Recent Posts

You're kidding me

All the authentication and DMARC in the world can’t save you from stupid.
I just got a survey request from my bank. Or, at least, it claimed to be from my bank.

Phishing increasingly sophisticated

Phishing is an online threat that’s been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phis is more dangerous and more sophisticated. Phishing is not just used to send spam. It’s used to take over elections; it’s used to steal millions of dollars. Experts estimate that globally phishing costs companies over 9 billion dollars a year.
Even in the last two weeks we’ve seen 2 major phishing incidents. One targeted Google Docs, one targeted Docusign. Reading the news reports these are different than many of the more common phishing attacks and, to me, represent an evolution in standard phishing techniques.

The Google attack in early May was an evolution in getting access to a Google account. Instead of directing users to a fake Gmail login page, the phish asked users to allow “Google Docs” (actually an app controlled by the phisher) to access to their Google account.
I’m sure all of you have used an app or website that lets you login with Facebook or Gmail or Twitter. This is all done with a protocol called OAuth. OAuth is also how you give access to mailbox management tools like I discussed a few weeks ago. Basically, OAuth lets users grant access and permission to a site or application using a second site without revealing their username and password. (It’s more complicated than I want to discuss, but if you’re looking for some information check out some of the sites I’ve found: wikipedia, Varonis blog, Digital Ocean knowledge base, or just search google for oauth.)
The switch from asking for a password to asking for access is, to my mind, a significant change. Now we have to be aware of what we’re authorizing and make sure that app isn’t malicious.
The Docusign phish is another evolution. As I was looking at the phish I received yesterday I realized that it was sent to a tagged address. A tagged address only Docusign had. None of my other, heavily phished, addresses received the phish. None of Steve’s addresses received the phish. This wasn’t a widespread spray and pray phishing attack. The phishers targeted Docusign users. Yesterday afternoon, Docusign confirmed that someone stole user addresses.
This is a switch from just randomly looking for victims to targeting users of a specific service.
Phishing attacks look for the weakest links to gain access to computers, information, and money. The weakest links are always humans. Phishers have adapted to security measures for the last 20 years. There is zero reason that they won’t continue to adapt.

Shibboleet

Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company.
In one case it was easy. I knew a number of people inside the company and knew they would take it seriously and pass it on to the folks in the best place to deal with it. I did. They did. They got their systems secured and notified customers and it was all taken care of.
Other cases aren’t as easy.
Many years ago I got mail from my credit card company to a unique address. This was long before SPF or DKIM and the mail contained links different from the company’s main domain. I called them up to see if this was real or not. They told me it wasn’t, because tier 1 support are trained to tell users everything is suspicious. Eventually, though, it became clear this wasn’t a phish, it was just bad marketing by the company.
A few years ago I reported a possible breach to representatives of a company while at a meeting. Coincidentally, the address only their company had started getting phishing and spam during the conference. I brought it up to them and followed their directions for reporting. They asserted the leak wasn’t on their end, but to this day I get multiple spams a day to that address. They claimed that the spammer was someone I was friends with on their website, but they could never quite demonstrate that to my satisfaction. I treat that site as only marginally secure and take care with the information I share.
After Target was breached they emailed me, out of the blue, to the address I use at Amazon. There was some level of partnership between Amazon and Target and it appears Amazon shared at least part of their database with Target. I talked with security folks at Amazon but they told me they had no comment.
Of course, on the flip side, I know how challenging it is to sort through reports and identify the ones that are valid and ones that aren’t. When I handled abuse@ we had a customer that provided a music sharing program. If a connection was interrupted the software would attempt to reconnect. Sometimes the connection was interrupted because the modem dropped and a new person would get the IP address while the software was trying to reconnect. This would cause a flood of requests to the new person’s computer. These requests would set off personal firewalls and they’d contact abuse to tell us of hacking. There wasn’t any hacking, of course, but they’d still argue with us. One of my co-workers had a nickname for these folks that was somewhat impolite.
We had to implement some barriers to complaints to sort out the home users with personal firewalls from the real security experts with real firewalls that were reporting actual security issues. So I get that you don’t always want or need to listen to J. Random Reporter about a security issue.
Sometimes, though, J. Random Reporter knows what they’re talking about.

Yeah, I spent the morning trying to get support at a company to connect me to security or pass a message along. Too bad there isn’t a security shibboleet.

April 2017: The Month in Email

April was a big travel month for us. I went to Las Vegas for meetings around the Email Innovations Summit and to New Orleans, where Steve spoke on the closing keynote panel for the EEC conference.
I wrote several posts this month about privacy and tracking, both in email and in other online contexts. It’s increasingly a fact of life that our behaviors are tracked, and I wrote about the need for transparency between companies and those they are tracking. More specifically, I talked about the tradeoffs between convenience and security, and how people may not be aware that they are making these tradeoffs when they use popular mailbox tools like unroll.me. The folks over at ReturnPath added a comment on that post about how they handle privacy issues with their mailbox tools.
Steve contributed several posts this month. First up, a due diligence story about how service providers might look more closely at potential customers for their messaging platforms to help curtail spam and other fraudulent activity. He also looked at the history of “/8” IP blocks, and what is happening to them as the internet moves to IPv6. Steve also added a note about his new DMARC Validation tool, which rounds out a suite of free tools we’ve made available on our site. And finally, he showcased a particularly great email subscription experience from Tor.com — have a look!
I highlighted another post about companies doing things right, this one by Len Shneyder over at Marketingland. In other best practices news, I talked about bounce handling again (I mentioned it last month too), and how complicated it can be. Other things that are complicated: responding to abuse complaints. Do you respond? Why or why not?
Our friends at Sendgrid wrote a great post on defining what spammers and other malicious actors do via email, which I think is a must-read for email marketers looking to steer clear of such activity. Speaking of malicious actors, I wrote two posts on the arrest of one of the world’s top email criminals, Peter Levashov, and speculation that he was involved in the Russian hacking activity around the US elections. We’re looking forward to learning more about that story as it unfolds.

ESPC meeting

Yesterday I had the pleasure of attending my first ESPC semi-annual meeting. I was scheduled to talk on a panel about list hygiene with a couple vendors. Because some folks didn’t make it, I also sat on the panel talking about blocklists.
It was a fun day. I got to meet and talk with some colleagues I haven’t seen in an age. And I met some new faces and had interesting interactions.
One bonus from the day is I really got the chance to talk with some of the list hygiene vendors that were on the panel with me. Afterwards, we spent a good hour just discussing the space and the players in it. I learned a lot from that conversation. Previously, I’d kept the list hygiene vendors at arms length. My experiences with them and with their products weren’t very positive. My experience has primarily been with clients who have used these services and not gotten what they thought they were paying for. I have also seen some internet-abusive behavior from a few. Many years ago a few of the companies approached me for deliverability advice as they were running into consistent blocking.
All of these things led me to the conclusion that it was a part of the email space I didn’t want much to do with.
Yesterday, though, I learned that there were vendors in the space that focused very much on being a net benefit to the overall network. Both Webbula and Kickbox, who were on the panel with me, have policies and processes designed to make it unattractive for spammers to sign up for their services. We did agree there were problems with some of the vendors in the space, but I realized that some is not all.
It was a good meeting, I’m glad I went.

Text to Image ratios in email

One of the questions I get from folks about delivery is what the optimal text to image ratio there should be in an email. I’ll be honest, I hate this question. Why? Because the question is actually irrelevant. I’ve seen companies with a single image and no text get to the inbox. I’ve seen companies with no images get to the inbox. The text to image ratio is not going to make or break delivery.
Sending mail that the user expects and wants is the crucial part of delivery. If the user wants a single image? That’s the right ratio. If the user wants a readable message with images turned off? That’s the right ratio. Fretting about 20/80 or 18.5/81.5 or 43.256666/56.743334 is getting buried in details and missing the bigger picture.

Emails should be readable. These days, being readable on mobile is critical. This is the single best argument I can think of against one-image emails. And there are still folks who read email with images off by default. Being one of them, I think it gives me insight other delivery folks lack. If I am engaged with a brand, how do I show it outside of loading images? What kinds of things let the brand know I’m still a happy recipient?
If anyone tells you that your delivery problems are the result of a bad text to image ratio, run away. There is zero chance that’s actually true. Filters aren’t going to just look at the ratio and block ratios that fall into a certain range.
What filters are going to do is take the text to image ratio as part of the fingerprint of an email stream. They’re going to recognize certain factors about emails that users like, and factors about emails that users don’t like. Some of these factors will be things like the text to image ratio. But the “wrong” ratio isn’t why mail is being filtered. Mail is being filtered because the recipients aren’t interacting with it enough and the ratio is just one part of the way the ISP identifies it.
Stop fretting over your exact text to image ratios. The right, or wrong, ratio isn’t a true factor in delivery. Instead, focus on creating an email stream that users want, expect, and engage with. This starts with address collection, but collecting accurate addresses isn’t enough. You also need to provide value to them.
Sending mail users want is the key to reach the inbox. Doing that takes time and investment by the sender.

… and bad acquisition practices

I talked last week about how incentivizing people to sign up for your mailing list could be effective when it’s done well.
This week I’m staying at a Large International Hotel Chain and I’ve got a great example of what happens when it’s done poorly.
The “free” wifi requires you to join the hotel’s loyalty programme. I’ve done that in the past, so I login with my email address and password. Nope, the email address isn’t what you log in with, it’s an obscure nine digit number (but I only discover this after assuming I’d forgotten my password and attempting the password recovery dance, which doesn’t work).
OK, new loyalty programme account time. I create a new throwaway^W tagged email address and cough up some contact information. I get a welcome email. It has a Reply-To: address of, literally, “REPLYTOADDR”.
The newly created account also doesn’t actually get me in to the hotel wifi. I’m probably not going to be a terribly receptive recipient when they start emailing me at that address about what a great hotel they are. I’ll just unsubscribe. Any reasonable recipient not in the email industry will probably hammer the “this is spam” button until the mail goes to their spam folder and doesn’t come back.
On a somewhat related note, I have line-of-sight to a nearby discount mall. They have free public wifi and “me@privacy.net” already has an account on it in the name of “Eric”. I wonder how much email they send Eric?

Off to EEC next week

We’ll be in New Orleans next week for the EEC conference. Steve will be on the closing keynote panel taking about subscription bombing. Say hi! while you’re there!
Happy Friday!

Privacy and tracking

“I can’t believe you are wearing one of those,” they said while sneering at the Pebble watch I was wearing. Yes, that’s how someone introduced themselves to me at a conference last year. Apparently, I’m not allowed to wear smartwatches, or something. It wasn’t clear what their problem was or why they thought that was a good opening line. Best I can figure, it was some commentary on the hypocrisy of me wearing a smartwatch and claiming to be pro-privacy.

Every Download a Confirmation

We often talk about confirmed opt-in (aka “closed-loop opt-in” or “double opt-in”) as the gold standard for address acquisition for permission-based mail.
It’s not the only way to gather permission, and in some ways it’s a rather blunt tool that can discourage people from completing a sign-up process if it’s done badly – the confirmation email isn’t sent immediately, it goes to the recipients spam folder, they don’t have any reason to go and look for it, …
When it’s done well, though, it’s excellent.
Tor.com, the site for science-fiction and fantasy operated by publisher Macmillan, just did it very well with an ebook giveaway.
Last year they published Every Heart a Doorway, a novella that won several awards and caused quite a bit of buzz in the SFF community, partly because it’s very good and partly because it’s author, Seanan McGuire, has some serious social media chops. The sequel, Down among the Sticks and Bones, is being released in the next month or two.
Perfect timing for a time-limited giveaway of the first book, tied to signing up for their mailing list.

The signup form is on a page dedicated to the giveaway that talks about the book and sets some expectations about the mailing list. The form itself makes it very clear that you’ll need to enter a real email address to get the ebook download, so me@privacy.net is less likely to subscribe.
People aren’t required to sign up for the mailing lists to get the download. This isn’t a barter, a mailing list signup for a book, rather it’s putting the opportunity to sign up for the mailing lists in front of people who are self-selected to be interested in the content. That probably reduces the “how many people signed up” metric somewhat, but I bet the “how many new subscribers are still signed up in a month” numbers will look very healthy.
It provides some options. Do you want weekly content? Monthly? Both? You know that you’re not going to end up on a thrice-daily list from Macmillan and all their affiliates.
The confirmation email landed in my inbox within a few seconds after I clicked the “Sign Me Up” button. That’s important. If it takes even a few minutes I might have moved on, and wouldn’t be looking for the confirmation mail if it had ended up in my bulk folder.

And the confirmation mail isn’t a “click here to confirm your subscription” yawnfest. The subject line is “Download EVERY HEART A DOORWAY by Seanan McGuire Now” and the body content is on-brand and includes the front cover of the book.
Way more compelling.
It’s still solid informed consent from me, and confirmation that I, the owner of the email address, want on the list. (And, yes, the download link has 56 bytes of opaque hex-encoded data in it, so I know they’re tracking that.)
This is how it should be done.
(And, if you like fantasy you should head over to Tor and sign up for their promo. Seanan writes some amazing things, and I’m not just saying that because she’s a friend.)