Recent Posts

Back to the office!

I’m back in the office after a busy June. The 2 continent, 3 city tour was unexpectedly extended to a 4th city thus I was out most of last week as well.
What was I doing? We spent a week in Dublin, which is an awesome and amazing city and I love it a little bit more every time we visit. After Dublin I jetted off to Chicago, where I spoke at ActiveCampaign’s first user conference.
The talk I did for ActiveCampaign was about how we’re in the middle of a fundamental shift in how email is filtered, particularly at the consumer ISPs. In order reach the inbox. we need to think beyond IP or domain reputation. We need to stop thinking of filters as a way of sorting good mail from bad mail. I touched a little on these concepts in my What kind of mail do filters target? blog post.
The shift in filtering is changing how email reaches the inbox and what we can and should be monitoring. At the same time, the amount of data we can get back from the ISPs is decreasing. This means we’re looking at a situation when our primary delivery fixes can’t be based on feedback from the filters. This is, I think, going to be an ongoing theme of blog posts over the next few months.

The next trip was to spend 2 days onsite at a client’s office. These types of onsite training are intense but I do enjoy them. As this was mostly client specific, there isn’t much I can share. They did describe it as a masterclass in deliverability, so I think it was also intense for them.
That was the planned 2 continent, 3 city tour. The last city was a late addition of a more personal nature. We headed downstate to join my cousin and her family in saying goodbye to my uncle. He was an amazing man. A larger than life, literal hero (underwater EOD, awarded the silver star) whom I wish I had known better. Most of what I remember is how much he loved and adored my aunt.
I’ll be getting back into the swing of blogging over the next few days. It’s good to be back and not looking at traveling in the short term.

What's up with microsoft?

A c/p from an email I sent to a mailing list.
I think we’re seeing a new normal, or are still on the pathway to a new normal. Here’s my theory.
1) Hotmail made a lot of underlying code changes, learning from 2 decades of spam filtering. They had a chance to write a new codebase and they took it.
2) The changes had some interesting effects that they couldn’t test for and didn’t expect. They spent a month or two shaking out the effects and learning how to really use the new code.
3) They spent a month or two monitoring. Just watching. How are their users reacting? How are senders reacting? How are the systems handling everything?
3a) They also snagged test data along the way and started learning how their new code base worked and what it can do.
4) As they learned more about the code base they realized they can do different and much more sophisticated filtering.
5) The differences mean that some mail that was previously OK and making it to the inbox isn’t any longer.
5a) From Microsoft’s perspective, this is a feature not a bug. Some mail that was making it to the inbox previously isn’t mail MS thinks users want in their inbox. So they’re filtering it to bulk. I’ll also step out on a limb and say that most of the recipients aren’t noticing or caring about the missing mail, so MS sees no reason to make changes to the filters.
6) Expect at least another few rounds of tweak and monitor before things settle into something that changes more gradually.
Overall, I think delivery at Microsoft really is more difficult and given some of the statements coming out of MS (and some of the pointed silence) I don’t think they’re unhappy with this.

June is travel month!

A quick post to say that posting will be light the next few weeks. I’m off later this week to visit Dublin. After I get back from that I’m headed to Chicago to speak at ACTIVATE hosted by Active Campaign. If you register by tomorrow you can use the code ACTIVATE and get in for $200. It’s looking like a good conference.
I’ll be speaking about deliverability, specifically how email filtering is all sorts of changing. My focus is on how the common “deliverability” techniques aren’t as effective in the new filtering environment. I’ll also be talking about further changes I see coming and how to address them.
After Chicago I’m onsite at a client’s for 2 days in Florida.
Basically, my June is booked. Both Steve and I will be blogging as we get inspired or have something to say. Overall, though, I’m giving myself time off from blogging through the end of the month.

List the world!

We often say that a blacklist has “listed the world” when it shuts down ungracefully. What exactly does that mean, and why does it happen?
Blacklists are queried by sending a DNS lookup for an A record, just the same as you’d find the address of a domain for opening a webpage there. The IP address or domain name that’s being queried is encoded in the hostname that’s looked up.
For example, if you wanted to see whether the IP address 82.165.36.226 was listed on the SpamHaus SBL you’d ask DNS for an A record for the hostname 226.36.165.82.sbl.spamhaus.org. If that returns an answer, the IP address is listed. If it doesn’t, it isn’t.
If a blacklist returns an answer for any IP address (or domain) you ask it about it’s “listing the world” or “listing the internet”, saying that everyone you ask about is listed.
Sometimes this is done intentionally as an attempt to get people to stop using a blacklist. If it blocks all your mail, you’ll stop using it. Unfortunately, that never works. Most blacklists aren’t used to block mail, they’re used as part of a scoring based spam filter. And a blacklist that’s poorly run or unmaintained enough that it shuts down ungracefully probably wasn’t trusted much, so added a very small spamminess value to a spam filters score … so nobody notices when they start listing every address.
More often it’s done when a blacklist is abandoned, leaving it’s base domain name to expire.
When a domain expires it reverts to the control of the registrar and eventually is resold, typically to a domain squatter. (A domain squatter is someone who buys up domains when they become available and hopes to sell them on at vastly inflated prices).
Both the registrar and the squatter really want to resell the domain, for a lot of money. But while they control the domain they might as well make tiny amounts of money from it. The way they do that is to run advertising on the site, typically with low end banner or text ads (cheap to serve, low standards as to where they can be run) along with a link to “Buy This Domain For A Lot Of Money!”.
Every bit of traffic that went to websites in the expired domain is valuable to them – every misdirected open from someone looking for the expired content is now an advertising view. They don’t know what hostnames in the domain were actually in use. www.example.com and example.com are a safe bet, but there may also have been forums.example.com, webmail.example.com, chat.example.com and so on …
They don’t know, or care, what hostnames were in use. They just want as many page views as possible to inflate the tiny amount of money they’re getting from their text ads.
So they set up wildcard DNS for the domain, pointing it at a webserver that’s configured to show a domain-specific advertising page for any hostname pointed at it.
*.example.com -> 192.0.2.25
That means that forums.example.com will resolve to 192.0.2.25, as will www.example.com.
And so will 226.36.165.82.nfn.example.com – so anyone using nfn.example.com as a blacklist will get a valid A record response for any IP address the look up. It “listed the world”.

Whitelisting is dead

A decade or so ago I was offering whitelisting services to clients. It was pretty simple. I’d collect a bunch of information and do an audit on the customer’s sending. They’d get a report back identifying any issues that would limit their chances at acceptance. Then I’d go and fill in the forms on behalf of the client. Simple enough work, and it made clients feel better knowing their mail was whitelisted at the various ISPs.
When email filters were less complex and more binary, whitelists were a great way for receivers to identify which senders were willing to stand up and be held accountable for their mail. Over time, whitelists became much less useful. Filtering technology progressed. Manual whitelisting wasn’t necessary for ISPs to sort out good mail from bad.
The era of whitelisting is over.
In fact, three of the major whitelist providing ISPs were AOL, Yahoo, and Verizon; all three are now a part of OATH. The Verizon whitelist page now redirects to postmaster.aol.com. New requests to signup for the AOL whitelist are rejected with the message that AOL whitelisting is no longer available or necessary. Yahoo has a “new IP review” form rather than a whitelisting form.
Whitelisting is dead.
Even the various certification and whitelisting services have mostly gone away. Both Habeas and Goodmail failed to achieve a profitable exit event. Of course, Return Path is still around, but they have built a platform of tools and services unrelated to whitelisting or certification.
Now senders are going to have to focus on sending mail that people ask for and want in order to make it to the inbox.

Another day another dead blacklist

FADE IN
EMAILGEEKS.SLACK.COM #email-deliverability
It is morning in the channel. The regular crowd is around discussing the usual.
JK, smart, competent head of deliverability at an ESP asks: Anyone familiar with SECTOOR EXITNODES listings and have insight into what’s going on if listed?
ME: Uh, that’s the Tor Exit Nodes list. They think your IP is used by Tor. That’s all sorts of weird. Let me do some digging.
5 minutes of google searches, various dig commands and a visit to the now non-existent sectoor.de website show that the sectoor.de domain expired and is now parked.
ME (back in channel): It looks like the blacklist domain expired and is now parked. So they’re listing the world and nothing to worry about. Not your problem, and not anything you can fix.
JK: Like a UCEProtect fiasco – not just us but everyone?
ME: No, more like the spamcannibal fiasco. The domain expired and so it’s listing the world.
ME: The world would be a better place without MXToolbox worrying about every stupid blocklist. Or even if they would follow the blocklist RFC check for expired domains before panicking the world.
SCENE

What does mitigation really mean?

It is a regular occurrence that senders ask filters and ISPs for mitigation. But there seems to be some confusion as to what mitigation really means. I regularly hear from senders who seem to think that once they’ve asked for mitigation that they don’t have to worry about filtering or blocking at that ISP for a while. They’re surprised when a few weeks or even days after they asked for mitigation their mail is, one again, blocked or in the bulk folder.

Botnet activity warning

A bit of advice from the folks at the CBL, posted with permission and some light editing. I’ve been seeing some folks report longer connection times at some places, and this might explain some of it. It’s certainly possible, even likely, that the large ISPs are getting a lot of this kind of traffic.

A botnet, likely a variant of cutwail, has been for the past several years been specializing in using stolen credentials, doing port 25/587 SMTP AUTH connections to the spoof’d users server, and attempting to relay thru the connection to elsewhere. They will also, in some cases, attempt to log into the MX IP using a brute force attack against the email address. Other miscreants try the same thing with IMAP or POP or even SMTPS.
If they manage to compromise an email account, they use the account to send spam. For corporate accounts they can steal employee identities, request wire transfers, and send out corporately authenticated spam. If they get it, game over, the whole account is compromised and they can and do wreak havoc.
This has been going on for a couple of years, and now is the largest volume of spam from botnets. Cutwail is not the only botnet doing AUTH attacks, but appears to be the most prolific. Attacking POP and IMAP appears to be more recent, and is more related to spear-phishing (spamming executives) and other bad things.
In the last month or two, the behavior has changed a bit. The infections are trying to establish as many connections simultaneously as it can get away with. This is similar behavior to ancient or unpatched versions of qmail. This is swamping some servers by tying up a significant number (or even all) of the TCP sockets available.
The CBL is recommending that folks check their mail servers. If the mail server has a “simultaneous connection per IP limit”, it should be set to some limited number. If it’s not set then set it. Otherwise, your server is at risk for being unable to handle real mail. Make sure your IMAP and POP are secured as well as they are being targeted, too.
The XBL can also help with this. But securing your server is the first step.

SpamCannibal is dead

The SpamCannibal blacklist – one that didn’t affect your email too much but which would panic users who found it on one of the “check all the blacklists!” websites – has gone away.
It was silently abandoned by the operator at some point in the past year and the domain registration has finally expired. It’s been picked up by domain squatters who, as usual, put a wildcard DNS record in for the domain causing it to list the entire internet.
Al has more details over at dnsbl.com.
If you run a blacklist, please don’t shut it down this way. Read up on the suggested practice in RFC 6471. If you just can’t cope with that consider asking people you know in the industry for help gracefully shutting it down.
Blacklist health checks
If you develop software that uses blacklists, include “health check” functionality. All relevant blacklists publish records that show they’re operating correctly. For IP based blacklists that means that they will always publish “127.0.0.2” as listed and “127.0.0.1” as not listed. You should regularly check those two IP addresses for each blacklist and if 127.0.0.1 is listed or 127.0.0.2 isn’t listed immediately disable use of that list (and notify whoever should know about it).
For IPv6 blacklists the always listed address is “::FFFF:7F00:2” and the never listed address is “::FFFF:7F00:1”. For domain-based blacklists the always listed hostname is “TEST” and the never listed hostname is “INVALID”. See RFC 5782 for more details. (And, obviously, check that the blacklists your software supports out of the box actually do implement this before turning it on).
If you use someone else’s blacklist code, ask them about their support for health checks. If your mail filter doesn’t use them you risk either suddenly having all your mail go missing (for naive blacklist based blocking) or having some fraction of wanted mail being delivered to your spam folder (for scoring based filters).

UCEProtect and GDPR fallout

First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist. Mid-morning I got a message from a different client telling me the same thing. Both clients shared their bounce messages with me: