Recent Posts

Arrests in ESP data breach

The FBI announced today the arrest of three people in connection with the ESP data breaches, the compromises of various ESPs a few years ago.
Krebs on Security: Feds Indict Three in 2011 Epsilon Hack
Department of Justice: Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History
After the attackers stole over a billion addresses from 8 ESPs, the lists were monetized through affiliate marketing. The owner of the affiliate program was one of the people arrested.
More on Monday.


Engagement, ISPs and the EEC

There’s been some controversy over some of the things said by the ISPs at the recent EEC meeting, and different people interpret what the ISPs said in different ways. The EEC has set up a webinar for March 17 to clarify and explain what the ISPs meant.


CRTC fines Compu-Finder $1.1 million for CASL violations

The Canadian Radio-television and Telecommunications Commission (CRTC) is the principal agency tasked with enforcing Canada’s anti-spam law. Today they issued a Notice of Violation to Compu-Finder, including a $1.1 million fine for 4 violations of CASL. The violations include sending unsolicited email and having a non-working unsubscribe link. According to the CRTC, complaints about Compu-Finder accounted for 26% of all complaints submitted about this industry sector.
This is the first major fine announced under CASL.
One of the first things that jumped out at me about this is that the action was taken against B2B mail. There are a lot of senders out there who think nothing of sending unsolicited emails to business addresses. In my experience, many B2B senders think permission is much less important for them than for B2C senders. I think this enforcement action demonstrates that, at least to the CRTC, permission is required for B2B mail.
The other thing that jumped out is that, given the extent of the complaints (26%), the financial penalties were only slightly more than 10% of the $10M maximum penalty. It seems the CRTC is not blindly applying the maximum penalty, but is instead applying some discretion to the fines.
I’ve looked for the actual notice of violation, but haven’t been able to find a copy. If I find it, I will share.

How to send better emails: engagement

Today Direct Marketing News hosted a webinar: ISP Mythbusters: How to Send Better Emails. The speakers were Matt Moleski, the Executive Director of Compliance Operations from Comcast and Autumn Tyr-Salvia, the Director Of Standards And Best Practices from Message Systems.
The webinar went through a series of myths. After Autumn introduced each myth, Matt commented on it and explained why the statement was, or was not, a myth. Throughout the webinar, Matt clearly explained what does, and does not, get mail delivered. Don’t let the Comcast after Matt’s name fool you. He is very active in different fora and discusses filtering strategies with experts across the ISP industry. His insight and knowledge are broadly applicable. In fact, many of the things Matt said today were things I’ve heard other ISPs say over and over again.
One of the very first things he said was that ISPs want to deliver mail their customers want. They want to give customers the best inbox experience possible and that means delivering mails customers want and keeping out mails customers don’t. He also pointed out that recipients complain to the ISPs when they lose wanted mail, perhaps even more than they complain about spam.
He also touched on the topic of engagement. His message was that engagement absolutely does matter for inbox delivery, and that it is going to matter more and more as filtering continues to evolve. There has been some discussion recently about whether or not engagement is an issue, with some people claiming that some ISP representatives said engagement doesn’t matter. The reality is that engagement does matter, and Matt’s words today only reinforce and clarify that message.
Matt did say that ISPs and senders have a bit of a disconnect when they are speaking about engagement. ISPs look at engagement on the “macro” level. They’re looking to see if users delete a mail without reading it, file it into a folder, mark it spam or mark it not spam. Senders and marketers look at engagement on a much more fine-grained level, looking at interactions with the specific emails and the links in them.
When discussing the relationship between senders and ISPs, he pointed out that both senders and ISPs have the same goal: to personalize the customer experience and to give customers a great experience. As part of this, ISPs are mostly aligned when it comes to blocking principles, but each ISP responds slightly differently. ISPs do adhere to best practices for handling incoming email, but each company implements those practices in the way that best supports its own business.
Matt talked about Comcast’s Postmaster pages and said they try to give feedback to senders before putting a block in place. He mentioned invalid recipients and poor list hygiene as the fastest ways to be blocked or throttled when sending to Comcast. He also said that the core filtering rules at Comcast are static; changes are mostly “tweaks around the edges.”
During the Q&A portion, Matt took a number of questions from the audience.


Engaging emails for better delivery

MessageSystems is sponsoring a webinar, hosted by Direct Marketing, discussing engagement as part of delivery.


Friday fun stuff

Between the rampaging llamas and a photo optical illusion, the internet has been a silly, silly place for the last 24 hours.
I have a little present for folks. I hinted in an earlier post that there might be pictures from Kilt Day at M3AAWG.
There are, and all of the subjects have granted permission for me to share the photos here. Follow me below the cut.


Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is at health companies: “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna is the only one fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major weaknesses of DMARC: it can authenticate that mail really comes from the domain in the From: address, but it says nothing about whether that domain belongs to the brand it resembles. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com”, publish DMARC records for it, and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t even an SSL-enabled website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business’s money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.


Salesforce SPF and now DKIM support

Salesforce has published an SPF record for sending emails from Salesforce for years, and with the Spring ’15 release they will provide the option to sign with DKIM.
The SPF record is straightforward: include:_spf.salesforce.com, which in turn includes _spf.google.com, _spfblock.salesforce.com, several IP address blocks and mx, and ends with a SoftFail ~all.
Salesforce Knowledge Article Number: 000006347 goes in-depth with information regarding their SPF Record.
