestly say that your product has a 10+ year target market, then mailing old customers may be acceptable. But if you focus on a narrow demographic it’s possible that your former customers are no longer interested in anything you have to offer, no matter how compelling the copy.

2. What do I have to offer a customer from 5 – 10 years ago? Is my current product line likely to interest them?

Just as people grow and change, businesses grow and change as well. When we first started Word to the Wise a lot of my consulting was directed at senders who were having blocklist problems and often didn’t have permission to send the mail they were sending. We didn’t have to talk about bulk folders, as most major ISPs hadn’t adopted the bulk folder yet. We didn’t have to talk about feedback loops or “this is spam” buttons because such things didn’t exist yet. They primarily wanted to know how I could help them get and stay off the RBL or SBL. In contrast, most of my current customers are opt-in senders who want information about how to engage users and get better responses to their email.

Sure, old customers may be interested in new products and re-establishing contact with an old vendor. Others may have no interest at all. Some small percentage having an interest in your product isn’t sufficient. You need to be sure that a large percentage of recipients are going to want your new product.

3. How long does my product last? Are older customers still interacting with my product? Or have they forgotten I even existed?

There are pieces of software I’m using from 5 or 10 years ago. I’d be fine with a re-engagement email letting me know about other offers they have. But there are also bits of software I downloaded, tried and promptly forgot. I’d be annoyed if the vendor tried to email me. That really nifty pepper mill we bought 6 years ago? Love to hear from them about new stuff. That random kitchen gadget gathering dust in the back of a drawer? Not so much.

So much of making decisions about email is gauging how receptive recipients are to your message. When trying to decide to email very old customers, it’s important to understand your previous customer base.

4. What value am I bringing to the recipient? Do I have something new to offer? Can I push a new product or new launch?

The core of email deliverability is sending mail that your recipients want to receive. If you’re contacting recipients that haven’t heard from you in years, you need to put extra effort into making the email relevant for their lives. One of the ways you can do that is to share your excitement with a new product line, or a re-brand of your company.

Another way to make the email relevant is to make the email informative. Talk to the recipient about how you’ve changed in the intervening years and how your products can help the recipient. Your old customers are more likely to accept your intrusion if you have useful information for them.

5. Where did I get these email addresses? Do I have a good audit trail for them?

This is where we get to those pesky details. Do you actually know where the addresses came from? Do you have even a partial audit trail? Can you tell what product was bought by the address? Do you know when the address was entered into your database? Do you even know if these are addresses of customers or not?

In my experience, most companies don’t have good audit trails for older addresses. They don’t know where the addresses came from. They don’t know if they’re actual customers. These are the things that cause re-engagement to fail totally.

You should NEVER mail old addresses unless you can identify where the address came from and the specific purchase that address is associated with. If you don’t have that data, then your delivery is going to be awful. You can only aspire to get into the bulk folder. More likely, you’re going to end up with mail blocked at many ISPs.

For the sake of argument, let’s say you do have that data. Someone at your company set up a database that captured everything you may need to mail old customers.

It’s not enough to have the audit data, you should take a deep dive into the data itself. How many of the addresses are at any of the dozens of domains that have retired in the last 10 years? Those domains no longer exist at all. How many are at domains that were popular long ago but are no longer in wide use? It’s unlikely your customer still has that address.

Still thinking about mailing that list, because it’s mostly addresses at the big consumer mailbox providers? That may still risk your delivery. Old addresses at major domains are sometimes turned into spamtraps, and mailing these addresses may result in blocking. Even running the addresses through one of the ‘list cleaning’ vendors may not protect you from delivery problems related to old addresses.

Statistics show that 30% of email addresses are abandoned by their owners in a year. Compound that and even 5 years back only about 17% of those addresses (0.7 to the fifth power) are still in use by your customers. The others are abandoned, turned into spamtraps or just won’t deliver. If more than 80% of your list goes into a black hole, how much does each sale have to be to make it profitable to contact those old customers?

Each question should take an average business quite a bit of time to answer. The first 3 questions are about the intersection between you and your customer. They’re about you, the business, honestly evaluating your product (then and now), your target market (then and now) and the chance that you will meet their needs now as you met them then. The fourth question is about what you want to tell your old customers. But none of those questions are even worth asking unless you know you have a database worth sending to. And even if you do, will the ROI on a mailing be enough to justify the expense to put together an effective re-engagement campaign?
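As an added example, not from the original post, here is the kind of first pass a sender could run over an old list along the lines of question 5 and the decay figure above. Everything in it is constructed: the sample records, the placeholder “retired” domains (the post refers to real ones; these are made-up stand-ins), the cost and conversion numbers, and the assumption that the 30%-per-year abandonment rate compounds geometrically with the age of the address.

```python
# Added example (not from the original post): a first pass over an old
# address list. Records, the placeholder retired domains, and the cost
# and conversion figures are all constructed for illustration.
from dataclasses import dataclass
from datetime import date

ANNUAL_ABANDONMENT = 0.30   # the post's figure, applied per year of age

# Hypothetical stand-ins for mailbox providers that no longer exist.
RETIRED_DOMAINS = {"oldisp.example", "deadmail.example"}


@dataclass
class Record:
    address: str
    acquired: date   # when the address entered the database
    source: str      # where it came from ("order", "import", ...), "" if unknown
    product: str     # the purchase it is tied to, "" if unknown


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def survival(years: float) -> float:
    """Fraction of addresses expected to still be in use after `years`."""
    return (1.0 - ANNUAL_ABANDONMENT) ** years


def audit(records, today, retired=RETIRED_DOMAINS):
    """Separate what can be mailed from what cannot and estimate live yield.

    Records with no source or no associated purchase fail the audit-trail
    test and are never mailed; addresses at retired domains are dead; the
    rest are mailable, each weighted by its age-based survival odds.
    """
    counts = {"total": len(records), "no_audit_trail": 0,
              "retired_domain": 0, "mailable": 0}
    expected_live = 0.0
    for r in records:
        if not r.source or not r.product:
            counts["no_audit_trail"] += 1
        elif domain_of(r.address) in retired:
            counts["retired_domain"] += 1
        else:
            counts["mailable"] += 1
            age_years = (today - r.acquired).days / 365.25
            expected_live += survival(age_years)
    counts["expected_live"] = round(expected_live, 2)
    return counts


def breakeven_sale(result, cost_per_message, conversion_rate):
    """Sale value per converting recipient needed just to cover the send,
    assuming only the expected-live addresses can convert."""
    if result["expected_live"] == 0:
        return float("inf")
    spend = cost_per_message * result["mailable"]
    return spend / (result["expected_live"] * conversion_rate)


# Constructed sample list and a fixed "today" so the numbers are stable.
SAMPLE = [
    Record("a@oldisp.example", date(2009, 3, 1), "order", "pepper mill"),
    Record("b@example.com", date(2012, 6, 1), "order", "kitchen gadget"),
    Record("c@example.net", date(2016, 1, 1), "", ""),
    Record("d@example.com", date(2016, 1, 1), "order", "grinder"),
]
TODAY = date(2017, 3, 1)


def run_demo():
    result = audit(SAMPLE, TODAY)
    # assumed: one cent per message, 2% of live recipients convert
    result["breakeven_sale"] = round(breakeven_sale(result, 0.01, 0.02), 2)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Of the four constructed records, one has no audit trail and one sits at a retired domain, so only two can be mailed, and their combined age leaves well under one expected live recipient. The break-even figure is what makes the post’s last question concrete.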



People are the weakest link

All of the technical security in the world won’t fix the biggest security problem: people. Let’s face it, we are the weakest link. Adding more security doesn’t work on its own; it only causes people to figure out ways to get around the security.

“The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security.” (Don Norman)

This isn’t news to anyone in the security space. Even those of us who are reasonably aware of security issues can still have problems. A few weeks ago I clicked on a phishing link. It was a delivery notification. I’d just ordered something online. It looked plausible. I clicked the link. Lucky for me there wasn’t drive-by malware on the site.

A few years ago, there were a number of email people arguing that two factor authentication (2FA) would fix the security problems. Steve wrote a couple of blog posts here explaining why that was unlikely. (Defending against the hackers of 1995, What is Two Factor Authentication, Two Factor Authentication)

What is two factor authentication?

The older blog posts talk about 2FA, but a quick review for folks. 2FA requires two separate factors to identify a user. Many people describe this as “something you know and something you have.” A user might know their password and have access to a phone that will receive an SMS one time code. Many online services currently offer two factor authentication. Google even provides an authenticator app people can run on their cell phone, and because it implements an open standard (time-based one time passwords, RFC 6238) any company that wants to offer 2FA using that app can. I set up 2FA for a service over the weekend – it was as simple as taking a picture of a QR code and typing the resulting number into the website.
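How that QR-code enrollment actually works, as an added example that is not part of the original post and not Google’s code: the QR code carries an otpauth:// URI with a shared secret, and both the phone and the server derive a short code from that secret and the current 30-second time step (HOTP from RFC 4226, applied to time as in RFC 6238). The secret used here is the RFCs’ published test-vector secret, never a real one; the issuer and account names are made up; the verification routine’s skew window and replay check are my own design choices, not anything the post describes.

```python
# Added example (not from the original post): the arithmetic behind
# authenticator-app 2FA, written from RFC 4226 (HOTP) and RFC 6238 (TOTP).
# SECRET is the RFCs' test-vector secret, not a real one; issuer/account
# names below are invented.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter = number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def enrollment_uri(secret: bytes, issuer: str, account: str) -> str:
    """The text a typical enrollment QR code encodes (secret as unpadded base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def verify(secret: bytes, submitted: str, at: int, last_used: int = None,
           window: int = 1, step: int = 30):
    """Server-side check (design choices assumed here, not from the post).

    Accepts the current step or one step either side to tolerate clock
    skew, compares in constant time, and refuses any counter at or below
    the last one already accepted so a code captured in transit cannot be
    replayed. Returns the accepted counter, or None.
    """
    base = at // step
    for counter in range(base - window, base + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    print(enrollment_uri(SECRET, "ExampleCorp", "user@example.com"))
    now = int(time.time())
    code = totp(SECRET, now)
    print(code, verify(SECRET, code, now))
```

Two things worth noticing: the only secret in the whole scheme is the one in the QR code, which is exactly why a vendor losing its seed data (next section) is so damaging, and nothing here stops a user from typing the code into a phishing page, which is the point the rest of the post makes.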

What’s the problem?

The problem is that it is possible to subvert 2FA. Back in 2011 attackers broke into one of the major 2FA token vendors and stole the seed material from which its tokens’ codes are derived. A little while later, some government contractors reported break-in attempts that potentially used this information.

Now we’re using multiple forms of 2FA, so it’s more secure, right? No.

TechBeacon has a recent article looking at some of the ways that 2FA has been compromised. Most of these involve a human making a decision and taking an action to subvert security through different channels.

For me, one of the most interesting links is a blog post from Justin Williams earlier this month. His cellphone number was transferred, against corporate policy, to another phone. The attacker then received the SMS one time codes meant for him and used them to move money out of his PayPal account. This situation is why I cringe when I hear about a service rep bypassing policy to help out a user. Every time this turns out OK it’s great. But it’s also training customer support that it’s OK to make exceptions. No, it’s not. Even when it’s the saddest sob story you’ve ever heard.

Companies train users to be victims

Also this month a health insurance company sent a USB stick to users. The accompanying letter instructed users to plug the web key into their computer. No. Just No. This is training users to be victims when some attacker decides to do the same thing.

Marketers are another big part of the problem with training users to be victims. I wrote about this almost exactly a year ago in Working around email security. Steve walked through how many banks and retailers use cousin domains earlier this year. I saw another example just recently, prompting me to create a meme to share on Facebook.

Security and usability

For many years, there was a belief that security and usability were contradictory. Increasing security leads to less usability. There is certainly some of that in play still. But I think many of us in the email marketing space need to start thinking a little more about security. We are responsible for presenting our brand in the inbox world. Do we want to train our users that every email comes from a different domain? All the authentication and DMARC policies in the world won’t protect us from cousin domains. Marketers that use cousin domains are setting their brands and consumers up for failure.

A brand that is consistent in its sending and authentication not only develops a good delivery reputation, it also helps inoculate users against attacks by third parties. Marketing departments can take the lead in creating a more secure environment online. Building security into messaging streams is more than just technical authentication, it’s about the whole message and domains and consistency. Every marketer needs to think about how they’re presenting their brand. How many different domains are you using in your marketing campaigns? How easy would it be for a bad guy to register a similar one?

Don’t set your users up for failure.
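To put the last two questions in working form, here is an added example (mine, not from the original post or from any vendor) that takes a brand’s domain and the list of domains it actually sends from, generates the kind of cousin-domain variants an attacker could register, and reports which of the sender’s own domains are indistinguishable from those variants. The brand, the sending inventory, the affix and TLD lists and the homoglyph table are all made up for illustration, and the registrable-domain logic is deliberately naive (it takes the last two labels, so two-label suffixes like co.uk are not handled) to keep the example dependency-free.

```python
# Added example (not from the original post): which of a brand's own
# sending domains look like attacker-registrable cousin domains?
# Brand, inventory, word lists and homoglyph table are constructed.
AFFIXES = ["secure", "mail", "email", "alerts", "news", "support", "login"]
TLDS = ["com", "net", "org", "info", "co", "email"]
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def registrable(domain: str) -> str:
    """Naive eTLD+1: the last two labels (assumes a single-label TLD)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def cousin_candidates(brand_domain: str) -> set:
    """Variants a third party could register that still look like the brand:
    affix words with or without a hyphen, TLD swaps, and single-character
    homoglyph substitutions."""
    name, tld = registrable(brand_domain).split(".", 1)
    out = set()
    for word in AFFIXES:
        for sep in ("", "-"):
            out.add(f"{word}{sep}{name}.{tld}")
            out.add(f"{name}{sep}{word}.{tld}")
    for t in TLDS:
        if t != tld:
            out.add(f"{name}.{t}")
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            out.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
    return out


def classify(sending_domains, brand_domain):
    """Label each sending domain:
    'brand'     - the brand's registrable domain or a subdomain of it;
    'cousin'    - a different registrable domain that the generator above
                  also produces, i.e. one a recipient cannot tell from an
                  attacker's registration;
    'unrelated' - anything else (an ESP's tracking domain, for instance)."""
    brand = registrable(brand_domain)
    cousins = cousin_candidates(brand_domain)
    result = {}
    for d in sending_domains:
        reg = registrable(d)
        if reg == brand:
            result[d] = "brand"
        elif reg in cousins:
            result[d] = "cousin"
        else:
            result[d] = "unrelated"
    return result


def cousin_share(sending_domains, brand_domain) -> float:
    """Fraction of the sending inventory that is cousin domains."""
    labels = classify(sending_domains, brand_domain)
    return sum(1 for v in labels.values() if v == "cousin") / len(labels)


# Constructed inventory for a made-up brand.
BRAND = "example.com"
INVENTORY = [
    "mail.example.com",      # subdomain of the brand: fine
    "example-alerts.com",    # cousin: an attacker could register this style too
    "example.co",            # cousin: TLD swap
    "esp-sender.net",        # an ESP's own domain: unrelated to the brand
]

if __name__ == "__main__":
    for domain, label in classify(INVENTORY, BRAND).items():
        print(f"{domain:22} {label}")
    print(f"cousin share: {cousin_share(INVENTORY, BRAND):.0%}")
```

The useful output is not the generated list itself but the “cousin” rows: every one of those is a domain the brand has trained its recipients to trust, and the same generator shows how cheaply an attacker can produce a neighbour of it. Consolidating onto the brand domain and its subdomains is what makes DMARC alignment meaningful to a recipient.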

  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.

  • Friday blogging... or lack of it

    It seems the last few Fridays I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments