Recent Posts

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user to click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services and systems can become vulnerable. Security will never be a set and forget policy. In the last 12 months there has been two significant vulnerabilities discovered, first Heartbleed and second was POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Recipients need to be able to unsubscribe

The The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that Plentyoffish Media paid a $48,000 fine for CASL violations. According to the CRTC news release, Plentyoffish Media was failing to allow consumers to unsubscribe from mail in compliance with CASL.
CASL requires that any commercial electronic email message contain an easy and free unsubscribe mechanism. Plentyoffish sent mail to its members without an unsubscribe mechanism. According to their webpage (HT: Sanket) there were some messages that users were unable to opt-out of without closing their account.

When spam filters fail

Spam filters aren’t perfect. They sometimes catch mail they shouldn’t, although it happens less than some people think. They sometimes fail to catch mail they should.
One of the reason filters fail to catch mail they should is because some spammers invest a lot of time and energy in figuring out how to get past the filters. This is nothing new, 8 or 9 years ago I was in negotiations with a potential client. They told me they had people who started working at 5pm eastern. Their entire job was to craft mail that would get through Hotmail’s filters that day. As soon as they found a particular message that made it to the inbox, they’d blast to their list until the filters caught up. When the filters caught up, they’d start testing again. This went on all night or until the full list was sent.
Since then I’ve heard of a lot of other filter bypass techniques. Some spammers set up thousands of probe accounts at ISPs and would go through and “not spam” their mail to fool the filters (ISPs adapted). Some spammers set up thousands of IPs and rotate through them (ISPs adapted). Some spammers register new domains for every send (ISPs adapted). Some spammers used botnets (ISPs adapted)
I’m sure, even now, there are spammers who are creating new techniques to get through filters. And the ISPs will adapt.

Thoughts on Hotmail filtering

One of the new bits of information to come out of the EEC15 deliverability discussions is how Hotmail is looking at engagement differently than other webmail providers.
Many webmail providers really do look at overall engagement with a mail when making delivery decisions. And this really impacts new subscribers the most. If there is a mailing where a lot of subscribers are engaged, then new subscribers will see the mail in their inbox. Based on what was said at the webinar earlier this week engagement has no effect at Hotmail outside of the individual user’s box.
I’ve certainly seen this with clients who’ve tried trimming subscriber lists but that doesn’t really help get mail moved from the Hotmail bulk folder to the inbox.

Instead of subscriber lists, Hotmail is really looking at bounces. They’re watching the number of nonexistent accounts senders are mailing to and they’re counting and a sender hits too many bad addresses and that is a major hit to their reputation.
All of this makes remediation at Hotmail challenging. Right now, we can remediate a bad reputation at a lot of ISPs and the filters catch up and mail starts flowing back to the inbox. Hotmail has set up a system that they say is “hard for spammers to game.” This seems to translate into hard for legitimate senders to fix their reputation.
Hotmail is, IMO, the current tough nut in terms of deliverability. Develop a bad reputation there and it’s difficult to fix it. I’m sure it’s possible, though.

Tweets from engagement and deliverability webinar

Want to see some of the tweets shared during the EEC Deliverability and Engagement webinar on March 17? Check out what was said as it happened.

Mythbusting deliverability and engagement

Yesterday I published an article talking about an engagement webinar hosted by the EEC and DMA. I made a couple predictions about what would be said.

Delivery and engagement

Tomorrow is the webinar Mythbusters: Deliverability vs. Engagement. This webinar brings together the ISP speakers from EEC15, plus Matt from Comcast, to expand on their comments. There’s been some confusion about the impact of engagement on delivery and whether or not senders should care about recipient engagement.
My opinion on the matter is well known: recipient engagement drives delivery to the inbox at some providers. I expect tomorrow we’ll hear a couple things from the ISPs.

thirty.years.com

Thirty years ago this Sunday, symbolics.com was registered – the first .com domain. It was followed, within a few months, by bbn.com, think.com, mcc.com and dec.com.
Symbolics made lisp machines – symbolics.com is now owned by a domain speculator.
BBN is a technology R&D company who’ve worked on everything. If I had to pick one thing they were involved with it’d be the Internet Message Processor – the router used on the very first Internet nodes. They are still around, as a division of Raytheon.
Think.com made some amazing massively parallel computers. Their hardware group was bought out by Sun, who were bought out by Oracle and think.com now redirects to a broken error page at oracle.com.
Mcc.com were the first – and for a while, the largest – computing research and development consortium in the US. They did groundbreaking work on everything from silicon to AI. Their domain is now a generic parked page owned by a domain speculator.
Dec.com were Digital Equipment Corporation – creators of the PDP, VAX, Alpha and StrongARM processors, amongst many other things. They were a huge company when I worked for them designing Alpha CPUs in the mid 90s, then they were acquired by Compaq, then HP, then split up. Their domain is now a personal website.
It took nearly three years to reach 100 registered .com domains and nearly 10 years to reach 9,000.
As of this morning there are 116,621,517 domains registered in .com, from (64 zeros).com to (64 letter z).com, out of a possible total of more than two googol – so there’s still a domain there for you.
221,848 of those domains in .com mention “mail”.

Updated M3AAWG Best Practices for Senders

M3AAWG has published a new version of the Senders Best Common Practices document and the contains a lot of new information since the original publication in 2008. The new document covers how to vet ESP customers, considerations when selecting a dedicated or share IP to send mail, and includes best practices on a number of technical processes.
The Senders Best Common Practices document is targeted at deliverability teams and email marketers. Any company that is sending marketing emails, using an Email Service Provider, or provides an email enabled platform, it’s always good to go back and periodically review your system to ensure nothing was missed and to stay up-to-date on all new recommendations.
A few of the recommendations include the use of the List-Unsubscribe header, publishing a clear WHOIS for domains used for sending mail, and how to process non-delivery report messages.
The List-Unsubscribe header provides an additional way for users to opt-out of email messages. Gmail and Outlook.com both use the presence of the list-unsubscribe header to provide a one-click button to allow the user to unsubscribe from the mailing list. Often enough, if a user cannot find an opt-out link, they’re marking the message as spam. Allowing a recipient to unsubscribe easily is critical to maintaining good delivery reputation.
A WHOIS is query to determine who is the registered user or assignee of a domain name. During a session at the most recent M3AAWG meeting, it was announced that spammers throw away 19 million domains per year. When a postmaster or abuse desk receive a complaint, they’ll often query to see who owns the domain the email was sent from or who owns the domains used in the hyperlinks. If the WHOIS record is out of date or set to private, this limits the ability for the postmaster or abuse desk to reach out to the owner of the domain.
Processing non-deliver reports is critical to maintaining a high delivery reputation. Many ESPs have an acceptable-use-policy that includes a bounce rate. Mailjet recommends a bounce rate of less than 8% and Mandrill recommends less than 5%. If a system is not in place to remove the hard bounces from your mailing list, the sender’s reputation will quickly deteriorate.
The Senders Best Common Practices document can be downloaded at M3AAWG.org.

February 2015 – The month in email

This was a short and busy month at WttW!

We attended another great M3AAWG conference, and had our usual share of interesting discussions, networking, and cocktails. I recapped our adventures here, and shared a photo of the people who keep your email safe while wearing kilts as well. We also commended Jayne Hitchcock on winning the Mary Litynski award for her work fighting abuse and cyberstalking.