Industry

Google and Alignment Update

Earlier this month, I published a post about some changes with how Google is displaying information related to authentication in their “View Original” page. There’s one condition I apparently didn’t report and it brought up a question earlier today.

Read More

What Spamtraps Tell Us

Many blocklists use spamtraps to detect poor sending practices and will cite spamtrap hits as the reason for the blocks. Senders legitimately fear spamtraps showing up on their lists because of this. If spamtraps weren’t used by blocklists no one would really care about them. They’re just another kind of bad address.

Read More

Do spamtraps exist?

One of the folks on the Email Geeks slack asked me a question last week that I thought was really insightful and has a somewhat nuanced answer.

Read More

Are Complaints Weighted?

I’ve been doing a lot of my question answering over on the Email Geeks slack and have decided to bring some of the answers over here. Today’s question:

Read More

Effects of the Yahoo and Google Changes

In October 2023, Yahoo and Google announced new standards for sending bulk mail to their systems. For bulk senders these changes included requiring aligned authentication and publishing a DMARC record and complying with the List-Unsubscribe RFC. The ISPs also formally announced complaints must stay below a threshold of 0.3%. At the time of the announcement, they said enforcement would start in February 2024. As with many things, this enforcement deadline was pushed as ESPs explained the challenges to meet the deadlines.

Read More

Stop using Entrust for your BIMI Certificates

In July I talked about how Entrust was mistrusted by, well, pretty much everyone due to a years-long series of security and trust violations.

Read More

The Future of Deliverability

There always seems to be appetite from folks to read the tea leaves and follow up with predictions about what the future holds. I mean, how many folks in the US are obsessively refreshing polls for the last few weeks? (Americans: don’t forget to vote on Tuesday!)

Read More

No, Gmail did not just break all open tracking

I was avoiding commenting on the email open tracking bad take that seems to be going viral round the more gullible corners of LinkedIn.

Read More

The Economics of Cold Outreach

It’s time we talk about cold outreach mail. In the last 2 years the volume and aggressiveness of cold outreach mail seems to have exploded. There are dozens of companies out there who are selling services to companies to facilitate cold outreach. My own sales mailbox is full of requests from companies to help them solve their delivery problems.

Read More

DMARC: The good, the bad and the ugly

DMARC is the newest of the authentication protocols. It compares the domain in the From: address to the domains authenticated by SPF and DKIM. If either SPF or DKIM pass and they are in the same organizational domain as the domain in the From: address then the email is authenticated with DMARC.

Read More

Who’s your Email Czar?

The gentleman with the excellent hat is Иван IV Васильевич, The Great Sovereign, Tsar and Grand Prince of all Russia, Vladimir, Moscow, Novgorod, Tsar of Kazan, Tsar of Astrakhan, Sovereign of Pskov, Grand Prince of Smolensk, Tver, Yugorsk, Perm, Vyatka, Bolgar and others, Sovereign and Grand Prince of Novgorod of the Lower Land, Chernigov, Ryazan, Polotsk, Rostov, Yaroslavl, Beloozero, Livonia, Udoria, Obdoria, Kondia and Master of all the Siberian Lands and Northern Countries.

Read More

Why Deliverability Depends

A common complaint about the advice or answers any deliverability person gives is that the generic answer to questions is: It Depends. This is frustrating for a lot of folks because they think they’re asking a simple question and so, clearly, there should be one, simple, clear answer.

Read More

Why Deliverability Matters

Deliverability matters because we are the conscience of our companies. We are the ones who tell our companies, and particularly the marketing team, no. We’re the ones looking out for the health of our company reputation, the recipient’s inbox and the email ecosystem as a whole.

Read More

Deliverability is Collaborative

Mailbox providers want happy recipients

Mailbox providers want their users to be happy with the mail they receive and the service they get. That’s driven by stark business reasons: acquiring new users is costly, happy users bring in revenue – whether directly, or indirectly via advertising – and their word of mouth helps bring in more users, and hence more revenue. That’s still true when the email service is bundled as part of a larger package, such as broadband service or domain registration.

Read More

Why Deliverability Matters to Me

Welcome to deliverability week. I want to especially thank Al for doing a lot of work behind the scenes herding this group of cats. He’s an invaluable asset to the community.

Read More

It’s Deliverability Week

What is Deliverability Week? Al Iverson decided it should happen, and asked a bunch of deliverability folks to share some of their thoughts about the deliverability industry – why do we do this? where did we come from? what’s next?

Read More

Deliverability Summit 2024

We just got back from Amsterdam a couple of days ago, after attending the Deliverability Summit.

Read More

Looking back, looking forward

Six years ago today I wrote here “Spam isn’t going away”, talking about systemic problems at Google, Cloudflare and Amazon and in India.

Read More

Are you a grown-up sender?

Yes, it’s another yahoogle best practices post.

Google divide their requirements for senders into those sending more than 5,000 messages a day, and those sending less.

Read More

Yahoogle FAQs

Just a very, very short post with links to the Yahoo and Google requirements FAQs. Given I can’t ever remember them I’m guessing lots of y’all can’t either.

Read More

Answers to your questions about the new Yahoo and Google technical requirements

On January 9th at 6pm GMT, 1pm EST and 10am PST I’ll be speaking with Nout Boctor-Smith of Nine Lives Digital about the new Yahoo and Google technical requirements.

Read More

Wildcards and DKIM and DMARC, oh my!

If you’re an ESP with small customers you may have looked at the recent Google / Yahoo requirements around DMARC-style alignment for authentication and panicked a bit.

Read More

Deferrals at Microsoft

If you’re seeing a lot of “451 4.7.500 Server busy. Please try again later” from Office365 this morning you’re not alone.

Read More

When Asking a Question

A lot of beginner questions about email delivery aren’t about broad strategies for success, or technical details about authentication, or concerns about address acquisition. They’re something like:

Read More

Validity Charging for Feedback Loop Emails

History

Return Path was a major driver for the establishment of Feedback Loops (FBLs) back in the mid to late 2000s. They worked with a number of ISPs to help them set up FBLs and managed the signup and validation step for them. In return for providing this service to senders and receivers, they used this data as part of their certification process and their deliverability consulting. Return Path had a strong corporate ethos of improving the overall email ecosystem that originated from the CEO and permeated through the whole organization.

Read More

They Must Have Changed Something…

One of the most common refrains I hear from folks with delivery problems is that the filters must have changed because their mail suddenly started to go to the bulk folder. A few years ago, I posted about how even when there is no change in the sender’s behavior, reputation can slowly erode until mail suddenly goes to the Gmail bulk folder. Much of that still applies – although the comments on pixel loads (what other folks call ‘open rates’) are a bit outdated due to changes in Gmail behavior.

Read More

Is this email address disposable?

As a consumer there are several different sorts of email address that are described as “disposable” or “temporary”.

Read More

C is for Cookie

Trekkie Monster. He’s obsessed by social media and isn’t owned by Children’s Television Workshop.

What is a Cookie?

I’m not talking about biscuits, nor about web cookies, at least not exactly.

Read More

Is email dead?

These last few years have been something, huh? Something had to give and, in my case, that something was blogging. There were a number of reasons I stopped writing here, many of them personal, some of them more global. I will admit, I was (and still am a little) burned out as it seemed I was saying and writing the same things I’d been saying and writing for more than a decade. Taking time off has helped a little bit, as much to focus on what I really want to talk about.

Read More

Gmail Program for Election Mail

A few months ago, Google made a splash in the political press and the email marketing space when they asked the FEC the following question:

Read More

Confidential to ESPs

Dear Colleagues at ESPs,

We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.

Read More

When best practices don’t work

I started out with the best intentions to get back into the swing of things with blogging more regularly. But between MAAWG recovery, COVID recovery and life it’s not worked out that way.

Read More

The gang is trickling in

It’s been a few years since we’ve actually made it to a MAAWG. We missed much of 2018 and 2019 due to our international move. Then 2020 San Francisco conflicted with a personal engagement. Then, well, pandemic hit and it’s been virtual and then we were moving and … wow, it’s been busy!

Read More

ESPs need to step up their compliance game

I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.

Read More

Message not compliant with the RFCs

Every once in a while we’ll see a rejection from Yahoo that says RFCs 554 5.0.0 Message not accepted due to failed RFC compliance. What does that mean and what can we do about it?

Read More

Apple MPP reporting and geolocation

A while back I wrote about Apple Mail Privacy Protection, what it does and how it works. Since MPP was first announced I’d assumed that it would be built on the same infrastructure as iCloud Private Relay, Apple’s VPN product, but hadn’t seen anything from Apple to explicitly connect the two and didn’t have access to enough data to confirm it independently.

Read More

Apple MPP

You’ve probably heard about Apple Mail Privacy Protection. Email marketing chat has been all a-twitter about it since it was announced in June.

Read More

About the Apple thing

A lot of folks are talking about Apple’s recent announcement about building privacy protection into email. I have somewhat stayed out of the conversation and I’m not sure what I really think about it. This is a change to how a lot of folks use email and no one really likes change.

Read More

What’s the best opt-in method?

Kickbox interviewed a bunch of us to find out what methods of opt-in we recommend. Go check it out.

Read More

Current events and filters

That was a longer than intended hiatus from blogging. I’ll be honest, though, talking about email just seemed so trivial in the face of what was and is continuing to happen. I posted this over on slack, earlier, and Steve pointed out I should make it public on the blog. It’s as good a way as any to come back to the blog.

Read More

#ltdelivery: Maintaining reputation

At tomorrow’s #ltdelivery session we’ll continue talking about session: Maintaining and warming up reputations.

Read More

Let’s Talk Delivery

Hope everyone had a good break.

The Let’s Talk Delivery sessions are restarting. I’ve set up a schedule and a page where you can subscribe to invites. Our next session is September 16th and we’re talking Reputation: Warmup, developing and nurturing. We talked a little last week about identity and you can follow along with the notes.

Read More

Let’s Talk: Reputation

The next 3 or 4 Let’s Talk sessions are going to be all about reputation. We’ll start with a general overview of reputation and identity, then move on to specific kinds of reputation (IP, domain, URL, content), then we’ll talk about how to create, maintain and repair reputation. Still working on the outline, but I’m pretty convinced this will be at least 3 sessions.

Read More

Let’s Talk: Engagement part 2

Our next #letstalk deliverability session will be Wednesday July 1 at 17:00 GMT and 09:00 pacific. We’ll be continuing the Engagement discussion as we didn’t get to all of the questions folks asked. And my best intentions of following up with them got derailed for a host of reasons. Easy enough to continue the discussion where we left off and answer the remaining questions. 

Read More

Upcoming events

Mailcon Webinar: June 25th, 10am pacific

I will be joining my Women of Email co-founders at a webinar hosted by Mailcon on Thursday June 25.

Read More

Let’s Talk: Bounce handling

Next Let’s Talk session is June 17 with the topic of bounce handling. As always: 5pm Dublin, noon Eastern, 9am Pacific. Send an email to laura-ddiscuss@ the obvious.

Read More

Let’s Talk: Engagement

I’m working on a more formal schedule for the Let’s Talk events and hope to have that out over the next few days. Meanwhile, we’re moving ahead with the next talk: Engagement!

Read More

Let’s Talk: FBLs

Next Delivery Discussion Wednesday, May 20. We’ll be talking FBLs.

I’ve been reviewing the recording of last week’s call. A few folks have reached out and asked that their comments not be shared, so I am working out next steps. The good news is that the recording worked well and I’m learning new skills.

Read More

Spamtraps resources

We had a well attended call yesterday, almost 40 people showed up. I did get a recording but need to work out some editing before sharing it. What did you do during the pandemic? I learned lots of new things and spent way too much time relearning all the virology and immunology I forgot after leaving the lab…

Read More

Let’s Discuss: Spamtraps

Our next Delivery Discussion is May 6 at 5pm Irish time, noon eastern and 9am pacific. We’ll be talking about spamtraps. Drop me an email at laura-ddiscuss@ the obvious domain to get an invite.

Read More

Deliverability is nuanced

The deliverability discussion calls are going well and I’m going to continue to host them on a biweekly basis. Next call will be May 6th, 5pm Ireland time, noon Eastern and 9am Pacific time. Still doing invites manually, so drop me an email at laura-ddiscuss@ the obvious domain.

Read More

Machine learning resources

Thanks to everyone who joined the deliverability discussion on Friday. I realised after I scheduled that it was Good Friday and that may have limited some folks’ ability to join.

Read More

Spamhaus DBL errors

Sometime in the last few days, Spamhaus seems to have started issuing a block message if someone queries the DBL with an IP address. Folks started seeing an uptick in error messages that mention Spamhaus saying:

Read More

Whose side are you on?

A few weeks ago I was on an industry call. We were discussing some changes coming down the pike at the ISPs and filter providers. These changes are going to cause some headache at ESPs and other places that do email but don’t provide mailboxes. During the call I ended up explaining why what the ISPs were doing made sense and how it fit in with their mission and customer needs.

Read More

Let’s do it again

Given the success of our initial call, let’s try it again. This time Friday April 10, 5pm Ireland time, 12 noon Eastern and 9am Pacific. Same as before, send me an email to laura-ddiscuss@ the obvious domain and I’ll send you an invite. I’m trying to move the days around to catch folks who couldn’t make Wednesday.

Read More

Misinformation on filters

I’ve seen reports that someone is asserting that utm=COVID19 in URLs results in all mail going to bulk at multiple ISPs. This is the type of thing that someone says is true and dozens of folks believe it and thus a “deliverability phact” is born. For a plethora of reasons, this doesn’t pass the sniff test. Don’t believe everything you read on the internet.

Read More

Discussion Session

More than 30 people joined our delivery discussion from last Wednesday evening (Irish time). Thanks to all who joined and participated.

Read More

Deliverability discussion

Lots of folks are socialising distantly these days, so I thought I’d try a scheduled deliverability discussion over video. Given the time difference, I’ll log on in the evening Irish time which makes this daytime for most of the US folks.

Read More

Happy St. Patrick’s Day

It’s a near silent St. Paddy’s day here in Ireland. We took a walk along the canal and took in the silence. On the way back, our neighbour’s kids had decorated their front window and I had to take a picture.

Read More

Authentication at Office365

This is a followup from a post a few weeks ago about authentication changes at Office365. We have some more clarity on what is going on there. This is all best information we have right now.

Read More

Deliverability mythbusting

Recently had the pleasure of sitting down with Jillian Bowen and talking about deliverability for her podcast.

Read More

Back at it

Back at the office after traveling to visit a bunch of our US friends recently. A lot of news, both in and out of the email space, happened while we were gone. The biggest stories are outside the email space and I will admit to following the coronavirus news probably closer than I should. (My graduate work was done across the hall from one of the major avian epidemic monitoring labs. This is the kind of thing we discussed at lunch and over beers.)

Read More

Address verification doesn’t fix any real problem

Would you trust an address verification company that used twitter spam to advertise their product?

Read More

The OSI Seven Layer Model

In the 1970s, while the early drafts of the Internet were being developed, a competing model for networking was being put together by the ISO (International Organization for Standardization).

Read More

Some Microsoft thoughts

Right at the end of January, Microsoft appears to have made a couple of changes to how they’re handling authentication. The interesting piece of this is that, in both cases, Microsoft is taking authentication protocols and using them in ways that are slightly outside the spec, but are logical extensions of the spec.

Read More

Your first M3AAWG meeting

It’s that time of year again where nearly all my client calls involve the question, “are you going to be at M3AAWG SF?” Up until last year, the answer was always yes. But now it’s not a brief drive up the peninsula and a BART ride into the city, it’s a transatlantic plane flight.

Read More

Troubleshooting: part 3

As I continue to think about how people troubleshoot email delivery I keep finding other things to talk about. Today we’re going to talk about the question most folks start with when troubleshooting delivery. “Did ISP change something?”

Read More

What about the email client?

There are a lot of folks in the email industry that take issue with my stance that DMARC is not a viable solution to phishing. DMARC, at its absolute best, addresses one tiny, TINY piece of phishing.

Read More

Same MX, different filters

One of the things I do for clients is look at who is really handling mail for their subscribers. Steve’s written a nifty tool that does an MX lookup for a list of domains. Then I have a SQL script that takes the raw MX lookup and categorizes not by the domain or even the MX, but by the underlying mail filter.

Read More

Bad marketing automation, part deux

Back in April I wrote about some poor marketing automation that ended up spamming me with ‘cart abandonment’ emails when the issue was the company’s credit card processing went down. That post has now been scraped by the spammers Moosend and they keep sending me… poorly targeted automated spam.

Read More

Testing and data driven decisions

There’s a lot of my education in the sciences that focused on how to get a statistically accurate sample. There’s a lot of math involved to pick the right sample size. Then there’s an equal amount of math involved to figure out the right statistical tests to analyse the data. One of the lessons of grad school was: the university has statistics experts, use them when designing studies.

Read More

Troubleshooting delivery problems

Everyone has their own way of troubleshooting problems. I thought I would list out the steps I take when I’m trying to troubleshoot them.

Read More

Happy New Year

Well, it’s 2020. The start of a new year and a new decade, or not depending on what number theory you use to count decades. Personally, I think we, as pattern loving humans, just happen to love numbers that end with 0 and we’re going to consider it special whether or not it’s the actual end or start of a decade.

Read More

Authentication

Some notes on some of the different protocols used for authentication and authentication-adjacent things in email. Some of this is oral history, and some of it may be contradicted by later or more public historical revision.

Read More

Google IP reputation bad

This morning hundreds of delivery folks logged into their Google Postmaster Tools account to see their IP reputation was bad.

Read More

It’s not marketing… it’s harassment

Many years ago, we bought a VMWare license to manage the various virtual machines running our business infrastructure. As part of our move to Dublin, we decommissioned our cabinet and moved all of our services into various bits of the cloud. This meant that when our VMWare support contract came up for renewal we declined the renewal.

Read More

4 beelion emails

Sendgrid announced their volumes for Black Friday and Cyber Monday:

Read More

It’s the email time of year…

I’m basically waiting for the various ESPs to announce Just How Much Mail they’ve sent over the last 4 days. Early information from one ESP shows a hefty percentage over the amount they sent last year, and that amount had many, many, many zeros in it.

Read More

There’s something about bounces

I’ve shared a version of this image repeatedly. I think it was only my Facebook friends that got the stick figure screaming in frustration, though.

Read More

Phishing evolves beyond DMARC

The phishing attack against Sendgrid is still going on. Most of the mail and the websites are being hosted on Linode. I’ve still not gotten to see what one of the sites looks like, as Linode is getting the sites down before I click on the links.

Read More

ESP being phished is a Black Friday cataclysm

There is currently a phishing attack against a major ESP. The mail came through what I presume was a compromised account hosted at one of the providers. It’s just as possible this was a domain set up for the sole purpose of phishing, though.

Read More

CAN SPAM says I can!

Saw a new disclaimer on mail sent to an address harvested off our website today:

Read More

Mentally modelling filters

When we talk about filters, we often think there is one filter. But, in many cases there are multiple stages of filters, each examining mail in a different way.

Read More

Microsoft and SmartScreen

There was another thread on mailop today about email filtering. This one was about Microsoft and SmartScreen. After watching a bunch of folks make lots of comments about what SmartScreen was, and get it wrong, I waded in.

Read More

Details matter

I field a lot of delivery questions on various online fora. Often people try and anonymise what they’re asking about by abstracting out the question. The problem is that there are very few answers we can give in the abstract.

Read More

Microsoft and SPF

Many deliverability folks stopped recommending publishing SPF records for the 5322.from address to get delivery to Microsoft. I even remember Microsoft saying they were stopping doing SenderID style checking. A discussion on the emailgeeks slack channel has me rethinking that.

Read More

Why is DMARC failing?

Multiple times over the last few weeks folks have posted a screenshot of Google Postmaster tools showing some percentage of mail failing DMARC. They then ask why DMARC is failing. Thanks to how DMARC was designed, they don’t need to ask anyone this, they have all the data they need to work this out themselves.

Read More

New Deliverability Resource

The nice folks over at Postmark shared a new deliverability resource last week. The SMTP Field Manual. This is a collection of SMTP responses they’ve seen in the wild. This is a useful resource. They’re also collecting responses from other senders, meaning we can crowdsource a useful resource for email deliverability folks.

Read More

False 550 responses from Verizon

This week there was a reported uptick in user unknown responses for Verizon email addresses. The specific response folks were seeing was:

Read More

Conferences and Pac Man

On the emailgeeks slack channel someone asked for advice about going to conferences. There were lots of great suggestions. I threw in the Pac Man Rule and realised a lot of folks haven’t heard of it before.

Read More

Spam is never timely nor relevant

One of the ongoing recommendations to improve deliverability is to send email that is timely and relevant to the recipient. The idea being that if you send mail a recipient wants, they’re more likely to interact with it in a way that signals to the mailbox provider that the message is wanted. The baseline for that, at least whenever I’ve talked about timely and relevant, is that the recipient asked for mail from you in the first place.

Read More

Should you publish a DMARC policy statement?

DMARC is a protocol that makes it very, very simple to shoot yourself in the foot. Setup is tricky and if you don’t get it exactly right you risk creating deliverability problems. The vast majority of companies SHOULD NOT publish a DMARC policy with p=reject or p=quarantine for their existing domains.

Read More

Spamming for deliverability

This morning I woke up to a job offer. I hear a number of other email deliverability folks received the same job offer.

Read More

When you can’t get a response

I’ve seen a bunch of folks in different places looking for advice on what to do when they can’t get a response from a postmaster team, or a filtering company. I was all set to write yet another post about how silence is an answer. Digging through the archives, though, I see I’ve written about this twice already in the last 18 months.

Read More

Yahoo having problems

Yahoo seems to be having some massive system issues the last 24 hours or so. DNS has been down, mail was down. I’m seeing reports things are coming back now, but there’s a lot of backed up mail traffic and the congestion may take a few hours to resolve.

Read More

To no-reply or not

One of the ongoing arguments in deliverability is whether or not to use no-reply in the From address of email marketing. There are very strong opinions on both sides. I’ve even had people ask me to comment or ask me to back up their particular point of view.

Read More

DMARC doesn’t fix phishing

Over the last few weeks I’ve had a lot of discussions with folks about DMARC and the very slow adoption. A big upsurge and multiple Facebook discussions were triggered by the ZDNet article DMARC’s abysmal adoption explains why email spoofing is still a thing.

There are a lot of reasons DMARC’s adoption has been slow, and I’m working on a more comprehensive discussion. But one of the absolute biggest reasons is that it doesn’t actually fix phishing.

Read More

Cox: no more new email addresses

A few days ago Cox disabled email address account creation for their domain.

Read More

Blogging as thinking

Blogging has been a major part of our outreach and education here at WttW. It’s also the place where I work through some of my ideas. Most of what I do, particularly these days, is education. That means I need to be able to clearly model things in my head and explain that model to other folks.

Read More

Google Postmaster is Back

Late last night folks started mentioning they were seeing data trickle into Google Postmaster tools. This morning, some of the domains for some of my clients are showing data.

Read More

More Google issues

Not necessarily more but more information about the current Google Postmaster Tools (GPT) outage. I’ve been reliably informed by folks inside Google that they’re aware of the outage and are working on it.

Read More

I took a class

… but it’s not what you might think.

A few months ago we bought a Victorian terrace built right around the turn of the 20th century. Our first inclination was to zip it up in as much insulation as we could to bring a 19th century house up to 21st century standards. Then we took a class.

Read More

Google problems

It’s been a bit of a problematic week for Google. In the last few days they’ve had a number of outages or problems across different services. There was a major outage of Google Calendar. All email, including some spam, was delivering to the primary tab instead of the correct tab. Additionally, Google postmaster tools hasn’t been updated in over a week.

Read More

Barracuda update

The Barracuda twitter account has been very helpful and responsive to the issue. A few hours ago they tweeted that the problem should have been fixed.

Read More

Increase in Barracuda IP blocks

A number of folks are talking about a significant uptick in Barracuda IP blocks over the last few days. These blocks appear to be affecting wide ranges of IPs across multiple networks.

Read More

Raising the standard

Last week news broke that Mailchimp had disconnected a number of anti-vaccination activists from their platform and banned anti-vax content. I applaud their decision and hope other companies will follow their lead in banning harmful content from their network.

Read More

End of an era

A few weeks ago, Return Path announced they were being purchased by Validity, who also own BrightVerify. Last week, they had a round of layoffs. According to sources inside the industry, Validity is closing the New York headquarters and Indianapolis offices and layoffs involved more than 170 staff members.

Read More

Their network, their rules

Much of the equipment and wires that the internet runs on is privately owned and is not a public utility in the traditional sense. The owners of the property have a lot of leeway to do what they like with that property. Yes, there are standards, but the standards are about interoperability. They describe things you have to do in order to exchange traffic with other entities. They do not dictate internal policies or processes.

Read More

Apple one time email addresses

At WWDC 2019 Apple announced “Sign in with Apple.” This is a service that allows iOS users to log into different applications with a private, dedicated email address. When developers send mail to that address, Apple will forward it to the email address associated with the user’s AppleID. App developers that offer any third party log in will be required to also offer AppleID log in.

Read More

ESPs are failing recipients

Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.

Read More

Google Suspicious Link Warnings

A number of folks in the sender space are reporting intermittent “This link may be suspicious” warnings on their emails. I first heard about it a few weeks ago from some clients. One wasn’t sure what was going on, the other found a bunch of malware uploaded into their customer accounts.

Read More

Techdirt lawsuit settled

Back in 2017 Techdirt wrote a series of articles about Shiva Ayyadurai. Shiva claims he invented email. (narrator voice: he didn’t). I wrote about the lawsuit when it was dismissed on First Amendment grounds. The parties cross appealed, and have been in settlement talks for 18 months.

Read More

What’s up with gmail?

Increasingly over the last few months I’ve been seeing questions from folks struggling with reputation at Gmail and inbox delivery. It seems like everything exploded in the beginning of 2019 and everything changed. I’ve been avoiding blaming it all on TensorFlow, but maybe the addition of the new ML engine really did fundamentally change how things were working at Gmail.


Read More

Rethinking public blocklists

Recently, a significant majority of discussions of email delivery problems mention that neither the IPs nor domains in use are on any of the public blocklists. I was thinking about this recently and realised that, sometime in the past, I stopped using blocklists as a source of useful information about reputation.

Read More

ESPs and deliverability

There’s an ongoing discussion, one I normally avoid, regarding how much impact an ESP has on deliverability. Overall, my opinion is that as long as you have a half way decent ESP they have no impact on deliverability. Then I started writing an email and realised that my thoughts are more complex than that.

Read More

CRTC fines individual for company violations under CASL

The Commission finds that nCrowd, Inc. committed one violation of paragraph 6(1)(a) and one violation of paragraph 6(2)(c) of Canada’s Anti-Spam Legislation (the Act) in relation to commercial electronic messages sent to recipients in Canada. The Commission also finds that Brian Conley is liable, under section 31 of the Act, for those violations. Accordingly, the Commission imposes an administrative monetary penalty of $100,000 on Brian Conley. CRTC

The commission’s report is well worth a read as it discusses many of the things I’ve noticed from spamming operations over the years. It’s pretty standard business practice for spammers to have a complex set of sorta but not really different businesses. They all interact and share data, but not legal liability. They’re mostly treated as one business by the principals and there’s no real dedication to any one brand name.

Read More

When marketing automation goes bad

Friday I attempted to make a purchase online. I go through the selection and checkout process … up through the payment choices. When I pick pay by credit card I get an error message that says “credit card expiration date wrong.” All very strange because I’ve not put in a credit card number or expiration date.

Read More

TLS and Gmail delivery

I’m seeing some questions about TLS and Gmail. Folks are seeing a correlation between sending without TLS and the mail going to bulk.

Read More

Explicit consent

I’m working on a blog post about correlation and causation and how cleaning a list doesn’t make it opt-in and permission isn’t actually as outdated as many think and is still important when it comes to delivery. Today is a hard-to-word day, so I headed over to twitter. Only to find someone in my personal network re-tweeted this:

Read More

The many meanings of opt-in

An email address was entered into our website

An email address was associated with a purchase on our website.

Read More

Email filters and small sends

Have you heard about the Baader-Meinhof effect?

The Baader-Meinhof effect, also known as frequency illusion, is the illusion in which a word, a name, or other thing that has recently come to one’s attention suddenly seems to appear with improbable frequency shortly afterwards (not to be confused with the recency illusion or selection bias). Baader–Meinhof effect at Wikipedia

There has to be a corollary for email. For instance, over the last week or so I’ve gotten an influx of questions about how to fix delivery for one to one email. Some have been from clients “Oh, while we’re at it… this happened.” Others have been from groups I’m associated with “I sent this message and it ended up in spam.”

Read More

AMP and Gmail

Yesterday, Gmail announced they’re rolling out AMP support in their web client, with support for mobile coming soon.

Read More

Shared environments

In the email system there are all sorts of different belief systems. One contingent will have you believe that IP reputation is the be all and end all of delivery. Get a decent IP reputation, and the clouds will part, angels will sing and your mail will reach the inbox. This group of folks often recommends every sender should have their own dedicated IP address. Anything less is just admitting your mail will never reach the inbox.

Read More

Phishing and authentication

This morning I got a rather suspicious message from a colleague on LinkedIn.

Read More

New office

We successfully worked out of a well fitted out home office for years. But part of the move to Dublin was about changing our lifestyle. Last week we took possession of our new office and today our new monitors arrived.

Read More

Email news today

Ironport have rolled out an update to their rule engine which has a bug causing mail problems. According to discussion on the mailop list, the new rule engine is folding the header with a line feed (LF) rather than a carriage return and line feed (CRLF). This is breaking things, including DKIM signatures. Ironport is aware of the issue. I expect an updated rollout shortly.

Read More

Verizon Media Postmaster Site

Marcel brought up in the comments that Verizon Media has a postmaster site. https://postmaster.verizonmedia.com/

Read More

AOL postmaster site *poof*

We knew this day would come, but somehow it doesn’t make it any easier.

Read More

Email verification vendor leaking marketer data

I’ve been waiting for this to happen. An email verification vendor has left their database of 800 million email addresses, along with detailed individual data, unprotected on the internet. Bob Diachenko reported the discovery yesterday on his blog. Wired also ran an article (An Email Marketing Company Left 809 Million Records Exposed Online) based on his findings.

Read More

Audiences, targeting and signups

A few weeks ago we closed on our new house in Dublin. This weekend we’re going to one of those ‘home shows’ where people try and sell you all sorts of things for your home. We know there are some things we want to do with the house so we’re headed out to the convention centre this weekend. Tickets are “free” but they ask for contact information, including an email address.

Read More

Gmail, machine learning, filters

I’m sure by now readers have seen the article from Gmail “Spam does not bring us joy — ridding Gmail of 100 million more spam messages with TensorFlow.” If you haven’t seen it, go read it. It’s not often companies write about their filtering philosophy and what tools they’re using to manage incoming bad mail.

Read More

AOL FBL petering out

This is pretty clear evidence that AOL accounts are being transferred to the Oath / Verizon Media / Yahoo backend.

Read More

Share your average bounce rates

The question came up on slack this morning about bounce rate benchmarks. What are the normal / average bounces that different ESPs see? Does region matter? What’s acceptable for bounce rates?

Read More

One subscription should equal one unsubscription

One of the side effects of using tagged addresses to sign up for things is seeing exactly what companies do with your data once they get it.

Read More

Spamtraps on the brain

I really dislike whomever it was that coined the term pristine spamtraps. I get what they were trying to do, explain the different kinds of spamtraps and how different traps get on your list in different ways. Except… any type of trap can end up on your list in any way.

Read More

Filters working as intended

One of the toughest deliverability problems to deal with is when mail is blocked or going to spam because the filters are working as intended. Often the underlying issue is a lack of permission.

Read More

Recycled addresses, spamtraps and sensors

A few hours ago I was reading an ESP blog post that recommended removing addresses after they were inactive for a year because the address could turn into a spamtrap.  That is not how addresses turn into spamtraps and not why we want to remove active addresses. Moreover, it demonstrates a deep misunderstanding of spamtraps. Unfortunately, there are a lot of myths and misunderstandings of spamtraps in general.

Read More

Automated link checking getting more sophisticated

As the volume and severity of malicious email increases, filters are increasingly following links in emails. This is really nothing new. Barracuda and other filters have been inspecting links automatically for years. From what I’ve seen there does seem to be some level of risk analysis based on domain reputation. That makes sense, not only is following links computationally expensive, it can also delay mail receipt.

Read More

How much has changed and will change

I was on a call with a client today and they wanted to talk about the handshake agreement about bounce handling I mentioned last week. As I started to really talk about it, I realised how much has changed in the years since that meeting. 

Read More

What’s a bounce?

Bounces and bounce handling is one of those topics I’ve avoided writing about for a long time. Part of my avoidance is because there are decades of confusing terminology that hasn’t ever been really defined. Untangling that terminology is the first step to being able to talk sensibly about what to do. Instead of writing a giant long post, I can break it into smaller, more focused posts.

Read More

How accurate are reports?

One of the big topics of discussion in various deliverability circles is the problems many places are seeing with delivery to Microsoft properties. One of the challenges is that Microsoft seems to be happy with how their filters are working, while senders are seeing vastly different data. I started thinking about reporting, how we generate reports and how do we know the reports are correct.

Read More

Mailbox providers

The other day I tweeted that I often used the term “receivers” to describe receiving MTAs.

Read More

Reputation is in the eye of the beholder

A few years ago reputation was generally recognised as one thing. If a sending reputation or IP reputation was good in one place it was likely good in other places. Different entities mostly measured reputation using the same set of signals, albeit slightly tweaked to meet their own needs. More recently there is a divergence in how reputation is measured, meaning delivery can be vastly different across entities.

Read More

Welcome 2019

It’s the beginning of a new year and everyone is breaking out posts either reviewing the previous year or making predictions for the next year. I’ve done both over the years.

Read More

Temporary fixes

If your mail goes back to spam within a month of “fixing” a delivery problem, then you never really fixed the problem. You just evaded filters for a short time. The filters caught up and the problem is definitely your mail.

Read More

Gmail tab weirdness

Lots of reports today about mail being delivered to unusual tabs. Mail that normally goes to promotions is in updates, updates are in the inbox, things like that.

Read More

Never 100% inbox

No matter how great an email program’s deliverability is, no one can guarantee that 100% of the email sent will reach the recipient’s inbox. Why? Recipients can make decisions about where mail goes in their own inbox. Every mail client has a way for users to control where mail is delivered.

Read More

How much is too much?

Anecdotally I’m hearing a few different things about recent mail sends.

Read More

Successful sends on Black Friday

Last year a number of ISPs mentioned the Black Friday email volume was congesting their systems and causing delays. While anecdotally it seems that volume is up over last year I also haven’t heard any ISPs talking about congestion. Likewise, most of the delivery folks I’ve spoken to today and over the weekend are saying there were no major problems.

Read More

Email addiction survey

The great folks over at Zettasphere and Emailmonday have released their Email Addiction Survey. Nothing surprising in the data that I can see, although I suspect one particular data point is going to surprise folks.

Read More

Return Path FBL page down

As of 6pm UTC the fbl.returnpath.com website is down. Return Path are aware of the issue and are working to fix it. I haven’t seen any estimated time to fix.

Read More

Why aren’t they answering my emails?

Anyone actively handling deliverability issues has had the experience of submitting a ticket or email and receiving no response. Alternatively, we get a boilerplate response that seems to not address the question. It happens to me, it happens to colleagues, it happens to everyone. One of the biggest challenges we face is taking that lack of response and channeling it into action items for our customers and clients.

Read More

Thinking about filters

Much of the current deliverability advice focuses on a few key ideas:

Read More

Transactional mail can be spam

Marketers have a thing about transactional mail. In the US, transactional mail is exempt from many of the CAN SPAM regulations. If they label a mail transactional, then they can send it even when the recipient has opted-out! The smart marketer looks for opportunities to send transactional mail so they can bother spam get their brand in front of people who’ve opted out.

Read More

Resources for safer conferences

The MAAWG conference was held in Brooklyn a few weeks ago. Many positive discussions and sessions happened at the conference. But there was an incident of harassment during the conference where one participant assaulted multiple other attendees during late evening activities. I’m not going to speak too much to what happened as I wasn’t there. What I will say is that I am proud of my friends and colleagues who stepped up to make sure that the targets of the harassment made it safely to their rooms. I’m also pleased that the conference pulled the harasser’s badge and banned him from the conference in short order.

Read More

Spamhaus DBL

Over the last few months I’ve gotten an increasing number of questions about the Spamhaus DBL. So it’s probably time to do a blog post about it.

Read More

Twilio acquires Sendgrid

Woke up this morning to the news that Sendgrid has been acquired by Twilio in an all stock deal. This fills a gap in Twilio’s platform, they didn’t seem to have any email capability before.

Read More

Good morning DMARC

I’m thinking I may need to deploy DMARC report automation sooner rather than later.

Read More

2018 JD Falk Award … a mailing list

It’s M3AAWG time. Even though we’re not there, I’m getting regular updates from friends and colleagues who are there. Yesterday was the presentation of the 2018 JD Falk award. The award recognises “a particularly meritorious project undertaken by a dedicated individual or group reflecting the spirit of volunteerism and community building.” In this case, the award went to a group of people on the “BEC mailing list.”

Read More

Fun with spam filters

I recently had a challenging travel experience in the Netherlands, trying to get from Schiphol airport to a conference I was speaking at. As part of my attempt to get out of the airport, I installed UBER on my phone. There were some challenges with getting UBER to authorise my phone number, so I tried linking it to my Gmail account.

Read More

All filters are not equal

Many questions about delivery problems often assume that there is one standard email filter and the rules are the same across all of them. Unfortunately, this isn’t really the case.

Read More

Zoho, phishing and who’s next?

ZDnet reports that Zoho’s problems with phishing aren’t over. Their report states that Zoho is being used as a pipeline to exfiltrate data from phished accounts.

Read More

Schroedinger’s email

The riskiest email to send is that very first email. It’s a blank slate. Even if you’re sending confirmation messages, you don’t really know anything about how this email is going to affect your reputation.

Read More

Evolution of policy

Last week, I talked about policy, using some different blocklist policies as examples. In that post I talked about how important it is that policy evolve. One example of that is how we’ve been evolving policy related to companies that get listed on Purchased Lists and ESPs. Who is listed has evolved over time, and we’re actually looking at some policy changes right now.

Read More

Security Truths

Thoughts on policy

A particular blocklist, once again, listed a major ESP this week. Their justification is “this is our policy.” Which is true, it is their policy to list under these circumstances. That doesn’t make it a good policy, or even an effective policy. It’s simply a policy.

Read More

Complaints, contacts and consequences

Yesterday the CRM system Zoho suffered an unexpected outage when their registrar, TierraNet, suspended their domain. According to TechCrunch, Zoho’s CEO says there was no notification to the company and that the company had only 3 complaints about phishing.

Read More

Hitting the ground running

We’ve landed in Dublin and are back at work. Blogging will pick up as I get back into the swing of things.

Read More

Changes are coming…

We’ve been blogging here about email for 11 years now. My first post was published August 29, 2007. In that time, we’ve published more than 2300 posts, and written probably millions of words. For years we have blogged multiple times a week.

Read More

Can I get access to Google Postmaster tools if I’m using an ESP?

The answer is almost certainly yes, but there are definitely cases where the answer is no.

Read More

The Problem With Affiliates

If I see BarkBox I think Spam.

That’s because, despite their marketing team’s effort, Facebook and banner ad budget, the main place I see them advertised is via spam in my mailbox.

Read More

Wildfires and deliverability

A few weeks ago we took a drive down I5 to attend a service at Bakersfield National Cemetery. Amid the acres and acres of almond farms there were patches of black from recent grassfires. Typical but boring California landscape. Wildfires are a hugely destructive but continual threat in California. Growing up on the east coast, I never really understood wildfires. How can acres and acres and square miles just burn?
Having lived in California for almost as long as I lived on the east coast, I understand a bit better. In some ways, I have to. Even living right on the bay, there’s still some risk of fire. Like the grass fire a few miles from here across the street from the FB headquarters a few years ago. Further up the hills, there’s an even bigger risk of fire. Every driver can see the signs and precautions. Fields have plowed firebreaks around the edges. CAL FIRE posts signs alerting the public to the current fire risk status.
What do wildfires have to do with deliverability?
I associate wildfires and deliverability together because of a radio show I did a few years ago. It was pitched as a “showdown” between marketers and deliverability. I was the representative of deliverability. During the conversation, one of the marketers mentioned that deliverability people were too focused on the worst case scenario. That we spoke like we expected a fire to break out at any moment. His point was that deliverability spent too much time focused on what could happen and not enough time actually just letting marketers send mail.
His overall point was deliverability people should put out the fires, rather than trying to prevent them in the first place.
I thought about that conversation during the long drive down I5 the other day. I saw the firebreaks plowed into fields at the side of the road. And I saw the patches of blackness from fires reach along the highway where there were no firebreaks.
There is a group of marketers who really hate the entire concept of deliverability. Their point of view is that deliverability is hampering their ability to make money. I’ve even heard some of them assert they don’t care if 70% of their mail goes to the bulk folder. They should be allowed to send blasts of mail and deliverability shouldn’t tell them what they can do. Deliverability, so the complaint goes, is simply out to hurt marketers.
The only good deliverability is that which gets them unblocked when their behavior triggers IP based blocks. When the field is burning down, they’d like us to come spray water on it. And then go away and let them keep throwing lit cigarettes out their car windows.
But that’s not all that firefighting is about. Much of the work is preventing fires in the first place.  In the US, a lot of that work is done through building codes. There are mandates like smoke detectors, fuel free spaces around dwellings, and sprinklers for some buildings. Monitoring local conditions and enforcing burn bans are also a large part of what the fire service does.
I like the fire fighter motif a lot. Much of what deliverability does is actually about preventing the block. ESPs have building code like standards for what mail is good and what is bad and what can be sent on their networks. Many of us publicly speak and educate about good practices and preventing blocks in the first place.
Fire prevention is about risk management and understanding how little things add up. Deliverability is similar. All the little things senders do to improve their deliverability add up to a lower risk of fire. Yes, things like listbombing happen where even the best deliverability advice wouldn’t have prevented it. But, overall, deliverability wants to help senders get their mail in front of the people who can act on it. Some of that advice, though, takes the form of risk management and saying no.

Read More

Microsoft using Spamhaus Lists

An on the ball reader sent me a note today showing a bounce message indicating Microsoft was rejecting mail due to a Spamhaus Blocklist Listing.
5.7.1 Client host [10.10.10.10] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (S3130). [VE1EUR03FT043.eop-EUR03.prod.protection.outlook.com]
The IP in question is listed on the CSS, which means at a minimum Microsoft is using the SBL. I expect they’re actually using the ZEN list. ZEN provides a single lookup for 3 different lists: the SBL, XBL and PBL. The XBL is a list of virus infected machines and the PBL is a list of IPs that the IP owners state shouldn’t be sending email. Both of these lists are generally safe to use. If MS is using the SBL, it’s very likely they’re using the other two as well.
 

Read More

Minimal DMARC

The intent of DMARC is to cause emails to silently vanish.
Ideally deploying DMARC would cause all malicious email that uses your domain in the From address, but which has absolutely nothing to do with you, to vanish, while still allowing all email you send, including mail that was sent through third parties or forwarded, to be delivered.
For some organizations you can get really close to that ideal. If you control (and know about) all the points from which email is sent, if your recipients are individuals with normal consumer or business mailboxes, their mailbox providers don’t do internal forwarding in a way that breaks DKIM before DMARC is checked and, most importantly, if your recipients are a demographic that doesn’t do anything unusual with their email – no vanity domain forwarding, no automated forwarding to other recipients, no alumni domain forwarding, no forwarding to their “real” mailbox on another provider – then DMARC may work well. As long as you follow all the best practices during the DMARC deployment process it’ll all be fine.
What, though, if you’re not in that situation? What if your recipients have been happily forwarding the mail you send to them to internal mailing lists and alternate accounts and so on for decades? And that forwarding is the sort that’s likely to break DKIM signatures as well as break SPF? And while everyone would advise you not to deploy DMARC p=reject, or at least to roll it out very slowly and carefully with a long monitoring period where you watch what happens with p=none, you have to deploy p=reject real soon now?
What can you do that’s least likely to break things, while still letting you say “We have deployed DMARC with p=reject” with a straight face?

Read More

Consent must be informed

In the deliverability space we talk about permission and consent a lot. All too often, though, consent is taken not given. Marketers and senders assume they have permission to send email, while the recipient is left expecting no email.

Read More

What is spearphishing?

As I’m writing this, I’m watching Deputy Atty General Rod Rosenstein discuss the indictments of 12 Russian military officers for hacking activities during the 2016 election cycle. One of the methods used to gain access to systems was spearphishing.
I think most of us know what phishing is, sending lots of emails to a wide range of people in an attempt to collect some credentials. These credentials are usually passwords to bank or email accounts, but can also be things like Amazon or other accounts.
Spearphishing is an attempt to collect credentials from a specific person. The net isn’t thrown wide, to collect any credentials, rather individuals are targeted and researched. These attacks are planned. The targets are carefully researched and observed. The emails are crafted specifically for that target. If one set of emails doesn’t work, then they try again.
In terms of email marketing and deliverability, phishing is something detectable by many anti-spam filters. They’re sent in bulk, and they all look similar or identical to the filters. Spearphishing isn’t as simple to detect with standard tools. What many organizations have done is try and combat this with warnings in the client. Like this one from Gmail:

Security is becoming a bigger and bigger part of email filtering. I expect that as filters start addressing security more, we’ll see increased warnings like the above.
What can senders do?

Read More

The inbox is a moving target

The more I look at the industry, the more convinced I am that we’re in the middle of a fundamental shift in how email is filtered. This shift will change how we handle email deliverability and what tools we have and what information we can use as senders to address challenges to getting to the inbox.

Read More

Back to the office!

I’m back in the office after a busy June. The 2 continent, 3 city tour was unexpectedly extended to a 4th city thus I was out most of last week as well.
What was I doing? We spent a week in Dublin, which is an awesome and amazing city and I love it a little bit more every time we visit. After Dublin I jetted off to Chicago, where I spoke at ActiveCampaign’s first user conference.
The talk I did for ActiveCampaign was about how we’re in the middle of a fundamental shift in how email is filtered, particularly at the consumer ISPs. In order to reach the inbox, we need to think beyond IP or domain reputation. We need to stop thinking of filters as a way of sorting good mail from bad mail. I touched a little on these concepts in my What kind of mail do filters target? blog post.
The shift in filtering is changing how email reaches the inbox and what we can and should be monitoring. At the same time, the amount of data we can get back from the ISPs is decreasing. This means we’re looking at a situation when our primary delivery fixes can’t be based on feedback from the filters. This is, I think, going to be an ongoing theme of blog posts over the next few months.

The next trip was to spend 2 days onsite at a client’s office. These types of onsite training are intense but I do enjoy them. As this was mostly client specific, there isn’t much I can share. They did describe it as a masterclass in deliverability, so I think it was also intense for them.
That was the planned 2 continent, 3 city tour. The last city was a late addition of a more personal nature. We headed downstate to join my cousin and her family in saying goodbye to my uncle. He was an amazing man. A larger than life, literal hero (underwater EOD, awarded the silver star) whom I wish I had known better. Most of what I remember is how much he loved and adored my aunt.
I’ll be getting back into the swing of blogging over the next few days. It’s good to be back and not looking at traveling in the short term.

Read More

What's up with microsoft?

A c/p from an email I sent to a mailing list.
I think we’re seeing a new normal, or are still on the pathway to a new normal. Here’s my theory.
1) Hotmail made a lot of underlying code changes, learning from 2 decades of spam filtering. They had a chance to write a new codebase and they took it.
2) The changes had some interesting effects that they couldn’t test for and didn’t expect. They spent a month or two shaking out the effects and learning how to really use the new code.
3) They spent a month or two monitoring. Just watching. How are their users reacting? How are senders reacting? How are the systems handling everything?
3a) They also snagged test data along the way and started learning how their new code base worked and what it can do.
4) As they learned more about the code base they realized they can do different and much more sophisticated filtering.
5) The differences mean that some mail that was previously OK and making it to the inbox isn’t any longer.
5a) From Microsoft’s perspective, this is a feature not a bug. Some mail that was making it to the inbox previously isn’t mail MS thinks users want in their inbox. So they’re filtering it to bulk. I’ll also step out on a limb and say that most of the recipients aren’t noticing or caring about the missing mail, so MS sees no reason to make changes to the filters.
6) Expect at least another few rounds of tweak and monitor before things settle into something that changes more gradually.
Overall, I think delivery at Microsoft really is more difficult and given some of the statements coming out of MS (and some of the pointed silence) I don’t think they’re unhappy with this.

Read More

June is travel month!

A quick post to say that posting will be light the next few weeks. I’m off later this week to visit Dublin. After I get back from that I’m headed to Chicago to speak at ACTIVATE hosted by Active Campaign. If you register by tomorrow you can use the code ACTIVATE and get in for $200. It’s looking like a good conference.
I’ll be speaking about deliverability, specifically how email filtering is all sorts of changing. My focus is on how the common “deliverability” techniques aren’t as effective in the new filtering environment. I’ll also be talking about further changes I see coming and how to address them.
After Chicago I’m onsite at a client’s for 2 days in Florida.
Basically, my June is booked. Both Steve and I will be blogging as we get inspired or have something to say. Overall, though, I’m giving myself time off from blogging through the end of the month.

Read More

Whitelisting is dead

A decade or so ago I was offering whitelisting services to clients. It was pretty simple. I’d collect a bunch of information and do an audit on the customer’s sending. They’d get a report back identifying any issues that would limit their chances at acceptance. Then I’d go and fill in the forms on behalf of the client. Simple enough work, and it made clients feel better knowing their mail was whitelisted at the various ISPs.
When email filters were less complex and more binary, whitelists were a great way for receivers to identify which senders were willing to stand up and be held accountable for their mail. Over time, whitelists became much less useful. Filtering technology progressed. Manual whitelisting wasn’t necessary for ISPs to sort out good mail from bad.
The era of whitelisting is over.
In fact, three of the major whitelist providing ISPs were AOL, Yahoo, and Verizon; all three are now a part of OATH. The Verizon whitelist page now redirects to postmaster.aol.com. New requests to signup for the AOL whitelist are rejected with the message that AOL whitelisting is no longer available or necessary. Yahoo has a “new IP review” form rather than a whitelisting form.
Whitelisting is dead.
Even the various certification and whitelisting services have mostly gone away. Both Habeas and Goodmail failed to achieve a profitable exit event. Of course, Return Path is still around, but they have built a platform of tools and services unrelated to whitelisting or certification.
Now senders are going to have to focus on sending mail that people ask for and want in order to make it to the inbox.
 

Read More

Another day another dead blacklist

FADE IN
EMAILGEEKS.SLACK.COM #email-deliverability
It is morning in the channel. The regular crowd is around discussing the usual.
JK, smart, competent head of deliverability at an ESP asks: Anyone familiar with SECTOOR EXITNODES listings and have insight into what’s going on if listed?
ME: Uh, that’s the Tor Exit Nodes list. They think your IP is used by Tor. That’s all sorts of weird. Let me do some digging.
5 minutes of google searches, various dig commands and a visit to the now non-existent sectoor.de website show that the sectoor.de domain expired and is now parked.
ME (back in channel): It looks like the blacklist domain expired and is now parked. So they’re listing the world and nothing to worry about. Not your problem, and not anything you can fix.
JK: Like a UCEProtect fiasco – not just us but everyone?
ME: No, more like the spamcannibal fiasco. The domain expired and so it’s listing the world.
ME: The world would be a better place without MXToolbox worrying about every stupid blocklist. Or even if they would follow the blocklist RFC check for expired domains before panicking the world.
SCENE
 

Read More

Botnet activity warning

A bit of advice from the folks at the CBL, posted with permission and some light editing. I’ve been seeing some folks report longer connection times at some places, and this might explain some of it. It’s certainly possible, even likely, that the large ISPs are getting a lot of this kind of traffic.

A botnet, likely a variant of cutwail, has for the past several years been specializing in using stolen credentials, doing port 25/587 SMTP AUTH connections to the spoofed user’s server, and attempting to relay through the connection to elsewhere. They will also, in some cases, attempt to log into the MX IP using a brute force attack against the email address. Other miscreants try the same thing with IMAP or POP or even SMTPS.
If they manage to compromise an email account, they use the account to send spam. For corporate accounts they can steal employee identities, request wire transfers, and send out corporately authenticated spam. If they get it, game over, the whole account is compromised and they can and do wreak havoc.
This has been going on for a couple of years, and now is the largest volume of spam from botnets. Cutwail is not the only botnet doing AUTH attacks, but appears to be the most prolific. Attacking POP and IMAP appears to be more recent, and is more related to spear-phishing (spamming executives) and other bad things.
In the last month or two, the behavior has changed a bit. The infections are trying to establish as many connections simultaneously as they can get away with. This is similar behavior to ancient or unpatched versions of qmail. This is swamping some servers by tying up a significant number (or even all) of the TCP sockets available.
The CBL is recommending that folks check their mail servers. If the mail server has a “simultaneous connection per IP limit”, it should be set to some limited number. If it’s not set then set it. Otherwise, your server is at risk for being unable to handle real mail. Make sure your IMAP and POP are secured as well, as they are being targeted, too.
The XBL can also help with this. But securing your server is the first step.

Read More

SpamCannibal is dead

The SpamCannibal blacklist – one that didn’t affect your email too much but which would panic users who found it on one of the “check all the blacklists!” websites – has gone away.
It was silently abandoned by the operator at some point in the past year and the domain registration has finally expired. It’s been picked up by domain squatters who, as usual, put a wildcard DNS record in for the domain causing it to list the entire internet.
Al has more details over at dnsbl.com.
If you run a blacklist, please don’t shut it down this way. Read up on the suggested practice in RFC 6471. If you just can’t cope with that consider asking people you know in the industry for help gracefully shutting it down.
Blacklist health checks
If you develop software that uses blacklists, include “health check” functionality. All relevant blacklists publish records that show they’re operating correctly. For IP based blacklists that means that they will always publish “127.0.0.2” as listed and “127.0.0.1” as not listed. You should regularly check those two IP addresses for each blacklist and if 127.0.0.1 is listed or 127.0.0.2 isn’t listed immediately disable use of that list (and notify whoever should know about it).
For IPv6 blacklists the always listed address is “::FFFF:7F00:2” and the never listed address is “::FFFF:7F00:1”. For domain-based blacklists the always listed hostname is “TEST” and the never listed hostname is “INVALID”. See RFC 5782 for more details. (And, obviously, check that the blacklists your software supports out of the box actually do implement this before turning it on).
If you use someone else’s blacklist code, ask them about their support for health checks. If your mail filter doesn’t use them you risk either suddenly having all your mail go missing (for naive blacklist based blocking) or having some fraction of wanted mail being delivered to your spam folder (for scoring based filters).
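The health check described above, written out as an added example (it is not code from this blog or from any blacklist operator). It covers the IPv4, IPv6 and domain test points the post quotes from RFC 5782; the zone names and the stand-in resolver data are constructed for illustration so the demo runs without touching real DNS.

```python
import ipaddress
import socket

# RFC 5782 test points quoted in the post: (always listed, never listed).
TEST_POINTS = {
    "ipv4": ("127.0.0.2", "127.0.0.1"),
    "ipv6": ("::FFFF:7F00:2", "::FFFF:7F00:1"),
    "domain": ("TEST", "INVALID"),
}


def query_name(entry, zone, kind):
    """Build the DNS name that asks the list at `zone` about `entry`."""
    if kind == "domain":
        return f"{entry.lower()}.{zone}"
    addr = ipaddress.ip_address(entry)
    if kind == "ipv4":
        labels = str(addr).split(".")              # four octets
    else:
        labels = list(format(int(addr), "032x"))   # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Return the A records for `name`, or [] when it does not resolve.

    Any lookup failure counts as "not listed", so a list that stops
    answering fails its always-listed check and gets disabled.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_health(zone, kind="ipv4", resolve=system_resolver):
    """Return a list of problems; an empty list means the list is healthy."""
    listed, unlisted = TEST_POINTS[kind]
    problems = []
    if not resolve(query_name(listed, zone, kind)):
        problems.append(f"{listed} is not listed")
    if resolve(query_name(unlisted, zone, kind)):
        problems.append(f"{unlisted} is listed")
    return problems


def usable_lists(lists, resolve=system_resolver):
    """Split {zone: kind} into zones safe to query and zones to disable."""
    enabled, disabled = [], {}
    for zone, kind in lists.items():
        problems = check_health(zone, kind, resolve)
        if problems:
            disabled[zone] = problems   # also the place to notify an operator
        else:
            enabled.append(zone)
    return enabled, disabled


# --- Constructed data: hypothetical zones and a stand-in for DNS ---------
CONSTRUCTED_LISTS = {
    "bl.healthy.example": "ipv4",
    "v6.healthy.example": "ipv6",
    "dbl.healthy.example": "domain",
    "bl.parked.example": "ipv4",   # expired domain with a wildcard record
    "bl.gone.example": "ipv4",     # abandoned list that answers nothing
}
_RECORDS = {
    query_name("127.0.0.2", "bl.healthy.example", "ipv4"): ["127.0.0.2"],
    query_name("::FFFF:7F00:2", "v6.healthy.example", "ipv6"): ["127.0.0.2"],
    query_name("TEST", "dbl.healthy.example", "domain"): ["127.0.0.2"],
}
_WILDCARDS = {"bl.parked.example": "192.0.2.10"}


def constructed_resolver(name):
    """Answer from the constructed records, honouring wildcard zones."""
    if name in _RECORDS:
        return _RECORDS[name]
    for zone, answer in _WILDCARDS.items():
        if name.endswith("." + zone):
            return [answer]
    return []


if __name__ == "__main__":
    ok, bad = usable_lists(CONSTRUCTED_LISTS, resolve=constructed_resolver)
    print("enabled:", ok)
    for zone, problems in bad.items():
        print("disabled:", zone, "->", "; ".join(problems))
```

Run the check on a schedule rather than once at startup, since a list can expire or be abandoned at any time.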

Read More

UCEProtect and GDPR fallout

First thing this morning I got an email from a client that they were listed on the UCEProtect Level 3 blacklist. Mid-morning I got a message from a different client telling me the same thing. Both clients shared their bounce messages with me:

Read More

#GDPR

Twitter has some opinions on #GDPR.

@rianjohnson (Yes, the director of The Last Jedi)

Read More

I subscribed to what?

Tomorrow is GDPR day. That’s the day when the new Global Data Protection Regulations take effect in the EU. I’m sure everyone reading this blog has seen dozens, if not hundreds, of blog posts, articles, webinars, and guidance docs about how to comply. I’m not going to rehash it because other folks know this better than me.
There are some things I’m finding fascinating while watching this whole GDPR thing.
First, the number of companies who have my addresses and I don’t know why. Take Newsweek (yes, the magazine people). They’re sending GDPR notifications to my LinkedIn address. I can’t figure out why they’re harvesting / buying addresses from LinkedIn. Then there’s SALESmango who are some company that started spamming me a few years ago and refuses to accept unsubscribe requests. They’re sending me opt-in requests. Yeah, no, go away. I told you to stop, but wow, you won’t.
Another interesting piece is just how much I’ve signed up for over the last 18 – 20 years I’ve been using this set of addresses. Wow. So much mail. And, generally, I thought of myself as relatively careful in who I gave email addresses to. I don’t normally go around dropping addresses into forms but even a couple a month adds up over 20 years.
Then there are the companies violating CAN SPAM in one way or another. Sending mail to unsubscribed addresses and refusing to include an opt-out link are the two things I’ve seen regularly. Yeah, no. I think it’s safe to say that if I’ve opted out from receiving your mail, you should probably put my data away in a dark closet and not touch it again. But.. but.. but… But nothing. Go away. As for the lack of an unsubscribe link, get over yourself. You’re not that special. I don’t think that this really is something that counts for exemption.
Also, is there an official template? So many of these emails look identical. I have to give credit to whomever did it first. Because if plagiarism is the sincerest form of praise, you have an entire industry praising you.
Finally, it’s been amusing to watch the general frustration with all the GDPR mail. It seems many people are getting tired of the deluge. That’s OK, though, it should end by Saturday. Or so we can only hope.
 

Read More

OATH and Microsoft updates

I’ve seen multiple people asking questions about what’s going to happen with the Yahoo and AOL FBLs after the transition to the new Oath infrastructure. The most current information we have says that the AOL FBL (IP based) is going away. This FBL is handled by the AOL infrastructure. As AOL users are moved to the new infrastructure any complaints based on their actions will come through the Yahoo complaint feedback loop (CFL). The Yahoo CFL is domain based. Anyone who has not signed up for the Yahoo CFL should do so.
When registering you will need each domain and the selectors you’re planning on using. Yahoo will send an email with a confirmation link that needs to be clicked on within a short period of time in order to activate the FBL.
Microsoft’s SNDS program had an outage at the end of last week. That’s been fixed, but the missing data will not be back populated into the system. This has happened a couple times in the past. It seems the system gets a live feed of data. If, for some reason, the data is interrupted, then it’s gone and doesn’t get populated.

Read More

A little housekeeping

I’ve been blogging regularly for over a decade now, and for much of that time I’ve posted 5 days a week. For a lot of reasons I’m finding that schedule harder and harder to keep up with. Part of it is that this spring I took on more, and bigger, clients than I have in the past. This means a larger portion of my time is scheduled and committed than in the past. I also find myself wanting to write about bigger, more complex issues; stuff that takes longer than the 45 minutes – 2 hours I regularly spend on blog posts.
The last few months, I’ve been considering what to do about blogging. I could simply cut back the amount I write here. Except that regularly blogging forces me to think about what’s going on in the broader industry, and that’s important to me and I think makes me a better consultant. I could write a few short posts a week, and a bigger meatier post once or twice a month, but I’ve been me long enough to know that’s not the best solution. I could just keep going as I have been most of this year and just post when I have something to say and not worry about frequency.
I still don’t have the answer. Of course, there’s not a right answer, there’s just a move forward and do what works. I have a lot of travel coming up next month (including speaking at Activate: The ActiveCampaign Conference) so things might get wonky for a while. But, I’m not planning on giving up blogging.
One of the consequences of my time constraints is that I have handed comment moderation off to other folks. Comments might sit for longer than they used to before approval. They’re being processed, just a little more slowly than they have in the past. I don’t think it’s a big deal, it’s not like there’s a significant horde of commenters here. When I was moderating comments basically anything that contributed to the discussion and didn’t come from a forged email address was approved. The current policy is similar.
I am around on the email geeks slack channel, and am often talking about stuff on the deliverability channel.
Thus ends the housekeeping.
 

Read More

Want some history?

I was doing some research today for an article I’m working on. The research led me to a San Francisco Law Review article from 2001 written by David E. Sorkin. Technical and Legal Approaches to Unsolicited Electronic Mail (.pdf link). The text itself is a little outdated, although not as much as I expected. There’s quite a good discussion of various ways to control spam, most of which are still true and even relevant.

From a historical perspective, the footnotes are the real meat of the document. Professor Sorkin discusses many different cases that together establish the rights of ISPs to filter mail, some of which I wasn’t aware of. He also includes links to then-current news articles about filtering and spam. He also mentions different websites and articles written by colleagues and friends from ‘back in the day’ discussing spam on a more theoretical level.
CNET articles on spam and filtering were heavily referenced by Professor Sorkin. One describes the first Yahoo spam folder. Some things never change, such as Yahoo representatives refusing to discuss how their system works. There were other articles discussing Hotmail deploying the MAPS RBL (now a part of Trend Micro) and then adding additional filters into the mix a few weeks later.
We were all a little naive back then. We thought the volumes of email and spam were out of control. One article investigated the effectiveness of filters at Yahoo and Hotmail, and quoted a user who said the filters were working well.

Read More

Anyone know why…

Countless questions about email troubleshooting start with “does anyone know why.” Unfortunately, most of these questions don’t contain enough detail to get a useful answer.

In the case of email, even the smallest redactions, like the IP address and the domain in question, can make it difficult for anyone to provide help. Details matter.
Every detail matters, sending IP and domain are just the beginning. Who’s doing the sending? What is their authentication setup? What IP are they using? How were the addresses collected? What is their frequency? What MTA is used? Are they linking to outside sites? Are they linking to outside services? Where are images hosted?  Is the mail going to the bulk folder or being rejected? What ISPs or filters are involved?
The relevant questions go on and on and on.
We send fairly detailed question lists to clients. I regularly look at them to try and make them shorter. But the reality is these are questions that are relevant. Without enough information we simply cannot troubleshoot delivery problems.
 

Read More

How to hire an affiliate

Yesterday I talked about all the reasons that using affiliate email can hurt overall delivery. In some cases, though, marketing departments and the savvy email marketer don’t have a choice in the matter. Someone in management makes a decision and employees are expected to implement it.
If you’re stuck in a place where you have to hire an affiliate, how can you protect the opt-in marketing program you’ve so painstakingly built? Nothing is foolproof, but there are some ways you can screen affiliates.

Read More

Affiliate marketing overview

Most retailers have realized that sending unsolicited email is bad for their overall deliverability. Still, the idea they can send mail to people who never heard of them is seductive.
Enter affiliate email. That magical place where companies hire an agency, or a contractor, or some other third party to send email advertising their new product. Their mail and company reputation is protected because they aren’t sending the messages. Even better, affiliates assure their customers that the mail is opt-in. I’m sure some of them even believe it.
The reality is a little different from what affiliates and their customers want to believe.

Read More

SNDS issues and new Gmail

A bunch of folks reported problems with Microsoft’s SNDS page earlier today. This afternoon, our friendly Microsoft rep told the mailop mailing list that it should be fixed. If you see problems again, you can report it to mailop or your ESP and the message will get shared to the folks who can fix it.
The other big thing that happened today was Gmail rolled out their new inbox layout.
It’s… nice. I’ll be honest, I am not a big gmail user and have never been a huge fan. I got my first account way-back-during-the-beta. I used it to handle some of my mailing list mail. I could never work out how to get it to stop breaking threads by deciding to put some mail into the junk folder. I just gave up and went back to my shell with procmail (now sieve) scripts. I still have a couple lists routed to my gmail account, and the filtering is much improved – I can at least tell it to never bulk folder certain email.
The feature I’m really interested in is the confidential, expiring email. I’m interested in how that’s going to work with non-Gmail accounts. Within Gmail makes perfect sense, but I don’t think Gmail can control mail once it’s off their system.

My best guess is that Gmail will end up sending some type of secure link to recipients using non-Gmail mail servers. The message itself will stay inside Google and recipients will only be able to view mail through the web. That’s how the vast majority of secure mail systems work.
If anyone has the secure message already, feel free to send me a secure message. I’ll report back as to how it works.

Read More

No, I won't rate you!

Brick and mortar stores have tried to use feedback as a means of driving customer engagement for a while. Anyone who’s shopped at a big chain here in the US knows what I mean. You buy a pack of gum and end up with a 2 foot long receipt. At the bottom of the receipt there is a URL and bar code. The cashier circles the bar code and cheerfully tells you to go online and tell corporate about their service.
If you go to the website, they ask you for specific purchase information (time, date, store number, amount, cashier) and ask a bunch of questions about the store. Then, they offer you a chance to win something (gift card, something) if you’ll provide them with your personal information.
Note: This particular form does not allow you to continue at all unless you’ve filled in the information request. Even if you check “prefer not to answer” the page throws up an error message and tells you to provide a valid phone number.
More recently email marketers have jumped on the asking for feedback bandwagon. Over the last few weeks multiple companies have sent me emails asking how my visit to their website was. It… was a website? I mean I went to your website and checked my credit card bill, it told me how much I owed. Your tech support told me they couldn’t fix my problem over chat, I’d have to take my laptop in for repairs. My package arrived and if it didn’t you can be sure I would have reached out to you.
And it’s not just online services that do this. Hotels send followup surveys, which if you’re a frequent traveler turns into a full time job. Yes, I visited your hotel it’s very nice. If I’m in town and that’s where the conference I’m attending is hosted, I’ll probably be back.
I get it, the more chances you provide for people to interact with your brand the more engaged they are and the more likely they are to purchase from you. But a simple search of my mailbox shows over a dozen messages from companies over the last few weeks, all of them asking me for feedback on their services. I’d like a little less email, please. The bank, the mortgage company, the credit card company, the food delivery service I used, the clothing website, the travel website, the ride share service, the hotel… the list goes on and on.
If only a few companies did this, it wouldn’t be such a big deal. But as more and more companies adopt the triggered email followup (and the followup reminder and the final reminder and the final final reminder), recipients are going to get tired of the messages. Some of the requests don’t even have opt-outs, although the majority of the ones in my mailbox do.
I get that each company is only responsible for the mail they, in particular, are sending. But the user has a different frame of reference, and maybe it’s time to consider that using surveys and triggered emails to drive engagement may not be a long term sustainable business model. The rest of the companies out there using the same strategy are going to ruin it for everyone.
 

Read More

Laposte rejections

Update: The issue seems to have been resolved and Laposte say they’re no longer sending the 519 responses as of April 25th 2018.
Laposte.net are having a bad couple of weeks. There’ve been reports from customers of their IMAP service being unusable, with attempts to move or delete messages timing out and expected emails simply not arriving.
Several delivery friends have mentioned that they’re rejecting mail with errors that look like this:

Read More

Don't bother unsubscribing

In the early years of the spam problem, a common piece of advice was to never unsubscribe. At the time, this made a lot of sense. Multiple anti-spammers documented spammers harvesting addresses from unsubscribe forms. This activity tapered off around 2000 or so, although the myth persisted for much longer.

These days, there isn’t much harm in unsubscribing. I even spent a full month unsubscribing from spam at one of my dormant accounts (Yes, spam is still a problem). While the graph shows an initial increase in spam, levels dropped for the next few months. By the time I cancelled the account in 2017, spam levels were very low. I don’t know if the decrease was due to the unsubscribing or if there were improvements in the filtering appliance the ISP used.
More recently the biggest problem is senders that don’t honor unsubscribes. There are a lot of reasons this can happen and they’re not all malicious. Still, too many companies don’t care enough to actually make sure their unsubscribe process is working. I’ve had way too many companies “lose” unsubscribe requests, sometimes years after I asked them to stop. I expect many of these cases are accidents. They switch ESPs and decide or forget or otherwise fail to transfer unsubscribes to the new ESP. But, in other cases, there doesn’t seem to be any ESP change. It appears the companies think that they can reactivate unsubscribes at some point (pro tip: there is no expiration on legally required unsubscribe requests).
All of this leads to my current recommendation: yeah, unsub if you feel like it, it’s unlikely to hurt, and it’s possible it will help. But, don’t expect them to actually work permanently. Companies just don’t care enough to make them permanent.
 
 

Read More

Widespread Microsoft phishing warnings today

People throughout the industry are reporting phishing notices in a lot of mail going through Microsoft properties this morning. I even got one in an email from one of my clients earlier today.

Multiple people have talked to employees inside Microsoft, and I suspect their customers have been blowing up support about this. I know they’re aware, I suspect they’re frantically working on a fix.
Update 11 am PDT: It appears this filter is firing when mail has the word “hotmail” in it. This includes if non displaying text (like CSS) has the word in it. It feels like they were attempting to mitigate something and wrote a rule that wasn’t quite right. Still no word on a fix, but don’t panic.
Update 12:30 PDT: Reports are that the warning is gone. No word from Microsoft, but as long as things get fixed we don’t need it.

Read More

Change is coming…

A lot of email providers are rolling out changes to their systems. Some of these changes are so they will comply with GDPR. But, in other cases, the changes appear coincidental with GDPR coming into effect.
It seems, finally, some attention is being paid to the mail client. Over the last few years the webmail providers have tried to upgrade their interface.  Many of the upgrades are about managing high volumes of email in a more efficient manner. Google uses tabs while Microsoft has sweep and focused inbox.
It’s about time the mail client got an overhaul. My Apple mail client doesn’t look all that different from the desktop client I was using on OS/2 Warp back in the late 90s. In some ways the OS/2 client was actually more functional. And, well, I do miss a lot of the flexibility of mutt in the shell.
Today, Google announced to Google Suite administrators that they would be rolling out a major client overhaul. G Suite admins who want to can join the early adopter program in the coming week. Techcrunch has a sketch of what the new mailbox layout looks like, done by someone who says they saw a Google engineer working on a train.
What’s interesting about the sketch is it seems tabs are going away. Given how many senders hate tabs I’m sure this is a welcome relief. We’ll see, though, if there’s not more inbox management built into the new client or not. The nifty new features are “snooze” – hide this email for some period of time and bring it back at some point in the future. The other big thing is calendar access right from the mail client.
I expect, too, that as OATH brings the Yahoo and AOL mailboxes under one banner, there will also be some changes there. All of this amounts to more uncertainty in the email delivery space. But we’ll get through, we always do.

Read More

Brand indicators in email

A number of companies in the email industry have been working on a way to better identify authenticated emails to users. One proposal is Brand Indicators for Message Identification (BIMI). A couple weeks ago, Agari announced a pilot program with some brands and a number of major consumer mail providers. These logos should be available in the Yahoo interface now and will be rolling out at other providers.

Read More

Updating the filtering model

One thing I really like about going to conferences is they’re often one of the few times I get to sit and think about the bigger email picture. Hearing other people talk about their marketing experiences, their email experiences, and their blocking experiences usually triggers big picture style thoughts.
Earlier this week I was at Activate18, hosted by Iterable. The sessions I attended were interesting and insightful. Of course, I went to the deliverability session. While listening to the presentation, I realized my previous model of email filtering needed to be updated.

Read More

A Minute of Email

Vala from Salesforce shared this infographic this morning.
 

(from Statista)
It estimates that in one minute on the 2017 Internet there were 25,000 tweets, 3.8 million google searches, 29 million SMS messages and 156 million emails sent.
Email is still a pretty vibrant messaging channel.

Read More

AOL Postmaster page changes

AOL has disabled the IP reputation check and the rDNS lookup on their postmaster pages. Given AOL isn’t handling the first mail hop any longer, this makes perfect sense. They simply don’t have the kind of data they did when they were handling mail directly from the sender MTA.
There’s no information, yet, on whether or not that functionality will be added / replicated over at Yahoo.

Read More

How long does it take to change reputation at Gmail?

Today I was chatting with a potential client who is in the middle of a frustrating warmup at Gmail. They’re doing absolutely the right things, it’s just taking longer than anyone wants. That’s kinda how it is with Gmail: while their algorithm can adapt quickly to changes, sometimes, like when you’re warming up or trying to change a bad reputation, it can take 3 – 4 weeks to see any direct progress.
This is a screenshot of IP reputation on Google Postmaster Tools. The sender made some significant changes in mail sending on some of their IP addresses starting in mid to late December. You can see that the tools noticed and the reputation of those IPs went from bad to good fairly rapidly. It took a few more weeks of consistent sending for those two IPs to switch to yellow. And it took around another month for the reputation to flip to high.
Because this company is doing all the right things, and they’re seeing (as they describe it) some small amounts of improvement, I told them to give it another couple weeks. If they weren’t happy with their progress I could help them. But, frankly, until we can tell if this is something other than a normal warmup there isn’t much else to do.
When I got off the phone I felt very much like a doctor telling a patient to take two aspirin and call me in the morning. But, honestly, sometimes that is the right answer. Give it time.

Read More

Spam isn't going away

I got a piece of B2B spam last week that showed in several different ways why spam isn’t going away any time soon.
Systemic problems dealing with abuse at scale at Google. Ethics problems at Cloudflare. Problems dealing with abuse at scale at Amazon. Cultural problems in India, several times over.
Buckle up.

Read More

Yahoo fixed

The Yahoo bounce problem has been resolved. There were erroneous ‘554: this user does not have a yahoo.com account’ bounces between March 14 and March 16. If you attempted to send mail and received this bounce during that time you can reactivate the address in your database. Most ESPs should be able to help you with this.
Moving forward, though, these bounces are valid and addresses should be removed from your list according to standard data hygiene processes.

Read More

The data are what they are

I’ve had a lot less opportunity to blog at the recent M3AAWG conference than I expected. Some of it because of the great content and conversations. Another piece has to do with lack of time and focus to edit and refine a longer post prompted by the conference. The final issue is the confidential nature of what we talk about.
With that being said, I can talk about a discussion I had with different folks over the looking at A/B testing blog post from Mailchimp. The whole post is worth a quick read, but the short version is when you’re doing A/B testing, design the test so you’re testing the relevant outcomes. If you are looking for the best whatever to get engagement, then your outcome should be engagement. If you’re looking for the best thing to improve revenue, then test for revenue.
Of course, this makes perfect sense. If you do a test, the test should measure the outcome you want. Using a test that looks at engagement and hoping that translates to revenue is no better than just picking one option at random.
That particular blog post garnered a round of discussion in another forum where folks disagreed with the data. To listen to the posters, the data had to be wrong because it doesn’t conform to “common wisdom.” The fact that data doesn’t conform to common wisdom doesn’t make that data wrong. The data is the data. It may not answer the question the researcher thought they were asking. It may not conform to common wisdom. But barring fraud or massive collection error, the data are always that. I give Mailchimp the benefit of the doubt when it comes to how they collect data as I know they have a number of data scientists on staff. I’ve also talked with various employees about digging into their data.
At the same time the online discussion of the Mailchimp data was happening, there was a similar discussion happening at the conference. A group of researchers got together to ask a question. They did their literature review, they stated their hypothesis, they designed the tests, they ran the tests. Unfortunately, despite this all being done well, the data showed that their test condition had no effect. The data were negative. They asked the question a different way, still negative. They asked a third way and still saw no difference between the controls and the test.
They presented this data at the conference. Well, this data went against common wisdom, too, and many of the session participants challenged the data. Not because it was collected badly, it wasn’t, but because they wanted it to say something else. It was the conference session equivalent of data dredging or p-hacking.

 
Overall, the data collected in any test, from a simple marketing A/B test through to a phase III clinical trial, is the answer to the question you asked. But just having the data doesn’t always make the next step clear. Sometimes the question you asked isn’t what you tested. This doesn’t mean you can retroactively find signal in the noise.
Mailchimp’s research shows that A/B testing for open rates doesn’t have any effect on revenue. If your final goal is to know which copy or subject line makes more revenue, then you need to test for revenue. No amount of arguing is going to change that data.
 
 

Read More

UPDATE: Spike in Yahoo unknown users

I still don’t have any solid information on the cause of the Yahoo bounces. I do know that folks inside Yahoo are looking into the issue.
However, multiple people (including my clients) are reporting that the addresses that are bouncing have very recent click and open activity. Other reports say these addresses deliver on a resend.
It looks like my advice yesterday was incorrect. I’m currently telling clients to continue mailing addresses for the time being.
 

Read More

Possible spike in Yahoo unknown users

Multiple folks are mentioning seeing an increase in “user unknown” responses from Yahoo. Some people are discussing this with Yahoo.
Right now, best advice is to believe these are accurate user unknowns. UPDATE: There is increasing evidence these are not valid user unknowns. See next post.

Read More

Speaking in June

ActiveCampaign is hosting their very first user conference in Chicago in June. I am honored to be a part of their speaker lineup.
Early bird registration only $450 through April 30.

Read More

Happy International Women's Day

It’s International Women’s Day, and I thought I’d take a moment to mention some of the many, many women who have inspired me and helped me along the way. Some of them work in deliverability and compliance. Others are business colleagues. Still others are cheerleaders and inspiration. All of them make the world a better place.

Read More

What does good IP Reputation get you?

Today I was discussing some mailing list posts with an ESP colleague. He was telling me some interesting numbers he’d collected from different IP pools they maintain. He was testing routing mail through IPs based on subscription process and routing based on engagement metrics. The data showed that inboxing rates were similar across the test groups. As he put it, “IP reputation didn’t have much impact on inbox delivery.”

I’m not surprised. I’ve been talking for a while about how IP reputation is less important in reaching the inbox. In fact, it was almost 5 years ago now that I wrote The Death of IP Based Reputation. I updated it in 2015 with Deliverability and IP Reputation. Overall, IP reputation is a much smaller piece of reaching the inbox now than it has been in the past. I’ve talked about the reasons for this in the above posts. The short version is:

Read More

And… we're back

There was an unexpected break in blogging over the last 2 weeks. Between M3AAWG, a week of house guests and some upcoming big changes I didn’t get much writing finished. I started, and am still working on, about half a dozen different posts.
Thanks for your patience, we’ll get back to our regularly scheduled writing soon.
 
 

Read More

2017 Deliverability Benchmark report

Return Path has released their 2017 Deliverability Benchmark Report. I haven’t had a chance to look at it, but did download it earlier today.
EContent has a summary of the article up, with the headline Research Finds Email Senders with Strong Subscriber Engagement Are Likely to See Less Email Delivered to Spam. Useful data points they pulled out include:

Read More

Metric Monetization

As a digital channel, email provides a lot of different metrics for marketers to use. Not only can marketers measure things like open and click rates, but they can tie these numbers back to a particular recipient. This treasure trove of information leads to obsessing over making the numbers look good. For good deliverability senders want low bounce rates, low spamtrap rates, and high engagement rates.
These metrics are important because they’re some of the things that filters look at when making delivery decisions. We care about this data because the receiver ISPs care about the data. The ISPs care about this data because they are characteristics of wanted and/or opt in email.

Over the past few years, a number of companies have been selling services that provide good metrics.

Read More

Spring in San Francisco

And, of course, that means M3AAWG is coming to town. I’m speaking on two panels this conference and will be around starting mid-day Monday. Of course, half the fun of M3AAWG is watching the swarms of posts on Facebook of friends traveling to wherever.
Those of you visiting, weather is nice. Sadly (as we’re heading back into drought) we’re not expecting rain next week. And, we’re back up at the top of the hill – across the street at the Fairmont.
Looking forward to seeing everyone.

Read More

Following CAN SPAM isn't enough to reach the inbox

One of the top entries on the list of things deliverability folks hear all the time is, “But my mail is all CAN SPAM compliant!” The thing is… no one handling inbound mail really cares. Seriously. CAN SPAM is a law that is little more than don’t lie, don’t hide, and heed the no. Even more importantly, the law itself states that there is no obligation for ISPs to deliver CAN SPAM compliant mail.

Read More

Did the algorithm change?

When faced with unexplained deliverability changes, one of the first questions many folks ask is “Did the algorithm change?” In many ways this is a meaningless question. Why? Because there are two obvious answers to the question.
A1: Of course it didn’t.
A2: Of course it did.
Both answers are correct, but they’re answering different underlying questions. When we understand how two diametrically opposed answers are both correct, we understand much more about filtering.

Read More

More on AOL transition to Oath Infrastructure

AOL posted on their blog today about changes to DMARC reporting and FBL messages as they continue to transition domains to the OATH infrastructure. As AOL domains go to the new infrastructure, DMARC reports for those domains will be included in the existing Yahoo DMARC reports.
After the MX migration is done, they’ll start migrating the actual user mailboxes. Right now, FBL messages for AOL properties are coming from AOL and will continue to do so until the actual mailbox is transitioned to the new infrastructure. Once the mailbox is transitioned, then any FBL emails from that address will come from the Yahoo infrastructure. The blog post at AOL suggests signing up for both AOL and Yahoo FBLs during this transition phase.
It does bring up an interesting question as to whether or not the combined FBL is going to be IP based, DKIM based or a mix of both. It sounds like at least during some part of the consolidation there will be a DKIM only FBL. It could be that there will be some expansion to an IP system in the future. Or, it could be that all FBLs from AOL addresses will be based on DKIM domain.

Read More

Where to get deliverability help

There are lots of places to get deliverability help, I thought I’d list some of them here so I have a post to point people to.

Of course, we provide deliverability consulting services and have done since 2001. Our customers are mostly large companies sending millions of emails a month. I focus mostly on complex problems that other deliverability folks haven’t solved. Overall I focus on understanding client programs and business needs as well as current deliverability situation. Once I have a picture of a client’s program, I craft solutions that work with their business processes and get mail to the inbox. We don’t sell tools or certification. Instead, we work with our clients to help them fix delivery and teach them how to analyze the data they already have.
The nature of the work I do is intensive and I limit the number of clients I have in order to provide personalized service. But that’s OK! We have 2000+ blog posts to answer questions. And, there are lots of other companies that provide deliverability help. Here’s a partial list of places to look for resources.

Read More

List-Unsub header

Benjamin asked in the comments where in the interface the “unsubscribe” or “block” popup appeared. This is the dialog box Microsoft uses when they add the “unsubscribe here” link at the top of a message. Screenshots taken today from my Hotmail account:
At this point we have 3 of the major webmail providers (Yahoo, Microsoft, Gmail) using List-Unsubscribe headers and at least one mobile client (Apple Mail). 20 years on it seems List-Unsubscribe is finally gaining traction.
Notice, too, that ISPs hold their own mail to the same standards as outside mail. This really is Microsoft offering to let me block everything from MSN News.
 

Read More

GDPR and Whois data

For folks who aren’t following the discussion about whois records and GDPR compliance there’s a decent summary at vice.com: What Is Going to Happen With Whois?

Read More

Yahoo List-Unsub header

Last week some folks were mentioning a spike in unsubscribes from Yahoo. This is being investigated.
 

Read More

Microsoft using the List-Unsubscribe header

An interesting observation from Brian Curry about how Microsoft is using the List Unsubscribe header in their interface. The short version is that Microsoft is only supporting mailto: links. They’re ignoring any List-Unsubscribe links that are a URL.
Here are some screenshots. When the sender is using a List-Unsubscribe <http://> header, Microsoft states that there is no information on how to help the user unsubscribe, so they offer to block the sender instead. Like in these two messages.
When the List-Unsubscribe header uses a mailto: link, Microsoft uses completely different language in the popup and does let the user know any future mail will go to the junk folder.

Read More

AOL MX Change update

The AOL postmaster team posted some information about the upcoming MX transition on their blog.

Read More

Still with the Microsoft problems

We took a quick trip to Dublin last week. I had every intention of blogging while on the trip, but… oops. I did get to meet with some clients, and had a great dinner while discussing email and delivery.

Coming back, I see a lot of folks still reporting delivery problems to Microsoft properties. I’ve been operating under the assumption this was temporary as kinks were worked out after the migration. I’m still pretty convinced not all of the problems are intentional. Even the best tested code can have issues that only show up under real load with real users. Reading between-some-lines tells me that the tech team is hard at work identifying and fixing issues. There will be changes and things will continue to improve.
With all that being said, I think it’s important to realize that delivering to the new system is not the same as delivering to the old system. This is a major overhaul of their email handling code, representing multiple years’ worth of planning and development inside Microsoft. It’s very likely that not all of the current delivery problems are the result of deployment. Some of the problems are likely a result of new standards and thresholds for reaching the inbox. What worked a year ago to get into the inbox just doesn’t any more.

Read More

AOL Changes

We’ve known for a while that AOL email infrastructure is going to be merging with Yahoo’s, but apparently it’s happening sooner than anyone expected.
The MXes for aol.com will be migrated to Yahoo infrastructure around February 1st. Reading between the lines I expect that this isn’t a flag day, and much of the rest of the AOL email infrastructure will be in use for a while yet, but primary delivery decisions will be made on Yahoo infrastructure.
The AOL and Yahoo postmaster teams are pretty smart so I assume they’ll have made sure that their reputation data is consistent, and be doing everything else they can do to make the migration as painless as possible. But it’s a major change affecting a lot of email, and I wouldn’t be surprised to see some bumpiness.
If you’ve done anything … unwise … with delivery to AOL addresses, such as hard-wiring MXes for delivery to aol.com, you should probably look at undoing that in the next week or so. I’m guessing the changeover will happen at the DNS level, so if you’ve nailed down delivery IPs for aol.com you might end up trying – and probably failing – to deliver to the old AOL infrastructure.
 

Read More

Oh, Microsoft

Things have been a little unsettled at Microsoft webmail properties over the last few months. A number of ESPs reported significantly increased deferrals from Microsoft properties starting sometime late in November. Others saw reduced open rates across their customer base starting in late October. More recently, people are noticing higher complaint rates as well as an increase in mail being dropped on the floor. Additionally, Return Path announced certification changes at the end of November lowering the Microsoft overall complaint rate to 0.2%, half of what it was previously.

Overall, sending mail to Microsoft is a challenge lately. This is all correlated with visible changes which may seem unrelated to deliverability, but actually are. What are the changes we know about?

Read More

Google makes connections

One of the client projects I’m working on includes doing a lot of research on MXs, including some classification work. Part of the work involves identifying the company running the MX. Much of the time this is obvious; mail.protection.outlook.com is office365, for instance.

There are other cases where the connection between the MX and the host company is not as obvious. That’s where Google comes into play. Take the domain canit.ca; it’s an MX for quite a few domains in this data set. Step one is to visit the website, but there’s no website there. Step 2 is to drop the domain into Google, which tells me it’s Roaring Penguin software.
In some cases, though, the domain wasn’t as obvious as the Roaring Penguin link. In those cases, Google would present me with seemingly irrelevant hosting pages. It didn’t make sense until I started digging through hosting documentation. Inevitably, whenever Google gave me results that didn’t make sense, they were right. The links were often buried in knowledge base pages telling users how to configure their setup and mentioning the domain I was searching for.
The interesting piece was that often it was the top level domain, not the support pages, that Google presented to me. I had to go find the actual pages. Based on that bit of research, it appears that Google has a comprehensive map of what domains are related to each other.
This is something we see in their handling of email as well. Gmail regularly makes connections between domains that senders don’t expect. I’ve been speaking for a while about how Gmail does this, based on observation of filtering behavior. Working through multiple searches looking at domain names was the first time I saw evidence of the connections I suspected. Gmail is able to connect seemingly disparate hostnames and relate them to one another.
For senders, it means that using different domains in an attempt to isolate different mail streams doesn’t work. Gmail understands that domainA in acquisition mail is also the same as domainB in opt-in mail is the same as domainC in transactional mail. Companies can develop a reputation at Google which affects all email, not just a particular mail stream. This makes it harder for senders to compartmentalize their sends and requires compliance throughout the organization.
Acquisition programs do hurt all mail programs, at least at Gmail.
 

Read More

Happy 2018

This is the time of year when everyone starts posting their predictions for the coming year. Despite over a decade of blogging and close to 2500 blog posts, I haven’t consistently written prediction articles here. Many years I don’t see big changes on the horizon, so there’s not a lot to comment on. Incremental changes are status quo, nothing earth shattering there. But I’ve been thinking about what might be on the horizon in 2018 and how that will affect email marketing.

Read More

November 2017: The Month in Email

We’re in the thick of the busiest time of the year for email. It’s been so busy, in fact, that we’ve seen some slowdowns and delivery issues across the email universe. It may be worth thinking about alternate strategies for end of year promotions beyond Black Friday and Cyber Monday.
I was delighted to chat with Julia Angwin for her ProPublica piece on subscription bombing and abuse prevention. Her piece is a good introduction to the topic, and very much worth reading.
ICYMI, I did a rough analysis of the data from our survey on Google Postmaster Tools. Stay tuned for more insights when I have a moment to explore this further.

Read More

Email Marketing Trends from Freshmail

[#INFOGRAPHIC] Email marketing trends 2018


It’s always an honor to be asked to provide quotes and thoughts with experts in the field. Sometimes the day to day gives me tunnel vision, but things like this give me the opportunity to think more globally. Hands down, though, the best part is seeing the final product and hearing what other folks have to say.
Go check out the full infographic.

Read More

Deliverability is critical for marketing

It is increasingly clear that successful email marketing programs measure and emphasize deliverability. No longer is deliverability the crisis management team called when everything breaks. They’re part and parcel of an effective email marketing team.
Today I watched a bit of the EIS livestream where acquisition marketers were discussing their processes. Every one of them talked about things that are critical for deliverability as core to their business.

Read More

Microsoft MXs changed over

Today on MailOp the migration of Microsoft freemail domains to the Office 365 backend was announced. Over the next week the mx*.hotmail.com mail servers will stop working. Check your settings, folks, and make sure you’re correctly querying DNS before sending.

Read More

Vodafone New Zealand: sorta shutting down

Vodafone NZ is shutting down mail handling for the following domains as of today, Nov 30, 2017.

Read More

It's not a technical problem

You can’t technical your way out of the bulk folder. I wrote that a year and a half ago, and it’s even more true today. Filters at the big webmail providers continue to evolve to meet new threats and new spamming techniques. Sending technically perfect mail won’t get your mail into the inbox. Recipients have to want the mail and interact with the mail for good delivery.
 

Read More

Cyber Monday volumes

Wow! Congrats to all the senders out there for sending So Much Volume that mail servers are full. I’ve even seen reports that STARTTLS connections are taking multiple seconds to establish at Gmail. The volume of mail that it takes to make Google slow down is impressive.

Of course, Gmail isn’t the only system exhibiting slowdowns. Other major consumer webmail providers are also showing signs their servers are under heavy load. I’m seeing reports about both AOL and Microsoft accepting mail slowly. Oddly enough, I’ve not seen anything about Yahoo having issues. Maybe folks just never use yahoo.com addresses any more.
There may not be a fix for this. It is very possible receiving systems just do not have the capacity to handle the volume of mail folks want to send today. If senders have, collectively, decided to send more mail than max capacity there isn’t much that can be done. Maybe some very forward thinking ISPs have spare servers they can deploy, but it’s unlikely.
No major advice here, just a warning that receivers may not be able to access all the mail that’s currently being shoved at them. Nothing to do except retry, and perhaps hold off some “less urgent” sends until after normal business hours. Those of you who are sending Cyber Monday sales emails may just have to extend them to Tuesday in some cases.
EDIT: After I posted this, I saw problems with Yahoo (mail accepted but not making it to the inbox) and Earthlink as well.

Read More

Busiest email time of the year

Everyone ready for Black Friday and Cyber Monday campaigns? I know many retailers are already mailing; my inbox is exploding with offers. For me, this is often a quiet time of the year. As a strategist, most of my work happened months ago. Now, it’s time for execution.
I wish everyone a successful week of mailing.
May your deliverability be high.
May your subject lines be correct.
May your personalization work.
May your strategy rock.

Read More

Catchall domains

Catchall domains accept any mail to any email address at that domain. They were quite common, particularly at smaller domains, a long time ago. For various reasons, most of them having to do with spammers, they’re less common now.

Most folks think catchall domains are only used for spamtraps. As a consequence, many of the address verification tools will filter out, or recommend filtering out, any address that goes to a catchall domain. They test this by trying to send emails to random addresses like sldqwhhxbe+ym7ajymw23gm0@clientspecific.domain.example.
But not all catchall domains are used for spamtraps. Every client here at WttW gets a domain assigned to them and those domains are catchalls. Emails to those domains go into a database for analysis. Clients (and I!) can create any LHS on the fly to test signups, look at mail flows. Having a catchall means we don’t have to actually configure any address so I can test multiple signups and encode the data about the signup in the to: address.
This works most of the time, at least until verification services mark those addresses as bad and they don’t get imported into the client’s processes. We have some workarounds, and can still get mail despite the services making assumptions.
 
 

Read More

SendGrid IPO

Congrats to the folks at SendGrid for raising over 130 million in their IPO yesterday. Also, cool stock symbol, bro.
 

Read More

Spike in Yahoo error codes

A number of people have mentioned over the last couple weeks that they’re seeing a spike in Yahoo rejecting mail with
554    delivery error: dd Requested mail action aborted
Discussions on various mailing lists indicate these messages are related to inactive accounts. Addresses that bounce at Yahoo with these codes should be handled as inactive addresses and removed from future mailings.

Read More

Permission and B2B spam

Two of the very first posts I wrote on the blog were about permission (part 1, part 2). Re-reading those posts is interesting. Experience has taught me that recipients are much more forgiving of implicit opt-in than that post implies.
The change in recipient expectations doesn’t mean, however, that permission isn’t important or required. In fact, The Verge reported on a chatbot that will waste the time of spammers. Users who are fed up with spam can forward their message to Re:Scam and bots will answer the mail.
I cannot tell you how tempted I am to forward all those “Hey, just give me 10 minutes of your time…” emails I get from B2B spammers. I know, those are actually bots, but there is lovely symmetry in bots bothering one another and leaving us humans out of it.

Speaking of those annoying emails, I tweeted about one (with horrible English…) last week. I tagged the company in question and they asked for an example. After I sent it, they did nothing, and I continued to get mail. Because of course I did.
These types of messages are exactly why permission is so critical for controlling spam. Way more companies can buy my email address and add me to their spam automation software than I can opt-out of in any reasonable time frame. My inbox, particularly my business inbox, is where I do business. It’s where I talk with clients, potential clients, customers and, yes, even vendors. But every unsolicited email wastes my time.
It’s not even that the mail is simply unwanted. I get mail I don’t want regularly. Collecting white papers for my library, RSVPing to events, joining webinars all result in me getting added to companies’ mailing lists. That’s fair, I gave them an email address; I’ll unsubscribe.
The B2B companies who buy my address are different. They’re spamming and they understand that. The vendors who sell the automation filters tell their customers how to avoid spam filters. Spammers are told to use different domains for the unsolicited mail and their opt-in mail to avoid blocking. The software plugs into Google and G Suite accounts because very few companies will block Google IPs.
I’ve had many of these companies attempt to pay me to fix their delivery problems. But, in this case there’s nothing to fix. Yes, your mail is being blocked. No, I can’t help. There is nothing I can say to a filtering company or ISP or company to make them lift that block. The mail is unwanted and it’s unsolicited.
The way to get mail unblocked is to demonstrate the mail is wanted. If you can’t do that, well, the filters are working as intended.
 

Read More

Subscription bombing and abuse prevention

A few weeks ago ProPublica was the victim of a subscription bomb attack. Julia Angwin found my blog post on the subject and contacted me to talk about the post. We spent an hour or so on the phone and I shared some of the information we had on the problem. Julia told me she was interested in investigating this problem further. Today, ProPublica published Cheap Tricks: the Low Cost of Internet Harassment.
For those of us deeply involved in the issue, there isn’t too much that comes as a surprise in that article. But it’s a good introduction to folks who may not be aware of the existence of subscription bombing.

Julia does mention something I have been thinking about: abuse and anonymity online. Can we continue to have anonymous or pseudonymous identities on the Internet? Should we?
One of the challenges a lot of companies are struggling with is that anonymity can protect oppressors as well as their targets. How do we support “good” anonymity without enabling “bad” anonymity? I’ve always thought anonymity was an overall good and the fact that it’s abused sometimes didn’t mean it should be taken away. Banning anonymity online might seem to fix the problem of abuse, except it really doesn’t and it comes with its own set of problems.
Let’s be honest, these are hard questions and ones that do need to be addressed. A lot of the tools abuse and security desks currently have rely on volume of complaints. This can result in the targets getting shut down due to false complaints while the perpetrators keep their accounts open. It means subscription bombs can target a few individuals and occur undetected for months.
Big companies in Silicon Valley love to rely on their algorithms and machine learning and AI and code to automate things. But the automation only works after you create working processes. Throwing code at the problem doesn’t work unless you have a picture of the scope of the problem. And a reliance on code ends up with Facebook asking people to upload nudes of themselves to prevent nudes on Facebook. Likewise, throwing cheap labor at the problem isn’t a solution, either.
I don’t have the answers, I don’t think anyone does. But we need to think harder about these problems and address them sooner rather than later. The internet is too important to let abusers break it.

Read More

Proofpoint acquires Cloudmark

Major industry news today as Proofpoint and Cloudmark announced a major acquisition deal. Proofpoint agreed to pay $110 million in cash to acquire Cloudmark. Prior to this acquisition, Proofpoint focused on business filters. Cloudmark’s focus was selling into large ISPs, including large cable providers, and mobile carriers. Proofpoint assured investors they will continue supporting and developing the Cloudmark filters. At the same time they’re incorporating the Cloudmark Global Threat Network into their Nexus platform.
A few things came to mind when I saw the announcement.
Both companies focused on different types of email filtering. Proofpoint developed products for business, building filters that address spam but they did a lot more. Many of the filter features have nothing to do with blocking mail, but instead focus on other business critical functions like protecting intellectual property and maintaining compliance with various laws and regulations. Cloudmark, on the other hand, created filters that businesses could deploy to protect consumers as well as use in their business.
With this acquisition we’re starting to see a consolidation of functionality. The distance between business filters and consumer filters continues to close.
Filtering isn’t just about spam, though.
This acquisition improves Proofpoint’s ability to filter things other than spam. Their announcement specifically calls out spear phishing and business email compromise (BEC) as problems. They are. Criminals steal billions of dollars from businesses through email attacks. These same types of attacks were employed in the 2016 US elections against candidates and parties.
It feels like we’re embarking on a new phase of security and compliance. Those tools we built to deal with spam and protect the internet from abuse generally worked. Our mail infrastructure isn’t falling down due to spam. Now we need to look forward to handling different kinds of abuse. The same people who stepped up to the plate in the early 2000’s to address spam are now looking at how to protect individuals online.
It’s a nice internet we’ve got here. Let’s see if we can keep it.

Read More

October 2017: The Month in Email

October was a busy month. In addition to onboarding multiple new clients, we got new desks, I went to Toronto to see M3AAWG colleagues for a few days, and had oral surgery. Happily, we’re finally getting closer to having the full office setup.

What is an office without a Grover Cat? (he was so pleased he figured out how to get onto it at standing height).

All of this means that blogging was pretty light this month.
One of the most interesting bits of news this month is that the US National Cybersecurity Assessments & Technical Services Team issued a mandate on web and email security, which Steve reviewed here.
In best practices, I made a brief mention about the importance of using subdomains rather than entirely new domain names in links and emails and even DKIM keys.
We’ve talked about engagement-based filters before, but it’s interesting to note how they’re being used in business environments as well as consumer environments.
We also put together a survey looking at how people use Google Postmaster Tools. The survey is now closed, and I’ll be doing a full analysis over the next couple of weeks, as well as talking about next steps. I did a quick preview of some of the highlights earlier this week.
Finally, a lot of industry news this month: Most notably, Mailchimp has changed its default signup process from double opt-in to single opt-in. This caused quite a bit of sturm und drang from all ends of the industry. And, in fact, a few days later they announced the default double-opt-in would stay in place for .eu senders. I didn’t get a chance to blog about that as it happened. In other news, the Road Runner FBL is permanently shuttered, and Edison Software has acquired Return Path’s Consumer Insight division. Also worth noting: Microsoft is rolling out new mail servers, and you’ll likely see some new — and potentially confusing — error codes.
My October themed photo is behind a cut, for those of you who have problems with spiders.

Read More

Gmail survey rough analysis

I closed the Google Postmaster Tools (GPT) survey earlier today. I received 160 responses, mostly from the link published here on the blog and in the M3AAWG Senders group.
I’ll be putting a full analysis together over the next couple weeks, but thought I’d give everyone a quick preview / data dump based on the analysis and graphs SurveyMonkey makes available in their analysis.
Of 160 respondents, 154 are currently using GPT. Some of the folks who said they didn’t have a GPT account also said they logged into it at least once a day, so clearly I have some data cleanup to do.
57% of respondents monitored customer domains. 79% monitored their own domains.
45% of respondents logged in at least once a day to check. Around 40% of respondents check IP and/or domain reputation daily. Around 25% of respondents use the authentication, encryption and delivery errors pages for troubleshooting.
10% said the pages were very easy to understand. 46% said they’re “somewhat easy” to understand.
The improvement suggestions are text based, but SurveyMonkey helpfully puts them together into a word cloud. It’s about what I expected. But I’ll dig into that data.
10% of respondents said they had built tools to scrape the page. 50% said they hadn’t but would like to.
In terms of the problems they have, 82% of people said they want to be able to create alerts and 60% said they want to add the data to dashboards or reporting tools.

97% of respondents who currently have a Google Postmaster Tools account said they are interested in an API for the data. I’m sure the 4 who aren’t interested won’t care if there is one.
47% of respondents said if there was an API they’d have tools using it by the end of 2017. 73% said they’d have tools built by end of Q1 2018.
33% of respondents send more than 10 million emails per day.
75% of respondents work for private companies.
70% of respondents work for ESPs. 10% work for retailers or brands sending through their own infrastructure.
That’s my initial pass through the data. I’ll put together something a bit more coherent and some more useful analysis in the coming week and publish it. I am already seeing some interesting correlations I can do to get useful info out.
Thank you to everyone who participated! This is interesting data that I will be passing along to Google. Rough mental calculation indicates that respondents are responsible for multiple billions of emails a day.
Thanks!

Read More

Google Postmaster Tools: Last Chance!

I’ll be closing down the Google Postmaster Tools survey Oct 31. If you’ve not had a chance to answer the questions yet, you have through tomorrow.
This data will be shared here. The ulterior motive is to convince Google to make an API available soon due to popular demand.

Read More

Edison acquires part of Return Path

Today Matt Blumberg announced that Edison Software acquired Return Path’s Consumer Insight division, current customers and some Return Path staff.
Congrats to everyone involved.

Read More

Mailchimp changes signup process

As of October 31, 2017 signup forms and popup boxes provided by Mailchimp will no longer default to a double / confirmed opt-in process.

Read More

RoadRunner FBL goes kaput

Road Runner is no longer providing a FBL starting today. Earlier this morning a couple ESPs were reporting a decrease in FBL messages from the RR FBL. A few hours later, a senior technical account manager confirmed on mailop that the FBL was ending today.
While the announcement says that folks can expect reports to trickle, at least one ESP has reported zero reports today.

Read More

Troubleshooting and codes

Microsoft is still in the process of rolling out new mail servers. One thing that is new about these is some new codes on their error messages. This has led to questions and speculations as to what is going on.

Read More

Tell us about how you use Gmail Postmaster Tools

One of the things I hear frequently is that folks really want access to Google Postmaster Tools through an API. I’ve also heard some suggestions that we should start a petition. I thought a better idea was to put together a survey showing how people are using GPT and how high the demand is for an API.
They’re a data company, let’s give them data.

I’ve put together a survey looking at how people are using GPT. It’s 4 pages and average time to take the survey is around 7 minutes. Please give us your feedback on GPT usage.
I’m planning on leaving the survey open through the first week in November. Then I’ll pull data together and share here and with Google.

Read More

Engagement filters for B2B mail

While I was doing some research for a client today I rediscovered Terry Zink’s blog. Terry is one of the MS email folks and he regularly blogs about the things MS is doing with Outlook.com and Office 365.
The post that caught my eye was discussing the Microsoft Spam Fighter program. The short version is that in order to train their spam filters, Microsoft asks a random cross-section of their users if the filters made the right decision about email. This data is fed back into the Microsoft machine learning engine.
As Terry explains it:

Read More

Desks and distractions

Our first real company purchase was a big, solid pair of desks. See, we owed a lot of money to the IRS, but if we bought some equipment we could decrease the amount we had to pay the IRS. So we invested in very nice, wooden desks that would hold heavy CRT monitors.
Things have changed over the years and we don’t have CRTs any more. And maybe it’s time to upgrade or replace our desks. We got my desk assembled this weekend and I have to say, I’m really pleased.

Steve wrote about our experiences with Autonomous.ai’s purchase process. I have to say I’m impressed with the build quality of the desks.
I’ll be happy when our office is rebuilt and everything is back in its place, but even now I’m enjoying working at my new desk.

Read More

September 2017: The Month in Email

Happy October! ‘Tis the season for “the scariest costumes to wear to an inbound marketing Halloween party”. Terrifying, right? A perfect occasion for spam-infused mai tais!

In other news from the blog in September, I wrote several posts about the Equifax breach, starting with the announcement of the compromise on September 7th and their utterly inadequate response, followed by more incompetence when they sent people to the wrong site to get assistance. I also noted some of the discussion around the various educational paths people working in information security have and why these are the wrong questions to ask.
Speaking of the various paths people take towards careers in email, I wrote a followup post on Shiva Ayyadurai, whose defamation suit around his claims to being the inventor of email was recently dismissed.
I wrote a few posts about Gmail, including a guide to improving Gmail delivery, and some specific advice on how to warm up your Gmail mailstream, which is somewhat different than other warmup processes. In other news on mail providers, it’s worth noting some recent changes Microsoft has made to various domains.
In best practices, Steve wrote about a nice series of emails we received following an online purchase and I wrote about properly monitoring your DMARC reports.
Every now and then, I like to return to the basics. My post on 10 Things Every Mailer Must Do is a handy overview to share with your team (or your customers, if you’re an ESP). If you’re having delivery challenges and haven’t tackled these top ten best practices, this is where you need to start. I wrote up some additional thoughts on how we think about deliverability that you might find useful as well.

Read More

Back from MAAWG

Had an all too short trip to M3AAWG. It was great to see old friends and meet new folks. I have lots to talk about and a poll to get into the field once I get caught up on client work.

While I’m deep in the depths of my inbox, I thought I’d share a bit of insight into the question of new domain vs. subdomain that often comes up.

Read More

MAAWG next week

I’ll be up in Toronto Tuesday and part of Wednesday for the M3AAWG meeting. If you’re there, say HI!

Read More

Way to go Equifax

Earlier this month I wrote about how we can’t trust Equifax with our personal data. I’m not sure we can trust them with a cotton ball. Today, we discover Equifax has been sending consumers worried about their personal information leaking to the wrong site.

Read More

Microsoft changes

There’s been quite a bit of breakage and delivery failure to various Microsoft domains this month. It started with them changing the MX for hotmail.co.uk, then the MX for hotmail.fr… and both these things seem to have broken mail. I also saw a report this morning that some of the new MXs have TLS certificates that don’t match the hostnames.

Read More

Thinking about deliverability

I was chatting with folks over on one of the email slack channels today. The discussion was about an ESP not wanting to implement a particular change as it would hurt deliverability. It led me down a path of thinking about how we think of deliverability and how that informs how we approach email.
The biggest problem I see is the black and white thinking.
There’s an underlying belief in the deliverability, receiving, and filtering communities that the only way to affect sending behavior is to block (or threaten to block) mail.

This was true back in the ancient times (the late 90’s). We didn’t have sophisticated tools and fast CPUs. There weren’t a lot of ways to handle bad mail other than to block. Now the landscape is different. We have many more tools and the computing capacity to quickly sort large streams of data.
At most places these days, blocking is an escalation, not a warning shot. Many places rate limit and bulk folder questionable mail as a first strike against problem mail. Sometimes the mail is bad enough to result in a block. Other times, it’s not bad enough to block, so it disappears into the bulk folder.
There’s a corresponding belief in the sending community that if their behavior doesn’t result in blocking then they’re acting acceptably. This isn’t true either. There are a lot of things you can do (or not do) that don’t help delivery, but will actively harm delivery. Likewise, there are things you can do that don’t actively harm delivery, but will help. All of these things add up to reaching the inbox.

Read More

About those degrees…

There is a meme going around related to the Equifax hack that points out an executive in charge of security doesn’t have a degree related to security.
Surprise! A lot of the folks who currently keep us safe on the internet don’t have degrees in security. They just didn’t exist when we were in school. I think Paul summed it up best:

Read More

Targeted advertising

A friend posted a link in IRC pointing at a couch at Wayfair.com. Now I have Wayfair.com ads following me around the internet.
ProPublica wrote an article about how Facebook lets advertisers micro target “jew haters” and other hate groups.
I received this postcard in the mail. 
Targeted Advertising.

Read More

August 2017: The month in email

Hello! Hope all are keeping safe through Harvey, Irma, Katia and the aftermath. I know many people that have been affected and are currently out of their homes. I am proud to see so many of my fellow deliverability folks are helping our displaced colleagues with resources, places to stay and money to replace damaged property.
Here’s a mid-month late wrapup of our August blog posts. Our favorite part of August? The total eclipse, which was absolutely amazing. Let me show you some pictures.





Ok, back to email.
We’re proud of the enormous milestone we marked this month: ten years of near-daily posts to our Word to the Wise blog. Thanks for all of your attention and feedback over the past decade!
In other industry news, I pointed to some interesting findings from the Litmus report on the State of Email Deliverability, which is always a terrific resource.
I also wrote about the evolution of filters at web-based email providers, and noted that Gmail’s different approach may well be because it entered the market later than other providers.
In spam, spoofing, and other abuse-related news, I posted about how easy it is for someone to spoof a sender’s identity, even without any technical hacks. This recent incident with several members of the US presidential administration should remind us all to be more careful with making sure we pay attention to where messages come from. How else can you tell that someone might not be wholly legitimate and above-board? I talked about some of what I look at when I get a call from a prospective customer as well as some of the delightful conversations I’ve had with spammers over the years.
In the security arena, Steve noted the ongoing shift to TLS and Google’s announcement that they will label text and email form fields on pages without TLS as “NOT SECURE”. What is TLS, you ask? Steve answers all your questions in a comprehensive post about Transport Layer Security and Certificate Authority Authorization records.
Also worth reading, and not just for the picture of Paddington Bear: Steve’s extremely detailed post about local-part semantics, the chunk of information before the at sign in an email address. How do you choose your email addresses (assuming they are not assigned to you at work or school…)? An email address is an identity, both culturally and for security purposes.
In subscription best practices — or the lack thereof — Steve talked about what happens when someone doesn’t quite complete a user registration. Should you send them a reminder to finish their registration? Of course! Should you keep sending those reminders for 16 months after they’ve stopped engaging with you? THE SURPRISING ANSWER! (Ok, you know us. It wasn’t that surprising.)

Read More

Google Postmaster bad IP reputation

There are widespread reports this morning (9/11/17) that Google Postmaster Tools is showing bad IP reputation for IPs starting on 9/9. This issue is affecting just about everyone. Looking through my clients’ postmaster pages, I’m seeing red for IP reputation on every client. Even my clients with generally good reputation are seeing bad reputation since 9/9.

This looks like a reporting or a display error on the part of Google. Many people who are reporting the bad IP reputation are not seeing any significant change in Gmail deliverability.
Looking through client data it appears that domain reputation reporting stopped on 9/8. I am seeing FBL reports for 9/9 and 9/10, for some but not all clients.
My current read on the situation is that something broke internally with the Gmail postmaster reporting. This does not currently appear to be affecting delivery of mail. (If anyone sees differently, drop me an email or tweet me @wise_laura).
I know folks are making sure Google knows. I know that some Gmail folks were directly notified and another Google person is active on Mailop. And we have confirmation that they are aware and are working on fixing it. I will let you know if I hear of a fix timeline.
EDIT: It’s been fixed. Google even fixed the older data. Same client, screenshot from this morning.

 

Read More

What's going on with your SBL listing?

This popped up on my Facebook memories this morning. I don’t post about client events very often, but given I can’t remember even what client this is, I don’t think I’m revealing too much info.
FB memory from a few years ago.

Read More

Equifax compromise and their insecure response

Today it was announced that someone infiltrated Equifax earlier this year and stole 143,000,000 identities. These identities include names, birthdates, and addresses, at a minimum. Details are available at your favorite news site.
What I want to talk about is the website they’ve put up to address the issue. This website is Yet Another Example of how the financial services industry trains users to be phishing victims.
Equifax set up a website for people concerned about the possibility of identity theft after this major data leak. The URL, as distributed by the press and linked to from Equifax’s own website, is https://www.equifaxsecurity2017.com.
When I was first sent to the site, I thought it was a phishing site because there is absolutely no way to confirm this site is owned and managed by Equifax. Zero. In fact, there’s a lot of evidence that the site isn’t owned by Equifax. And most of the rest of the evidence relies on trusting that the hackers still don’t have some level of access to Equifax systems.

Read More

Spam-infused Mai-Tai


Happy Labor Day! Celebrate it with the perfect email-themed cocktail – a spam-infused Mai Tai, served in the traditional glass.
A speciality of the Duck Inn in Chicago, it’s made from a fat-washed dark rum:

Read More

A decade of blogging

August 2017 marks 10 years of blogging. In that time we’ve written almost 2200 posts. We’ve had millions of visitors.

Read More

Local-part Semantics

An email address has two main parts. The local-part is the bit before the @-sign and the domain is the bit after it. Loosely, the domain part tells SMTP how to get an email to the destination mailserver while the local part tells that server whose mailbox to put it in.
I’m just looking at the local part today, the “steve” in “steve@example.com”.
Talkin’ ‘Bout a Specification
The original specification for SMTP email delivery, RFC 821, specifies a few things about the local-part. It can’t be more than 64 ASCII characters long, and it must be wrapped in double quotes if it includes any punctuation. But that’s just syntax, nothing to do with what it means. It does mention that it’s case-sensitive: “steve@example.com” is not the same recipient as “sTeve@example.com”.
The specification for the structure of email messages, RFC 822, tells us a little more. It clarifies that the local-part is case-sensitive, with the sole exception of the “postmaster” account, which is required to be deliverable as “postmaster”, “POSTMASTER”, “POSTmasTER” or any other variant you like.

Read More

August mini-recess

Blogging will be light through the end of the month. We’re headed to Wyoming to see the eclipse this weekend. As well, with all of the current political events happening it’s hard to focus on email right now.
So basically I’m giving myself permission to not blog daily through the end of August. I’ll blog as I have stuff to say. Some of those might be copies and pastes from comments I’ve made in other spaces. I seem to be on FB quite a bit these days – sometimes even email related.
I’ve also been asking questions and discussing stuff on some mailing lists. I had a flash of insight about how I think about deliverability differently from other people and am talking with some colleagues about it to make sure I can explain it well.

Read More

Email address as identity

A few months ago I was talking about different mailbox tools and mentioned email addresses are the keys to our online identity. They are: email addresses are the magic key that authenticates us and opens access to different accounts.
The bad guys know this too. The Justice Department recently announced a plea deal related to compromised email accounts. The individual in question gained access to faculty, staff and student email accounts. They then used access to these accounts to access Facebook, iCloud, Google, LinkedIn and Yahoo accounts.
https://twitter.com/pwnallthethings/status/897930523120738304
https://twitter.com/pwnallthethings/status/897931383431061504
https://twitter.com/pwnallthethings/status/897932050111406081
Mediapost published an article this week referencing a survey performed at this year’s BlackHat conference.

Read More

State of Email Deliverability

I had other posts in the pipeline, but saw a link to the Litmus 2017 State of Email Deliverability Report and decided that deserved a mention here.
There’s all sorts of interesting data there, and well worth a download and read. I was, of course, interested in the “most problematic subscriber acquisition sources.” Senders having blocking issues or blacklist problems in the past 12 months use list rental, co-reg and purchased lists more often than senders that didn’t have problems.

Senders acquiring addresses through list rental are 104% more likely to be blacklisted than senders not using list rental. And they’re 47% more likely to be blocked.
These stats are the primary reason that most ESPs don’t allow list rentals, purchased or co-reg lists. They cause blocking and blacklisting. The ESP ends up having to deal with lots of problems and clean up the mess.
I’m unsurprised that lead generation by giving something away (a report, ebook, whatever) is related to problems. Most of these forms do little to no data checking and accept any and all fake data. There are fairly simple ways to enforce better data, but that does limit the spread of the information.
I am surprised to see signup through direct mail and catalog sales is so bad. Unless maybe people don’t know how to say no when asked for an email address over the phone. I know it seems awkward to say no when asked for an email address. Maybe some folks are giving fake addresses. I sometimes say I don’t have email, or just tell them no, they don’t need one.
The white paper itself is well worth a read. Go download it yourself (but don’t give them a fake email address!).

Read More

Not a customer you want

Earlier this week one of my ESP clients contacted me. They have a new (potential?) customer dealing with some delivery challenges. Client was looking for advice on how to move the customer over and improve their delivery at the same time.
My advice was actually pretty simple: this isn’t a customer you want. Walk away.
I reached that conclusion about 10 seconds after I loaded the customer’s website. Because I know sometimes initial impressions are wrong, I did spend about 10 more minutes poking around. What I found did nothing to change my mind or convince me my initial impression was wrong. In fact, everything I found reinforced the belief that this was not a good customer for my client.
I sent my client an email explaining what I’d found and they agreed. Future deliverability problem averted!
Some of what I found inspired the conversations with spammers blog post from earlier this week. For instance, the website had two different signup forms, each pointing to a different ESP. Both links were dead.

Then I looked at the company’s whois record and found a bunch of cookie cutter websites, all with different domain names, all with the same broken subscription links.
I do this manually and I can’t fathom how you would automate this kind of checking. For me, it seems there absolutely needs to be a human in the loop. But I suspect that there are ways to automate these types of checks.
In any case, there’s a spammer looking for an email service provider. He’s having problems with IP reputation at his current ESP. He sends content and will even share with you the domain he’s using to collect email addresses. Pro tip: try and sign up for his mail before he signs your contract.

Read More

Conversations with spammers

It’s amazing how many spammers try and fool deliverability into accepting a questionable list. All too often they fall back on a story. The basic points: a company you’ve never heard of collected millions of email addresses on a website hosted on a low end VPS.

I’ve never heard of your company.
We’re just that much better at marketing. This list is guaranteed 100% opt in. Subscribers are desperate to hear from us. The mail is vital and important. We had some problems at our last ESP, but that’s just because they don’t understand our business model. And we had a brief problem with complaints. But they weren’t real complaints. Our competitors are signing up for the list and complaining to hurt our business. It’s not a list problem, it’s that we’re so dominant they have to subvert us. That’s just because we’re that much better at their jobs than anyone else.
You’re looking for deliverability help.
Well, yeah, sometimes Gmail delivery is bad, but that’s simply because we won’t pay Google money for advertising. Google is so afraid of us they deliberately filter all this spectacularly wanted email into the bulk folder. They have problems with us as a business. Oh, and we might, sometimes, occasionally have a minor problem with Yahoo. But, again, it’s because we threaten them and they don’t want to have to compete on a level playing field.
If they’re a potential customer, I tell them about our services and offer a proposal. Once some company I’ve never heard of tells me their bad delivery is because global companies are afraid of them, there’s really nothing I can do. They’re unlikely to listen to me explain reality to them.
Sometimes, though, this conversation happens because I’m consulting for an ESP or an Agency. They’ve brought me in to discuss deliverability with a customer or vendor. In those cases, it’s my job to keep going.
Your site doesn’t actually have a signup form.
That’s because we’re in the middle of an upgrade cycle and had some problems with the back end. [Alternative: We stopped collecting new email addresses because of their deliverability problems and removed the form.]
Your site has a signup form, and I signed up, but never got any mail from you.
We disconnected the signup form while we handle our deliverability problems. [Alternative: That shouldn’t happen. We can forward you some messages instead.]
I have received spam advertising your company.
We had a rogue affiliate that we discovered was spamming and we cut them off.
No, this is direct from your IP space.
Oh, well, you must have opted in and forgotten about it. [Alternative: We had a rogue sales guy, but we fired him for spamming.]
Your company has only been in business for 3 years, this is an address I haven’t used since the ’90s.
Oh, we probably bought a company that you opted into and so have permission that way.
That’s not really permission.
Of course it is!
OK…. How can I help you?
We want you to call Google / Yahoo / Hotmail and tell them we’re really a legitimate company that’s sending content and we shouldn’t be in the bulk folder.
What have you changed?
Nothing! Why would we change anything? We’re great marketers. We have all these plans but need to get back to the inbox before we can implement them.
Um… there’s no filter setting for “laura says they’re a good sender.” They’re going to look for new sending patterns so let’s change a few things.
Well, we recently removed 2/3 of our database, but it made no difference so we don’t know what else you think we can do.
Let’s talk about your technical setup.

Read More

July 2017: The month in email

August is here, and as usual, we’re discussing spam, permissions, bots, filters, delivery challenges, and best practices.

One of the things we see over and over again, both with marketers and with companies that send us email, is that permission is rarely binary — companies want a fair amount of wiggle room, or “implied permission” to send. There are plenty of examples of how companies try to dance around clear permissions, such as this opt form from a company we used to do business with. But there are lots of questions here: can you legitimately mail to addresses you haven’t interacted with in 5 years? 10 years? What’s the best way to re-engage, if at all?
We frequently get questions about how to address deliverability challenges, and I wrote up a post about some of the steps we take as we help our clients with this. These are short-term fixes; for long-term success, the most effective strategy is sending email that people want and expect. Engagement is always at the core of a sustainable email program.
We’ve also discussed the rise of B2B spam, and the ways in which marketing technologies contribute to the problem. B2B marketers struggle to use social and email channels appropriately to reach customers and prospects, but still need to be thoughtful about how they do it. I also wrote about some of the ways that marketing automation plugins facilitate spam and how companies should step up to address the problem. Here’s an example of what happens when the automation plugins go awry.
I wrote a few posts about domain management and the implications for security and fraud. The first was about how cousin domain names can set users up for phishing and fraud, and the second was a useful checklist for looking at your company’s domain management. We also looked at abuse across online communities, which is an increasing problem and one we’re very committed to fighting.
I also highlighted a few best practices this month: guidelines for choosing a new ESP and active buttons in the subject line for Gmail.
And finally, we celebrated the 80th birthday of the original SPAM. If you’re a regular reader of this blog, you probably already know why unwanted email is called SPAM, but just in case, here’s a refresher….

Read More

Another way Gmail is different

I was answering a question on Mailop earlier today and had one of those moments of clarity. I finally managed to articulate one of the things I’ve known about Gmail, but never been able to explain. See, Gmail has never really put a lot of their filtering on the SMTP transaction and IP reputation. Other ISPs do a lot of the heavy lifting with IP filters. But not Gmail.
While I was writing the answer I realized something. Gmail was a late entrant into the email space. AOL, Hotmail, Yahoo, even the cable companies, were providing email services in the 90s. When spam started to be a problem, they started with IP based blocking. As technology got better and content filtering became viable, improvements were layered on top of IP based blocking.

Gmail didn’t enter the mailbox market until the 2000’s. When they did, they had money, lots of hardware, and internal expertise to do content filtering. They didn’t start with IP based filtering, so their base is actually content filtering. Sure, there were some times when they’d push some mail away from the MTAs, but most of their filtering was done after the SMTP transaction. The short version of this is I never really pay any attention to IP reputation when dealing with Gmail. It’s just another factor. Unless you’re blocked, and if you get blocked by Gmail, wow, you really screwed up.
Gmail does, of course, do some IP based blocking. But in my experience IP filters are really only turned against really egregious spam, phishing and malicious mail. Most email marketers reading my blog won’t ever see IP filters at Gmail because their mail is not that bad.
Other companies aren’t going to throw away filters that are working, so the base of their filters is IPs. But Google never had that base to work from. Their base is content filters, with some IP rep layered on top of that.
That’s a big reason Gmail filters are different from other filters.

Read More

Email pranks and spoofing

Earlier today a twitter user calling himself Email Prankster released copies of email conversations with various members of the current US administration. Based on his twitter feed, and articles from BBC News and CNN, it appears that the prankster forged “friendly from” names in emails to staffers.
A bunch of folks will jump on this bandwagon and start making all sorts of claims about how this kind of thing would be prevented if the White House and other government offices would just implement DMARC. Problem is, that’s not true. It wouldn’t have helped at all in this case. Looking at the email screenshots, all of the mail seems to come from legitimately registered addresses at free email providers like mail.com, gmail.com, and yandex.com.
One image indicates that some spam filter noticed there may be a problem. But apparently SUSPECTED_SPAM in the subject line wasn’t enough to make recipients think twice about checking the email.

The thing is, this is not “hacking” and this isn’t “spear phishing” and it’s not even really spoofing. It’s social engineering, at best. Maybe.

Read More

Marketing automation plugins facilitate spam

There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full-fledged ESP, except an SMTP server and a compliance / deliverability team.
I’ll give the folks creating these programs credit. They identified that the marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam enabling programs.
From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affecting the rest of their mail.
The primary way the software prevents spam blocking is using Google, Amazon or Office 365 as their outbound mail server. Let’s be frank, these systems carry enough real mail, they’re unlikely to be widely blocked. These ISPs are also not geared up to deal with compliance the same way ESPs or consumer providers are.
There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.

I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.
Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.
Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.
This morning a vendor in the space joined one of the email slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.
I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, even domain based opt-outs are ineffective.
What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.

Read More

Mike might be spamming, but why?

I’ve been talking a lot about ongoing B2B spam. That is, where senders drop your address into some sort of automation, that sends mail from gmail or amazon and just spams and spams and spams. This is what my mailbox looked like this morning

Yes, every one of those emails is sent to the same address. “you are still using the address laura-info@…” Well, no, actually. That was the original address I used as part of our contact on the first iteration of the WttW website. I stopped using that address somewhere around 2002? 3? It’s been a very long time in any case.
Folks, B2B spam is still spam. It doesn’t matter if you register a new domain and use Gmail as your outbounds as a way to avoid filters.
It doesn’t matter…

Read More

Domain management

Yesterday one of the bigger ESPs had their domain registration lapse. This caused a whole host of problems for their customers. It was resolved when someone completely unrelated to the company paid the registration fee.
It happens. Most of us know about cases where email or domains were lost due to renewal failures. The canonical case is one person at the company handles renewals, and leaves or is off when renewal comes up. The payment is missed, the domain goes back to the registrar and everything falls apart.
This happens at big companies and it happens at small companies. This is the kind of public facing problem that should make all of us look at how our own domains are managed. A few questions to ask.

Read More

Online communities and abuse

A few weekends ago we met a friend for coffee in Palo Alto. As the discussion wandered we ended up talking about some of the projects we’re involved in. Friend mentioned she was working with a group building a platform for community building. We started talking about how hard it is these days to run online groups and communities. One of the things I started discussing was what needed to be built into communities like this to prevent abuse and damage.

Read More

Happy 80th Birthday to SPAM

Not the kind we hate. The other kind. That’s best served over sushi rice.
80 years of SPAM

Read More

Searching for a new ESP?

250OK has compiled advice about what buyers should ask when looking at new ESPs. The advice from various folks is spot on.
Changing ESPs is a big undertaking, bigger than most people expect. It’s not like changing vendors for other services. It is a process and most of the time moving creates a short term dip in deliverability. I have a lot of theories and speculation as to why, but the evidence is pretty clear. I think Mike Hillyer summed it up best: “I think the most commonly missed question is ‘will changing ESPs truly affect the outcomes we are looking to change?’”
I also liked the answers to the question about using multiple ESPs. My view is that unless there are specific requirements for different mail streams the answer is no, don’t do it. And don’t think you can keep a “backup” ESP with “partially warmed IPs” and be able to turn it on as disaster recovery. Email doesn’t work that way.
It’s an article well worth a read.
 

Read More

Engagement drives deliverability

Return Path released a white paper today offering the Secrets of Successful Senders. I don’t think any of my readers will be surprised that it boils down to identity, reputation, and engagement. Return Path treats these as separate things and I understand why they do. I think, however, that identity and reputation are supporting players to the overarching issue of engagement.

When I’m dealing with clients and troubleshooting deliverability problems and offering solutions, I focus on the root cause. To me the root cause is almost always a data problem. Either there’s a problem with data collection or there’s a problem with data maintenance. These problems result in mail going to people who don’t really want or care about it.
Yes, identity is important. But, realistically, anyone mailing through a decent ESP has SPF and DKIM in place, at least on some level. There may be better ways to authenticate, but the boxes are checked.
Yes, reputation is important. But here’s the thing, reputation just means that the ISP knows how users are going to react to an email. Reputation isn’t some nebulous concept made up by ISPs. It’s an actual measurement. It quantifies the history of an IP or a domain or a mail stream and says we know that this IP sends wanted mail. We know that this domain sends mail our users ignore. It’s a history. Past performance does indicate future results.
Identity says who a sender is. Reputation tells us that sender’s history of sending. Those are the two factors that enable ISPs to make delivery decisions. Mail comes in and the ISP looks at it. They use identity to determine what reputation to assign to a mail. Reputation drives delivery, whether into the inbox or the bulk folder.
 

Read More

Summer 2017: Moving so fast

It’s been a busy summer so far! If you’ve been too busy to read the blog regularly, here’s an early summer wrap up of our posts from May and June.

A small but significant part of our consulting practice is helping people with delivery crisis situations, such as figuring out what to do if you’re listed on Spamhaus or other block lists, or getting delisted at AT&T. People also ask very specific questions about things like text to image ratio. We answer these directly for clients, on the blog generally, and in my Ask Laura column.
Most of what we do, however, is larger strategic work on creating smart email programs that are designed for deliverability. Our primary focus is to help marketers think about how to send email people want — and have asked — to receive. I went into detail on this in my post on how permissions trump metrics. We also help clients with what we call reading between the lines, or useful ways to think about collaboration between ESPs and their customers. Another enormous area of focus is helping people understand filters in a big picture — or gestalt — approach.
We also talk a lot about list purchasing, appending, and all the other ways people acquire email addresses without direct permission from recipients. Our most recent examples: a colleague who added me to a list they’d built from their LinkedIn contacts (using a wholly different email address), Steve’s experience trying to get hotel wifi, and lists passed between political campaigns. Spammers can generate lists that are “clean” enough to fool ESPs just long enough to get a send out the door.
Unwanted email is unwanted email, even when it’s in a B2B context. When someone reaches out “personally” to me to tell me how useful they think I will find their product or service for my business, that’s still SPAM, even if it’s coming from a personal address or a gmail address to try to get around filters. Even if it’s to say Hello from your LinkedIn BFF. Seriously?! More on permission here.
I often use unique email addresses when I interact with companies, and this shows me both when my address is purchased or shared without permission and when a company has a data breach. Sometimes this can be challenging to report, however, as illustrated (hilariously!) in my Shibboleet post.
In legislative news, the FTC would like to know if we still need CAN-SPAM, and other important feedback on the rule. Though it obviously has not entirely saved our inboxes from SPAM, there’s still a lot of good there. Our neighbors to the north have just announced a delay in one of the major provisions of their anti-SPAM legislation, the private right to action provision of CASL. Both the provision and the delay are interesting, so I went into some detail in my post.
Steve wrote several posts about DMARC, starting with The Philosophy of DMARC, which goes into detail about how the method evolved and the thinking behind it. He followed up with another lengthy post about how DMARC breaks, and a solution for that, the Authenticated Received Chain (ARC). He also posted a message from Fedex as an illustration of how DMARC doesn’t fix phishing.
In fact, phishing just keeps getting more and more sophisticated. And sadly, it seems that senders are not necessarily getting smarter in response.
Steve also wrote about how you can figure out (more or less) if a sender is using DKIM. He also added a useful explanation of protocol-relative URLs in email.
In industry news, I added some detailed information from AOL on the final bits of the Verizon migration and a note about how to handle bounces with disappearing domains.
The best part of my early summer was speaking on a few panels at the ESPC meeting and celebrating the one year anniversary of our Women of Email network with an in-person board meeting in Las Vegas. As someone who works mostly remotely, I very much enjoy coming together with colleagues to connect in person and share ideas and stories. Let me know if you know of any interesting events I should attend later this year.

Read More

Reading between the lines

Reading between the lines is an important skill in deliverability.
Why? Over the last few years there’s been an increasing amount of collaboration between deliverability folks at ESPs and ISPs. This is great. It’s a vast improvement on how things were 10 years ago. However, there are still ongoing complaints from both sides. There probably always will be. And it’s not like a blog post from me is going to fix anything. But I see value in talking a bit about how we can improve our ability to collaborate with one another.

Read More

Delisting at ATT

ATT used to have a webform to use to request delisting. I’ve heard reports over the last few months that the form isn’t working. This week, the website hosting the form disappeared. I don’t know for sure, but this looks like this is either deliberate or there’s just no one in charge of the site and it got lost.
ATT provides an email address for delisting, too. Unfortunately, I’m also hearing they’re not responding to that address. There are two possible reasons. One, they’ve never answered and they just delist or not depending on stats. Two, they’re not monitoring that address, either.
In any case, the delisting isn’t working and I don’t know when it will be. I know some people have contacted ATT reps, so they are aware of the current issues. More as I find out.

Read More

FTC solicits CAN-SPAM feedback

The FTC (US Federal Trade Commission) is soliciting comments on CAN-SPAM legislation:
A. General Issues

Read More

DMARC doesn't fix Phishing

Not a new thing, but a nice example just popped up in my inbox on my phone.

 
But FedEx solved their entire phishing problem when they published a strict p=reject DMARC record, right?
This didn’t come from fedex.com. It came from another domain that looks vaguely like fedex.com – what that domain is doesn’t matter, as the domain it’s sent from isn’t displayed to the user on my phone mail client. Nor is it displayed to the user by Mail.app on my desktop, unless you turn off Mail → Preferences … → Viewing → Use Smart Addresses.

That lookalike domain could pass SPF, it could be used as d= in DKIM signing, it could even be set up with DMARC p=reject. And the mail is pixel identical to real mail from fedex.com.
On my desktop client I can hover over the link and notice it looks suspicious – but it’s no more suspicious looking than a typical ESP link-tracking URL. And on mobile I don’t even get to do that.
SPF and DKIM and DMARC can temporarily inconvenience phishers to the extent that they have to change the domain they’re sending from, but it’ll have no effect on the vulnerability of most of your audience to being phished using your brand.

Read More

Reaching targets, the wrong way

I’ve been increasingly annoyed by these drip automation campaigns. You know the ones I mean. Senders use some software to find some flimsy pretext to send a mail. Then their emails drop every few days. Sometimes this cycle goes on for months. Most of these messages violate CAN SPAM. It’s annoying. It’s illegal. It is spam.
I can’t even opt out of most of these messages, they don’t offer that ability.

Read More

Final migration of Verizon email addresses to AOL

AOL were kind enough to share some details about the shutdown of the Verizon mail system and the migration of @verizon.net email addresses to the AOL mail service:

Read More

CASL Private Right of Action Delayed

Today the Canadian Government announced they were suspending the provision that allows individuals to sue marketers for violations of CASL.
Under these provisions, individual Canadian consumers had a private right of action. Any Canadian could sue any company that sent mail violating the law. This part of the law upset many senders and marketers. I’m sure many are relieved at this delay in enforcement.
 
This delay has no effect on the other major CASL provision with a July 1, 2017 deadline.
On July 1 a 3 year waiver on implied consent collected prior to CASL will end. What does that mean? Implied consent is just what it sounds like. Under certain conditions, senders can assume they have legal consent to mail the recipient. These conditions are spelled out in Section 10(9) of the law. Implied consent expires after 2 years. However, companies were granted a 3 year waiver on this provision for email addresses collected prior to July 1, 2014.
The waiver allowed senders to continue mailing addresses with implied consent even after the 2 year expiration. This was to allow companies time to convert implied consent into express consent so as not to lose recipients. There are about 3 weeks left for senders to get explicit permission to continue mailing addresses collected prior to July 1, 2014.
Additionally, as of July 1, 2017 CASL requires a parliamentary committee to review the law and its operation over the last 3 years.

Many senders are thrilled with the indefinite suspension of the PRA. It was, I think, one of the parts of the law that worried people the most. Allowing any citizen to sue someone who sent them mail they thought violated CASL? That concept struck fear into the hearts of many a legitimate marketer. I was never quite so sure it was going to be as bad as some thought.
A few years ago I had the opportunity to sit in a conference session with an individual from the Canadian government. They explained that there were significant barriers to individuals suing senders. Plaintiffs must file in provincial courts, not local ones. Second, defendants couldn’t be under investigation by the CRTC and a PRA at the same time. The presenter implied that CRTC had priority over any joint defendant. Finally, the plaintiff must prove actual damages. This is difficult for defendants that use a freemail provider like Gmail. There aren’t really damages in that case.
The overall gist of the session was that PRA in Canada was not that simple. Individuals wanting to sue had some bigger hoops to jump through than just filing something in small claims court. Nevertheless, I’m sure that many senders are relieved to hear the PRA is indefinitely suspended.

Read More

Women. Technology. Moving Forward.

A little over a year ago, Kristin Bond posted an article (reprinted here) looking at the diversity of speakers at marketing conferences. As with many articles pointing out gender issues in technology there was quite a bit of discussion about it on a related mailing list. Some of the comments were supportive and open to the idea that gender diversity is an overall good. Some of the comments, while well meaning, indicated the commenters didn’t understand some of the more systemic issues that result in conferences with speaker lists that consist primarily of white men.
Kristin, I, Jen Capstraw and April Mullen started talking privately about the issue. What I discovered during those conversations is that I wasn’t alone in how I felt about some spaces. Being a woman in tech I expect to feel left out in many places. When I go to a conference, or I participate in an online space or I meet up with colleagues in social situations, I expect that someone will say something sexist. As a woman I regularly feel like an outsider. What I didn’t realize is other women in those same spaces felt the same way. By not saying something I was missing an opportunity to find a supportive atmosphere with other women who also thought spaces were unfriendly or toxic to women.
But we didn’t just complain; we decided to take action. What would happen if we created a space to help conferences find women speakers? What would happen if we set up a framework for women to find mentors? What did we have to lose by trying? Thus, Women of Email™ was formed.

Read More

Disappearing domains

On May 31, British broadband provider EE discontinued service for a number of email domains: Orange.net, Orangehome.co.uk, Wanadoo.co.uk, Freeserve.co.uk, Fsbusiness.co.uk, Fslife.co.uk, Fsmail.net, Fsworld.co.uk, and Fsnet.co.uk.
These domains were acquired by EE as part of multiple mergers and acquisitions. On their help page, EE explains that the proliferation of free email services with advanced functionality has led to a decrease in email usage at these domains.
Yesterday, Terra.co.br announced they were discontinuing email to a number of their free domains as of June 30, 2017: terra.com, terra.com.ar, mi.terra.cl, terra.com.co, terra.com.mx, terra.com.pe, terra.com.ve, and terra.com.ec.

I’m not surprised to see these domains going away and I think we’ll see more of it going forward. The reasons are pretty simple. Mail is not an easy service to run. Mail doesn’t bring in a lot of money. Dedicated mailbox providers do a great job and the addresses from them are portable.

Read More

Random thoughts on spammers

I recently received a 419 spam that had a message at the top of the email.

Yup, a 419 spammer is trying to convince me there are millions of dollars waiting for me, but he won’t pay his software vendor 29.99 to comply with a license.
This is only the most recent in a long line of examples of spammers being cheap and attempting to steal services.
Back when I was working abuse almost every ISP had a story about a spammer who refused to pay their bill. Or spammers who were so high maintenance they cost the company money.
The company I worked for had a spammer that was on our system for far too long. Eventually they were cut off for non-payment and their hardware was confiscated. Still, the spammer came in and managed to remove the hardware before the building guards were alerted. It was disappointing, but at least they weren’t spamming off our network any longer.
Even now, ESPs share stories of customers who come in, spam and never pay their bill. Works for the spammer, they can get a few weeks of spamming in without having to pay for the service. They spew their stuff and leave a giant mess for the ESP to clean up. Next week, they’re on to the next ESP.
The real problem with this is that with enough ESPs and enough sends you can clean a list. This list can then be sold, or moved to a credible ESP without any of the tell tale signs of a purchased list. It’s so common it even has a name: waterfalling. It’s profitable, though, and there are enough small ESPs out there with little compliance experience that it can work.
I regularly get questions from folks who’ve worked themselves into a hole about swapping IPs or domains in order to get out of the hole. My answer is always the same. Changing identity might work in the short term, but it won’t work longer term. I also tell them that spammers have been trying to avoid filters for a lot longer than they have. Spammers are good at it, and still get caught in filters. Better to spend time trying to fix the underlying problem – typically users aren’t engaged with your mail – than trying to obfuscate who is sending the message to avoid filters.
Focus on sending good email that users want, rather than trying to avoid filters. That’s the key to getting into the inbox.

Read More

Phishing increasingly sophisticated

Phishing is an online threat that’s been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phishing is more dangerous and more sophisticated. Phishing is not just used to send spam. It’s used to take over elections; it’s used to steal millions of dollars. Experts estimate that globally phishing costs companies over 9 billion dollars a year.
Even in the last two weeks we’ve seen 2 major phishing incidents. One targeted Google Docs, one targeted Docusign. Reading the news reports these are different than many of the more common phishing attacks and, to me, represent an evolution in standard phishing techniques.

The Google attack in early May was an evolution in getting access to a Google account. Instead of directing users to a fake Gmail login page, the phish asked users to allow “Google Docs” (actually an app controlled by the phisher) to access their Google account.
I’m sure all of you have used an app or website that lets you login with Facebook or Gmail or Twitter. This is all done with a protocol called OAuth. OAuth is also how you give access to mailbox management tools like I discussed a few weeks ago. Basically, OAuth lets users grant access and permission to a site or application using a second site without revealing their username and password. (It’s more complicated than I want to discuss, but if you’re looking for some information check out some of the sites I’ve found: Wikipedia, Varonis blog, Digital Ocean knowledge base, or just search Google for OAuth.)
The switch from asking for a password to asking for access is, to my mind, a significant change. Now we have to be aware of what we’re authorizing and make sure that app isn’t malicious.
The Docusign phish is another evolution. As I was looking at the phish I received yesterday I realized that it was sent to a tagged address. A tagged address only Docusign had. None of my other, heavily phished, addresses received the phish. None of Steve’s addresses received the phish. This wasn’t a widespread spray and pray phishing attack. The phishers targeted Docusign users. Yesterday afternoon, Docusign confirmed that someone stole user addresses.
This is a switch from just randomly looking for victims to targeting users of a specific service.
Phishing attacks look for the weakest links to gain access to computers, information, and money. The weakest links are always humans. Phishers have adapted to security measures for the last 20 years. There is zero reason that they won’t continue to adapt.
 
 
 

Read More

Shibboleet

Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company.
In one case it was easy. I knew a number of people inside the company and knew they would take it seriously and pass it on to the folks in the best place to deal with it. I did. They did. They got their systems secured and notified customers and it was all taken care of.
Other cases aren’t as easy.
Many years ago I got mail from my credit card company to a unique address. This was long before SPF or DKIM and the mail contained links different from the company’s main domain. I called them up to see if this was real or not. They told me it wasn’t, because tier 1 support are trained to tell users everything is suspicious. Eventually, though, it became clear this wasn’t a phish, it was just bad marketing by the company.
A few years ago I reported a possible breach to representatives of a company while at a meeting. Coincidentally, the address only their company had started getting phishing and spam during the conference. I brought it up to them and followed their directions for reporting. They asserted the leak wasn’t on their end, but to this day I get multiple spams a day to that address. They claimed that the spammer was someone I was friends with on their website, but they could never quite demonstrate that to my satisfaction. I treat that site as only marginally secure and take care with the information I share.
After Target was breached they emailed me, out of the blue, to the address I use at Amazon. There was some level of partnership between Amazon and Target and it appears Amazon shared at least part of their database with Target. I talked with security folks at Amazon but they told me they had no comment.
Of course, on the flip side, I know how challenging it is to sort through reports and identify the ones that are valid and ones that aren’t. When I handled abuse@ we had a customer that provided a music sharing program. If a connection was interrupted the software would attempt to reconnect. Sometimes the connection was interrupted because the modem dropped and a new person would get the IP address while the software was trying to reconnect. This would cause a flood of requests to the new person’s computer. These requests would set off personal firewalls and they’d contact abuse to tell us of hacking. There wasn’t any hacking, of course, but they’d still argue with us. One of my co-workers had a nickname for these folks that was somewhat impolite.
We had to implement some barriers to complaints to sort out the home users with personal firewalls from the real security experts with real firewalls that were reporting actual security issues. So I get that you don’t always want or need to listen to J. Random Reporter about a security issue.
Sometimes, though, J. Random Reporter knows what they’re talking about.

Yeah, I spent the morning trying to get support at a company to connect me to security or pass a message along. Too bad there isn’t a security shibboleet.

Read More

April 2017: The Month in Email

April was a big travel month for us. I went to Las Vegas for meetings around the Email Innovations Summit and to New Orleans, where Steve spoke on the closing keynote panel for the EEC conference.
I wrote several posts this month about privacy and tracking, both in email and in other online contexts. It’s increasingly a fact of life that our behaviors are tracked, and I wrote about the need for transparency between companies and those they are tracking. More specifically, I talked about the tradeoffs between convenience and security, and how people may not be aware that they are making these tradeoffs when they use popular mailbox tools like unroll.me. The folks over at ReturnPath added a comment on that post about how they handle privacy issues with their mailbox tools.
Steve contributed several posts this month. First up, a due diligence story about how service providers might look more closely at potential customers for their messaging platforms to help curtail spam and other fraudulent activity. He also looked at the history of “/8” IP blocks, and what is happening to them as the internet moves to IPv6. Steve also added a note about his new DMARC Validation tool, which rounds out a suite of free tools we’ve made available on our site. And finally, he showcased a particularly great email subscription experience from Tor.com — have a look!
I highlighted another post about companies doing things right, this one by Len Shneyder over at Marketingland. In other best practices news, I talked about bounce handling again (I mentioned it last month too), and how complicated it can be. Other things that are complicated: responding to abuse complaints. Do you respond? Why or why not?
Our friends at Sendgrid wrote a great post on defining what spammers and other malicious actors do via email, which I think is a must-read for email marketers looking to steer clear of such activity. Speaking of malicious actors, I wrote two posts on the arrest of one of the world’s top email criminals, Peter Levashov, and speculation that he was involved in the Russian hacking activity around the US elections. We’re looking forward to learning more about that story as it unfolds.

Read More

ESPC meeting

Yesterday I had the pleasure of attending my first ESPC semi-annual meeting. I was scheduled to talk on a panel about list hygiene with a couple vendors. Because some folks didn’t make it, I also sat on the panel talking about blocklists.
It was a fun day. I got to meet and talk with some colleagues I haven’t seen in an age. And I met some new faces and had interesting interactions.
One bonus from the day is I really got the chance to talk with some of the list hygiene vendors that were on the panel with me. Afterwards, we spent a good hour just discussing the space and the players in it. I learned a lot from that conversation. Previously, I’d kept the list hygiene vendors at arm’s length. My experiences with them and with their products weren’t very positive. My experience has primarily been with clients who have used these services and not gotten what they thought they were paying for. I have also seen some internet-abusive behavior from a few. Many years ago a few of the companies approached me for deliverability advice as they were running into consistent blocking.
All of these things led me to the conclusion that it was a part of the email space I didn’t want much to do with.
Yesterday, though, I learned that there were vendors in the space that focused very much on being a net benefit to the overall network. Both Webbula and Kickbox, who were on the panel with me, have policies and processes designed to make it unattractive for spammers to sign up for their services. We did agree there were problems with some of the vendors in the space, but I realized that some is not all.
It was a good meeting, I’m glad I went.

Read More

Text to Image ratios in email

One of the questions I get from folks about delivery is what the optimal text to image ratio should be in an email. I’ll be honest, I hate this question. Why? Because the question is actually irrelevant. I’ve seen companies with a single image and no text get to the inbox. I’ve seen companies with no images get to the inbox. The text to image ratio is not going to make or break delivery.
Sending mail that the user expects and wants is the crucial part of delivery. If the user wants a single image? That’s the right ratio. If the user wants a readable message with images turned off? That’s the right ratio. Fretting about 20/80 or 18.5/81.5 or 43.256666/56.743334 is getting buried in details and missing the bigger picture.

Emails should be readable. These days, being readable on mobile is critical. This is the single best argument I can think of against one-image emails. And there are still folks who read email with images off by default. Being one of them, I think it gives me insight other delivery folks lack. If I am engaged with a brand, how do I show it outside of loading images? What kinds of things let the brand know I’m still a happy recipient?
If anyone tells you that your delivery problems are the result of a bad text to image ratio, run away. There is zero chance that’s actually true. Filters aren’t going to just look at the ratio and block ratios that fall into a certain range.
What filters are going to do is take the text to image ratio as part of the fingerprint of an email stream. They’re going to recognize certain factors about emails that users like, and factors about emails that users don’t like. Some of these factors will be things like the text to image ratio. But the “wrong” ratio isn’t why mail is being filtered. Mail is being filtered because the recipients aren’t interacting with it enough and the ratio is just one part of the way the ISP identifies it.
Stop fretting over your exact text to image ratios. The right, or wrong, ratio isn’t a true factor in delivery. Instead, focus on creating an email stream that users want, expect, and engage with. This starts with address collection, but collecting accurate addresses isn’t enough. You also need to provide value to them.
Sending mail users want is the key to reaching the inbox. Doing that takes time and investment by the sender.

Read More

Off to EEC next week

We’ll be in New Orleans next week for the EEC conference. Steve will be on the closing keynote panel talking about subscription bombing. Say hi while you’re there!
Happy Friday!

Read More

Privacy and tracking

“I can’t believe you are wearing one of those,” they said while sneering at the Pebble watch I was wearing. Yes, that’s how someone introduced themselves to me at a conference last year. Apparently, I’m not allowed to wear smartwatches, or something. It wasn’t clear what their problem was or why they thought that was a good opening line. Best I can figure, it was some commentary on the hypocrisy of me wearing a smartwatch and claiming to be pro-privacy.

Read More

Mailbox tools are a security risk

On Sunday the NYTimes published an article about Uber’s CEO. One of the pieces of information that came out of that article is that services like unroll.me sell information they scrape out of emails sent to their users.

Read More

Looking forward

I had a number of very good talks with folks at the Email Innovations Summit earlier this week. I’m still digesting it all. It’s clear that getting to the inbox isn’t a solved problem. Around a decade ago I figured that the explosion of complaint feedback loops would make my job obsolete. That more data would mean anyone could manage delivery. That’s not the case for a couple reasons. The biggest is that filters don’t look just at complaints and there aren’t FBLs for all the other factors.
For whatever reason, many companies are still struggling with delivery.
Even more interesting is how changes in filters and inboxes are making it harder to measure delivery. In some ways I feel like we’re losing ground on inbox measurement. Filters change and will keep changing, both to address emerging threats and to meet the needs and wants of subscribers. Gone are the days where  Panels have their problems. Seed lists have their problems. There’s a longer blog post here, but it’s nearly the weekend and I’ve had a long week.
Hope you have something great planned.

 

Read More

Quick Vegas trip review

Made it back from Vegas late last night. It was a great trip, even though I wasn’t officially attending the conference. I did get a chance to see old friends and meet some new people. The Women of Email board had our first in-person meeting and we’re working on some exciting things over the next few months. Our mentor program is well underway and we have been placing speakers at various conferences.
I can hardly wait to share some of what we’re doing and our plans as they finally come together. We’ve made a difference even in stealth mode, and I’m so proud of my fellow board members. They’ve done great things already, and they’re only just getting started.
One of the high points of the trip for me was dinner with an amazing bunch of women in the space.  Some I’ve known for a while, but many were new faces. It was great.
In two weeks I head to EEC to watch Steve talk about the subscription bombing problem and some of the lessons we’ve learned over the last few months.
 

Read More

Malicious email terms defined.

Legitimate mailers need to distinguish themselves from spammers. One important piece of that is knowing what spammers do. SendGrid has put together some information on common scams and techniques spammers use to get email delivered.
Some of these terms, like doxxing and swatting, are not specifically email related. However, they are used against people who are fighting abuse on the Internet. People who are actively investigating darker portions of the internet face real danger. Brian Krebs has made some of the harassment he’s received public. I know other people in the space have been harassed but don’t make it so public.
I think it’s valuable for marketers to understand the malicious and criminal end of mail. It makes some filtering decisions less random when you know the types of bad traffic that the filters are trying to stop. The SendGrid document is a fantastic first stop to learn about them.

Read More

Responding to complaints

I sent in a complaint to an ESP earlier today. This was mail from a major UK retailer to an address that is not used to sign up for mail. It’s part of an ongoing stream of spam related to UK services and products. I believe most of this is because one of the data selling companies has that address associated with someone who is not me.

I did explain I believed this was a purchased address but I’m wondering if I will get a response. The address isn’t one of those I regularly use so there isn’t a connection between “Laura, deliverability person” and “Laura, spam victim.” There are some industry folks who go out of their way to respond to my complaints. That’s always rewarding.
On a more theoretical level, I can make good arguments for responding and good arguments for not responding.

Read More

Vegas next week

All of you attending the Email Innovations Summit in Vegas, I’ll be around during the conference. Not attending or speaking this year, but I have some meetings with folks scheduled. I will also be around for the session arranged by the Women of Email, “Rumpelstiltskin Marketers.”

Read More

March 2017: The Month in Email

It’s that time again… here’s a look at our last month of blog posts. We find it useful to recap each month, both to track trends and issues in email delivery and to provide a handy summary for those who aren’t following along breathlessly every single day. Let us know if you find it useful too!

As always, I wrote about email filters. It’s so important to recognize that filters aren’t arbitrary — they’re detailed instructions that help meet specific user needs, and the more you are cognizant of that, the better you’ll be able to work with them. Additionally, filters aren’t perfect and likely never will be. False positives and false negatives are frustrating, but as long as spam is still a viable business for spammers, they’ll continue to figure out how to work around filters. As such, we can’t expect filters to be 100% accurate in determining what constitutes wanted and unwanted mail.
Part of this, of course, is due to the problem of fraudulent signups. Companies aren’t particularly vigilant about address acquisition and hygiene, and as a result, they’ll claim you “signed up” for their email when you did not. Some people believe that a confirmed opt-in (COI) will solve this problem, but our experience is companies are reluctant to leave revenue on the table, and that they will continue to mail to addresses that have not confirmed.
Address sharing and co-reg is also part of the problem. As we saw in the extensive RCM data breach, many major brands continue to work with third-party senders to send mail in ways that are quite clearly spam. And in more criminal activity, I looked at the rise of botnets and how some of those criminals were brought to justice. In other justice news, there’s been an indictment in the Yahoo breach and another CASL enforcement action.
I wrote a post about bounce handling and “relaying denied” error messages, which are quite rare. It’s useful to have an understanding of these and other error messages, since bounces are sometimes indicative of a larger technical issue, such as when AOL accidentally bounced all messages for a short period last week. Speaking of AOL, we noted that there’s no official timeline for the move from Verizon addresses to AOL addresses following the 2015 acquisition, but it may be worth considering asking your customers to update their addresses.
Spam and filters aren’t the only factors of course. It can be challenging to figure out the multiple factors that make up the black box of delivery. And of course, the most important part of delivery continues to be engagement, engagement, engagement.
I wrote a few posts this month on why I do what I do, and why it’s so important to me. First, I wrote about A Day Without A Woman, and my choice not to participate in offering advice and guidance for that day. The truth is that I enjoy sharing what I know and helping people solve problems. I was honored to be named one of 11 Innovators in Email, and I know that my volunteer work in the industry and my unpaid blogging work is a big part of that. It may sound corny, but I really do believe we are on the front lines of the fight of good vs. evil online, and despite the distractions of politics and world events, we must all continue to do our part.

Read More

Doing email right

Over on the MarketingLand website, Len Shneyder talks about 3 companies (Uber, REI and eBay) that do email right. In there he shows how the companies use email to further their business goals while understanding and meeting the needs of their customers.
Meeting the needs of recipients is the way to get your mail to the inbox. Send email that your users want, and they will tell the ISPs when they don’t get your mail. It’s sometimes hard to convince senders of this. Instead they want to tweak URLs or authentication or IPs or domains. But none of those things are what deliverability is all about. Deliverability is about the recipient. Deliverability is about the relationship between the sender and recipient.
Send to the right people – and the right people are those who have asked for and want your mail – and deliverability problems don’t materialize. Sure, every once in a while something might happen that throws mail into the bulk folder for one reason or another. But fighting to get to the inbox isn’t an every day thing. Instead, senders can focus on knowing their users and sending mail that makes them happy when it shows up in the inbox.
 

Read More

OTA joins the ISOC

The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella.
“The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.

Read More

News in the email space

Various things happening in the email space recently that are worth mentioning but don’t have enough to justify a whole blog post.
Verizon announced a new umbrella company for the AOL and Yahoo media properties, including things like Engadget and Huffington Post. Based on the various press articles I’ve seen, this doesn’t appear to affect the email handling for either set of domains.

Read More

Fraudulent signups or spam?

This morning I got spam from a major data broker / ESP / credit reporting agency claiming I’d signed up on some college website. In the UK. To check my credit score.
Uh. No. No I didn’t.
Of course, it’s very possible someone did use my email address when signing up for something at a UK university. They probably got a t-shirt or free pizza out of it. But that doesn’t really matter to me. A certain credit agency is spamming me with irrelevant and horribly targeted advertisements for their services and claiming the mail is opt in.
I know that address is widely sold in the UK to “legitimate” marketers. It’s very possible that it was purchased by the spammer in question. Or, I dunno, maybe they’re the ones selling it. As a victim, I don’t really care why a company is spamming me.
Part of a sender’s job is to make sure their data is accurate. And they failed.
But for this particular company, that’s par for the course. When I posted about this over on Facebook, I had multiple friends pointing out that this company regularly spams and sells spamming services.
Spammers gonna spam.
 

Read More

AOL accidentally hard bounces valid mail

Last night (Mar 29, 2017) between about 8pm Eastern and 9:30pm Eastern AOL suffered a technical issue. Every email sent to them received a “Recipient address rejected” reply. One example of the error message:
Mar 29 20:45:12 p2-lvmail11 lsb1-99-208-250/smtp[22251]: A88DFC2DBE9: to=<redacted@aol.com>, relay=mailin-01.mx.aol.com[64.12.91.195]:25, delay=0.18, delays=0.01/0/0.14/0.03, dsn=5.1.1, status=bounced (host mailin-01.mx.aol.com[64.12.91.195] said: 550 5.1.1 <redacted@aol.com>: Recipient address rejected: aol.com (in reply to RCPT TO command))
The issue was brought to AOL’s attention and things were fixed rapidly after that. An AOL representative has stated that these were invalid replies and that addresses do not need to be removed from future emails.
Most of the ESPs are aware of this and are working to restore any bounced addresses to their users. At some places this requires manual intervention, so it’s taking some time to get all the addresses restored.
This is one of the reasons that our best bounce handling recommendations are not to remove an address for a single bounce – sometimes the ISPs have technical problems. Like the time a routing failure meant a major ISP’s MX machines couldn’t reach their authentication servers to get the list of active users. Or the time all of an ISP’s MXs were removed from DNS. A lot of the internet is still managed manually, and despite extensive safeguards put in place, bad things can, and do, still happen. Usually these problems are resolved quickly and mail starts flowing again.
Morning advice: Do not deactivate addresses that bounced at AOL last night.
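One way to apply that bounce handling advice to delivery logs, as an added example (not code from this blog or from any ESP): parse log lines in the layout quoted above, hold back hard bounces that arrive during a window in which nearly every attempt to one domain was rejected, and suppress only addresses that hard bounce on several separate days. The thresholds, function names and sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix-style delivery line, in the layout of the example quoted above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+:\s+(?P<qid>[0-9A-F]+):\s+"
    r"to=<(?P<rcpt>[^>]+)>,\s+relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+),\s+status=(?P<status>\w+)"
)

# Assumed policy thresholds (not from the post): tune to your own traffic.
WINDOW_MINUTES = 30      # bucket size for per-domain bounce rates (divides 60)
MIN_ATTEMPTS = 10        # windows with fewer attempts are too small to judge
INCIDENT_RATE = 0.9      # share of hard bounces that suggests a receiver fault
SUPPRESS_AFTER_DAYS = 3  # distinct days with a hard bounce before suppression


def parse_line(line, year=2017):
    """Return a dict for one delivery log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    rcpt = m["rcpt"].lower()
    hard = m["status"] == "bounced" and m["dsn"].startswith("5.")
    return {"ts": ts, "rcpt": rcpt, "domain": rcpt.rsplit("@", 1)[-1],
            "dsn": m["dsn"], "hard": hard}


def window_key(ev):
    """Bucket an event by recipient domain and WINDOW_MINUTES time slot."""
    minute = ev["ts"].minute // WINDOW_MINUTES * WINDOW_MINUTES
    return ev["domain"], ev["ts"].replace(minute=minute, second=0)


def triage(lines):
    """Split hard-bounced recipients into 'hold' (bounced during a suspected
    receiver-side incident) and 'suppress' (repeated bounces outside one)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    totals, hards = defaultdict(int), defaultdict(int)
    for ev in events:
        totals[window_key(ev)] += 1
        hards[window_key(ev)] += ev["hard"]
    incidents = {k for k, n in totals.items()
                 if n >= MIN_ATTEMPTS and hards[k] / n >= INCIDENT_RATE}

    hold, bounce_days = set(), defaultdict(set)
    for ev in events:
        if not ev["hard"]:
            continue
        if window_key(ev) in incidents:
            hold.add(ev["rcpt"])          # do not count this bounce at all
        else:
            bounce_days[ev["rcpt"]].add(ev["ts"].date())
    suppress = {r for r, days in bounce_days.items()
                if len(days) >= SUPPRESS_AFTER_DAYS}
    return {"incidents": incidents, "hold": hold - suppress, "suppress": suppress}


def sample_line(day, hhmmss, rcpt, dsn, status, text):
    """Build a constructed log line in the same layout as the quoted example."""
    domain = rcpt.split("@")[1]
    return (f"Mar {day} {hhmmss} mta1 out/smtp[1234]: ABCDEF01234: to=<{rcpt}>, "
            f"relay=mx.{domain}[192.0.2.10]:25, delay=0.18, "
            f"delays=0.01/0/0.14/0.03, dsn={dsn}, status={status} ({text})")


# Constructed sample data; the domains and addresses are placeholders.
SAMPLE = (
    # Receiver-side fault: every recipient at one domain rejected within minutes.
    [sample_line(29, f"20:45:{i:02d}", f"user{i}@isp.example", "5.1.1", "bounced",
                 "550 5.1.1 Recipient address rejected") for i in range(20)]
    # A genuinely dead address: hard bounces on three separate days.
    + [sample_line(d, "09:00:00", "gone@shop.example", "5.1.1", "bounced",
                   "550 5.1.1 User unknown") for d in (27, 28, 29)]
    # Normal delivery to the same domain.
    + [sample_line(29, "09:00:05", "ok@shop.example", "2.0.0", "sent", "250 2.0.0 OK")]
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("suspected incidents:", sorted(result["incidents"]))
    print("held for review:", len(result["hold"]))
    print("suppress:", sorted(result["suppress"]))
```

Addresses in the hold set are candidates for restoring or retrying once the receiver confirms the rejections were invalid.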
 

Read More

What about the botnets?!

Botnets are a huge problem for a number of reasons. Not only are they used to send spam, they’re also used in criminal activities. One of the major challenges in dealing with botnets is finding and stopping the people who create and use them. Why? Because the internet is global and crime tends to be prosecuted within local jurisdictions.

Read More

Truth of Consequences

“If you want to use another means that violates the law, and every common definition of “spam”, then by all means, go ahead. You can enjoy fines and being added to the ROKSO database,” says a comment on my recent COI blog post. It’s both disconcerting and entirely predictable.

My post was a discussion of what to do with addresses that don’t confirm. Data tells us that there is some value in those addresses – that there are people who won’t confirm for some reason but will end up purchasing from an email. Using COI leaves some fraction of revenue on the table as it were. My post was a short risk analysis of things to think about when making decisions about continuing to mail to people who don’t confirm.
Mentioning COI often brings the only-COI-mail-is-not-spam zealots out of the woodwork, as it did in this case. In this case, we have the commenter first asserting that failure to do COI is a violation of CAN SPAM (it’s not). When this was pointed out, he started arguing with two people who have been actively fighting spam for 20 years (including running a widely used blocklist). Finally, he ends up with the comment asserting that anyone not using COI will end up on ROKSO. It’s as if he thinks that statement will scare other commenters into not having opinions. It can’t because everyone in the discussion, except possibly him, knows that it’s not true.
The worst problem with folks like the commenter is that they think asserting horrible consequences will make people cower. First off, people don’t react well to threats. Secondly, this is a hollow threat and most people reading this blog know it.
There are millions of mailing lists that are not using COI and have zero risk of ever getting on ROKSO. The only thing hollow threats do is make people not pay attention to what you have to say. Well, OK, and have me write a blog post about how those threats are bad because they’re completely removed from reality.
Exaggerating or lying about consequences is not just wrong, it’s stupid. “Do this or else BAD THING,” is awesome, up until someone decides they’re not going to do this and the bad thing never happens. It makes people less likely to pay any attention to you in the future. It certainly means your opinions and recommendations are not going to be listened to in the future.
I probably go too far the other direction. I can spend too much time contextualizing a recommendation. It’s one of the things I’m trying to get better about. No, client doesn’t need a 4 page discussion of the history of whatever, they just need 2 lines of what they should do. If they need the context, I can provide it later.
In order to effectively modify behavior, consequences have to be real. Threats of consequences are meaningless. Any toddler knows this, and can quite accurately model when mom means it and when she’s just threatening.
Risk analysis is not about modifying behavior. It’s about analyzing a particular issue and providing necessary information so the company taking action understands potential consequences and the chance those risks will happen. The blog post about COI was not intended to modify anyone’s behavior. I know there are companies out there successfully maintaining two mail streams: one COI and one not. I know there are other companies out there successfully mailing only single opt-in mail. I know there are companies with complex strategies to verify identity and address ownership. And I smile every time I walk into a retail store and they ask me if my email address is still X and if I want to make any changes to it.
Lying about consequences does nothing to modify behavior. All it does is diminish the standing and audience of the liar. Be truthful about the consequences of an action or lack of action. Don’t make up threats in order to bully people into doing what you think is right. Sooner or later they’re going to realize that you don’t know what you’re talking about and start to ignore you.

Read More

Security, safety and the cavalry

In some ways it’s been really hard to focus on email for the last few months. There are so many more important issues in the world. Terrorism, Brexit, the US elections compromised by a foreign government, nuclear threats from multiple countries, the repeal of ACA, mass deportations and ICE raids here in the US.  I find myself thinking about what to blog. Then I glance at the news and wonder if there’s any value in another blog post about deliverability.
Generally I’ve tried to keep politics and world events mostly off the blog. But sometimes events are such that I need to talk about them.
Last October I had the chance to speak at the Email Innovations Summit in London. Steve and I took the chance to spend some time doing tourist things in London – including a photo walk along the Thames.

As an American I’m always a little surprised by the security in London. I grew up a few miles outside of DC. I could talk about prohibited airspace and security measures before I was 10. London is so much more open than even the DC of my youth. The surprise there is that London has been a much bigger target and attacked more than any city in the US.
The last few times we were in London I noticed a bit more visible security. In 2013 it was armed security walking through Tube stations. Last year it was Underground trains that were one long car. They were a bit weird and visually disconcerting. The part that really made me think, though, was this was a way to stop people hiding explosives between cars and to facilitate evacuations if something happened.
Last night Steve and I were talking and I mentioned the attack in London didn’t seem like terrorism to me. And it didn’t, not really. He then pointed out that explosives and guns are difficult to come by in the UK and this was classic terrorism. Oh. Sometimes our cultural differences come out in the strangest places.
Thinking about bigger issues like this makes it hard to focus on email. There’s a regularly shared joke in deliverability, “There’s no such thing as a deliverability emergency.” And there isn’t, not really. Yes, even if a whole range of IPs is listed on Spamhaus, it’s still not an emergency and there’s no fast response team to deal with it.
There are abuse issues that are higher stakes than getting to the inbox. Child abuse materials. Harassment. Privacy issues. Terror threats. Every online services company, particularly the social media companies, has to deal with these kinds of things. Many of them are dealing poorly. Others have employees who are doing their best, but lack the tools, support, and training to do it well. Many companies don’t understand why they need to police their customer base.
The reality is, though, that abuse on the net (as opposed to abuse of the net) is a huge issue that needs to be dealt with. These are not small issues. The Internet is global and there’s no internet police. Law enforcement in different jurisdictions have to work together with technology experts to address crime and harassment on the internet.
It may surprise you to hear that the people who create spam filters and try to protect your inbox are the same people who fight crime on the internet. Spam and email are a vital part of online crime, so it falls on the abuse team to work with and educate law enforcement about tracing the source of email. The people you never see in ops, abuse and support are vital to protecting folks online.
During the closing talk at MAAWG the chair was discussing how we can protect our online spaces. He stated “There is no cavalry; no second wave. It’s us or no one.” That’s a huge thing. My friends and colleagues are the people who stand protecting users online. It feels like a huge burden, but it’s something we can do to make the world a better and safer place.
 
 

Read More

Spam complaints… ish


I know a lot of folks working at ESPs. For those I know well, I will usually send in reports. Sometimes they’re not spam reports per se. Often it’s just “hey, this sender shouldn’t have my address, might want to poke them.”
Sometimes it’s even more specific. A few years ago I spoke at a user conference for an ESP. I stayed at the hotel for one night, and the hotel now has my email address. Not a big deal, they’re on the coast and an easy drive from here. They’ll run specials for the locals, and I like it.
Enter in hotel B. I’ve never stayed at hotel B. I’m not sure who hotel B is. They’re also local and may be the same management. I don’t know. They sent me email to the address I’ve only given to hotel A. Not only that, the message is completely unreadable. Dark blue on brown… not exactly a great design choice.
I wasn’t going to send anything in to the ESP, but then I noticed that at the bottom of the email there is a notice that says “This email was sent to: %%emailaddr%%.” That looks suspiciously like this was an accidental send. The ESP folks there are colleagues, so I sent them an email into abuse@.

Read More

11 Innovators in the Email Game

Today AWeber published a link to 11 innovators in email marketing. I’m honored to be one of them.
I don’t really think of myself as a marketer, I’m a delivery person. My job, really, is to help clients devise email strategies (and overall digital marketing strategies) that result in inbox delivery. When I started, there were some significant divides between email marketing and deliverability. Often what was good marketing strategy was bad deliverability strategy. That’s not as true as it once was and now good deliverability advice is good marketing advice.
Thanks, AWeber!

Read More

Indictments in Yahoo data breach

Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo’s servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals.
Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.

Read More

Engagement, Engagement, Engagement

I saw a headline today:
New Research from Return Path Shows Strong Correlation Between Subscriber Engagement and Spam Placement
I have to admit, my first reaction was “Uh, Yeah.” But then I realized that there are some email marketers who do not believe engagement is important for email deliverability. This is exactly the report they need to read. It lays out the factors that ISPs look at to determine if email is wanted by the users. Senders have to deal with vague metrics like opens and clicks, but the ISPs have access to user behavior. ISPs can see if mail is replied to, or forwarded or deleted without reading. They monitor if a user hits “this-is-spam” or moves the message to their junk folder. All of these things are signals about what the users want and don’t want.
Still, there are the folks who will continue to deny engagement is a factor in deliverability. Most of the folks in this group profit based on the number of emails sent. Therefore, any message about decreasing sends hurts their bottom line. These engagement deniers have set out to discredit anyone who suggests that targeting, segmentation or engagement provide for better email delivery and getting emails to the inbox.
There’s another group of deniers who may or may not believe engagement is the key to the inbox, but they don’t care. They have said they will happily suffer with lower inbox delivery if it means they can send more mail. They don’t necessarily want to discredit deliverability, but they really don’t like that deliverability can stop them from sending.
Whether or not you want to believe engagement is a critical factor in reaching your subscribers, it is. Saying it’s not doesn’t change the facts.
There are three things important in deliverability: engagement, engagement, engagement.

Read More

Blackboxes and unknown effects

In my previous career I studied the effect of alcohol on developing embryos. It’s a bit weird I ended up in that field because embryological development always seemed too complex to me. And it was and is complicated. In a lot of ways, though, it was good training for deliverability. We dealt with a lot of processes that seem, on the surface, straightforward.
Fertilization happens, then you get a flat group of cells, those cells fold up into the neural tube, cells migrate around, things happen, limbs form, organs form and 21 days later you have a fluffy little chick.
The details in all those steps, though. They’re a bit more complicated, looking something like this:
There are lots of different things going on inside the embryo to take it from a single cell up to a complex multicellular being. Genes turn on, genes turn off at different times in development, often driven by overlapping concentration gradients. Genes turn each other and themselves on and off. It’s complex, though, and there are things that happen that we don’t quite understand and have to black box. “If I add this protein, or take this gene and that gene away… what happens?”
A lot of that is like what email reputation is these days. There isn’t one factor in reputation, there are hundreds or thousands. They interact with each other, sometimes turning up reputation, sometimes turning down reputation. We figure this out by poking at the black box and seeing what happens. Unlike development, though, delivery rules are not fixed. They are changing along the way.
It’s not simple to explain delivery and how all the moving parts interact with each other. We don’t always know that doing A will lead to X. Because A -> X is not a straight line and there are other things that impact that line. Those other things also impact A, X and each other.
Delivery is a tangled web. On the surface it seems simple, but when you start peeling back the layers you discover the jumble of factors that all interact with each other. It’s what makes this a challenging field for all of us.

Read More

International Women's Day

Today is International Women’s Day. In recognition of this day, there has been a call for a general woman’s strike. I thought long and hard about how I would participate in this event. Even yesterday I had no clear view of whether or not I would be working today.
As a self-employed woman, me not working today only hurts me and my clients. There’s no one to leave work for, I either do it before or after. It’s got to get done and it’s my responsibility to do it. But at the same time, I recognize the unpaid and underpaid work most women do and fully support the strike.
After much thought, I decided that my contribution to the strike would be to do what I needed to do for work. But that I would remove myself from public conversations about email today. I spend quite a bit of my time doing unpaid work that supports the email industry: standards work, answering questions in various fora, supporting different initiatives, writing documents, blogging about industry events. I won’t be doing any of that work today.
Yes, there are questions I could answer, advice I could give, industry events that I have comments and insight on. But today, today I’m not going to do any of that.

Read More

Verizon changes but no time line

Yesterday there was a lot of talk about Verizon moving out of email and transitioning all their customers over to the AOL backend.  The source was a page in the Verizon help center about transitioning an email address. There is no date on the page, so it’s unclear when this is going to happen or when it started.
I posted about Verizon beginning this transition back in May of 2016: Changes coming to Verizon email. The wording on the AOL page I link to is very similar to the wording on the page that was passed around yesterday.
Without a date it’s hard to really provide any advice, other than to maintain your list hygiene (you do have list hygiene programs, right?) and remove addresses that hard bounce. Quite honestly, I don’t think this will really have any effect on delivery. It doesn’t appear these changes are happening all at once, and Verizon customers have the option to keep their verizon.net address. They’re just going to have to access it differently.
For companies that use an email address as a primary key for logins or accounts, it’s probably a good time to contact customers with a verizon.net address and ask them to update their address. That’s a good idea most of the time, but when we know changes are happening at a domain level, it’s a requirement.

Read More

Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update 2019: both articles are gone; a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire) This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).

There are a couple interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:

Read More

February 2017: The Month In Email

Happy March!

As always, I blogged about best practices with subscriptions, and shared a great example of subscription transparency that I received from The Guardian. I also wrote about what happens to the small pool of people who fail to complete a confirmed opt-in (or double opt-in) subscription process. While there are many reasons that someone might not complete that process, ultimately that person has not given permission to receive email, and marketers need to respect that. I revisited an older post on permission which is still entirely relevant.
Speaking of relevance, I wrote about seed lists, which can be useful, but — like all monitoring tools — should not be treated as infallible, just as part of a larger set of information we use to assess deliverability. Spamtraps are also valuable in that larger set of tools, and I looked at some of the myths and truths about how ISPs use them. I also shared some thoughts from an industry veteran on Gmail filtering.
On the topic of industry veterans, myths and truths, I looked at the “little bit right, little bit wrong” set of opinions in the world of email. It’s interesting to see the kinds of proclamations people make and how those line up against what we see in the world.
We attended M3AAWG, which is always a wonderful opportunity for us to catch up with smart people and look at the larger email ecosystem and how important our work on messaging infrastructure and policy really is. I was glad to see the 2017 Mary Litynski Award go to Mick Moran of Interpol for his tireless work fighting abuse and the exploitation of children online. I also wrote about how people keep wanting to quote ISP representatives on policy issues, and the origin of “Barry” as ISP spokesperson (we should really add “Betty” too…)
Steve took a turn as our guest columnist for “Ask Laura” this month with a terrific post on why ESPs need so many IP addresses. As always, we’d love to get more questions on all things email — please get in touch!

Read More

Policy is hard

We’re back at work after a trip to M3AAWG. This conference was a little different for me than previous ones. I spent a lot of time just talking with people – about email, about abuse, about the industry, about the ecosystem. Sometimes when you’re in a position like mine, you get focused way too much on the trees.

Of course, it’s the focusing on the trees that makes me good for my clients. I follow what’s going on closely, so they don’t have to. I pay attention so I can distill things into useable chunks for them to implement. Sometimes, though, I need to remember to look around and appreciate the forest. That’s what I got to do last week. I got to talk with so many great people. I got to hear what they think about email. The different perspectives are invaluable. They serve to deepen my understanding of delivery, email and where the industry is going.

One of the things that really came into focus for me is how critical protecting messaging infrastructure is. I haven’t spoken very much here about the election and the consequences and the changes and challenges we’re facing. That doesn’t mean I’m not worried about them or I don’t have some significant reservations about the new administration. It just means I don’t know how to articulate it or even if there is a solution.
The conference gave me hope. Because there are people at a lot of places who are in a place to protect users and protect privacy and protect individuals. Many of those folks were at the conference. The collaboration is still there. The concern for how we can stop or minimize bad behavior and what the implications are. Some of the most difficult conversations around policy involve the question of who this will affect. In big systems, simple policies that seem like a no-brainer… aren’t. We’re seeing the effects of this with some of the realities the new administration and the Republican leaders of Congress are realizing. Health care is hard, and complex. Banning an entire religion may not be a great idea. Governing is not like running a business.
Talking with smart people, especially with smart people who disagree with me, is one of the things that lets me see the forest. And I am so grateful for the time I spend with them.

Read More

Naming Names

One of the things that regularly happens at email conferences is a bunch of representatives from various ISPs and sometimes deliverability companies get up on stage and entertain questions from the audience about how to get email to the inbox. I’ve sat in many of these sessions – on both sides of the stage. The questions are completely predictable.
Almost invariably, someone asks if they can quote the ISP representative, because there is this belief that if you connect a statement with an employee name that will give the statement more weight. Except it doesn’t really. People who aren’t going to listen to the advice won’t listen to it even if there are names attached.
A lot of what I publish here is based on things the ISP reps have said. In some cases the reps actually review and comment on the post before I publish it. I don’t really believe attaching names to these posts will make them any more accurate. In fact, it will decrease the amount of information I can share and will increase the amount of time it takes to get posts out.
Last night I was joking with some folks that I should just make up names for attribution. Al did that many years ago, coining the pseudonym Barry for ISP reps. Even better, many of the ISP employees adopted Barry personas and used them to participate in different online spaces. Barry A. says X.  Barry B. says Y.  Barry C. says W. Barry D.
It doesn’t matter what names I attach.
I think I’m going to start adding this disclaimer to the appropriate blog posts:
Any resemblance to persons living or dead should be plainly apparent to them and those that know them. All events described herein actually happened, though on occasion the author has taken certain, very small, liberties with narrative.
Because, really.
 

Read More

Network Abuse

Many years ago, back when huge levels of spam involved hundreds of thousands of emails, there was a group of people who spent a lot of time talking about what to do about abuse. One of the distinctions we made was abuse of the net as opposed to abuse on the net. We were looking at abuse of the network, that is activity that made the internet less useable. At the time abuse of the network was primarily spam; sure, there were worms and some malicious traffic, but we were focused on email abuse.
In the last 20 years, multiple industries have arisen around network abuse. I’m sitting at a conference with hundreds of people discussing how to address and mitigate abuse online. In the context of the early discussions, we’re mostly focused on abuse of the network, not abuse on the network.
But abuse on the network is an issue. It’s a growing issue, IMO. The internet has contributed to the rise and normalization of the alt-right. Social media is a medium used for abuse on the net. Incidents range from bullying of school kids to harassment of celebrities to sharing of child abuse material. All of these things are abuse on the net. They are an issue. They need to be addressed.
Today M3AAWG gave the 2017 Mary Litynski Award to Mick Moran from Interpol for his work in fighting child exploitation and abuse on the net. As I tweeted during the session, I have a phenomenal amount of respect for Mick and people like him who work tirelessly to protect children online. I don’t talk much about child abuse materials*, but I know the problem is there and it’s bad.

One of the discussions I’ve had with some folks lately is how we can better fight abuse on the net. Many of the tools we’ve built over the years are focused on volume – more complaints mean a more serious incident. But in the case of abuse on the net, or who is wrong, volume isn’t really an issue. It’s a hard problem to solve. It’s easy to create a system that lets the good guys get information, but it’s hard to create a system that also keeps the bad guys out and prevents gaming and is effective and values single complaints of problems.
Folks like Mick, and the abuse teams at ISPs all over the world, are integral to finding and rescuing abused and exploited children. Their work is so important, and most people have no idea they exist. On top of that, the work is emotionally difficult. Some of my friends work in that space, dealing with child abuse materials, and all of them have the untold story of the one that haunts them. They don’t talk about it, but you can see it in their eyes and faces.
We can do better. We should do better. We must do better.
 
*Note: Throughout this post I use the term “child abuse materials” to describe what is commonly called child pornography. This is because porn isn’t necessarily bad nor abusive and the term child porn minimizes the issue. It’s important to make it clear that children are abused, sometimes for years, in order to make this material. 

Read More

It's that time of year again!

That time of year when my friends and colleagues join the annual migration to San Francisco for 3 days and 4 nights of messaging, mobile, malware, and midnight meetings. We’re headed up to the conference later today. Do stop by and say hi!

Read More

Truth, myths and realities

For a long time it was a known fact that certain ISPs recycled abandoned addresses into spamtraps. There were long discussions by senders about this process and how it happened. Then at a conference a few years ago representatives of ISPs got up and announced that they do not recycle addresses. This led to quite a bit of consternation about how deliverability folks were making things up and were untrustworthy and deceptive.

In the early 2000’s ISPs were throwing a lot of things at the wall to deal with mail streams that were 80 – 90% bulk. They tried many different things to try and tame volumes that were overwhelming infrastructure. ISPs did try recycled traps. I know, absolutely know, two did. I am very sure that others did, too, but don’t have specific memories of talking to specific people about it.
At that time, a lot of deliverability knowledge was shared through word of mouth. That turned into a bit of an oral history. The problem with oral history is that context and details get lost. We can use the story of the ISP that did/did not recycle traps as an example.
Deliverability folks talk about an ISP that recycles traps. They don’t mention how often it happens. Some folks make the assumption that this is an ongoing process. It’s not, but anyone who knows it’s not risks violating confidences if they correct it. Besides, if senders believe it’s an ongoing process maybe they’ll be better behaved. Eventually, the story becomes all ISPs recycle traps all the time. This is our “fact” that’s actually a myth.
Then an ISP employee goes to a conference and definitively states they don’t recycle traps. I believe he stated the truth as he knows it to be. That ISP moved on from recycled traps to other kinds of traps because there were better ways to monitor spam.
We were talking about this on one of the deliverability lists and I told another story.
[ISP] recycled addresses once – back when JD was there which must have been, oh, around 2005/6 or so. I heard this directly from JD. It wasn’t done again, but a whole bunch of people just assumed it was an ongoing thing. Since my knowledge was a private conversation between JD and me, I never felt comfortable sharing the information. Given the circumstances, I’ve decided it’s OK to start sharing that end of the story a little more freely.
No one set out to create a myth, it just happened. No one intended to mislead. But sometimes it happens.

Read More

Gmail filtering in a nutshell

Gmail’s approach to filtering, as described by one of the old timers. This person was dealing with network abuse back when I was still slinging DNA around as my job and just reading headers as a hobby.

Read More

Fun with opinions

Over the last few weeks I’ve seen a couple people get on mailing lists and make pronouncements about email. It’s great to have opinions and it’s great to share them. But they’re always a little bit right… and a little bit wrong.

Read More

January 2017: The Month in Email

Between client work and our national political climate, it’s been a very busy month around here and blogging has been light. Things show no sign of slowing down in February, so we’d love to hear from you with questions and suggestions of what you’d most like to see us focus on in our limited blogging time this month. We got a great question about how senders can access their Google Postmaster tools, and I wrote up a guide that you might find useful.

We’re also revisiting some older posts on often-requested topics, such as spamtraps, so feel free to comment below if there are topics you’d like us to address or update. One topic that comes up frequently, both on the blog and in our consulting practice, is about what to do when you’re on a blocklist. I revisited an old-but-still-relevant post on that topic as well.
On the Best Practices front, I wrote about how brands can use multiple channels to connect with customers and prospective customers to promote and enhance email delivery. I also took a moment to look back over 2016 and forward to 2017 in the realm of email security.
I continue to be annoyed by B2B spam, and have started responding to those “requests” for my time directly. Steve also wrote a long post about B2B spam, focusing on how these spammers are using Google and Amazon to try to work around reputation issues.
In case you missed it, I contributed some thoughts to a discussion on 2017 email trends over at Freshmail with my exhortation to “Make 2017 the year you turn deliverability into a KPI.”
I’m also still in the process of completing my 2017 speaking schedule, so I’m looking for any can’t-miss conferences and events you’d recommend. Thanks for keeping in touch!

Read More

What about the spamtraps?

I’ve been slammed the last few days and blogging is that thing that is falling by the wayside most. I don’t expect this to change much in the very short term. But, I do have over 1200 blog posts, some of which are still relevant. So I’ll be pulling some older posts out and sharing them here while I’m slammed and don’t have a lot of time left over to generate new content.
Today’s repost is a 2015 post about spamtraps.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …

Read More

Conferences and Events?

What are readers’ favorite conferences and events around email and marketing? I’m starting to plan out my schedule for this year. I did a lot of talks at familiar places last year, and I’m looking to find some new places.
Tell me your favorite conferences in the comments.
 

Read More

Use all the channels

One of the hardest deliverability situations to address is when all mail from a certain sender is going to the bulk folder. I’ve had numerous clients come to me to address this situation over the years. Ideally, clients come to me before all their mail is going to bulk. Then we can make some tweaks and changes to their mail program, repair the reputation and then recover other addresses. We have knobs we can twist to fix things if some people are still getting messages in their inbox. We have data to measure.
When all mail is going to bulk, though, we lose access to the knobs and the data. There are zero complaints if mail is going to bulk. There are no opens or clicks, because many ISPs disable images and links in the bulk folder. Our normal “fixing reputation” tools are taken away from us.
Senders with all their mail going to bulk are faced with a profound challenge. How can they engage customers who are unengaged and who are not seeing mail at all? How can we fix deliverability when our normal tools and metrics are unavailable?
If we can get even a small percentage of recipients to go pull mail out of bulk or spam and move it to their inbox, then we’re well on our way to repairing reputation. But how can we get them to go look for the mail in the bulk folder? Recent Litmus research suggests that a significant percentage of folks regularly check their spam folder, but this isn’t always enough to repair reputation.
The question becomes how can the senders encourage recipients to go digging through their spam folder. 
This is the point where I start quizzing clients on what other channels they use to communicate with their customers. I’ll run through the whole list: social media, snail mail, push notices through apps, SMS, website popups, Facebook ads. I work with them to identify users who are engaged with their brand and brainstorm ways to get those users to look for mail.
I’m always pleased to see large brands using these strategies. Just recently Blizzard used twitter to communicate with their users about email problems. They tweeted:
[Image: Blizzard tweet]
The link takes you to the Blizzard support site, where they give specific instructions on how to whitelist mail and what mail to whitelist.

Read More

One way to deal with B2B spam

We’ve been talking a lot about B2B spam recently. I’ve posted repeatedly, Steve wrote a post about it yesterday. It’s in the forefront of our minds because we’re dealing with just so much of it. Multiple emails a day asking for “just 10 minutes of your time.” Of course, the 10 minutes isn’t really just 10 minutes. Sure, the call might be 10 minutes, but there’s overhead to that call that will probably eat 20 – 30 minutes of time. That’s at best.
Because they’re using providers who don’t notice or don’t care about the spam, there’s little to be done. No one is going to stop them from mailing me. They are required to comply with the law, but 99% of the mail doesn’t. Which gave me an idea.
I’ve started replying to every incident of “just 10 minutes of your time” with a pleasant email thanking them for their interest in our CAN SPAM verification program. I point out that I have noticed at least one violation and we’re happy to consult with them on how to fix it for a fee.
Wait? You mean they’re not interrupting my time simply to receive a sales pitch? Well. Gee. I’m just replying to them.
It seems petty, but we’re less than 2 weeks into 2017 and I already have over a dozen of these “one time” emails. If history tells me anything, these same people will follow up in a week, and then 2 weeks, and then a month. Meanwhile, new people are going to be sending me a request for 10 minutes of my time, and their followups and in a month I’ll be getting a dozen emails a week. In two months I’ll be getting 2 dozen. In 3 months it will be 4 dozen.
And, yeah, most of these messages do violate CAN SPAM. Most of them by not including an unsubscribe link, which makes getting the mail to stop a challenge. There’s no way to unsubscribe, so it’s either answer it or just keep getting contacted. I wrote last year about the woman who continued to email me for months. She even announced she was going to call 911 because clearly I was injured and unable to answer her mail. Multiple times she promised to stop mailing me, but never did.
I do feel bad for many of these senders. They’ve been sold on a prospecting tool by vendors who fail to provide them with a minimal level of guidance. Even just mentioning that there are laws regulating email, and they should comply with them would be better than nothing.
In many ways I find this kind of spam more annoying than the viagra or the malware that ends up in my mailbox. Those can be selected and deleted pretty easily. These, however, have subject lines that look just like my legitimate business mail. I have to read them and figure stuff out. It’s a total PITA.
EDIT: And it’s not even effective according to some experts.

Read More

Google and Amazon and B2B spam

Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.
Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.
They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.
Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.
Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows, mail from new network space is treated with suspicion, and as they’re continually moving, their mail won’t reach the inbox much.
Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.
What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…
As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them, flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.
If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.
Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.
They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.
Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.
And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.
I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.
Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …

Read More

AOL FBL change

Reminder for folks, AOL is changing their FBL from address starting on Jan 17th.
The (in)famous scomp@aol.net is going away, to be replaced by fbl-no-reply @ postmaster.aol.com. These messages will be signed with the d= mx.postmaster.aol.com.
Time to update your scripts!

Read More

If I can't tell, it's spam

Judging by the amount of B2B spams I’ve gotten this past week, a number of businesses got bright, shiny new email programs for Christmas. “Like to set up a call with you…” “Just need 10 minutes of your time to explore…” “Love to jump on a call and tell you about our product…”
That’s just the mail that comes into my personal address. There’s also a raft of mail coming into our contact address. The majority of those are trying to sell me FB or Twitter followers, although Instagram is rising in the ranks. Some of those messages are kinda funny, though. They try so hard to pretend there’s a real person who really did look at our website and who really has a comment.
Most of the time it’s pretty obvious that it’s not from a human. But every once in a while a message comes in that might be from a real person. I’ve finally decided that if I have any question if a message was written by a human or a bot, it will be treated as written by a bot.
Unfair? Maybe. But I’m a small business owner and a consultant; I don’t have tons of spare time to sit around letting folks pitch me on their business. I don’t think I’m actually that unusual when it comes to entrepreneurs. We’re busy, we don’t like distractions and we go out and search for the things we actually do need.

Read More

Sharing access to Google Postmaster Tools

As a delivery consultant, I always ask clients to share their Google postmaster reports with me. As Gmail is one of the bigger delivery challenges for a lot of senders, having access to the postmaster tools helps tease out issues. I had some issues earlier this week getting access to tools and so brought up a conversation on one of the delivery lists. The nice folks there helped me get it solved.
A few hours later someone asked me how do I get access and I thought that was a brilliant idea for a blog post today.

Read More

December 2016: The Month in Email

Happy New Year! We’re looking forward to some interesting new projects this year, both for our clients and for Word to the Wise. Stay tuned!
December was a slow month for blogging, with everything going on. But we’re back on the horse now and ready to blog for 2017.
List and subscription management continue to be hot topics, especially in the wake of the listbombing attacks earlier this year. Earlier this month, I presented a webinar on listbombing for the EEC and DMA to review the attacks and discuss best practices for companies to manage subscriptions. For Ask Laura, I wrote about the unsubscribe process and how senders can best manage those requests to keep their lists current and compliant.
With all the holiday mail flying around, Steve wrote up a good post about the challenges of DNS hosting and issues customers may have reaching your site. He also wrote about canonicalization, a process for comparing things to see if they are the same, which is useful for understanding how messages change during the delivery process. It’s important to understand how this works with DKIM, as that process specifically looks at changes to messages in delivery to validate them.
I wrote a post about how delivery at Gmail is a bit different from other mail providers, which can lead to intermittent delivery problems, and got some useful information in the comments about some upcoming process changes. And as always, unwanted email is SPAM. It doesn’t matter if you call it outreach or prospecting, or “here’s something you might find interesting!” Still SPAM.

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all, of the major breaches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks. We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More

It's that time of year

I’m winding down blogging through the next week or so. I have a lot to say and blog about in the coming year, but I don’t think I’m alone in saying good bye and good riddance to 2016.
Happy Holidays to everyone, whatever events you may celebrate. I have to admit, it doesn’t feel very holiday around here. Part of that is we cut the cord a few months ago and we’ve not been subjected to the unending stream of Nutcracker music during commercials.  We’ve also not been volunteering as stage crew for the local ballet school’s Nutcracker performance. There’s a definite dearth of Nutcracker music, which makes it seem less like the holiday season.
We did get our tree up this past weekend. I’ve got to admit, I’m really impressed with the camera in my iPhone 7. It makes our tree look very festive (with a little help from Luminar).
Happy Holidays and a bright, shiny new year.

Read More

Poor delivery at Gmail but no where else

I’ve mentioned before that I can often tell what ISP is making filter changes by what my calls are about. The last few weeks it’s been Gmail where folks are struggling to get to the inbox. One of the things most clients and potential clients have mentioned is that they’re not having any problems at the other major ISPs.

Read More

Listbombing Webinar

Earlier this week I gave a webinar hosted by the EEC and the DMA discussing the listbombing problem. They will be making the recording available later this week and I will link to it then.
I wish I could say the issue was done and over with and that it was something we don’t have to worry about any longer. Unfortunately, that’s just not the case. Attacks are ongoing. Many of them are being caught and mitigated, but they’re still occurring.
We can’t let up our guard, though. Attackers will adapt to the mitigations and negate them.
And remember, listbombing is a sign that your subscription process is not collecting accurate data. If Evil Bob or Dumb Bob can give you Real Bob’s address then your data is all suspect. The problem is somewhat in the form, but it’s also in the whole process. What steps can you take to verify data without creating too much friction in the process?
This is an opportunity for forward thinking companies to reconsider their subscription and address acquisition processes. How do we get Bob’s address and information without Evil Bob or Dumb Bob giving us bad data and without contributing to the overall abuse online?
 

Read More

Industry news

Just some stuff going on around email that probably merits a mention but not a whole blog post.
Next Tuesday at 1 eastern I’ll be giving a webinar on the subscription bombing and discussing what companies can do to mitigate the problem.
Google is working on new “invisible” captchas, that separate out humans from bots without humans having to do anything.
EmailonAcid created an interactive puzzle email.
Return Path acquired Email Copilot. Then laid off approximately 60 employees citing restructuring (no links for this one, but emails were sent to customers and someone forwarded me a copy).
Mailchimp sent 1.5 billion emails on Black Friday, and published stats and information about how well they delivered and performed.
 

Read More

November 2016: The Month In Email

Happy December! Between #blackfriday, #cybermonday & #givingtuesday, pretty much everyone in the US has just survived a week of email from every brand and organization they’ve ever interacted with. Phew.
Is this still the best strategy for most senders? Maybe. But it’s always important to be adaptable and continue to evaluate and evolve your strategy as you move through the year.
As always, I continue to think about evolving our own strategies, and how we might best support senders and ESPs. One of the challenges we face when we talk to senders with deliverability questions is that so many of our answers fall into a nebulous “it depends” zone. We’re trying to articulate new ways to explain that to people, and to help them understand that the choices and details they specify at each point of their strategic planning and tactical execution have ramifications on their delivery. While “it depends” is still a correct answer, I’m going to try to avoid it going forward, and instead focus on exploring those choices and details with senders to help them improve deliverability.
In our community of deliverability and anti-abuse professionals, we are — as you’d expect — quite sensitive to unsolicited email that targets our industry. When an email circulates, even what seems like a reasonably well-thought-out email, it occasionally does not land well. Worse still are the various email-related product and service providers who try to legitimize B2B sales messaging as if it is something other than spam.
The takeaway from these discussions for senders is, as always: know your audience. This post about research from Litmus on millennials and spam is a great example of the kinds of things you might consider as you get to know your audience and how they prefer to communicate.
We also had a presidential election this month, one that made much of issues related to email, and it will be interesting to see how the candidates and parties use the email data they collected going forward.
In industry and security news, we saw over a million Google accounts breached by Android malware. We also saw some of the ramifications of a wildcard DNS entry from a domain name expiration — it’s an interesting “how things work” post if you’re curious. In other “how things work” news, we noted some of the recent changes AOL made to its FBL.
I answered an Ask Laura question about dedicated IP pools, and I have a few more queued up as well. As always, we want to know what questions are on the minds of our readers, so please feel free to send them over!

Read More

Google accounts breached

Over 1 million Google accounts breached by Android malware.
There are some folks I know who really can’t understand why I stick with Apple over Android. The above issue is a big one. Doing what we do, security is a major consideration. I don’t need my accounts, or other accounts I have access to, compromised. It’s not that Apple is 100% compromise proof, but there are more checks and balances in the pipeline.
On the deliverability front, I had a recent interaction with someone from iCloud. This is a colleague I’ve worked with for years now, following him through multiple job changes. A client was having some delivery issues with a shared IP, so I was asking if he could send me some data to help track down the problem customer. I have a habit of asking for subject lines when I’m trying to get data. It’s usually enough for an ESP to track down the problem, and they’re not a way for folks to track down spamtraps or recipients. The answer I got back was sorry, they couldn’t give me any information at all, even something minor like a subject line.
Apple takes user privacy seriously and is doing a lot to protect its users. Does that mean I spend too much money on hardware I could buy cheaper? Perhaps. But, I’ll pay a little more to work with a company that puts privacy at the center of their product suite.

Read More

Oracle buys Dyn

Last week Oracle announced they were buying Dyn. Interesting acquisition, but fills a spot in Oracle’s playbook to provide infrastructure.
None of the press releases I’ve seen about the acquisition mentions the Dyn email service platform. Oracle has at least two email platforms already (Eloqua and Responsys). It will be interesting to see what happens with email.

Read More

Don't forget the strategy

We’re two days out from the beginning of the Holiday Shopping Season here in the US. Three days out from one of the biggest retail shopping days of the year in the US. 5 days out from one of the biggest online shopping days of the year.
I’m sure everyone has their mail campaigns planned. Most of the messages are finished, just waiting for a tweak or the exact right image.
The challenge, during this time of year, is to actually think strategically about marketing. The challenge is to pay attention to what subscribers and ISPs are telling you. The challenge is to adapt to conditions on the ground, rather than just executing a strategy planned months ago.
I often joke that my job gets quiet around this time of the year. Most of my clients and customers are busy executing their strategy, not planning it. So much mail is being slung around that no one really has time to do any thinking about it. That is, of course, a gross exaggeration; smart email marketers are always considering strategy even as they’re in the middle of the holiday mailing season. They still pay attention, they adapt to the conditions, they get the mail through.
Just remember, 2016 is almost over. But we still have a lot of email to send first.

Read More

It depends… no more

The two most hated words in deliverability. Many people ask general questions about deliverability and most experts, including myself, answer, “It depends.”
There are a lot of problems with this answer. The biggest problem is that it’s led to the impression that there are no real answers about deliverability. That because we can’t answer hypothetical questions we are really just making the answers up.
The reason we use “it depends” is because the minute details matter when it comes to deliverability. Whether or not something will hurt or help deliverability depends on the specific implementation. Who’s doing the sending? What is their authentication setup? What IP are they using? How were the addresses collected? What is their frequency? What MTA is used? Are they linking to outside sites? Are they linking to outside services? Where are images hosted? The relevant questions go on and on and on.
I am going to stop saying it depends when answering generic deliverability questions. Instead I will be using the phrase “details matter.” Details do matter. Details are everything. Details drive deliverability.
Details Matter
The importance of details is why many deliverability people hedge their answers. The details do matter.
I will do my best to stop answering “It Depends” to deliverability questions. Instead, I’ll be answering with questions and pointing out that the details matter.
 

Read More

Recipients and the Spam Button

Earlier this week Litmus and Fluent hosted a webinar titled “Adapting to Consumers’ New Definition of Spam.” This had a number of fascinating facts about email marketing, many of which should reassure folks.
Litmus has a blog post up highlighting some of the findings specific to millennials and email. Good news is millennials like getting mail from brands and interact with them regularly. Even better, they will rescue mail out of the spam folder.
The full whitepaper is available from Fluent: 2016 Consumer Perceptions of Email. I’ll be writing more about the interesting tidbits here over the next few weeks. But I really suggest people go download it and read it.

Read More

Targeted marketing done badly

There was quite a bit of content I cut out on my rant about parasites in the email ecosystem earlier this week. I had a whole section on people who ask to connect on LinkedIn and then immediately send a pitch or scrape your address and add it to their marketing automation software and start spamming. Generally, the only reason I will drop someone off LinkedIn is because they do this.
Today, one of the deliverability mailing lists has been hopping over spam many folks in the industry received. The discussion started off simple enough, someone said “Is <companyname> spamming the industry?” People immediately chimed in that yeah, it did appear so.
A few people said they’d gotten the message and thought it was personal and were disappointed it wasn’t. Others weren’t sure why they were chosen to receive this message, or why some of their co-workers were chosen. A few of us didn’t get them. I didn’t.
This is a great example of marketing that was reasonably well planned, but a total fail for not knowing their audience. The product in question is an anti-abuse product. The company wants to reach people in the anti-abuse industry. They go off and find people in the anti-abuse industry and send them an email. Mail that seems personalized. It was a perfectly reasonable email. It asked questions and did get some people to engage with it by replying. They even appear to have done A/B testing on subject lines.
All solid marketing decisions. All great things to do.
But, the anti-abuse community is small, particularly the ESP anti-abuse community. We talk on mailing lists, IRC, LinkedIn, Facebook and Slack – and those are just the places I’m connected to. I’m sure there are other meeting places. The fact is, we’re a community and we do interact. If you’re going to try and do something like this, you have to expect that we’re going to realize you’re spamming. And many of us have very low tolerance for this kind of stuff.
A few years ago I worked with some senders who acquired most of their email addresses from technical conferences. They had a lot of delivery problems because a lot of their audience were the people who wrote and maintained filters. Spam the person who writes a spam filter and you may find yourself locked out from all of those filter users. I finally realized I couldn’t help those clients. No amount of technical perfection, personalization, looking like one-to-one mail or magic address cleaning is going to make this audience want your mail.
Marketing starts at understanding your audience. Permission is one of the better ways to understand your audience. Marketing to the anti-abuse crowd is a challenge. I can’t see any place where unsolicited email successfully fits into that plan.

Read More

New shiny

Arrived yesterday! Still working on setting it up, but it’s pretty slick so far.

Read More

Parasites hurt email marketing

As a small business owner I am a ripe target for many companies. They buy my address from some lead generation firm, or they scrape it off LinkedIn, and they send me a message that pretends to be personalized but isn’t really.
“I looked at your website… we have a list of email addresses to sell you.”
“We offer cold calling services… can I set up a call with you?”
“I have scheduled a meeting tomorrow so I can tell you about our product that will solve all your technical issues and is also a floor wax.”
None of these emails are anything more than spam. They’re fake personalized. There’s no permission. On a good day they’ll have an opt out link. On a normal day they might include an actual name.
These are messages coming to an email address I’ve spent years trying to protect from getting onto mailing lists. I don’t do fishbowls, I’m careful about who I give my card to, I never use it to sign up for anything. And, still, that has all been for naught.
I don’t really blame the senders, I mean I do, they’re the ones that bought my address and then invested in business automation software that sends me regular emails trying to get me to give them a phone number. Or a contact for “the right person at your business to talk to about this great offer that will change your business.”
The real blame lies with the people who pretend that B2B spam is somehow not spam. Who have pivoted their businesses from selling consumer lists to business lists because permission doesn’t matter when it comes to businesses. The real blame lies with companies who sell “marketing automation software” that plugs into their Google Apps account and hijacks their reputation to get to the inbox. The real blame lies with list cleansing companies who sell list buyers a cleansing service that only hides the evidence of spamming.
There are so many parasites in the email space. They take time, energy and resources from large and small businesses, offering them services that seem good, but really are worthless.
The biologically interesting thing about parasites, though, is that they do better if they don’t overwhelm the host system. They have to stay small. They have to stay hidden. They have to not cause too much harm, otherwise the host system will fight back.
Email fights back too. Parasites will find it harder and harder to get mail delivered in any volume as the host system adapts to them. Already if I look in my junk folder, my filters are correctly flagging these messages as spam. And my filters see a very small portion of mail. Filtering companies and the business email hosting systems have a much broader view and much better defenses.
These emails annoy me, but I know that they are a short term problem. As more and more businesses move to hosted services, like Google Apps and Office365, the permission rules are going to apply to business addresses as well as consumer addresses. The parasites selling products and services to small business owners can’t overwhelm email. The defenses will step in first.
 

Read More

Changes to AOL FBL

In a blog post today, AOL announced they are changing the from address on their FBL emails from scomp@aol.net to fbl-no-reply at postmaster.aol.com. This change will take place on January 16th, 2017.
While this may seem a minor change to announce so far in advance, it’s really not. Because AOL was the first FBL, there are many tool chains that have been kludged together to handle the messages. Many of these tool chains rely on “scomp” in the header to work.
This is as good a time as any to review your current FBL handling code. Are you handling FBL messages correctly? Is there anywhere in your code that does things based on scomp being in the header?
Actually, it’s a good time to take a step back and think about FBLs in general and what you should be doing with the mail. These aren’t just complaints, they are direct feedback from your recipients. Sure, they just have to hit a button, but it’s still feedback.
Do you listen to that feedback or just unsubscribe folks?
Do you pay attention to which campaigns, mailings and offers trigger higher levels of FBLs?
Do changes in FBL rates factor into your marketing strategy at all? Why not?
Do you even know what happens when an FBL email arrives at your server? Are you sure?
All of these are useful questions to ask at any time. But now that some folks are having to touch the FBL code, maybe it’s a time to develop a strategy for FBL processing. Use that data to inform and improve your marketing.
 
 

Read More

Got questions?

With my travel / vacation in October, blogging has been light the last few weeks, including a brief hiatus of our Ask Laura series. I’m working hard for the next few editions of Ask Laura and will get those posts out soon.
We’ve been getting questions from readers for a while, but I want to encourage folks to contact us with more. What are your questions about email? Got a problem you’ve been looking for specific answers about, but can’t find any answer that seems to apply? Use our contact address to send it to me.
Upcoming articles include questions about using IP pools and answers to some questions about opt-out processes.
Looking forward to getting back into the swing of Ask Laura, so keep those questions coming.

Read More

Almost time to vote

I have to admit, the closer we get to election day the more distracted I’m getting. This will be the 8th presidential election I’m eligible to vote in and one I’m following closely. We even watched the 2nd debate live on the trip over to the UK.
As with the 2008 and 2012 election, email marketing is a huge portion of candidate strategy. Many companies have been tracking how the candidates are using email. Return Path has pulled together a lot of interesting data on their Election Archives, and many other ESPs have thrown their two cents in when it comes to election email.
When this election season started, feels like 10-gazillion years ago now, I started signing up for different candidate lists to see what they were doing with email. I quickly fell behind when so many Republican candidates threw their hats in the ring. By that point, I knew other folks were monitoring email and reporting on email and decided to drop the project. I just couldn’t keep up and other people could do it better.
We did comment on the Trump campaign spamming foreign leaders. I think it’s important to realize that deliverability rules don’t get thrown out the window simply because you have an important name or are running for president. A few years ago, one campaign was SBLed on election night and their ESP cut them off. I happen to know the person running compliance there and they supported that candidate but policies are policies.
We also shared a post from someone speculating about how Secy Clinton had access to a private server. The speculation was somewhat wrong, in that the server was already there and set up for Pres. Clinton when he left office. But other than that, much of the other stuff that’s come out has made it clear that email in the State Department was a total mess. I still think a private server was way more secure than an @gmail.com or @aol.com account; it was absolutely more secure than a Yahoo.com account.
This election is important, so I encourage all my readers to get out and vote next Tuesday. There’s more to vote on than just the presidency, too. Here in California we have something like 17 ballot initiatives. Yay, Democracy?
I suspect many folks are in a similar boat and finding it hard to concentrate on things beside the election. So much feels up in the air and important and it’s like we’re all holding our collective breath. After being in the UK last month, I realized how much elections have consequences. The falling pound made it great for us as visitors. But it’s not all sunshine and roses as companies try and sort out how they can absorb a loss in buying power on the open market.
Go vote. It’s important.
 
 

Read More

October 2016: The Month in Email

We’ve returned from London, where I spoke at the Email Innovations Summit and enjoyed a bit of vacation. My wrap-up post also mentions an article I wrote for the Only Influencers site, which looks at questions I get asked frequently: “Why does spam make it to the inbox and our legitimate marketing email doesn’t? Should we just copy their tactics?”
In industry news, Yahoo caught our attention for two surprising moves: disabling forwarding and — much more disturbing — creating software for intelligence agencies to search customer email.
Some legal updates this month: The Second Court of Appeals upheld an earlier ruling that companies are in fact liable for the activities of their affiliates, including spam and fraudulent claims. This is important, as we often see spammers and cybercriminals use affiliates to distance themselves from these activities. We also saw another fine assessed for a violation of CASL, and noted with appreciation the transparency and thoughtful process that the Canadian Radio-television and Telecommunications Commission (CRTC) demonstrates in explaining their actions.
Another excellent report is the one created by the Exploratorium to explain their recent experience with being phished. It’s a good piece to share with your organization, in that it reminds us that these cybercriminals are exploiting not just our technology but our trust-based connections to our friends and colleagues. It’s important to raise awareness about social engineering as a part of information security. And speaking of email security, we were delighted to note that André Leduc received the 2016 J.D. Falk award this month at M3AAWG for his excellent work on this topic. It’s a fitting legacy to our friend, J.D., who died five years ago this month. We miss him.
Finally, we’d be remiss in observing Halloween without a post about zombies. Feel free to read it aloud in your spookiest voice.

Read More

Barracuda problems

Folks were posting earlier today noticing problems delivering to Barracuda hosted services. The good news is Barracuda has been updating their status page. As of now, the status page says things are improving.

Read More

It's beginning to look a lot like…

I had a call this morning discussing holiday email volumes.
I think many consumers now expect the deluge of emails that start in early November. I’m not sure all of them want it, but I think they expect it. We’ll, of course, be writing more about holiday volumes, mailing issues and such through the end of the year.
What are your plans for sending all the mail? How have experiences in previous holiday seasons affected your planning for this one? Tell me how you’re approaching things.

Read More

Anatomy of a successful phishing attempt

Earlier this year the Exploratorium was the victim of a phishing attack. They’ve posted an article on what happened and how they discovered and dealt with the issue.
But they didn’t just report on the attack, they dissected it. And, as is appropriate for an organization with a mission of education, they mapped out what they discovered during the investigation.

There are a couple of things that stand out to me about this attack. One of the more interesting pieces to me is that there was a delay between the compromise and the start of the attack. The Exploratorium calls it “the pivot” and describes it as the hacker deciding what to do next. The second is that the phisher actively interacted with the victim’s account. All new mail was sent to the trash automatically so she wouldn’t see incoming mail. Some mail was actively replied to so more people would click on the message. The phisher took steps to retain access to the account for as long as possible.
One thing that the Exploratorium didn’t see was any actual access to Exploratorium files or information. That may be because the Exploratorium itself wasn’t the target. Once a phisher / hacker has access to the email account, they have access to almost everything in your online life: calendars, bank accounts, credit accounts, the list goes on. Email addresses are our online identity and getting access to the address can open access to so much more.
Quite frankly it can happen to any of us. Earlier this week we received a phishing message that looked very plausible. It came from a law firm, mentioned a subpoena and even had an attachment personalized to our company. The attachment wasn’t opened so we were fine, but I can see how that kind of email might trick someone into getting infected.
We all need to be careful online. Email is a wonderful thing, but it’s insecure. It’s a great way for criminals to get into our space and wreak havoc on our computers and our lives.
 

Read More

2016 J.D. Falk Award

André Leduc received the 2016 J.D. Falk award this week at the Paris meeting of M3AAWG. He was recognized for spearheading two distinct projects.
The first was the Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats. This 76 page report was written by global security experts. One of the major goals of the report was to discuss security in language accessible to policy makers and management. The report, newly updated in 2015, is available at the M3AAWG website. Making technical language accessible is, to my mind, one of the most important parts of getting security recommendations implemented.
In addition to his work in making security recommendations accessible, André was the lead architect behind the Canadian Anti-Spam Legislation. This legislation has greatly reduced the amount of spam received by Canadians. According to Leduc, CASL has improved permission practices by senders outside of Canada.
Congratulations to André.

Read More

And… we're back from London

The Email Innovations Summit in London was a good conference. Much smaller than Vegas, but with a number of very interesting talks. I got to meet a number of folks I’ve only known online and we had some interesting conversations at the conference and at the pub-track in the evenings.
I had so many grand plans for doing some work while in London. So many plans. And then I actually mostly disconnected and ignored anything I “should” be doing.  Instead, Steve and I did some touristing, some relaxing, some family time and some connecting with his college friends. We also (over)heard a lot of conversations about the US Election. One night at dinner every table around us was talking about our candidates and what they thought of them. It’s always interesting to hear what non-Americans think about our country.
In addition to missing two debates, it seems we missed some online news, too. I think the biggest thing was another large DDoS attack against that took out many major websites. I’m starting to see some comments that spam levels were down during the attack, too, but haven’t dug into that yet.
I did have an article published in the Only Influencers newsletter last week: Marketers Can’t Learn from Spam. All too often marketers think spammers are better at inboxing because they see spam in their inbox. But spammers are just more criminal and spend a lot of effort trying to bypass filters. These aren’t lessons marketers can learn from.
Unfortunately, due to our London trip, we are going to miss M3AAWG in Paris, which starts today. Two weeks between conferences was exactly the wrong time for going to both. Never fear, many folks will be tweeting what they can using #m3aawg38.
We’re both slowly getting back into the swing (and timezone!) of back to work. Blogging will pick up over the next few days. And I have new castle pictures to share.

Read More

Yahoo disabled forwarding

Al posted about this over on his blog earlier this week. Yahoo has disabled the ability to forward email from one Yahoo account to an email account on a different system.
There is, of course, all sorts of speculation as to why forwarding has been disabled including speculation this has to do with holding on to accounts during the Verizon purchase. It’s certainly possible this is the case.
However, forwarding email is hard. Forwarding email on a large scale can result in spam blocks and delivery problems. It’s such an issue M3AAWG published a forwarding best practices document. It’s possible that Yahoo is making some changes on the back end to better implement the best practice recommendations. I don’t know, but it’s possible that Yahoo is telling the truth that they’re improving technology.

Read More

Email Innovations Summit next week

I’m headed to London this weekend to speak at the Email Innovations summit next Thursday. It will be an updated version of “How to Talk Tech for Marketers” that I debuted in Vegas earlier this year.
Expect blogging to be light for the next 2 weeks while I’m gone. There are a few things I have to post, but I’m going to try and unplug for part of the time I’m out of town.
 

Read More

September 2016: The month in email

Happy October, everyone. As we prepare to head to London for the Email Innovations Summit, we’re taking a look back at our busy September. As always, we welcome your feedback, questions, and amusing anecdotes. Seriously, we could use some amusing anecdotes. Or cat pictures.
 
We continued to discuss the ongoing abuse and the larger issues raised by attacks across the larger internet infrastructure. It’s important to note that even when these attacks aren’t specifically targeting email senders, security issues affect all of us. It’s important for email marketers to understand that increased attacks do affect how customers view the email channel, and senders must take extra care to avoid the appearance of spam, phishing, or other fraudulent activity. I summarized some of the subscription form abuse issues that we’re seeing across the web, and noted responses from Spamhaus and others involved in fighting this abuse. We’re working closely with ESPs and policy groups to continue to document, analyze and strategize best practices to provide industry-wide responses to these attacks.
I was pleased to note that Google is stepping up with a new program, Project Shield, to help journalists and others who are being targeted by these attacks by providing hosting and DDoS protections.
I’m also delighted to see some significant improvements in email client interactions and user experiences. I wrote a bit about some of those here, and I added my thoughts to Al’s discussion of a new user interaction around unsubscribing in the iOS 10 mail client, and I’ll be curious to see how this plays out across other mail clients.
For our best practices coverage, Steve wrote about global suppression lists, and the ways these are used properly and improperly to prevent mail to certain addresses. I wrote about using the proper pathways and workflows to report abuse and get help with problems. I also wrote about the ways in which incentivizing address collection leads to fraud. This is something we really need to take seriously — the problem is more significant than some bad addresses cluttering up your lists. It contributes to the larger landscape of fraud and abuse online, and we need to figure out better ways to build sustainable email programs.
Is there such a thing as a perfect email? I revisited a post from 2011 and noted, as always, that a perfect email is less about technology and more about making sure that the communication is wanted and expected by the recipient. I know I sound like a broken record on this point (or whatever the 21st century equivalent metaphor of a broken record is….) but it’s something that bears repeating as marketers continue to evolve email programs.
We had a bit of a discussion about how senders try to negotiate anti-spam policies with their ESPs. Is this something you’ve experienced, either as a sender or an ESP?
In Ask Laura, I covered shared IP addresses and tagged email addresses, questions I get fairly frequently from marketers as they enhance their lists and manage their email infrastructures. As always, we welcome your questions on all things email delivery related.

Read More

Yahoo collaborating with US intelligence agencies

Today it was revealed that Yahoo has been scanning people’s email for the federal government.

Read More

Vague reports of Yahoo problems

A number of people, on different forums, have been asking if anyone is seeing a higher bounce rate than usual with Yahoo. Not sure exactly what’s going on here. As I understand it, folks are talking with Yahoo about it. If I hear anything more, I’ll share.
For now, though, if you’re seeing a small increase in Yahoo bounces (or other weirdnesses) others are seeing something odd, too.

Read More

Censorship and free speech online

One of the things I discovered yesterday while looking at Krebs on Security was that Google Alphabet has a program to provide hosting and DDoS protection for journalists. Project Shield, as it’s called, is a free service for approved applicants that keeps up websites that might be taken down otherwise. Eligible organizations include those providing news, information on human rights and monitoring elections.
This is something I hadn’t heard of before and my only reaction is good for Google.
Look, we’ve gotten to the point where attackers have resources beyond the scope that most of us can imagine. It’s expensive even for large organizations to manage and pay for the level of protection they need.
Even more importantly, a lot of very important work is done by individuals or small organizations. Brian is a prime example of that. He does an incredible job investigating online crime on his own time. His site and his information are an invaluable resource for many. Losing his site, and losing his information, would leave a huge hole in the security community. There are other folks in other spaces who, like Brian, don’t have the resources to protect themselves but do have important things to say and share.
I’m glad to see Google committing their resources and skills to help organizations protect themselves. It’s so important that this work is done and we don’t lose voices just because they can’t afford hundreds of thousands of dollars a year.
There has been abuse and harassment online for as long as I’ve been here. But it seems recently the size and severity of attacks have increased. And a lot of service providers are struggling with how to manage it and what their responsibilities are.
A few weeks ago Facebook deleted an iconic photo from the Vietnam era due to child nudity in the photo. That decision was reversed and discussed in many, many different places. One of the most interesting discussions happened on a friend’s Facebook feed. Many of the participants work at various online providers. They have to make these kinds of decisions and create policy to do the right thing – whatever the right thing is. It was very interesting to be able to follow the discussion and see how many different issues FB and other online providers have to consider when creating these types of policies.
I think the thing I have to confront the most about the internet is how big it is. And how crucial it’s become to all sorts of issues. Social media can be a cesspool of abuse, there’s no question. But it can also be a force for good. I’m glad companies like Google are stepping up to preserve the good parts of the internet.

Read More

The Cyber and The Security

Cybersecurity has been on my mind lately. There is a lot of bad stuff going on, from giant DDoS attacks, to subscription bombing, to the ongoing low level harassment that some people have to deal with on a daily basis. I’ve written a lot about how I think marketers are going to have to step up and stop being a conduit for abuse. I do believe this. There are a lot of different issues to discuss but there are also many, many different stakeholders in the issue of cybersecurity.
I’ve been on multiple calls with different groups over the last few weeks discussing the implications of the subscription attack and how it was carried out. The majority of my focus is email and how to protect senders from becoming a conduit for abuse. Other folks participating on the call are looking at what abuse is out there and how to stop it or minimize it.
One thing that came up on a recent call is that the bulk of DDoS traffic that took Brian Krebs’ website down was from various Internet of Things devices. Security cameras, DVD players, televisions, lightbulbs and other connected devices were part of the problem. It’s a huge issue, and one that cannot simply be mitigated by just ISPs and providers. But convincing individuals to secure their lightbulbs can be a challenge; we can’t even protect their computers completely. Convincing companies to stop providing default usernames and passwords or using the same keys for every device is another challenge.
These are big issues that we’re going to have to deal with.
Last night, with 100 million of my virtual friends and a small group of local ones, I watched the first Presidential debate. Part of the debate was about cyber security. To misquote Vice President Biden, “Cybersecurity is a big freaking deal.” We have nation states, and groups with the resources of nation states, conducting covert operations online. We have hacking, compromises, botnets and other malicious activity occurring every single day. And, the more complex the site and the more users it has the more likely it is to be compromised. Cybersecurity is a critical part of national security and our own individual security. We must take it seriously and we must address it.
Now, I’ll be honest: I don’t think there is a solution to the problem. I think, though, that there are hundreds of things we can do as individuals, as companies, as nations, as volunteer organizations, as NGOs and as coalitions to solve different parts of the problem. We all need to think about what it is and who’s doing the bad stuff.
It’s common to think of hackers as lonely boys in basements who have too much time and too little to do. Back in the ancient days of the spam wars some folks referred to them as “chickenboners“: beer drinking rednecks who ate fried chicken and threw the bones on the floors of their trailers. The reality even then, though, was that many spammers ran businesses and made a lot of money. Admittedly, the descriptions of how the business was run are cringe inducing and full of illegal activity.
Now, much of the hacking is actually organized crime outside the US. This makes it hard to address successfully through legal channels.
It’s all very complicated. But I think we can agree security is a big deal. We are all part of the solution, by securing our sites and our personal devices. We’re also part of the solution by paying attention to the larger issues and events going on around us.
 
 
 
 

Read More

iOS List Unsubscribe Functionality

Al did a great post over on Spamresource about the new list unsubscribe function in the default mail client from iOS10. What’s been interesting to me is how much I’m hearing from ESP folks about how their customers want it gone.
If you don’t know what we’re talking about, in the default mail client on iOS10, Apple is now offering a way to unsubscribe from list mail by placing an unsubscribe link at the top of the message.
[Screenshot: the unsubscribe link at the top of a message in the iOS10 default mail client]
As you can see, this isn’t just for commercial mail, it’s in place for every mailing list that has a List-Unsubscribe header. (This is a screenshot from something I posted to OI this morning). For me, it’s somewhat intrusive. I’m on a lot of discussion lists – technical, marketing, business and even a couple social ones. Reading them on my phone has become a challenge, as every email in a thread contains the “unsubscribe” button now.
Luckily, you can dismiss the message for all posts to that mailing list by hitting the x. Interestingly, once you’ve turned it off there seems to be no way to turn it back on for that list.
Senders have different complaints, however. They do not have to do with intrusiveness or usability issues.
I’ve heard complaints about placement and about how easy it makes it to unsubscribe. One person even stated that everyone knows the place for an unsubscribe is at the bottom of a message and it should never be at the top of a message. I find these arguments unpersuasive. Unsubscribing should be easy. Unsubscribing should be trivial. People should be able to stop getting mail on a whim. Particularly here in the US, where unsolicited mail is legal, being able to quickly opt-out is the only thing keeping some of our mailboxes useful.
I’ve also heard some concerns that are a little more understandable. One company was concerned that unsubscribes go directly to their ESP rather than directly to them. This is a somewhat more understandable concern. Good senders use unsubscribes as part of their KPIs and as part of their campaign metrics. They know how much an unsubscribe costs them and will use that as part of their metrics for defining a successful campaign. Still, though, it’s not that big a concern. ESPs are already handling these kinds of unsubscribes from providers like gmail and hotmail.
Almost 7 years ago I blogged about a sender who wanted an unsubscribe link in the email client. It was a bit of snark on my part. The interesting part, though, is that some senders want unsubscribe mediated in the client and others think it’s horrible. I think this tells me that there’s no universal right answer. It Depends might be the most hated statement in deliverability, but it is absolutely the reality of the situation.
 
 

Read More

Security issues affect us all

I’ve been talking about security more on the blog. A lot of that is because the security issues are directly affecting many senders. The biggest effect recently has been on companies ending up on the SBL because their signup forms were the target of a subscription attack. But there are other things affecting online spaces that are security related. Right now not much of it is affecting email senders, but it’s good to be aware of.
DDoS attacks
There has been an increase in DDoS attacks against different companies and networks. Some of the online game sites have been targeted including EA, Blizzard and others. A group called PoodleCorp is claiming responsibility for those attacks.
Another set of DDoS attacks hit Brian Krebs’ website this week. The site stayed up, but Akamai has told Brian they can no longer host his website. His website is down for now and the foreseeable future.
While this activity doesn’t affect marketers directly, it does tell us that there is active development happening on the less legal side of the internet. The volumes of the recent attacks have set records. They’re also changing in scope and including new kinds of traffic in an effort to knock sites offline. Even more concerning, they appear to be systematically attempting to discover defenses in order to attack the internet as a whole.
Increase in Spam
Spam has been on the decrease over the last few years. Many of us were treating it as a mostly-solved problem. But a new report from Cisco Talos shows that trend is reversing and spam levels are increasing. Current levels are approaching those last seen more than 5 years ago. Cisco Talos has used a number of different sources of data, all showing an increase in spam directly and indirectly.

Read More

Upcoming events

Next month I’ll be in London for the Email Innovations Summit. This will be an updated version of what you need to know to talk with technical folks.
In early December I’ll be doing a DMA webinar discussing the subscription bombings. That’s still in the works.
I’m looking at some events for next year. I am planning on being at M3AAWG in San Francisco in February.
I’m looking at others, too. What are your favorite events?

Read More

Ongoing subscription form abuse

Last week Spamhaus posted information on the ongoing subscription attacks. They provided more information about them that was not made public previously, including some information about the volume of mail some targets received.
Today SendGrid also blogged about this, going into a little more detail about why senders should care about this. They also provided a number of suggestions for how to mitigate the risk of being part of an attack.
There are a couple of things I think it’s important for folks to realize.

Read More

Spamhaus and subscription bombing

Spamhaus released a blog post today discussing the recent subscription bombing: Subscription bombing COI captcha and the next generation of mail bombs.
As I mentioned in my initial posts, this abusive behavior goes beyond spamming. This is using email to harass individuals. Spamhaus even mentions a potential service that can be used to do this kind of mailbombing.
One thing folks need to know is that this is not just about ESPs and commercial mail. One of the big targets was WordPress admin forms. As Spamhaus says:

Read More

Mail Client Improvements

There’s been extensive and ongoing development of email through the years, but much of it has been behind the scenes. We were focused on the technology and safety and robustness of the channel. We’re not done yet, but things are much better than they were.
The good part of that is there is some space to make improvements to the inbox as well. Over the last few months there have been a number of announcements from different mail client providers about how they’re updating their mail client.

Read More

Microsoft deprecating SmartScreen filters

At the beginning of the month Microsoft announced that they were deprecating the SmartScreen filters used by the desktop Microsoft mail clients. These are the filters used in Exchange and various versions of Outlook mail. This is yet further consolidation of spam filtering between the Microsoft free webmail domains, Office365 hosted domains and self hosted Exchange servers. The online services (hotmail.com, outlook.com, Office365, live.com, etc) have been using these filters for a while. The big change now is that they’re being pushed down to Exchange and Outlook users not hosted on the Microsoft site.
EOP was developed for Outlook.com (and friends) as well as Office365 users. From Microsoft’s description, it sounds like the type of machine learning engine that many providers are moving to.
Microsoft has published quite a bit of information about these filters and how they work on their website. One of the best places to start is the Anti-spam Protection FAQ. Something senders should pay attention to is the final question on that page: “What are a set of best outbound mailing practices that will ensure that my mail is delivered?” Those are all things deliverability folks recommend for good inbox delivery.
Poking around looking at the links and descriptions, there is a host of great information about spam filtering at Microsoft and how it works.
A page of note is their Exchange Online Protection Overview. This describes the EOP process and how the filters work.

Read More

August 2016: The Month in Email

August was a busy month for both Word to the Wise and the larger world of email infrastructure.
A significant subscription attack targeted .gov addresses, ESPs and over a hundred other industry targets. I wrote about it as it began, and Spamhaus chief executive Steve Linford weighed in in our comments thread. As it continued, we worked with M3AAWG and other industry leaders to share data and coordinate efforts to help senders recover from the attack.
In the aftermath, we wrote several posts about abuse, blocklists, how the industry handles these attacks currently, and how we might address these issues going forward. And obviously this has been on my mind before this attack — I posted about ongoing problems with internet security, how open subscription forms contribute to the problem, and other ways that companies inadvertently support phishing operations.
I posted about the history of email, and recounted some of my earliest experiences, when I had a .bitnet and a .gov address. Did you use email before SMTP? Before email clients? I’d be curious to hear your stories.
Speaking of email clients, I did two posts about how mail gets displayed to the end user: Gmail is displaying authentication results, which should provide end users with a bit more transparency about how authentication is used to deliver or block messages, and Microsoft is partnering with Litmus to improve some of the display issues people face using Outlook. These are both notable — if this is not your first time reading this blog, you know about my constant refrain that delivery is a function of sending people mail they want to engage with. If the mail is properly formatted and displayed, and people have a high degree of confidence that it’s been sent from someone they want to get mail from, that goes a long way towards improving engagement in the channel.
On that note, I spoke at length with Derek Harding about how marketers might change their thinking on deliverability, and he wrote that up for ClickZ. I also participated in the creation of Adobe’s excellent Teaching the Email Marketer How to Fish document (no, not phish…).
Steve was very busy behind the scenes this month thinking about abuse-related topics in light of the SBL issues, but he wrote up a quick post about the Traffic Light Protocol, which is used to denote sensitive information as it is shared.
Finally, for my Ask Laura column this month, I answered questions about delivery and engagement metrics and about permissions with purchased lists. As always, if you have a general question about email delivery, send it along and I’ll consider it for the column.

Read More

NY Times on unsubscribing by email

[Image]
More than a decade ago I was included in one of these. It wasn’t work related per se, but the address list included a lot of experienced, BTDT, names-on-RFCs technology folks.
Yeah, even they got stuck in the mess of replying all, unsubscribing, lecturing people about not replying to all. It was a mess, but funny given the names involved. #neverdothis #noreplytoall

Read More

Abuse, triage and data sharing

The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical; there’s never really enough time or resources to investigate abuse.
What makes an event severe? The answer is more complicated than one might think. Some of the things that ISP folks look at while triaging incoming complaints include:

Read More

How many blocklists do we need?

There’s been a discussion on the mailop list about the number of different blocklists out there. There are discussions about whether we need so many lists, and how difficult the different lists make it to run a small mail system (80K or so users). This discussion wandered around a little bit, but started me thinking about how we got to a place where there are hundreds of different blocklists, and why we need them.
There is a lot of history of blocklists, and it’s long, complicated and involves many strong and passionate personalities. Some of that history is quite personal to me. Not only do I remember email before spam, I was one of MAPS’ first few employees, albeit not handling listings. I’ve talked with folks creating lists, I’ve argued with folks running lists. For a while I was the voice behind a blocklist’s phone number.
The need, desire and demand for different lists has come up over the years. The answer is pretty simple: there are many different types of abuse. One list cannot effectively address all abusive traffic nor have policies that minimize false positives.
Lists need different policies and different delisting criteria. The SBL lists based on volume of email to addresses that are known to have not opted in to receive mail. The PBL lists IPs where the IP owner (usually an ISP) says that the IPs are not supposed to be sending mail by their policy. URIBL and SURBL list domains, not IPs. Some lists have delisting requirements, some let listees remove themselves.
The policies of listing and delisting are not one size fits all, nor should they be.
There are two widely used lists that have significantly different delisting policies: the SBL and the CBL.
The SBL focuses on IP addresses they believe are under the control of or supporting the services of spammers. They measure this by primarily relying on spamtraps, but they also accept forwarded mail from some trusted individuals. Getting delisted from the SBL means explaining to Spamhaus what steps were taken to stop the spam from coming. It’s a manual process with humans in the loop and can require significant business process changes for listees. (We’ve helped dozens of companies resolve SBL listings over the years, contact us if you need help.)
On the other hand, the CBL is a mostly automated list. It lists sources of mail that aren’t real mail servers sending real mail, but are sending a lot of stuff. As they describe it:

Read More

Traffic Light Protocol

If you’re sharing sensitive computer security information it’s important to know how sensitive a document is, and who you can share it with.
US-CERT and many other security organizations use Traffic Light Protocol as shorthand for how sensitive the information in a document is. It’s simple and easy to remember with just four colour categories: Red, Amber, Green and White. If you’re likely to come into contact with sensitive infosec data, or you just want to understand the severity of current leaks, it’s good to know that it exists.
 

Read More

Google takes on intrusive interstitials

Starting next January, Google will be modifying its mobile search results to lower the ranking of sites that use interstitials that interfere with the user’s experience. In a blog post announcing the change they explain:

Read More

Gmail showing authentication results to endusers

A bit of older news, but worth a blog post. Early in August, Gmail announced changes to the inbox on both the web interface and the Android client. They will be pushing authentication results into the interface, so end users can see which emails are authenticated.

These are not deliverability changes; the presence or absence of authentication will not affect inbox delivery. And the Gmail support pages clarify that lack of authentication is not a sign that mail is spam.
This isn’t a huge change for most ESPs and most senders. In fact, Gmail has reported more than 95% of their mail is authenticated with either SPF or DKIM. Now, Gmail does a “best guess” SPF – if it looks like an IP should be authorized to send mail for a domain (like the sending IP is the same as the MX) then it’s considered authenticated.
It’s good to see authentication information being passed to the end user.

Read More

Ongoing subscription attack

Brian Krebs posted a couple days ago about his experience with the subscription bomb over the weekend. He talks about just how bad it was over the weekend.

Read More

Spamhaus comments on subscription attack

Steve Linford, CEO of Spamhaus, commented on my blog post about the current listings. I’m promoting it here as there is valuable information in it.

Read More

Improving Outlook Email Display

Today Litmus announced they had partnered with Microsoft to fix many of the rendering issues with Outlook. Congrats, Litmus! This is awesome. I know a lot of folks have tried to get MS to the table to fix some of the problems with Outlook. Take a bow for getting this off the ground.
According to Litmus, the partnership has two parts.

Read More

Are you (accidentally) supporting phishing

One of the themes in some of my recent talks has been how some marketers teach their customers to become victims of phishing. Typically I’m talking about how companies register domains “just for email” and then use those for bulk messages. If customers get used to mail from company.ESP.com and companyemail.com they’re going to believe that company-email.com is also you.
There are other ways to train your customers to be phishing victims, too. Zeltzer security walks us through a couple of emails that look so much like phishing that they fooled company representatives. Go take a read, they give a number of examples of both good and bad emails.
I was a little frustrated that the examples don’t include headers so we could look at the authentication. But the reality is only a teeny, tiny fraction of folks even know how to check headers. They’re not very useful for the average user.
Security is something we should never forget. As more and more online accounts are tied to our email addresses those of us who market to email addresses need to think about what we’re teaching our recipients about our company. DMARC and other authentication technologies can help secure email, but marketers also need to pay attention to how they are communicating with recipients.

Read More

Learning to fish

I am honored to be included in the Learn to Fish document built by Adobe.

Read More

Email Marketing as News?

This afternoon I got mail. It’s clearly meant to be a tie-in to something. But, the thing is, I don’t know what.
That’s the problem with contextual marketing, you never really know if your target will understand the context.

Read More

BT Internet

I’ve been seeing reports for the last few weeks that a lot of folks are having problems getting mail into BT Internet. Many people are reporting the response

Read More

Beware the oversimplification

Setting up a DMARC record is the easy bit. Anyone can publish a record in DNS that will trigger reports to them. The challenge is what to do with those reports and how to manage them.
DMARC is a complex protocol. It builds on two other protocols, each with their own nuances and implementation issues. I’ve written in the past about what DMARC is, what you need to know to decide if you’re ready for DMARC and walking through whether or not you should publish DMARC. I’ve done talks where it’s taken me 20 minutes and dozens of slides to set up the context for explaining DMARC. Even experienced email folks can have moments where we get confused by some of the nuances.
DMARC is not a passive protocol. DMARC is an active protocol. Even with a p=none record, there is ongoing monitoring and work. Why consume reports if you’re not going to monitor them? The reports are there so that senders can monitor their authentication. If you’re not monitoring, then why waste cycles and bandwidth to receive them? Do you even know if your mail aligns? Can your mail server handle emails with attachments larger than 10MB? Does your mail server block .zip files? All of these things can cause your mail to be rejected and you won’t receive reports.
Postmark has a great post on DMARC and even has some examples of reports.
I know, I know, there’s a lot of fear mongering about how any company not publishing DMARC isn’t going to get to the inbox. We’re not there, yet. We likely won’t be there in the next few years. We may never get there. In any case, it’s much better to actually think about what you’re going to do with DMARC. Plus, ISPs are already checking for DMARC style alignment even in the absence of a DMARC record. You don’t have to publish DMARC for this to happen, it already does.
I’ve said it before: publishing a DMARC record is a good idea. But every company needs to take minimal steps to figure out if publishing DMARC, even just to receive aggregate reports, is the right thing for them. It’s not right for every company or domain at the moment.

Read More

Internet security is national security?

This popped up on my FB feed yesterday.
What say you? Do we need to create a major effort to improve online security? What challenges do you see to making it work?
Edit: After I published this, I found an article stating that 3.7 million people had their personal health information compromised in a recent attack.

Read More

July 2016: The Month in Email

We got to slow down — and even take a brief vacation — in July, but we still managed to do a bit of blogging here and there, which I’ll recap below in case you missed anything.
At the beginning of the month, I wrote about email address harvesting from LinkedIn. As you might imagine, I’m not a fan. A permissioned relationship on social media does not equate to permission to email. Check out the post for more on mailing social media contacts.
Even people who are collecting addresses responsibly can face challenges. One of the most important challenges to address is paying attention to your existing subscription processes, testing them regularly, evaluating effectiveness and optimizing as needed.
Our most commented-upon post this month was a pointer to a smart writeup about Hillary Clinton’s email server issues. Commenters were pretty evenly split between those who agreed that they see this kind of workaround frequently, and those who felt like regulatory processes do a good job managing against this kind of “shadow IT” behavior. I wrote a followup post on why we see this kind of workaround frequently in email environments, even in regulated industries, and some trends we’re seeing as things improve.
In other election-related email news, we saw the challenges of campaign email being flagged as spam. As I pointed out, this happens to all campaigns, and is nothing unique to the Trump campaign. Still, there are important lessons for marketers here, too, in terms of list management, email content, frequency, and engagement — all of which are inextricably linked to deliverability.
Speaking of spam and engagement, Steve took a look at some clickthrough tracking revealed through a recent spam message I received — and why legitimate marketers should avoid using these sorts of URL referrers.
On the topic of authentication, I wrote a quick post about how seeing ?all in the SPF record tells me one thing: the person managing the record isn’t doing things properly. Need a refresher on authentication? Our most-read blog post of all time can help you out.
And as always, send me your interesting questions and I’ll be happy to consider them as I resume my Ask Laura column in August.

Read More

The history of email

My first access to “the internet” was through a dialup modem on a VAX at the FDA. I was a summer intern there through my college career and then worked full time after graduation and before grad school. My email address ended in .bitnet. I could mail some places but not others. One of the places I couldn’t send mail was to my friends back on campus.
A few of those friends were computer science majors, so one weekend they tried to help me troubleshoot things. There were text files that they ended up searching through looking up how to send mail from .bitnet to .edu. But it was all a baffling experience. Why couldn’t it just work? I had email, they had email, why could we not talk?
I never did figure out how to send email to campus from .bitnet.
Eventually, the FDA moved from BITNET to the internet and I had a .gov address. I could send mail around just by getting the recipient’s address. But the mystery of why I could mail some .edus and not others still lingers. I wonder what our setup was that we couldn’t send mail. I’ll probably never know. I don’t even have enough details to explain the problem to someone who would know. I suspect the answer will be “bang paths” or “host.txt” files, but I really don’t know.

Read More

Changing deliverability thinking

Almost every email marketing program, at least those sending millions of emails per campaign, has delivery problems at one time or another. The problems seem random and unpredictable. Thus most marketers think that they can only address delivery problems, they can’t prepare for or prevent them.
On the delivery side, though, we know deliverability problems are predictable. There are situations and events in a company’s marketing program that increase deliverability risks.
I talked a little bit about this with Derek Harding at a recent conference. I started talking about my ideas that deliverability is not random and that companies need to stop treating it as unpredictable.  He pulled together a great article from our discussions. Head over to ClickZ to read about it: Take control of your email deliverability.
The predictability of deliverability is something I’m going to be writing more about in the coming months. This is, I think, the next challenge for email marketers. Figuring out how to incorporate deliverability into their overall marketing strategy. Successful programs need to take ownership of getting to the inbox. Deliverability isn’t an emergency, because it’s been planned for and managed throughout a program.

Read More

Brief blogging break

Sorry about the unexpected hiatus. I picked up a cold that really made me feel fuzzy and writing was an exercise in futility. I’ll be back Monday.
Meanwhile, Oracle bought another ESP (Bronto) when they bought NetSuite.

Read More

Working around email security

One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.
One of the commenters on that post disagrees, and uses banks and health care as an example.
Erik says:

Read More

Do you know where your signups are?

Here at Word to the Wise we sign up for a lot of email from our customers. There are multiple reasons we do this.

Read More

Politician sends spam, experiences consequences, news at 11

Over the weekend I’ve been seeing a number of over the top, hyperbolic blog posts about the Trump Campaign’s agency getting suspended from their ESP for spamming. Adestra suspended the Donald Trump campaign “for committing some of the most egregious spamming in the history of the Internet in an effort to save his broke campaign.”
That quote about “most egregious spamming” is from some partisan website that is all about making Trump look bad.  I did actually laugh out loud reading most egregious. Let’s be real here. This incidence of spamming doesn’t even make it into the top 100 of the ones I know about. And it’s not like I’m particularly well up on who’s spamming what.
This really is business as usual in the email space and particularly the political email space. Political senders, be they special interest groups or politicians, are sloppy with permission and will send mail to any email address they get their hands on. I talked about this last week: Spam Filtering is Apolitical.
The Trump campaign isn’t the first political campaign to send spam.  It wasn’t huge news in 2012, but the Romney campaign was doing some bad stuff with their email marketing. They were working with snowshoe spammers. They were listed on the SBL. They got cut off by their ESP.
While Spamhaus doesn’t keep historic records, I found a post from 2012 on the “Mainsleaze” about the Romney campaign / supporters and their use of spam as a campaign tactic. In the comments on that post a representative of Spamhaus says, “Entirely too many political operatives and some of those who work with them at ESPs feel entitled to ignore the usual rules and send opt-out bulk email to anybody they wish.” This is true, and something I’ve repeatedly mentioned on this blog.

Read More

June 2016: The Month in Email

We’re officially halfway through 2016, and looking forward to a slightly less hectic month around here. I hope you’re enjoying your summer (or winter, for those of you in the Southern Hemisphere).

Read More

About the Hillary Clinton email server thing…

I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.

Read More

Harvesting Addresses from LinkedIn

There seems to have been an uptick in the number of folks harvesting addresses from their LinkedIn contacts and adding them to mailing lists. I’ve been seeing this in my own mailbox. I’m getting added to different lists and because I used a tagged address I know these folks are harvesting from LinkedIn.
This behavior is really rude. Just because someone accepted your contact request on LinkedIn, doesn’t mean they want to be added to any mailing lists you may have. Let’s be honest, some people have hundreds or thousands of LinkedIn contacts. They’re not going to want to get mail from all of them.
This behavior risks your ESP account. I know of ESPs who have disconnected customers for importing all their LinkedIn contacts.
Of course, there are ways to effectively use your LinkedIn contacts. The short version is think about what you’re doing and how your mail will be received. Don’t grab all your contacts, be selective about who you choose. Have too many contacts to go through manually? That’s not an excuse, in fact, it’s an even bigger argument for not becoming a spammer.
I’ve previously written things you must consider when sending bulk mail to people who have connected with you on social networks.

Read More

Spam filtering is apolitical

It’s time once again for news organizations to pay attention to spam filters. This happens sometimes. Intrepid news organizations breathlessly report on how a particular ISP is blocking mail from a certain political figure or organization. I’ve written about political and activist lists being blocked or filtered before. Some of these posts are from the very early days of the blog even.
In 2007, AOL came under fire when their filters were blocking mail from Truthout.org. Truthout’s response was to yell, loudly, this was censorship and unfair. I talked about it in two blog posts: They’re not blocking you because they hate you and It really can be your email.
The reality is mail wasn’t blocked because AOL didn’t like Truthout or what they stood for. In fact, the folks I knew at the postmaster desk who handled blocking issues were more likely to support Truthout than try and censor them. But, the reality was that truthout.org was sending bad mail and it wasn’t wanted and so it got filtered. Don’t believe me? Carl Hutzler ran the AOL postmaster team and blogged about it at the time. His blog is gone, but archive.org has the full text.

Read More

Comodo, TLS certificates and business ethics

We run a lot of our own infrastructure at Word to the Wise. Our email and web presence runs on our own hardware, in our own cabinet in our own network space. Partly that’s because we’re all from very technical backgrounds, and can run them in a way that’s better suited to our needs than an off-the-shelf web service. Partly it’s so we can do things like add instrumentation to our inbound mail stream so we have easy access to information when diagnosing a customer’s delivery issues. But it’s also partly so we can keep up to date on protocols and software, and leaven our advice to clients with some first hand, real world experience.
One of those things is TLS certificates, for webservers and email servers.
We already used Comodo for code-signing certificates, so when their sales rep called me and offered some decent pricing on extended validation (EV or “green bar”) certificates in exchange for a three-year commitment, that seemed like a good opportunity to experience the extended validation process.
I’ve written previously about how painful the process of getting a TLS certificate from a legacy certification authority such as Comodo is, but this post isn’t about that.
I mentioned a few months ago that our green bar TLS certificate would be going away. That was because Comodo didn’t honor their agreement with us. While we ordered three years of EV certificate from Comodo, paid them for three years of EV certificate and confirmed in writing with the sales rep that they would provide three years of EV certificate, after one year Comodo decided that they wouldn’t honor that agreement.
The sales rep was mysteriously “no longer with the company” and his sales manager decided that they’d keep the money, but not provide the agreed to certificates. After a dozen or so promised calls back or email replies from a “sales manager” to discuss “what they could do for us” didn’t happen, we gave up on Comodo and switched to using Let’s Encrypt for our TLS certificates.
We’re very, very happy with Let’s Encrypt. The price of “free” is nice, but it’s the simplicity, reliability and general lack of having to deal with horrible sales reps that’s the best thing.
Apparently a lot of other Comodo customers thought the same thing, as Comodo seems to want to recapture those customers by pretending to be Let’s Encrypt.  They filed trademark registrations for “Let’s Encrypt”, “Comodo Let’s Encrypt” and “Let’s Encrypt with Comodo”. Comodo is in the business of “trust” and “identity” and I can’t think of any behaviour of theirs more antithetical to that.
And, on an email note, Comodo also seemed to decide that they didn’t want their employees to know about this, nor to answer questions about it, and reportedly configured their email filters to reject email mentioning letsencrypt.org with “mail contains a virus”.
— from Peter Steinberger, on twitter
(Given Comodo are a major email filter vendor I hope that that’s just a local configuration used by Comodo themselves, not part of their public filtering products.)
We will no longer be using or recommending Comodo as a vendor.
(This post brought to you as an exercise in avoiding the question “What effect will brexit have on the email industry?”, as the answer “Global economic collapse would probably be bad for the email industry, yes.” seems a little simplistic.)

Read More

iOS mail supporting list-unsub header

Al over at SpamResource reports that the next generation of Apple’s iOS has support for the list unsubscribe header.
To the best of my knowledge, this is the first time an independent email client has built in support for the List-Unsubscribe header. Microsoft and Google support it, but only in their webmail system. Hopefully other mail clients will follow suit.

Read More

Role accounts

A question came up on a recent deliverability panel about role accounts.

Read More

About that permission thing

I wrote a few days ago about permission and how it was the key to getting into the inbox. It’s another one of those “necessary but not sufficient” parts of delivery. There are, however, a lot of companies who are using email without the recipient permission. These companies often contact me to help them solve their delivery problems.  Often these are new companies who are trying to jumpstart their business on the cheap by using email.
The calls have a consistent pattern.

Read More

Looking forward in email

Len Shneyder writes about what we can expect to see in the near future email landscape.

Read More

Creating emails

Email is, still, primarily a written medium. This means that good copywriting is crucial. Today I opened up an email and the pre-header says:
Laura, should have get your Naturals Sample Bag.*Web Version
Wait. What?
Maybe they mean “should have got”? But that’s implying they’re sending out free sample bags to everyone. That can’t be right. But I can’t tell because with images off that’s the only text in the mail, except the footer and legal information.
When you load images you get a little more clarity. Apparently, making a big enough purchase triggers a bunch of samples to be included in your delivery. So the line possibly should be “Laura, get your natural samples bag.”
Maybe it was intentional. After all it did get me to load images to see what the email was about.

Read More

May 2016: The Month in Email

Summer, already? Happy June! Here’s a look at our busy month of May.
I had a wonderful time in Atlanta at the Salesforce Connections 2016 conference, where I spoke on a panel about deliverability. While in Atlanta, I also visited our friends at Mailchimp, and later spoke at the Email Innovations conference in Las Vegas, where I did my best to avoid “explaining all the things”. Since my speaking schedule for 2017 is filling up already, I’m sure I’ll have plenty of opportunity to explain many more of the things over the next year or so. Let me know if there’s an event that might be a good fit for me, either as a keynote speaker or on a panel.
Steve contributed a few technical posts on the blog this month. He mentioned that Google has stopped supporting the obsolete SSLv3 and RC4, and he explored the ARC protocol, which is in development and review, and which will be useful in extending authentication through the email forwarding process.
Meri contributed to the blog this month as well, with a post on the Sanders campaign mailing list signup process. We’ve written about best practices for political campaigns before, and it’s always interesting to see what candidates are doing correctly and incorrectly with gathering addresses and reaching out to supporters.
In other best practices coverage, I pointed to some advice for marketers about authentication that I’d written up for the Only Influencers list, a really valuable community for email marketers. I wrote about purchased lists again (here’s a handy collection of all of my posts on the topic, just in case you need to convince a colleague that this isn’t a great idea). I also wrote about how getting the technical bits right isn’t always sufficient, which is also something I’ve written about previously. I also discussed the myth of using the word “free” in the subject line. As I said in the post, “Single words in the subject line don’t hurt your delivery, despite many, many, many blog posts out there saying they do. Filters just don’t work that way. They maybe, sorta, kinda used to, but we’ve gotten way past that now.”
On a personal note, I reminisced about the early days of mailing list culture and remembered a dear online friend as I explained some of why I care so much about email.
In my Ask Laura column, I covered CAN SPAM and transactional opt-outs. As always, if you have a general question about deliverability that I can answer in the column, please let me know.

Read More

FCC notice of proposed rulemaking

The FCC recently published a notice of proposed rulemaking that will have an impact on how we fight abuse on the internet. M3AAWG has submitted a comment on the proposal (pdf link). All submissions can be found on the FCC website.

Read More

Memories of Spam in May

This morning on Facebook a friend posted a picture saying that 15 years ago was the very first anti-spam conference (Spamcon*). All we have are some blurry scans of pictures and coffee mugs.
That 550 sign belonged to the bar where the night out was held. It got bought by K & P and lived in their garden until it rotted away a few years ago. So many folks who are still active in the space, and so many folks who’ve moved on. Names I’d forgotten, faces I haven’t.
Many of those folks are still working in email. Some on the sending side, some on the tools and vendor side, some on the ISP side, some on the consulting side.  That conference was one of the very first times people publicly gathered to talk about spam. There were other occasions, but most were invite only with hand picked representatives of specific companies.
At that first Spamcon I was freshly laid off from MAPS (now Trend Micro). I was considering what next. The thing is, I really liked the work I was doing. MAPS had me leading a team to provide abuse desk as an outsourced service. We had a very large network provider as a customer and we were handling all the mail that came into abuse@ there. It was a challenge, I was creating processes and documenting policy, trying to do more with less and managing my first team ever.
Much of what I do now, here, grew out of that position. It was clear even then there was a need for someone who could help navigate the challenges of email.
In the same thread another person posted pictures from a social night in DC during the FTC Spam Forum. More folks, some I have lost touch with and some who are still friends and colleagues.
We were so young. All of us.
This is yet another form of community that email created. Some of it was built over email, but a lot of it happened on USENET and IRC and local meetups. There were so many ways we built community using plain text and dialup. The technology has changed, and that community from a dozen years ago has changed but it’s still all the same deep down inside.
(* If, at any point, you see me type Spamconk instead of Spamcon please blame autocorrect. It’s being difficult and even tries to correct it when I go back and edit sentences.)

Read More

Why care about email?

I got my first email address in the very late 80s. I was an intern at a government agency. I learned a lot there: how to sequence DNA, how to handle radioactive material, how to handle human pathogens, and how to send email. I got my first non-work non-school address in the mid-90s. One of the first things I did was join some mailing lists.
One of them was a list for folks who had pet rabbits. I met a lot of people there, both online and in person. As with many people we meet through a shared interest as our interest wanes the relationships change. Some relationships were maintained, but some of us lost touch with one another. Moves, job changes, email address changes, they all affect our ability to maintain relationships online. I kept in touch with some, one was the maid of honor at my wedding and a few years ago I was the maid of honor at hers. I lost track of others.

Read More

Back from Vegas

Had a wonderful time at the Email Innovations conference last week. Got a chance to see some familiar faces and meet a lot of new ones.
There is so much new and interesting and exciting stuff going on in the world of email. I think we’re hitting another period for real growth and innovation that’s going to change what we see in our inboxes and how we use email.

Read More

SHOUTY CAPS!!!

Over at Meh Glenn Fleishman has put together a fascinating two-parter on the history of using ALL CAPS for emphasis. And SHOUTING.

Read More

Time for Email Innovations!

After a great experience in Atlanta last week, with the Salesforce and Mailchimp folks, I’m heading off again today. This time it’s Las Vegas for the Email Innovations conference hosted by the Only Influencers group.
My talk is coming together nicely. It’s been a bit of a challenge to try and give enough detail to make sense while not overwhelming with technobabble. There were times when I was all

Thankfully I have some great folks around who talked me down and reminded me that there wasn’t a test and I could gloss over some of the details and still make sense. If you want a preview of part of my talk, check out my blogpost from last week at Only Influencers. Understanding the technical: authentication.
Hope to see you there! My talk is in the Education track after lunch on Thursday.

Read More

Comcast having a bad day

Comcast announced this morning that they’re having problems receiving mail and their customers are seeing significant delays.
We are currently experiencing an issue which is causing a significant delay in receiving email. This is not a good thing and we are very aware of the problem and are working hard to restore it.
Technical description for those who are interested: 
A problem on a couple of the network switches caused our blob storage to get into a bad state. Lots of peering errors etc, this coupled with a bug in the blob storage vendor’s software is prolonging resolution. We have an incident bridge going with the team and the developers.
Official notice on Xfinity Forums

Read More

Deliverability session at Connections 2016

If you’re at Connections 2016 stop by our session at 3:00 in the Sidney Marcus Auditorium. Bring your pressing deliverability questions.

Read More

Phone call of the week

I received a message on our 800 number. “This is Mark from a-website.example. Your customers are complaining to me that they are not getting my mail. And you’re blocking mail from me. Explain this to me!”
I called him back and left a message: “I think you’re confused and I probably can’t help you.”
A few minutes later, Mark returns my call.
L: Hi, this is Laura.
M: Who are you? You called me, you must be from Clearwire!
L: No, I’m not with Clearwire, I’m with WttW.
M: Then why is your phone number on the Clearwire website?
L: I don’t know, but this isn’t Clearwire. The Clearwire website is redirecting to Sprint. They got bought out a while ago.
M: Redirecting to Sprint? What does that mean? Your phone number is on Clearwire’s website. You must be with Clearwire.
L: No, really, I’m not.
M: Why is your phone number on their website?
L: I don’t know. But this is not Clearwire. (I start searching the blog because I remember some post somewhere about Clearwire.)
M: Well, who are you?
L: I run a delivery consulting firm. Is it possible you found my website and the blog post that says all clearwire.net addresses are being discontinued April 15, 2015?
M: They’re gone?
L: Yes, for more than a year now.
M: Oh.
scene
That blog post is the #1 google hit if you search for clearwire.net.

Read More

Changes coming to Verizon email

Last year Verizon bought AOL. As part of that merger some @verizon.net email is being migrated to the AOL backend. FAQs published by Verizon say this change is only affecting users in FL, TX and CA. Users will still have @verizon.net addresses but the backend and filtering will be managed by AOL.
This shouldn’t have a huge impact on commercial senders. However, one thing I did notice while reading through the FAQ is this:

Read More

April 2016: The Month in Email

We are finishing up another busy month at WttW. April was a little nutty with network glitches, server crashes, cat woes, and other disruptions, but hopefully that’s all behind us as we head into May. I’ll be very busy in May as well, speaking at Salesforce Connections in Atlanta and the Email Innovation Summit in Las Vegas. Please come say hello if you’re attending either of these great events.
Speaking of great events, I participated in two panels at EEC16 last month. We had a lot of great audience participation, and I met many wonderful colleagues. I wrote up some more thoughts about the conference here. I also had a nice conversation with the folks over at Podbox, and they’ve posted my interview on their site.
In the Podbox interview, as always, I talked about sending mail people want to receive. It always makes me roll my eyes a bit when I see articles with titles like “5 Simple Ways to Reach the Inbox”, so I wrote a bit about that here. In addition to sending mail people want to receive, senders need to make sure they are collecting addresses and building lists in thoughtful and sustainable ways. For more on this topic, check out my post on list brokers and purchased lists.
These same not-so-simple tricks came up again in my discussion of Gmail filters. Everyone wants a magic formula to reach the inbox, and — sorry to burst your bubble — there isn’t ever going to be one. And this is for a good reason: a healthy filter ecosystem helps protect all of us from malicious senders and criminal activity. The email channel is particularly vulnerable to fraud and theft. The constant evolution of filters is one way mail providers can help protect both senders and recipients — but it can be challenging for senders and systems administrators to keep up with this constant evolution. For example, companies sometimes even inadvertently filter their own mail!
I also wrote a bit about how B2B spam is different from B2C spam, and how marketers can better comply with CAN SPAM guidelines in order to reach the inbox. We also republished our much-missed friend and colleague J.D. Falk’s DKIM Primer, which is extremely useful information that was at a no-longer-active link.
One of my favorite posts this month was about “dueling data”, and how to interpret seemingly different findings around email engagement. We also got some good questions for my “Ask Laura” column, where we cover general topics on email delivery. This month we looked at “no auth/no entry” and the Microsoft Smartscreen filter, both of which are useful things to understand for optimizing delivery.
Finally, we are pleased to announce that we’ve joined the i2Coalition, an organization of internet infrastructure providers. They posted a nice introduction on their blog, and we look forward to working with them to help advocate and protect these important technical infrastructures.

Read More

Pete and Repeat

Pete and Repeat were on a boat. Pete fell out, who was left?
I was searching the blog for some resources today and these were the first two posts that showed up on the search results. I often feel like I’m repeating myself, but sometimes I am.

Read More

Trust the list broker

Over the years I’ve worked with companies who admit to me that they’ve purchased data at one point or another. Let’s face it, as bad a practice as it is, people and companies still think they can succeed in email marketing with purchased lists.
As part of the cleanup process, I start to ask questions about the list. Who did you buy it from? How were the addresses collected? Are these addresses shared with others? What did the seller tell you about the list?
Clients are rarely able to tell me about where the addresses are collected or if they’re shared.
It’s amazing to me how many companies choose to outsource the creation of such a valuable asset. They don’t know anything about it, but it’s a huge asset and so important they won’t let go when it doesn’t work.
Some of it is the sunk cost fallacy. But I think in some cases my clients don’t really believe the person who sold them the list wasn’t truthful. They really believe there is value in the list, if they can only unlock it.
Companies selling lists don’t really have any incentive to spend time or money making sure they have permission or that the lists are good. That’s just expense to them and returns no value. The value is in the number of addresses they can sell, not in the number of responsive addresses.
How many companies buy a list and immediately take it to a list cleansing service? Why should they? Shouldn’t the company SELLING the list make sure they’re selling deliverable addresses? Shouldn’t the seller spend the money for verification?
The very fact that so many companies believe they need to clean a purchased list speaks to the horrible quality of purchased lists. And, yet, companies are addicted to the idea of purchasing lists. They trust that the addresses are collected in a permission based manner. They believe when sellers tell them the addresses are good and valid – even when they see that 10 or 20 or 30% of the list is cleaned off by the list services.
List sellers won’t do the cleaning because they know they’re not providing the product. It’s a con and it’s a swindle and yet marketers still think they’re getting something of value from list sellers. And they still discover purchased lists are horrible in terms of deliverability and performance.

Read More

We joined the i2Coalition

Word to the Wise has joined the i2Coalition. Today they posted our introduction to their blog.
Why did we do it?
Email, and online spaces, are so important to modern life. We shop, bank, communicate, play and interact online. The internet has facilitated everything from political revolution to coffee dates and international friendships. Steve watched the Berlin Wall fall from his college dorm room over the internet. The internet was a major factor in the organization of the Arab Spring and other political movements. And sometimes we just meet people online. BBSes, usenet, email, and social networks let us connect with each other.
With that being said, too many people see online spaces as nebulous and “not real.” But the reality is that people genuinely connect, organize, and participate in online spaces. Those spaces need to be protected so these things can continue. The internet is, in many ways, a very special and unique place that has facilitated the growth of millions of communities. Unless we protect the infrastructure, these communities will fall apart and be useless.

Read More

Upcoming events for Laura

We’re more than halfway through April. Good: Taxes are finished. Bad: Wait? We’re well into Q2? How time flies. With that realization, it seems like it’s a good time to share some of the places and events I’ll be at in May.
Salesforce Connections in Atlanta, GA. May 10 – 12. I’m a panelist for Deliverability Unplugged: How to Stay out of Email Jail and Other Best Practices on May 11.  I’m sharing the panel with Mickey Chandler from SFMC and Melinda Plemel from Return Path. The session will be moderated by Rebecca McAdams from Forrester Research. Bring questions. I don’t think you really want to just listen to us show you slides, so come bearing questions.
As an aside, Salesforce is offering a discount of 50% off registration for Connections16 through April 22 if you use the promo code EQUALITY. Good on Salesforce for this.
Email Innovations Summit in Las Vegas, NV. May 17 – 18. Understanding your IT Department: What Non-Technical Brand Managers Need to Know about Email Security, DMARC, ISPs and Delivery. I’ve been working on this talk and, wow, there’s a lot of info I want to share. It should be a fun session, so stop by.
You can get a 15% discount off the cost of registration for Innovations by using my speaker code SPKATK

Read More

5 Simple Tricks to Reach the Inbox

I saw a post over on LinkedIn today. It was from an ESP, talking about their simple tips and tricks for getting into the inbox. The laughable bit was half the “tricks” had nothing to do with getting to the inbox, but rather were about enticing people to open the mail once it’s gotten to the inbox.
There are no “tricks” to getting to the inbox. There used to be some tricks. But the ISPs figured them out and protect against them.

Read More

Are you blocking yourself?

One thing that catches me up with clients sometimes is their own spam filters block their own content. It happens. In some cases the client is using an appliance. The client’s reputation is bad enough that the appliance actually blocks mail. Often these clients have no idea they are blocking their own mail, until we try and send them something and the mail is rejected.
Typically, the problem is their domains. We mention the domains in email, and the filters do what filters do. We work around this by abbreviating the domains or calling; it’s not a big deal.
It’s a great demonstration of content filters, though. The content (the client’s domain) is blocked even when it comes from an IP with a good reputation. In fact, with Gmail I can often tell “how bad” a domain reputation is. Most mail I send from WttW to my gmail address goes to the inbox, even when the client is reporting bulk foldering at Gmail. But every once in a while a domain has such a bad reputation that any mail mentioning that domain goes to bulk.
Most folks in the deliverability space know the big players in the filtering market: Barracuda, Cloudmark, ProofPoint, etc. Those same people have no idea what filters their company uses and have never even really thought about it.
Do you know what filter your company is using to protect employees from spam?
 
 
 

Read More

Network glitches and corrupted VMs

I had a bit of an interesting Friday. I was so glad it was finally the weekend. Saturday we did a bunch of errands, including go visit our servers. See, we’ve been upgrading infrastructure to implement a second type of backup system. Saturday we were doing the last set of upgrades so we could install over the weekend.
Yes, we do all our own networking and racking.
Saturday evening Steve is installing the new backup software. This is awesome backup software. It backs up the entire virtual machine. If we lose a virtual machine, we can just reload the entire thing and it will be back again.
Except while installing the software, there is a weird network glitch. Said network glitch caused the system to crash. The system crashes hard. The system crash corrupts some of the data on disk. The data on disk is our virtual machine files. Files are in read only mode and won’t fsck automatically.
We lose most of our production virtual machines.  We’re off the air.
Possibly this was tragic, not ironic. I dunno, it’s been a long weekend.
We lost a bunch of production virtual machines to the disk corruption. We haven’t lost any data, but it’s taking some time to rebuild the machines and pull data from the other backup system and get it installed.
That means some of our websites and services, like tools.wordtothewise.com are down. It may mean you saw some bounces if you sent us mail over the weekend. Mail is back and we are communicating with the outside world again.
Steve’s working through our other services as fast as possible to get them back up and running.
(If massive server issues weren’t enough, one of the cats got a UTI so we’re having to pill her twice a day. Then last night managed to puke so hard she passed out briefly. Poor thing. She’s doing better this morning.)

Read More

What a week!

Yesterday, after 5pm, I was so happy. I was telling folks to have a great weekend. To take time off and relax. Have fun! Don’t work! Enjoy the weather!
Then someone pointed out it was only Thursday.
But! I got up this morning and got lots of happy Facebook notifications from friends about how TODAY was Friday. I was ready to have an awesome and productive day and go into the weekend with a clean todo list and a well planned next week.
Then I broke my mail client. Trying to add an attachment would crash everything. That got fixed somewhere around noon.
So! I’ll just grab some lunch and get ready for a productive afternoon!
Then I broke finder.
Yes, that is a picture of my 27 inch monitor with hundreds of windows opening. I was trying to delete some of the 39,000 .jpgs from my mail client. My finger slipped on the trackpad, though, and instead of “move to trash” I clicked “show in containing folder.” Ooops. I finally crashed finder manually and it restarted and didn’t try and reopen all the windows.
OK. Fine. I’ll go to the bank and pick up mail and drop off tax (ugh, ow) payments.
On the way there, construction screwed up traffic and it took me more than 20 minutes to go 2 miles. (It’s not a safe place to walk, or I would have). On the way back, I went the Other Way. Only to discover a firetruck across 4 lanes of traffic and half a dozen cop cars showing up to a very recent accident.
Then, while writing this blog post I managed to somehow move widgets around and lose them on the wordpress editor.
Apparently I should have taken my friend’s advice and just decided today was not a work day. Because, wow, was it a mess. What all this means is I’m not going to try and blog anything substantial. I’d probably make some total boneheaded mistake and that wouldn’t be any good.
Instead, I will share the song KFOG played every Friday at 5pm (before Cumulus decided to fire everyone). Because I am really in the need of this week to be over.
Have a good weekend. Next week will be better!

Read More

A DKIM primer resurrected

I was looking for some references today back in old blog posts. This means I discover some old links are dead, blog posts are gone or moved, and information is lost.
In this case it’s a post by J.D. Falk on deliverability.com. The link is dead (it looks like the whole website is dead), but I found a copy of his post and am reproducing it here. I don’t have permission, because I can’t get permission from him, but the content is extremely useful and I don’t want it lost.

Read More

Podbox Expert Interview Series

Last month I did an interview with Podbox about email, deliverability and how I became an email expert (breaking things, lots of breaking things… and having to pick up the pieces and fix them…)
Check out the interview over on their website.
I’ve been thinking a lot about history and longevity. Next year will mark 10 years of the Word to the Wise blog and 20 years of me entering the anti-spam / deliverability space. That’s a lot of time. When I first started fighting spam it was really about my mailbox and getting rid of the junk I was receiving. At the time, a lot of people thought it was silly to spend so much effort fighting spam.
But as time has gone on, email spam and fraud became a big deal. Criminals realized they could use spam to further their gains at the expense of people. Spam is a network problem. Spam is a danger.
Personally, I’ve moved away from fighting spam. I’m now working more on making and keeping email a useful tool. Yes, that does include commercial email. Yes, it does include bulk email. Helping people get the mail they want in their inbox is a part of keeping the email ecosystem healthy. It’s the part I can do and the part I am good at.
Seeing email become such an important part of commerce, communication and modern life has been a journey. I look forward to seeing where the next 20 years takes us.
 

Read More

My panels from #EEC16

I had the privilege to be a part of two panels at EEC16, with some of the best folks in the business.
The first panel was “Everything You Ever Wanted to Know About Deliverability, but Were Afraid to Ask.”
We had a lot of great audience questions.
The first question, which was awesome (and I don’t think planted) was: “What is the most important thing we can do to improve our deliverability?”
All of us had really similar answers: pay attention to your data and your acquisition. Deliverability starts with your data: good data = good deliverability, poor data = poor deliverability. How you acquire addresses is vital to any email program.
I’ve had dozens of sales calls with potential clients over the years. Most of them tell me lots of stuff about their marketing program. I hear details of engagement, data hygiene, response rates, CTRs, bounce handling. But very, very few people spontaneously tell me how they’re acquiring addresses. That’s so backwards. Start with acquiring addresses the right way. Deliverability is all in the acquisition step. Of course, you need to nurture and care for those subscribers, send the right message at the right time and all the good things we talk about. None of that matters if you don’t start with good data.
Another question was about spamtraps. The panel had me take this one. I’ve written extensively about spamtraps and what they do and what they mean. The important thing to remember, though, is that a spamtrap is a signal. If you have spamtraps on your list, then there is a problem with your data acquisition. Somehow, people are getting addresses that do not belong to them on the list.
Spamtraps are a problem, but not for the reasons many people think they are problems. Folks get upset when their mail is blocked because of spamtraps. Blocking isn’t the only damage, though. For every spamtrap on a list that is one less responsive address. It’s one customer who you are not reaching. If there are spamtraps on a list, it’s likely there are deliverable addresses that don’t belong to your customers, too. These recipients are going to view that mail as spam. They didn’t sign up, they didn’t ask for it, they don’t want it. They’re going to complain, hurting your reputation. Too many of these recipients and delivery will suffer.
Spamtraps are a warning that something is wrong. That something is usually your data acquisition process.
Questions went on through the session and ranged from things like how to get mail to B2B inboxes and is there value in certification. We also had some insightful questions about authentication.
The second panel I was on was the closing keynote panel: “ISP Postmasters & Blacklist Operators: Defending Consumer Inboxes.” This was where I got to show my incoming mail chops, a bit. I was a last minute fill in for the panel and I am honored that Dennis and Len thought I could represent the incoming mail folks. It’s not like I’m out there writing filters, but I do pay attention to what the filter operators are saying and doing.
I think it is important for marketers to get a feel for what’s really going on at the ISPs. They aren’t trying to stop real mail, they’re trying to stop malicious mail. Matt from Comcast talked a lot about how marketers and ISPs share customers and the ISPs are trying to keep those customers safe and happy. Jaren discussed some of the decision making processes his company goes through deciding whether to err on the side of letting spam through or filtering good mail. Tom discussed how his blocklist works with some brands to help stop phishing attacks against those brands.
Overall, I think the session was a great success. The conference was great and I am looking forward to going back next year.
Were you at either panel? What did you think?

Read More

Insight into Gmail filtering

Last week I posted a link to an article discussing how Gmail builds defenses to protect their users from malicious mail. One of the things I found very interesting in that article was the discussion about how Gmail deploys many changes at once, to prevent people from figuring out what the change was.
Let’s take a look at what Gmail said.

Read More

Ask Laura: Can you help me understand no auth / no entry?

Dear Laura,
I’m a little confused by the term “no auth / no entry”. Gmail and other major receivers seem to be moving towards requiring authentication before they’ll even consider delivery.
Does this just mean SPF and DKIM, or does this mean the much more stringent DMARC, as well?
Thanks,
No Shirt, No Shoes, No What Now?

Read More

Thoughts on filters

One of the questions we received during the EEC16 closing keynote panel was why isn’t there a single blocklist that everyone uses and why don’t ISPs share data more. It would be so much easier for senders if every ISP handled mail the same as every other. But the world isn’t that simple, and it’s not always clear which mail stream is spam and which is good mail.

Read More

Thoughts from #EEC16

EEC16 was my first Email Experience conference. I was very impressed. Dennis, Len, and Ryan put together a great program. I made it to two of the keynotes and both took me out of an email focused place to look at the bigger picture.
Patrick Scissons discussed his experiences creating marketing and advertising campaigns for good and to share messages. Some of the campaigns were ones I’d seen as a consumer, or on the news. One of the campaigns he talked about specifically was for the group Moms Demand Action, looking at sensible gun control in the US. The images and symbology used in those campaigns were striking and very effective.
Kelly McEvers talked about her experiences as a correspondent in the Middle East during the Arab Spring. She is an engaging speaker, as one who does radio should be. Her overall message and theme was that sometimes events are such that you need to throw the list away and go with it. As someone who lives by “the list” and tries to make sure I’m prepared for every eventuality I found that a very useful message. Particularly when throwing away “the list” turned into some massively successful stories.
In terms of sessions, I found the email content session fascinating. I blogged about content in email last week and did some live tweeting, too. What really hit me after that session was that good marketing drives deliverability. Everything that Carey Kegel was talking about in terms of better marketing, sounded like things I recommend to clients to drive deliverability.
Back in 2012 I was writing posts about how delivery and marketing were somewhat at odds with each other. The premise was that marketing was about creating mindshare, and repeating a message so often a recipient couldn’t forget it. In email, repetition can cause recipient fatigue and drive delivery problems. But what I’m hearing now, from the leading minds of email marketers, is that email marketing works better if you send relevant and useful information to consumers. Recipients are key and you can’t just keep hammering them, you have to provide them with some value.
It seems marketing has finally come around to the delivery point of view.
 
 

Read More

March 2016: The Month In Email

Happy April! I’m just back from the EEC conference in New Orleans, which was terrific. I wrote a quick post about a great session on content marketing, and I’ll have more to add about the rest of the conference over the next week or so. Stay tuned!
Here’s a look at what caught our attention in March:
On the DMARC front, we noted that both Yahoo and mail.ru are moving forward with p=reject, and Steve offered some advice for ESPs and software developers on methods for handling this gracefully. I also answered an Ask Laura question about making the decision to publish DMARC. Look for more on that in this month’s Ask Laura questions…
Our other Ask Laura question this month was about changing ESPs, which senders do for many reasons. It’s useful to know that there will generally be some shifts in deliverability with any move. Different ESPs measure engagement in different ways, and other issues may arise in the transition, so it’s good to be aware of these if you’re contemplating a change.
In industry news, I wrote a sort of meta-post about how the Internet is hard (related: where do you stand on the great Internet vs. internet debate? Comment below!) and we saw several examples of that this month, including a privacy debacle at Florida State University. Marketing is hard, too. I revisited an old post about a fraud case where a woman sued Toyota over an email marketing “prank”. As always, my best practices recommendation for these sorts of things (and everything else!) really boils down to one thing: send wanted email.
Steve wrote extensively about SPF this month in two must-read posts, where he explained the SPF rule of ten and how to optimize your SPF records. He also wrote about Mutt, the much-loved command line email client, and marked the passing of industry pioneer Ray Tomlinson, who, in addition to his many accomplishments, was by all accounts a very thoughtful and generous man.
Finally, I occasionally like to take a moment and follow the twisty paths that lead to my spam folder. Here’s a look at how Ugg spams my email doppelganger, MRS LAURA CORBISHLEY. In other spam news, there’s a lot of very interesting data in the recent 10 Worst list from Spamhaus. Take a look if you haven’t seen it yet.

Read More

Don't mess with my email

One thing we tell clients is that people consider their mailbox a very personal space. They’re offended when people invade that personal space without permission, sometimes to an extent that doesn’t seem proportional to the scale of the offense. And we advise senders who have been invited into the inbox to treat it with respect.
Google don’t seem to realize that.
Today, they replaced one of the two “Send Mail” buttons (and the associated key sequence that people have in their finger memory) with one that silently attached a Minions mic-drop gif to the mail, and then hid any future replies to that mail thread. Quite apart from the fact that people use their gmail accounts for professional communications, this is also sabotaging what many people consider their most personal online space. (And, to make it worse, they had a bug such that sometimes the gif would also be added to mail using the other “Send Mail” button).
There’s No Way This Could Go Horribly Wrong.
People were very, very unamused. Google had already pulled the feature by the time I heard about it this morning.
Never take people’s mailboxes for granted. Never.

Read More

Content is the new volume!

I’m having a great time here at #EEC16. Today is my visit and go to sessions day, since tomorrow I’m speaking at 2 different sessions.
I was lucky enough to get into the Customer Experience session presented by Carey Kegel of SmartPak and Loren McDonald of IBM Marketing Cloud. It was an interesting session.
If you don’t know, SmartPak is a brand focused on selling horse tack and supplements. They initially started off by creating packs of supplements for your horse. This is great for horse owners, as it means the barn staff just needs to add one pack to your horse’s feed. No measuring, no confusion, it’s simple and means your horse gets what they need.
First they started talking about the volume of email sent by SmartPak. Their mails aren’t that consistent, but they mail between 25 and 30 emails a month. Some months last year they mailed every day.
What they started seeing, though, is that the volume of marketing mail drove list churn. The biggest reason users gave for unsubscribing was “too much volume.” The more mail they sent, the more unsubscribes they saw. Even worse, more volume did not translate into revenue. As email volume went up, email performance decreased.
They tested adding content to emails. Just a block on the side of the email with links to content on their website. Adding the content links increased click through rates by 9% and revenue per email by 15%.
These results don’t require the content be in the emails. You can use emails to drive recipients to already existing content on the website, including videos and surveys.
The session didn’t specifically discuss deliverability directly, but I think there were some clear deliverability benefits to content marketing.  In fact, an email with no call to action, simply a post-purchase “what to expect” email had an open rate of 33%. These types of open rates help improve overall reputation and lead to more inbox deliveries.

The session really drove home how valuable content marketing is. One thing that was continually repeated during the session is that most marketers have the content already. Use email to drive users to the content you already have. Include that content in marketing mails. Meet the recipient’s needs and wants.
There are a couple takeaways I got from the session.

Read More

More Yahoo domains get DMARC'd

Yahoo is turning on p=reject for 62 of their international domains on March 28, 2016. These domains include:
y7mail.com
yahoo.at
yahoo.be
yahoo.bg
yahoo.cl
yahoo.co.hu
yahoo.co.id
yahoo.co.il
yahoo.co.kr
yahoo.co.th
yahoo.co.za
yahoo.com.co
yahoo.com.hr
yahoo.com.my
yahoo.com.pe
yahoo.com.ph
yahoo.com.sg
yahoo.com.tr
yahoo.com.tw
yahoo.com.ua
yahoo.com.ve
yahoo.com.vn
yahoo.cz
yahoo.dk
yahoo.ee
yahoo.fi
yahoo.hr
yahoo.hu
yahoo.ie
yahoo.lt
yahoo.lv
yahoo.nl
yahoo.no
yahoo.pl
yahoo.pt
yahoo.rs
yahoo.se
yahoo.si
yahoo.sk
yahoogroups.co.kr
yahoogroups.com.cn
yahoogroups.com.sg
yahoogroups.com.tw
yahoogrupper.dk
yahoogruppi.it
yahooxtra.co.nz
yahoo.ca
yahoo.co.in
yahoo.co.nz
yahoo.co.uk
yahoo.com.ar
yahoo.com.au
yahoo.com.br
yahoo.com.hk
yahoo.com.mx
yahoo.de
yahoo.es
yahoo.fr
yahoo.gr
yahoo.in
yahoo.it
yahoo.ro
These may cause some delivery issues with international Yahoo domains during the transition period. Anyone using these domains in mail not sent through the Yahoo interface is likely to experience increased bounces at ISPs who are respecting the p=reject request in the DMARC record.

Read More

Email nightmare for some FSU students

I mentioned yesterday that sometimes people and software screw up in ways that cause problems. Today I saw an article demonstrating just how bad these issues can be. Florida State University Housing Department sent detailed and confidential violation reports to tens of thousands of students.

Read More

The Internet is hard.

There are so many things that need to happen to make the Internet work. DNS entries need to be right. MXs need to be set up. Web servers need to be configured. And, let’s be honest, anyone who has ever run their own services on the Internet has flubbed a configuration.
We don’t think about it, because most of the time the configurations are handled by scripts and they do things right. But at some point someone needs to type in something and there’s a risk it will go horribly wrong. I’ve been digging into domain data for a client of mine today. I think I’m going cross-eyed over it. But I have found so many weird things that just mean someone isn’t paying attention to what they’re doing.
Like the domain that has an MX record that says:
[Image: screenshot of the domain’s MX record]
I’m pretty sure the intention of the domain owner is to publish a null MX. But they added an extraneous “0” in there and ended up publishing something really weird. Even worse, the MTA that this client is using is listing this as a “delivered” email. I’m pretty sure that mail to that domain never left the MTA.
I’ve found horribly typoed MX domains for popular spam filters. I’ve found domains that have invalid characters in them. I’ve found domains that are totally a mess.
The vast majority of us have some story or other of the time we really broke things by accident. Like the time a very large ISP deleted their MX records. Or when a different ISP changed their internal forwarding and broke SPF authentication for everyone mailing that domain. Or when another ISP accidentally blocked every IP beginning with 6.
Sometimes I’m amazed that the Internet ever works. No matter how big it gets, there are actual people writing actual code and configurations. The number of things that have to happen to get packets from A to B is pretty impressive. We rarely ever notice the breakages, the people who run things are really good at their jobs. But sometimes poking in the grotty corners reminds me how easy it is to break things. It’s sometimes a wonder things actually work.
 

Read More

Things to read: March 9, 2016

It’s sometimes hard for me to keep up with what other people are saying and discussing about email marketing. I’ve been trying to be more active on LinkedIn, but there are just so many good marketing and delivery blogs out there I can’t keep up with all of them.
Here are a couple interesting things I’ve read in the last week.
Five Steps to Stay Out of the Spam Folder. Conceptually easy, sometimes hard to pull off in practice, these recommendations mirror many things I say here and tell my clients about delivery. The audience is in charge and your recipients are the best ally you can have when it comes to getting into the inbox.
Which states are the biggest sources of spam? California and New York top the list, but the next two states are a little surprising. Over on Spamresource, Al points out the two next states have some unique laws that may affect the data. I just remember back in the day there were a lot of spammers in Michigan, I’m surprised there’s still a significant volume from there.
CASL didn’t destroy Canadian email. Despite concerns that CASL would destroy the Canadian email marketing industry, the industry is going strong and expanding. In fact, spending on email marketing in Canada was up more than 14% in 2015 and is on track to be up another 10% this year. Additionally, according to eMarketer lists are performing better because they’re cleaner.
A brief history of email. Part of the Guardian’s tribute to Ray Tomlinson, the person who sent the first email. Ray’s work literally changed lives. I know my life would be significantly different if there wasn’t email. Can you imagine trying to be a deliverability consultant without email? 🙂

Read More

Ray Tomlinson

Ray Tomlinson has passed away. Mainstream obituaries are going to focus on his being “the creator of email” or “the sender of the first email” or “the inventor of the @ sign in email addresses”.
All of which are true. He did send the first (networked) email. He did use the (otherwise mostly unused on TENEX) @ sign to separate user and host.
But he did a lot of other things with the basics of the modern Internet that are more important than the @-sign.

Read More

February 2016: The Month in Email

Happy March! Here’s a look back at our last month of email adventures.
It was a busy few weeks for us with the M3AAWG meeting in San Francisco. We saw lots of old friends and met many new people — all in all, a success, despite the M3AAWG plague we both contracted. Hot topics at the conference included DMARC, of course, and I took the opportunity to write up a guide to help you determine if you should publish a DMARC policy.
On the subject of advice and guidance, Ask Laura continues to be a popular column — we’ve had lots of interesting questions, and are always looking for more general questions about email delivery. We can’t tackle specifics about your program in this column (get in touch if we can help you with that directly) but we can help with questions like “Will our ESP kick us off for mailing purchasers?” or “Help! I’m confused about authentication.”
Continuing on the authentication front, I noted that Gmail is starting to roll out some UI to indicate authentication status to users. It will be interesting to see if that starts to affect user (or sender) behavior in any way. In other interesting industry news, Microsoft has implemented an Office 365 IP Delisting page. I also wrote a followup post to my 2015 overview of the state of ESPs and purchased lists — it’s worth checking out if this is something your business considers.
I wrote a post about security and backdoors, prompted by both the FBI/Apple controversy and by Kim Zetter’s talk at M3AAWG about Stuxnet. These questions about control and access will only get more complicated as we produce, consume, store, and share more data across more devices.
Speaking of predictions, I also noted my contribution to a great whitepaper from Litmus that explores the state of Email Marketing in 2020.
As always, we looked at some best practices this month. I wrote up some of my thoughts about data hygiene following Mailchimp’s blog post about the value of inactive subscribers. As always, there isn’t one right answer, but there’s a lot of good food for thought. And more food for thought: how best practices are a lot like public health recommendations. As with everything, it comes down to knowing your audience(s) and looking at the relationship(s), which, as you know, is a favorite subject around here.

Read More

Laura's Speaking Events early 2016

My speaking schedule is coming together for Q1 and Q2 this year.
Email Evolution Conference. March 30 – April 1. New Orleans, LA. I’ll be participating on the “All You Ever Wanted to Know about Deliverability (But Were Afraid to Ask)” panel Friday Morning. The other panelists are Chris Arrendale, Alyssa Nahatis and Matthew Vernhout. This panel should be quite a bit of fun, as we all know each other and have collaborated in the past. I’m looking forward to it. Come prepared with questions!
Salesforce Connections. May 10 – 12. Atlanta, GA. Another panel on deliverability, this time with Mickey Chandler from SFMC and Melinda Plemel from ReturnPath. We’ll each be giving our 3 best tips to improve deliverability and then be taking questions from the audience. We have all been around a long time, in fact Mickey used to work for me at MAPS back in 2000. We’re all ready to answer those questions you’ve always had but never known who to ask.
Email Innovations Summit. May 17 – 19. Las Vegas, NV.  Not a panel! I’ll be speaking about the technical things happening around email that will affect sending, marketing and deliverability. If you ever wanted to know how to talk to the technical folks this is the session to come to. I’ll be explaining some of the terminology and teaching attendees what they need to care about and what they just need to know exists. Register with my code (SPKATK) and save 15%.

Read More

Mandrill changes

Last week Mandrill announced that they were discontinuing their free services and all customers would be required to have a corresponding paid Mailchimp account.

Read More

Email in 2020

Late last year Litmus invited me to contribute to a whitepaper they were putting together about email in 2020. Today, they released Email Marketing in 2020. I am honored to be included in the list of experts that they chose.
One of the things I find so so much fun in participating in this type of joint project is seeing what other people’s visions are. When Chad first contacted us, his request was very simple. He wanted 400-ish words on what we thought would change. We all approached it from our own perspectives. The final document really touches on a wide range of changes and gives a bright and rosy view of the future of email.
It’s hard to imagine I’ve had email for more than 25 years. It’s become such a fundamental and critical part of my life. I mean, sure I’m an email professional but it’s more than that. Some of my best friends I met over email. I’ve gotten multiple jobs based on my presence on email discussion lists. Steve and I met around email. One of the fun bits of M3AAWG is that I get to see friends I first met almost 20 years ago over email.
Email has really changed in the last decade. It is now a critical part of daily life for many people. Even social networking would be nowhere without an email address. Email really is the key to the digital kingdom. That’s not going to change.
Email being the key to the digital kingdom is a challenge. It lets nefarious people into our homes and into our lives and into our computers. A lot of very smart people are working on how to make email safer for us. I think it will be much safer in 2020, through the hard work and dedication of a lot of people.
I strongly encourage you to download the Email Marketing in 2020 white paper from Litmus. There is a lot of insight. It will be fun to see how much of what was said becomes reality.

Read More

Catching up from MAAWG SF

Had a great time at M3AAWG last week. So many familiar faces and a lot of new ones, too. I’ve got a lot of interesting stuff that I can share with readers over the next few days.
One of the things I have received permission to share is the new Office 365 IP delisting link. I botched it the first time I posted it, so I’m going to try again. Office 365 IP Delisting Page. Many thanks to the Microsoft guys for getting this together for people.
While I’m talking about Microsoft, there is a bit of a problem with folks signing up with their FBL. Some people are finding that the process gets stuck and FBLs aren’t enabled. MS is aware of the issue and they are working on fixing it. As I know more I’ll share.
Unsurprisingly, authentication was a big topic of conversation, both in the hallways and in the sessions. There were some strong opinions stated. I think, though, that we’re pretty clear that we’re going to get to a more authenticated world. But we have some different opinions on how and how fast that’s going to happen.

Read More

Getting unblocked at Outlook.com

It’s been a crazy week here at M3AAWG. I have a lot of stuff to blog about, but I think one of the really important things to get out is the new unblock request page at Outlook / Hotmail.
https://sender.office.com
Submit your IPs and it will be reviewed.
(Apologies for the repeated bad links. I’m blaming con crud, lack of sleep and MSN/Hotmail/Office/Outlook for having so many domains I can’t keep them straight. I have finally gotten it right and tested it.)

Read More

Security, backdoors and control.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control. Apple letter to customers

Read More

Should you publish DMARC?

I’ve been hearing a lot lately about DMARC. Being at M3AAWG has increased that. Last night we were at dinner and heard from the next table “And they’re not even publishing DMARC!!!!”
I know DMARC is the future. I know folks are going to have to start publishing DMARC records. I also know that the protocol is the future. I am also not sure that most companies are ready for DMARC.
So let’s take a step back and talk about DMARC, what it is and why I’m still a little hesitant to jump on the PUBLISH DMARC NOW!! bandwagon.

Read More

Thoughts on Data Hygiene

One of the big deliverability vs. marketing arguments has to do with data hygiene and dropping inactive users. Marketers hate that deliverability people tell them to let subscribers go after a long time of no activity from the subscriber.
Data hygiene is good. Email is not permanent and not forever, and the requirements for data hygiene in the email space are very different than the requirements in the postal mail space. There is no such thing as “dear occupant” in email. I mean, you can send to occupant, but the occupant can then hit the “this is spam” button. Too many emails to “occupant” and mail goes to bulk instead of the inbox. These are real risks.
With that being said, there are a lot of things to consider when putting together a data hygiene program. You’re looking to remove people who are no longer interested in your brand as much as they are no longer interested in your mail. You’re trying to suss out who might have abandoned the email address you have for them. It’s complicated.
I’ve worked with a lot of clients over the years to implement data hygiene programs. Sometimes those programs were to deal with a bulk foldering issue. Other times clients have been trying to address an SBL listing. Still other clients were just looking for better control over their email and delivery. In all cases, my goal is to identify and classify their recipients into 3 groups: addresses we know are good, addresses we know are bad, and then addresses we don’t know about.
Good addresses get mailed. Bad addresses get dumped. The challenging bit is what do we do with the unknown addresses? That’s when we start looking at other data the client may have. Purchases? Website visits? What do we have to work with and what else do we know about the people behind the addresses. Once we’ve looked at the data we design a program to take the addresses we don’t know about and drop them into either the good or the bad bucket. How we do that really depends on the specifics of the company, their program and their data. But we’ve had good success overall.
There’s been a lot of discussion on hygiene this week, after Mailchimp published a blog post looking at the value of inactive subscribers. They found something that I don’t find very surprising, based on my observations across hundreds of clients over the years.

Read More

Gmail showing authentication info

Yesterday Gmail announced on their blog they would be pushing out some new UI to users to show the authentication and encryption status of email. They are trying to make email safer.
There are a number of blog posts on WttW for background and more information.

Read More

Q1 2016: Upcoming events

While we’re working on a Speaking Schedule page for my upcoming events, I’ll just update the blog. My schedule for Q1 and Q2 is coming together.
M3AAWG 36: San Francisco, February 16 – 18th. I’ll be up on Monday afternoon. No official speaking at this one, just sitting in the audience and listening. But stop by and say hi!
Email Evolution Conference: Hosted by the EEC, New Orleans, March 30 – April 1. I’ll be on the panel Everything You Always Wanted to Know About Email (But Were Afraid To Ask) with some of my favorite colleagues.
Email Innovations Conference: Las Vegas, May 18 – 19th. Understanding Your IT Department: What Non-Technical Brand Managers Need To Know about Email Security, DMARC, ISP’s and Delivery.

Read More

AOL broken (again)

I am, apparently, still one of the top hits when you Google for AOL. When things break at AOL, this means I get lots of contacts, comments and even phone calls from people looking for help.
I’m really not AOL support. (Really. I’m not. If you’re an AOL user I can’t help you log into your account. Please don’t call. Please don’t ask. Contact AOL directly.)
BUT! So many AOL users thinking I am means I learn about AOL problems fairly early in the cycle. As of this morning I’m getting a lot of reports that AOL is broken. I tried logging into my account and got the following:
[Screenshot: AOL error message]
On the delivery end mail is still being accepted. I can send mail to that particular account, even though I can’t log into it. But, senders may see lower engagement from AOL users until the issue is resolved.

Read More

Things you need to read: 2/5/16

Ask the Expert: How Can Email Marketers Stay Out of Gmail Jail and in the Inbox? The expert in question is an old friend of mine, Andrew Barrett. I met Andrew online in the late 90s, and we worked together (briefly) at MAPS. He was out of email for a while, but I’m pleased he came back to share his talents with us. The information in the article is valuable for anyone who struggles with getting to the Gmail inbox.
Unclutter Your Inbox, Archive & Keep Your Messages. Shiv Shankar talks about some new features at Yahoo Mail. With a simple click, you can archive email so it’s available to search, but not cluttering up your inbox. One of the things that jumped out at me from that article is that Yahoo is providing 1 TB of storage. That’s more than Google!
The EEC is doing a survey on the impact of CASL and want to hear from marketers. Go check out their blog post and take their survey.
Sparkpost has a guest blog from Alex Garcia-Tobar, co-founder of Valimail about common DKIM failures. I’ve met Alex a few times and I’ve always found him a pleasure to talk to. Alex is somewhat new in the email space, but he really gets some of the challenges in the authentication space. A lot of the issues he mentions in that blog post like lack of key rotation and shared keys are some of the technical debt I was talking about in my predictions for 2016 post.
What links have you read this week that are worth sharing?

Read More

January 2016: The Month in Email

Happy 2016! We started off the year with a few different “predictions” posts. As always, I don’t expect to be right about everything, but it’s a useful exercise for us to look forward and think about where things are headed.
I joined nine other email experts for a Sparkpost webinar on 2016 predictions, which was a lot of fun (see my wrap up post here), and then I wrote a long post about security and authentication, which I think will be THE major topic in email this year both in policy and in practice (see my post about an exploit involving Trend Micro and another about hijacked Verizon addresses). Expect to hear more about this as 2016 continues.
My other exciting January project was the launch of my “Ask Laura” column, which I hope will prove a great resource for people with questions about email. Please let me know if you have any questions you’d like to see me answer for your company or your clients — I’ll obscure any identifying information and generalize the answers to be most widely applicable for our readers.
In other industry news, it’s worth noting that Germany has ruled it illegal to harvest users’ address books (as Facebook and other services do). Why does that make sense? Because we’re seeing more and more phishing and scams that rely on social engineering.
In best practices, I wrote about triggered and transactional emails, how they differ, and what to consider when implementing them as part of your email program. Steve describes an easy-to-implement best practice that marketers often ignore: craft your mails so the most important information is shown as text.
I re-published an older post about SMTP rules that has a configuration checklist you might find useful as you troubleshoot any issues. And a newer issue you might be seeing is port25 blocking, which is important if you are hosting your own email senders or using SMTP to send to your ESP.
Finally, I put together some thoughts about reporting abuse. We work closely with high-volume abuse desks who use our Abacus software, and we know that it’s often not worth the time for an individual to report an incident – but I still think it’s worthwhile to have the infrastructure in place, and I wrote about why that is.

Read More

Enter clickbait here

Yesterday I talked about how the truth matters in email marketing. But that’s not the only place the truth matters.
Today I found myself in a bit of a … discussion on Facebook. It ended up being a lesson in why you should never trust the clickbait headline. I also realized there are parallels with email best practices and how we share them with people.

Read More

The truth matters.

Call within the next 10 minutes…
Consumers with last names starting with O – Z can call tomorrow…
Only 5 seats left at this price!
All of these are common marketing techniques designed to prompt consumers to buy. It’s not a new idea: create a sense of urgency and people are more likely to buy.
I think some marketers are so used to making outrageous claims to support their marketing goals, that it doesn’t occur to them that the truth matters to some people.
There’s almost no better way to get me to send in a spam complaint than to send me an email with a claim about how I opted in.
Example:

Read More

Purchased lists and ESPs: 9 months later

It was about 8 months ago I published a list of ESPs that prohibit the use of purchased lists. There have been a number of interesting responses to that post.
ESPs wanted to be added to the list
The first iteration of the list was crowdsourced from different ESP representatives. They shared the info they had with each other. With their permission, I put it together into a post and published it here. Since then, I’ve had a trickle of ESPs asking to be added to the list. I’m happy to add any ESP. The only requirement is a privacy policy (or AUP) that states no purchased lists.
People reference the list regularly
I’ve had a lot of ESP deliverability folks send thanks for writing this post. They tell me they reference it regularly when dealing with clients. It’s also been listed as “one of the best blog posts of 2015” by Pardot.
Some 2016 predictions build on the post
I’ve read multiple future predictions that talk about how the era of purchased lists is over. I don’t think they’re wrong. I think that purchased lists are going to be deliverability nightmares on an internet where users wanting a mail is a prime factor in inbox deliverability. They’re already difficult to deliver, but it’s going to get worse.
Not everyone thinks this is a good post. In fact, I just recently got a comment about how wrong I was, and… well, I’ll just share it because I don’t think my summary of it will do it any justice.

Read More

More 2016 predictions

Gerald Marshall of Email Industries looked at over a hundred different 2016 predictions and organized them for us. Most predictions went into the segmentation and personalization and automation buckets. Only a few predictions were security related, which either means I’m ahead of the curve or on a different planet. Time will tell.

Read More

More predictions for 2016

This morning I had the pleasure of participating in the SparkPost 10 experts in 50 minutes webinar. I am honored to be included with such a smart group of forward thinking leaders in the email space.
The webinar was also live tweeted using #emailpros. I’ve put together some of my favorite tweets from today.
What was fun for me was listening to the similarities and differences in our views. Multiple people mentioned authentication and security. Other people focused on display and creatives. Privacy and big data was another theme through multiple speakers. Our Canadian representative gave us a good summary of CASL enforcement. We also had some insightful comments about how deliverability is changing for the B2B market.
I’m definitely stealing B2H. I tweeted B2Host, but also saw someone use B2Human. Both work. It’s a term that really captures what deliverability is about. The human behind the email address is critical for getting to the inbox. B2H! Beautiful.

Read More

Things you need to read

The email solicitation that made me vow to never work with this company again. When sending unsolicited email, you never know how the recipient is going to respond. Writing a public blog post calling you out can happen.
The 2016 Sparkies. Sparkpost is looking for nominations for their email marketing awards. Win a trip to Insight 2016!
5 CAN SPAM myths. SendGrid’s General Counsel speaks about CAN SPAM myths. Personally, asking for an email to unsubscribe is annoying. I never know if the unsubscribe request worked or not. Give me a link any day.
The most misunderstood statistic in email marketing. A good discussion of why the raw complaint rate isn’t the metric the ISPs use, and how it can mislead folks about their email program.
Office 365 is expanding its DKIM signing. Terry Zink discusses the upcoming changes to how Office365 handles DKIM signatures. This is exactly the kind of changes I was talking about in my 2016 predictions post – background changes that are going to affect how we authenticate email. He even specifically calls out whether or not a particular signature is DMARC aligned or not.

Read More

What to expect in 2016

I don’t always do predictions posts, even though they’re popular. Most years I skip them because I don’t see major changes in the email space. And, I’m not the type to just write a prediction post just to post a prediction.
This year, though, I do see changes for everyone in the email space. Most of them center on finally having to deal with the technical debt that’s been accumulating over the past few years. I see ISPs and ESPs spending a lot of development effort to cope with the ongoing evolution of authentication requirements.
When people started seriously looking at how to authenticate email, the first goal was getting organizations to implement the protocols. This was a practical concession; in order for a new protocol to be used it needs to be widely implemented. Phase one of authenticating email was simply about publishing protocols and getting organizations to use them.
During phase one, the organization that authenticated a mail hasn’t been important. In fact, the SPF spec almost guarantees that the ESP domain is the authenticated domain. In DKIM, the spec says any domain could sign as long as they could publish a public key in that domain’s domainkeys record.
ESPs took full advantage of this and lowered their own development overhead by taking most of the authentication responsibility on themselves. Their domains were in the 5321.from and they published the SPF records. Domains they control were in the d= and they generated and published the DKIM keys. Mail was authenticated without ESP customers having to do much.
We’ve hit the end of phase one. Most of the major players in the email space are authenticating outbound email. Many of the major players are checking authentication on the inbound. Phase one was a success.
We’re now entering phase two, and that changes things. In phase two, SPF and DKIM are used as the foundation for user visible authentication. Neither SPF nor DKIM were designed to be user visible protocols. To understand what they’re authenticating you have to understand SMTP and email. Even now there are days when I begin talking about one of them and have to take a step back and think hard about what is being authenticated. And I use these things every day!
DMARC is the first of these end user visible protocols built on SPF and DKIM. It uses the established and widespread authentication to validate the user visible from address. This authentication requires that the d= value or the 5321.from address belong to the same domain as the visible from address. While you can pick whether the alignment between the visible from and the authentication is “strict” or “relaxed” you have no choice about the alignment.
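The alignment rule described above, worked through as an added example (not code from this blog or from any mail provider). The `adkim` and `aspf` tag names come from the DMARC specification rather than this post, the sample messages and domains are constructed, and the short suffix set is an assumption standing in for the full Public Suffix List that relaxed alignment needs.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption); a real
# checker loads the full list to find organizational domains.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def organizational_domain(domain):
    """Return the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning left to right means the first hit is the longest suffix.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares
    organizational domains."""
    auth = auth_domain.lower().rstrip(".")
    visible = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth == visible
    return organizational_domain(auth) == organizational_domain(visible)


def evaluate(from_header, envelope_domain, spf_pass, dkim_results, dmarc_txt):
    """Decide DMARC pass/fail for one message.

    envelope_domain: domain of the 5321.from address that SPF checked.
    dkim_results: list of (d= domain, signature verified) pairs.
    dmarc_txt: the DMARC record published for the visible from domain.
    """
    tags = parse_dmarc_record(dmarc_txt)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    # A mechanism only counts if it both passed AND is aligned.
    spf_ok = spf_pass and is_aligned(
        envelope_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(
        verified and is_aligned(d, from_domain, tags.get("adkim", "r"))
        for d, verified in dkim_results)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


# Constructed scenarios: example.com is the brand, example.net is the ESP.
FROM = "Brand News <news@example.com>"
SCENARIOS = {
    # Phase one: the ESP's domains authenticate everything.
    "esp_only": (FROM, "bounces.example.net", True,
                 [("example.net", True)], "v=DMARC1; p=reject"),
    # The customer publishes a DKIM key under its own domain.
    "customer_dkim": (FROM, "bounces.example.net", True,
                      [("example.net", True), ("mail.example.com", True)],
                      "v=DMARC1; p=reject"),
    # Same message, but the record demands strict alignment.
    "customer_dkim_strict": (FROM, "bounces.example.net", True,
                             [("mail.example.com", True)],
                             "v=DMARC1; p=reject; adkim=s; aspf=s"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, evaluate(*args))
```

In the `esp_only` scenario both SPF and DKIM pass, yet DMARC fails because neither authenticated domain shares an organizational domain with the visible from address.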
Prior to DMARC no one really paid much attention to the domain doing the authentication. Authentication was a yes or a no question. If the answer was yes, then receivers could use the authenticated domain to build a reputation. But they weren’t really checking much in the way of who was doing the authentication.
In the push to deploy authentication, ESPs took the responsibility and did most of the work. For many or most customers, authentication was as simple as clicking a checkbox during deployment. Some ESPs do currently let customers authenticate the mail themselves, but there’s enough overhead in getting that deployed that they often charged extra to cover the costs.
DMARC is rapidly becoming an expectation or even a full on requirement for inbox delivery. In order to authenticate with DMARC, the authenticating domain must be in the same domain space as the visible from. If senders want to use their own domain in the visible from, DNS records have to be present in that domain space. Whether it’s an SPF TXT record or a domainkeys record the email sender customer needs to publish the correct information in DNS. Even now, if you try to authenticate with DKIM through Google Apps, they require you to publish DNS records.
ESPs aren’t in a situation where they can effectively manage authentication alignment for all their customers. Hosting companies are in even worse shape when it comes to letting customers authenticate email. Developers are facing the fact they need to go back and rework their authentication code. Businesses are facing the fact they need to change their processes so customers can authenticate with DMARC.
It’s not just the infrastructure providers that are facing challenges with authentication. Senders are going to discover they can no longer hand authentication off to their ESPs and not worry about it. They’re going to have to get DNS records published by their own staff.
Getting DNS updates through some big companies is sometimes more difficult than it should be. I had one client a few years ago where getting rDNS changed to something non-generic took over a month. From an IT standpoint, changing DNS should require approvals and proper channels. Marketers may find this new process challenging.
And, if organizations want to publish reject policies for their domains, then they will have to publish records for every outside provider they use. Some of those providers can’t support DMARC alignment right now.
In 2016 a lot of companies will discover their current infrastructure can’t cope with modern authentication requirements. A lot of effort, both in terms of product development and software development, will need to be spent to meet current needs. This means a lot of user visible features will be displaced while the technical debt is paid.
These changes will improve the security and safety of email for everyone. It won’t be very user visible, which will give the impression this was a slow year for email development. Don’t let that fool you, this will be a pivotal year in email.

Read More

CBL issues

I started seeing some folks complain about false CBL listings a few hours ago. I’m now seeing the same folks saying the listings are being removed.
The symptoms look similar to what happened in November (mentioned here), but it appears the CBL team are on top of things and are working to rectify things quickly.

Read More

Email Innovations Summit in May 2016

I’ve been accepted as a speaker for the Email Innovations Summit in Las Vegas in May. This is a conference hosted by the folks behind the Only Influencers group and should be a great way to meet some of the leading minds in email marketing.
I’ll be speaking on some of the things I see changing in the email space and how that will affect email marketing as a whole. I think it will be great fun and look forward to meeting many of my OI colleagues.

Read More

Port25 blocking

A number of hosting providers are blocking outgoing port25. This has implications for a lot of smaller senders who either want to run their own mail server or who use SMTP to send mail to their ESP.

Read More

Security vendors and trust.

A big part of my predictions for 2016, that I’ll publish shortly, is that security is going to be a huge issue. I think we’re really going to see receivers expecting senders to have their houses in order when it comes to sending mail.
Of course, some filter companies need to get their houses in order too. Yesterday, a security researcher went public with problems in the TrendMicro anti-virus appliance. These vulnerabilities would let any email sender remotely execute code on the recipient’s machine with no interaction of the user. They also exposed all the passwords on the machine to the outside world.
Even worse, Trend doesn’t seem to understand the urgency to fix this. They have started releasing patches for the exploits, but there are significant problems with the patched versions as well.
If you’re a Trend user, you may want to consider other vendors for desktop security. I know that no security is perfect and that other vendors have problems, too. But shipping a password manager that exposes all passwords is just incompetence. It seems like a corporate lack of understanding of what their business is and how to actually create security software.
Even worse is that lack of urgency from the Trend folks as the security researchers are explaining the problem. I don’t care if the person receiving the report was the janitor, anything that says security exploit should be escalated to someone who can determine if the report is valid.
Compare Trend’s reaction to this to Juniper’s reaction to discovering a backdoor in their code in December. First off, Juniper found the exploit during a routine code review. That alone tells you Juniper is continually monitoring their code security. Second, Juniper was reasonably open about the issue, with executives posting blogs and security posting advisories talking about the issue. More importantly, they shared how they were going to fix it and prevent it from happening again.
Security is such a large issue right now. We have to be able to trust our vendors to do what they’re selling us. Every vendor is going to make mistakes and have vulnerabilities. No code and no developer is perfect. I do expect, though, that vendors will take exploits seriously and act fast in order to correct the problem. I’m not seeing that sense of urgency with Trend.

Read More

Spamhaus reports Verizon routing hijacked IPs

Late last week Spamhaus published a blog post detailing their investigation into Verizon routing millions of IP addresses hijacked by spammers.
The Spamhaus blog post goes into some detail about what hijacked routing is.

Read More

Facebook scams move to LinkedIn

There’s a fairly common Facebook scam where someone clones an account, then sends out friend requests to friends of that person. This actually happened to a friend over the holiday break. The only problem was that most of the folks who got friend requests were actually security people. Security people who thought it was very, very funny to play along with said scammer.
The scam account didn’t last long, partly because FB security is pretty good and partly because a few of the folks the scammer invited were FB employees. I’m sure, though, that for a brief moment the scammer thought he’d found the motherlode of scam victims.
Today I got a similar scam on LinkedIn. A very bare account with little in the way of information about who this was.
[Screenshot: LinkedIn scam profile]
I don’t like connecting with these kinds of profiles. But, the name does sound vaguely familiar. So I do a little Googling. And I find another LinkedIn profile for the same person, but this profile has a lot more info: A picture, a statement, 500+ connections, all the things one expects from a real person on LinkedIn.
So yes, Facebook scams have rolled over to LinkedIn. Be careful out there, folks. Pay attention to who you’re friending on all social media, not just FB or LinkedIn. Discretion is the better part of valor and all.

Read More

Random thoughts on reporting abuse

On IRC today, someone mentioned an Ars Technica article discussing how a research team tried to contact Xfinity about a security flaw in their home security system.

Read More

December 2015: The month in email

Happy 2016! We enjoyed a bit of a break over the holidays and hope you did too. Here’s our December wrap up – look for a year-end post later this week, as well as our predictions for the year ahead. I got a bit of a head start on those predictions in my post at the beginning of December on email security and other important issues that I think will dominate the email landscape in 2016.
DMARC will continue to be a big story in 2016, and we’re starting to see more emphasis on DMARC alignment as a significant component of delivery decisions. I wrote a bit more on delivery decisions and delivery improvement here.
December in the world of email is all about the holidays, and this year was no exception. We saw the usual mix of retailers creating thoughtful experiences (a nice unsubscribe workflow) and demonstrating not-so-great practices (purchased list fails). We took a deeper look at the impacts and hidden costs of list purchasing – as much as companies want to expand their reach, purchased lists rarely offer real ROI. And on the unsubscribe front, if you missed our discussion and update on unroll.me unsubs, you may want to take a look.
Steve wrote a detailed post looking at what happens when you click on a link, and how you can investigate the path of a clickthrough in a message, which is useful when you’re trying to prevent phishing, fraud, and other spam. In other malicious email news, the CRTC served its first ever warrant as part of an international botnet takedown.
In other industry news, some new information for both ESPs and recipients interested in feedback loops and a somewhat humorous look at the hot-button issues that divide our ranks in the world of email marketing. Please share any we may have missed, or any other topics you’d like us to address.

Read More

Happy Holidays

Blogging will be light (or non-existent) for the next week or so. I leave you with Valeria and her first Christmas tree from many years ago.
The kittens are older now, we can have a tree complete with lights AND ornaments.
See y’all in the new year!

Read More

New FBL information

A couple new bits of information for folks interested in participating in feedback loops.
If you’re an ESP, you’ll want to sign up for the two new FBLs that were released this month. XS4ALL and Telenor are now offering complaint feeds to senders.
If you’re a mail recipient and want the ability to report spam, try the new browser/MUA plugins for reporting spam released by the French anti-spam group Signal Spam.
These browser plugins allow recipients to report spam directly from a button in the browser. Signal Spam reports:
The button is working for the biggest webmails around, such as yahoo!, SFR, gmail, outlook, AOL, laposte, free, and is downloadable for Chrome, Safari and Firefox with these links:
Chrome
Safari
Firefox
These plugins are currently in beta, but should be released by the end of 2016.
For those folks who use our ISP information page, I haven’t yet added Telenor and XS4ALL to the pages of available FBLs. Part of that is because we’re looking at options to improve data presentation and ease of maintenance. The perl script that magically generated the summary page from other pages was great, until it hid itself on some VM somewhere and can’t be found. There are other things we want to maintain as public resources, so we’re looking into options. (wikimedia was one of our early attempts… it didn’t do what we needed). Anyone have a public KB or wiki package they particularly like?

Read More

Increase in unsubscribes

UPDATE 12/17/2015 2:30PM Pacific: I heard from Josh, the CEO of Unroll.me. He says:

Read More

Holiday season

We’re 10 days out from Christmas, 9 days out from the end of binge-shopping-season (and 11 days out from return season). Unlike previous years, I haven’t heard of any significant delivery challenges. Most of what I’m hearing is the normal day-to-day stuff. There’s a little more of it, but nothing like in years past where ISPs melted down or giant companies got SBLed.
This is all good! This is progress and is great for senders.
Things here, and I’m pretty sure many other places are slowing down. We’re looking forward to next year, to new projects and clients, to new challenges and changes.
Blogging will probably be slow from now through the end of the year. I have stuff to talk about, but the issues are complex and I’m working on the best way to write about them. And I’m coming to the decision that writing might not be the best for certain posts.

Read More

Are you ready for DMARC?

The next step in email authentication is DMARC. I wrote a Brief DMARC primer a few years ago to help clear up some of the questions about DMARC and alignment. But I didn’t talk much about where DMARC was going. Part of the reason was I didn’t know where things were going and too much was unclear to even speculate.
We’re almost 2 years down the line from the security issues that prompted Yahoo to turn on p=reject in their DMARC record. This broke a lot of common uses of email. A lot of the damage created by this has been mitigated and efforts to fix it continue. There’s even an IETF draft looking at ways to transfer authentication through mailing lists and third parties.
For 2016, DMARC alignment is going to be a major factor in deliverability for bulk email, even in the absence of a published DMARC record.

Read More

What do you think about these hot button issues?

It’s been one of those weeks where blogging is a challenge. Not because I don’t have much to say, but because I don’t have much constructive to say. Rants can be entertaining, even to write. But they’re not very helpful in terms of what do we need to change and how do we move forward.
A few different things I read or saw brought out the rants this week. Some of these are issues I don’t have answers to, and some of them are issues where I just disagree with folks, but have nothing more useful to say than, “You’re wrong.” I don’t even always have an answer to why they’re wrong, they’re just wrong.
I thought today I’d bring up the issues that made me so ranty and list the two different points of views about them and see what readers think about them. (Those of you who follow me on Facebook probably know which ones my positions are, but I’m going to try and be neutral about my specific positions.)

Read More

BlueHornet spun off from Digital River

Earlier this week, the investment firm Marlin Equity Partners announced they purchased BlueHornet Networks from Digital River. BlueHornet has been around for quite a while. In 2004 they were acquired by Digital River and run as a wholly owned subsidiary.
Congrats to the folks working at BlueHornet.

Read More

November 2015: The month in email

As we head into the last month of the year, we look back at our November adventures. I spoke twice this month, first at Message Systems Insight in Monterey (my wrap-up post is here) and then with Ken Magill at the 2015 All About eMail Virtual Conference & Expo (a short follow-up here, and a longer post on filters that came out of that discussion here). Both were fun and engaging — it’s always great to get a direct sense of what challenges are hitting people in the email world, and to help clear up myths and misconceptions about what works and doesn’t work in email marketing and delivery. I’m putting together my conference and speaking schedule for 2016 — if you know of anything interesting that should be on my radar, please add it in the comments, thanks!
In industry news, we noted a sharp uptick in CBL listings, and then posted about the explanation for the false positives. Steve wrote about an interesting new Certificate Authority (CA) called Let’s Encrypt, which looks to be a wonderful (and much-needed) alternative for certificates, and I put together some thoughts on SenderScore.
Steve and I did a few posts in parallel this month. First, Steve posted an interesting exercise in SPF debugging. Are you seeing mail from legitimate senders flagged as spam? This might be why. My investigative post was about ISP rejections, and how you can figure out where the block is occurring. In each case, you’ll get a glimpse of how we go about identifying and troubleshooting issues, even when we don’t have much to go on.
We each also wrote a bit about phishing. Steve posted a timely warning about spear phishing — malware attacks disguised as legitimate email from within your organization — and reminds all of us to be careful about attachments. With all of the more secure options for document sharing these days, it’s a lot easier to avoid the risk by maintaining a no-attachments policy in your company. And I wrote about how the Department of Defense is breaking HTML links in email to help combat phishing. If your lists include military addresses (.mil), you may want to come up with a strategy for marketing to those recipients that relies less on a clickthrough call to action.
We amused ourselves a bit with a game of Deliverability Bingo, then followed up with a more serious look at the thing we hear all the time — “I’m sure they’ll unblock me if I can just explain my business model.” While an ESP abuse desk is unlikely to be swayed by this strategy, it is actually at the core of how we think about deliverability at Word to the Wise. Legitimate senders have many kinds of lists, many kinds of recipients, many kinds of marketing strategies, and many kinds of business goals. For us to help marketers craft sustainable email programs, we need to understand exactly what matters most to our clients.

Read More

Looking forward

The nice folks over at Sparkpost asked me and other email experts for some thoughts on what we think the most important issues in email will be in 2016.
I do think security is going to be a major, major change in delivery. From what I’ve seen there’s been a shift in the mindset of a lot of people. Previously a lot of folks in the email space were very accommodating to old systems and unauthenticated mail and were not quite ready to cut off senders that didn’t meet modern standards.
There were a lot of people who didn’t want to take any action that would break email. There are still a lot of people who think that breaking email is a bad thing and changes should be backwards compatible.
Then people started realizing not every change had to be backwards compatible.
 
There are a few reasons I think this attitude shift happened.

Read More

What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.

Read More

Increase in CBL listings

Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24
Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.

Read More

Tell me about your business model

I posted Friday about how most deliverability folks roll their eyes when a sender starts talking about their business model.
The irony is that one of the first things I do with a client is ask them to tell me about their business model and how email fits into their business plan. Once I know that, I can help them improve their email sending to meet the requirements of ISPs, blocklists and recipients.
While most deliverability people don’t care about your business model, for me it’s essential that I understand it. I want to hear about it, all the details. Tell me about what you’re doing and together we’ll craft a strategy to make email work for you in your unique situation.
We have one goal for every client: their email gets to the inbox. But no two clients have the same problems so we tailor our advice specifically for their unique situation. We don’t have a 3-ring binder that we read a standard answer from when clients ask for recommendations for their email strategy. We use our own knowledge of email and our history in the industry to craft unique solutions to deliverability problems.
Your business model is disruptive? Great! We can help you get those disruptive emails into their inbox.
You have a niche social platform that uses email as part of your growth strategy? We’ll make sure users and future users see your email in their inboxes.
You have a SaaS platform and you want customers to be able to use email to communicate with their customers? We’ll help you craft the right policy for your business.
You’re a retail company and struggle to reach the inbox consistently? We’ve helped dozens of companies navigate email challenges. We’ve helped clients figure out how to effectively capture addresses at point of sale in brick and mortars. We’ve helped clients restructure their entire data flow.
We can help you too.
You bring us your business model and we’ll create a comprehensive strategy that gets your email into the inbox. What’s more, we’ll help you understand what factors relate to inbox delivery and train you how to handle most issues on your own. Once we’ve got you set up, a process that takes 3 – 6 months, you have everything you need to run an email program. Even better, when those rare, complicated issues come up we’ve got your back and can get your emails delivering to the inbox again.
 

Read More

Dealing with blocklists, deliverability and abuse people

There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together a list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.
A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.

Read More

Thoughts on SenderScore

Kevin Senne posted over on the Oracle blog about how we need to stop caring about SenderScore and why it’s not as useful a metric as it used to be.
I can’t argue with anything he’s said. I think there is way too much focus on IP reputation and SenderScore. There’s so much more to deliverability than just one or two factors.
In fact, if you’ve been to any of my recent webinars or talks you will probably have seen some version of this image in my slides:
Basically, just because you have a great SenderScore doesn’t mean you’re going to have good delivery.  Likewise, having a poor SenderScore doesn’t mean your mail is destined to be undelivered.
I tell clients, and people who ask about SenderScore, that it reflects the data that Return Path gets, run through their proprietary algorithms to come up with a score. And that score is relevant for those ISPs that pay attention to it. But most ISPs make the deliver or not deliver decision based on their own internal data, not on the IP’s SenderScore.

Read More

When did the reject happen?

Earlier today I approved a comment from Mike on a post about problems at AOL from 2012. The part of the comment that caught my attention:

Read More

DOD breaks links in .mil clients

The Department of Defense is breaking HTML links in mail to .mil domains. This is part of the DoD’s attempt to curtail phishing.

Read More

Filter complexity

During the Q&A last week, I mentioned an example of a type of filter trying to demonstrate how complex the filters are. There was some confusion about what I was saying, so I thought I’d write a blog post explaining this.

Read More

Thanks for the great session

I had a great time answering questions at the 2015 All About eMail Virtual Conference & Expo today. Thanks so much to everyone who participated and asked questions. They were great and I’m sorry we didn’t have more time.
I did get some questions on twitter (@wise_laura) afterwards. One was about an example I gave to explain how filters are complex. There have been rumors going around recently that Gmail is filtering mail with more than 3 URLs in it. Let me just say right now: THIS IS NOT TRUE. Emails with more than 3 URLs in them are being delivered just fine to Gmail.
There is a situation involving the number (and type) of URLs that I think is a useful example of the filter complexity happening at some places, like Gmail. I started working on it, but don’t quite have time to finish it today. I will keep working on it and it should go up in the next day or so.
Thanks again to everyone who joined the session. You asked some great questions and I had fun answering them.
 

Read More

All About Email: Q & A session tomorrow

Live! Tomorrow! The 2015 All About eMail Virtual Conference & Expo, 12:30 Eastern, 9:30 Pacific. Come hear Ken ask me about email and contribute your own questions!
Want to ask about spamtraps? Purchased lists? How about engagement? Just want to listen to what myths other people are interested in asking about? Come and listen.
 

Read More

ESP attacks, again. Be wary.

There seems to be an uptick in phishing attacks that have an impact on ESPs recently.
Your CEO
The most critical one is targeted spear-phishing attacks that claim to be internal documents sent by senior staff within the company, e.g. from the company CEO.
It’s likely that the attached documents will compromise and backdoor your machine, and from there most of your internal network, using an infected document to load a remote administration tool (RAT) such as Netwire.
Be very, very wary of document attachments, especially in generic looking emails that you weren’t expecting, from senior people. Making sure your antivirus signatures are up to date is a great idea, but nothing will protect you as effectively as not opening the infected documents.
Your domain registrar
The other campaign I’m aware of is emails that claim to be abuse reports from registrars (e.g. opensrs, tucows, etc) aimed at domain registration contacts, claiming that a domain has been suspended and that the recipient should click on a link to “download a copy of complaints received”.
e.g.

Read More

October 2015: The month in email

When you spend most of your day working on email and spam issues, it starts to cross into all aspects of your life. In October, I was amused by authors who find names in spam, SMTP-related t-shirts on camping trips, and spam that makes you laugh. Maybe I need a vacation?
We were quite busy with conference presentations and client work this month, but took time to note the things that captured our attention, as always. We highlighted a few things we enjoyed reading around the web: Brian Krebs’ Reddit AMA, the results of Jan Schaumann’s survey on ethics in internet operations, and a great post on Usenet from Joe St. Sauver.
In industry news, we covered a few glitches that are worth noting, in case you missed them: Yahoo FBL confirmation emails, Google postmaster tools, Network Solutions email, and weird Lashback listings. Even though these have mostly been resolved, it’s useful to keep track of the types and frequency of these sorts of issues, as they can significantly impact your deliverability and may be useful as your clients or business stakeholders raise questions about campaign performance.
Steve contributed a few key technical posts this month, including a short post on IPv6 authentication issues, following up on the issues he outlined back in July. He also noted Gmail’s upcoming move to DMARC p=reject, which is notable for the ways they are looking to mitigate risks with their ARC proposal. Finally, he wrote that it’s worth looking at false positives every now and then, as it can reveal interesting patterns in the ESP landscape.
Finally, a good suggestion from the best practices file: engagement through confirming user names, and a not-so-good plan for an app that’s sure to invite abuse and harassment.

Read More

Deliverability, email and lessons learned from Insight2015

Deliverability is a challenge, I think everyone who has ever tried to send bulk mail will acknowledge that. There are a lot of reasons for this. One of the big reasons is that there are bad players who spend a lot of time trying to get around filters. And a lot of these people are sending very bad mail. Phishing. Spear Phishing. Viruses. Malware.
Email is a prime vector for a lot of criminals.
A lot of deliverability discussions really gloss over the dangers, though. We don’t often think about it, because we’re not sending bad mail. But we still have to go through the same filters that ask: Is this message safe?
Security was a big deal at the recent Sparkpost / MessageSystems conference.

Read More

Deliverability at Yahoo

We have multiple measures of deliverability. Ones that we don’t even let in the door, and then we have ones that customers indicated that they don’t want to be delivered.

Read More

Insight 2015 and upcoming talks

In about an hour I will be heading down to Monterey to give a talk at the MessageSystems Insight 2015 conference.
I really wanted to go to the whole conference, as I’ve heard great things about previous ones. It just didn’t work with my schedule. I’ll be around this afternoon and tomorrow morning, though. So if you’re there, do drop by and say Hi!
If you’re not at Insight, but are interested in hearing me speak, you can join us on November 12 at the 2015 All About eMail Virtual Conference & Expo. Ken Magill will be interviewing me about email and delivery. The session is also very open to audience questions, so come with some of your own.

Read More

Truths and Myths about email deliverability

Ken Magill will be interviewing me on the Truths and Myths of Email Deliverability, November 12 at the 2015 All About eMail Virtual Conference & Expo. Ken has a bunch of questions he wants to ask me, but he’s also expecting to take a lot of questions from the audience as well.
Speaking of myths, there has been discussion lately about recycled spamtraps. Apparently, there are people who believe (believed?) that every ISP uses recycled spamtraps. When Hotmail and Gmail said recently they didn’t use recycled traps people got very upset that they believed something that was not true.
It’s a mess. There is so much about email that is like a version of telephone. One person says “hotmail uses recycled spamtraps,” someone else repeats “big ISPs use recycled spamtraps,” then a third person says “all ISPs use recycled spamtraps.” People try and correct this type of misinformation all the time but sometimes it’s hard to clarify.
So show up to our session and let Ken lob questions at me, lob some of your own and we can see what myths we can clear up.

Read More

Finally! Spam has a purpose

Author Julie Czerneda posted about some of her writing techniques on Jim C. Hines’ blog today. Julie is one of my favorite authors. She’s a biologist so her science writing flows well for me. Too many folks try to write biology and get little nitpicky details wrong and it can disrupt the whole book for me. I spend way too much time thinking about the actual biology and lose track of the plot.
One part of her post stood out and made me smile, though.

Read More

Weird Lashback listings

I’m seeing some reports from various ESP folks that they’re experiencing an increase in Lashback listings the last day or so. They have contacted and are working with Lashback to identify what might be going on, if anything.
I’ll update once I know more and have permission to share.

Read More

Brian Krebs answers questions

Brian Krebs did an AMA on Reddit today answering a bunch of questions people had for him. I suggest taking a browse through his answers.
A few quotes stood out for me.
Q: Why do you think organizations seem to prefer “learning these lessons the hard way”? It doesn’t seem to be an information gap, as most IT executives say security is important and most individual contributors share risks upward with specific steps that can be taken to remediate risks. Given the huge costs for some breaches, why do you think more organizations don’t take the easy, preventative approach?

Read More

88 Miles per hour!

A lot of advertisers are really getting into this whole Back to the Future Day thing. A number of companies are compiling emails related to the phenomenon.
MailCharts
Milled
What other ads have folks seen referencing Marty and his trip back?

Read More

DMARC News – Gmail p=reject and ARC

DMARC.org announced this morning that Gmail will be moving to publishing a p=reject DMARC record in June of next year, much the same as Yahoo and AOL have.
Unlike Yahoo and AOL, Gmail are giving those who will be affected plenty of time to prepare for any issues, and have waited until there are some potential ways to mitigate problems in the development pipeline.
The ARC proposal, mentioned in the announcement, is one of the more promising mitigation approaches, and the specification for it can be found here:
Authenticated Received Chain (ARC) (draft-anderson-arc-00)
Recommended Usage of the Authenticated Received Chain (ARC) (draft-jones-arc-usage-00)
And some background on the issues it intends to mitigate can be found here:
Interoperability Issues Between DMARC and Indirect Email Flows (draft-ietf-dmarc-interoperability-07)

Read More

Silly Spam

I was cleaning out my inbox over the weekend and found a spam that actually made me laugh.
Yes, it is spam advertising the “Official Greed[sic] Card Lottery.” It’s been 20 years since I’ve seen one of those!

Read More

Glitchy Google Postmaster tools

A bunch of folks today mentioned they were seeing poor reputation for formerly good reputations on Google Postmaster Tools. I’m seeing a lot of screen shots that look like this one.
It looks like something is going on over there that has nothing to do with actual reputation. Could be a reporting bug, could be a filtering problem. I’m not seeing people mention delivery problems, just that the reputation monitor is showing bad reputation.

Read More

Network Solutions email issues

According to twitter and mailop Network Solutions is having issues with inbound mail, with both TCP level disconnections and 451 deferrals.

Read More

Ethics in Internet Operations

In early September, I posted about a survey being done by Jan Schaumann regarding how sysadmins viewed their ethical obligations with regard to users. The results of this have now been published by Jan. He’s also shared his talk and slides on the data.
Well worth a look through the data. I took a quick run through of his talk and it looked interesting and is definitely going on my to-read list.

Read More

Confusing the engineers

We went camping last weekend with a bunch of friends. Had a great time relaxing on the banks of the Tuolumne River, eating way too much and visiting.
On Saturday I was wearing a somewhat geeky t-shirt. It said 554: abort mission. (Thank you MessageSystems). At some point on Saturday every engineer came up to me, read my shirt and then looked at me and said “That’s not HTTP.”
That led to various discussions about how their junior engineers don’t actually know SMTP at all. Why? Because the SMTP libraries just work. Apparently the HTTP libraries aren’t that great, so folks have to learn more about HTTP to troubleshoot and use them.
I’m sure there’s a joke in there somewhere: A Kindle engineer, an Android engineer and a robot engineer walk into a campsite…
It did leave me thinking, though, about how it’s not that easy to run your own mail server these days. Gone are the days when running your own server was cost effective and easy. These days, there is just too much spam coming in. Crafting filters is a skilled job. It’s not that hard to run good filters. But to run good filters takes time to do well.
There are also a lot of challenges to sending mail. One of the discussions I had at the campsite was how hard it was to configure outbound mail. The engineer was helping a friend set up a website and trying to get the website to send notifications to the friend. But without setting up authentication the mail kept silently failing.
Of course, we do run our own mail server. But it’s our job and, in many ways, it keeps us honest. We don’t run many filters meaning we see what spammers are doing and can use our own experiences to better understand what commercial filters are dealing with.
For most people, though, I really think using a service is the right solution. Find one with filters that meet your needs and just pay them to deal with the headache.
 

Read More

Lost in the mists of time

Over on the Farsight Security blog Joe St. Sauver talks about some of the early days of online abuse, on usenet. Laura and I were on the periphery of early usenet abuse, mostly as users, but Usenet (and IRC) around then were the places we both started with email abuse.

Read More

Yahoo FBL confirmation problems

Over the last few months I’ve seen people complaining about losing the Yahoo FBL emails with verification codes. This seems to be intermittent and no one could really explain what was going on.
Dale Lopez, VP of operations for V12 group, shared that their operations group discovered that one issue with the missing verification emails has to do with the length of the From: address and a port25 default setting.
In Dale’s words:

Read More

Peeple, Security and why hiding reviews doesn't matter

There’s been a lot of discussion about the Peeple app, which lets random individuals provide reviews of other people. The founders of the company seem to believe that no one is ever mean on the Internet and that all reviews are accurate. They’ve tried to assure us that no negative reviews will be published for unregistered users. They’re almost charming in their naivety, and it might be funny if this wasn’t so serious.
The app is an invitation to online abuse and harassment. And based on the public comments I’ve seen from the founders they have no idea what kind of pain their app is going to cause. They just don’t seem to have any idea of the amount of abuse that happens on the Internet. We work with and provide tools to abuse and security desks. The amount of stuff that happens as just background online is pretty bad. Even worse are the attacks that end up driving people, usually women, into hiding.
The Peeple solution to negative reviews is two fold.

Read More

#EME15 and visiting Stockholm

Last month I had the pleasure of presenting a couple talks to APSIS customers at their Email Marketing Evolved conference in Stockholm. The first talk was about deliverability and how it’s changed over the years. The second was about looking at the future of email and communicating with users online as we move forward in the digital world.
The rest of the post is going to be a bit photo heavy, so here’s a cut tag.

Read More

September 2015: The month in email

September’s big adventure was our trip to Stockholm, where I gave the keynote address at the APSIS Conference (Look for a wrapup post with beautiful photos of palaces soon!) and had lots of interesting conversations about all things email-related.
Now that we’re back, we’re working with clients as they prepare for the holiday mailing season. We wrote a post on why it’s so important to make sure you’ve optimized your deliverability strategy and resolved any open issues well in advance of your sends. Steve covered some similar territory in his post “Outrunning the Bear”. If you haven’t started planning, start now. If you need some help, give us a call.
In that post, we talked a bit about the increased volumes of both marketing and transactional email during the holiday season, and I did a followup post this week about how transactional email is defined — or not — both by practice and by law. I also wrote a bit about reputation and once again emphasized that sending mail people actually want is really the only strategy that can work in the long term.
While we were gone, I got a lot of spam, including a depressing amount of what I call “legitimate spam” — not just porn and pharmaceuticals, but legitimate companies with appalling address acquisition and sending strategies. I also wrote about spamtraps again (bookmark this post if you need more information on spamtraps, as I linked to several previous discussions we’ve had on the subject) and how we need to start viewing them as symptoms of larger list problems, not something that, once eradicated, means a list is healthy. I also posted about Jan Schaumann’s survey on internet operations, and how this relates to the larger discussions we’ve had on the power of systems administrators to manage mail (see Meri’s excellent post here).
I wrote about privacy and tracking online and how it’s shifted over the past two decades. With marketers collecting and tracking more and more data, including personally-identifiable information (PII), the risks of organizational doxxing are significant. More so than ever before, marketers need to be aware of security issues. On the topic of security and cybercrime, Steve posted about two factor authentication, and how companies might consider providing incentives for customers to adopt this model.

Read More

Tumblr Confirming Usernames

Today I received an email from Tumblr asking to confirm I still wanted the username I have there. I’ve not really been using Tumblr, I contributed a few things to the now-defunct Box of Meat, but I don’t really post there much.
I think this kind of engagement is great. Confirming user names will do a whole lot to allow Tumblr to release some claimed but unused names back into the pool. It will also actually help their deliverability and their engagement. If people do want to keep their tumblr names, then they have to click on the message. This means more clicks and better engagement and an overall reputation boost for Tumblr mail.

Read More

Privacy and being online

I have an email address that’s old enough to drink. It came to me today when I was discussing data hygiene. I mean, I have an email address that is old enough to drink! And it wasn’t even my first email address, it’s just the one I still have access to.
This realization led me down a path of what things have changed since I got that address.
I remember …
… when things posted on the Internet weren’t around forever.
… when Google bought DejaNews and made USENET archives more available.

Read More

Spammers, eh?

I’m back from a fun and successful trip to the APSIS Email Marketing Evolved conference. Of course, this means I’m digging out my mailboxes and going through mail I’ve ignored for the past week. It’s amazing how the spam builds up when I’m not tending to it every day.

Read More

Do you run spam filters?

Jan Schaumann is putting together a talk on ethics as related to folks managing internet operations. He has a survey and is looking for folks who wrangle the machines that run the internet. I’m copying his post, with permission, due to a slightly NSFW image on his announcement.

Read More

Your system; your rules

In the late 90s I was reasonably active in the anti-spam community and in trying to protect mailboxes. There were a couple catchphrases that developed as a bit of shorthand for discussions. One of them was “my server, my rules.” The underlying idea was that someone owned the different systems on the internet, and as owners of those systems they had the right to make usage rules for them. These rules can be about what system users can do (AUPs and terms of service) or about what other people can do (web surfers or email senders).
I think this is still a decent guiding principle in “my network, my rules”. I do believe that network owners can choose what traffic and behavior they will allow on their network. But these days it’s a little different than it was when my dialup was actually a PPP shell account and seeing a URL on a television ad was a major surprise.
But ISPs are not what they once were. They are publicly owned, global companies with billion dollar market caps. The internet isn’t just the playground of college students and researchers, just about anyone in the US can get online – even if they don’t own a computer there is public internet access in many areas. Some of us have access to the internet in our pockets.
They still own the systems. They still make the rules. But the rules have to balance different constituencies including users and stockholders. Budgets are bigger, but there’s still a limited amount of money to go around. Decisions have to be made. These decisions translate into what traffic the ISP allows on the network. Those decisions are implemented by the employees. Sometimes they screw up. Sometimes they overstep. Sometimes they do the wrong thing. Implementation is hard and one of the things I really push with my clients. Make sure processes do what you think they do.
A long way of dancing around the idea that individual people can make policy decisions we disagree with on their networks, and third parties have no say in them. But those policy decisions need to be made in accordance with internal policies and processes. People can’t just randomly block things without consequences if they violate policies or block things that shouldn’t be blocked.
Ironically, today one of the major telcos managed to accidentally splash their 8xx number database. 8xx numbers are out all over the country while they search for backups to restore the database. This is business critical for thousands of companies, and is probably costing companies money right and left. Accidents can result in bigger problems than malice.
 

Read More

August 2015: The month in review

It’s been a busy blogging month and we’ve all written about challenges and best practices. I found myself advocating that any company that does email marketing really must have a well-defined delivery strategy. Email is such a vital part of how most companies communicate with customers and potential customers, and the delivery landscape continues to increase in complexity (see my post on pattern matching for a more abstract look at how people tend to think about filters and getting to the inbox). Successful email marketers are proactive about delivery strategy and are able to respond quickly as issues arise. Stay tuned for more from us on this topic.
I also wrote up some deliverability advice for the DNC, which I think is valuable for anyone looking at how to maintain engagement with a list over time.  It’s also worth thinking about in the context of how to re-engage a list that may have been stagnant for a while. A comment on that post inspired a followup discussion about how delivery decisions get made, and whether an individual person in the process could impact something like an election through these delivery decisions. What do you think?
As we frequently point out, “best practices” in delivery evolve over time, and all too often, companies set up mail programs and never go back to check that things continue to run properly. We talked about how to check your tech, as well as what to monitor during and after a send. Josh wrote about utilizing all of your data across multiple mail streams, which is critical for understanding how you’re engaging with your recipients, as well as the importance of continuous testing to see what content and presentation strategies work best for those recipients.
Speaking of recipients, we wrote a bit about online identity and the implications of unverified email addresses in regards to the Ashley Madison hack and cautioned about false data and what might result from the release of that data.
Steve’s in-depth technical series for August was a two-part look at TXT records — what they are and how to use them — and he explains that the ways people use these, properly and improperly, can have a real impact on your sends.
In spam news, the self-proclaimed Spam King Sanford Wallace is still spamming, despite numerous judgments against him and his most recent guilty plea this month. For anyone else still confused about spam, the FTC answered some questions on the topic. It’s a good intro or refresher to share with colleagues. We also wrote about the impact of botnets on the inbox (TL;DR version: not much. The bulk of the problem for end users continues to be people making poor marketing decisions.) In other fraud news, we wrote about a significant spearphishing case and how DMARC may or may not help companies protect themselves.

Read More

Do system administrators have too much power?

Yesterday, Laura brought a thread from last week to my attention, and the old-school ISP admin and mail geek in me felt the need to jump up and say something in response to Paul’s comment. My text here is all my own, and is based upon personal experience as well as those of my friends. That said, I’m not speaking on their behalf, either. 🙂
I found Paul’s use of the word ‘SysAdmin’ to be a mighty wide (and — in my experience — probably incorrect) brush to be painting with, particularly when referring to operations at ISPs with any significant number of mailboxes. My fundamental opposition to use of the term comes down to this: It’s no longer 1998.
The sort of rogue (or perhaps ‘maverick’) behavior to which you refer absolutely used to be a thing, back when a clean 56k dial-up connection was the stuff of dreams and any ISP that had gone through the trouble to figure out how to get past the 64k user limit in the UNIX password file was considered both large and technically competent. Outside of a few edge cases, I don’t know many system administrators these days who are able to (whether by policy or by access controls) — much less want to — make such unilateral deliverability decisions.
While specialization may be for insects, it’s also inevitable whenever a system grows past a certain point. When I started in the field, there were entire ISPs that were one-man shows (at least on the technical side). This simply doesn’t scale. Eventually, you start breaking things up into departments, then into services, then teams assigned to services, then parts of services assigned to teams, and back up the other side of the mountain, until you end up with a whole department whose job it is to run one component of one service.
For instance, let’s take inbound (just inbound) email. It’s not uncommon for a large ISP to have several technical teams responsible for the processing of mail being sent to their users:

Read More

Politics and Delivery

Last week I posted some deliverability advice for the DNC based on their acquisition of President Obama’s 2012 campaign database. Paul asked a question on that post that I think is worth some attention.

Read More

The FTC answers questions about CAN SPAM

The FTC posted answers to a number of questions about the CAN SPAM act.

Read More

Ashley Madison Compromise

Last month Brian Krebs reported that the Ashley Madison database was compromised. Ashley Madison is a dating site that targets married folks who are looking to have affairs. Needless to say, there is a lot of risk for users if their data is found on the released data. Today what is supposedly the Ashley Madison data was released.
The release of this data can have some significant impacts on the site members. Of course there’s the problem of credit card numbers being stolen, but that’s something most of us have to deal with on a regular basis. But there can also be significant relationship repercussions if/when a spouse discovers that their partner has registered on a site to have affairs.
When I first heard of the compromise I wondered if they had my data. You see, they have one of my spamtraps on their unsubscribe list. It just so happened that I visited an unsubscribe link, hosted by Ashley Madison (http://unsub.ashleymadison.com/?ref=2). This was during the time when I decided to unsubscribe from all the spam coming into one of my spamtraps. Is my email address going to be a part of this data dump? If my email address is there, what name do they have associated with it? This is the trap that gets mail addressed to multiple other people. Maybe it’s my email address but their name. Are they at risk for relationship problems or legal problems due to my attempt to unsubscribe?
Of course, Ashley Madison had no incentive to make sure their data was correct. In fact, they were sued for faking data to entice paying members. How much of the released data is false and will there be real harm due to that?
I expect in the next few days someone (or multiple someones) will put up a website where those of us who are curious can search the data. I just hope that people realize how much of the data is likely to be false. Even Ars Technica cautions readers against jumping to conclusions.

Read More

Pattern matching primates

Why do we see faces where there are none? Pareidolia
Why do we look at random noise and see patterns? Patternicity
Why do we think we have discovered what’s causing filtering if we change one thing and email gets through?
It’s all because we’re pattern matching primates, or as Michael Shermer puts it “people believe weird things because of our evolved need to believe nonweird things.”
Our brains are amazing and complex and filter a lot of information so we don’t have to think of it. Our brains also fill in a lot of holes. We’re primed at seeing patterns, even when there’s no real pattern. Our brains can, and do, lie to us all the time. For me, some of the important part of my Ph.D. work was learning to NOT trust what I thought I saw, and rather to effectively observe and test. Testing means setting up experiments in different ways to make it easier to not draw false conclusions.
Humans are also prone to confirmation bias: where we assign more weight to things that agree with our preconceived notions.
Take the email marketer who makes a number of changes to a campaign. They change some of the recipient targeting, they add in a couple URLs, they restructure the mail to change the text to image ratio and they add the word free to the subject line. The mail gets filtered to the bulk folder and they immediately jump to the word free as the proximate cause of the filtering. They changed a lot of things but they focus on the word free. 
Then they remove the word free from the subject line and all of a sudden the emails are delivering. Clearly the filter in question is blocking mail with free in the subject line.
Well, no. Not really. Filters are bigger and more complex than any of us can really understand. I remember a couple years ago, when a few of my close friends were working at AOL on their filter team. A couple times they related stories where the filters were doing things that not even the developers really understood.
That was a good 5 or 6 years ago, and filters have only gotten more complex and more autonomous. Google uses an artificial neural network as their spam filter.  I don’t really believe that anything this complex just looks at free in the subject line and filters based on that.
It may be that one thing used to be responsible for filtering, but those days are long gone. Modern email filters evaluate dozens or hundreds of factors. There’s rarely one thing that causes mail to go to the bulk folder. So many variables are evaluated by filters that there’s really no way to pinpoint the EXACT thing that caused a filter to trigger. In fact, it’s usually not one thing. It could be any number of things all adding up to mean this may not be mail that should go to the inbox.
There are, of course, some filters that are one factor. Filters that listen to p=reject requests can and do discard mail that fails authentication. Virus filters will often discard mail if they detect a virus in the mail. Filters that use blocklists will discard mail simply due to a listing on the blocklist.
Those filters address the easy mail. They leave the hard decisions to the more complex filters. Most of those filters are a lot more accurate than we are at matching patterns. Us pattern matching primates want to see patterns and so we find them.
 

Read More

Phishing costs company $46 million

Brian Krebs posted about a tech firm that lost $46M due to fraud. The company reported in its SEC filings that the money was lost when someone impersonated an employee and directed the finance department to transfer money to outside accounts.
This is becoming more common. In some cases, DMARC authentication may stop this kind of fraud. But DMARC has a lot of deployment challenges and can cause real mail to fail delivery. In other cases, criminals are using lookalike domains and they can be authenticated and pass DMARC.
This isn’t really a bulk mail issue. And it’s certainly not a deliverability issue. But it is a security issue and I think it’s important that folks are aware of this kind of online crime. Coincidentally, as I’m writing this, I’m chatting online with a compliance person at a cloud hosting company who is brainstorming policies to block phishing URLs on their site. Email is a major vector for abuse and those of us who manage sending need to be a part of the solution.

Read More

More Yahoo! Challenges

A lot of people are reporting they’re not getting confirmation emails when signing up for the new Y! FBL program. This is causing problems with folks attempting to transfer domains to the new FBL.
Will update when I hear anything.

Read More

Monitoring Your Mail Stream

One of the most important things for any mail sender to do is monitor their mail stream. There are a number of things that every mailer should pay attention to.  Some are things to monitor during delivery, some are things to monitor after delivery. All of these things tell senders important information about how their mail is being received by their recipients and the ISPs.

Read More

July 2015: The Month in Email

Once again, we reviewed some of the ways brands are trying (or might try) to improve engagement with customers. LinkedIn, who frequently top lists of unwanted-but-legitimate email, announced that they’ll be sending less mail. Josh wrote about giving subscribers options for both the type and frequency of messages, and about setting expectations for new subscribers. In each case, it’s about respecting that customers really want to engage with brands in the email channel, but don’t want the permission they’ve granted to be abused. I also wrote a brief post following up on our June discussion on purchased lists, and as you’d predict, I continue to discourage companies from mailing to these recipients.

Read More

Ongoing Yahoo delays

I’ve been hearing from folks over the last few days that they’re seeing an uptick in deferrals from Yahoo! The deferrals are not uniform. ESPs report they’re seeing some, but not all, customers affected. Other ESPs aren’t seeing any changes.
It’s not just you. But it would be very worthwhile to dig into engagement and other stats. It’s possible this is a new normal at Yahoo! and they’re tightening filters to catch mail that doesn’t fit their standards but was previously difficult to filter.

Read More

Are botnets really the spam problem?

Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for end users and filters.

Read More

Google Postmaster Tools

Earlier this month Google announced a new set of tools for senders at their Postmaster Tools site. To get into the site you need to login to Google, but they also have a handy support page that doesn’t require a login for folks who want to see what the page is about.
We did register, but don’t send enough mail to get any data back from Google. However, the nice folks at SendGrid were kind enough to share their experiences with me and show me what the site looked like with real data, when I spoke at their recent customer meeting.
Who can register?
Anyone can register for Google Postmaster tools. All you need is the domain authenticated by DKIM (the d= value) or by SPF (the Return Path value).
Who can see data?
Google is only sharing data with trusted domains and only if a minimum volume is sent from those domains. They don’t describe what a trusted domain is, but I expect the criteria include a domain with some history (no brand new domains) and a reasonable track record (some or all of the mail is good).
For ESPs who want to monitor all the mail they send, every mail needs to be signed with a common d= domain. Individual customers that want their own d= can do so. These customers can register for their own access to just their mail.
ESPs that want to do this need to sign with the common key first, and then with the customer’s more selective key.
How does it work?
Google collects data from DKIM and/or SPF authenticated mail, aggregates it and presents it to a Google user that has authenticated the domain.
How do I authenticate?

Read More

Gmail having issues

As of 7/22/15, 1:17 PM, Google reports the issue is resolved.
 
Over on the mailop list multiple people are reporting delivery problems to Gmail.
The Google status page confirms this:

Read More

Email deliverability

“Maybe things aren’t broken-broken,” [Laura] said. “Maybe you could be doing a little better. We can sit down and talk with you about where you want to be. And then we can work with you to identify how you can get from where you are to where you want to be without hurting your deliverability.
“Email is a really special place because the consumer has so much more power than the marketer in terms of ‘yes/no’ decisions,” she said. “All of the other channels, the advertisers own and pay for. Being able to understand that you’re a guest [in the inbox] and you have to be a good guest in order to be invited back is where we come in and help you work through: ‘What does being a good guest mean?’” The Magill Report

Read More

Gmail Postmaster Tools for Senders

Google announced new postmaster tools for senders sending to Gmail. The Gmail Postmaster Tools are to help “qualified high-volume senders analyze their email, including data on delivery errors, spam reports, and reputation.” The updated postmaster pages also include Gmail’s best practices for bulk senders.
Postmaster Tools by Gmail http://gmail.com/postmaster
Update: ReturnPath has a blog post that includes data and definitions for each of the data points.

Read More

New AOL Postmaster Pages

AOL has updated their Postmaster pages with a new design and new resources for senders who are sending to AOL.  If you are sending to AOL, use the updated site to sign up for the feedback loop, request whitelisting, open a trouble ticket, or learn about the AOL error codes and bulk sending best practices.
AOL Postmaster Pages

Read More

June 2015: the Month in Email

Happy July! We are back from another wonderful M3AAWG conference and enjoyed seeing many of you in Dublin. It’s always so great for us to connect with our friends, colleagues, and readers in person. I took a few notes on Michel van Eeten’s keynote on botnets, and congratulated our friend Rodney Joffe on winning the prestigious Mary Litynski Award.
In anti-spam news, June brought announcements of three ISP-initiated CAN-SPAM cases, as well as a significant fine leveled by the Canadian Radio-television and Telecommunications Commission (CRTC) against Porter Airlines. In other legal news, a UK case against Spamhaus has been settled, which continues the precedent we’ve observed that documenting a company’s practice of sending unsolicited email does not constitute libel.
In industry news, AOL started using Sender Score Certification, and Yahoo announced (and then implemented) a change to how they handle their Complaint Feedback Loop (CFL). Anyone have anything to report on how that’s working? We also noted that Google has discontinued the Google Apps for ISPs program, so we expect we might see some migration challenges along the way. I wrote a bit about some trends I’m seeing in how email programs are starting to use filtering technologies for email organization as well as fighting spam.
Steve, Josh and I all contributed some “best practices” posts this month on both technical issues and program management issues. Steve reminded us that what might seem like a universal celebration might not be a happy time for everyone, and marketers should consider more thoughtful strategies to respect that. I wrote a bit about privacy protection (and pointed to Al Iverson’s post on the topic), and Josh wrote about when senders should include a physical address, what PTR (or Reverse DNS) records are and how to use them, testing your opt-out process (do it regularly!), and advice on how to use images when many recipients view email with images blocked.

Read More

Where can I mail a purchased list?

We’ve had a lot of comments over the last few weeks regarding our post on ESPs that don’t allow purchased lists. Most of them were companies adding their addresses to the list. But one comment needs a little more discussion, I think.

Read More

AOL starts using Sender Score Certification

Good news for Sender Score Certified IPs. Return Path recently announced that AOL has joined the list of ISPs offering preferential treatment to certified IPs.
 

Read More

Filtering more than spam

The obvious application of machine learning for email is to send spam to the junk/bulk folder. Most services use some level of machine learning for filters. Places like Gmail have extensive machine learning filters to filter spam and unwanted mail away from their users.
Some organizations are taking the filtering process a step further. Almost every mail client more advanced than PINE has the ability for users to create rules to sort mail into folders. Late last year, Office 365 rolled out a feature, Clutter, that tracks how a user interacts with mail and filters unimportant mail. This allows each user to have their own filters, but without the overhead of having to create the filters.
The Clutter engine looks at both how the user interacts with mail and things it knows about the organization. For example, if Exchange is tied into Active Directory, then mail from a manager will be prioritized while mail from a co-worker may end up in the clutter folder.
Email is a critical business tool. A significant number of companies rely on email for internal and external communication. Many users treat their inbox as a todo list, prioritizing what they work on based on what’s in their mail box. Despite the needs of users, the mail client hasn’t really changed.
Over the last few years, we’ve seen different online services attempt to build a more effective email client. Some of these features were things like tabs and priority inbox at Gmail. Microsoft created the “sweep” feature for Outlook/Hotmail users to manage inbox clutter. Third parties have created services to try and improve the mailbox experience for their users. 
Many of the email filters, up to this point, have really been focused on protecting users from spam and malicious emails. Applying that filtering knowledge to more than just spam, but to the different kinds of emails makes sense to me. I’ve always had a fairly extensive set of filters, initially procmail but now sieve, to process and organize incoming mail. But I kinda like the idea that my mail client learns how I filter messages and do the right thing on its own.
I’d love to see some improvements in the mail client, that make it easier to manage and organize incoming email. It remains to be seen if this is a feature that takes off and makes its way to other clients or not.
 
 

Read More

Google Apps for ISPs is gone

Google Apps for ISPs is being shut down. While this was a scheduled end of life, apparently some users weren’t notified (always keep the contact email address up to date at your vendor!) and other users were told that it would be discontinued in July and were surprised when their service was turned off a month earlier than they expected.
I’ve not seen any reports of mail bouncing due to this yet, but it’s likely that some consumer ISPs will be scrambling to migrate to new email providers and their inbound mail may be a mess for a while. If you see domain-wide problems at consumer domains, check to see if their MXes point at the google aspmx cluster.
It seems to be a rolling shutdown, and some ISPs have apparently had their service extended by a few days or weeks, so issues may start with some domains throughout the month.

Read More

Yahoo Feedback Loop

If you are utilizing the Yahoo Complaint Feedback Loop, you should have received an email today about an upcoming change to the CFL.
The message received was:
“On June 29, 2015, we will transition Yahoo Complaint Feedback Loop (CFL) administration from Return Path to Yahoo Customer Care.
We will continue sending spam reports during this transition. However, you will need to save existing CFL information as it will not be available after the transition.
To save the existing CFL information:

Read More

Another M3AAWG on the books

Another M3AAWG is over. It was great to see old friends, some of whom I’ve known for more than a decade. It was even better to meet new people who I’m sure will become old friends. The conference has grown so much bigger than my first MAAWG back in San Diego (MAAWG 3 in 2005). That was maybe a hundred people. Today M3AAWG has more member companies than were at the original conference.
I’m still processing all the information from the conference. I learned a lot of new things. I had some of my knowledge confirmed. I’ve had some of my beliefs challenged.
It’s always great to see everyone. And thank you to everyone who went out of your way to tell me you read the blog. It’s great to know that I’ve made some of you think and helped you learn and given you backup when you need to talk to bosses or customers.
Regular blogging resumes tomorrow.
Sláinte
 
 

Read More

Whirlwind that is M3AAWG

It’s been a great conference, and it’s only about half done. As is common at these conferences, I write down lots of things we should do and need to publish. The difference is now that we are growing I may have the time to put the polish on them and get them published.
Today’s keynote discussed the economics of botnet mitigation. Michel van Eeten from Delft University of Technology presented information compiled from some different datasets about botnets.
Good news
Botnet infection rates are relatively stable. They’ve not spiraled out of control like some people were predicting.
Interesting news
More than 50% of bot infections are contained on 50 ISPs in the entire world.
Bad news
Centers set up specifically to fix botnet infections don’t really have a big impact on infection cure rate.
Good news
ISP actions and walled gardens do have an impact on infection cure rates.
The biggest takeaway from the session is that ISPs are critical in both protecting from infection and helping users cure infection once it happens.

Read More

2016 Mary Litynski Award

The Mary Litynski Award is presented by M3AAWG to people who have done extensive work outside the public eye over a significant period of time. At the Dublin conference the award was presented to Rodney Joffe. A lot of other people will talk about Rodney’s accomplishments, including his role in the founding of Genuity, his work with the DMA in the early days of spam, his efforts against SMS spam and his efforts to secure the Internet infrastructure. But I have a much more personal perspective.
Rodney was seminal in changing my life and career path. Back in 1999, Rodney asked Steve to look into some DNS creativity he was testing. A few months later, Rodney invited Steve to join a new company he was founding based on that DNS creativity. We moved out to the Bay Area and Steve started working for UltraDNS in early 2000.
Moving out to the Bay Area triggered my career shift into anti-spam and anti-abuse. I started working at MAPS (now Trend Micro) in their experimental consulting service division. We were the “carrot” end of the equation, where our job was to help companies minimize the abuse coming out of their networks.
After MAPS went through a round of layoffs in 2001, Rodney started recommending me as an email consultant to some of his connections in the marketing world. This work was a success and directly led to the founding of Word to the Wise and everything that flows from that.
M3AAWG has published a video where Rodney discusses his role in the history of spam and some of the other things he’s done to fight junk advertising (both fax and SMS spam). He sued junk faxers in small claims court. He was instrumental in getting SMS spam covered under the TCPA. He wrote the first global opt-out list supported by both the DMA and the ISPs and proved that global opt-out would never work. He literally pulled the plug on spamming customers.
Rodney says he’s “Not smart, just the guy who carries the bags of money and helps the smart people get things done.” I certainly don’t believe that is true. He has done things on the global scale to make the Internet a safer place for end users. But my appreciation is much more personal. I will forever be grateful to him for starting us on this path and the help and advice he gave us so many years ago.

Read More

May 2015: The Month in Email

Greetings from Dublin, where we’re gearing up for M3AAWG adventures.
In the blog this month, we did a post on purchased lists that got a lot of attention. If you’ve been reading the blog for any length of time, you know how I feel about purchased lists — they perform poorly and cause delivery problems, and we always advise clients to steer clear. With your help, we’ve now compiled a list of the ESPs that have a clearly stated policy that they will not tolerate purchased lists. This should be valuable ammunition both for ESPs and for email program managers when they are asked to use purchased lists. Let us know if we’re missing any ESPs by commenting directly on that post. We also shared an example of what we saw when we worked with a client using a list that had been collected by a third party.
In other best practices around addresses, we discussed all the problems that arise when people use what they think are fake addresses to fill out web forms, and gave a nod to a marketer trying an alternate contact method to let customers know their email is bouncing.
We also shared some of the things we advise our clients to do when they are setting up a mailing or optimizing an existing program. You might consider trying them before your own next send. In the “what not to do” category, we highlighted four things that spammers do that set them apart from legitimate senders.
In industry news, we talked about mergers, acquisitions and the resulting business changes: Verizon is buying AOL, Aurea is buying Lyris, Microsoft will converge Office365/EOP and Outlook.com/Hotmail, and Sprint will no longer support clear.net and clearwire.net addresses.
Josh posted about Yahoo’s updated deliverability FAQ, which is interesting reading if you’re keeping up on deliverability and ESP best practices. He also wrote about a new development in the land of DMARC: BestGuessPass. Josh also wrote a really useful post about the differences between the Mail From and the Display From addresses, which is a handy reference if you ever need to explain it to someone.
And finally, I contributed a few “meta” posts this month that you might enjoy:

Read More

We gave you a chance…

Our formerly feral cat was diagnosed with hyperthyroid disease earlier this year. This week she went in for treatment with radioactive iodine. Now that she’s home, we have some minor safety precautions (mostly around keeping radiation out of landfills and minimizing our exposure) for the next 2 weeks.
In previous careers, both Steve and I have been licensed to work with radioactivity so we’ve been swapping stories. Today I remembered an incident recounted during training. One lab had ordered some radioisotope and then mistakenly thrown out the isotope with the packaging material. An honest, but very expensive, mistake. Part of the fix was to have all radiation orders go through a central office on campus. This office would handle the opening and recording of the material and then distributing it to the appropriate research lab. As Steve put it, “We trusted you but you messed up, so now we have to institute some controls.”
This actually is how a lot of email compliance is done, too. Companies are allowed to do what they’re going to do. If they do something bad, even by mistake, there is often a lot of expensive cleanup. After the cleanup, the network (either the ESP or ISP) puts in place processes to limit the chance of this kind of mistake in the future.
In the email space the process usually involves a couple of things. First, the sender needs to change their acquisition process. This change limits the bad addresses getting onto a list in the future. Second, the sender needs to address the bad part of their current list. This often involves purging and/or re-engaging non-responsive addresses.
The fixes are painful for everyone involved. But when cleanup is expensive, prevention is important.

Read More

Deliverability and IP addresses

Almost 2 years ago I wrote a blog post titled The Death of IP Based Reputation. These days I’m even more sure that IP based reputation is well and truly dead for legitimate senders.
There are a lot of reasons for this continued change. Deliverability is hard when some people like the same email other people think is spam

Read More

Only spamtraps matter, or do they?

I received mail from Mitsubishi UK over the weekend, telling me that as a subscriber I was eligible to buy a car from one of their dealers, or something. I didn’t actually read the whole thing. While I am competent in a right hand drive, even when it’s a manual, it’s not something I want to try over here in the US.
The address the message came to is one that I’ve had for around 15 years now. But it’s not an address I’ve really ever used for anything. When I have used it, the address is tagged. The bare address has never been handed out.
When I sent the report in to SmartFocus, I commented this wasn’t an opt-in address and that it was, in fact, a spamtrap. Is it? Well, it certainly never signed up for UK car offers. Or any UK mail for that matter. I’ve never opted in to things with it. No one before me had the address.
I know why I mentioned it was a spamtrap… because sometimes it seems like the only way to get some senders to pay attention is if you call the address a trap. Mail to actual users is not a problem, it’s only mail to spamtraps that gets some compliance departments interested in an issue. Without the address being labeled a spamtrap, the address is just marked as “complaint” and removed from further sends.
I wonder if we, and I include myself in that we, have made it harder to deal with spam by focusing on spamtraps rather than permission. Sure, we did it for a good reason – it’s hard to argue that an address that has never been used by a person signed up to receive mail. But now we have companies trying to create and monetize spamtrap networks because people care about spamtraps.
It’s a less conflict laden conversation when we can say “these addresses didn’t opt-in, they don’t exist.” But somehow “spamtrap” carries more weight than “bounce.” I’m not sure that’s a good distinction, bounces are all potential traps, and I do know some people go through their incoming logs and see what addresses they are bouncing mail to and then turn those addresses on.
Focusing on traps makes some conversations easier. But maybe we need to be having harder conversations with clients and senders and marketers. Maybe lack of spamtraps isn’t a sign of a good list. Maybe good lists are quantified by other things, like response and engagement and ROI.

Read More

Yahoo Mail Deliverability FAQ Updated

Yahoo has updated their FAQ and listed out a number of factors they use to determine if a mail message is spam.

Read More

Email can't be dead

Sitting in my drafts folder is a rant I wrote during one of the “email is dead” discussions. I think there’s a core of usefulness in my rant. The discussion was about how many click bait articles claim email is dead because people under 20 don’t have email accounts, or if they do, then they don’t check them.
Almost everything online is tied to an email account. Want Amazon prime? You need an email address. Want an Instagram account? You need an email address. Want access to Google docs? You need a gmail address. Want to buy almost anything off a website? You need an email address. Even for stuff that’s ostensibly displayed on mobile (event tickets, plane tickets, hotel check in info) they need an email address. Want to have access to iTunes? You need an email address. Want a blog hosted on blogspot? You need an email address.
Of COURSE people have email addresses. I will say that I’m finding myself using email a little less than I did. Facebook is a bit better at social networking than old school mailing lists and usenet. I mean, nothing will ever replace trn in my heart, but Facebook does remind me of usenet in some ways.
Oh, and yes, you mostly need an email address for Facebook (although I hear you can register an account with just a smartphone).
Email isn’t dead. Email isn’t going to die. Anyone who tells you otherwise is simply looking to monetize your clicks.

Read More

Clear and Clearwire.net

As of April 15th, Clearwire will no longer support their CLEAR Email/Clearwire Email services which include @clear.net and @clearwire.net mail domains. They were acquired by Sprint and these domains will bounce after April 15th 2015.
Many thanks to Anthony Chiulli from Salesforce for the tip.

Read More

It's the recipients

Most delivery problems to US ISPs boil down to sending mail to people who don’t want it or expect it. Sure, we do technical audits and find issues with how companies are sending mail. But all the technical correctness in the world isn’t going to make up for sending mail users complain about or don’t interact with.
Recently we were working with a client who was having some delivery problems for one mail stream. As we dug down into the issue, we discovered a couple things about the mail stream.

Read More

April 2015: The Month in Email

We started the month with some conversations about best practices, both generally looking at the sort of best practices people follow (or don’t) as well as some specific practices we wanted to look at in more depth. Three for this month:

Read More

Office365/EOP and Outlook.com/Hotmail will converge

Terry Zink posted two informative blog posts recently, the first being the change to unauthenticated mail sent over IPv6 to EOP and the second post about EOP (Office365 and Exchange Hosting) and Outlook.com/Hotmail infrastructure converging.
Exchange Online Protection (EOP) is the filtering system in place for Office 365 and hosted Exchange customers. Outlook.com/Hotmail utilized its own mail filtering system and provides SNDS/JMRP programs. EOP is set up for redundancy and failover, provides geo-region servers to serve customers, and has supported TLS for over a decade. Terry explains that Hotmail’s spam filtering technology is more advanced than EOP’s, but EOP’s backend platform is more advanced. The process to convert Outlook.com/Hotmail to use EOP’s filtering system started six months ago and is still a work in progress. Once completed, Outlook.com/Hotmail and Office365/EOP will share the same UX look and feel. The anti-spam technologies will be able to be shared between the two as they will share the same backend infrastructure.
Some of the challenges of merging the two systems include:

Read More

Email verification services

Just yesterday a group of delivery folks were discussing email verification services over IRC. We were talking about the pros and cons, when we’d suggest using them, when we wouldn’t, which ones we’ve worked with and what our experiences have been. I’ve been contemplating writing up some of my thoughts about verification services but it’s a post I wanted to spend some time on to really address the good parts and the bad parts of verification services.
Today, Spamhaus beat me to the punch and posted a long article on how they view email verification services. (I know that some Spamhaus folks are part of that IRC channel, but I don’t think anyone was around for the discussion we had yesterday.)
It’s well worth a read for anyone who wants some insight into how email verification is viewed by Spamhaus. Their viewpoints are pretty consistent with what I’ve heard from various ISP representatives as well.
In terms of my own thoughts on verification services, I think it’s important to remember that the bulk of the verification services only verify that an address is deliverable. The services do not verify that the address belongs to the person who input it into a form. The services do not verify that an address matches a purchased profile. The services do not verify that the recipient wants email from the senders.
Some of the services claim they remove spamtraps, but their knowledge of spamtraps is limited. Yes, stick around this industry long enough and you’ll identify different spamtraps, and even spamtrap domains. I could probably rattle off a few dozen traps if pressed, but that’s not going to be enough to protect any sender from significant problems.
Some services can be used for real time verification, and that is a place where I think verification can be useful. But I also know there are a number of creative ways to do verification that also check things like permission and data validity.
From an ESP perspective, verification services remove bounces. This means that ESPs have less data to apply to compliance decisions. Bounce rate, particularly for new lists, tells the ESP a lot about the health of the mailing list. Without that, they are mostly relying on complaint data to determine if a customer is following the AUP.
Spamhaus talks about what practices verification services should adopt in order to be above board. They mention actions like clearly identifying their IPs and domains, not switching IPs to avoid blocks and not using dozens or hundreds of IPs. I fully support these recommendations.
Email verification services do provide some benefit to some senders. I can’t help feeling, though, that their main benefit is simply lowering bounce rates and not actually improving the quality of their customers’ signup processes.

Read More

Political Fraud & Spam

The Conservative Party is one of the largest political parties in the UK. They’re center-right politically (by European standards), nationalist and pro-business. You’ll often see them called the Tory party or Tories – a pejorative nickname they acquired 350 years ago.
While they’re part of the ruling coalition today, there’s a general election coming up in the next couple of weeks and they’re, well, campaigning aggressively. A group of 500 small business owners co-signed a letter to the Telegraph (a mainstream UK newspaper that supports the Conservatives consistently enough that it’s widely known as the Torygraph) expressing strong support for Conservative economic policies and drumming up votes for the election.
So far, nothing unusual. So why am I talking about it? And why am I talking about it here, on an email blog?
As people began to look at the letter, the story began to unravel. First, the letter was published on the Telegraph website as a PDF – and the PDF metadata showed it had been written by the Conservatives’ press office, not a group of small businesses.
https://twitter.com/GabrielScally/status/592476275362529280
Then it turned out that many of the signatories seemed to have signed it multiple times, each representing slightly different company names. Somebody didn’t dedupe their purchased list, it seems.
When contacted, many of the signatories denied signing anything. Several of them did mention receiving email (spam?) and clicking on a link.

Read More

Compromises and phishing and email

Earlier this month, Sendgrid reported that a customer account was compromised and used for phishing. At the time Sendgrid thought that it was only a single compromise. However, they did undertake a full investigation to make sure that their systems were secure.
Today they released more information about the compromise. It wasn’t simply a customer account, a Sendgrid employee’s credentials were hacked. These credentials allowed the criminals to access customer data, and mailing lists. Sendgrid has a blog post listing things customers should do and describing the changes they’re making to their systems.
Last month it was Mandrill. Today it’s Sendgrid. It could be anyone tomorrow.
Security is hard, there’s no question about it. Users have to have access. Data has to be transferred. Every user, every API, every open port is a way for a bad actor to attempt access.
While it wasn’t said directly in the Sendgrid post, it’s highly likely that the employee compromise was through email. Most compromises go back to a phish or virus email that lets the attacker access the recipient’s computer. Users must be ever vigilant.
We, the email industry, haven’t made it easy for users to be vigilant. Just this weekend my best friend contacted me asking if the email she received from her bank was a phishing email. She’s smart and she’s vigilant, and she still called the number in the email and started the process without verifying that it was really from the bank. She hung up in the transaction and then contacted me to verify the email.
She sent me headers, and there was a valid DMARC record. But, before I could tell her it wasn’t a phishing email, I had to go check the whois record for the domain in question to make sure it was the bank. It could have been a DMARC authenticated email, but not from the bank. The whois records did check out, and the mail got the all clear.
There’s no way normal people can do all this checking on every email. I can’t do it, I rely on my tagged addresses to verify the mail is legitimate. If the mail comes into an address I didn’t give the sender, then it’s not legitimate – no matter what DMARC or any other type of authentication tells me. But most people don’t have access to tagged or disposable addresses.
I don’t know what the answers are. We really can’t expect people to always be vigilant and not fall for phishing. We’re just not all present and vigilant every minute of every day.
For all of you who are going to tell me that every domain should just publish a p=reject statement, I’ll point out DMARC doesn’t solve the phishing problem. As many of us predicted, phishers just move to cousin and look-alike domains. DMARC may protect citi.com, but it doesn’t protect citimarketingemail.com or citi.phisher.com.
We’ve got to do better, though. We’ve got to protect our own data and our customers’ data better. Email is the gateway and that means that ESPs, with their good reputations and authentication, are prime targets for criminals.

Read More

Office365/EOP IPv6 changes starting today

Terry Zink at Microsoft posted earlier this week that Office365/Exchange Online Protection will have a significant change this week. Office365 uses Exchange Online Protection (EOP) for spam filtering and email protection. One of the requirements to send to EOP over IPv6 is to have the email authenticated with either SPF or DKIM. If the mail sent to Office365/EOP over IPv6 is not authenticated with SPF or DKIM, EOP would reject the message with a 554 hard bounce message. Most mail servers accept the 554 status code and would not retry the message. After multiple 5xx hard bounces to an email address, many mail servers would unsubscribe the user from future email campaigns. The update starting today, April 24, will change the error status code for unauthenticated mail to EOP from a 554 hard bounce to a 450 soft bounce, and an RFC-compliant and properly configured mail server would then retry the message.
Prior to April 24, 2015, EOP responds to unauthenticated mail with a status code of: “554 5.7.26 Service Unavailable, message sent over IPv6 must pass either SPF or DKIM validation”.

Read More

Another acquisition

Netsuite has entered an agreement to acquire Bronto. Congrats to the folks at Bronto.

Read More

Mistakes happen

As happens every Tuesday, the Magill Report was blasted into mailboxes all over the Internet. This Tuesday was extra special for some recipients, though. These recipients received a dozen or more copies of the newsletter.
Ken knows best practices and implements them rigidly in regards to his sending. He’s one of the very few standalone publishers that uses confirmed opt-in, for instance. But even with the best practices in place, sometimes bad stuff happens. From what little I’ve seen, this looks like some bit of software fell over somewhere.
In this case, there isn’t a lot to do. Sure, people are talking about it, but I don’t think anyone is treating this as anything other than an aberration or a software glitch. Ken doesn’t need to send out an apology and I suspect that he’s not lost a single subscriber due to this. People are willing to cut a sender a break when they have a long history of sending. I do expect we’ll see something about this in next week’s newsletter, possibly concluding with him looking for a new ESP.
Sending failures happen all too frequently. Some are embarrassing, some cause significant business problems. The biggest issues are when a send goes to addresses that shouldn’t be mailed, either unsubscribes, or bounces or inactives. These kinds of mistakes can drive blocks at ISPs and get the sender noticed by some blocklists.
The good news is that if it’s truly a one-off, then delivery may not be affected at all. And in cases where delivery is affected, problems tend to disappear quickly. Filters adjust and don’t take too much notice of a very short term aberration when there is a long term history of wanted email.
 

Read More

Where's AOL?

I hear almost nothing about AOL from clients and potential clients these days. I hear a lot from AOL users who are confused and don’t understand that I am not AOL support (I’m not. Really. I can’t help you.). But I hear almost nothing from clients.
There are three possibilities I can think of for this.

Read More

A series of tubes

The Internet and pundits had a field day with Senator Stevens, when he explained the Internet was a series of tubes.
I always interpreted his statement as coming from someone who demanded an engineer tell him why his mail was delayed. The engineer used the “tube” metaphor to explain network congestion and packets and TCP, and when the Senator tried to forward on the information he got it a little wrong. I do credit the Senator with trying to understand how the Internet works, even if he got it somewhat wrong. This knowledge, or lack thereof, drove his policy positions on the issue of Net Neutrality.
In the coming years, I believe we’re going to be seeing more regulations around the net, both for individuals and for corporations. These regulations can make things better, or they can make things worse. I believe it’s extremely important that our elected officials have a working understanding of the Internet in order to make sensible policy. This understanding doesn’t have to be in their own head, they can hire smart people to answer their questions and explain the implications of policy.
Apparently I’m not the only one who thinks it is important for our elected officials to have a working knowledge of technology. Paul Schreiber put up a blog post comparing the website technology used by the current Presidential candidates. Do I really expect the candidate to be involved in decisions like what domain registrar or SSL certificate provider to use? No. But I do expect them to hire people who can create and build technology that is within current best practices.

Read More

March 2015: The month in email

Happy March! We started the month with some more movement around CASL enforcement from our spam-fighting friends to the north. We noted a $1.1 million fine levied against Compu-Finder for CASL violations, as well as a $48,000 fine to Plentyoffish Media for failing to provide unsubscribe links. We noted a few interesting things: the fines are not being imposed at the maximum limits, violations are not just on B2C marketing, but also on B2B senders, and finally, that it really just makes sense — both from a delivery perspective and a financial perspective — to comply with the very reasonable best practices outlined in CASL.

Read More

Thoughts on Gmail filtering

Gmail has some extremely complex filters. They’re machine learning based and measure hundreds of things about incoming mail. The filters are continually adjusting to changes and updating how they treat specific mail.
One consequence of continually adjusting machine learning filters is that filtering is not static. What passes to the inbox now, may not pass in a couple hours.
One of the other challenges with Gmail filters is that they look at all the mail mentioning a particular domain and so affiliate mail and 3rd party mail can affect delivery of corporate mail.
The good news is that continually adjusting filters adapt to positive changes as well as negative ones. In fact, I recently made a segmentation suggestion to a client and they saw a significant increase in inbox delivery at Gmail the next day.
Gmail can be a challenge for delivery, but send mail users want and mail does go to the inbox.

Read More

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services, and systems can become vulnerable. Security will never be a set and forget policy. In the last 12 months there have been two significant vulnerabilities discovered: first Heartbleed and second POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers’ data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Read More

When spam filters fail

Spam filters aren’t perfect. They sometimes catch mail they shouldn’t, although it happens less than some people think. They sometimes fail to catch mail they should.
One of the reasons filters fail to catch mail they should is because some spammers invest a lot of time and energy in figuring out how to get past the filters. This is nothing new, 8 or 9 years ago I was in negotiations with a potential client. They told me they had people who started working at 5pm eastern. Their entire job was to craft mail that would get through Hotmail’s filters that day. As soon as they found a particular message that made it to the inbox, they’d blast to their list until the filters caught up. When the filters caught up, they’d start testing again. This went on all night or until the full list was sent.
Since then I’ve heard of a lot of other filter bypass techniques. Some spammers set up thousands of probe accounts at ISPs and would go through and “not spam” their mail to fool the filters (ISPs adapted). Some spammers set up thousands of IPs and rotate through them (ISPs adapted). Some spammers register new domains for every send (ISPs adapted). Some spammers used botnets (ISPs adapted).
I’m sure, even now, there are spammers who are creating new techniques to get through filters. And the ISPs will adapt.

Read More

Thoughts on Hotmail filtering

One of the new bits of information to come out of the EEC15 deliverability discussions is how Hotmail is looking at engagement differently than other webmail providers.
Many webmail providers really do look at overall engagement with a mail when making delivery decisions. And this really impacts new subscribers the most. If there is a mailing where a lot of subscribers are engaged, then new subscribers will see the mail in their inbox. Based on what was said at the webinar earlier this week engagement has no effect at Hotmail outside of the individual user’s box.
I’ve certainly seen this with clients who’ve tried trimming subscriber lists but that doesn’t really help get mail moved from the Hotmail bulk folder to the inbox.
 
Instead of subscriber lists, Hotmail is really looking at bounces. They’re watching and counting the number of nonexistent accounts senders are mailing to; when a sender hits too many bad addresses, that is a major hit to their reputation.
All of this makes remediation at Hotmail challenging. Right now, we can remediate a bad reputation at a lot of ISPs and the filters catch up and mail starts flowing back to the inbox. Hotmail has set up a system that they say is “hard for spammers to game.” This seems to translate into hard for legitimate senders to fix their reputation.
Hotmail is, IMO, the current tough nut in terms of deliverability. Develop a bad reputation there and it’s difficult to fix it. I’m sure it’s possible, though.

Read More

Tweets from engagement and deliverability webinar

Want to see some of the tweets shared during the EEC Deliverability and Engagement webinar on March 17? Check out what was said as it happened.

Read More

Mythbusting deliverability and engagement

Yesterday I published an article talking about an engagement webinar hosted by the EEC and DMA. I made a couple predictions about what would be said.

Read More

Delivery and engagement

Tomorrow is the webinar Mythbusters: Deliverability vs. Engagement. This webinar brings together the ISP speakers from EEC15, plus Matt from Comcast, to expand on their comments. There’s been some confusion about the impact of engagement on delivery and whether or not senders should care about recipient engagement.
My opinion on the matter is well known: recipient engagement drives delivery to the inbox at some providers. I expect tomorrow we’ll hear a couple things from the ISPs.

Read More

Updated M3AAWG Best Practices for Senders

M3AAWG has published a new version of the Senders Best Common Practices document, and it contains a lot of new information since the original publication in 2008. The new document covers how to vet ESP customers, considerations when selecting a dedicated or shared IP to send mail, and includes best practices on a number of technical processes.
The Senders Best Common Practices document is targeted at deliverability teams and email marketers. For any company that is sending marketing emails, using an Email Service Provider, or providing an email-enabled platform, it’s always good to go back and periodically review your system to ensure nothing was missed and to stay up-to-date on all new recommendations.
A few of the recommendations include the use of the List-Unsubscribe header, publishing a clear WHOIS for domains used for sending mail, and how to process non-delivery report messages.
The List-Unsubscribe header provides an additional way for users to opt-out of email messages. Gmail and Outlook.com both use the presence of the list-unsubscribe header to provide a one-click button to allow the user to unsubscribe from the mailing list. Often enough, if a user cannot find an opt-out link, they’re marking the message as spam. Allowing a recipient to unsubscribe easily is critical to maintaining good delivery reputation.
A WHOIS is a query to determine who is the registered user or assignee of a domain name. During a session at the most recent M3AAWG meeting, it was announced that spammers throw away 19 million domains per year. When a postmaster or abuse desk receives a complaint, they’ll often query to see who owns the domain the email was sent from or who owns the domains used in the hyperlinks. If the WHOIS record is out of date or set to private, this limits the ability for the postmaster or abuse desk to reach out to the owner of the domain.
Processing non-delivery reports is critical to maintaining a high delivery reputation. Many ESPs have an acceptable-use-policy that includes a bounce rate. Mailjet recommends a bounce rate of less than 8% and Mandrill recommends less than 5%. If a system is not in place to remove the hard bounces from your mailing list, the sender’s reputation will quickly deteriorate.
The Senders Best Common Practices document can be downloaded at M3AAWG.org.
 

Read More

Engagement, ISPs and the EEC

There’s been some controversy over some of the things said by the ISPs at the recent EEC meeting. Different people interpret what was said by the ISPs in different ways. The EEC has set up a webinar for March 17 to clarify and explain what was meant by the ISPs.

Read More

How to send better emails: engagement

Today Direct Marketing News hosted a webinar: ISP Mythbusters: How to Send Better Emails. The speakers were Matt Moleski, the Executive Director of Compliance Operations from Comcast and Autumn Tyr-Salvia, the Director Of Standards And Best Practices from Message Systems.
The webinar went through a series of myths. After Autumn introduced the myth, Matt commented on it and explained why the statement was, or was not, a myth. Throughout the webinar, Matt clearly explained what does, and does not, get mail delivered. Don’t let the Comcast after Matt’s name fool you. He is very active in different fora and discusses filtering strategies with experts across the ISP industry. His insight and knowledge is broadly applicable. In fact, many of the things Matt said today were things I’ve heard other ISPs say over and over again.
One of the very first things he said was that ISPs want to deliver mail their customers want. They want to give customers the best inbox experience possible and that means delivering mails customers want and keeping out mails customers don’t. He also pointed out that recipients complain to the ISPs when they lose wanted mail, perhaps even more than they complain about spam.
He also touched on the topic of engagement. His message was that absolutely engagement does matter for inbox delivery and that engagement is going to matter more and more as filtering continues to evolve. There has been some discussion recently about whether or not engagement is an issue, with some people claiming that some ISP representatives said engagement doesn’t matter. The reality is, that engagement does matter and Matt’s words today only reinforce and clarify that message.
Matt did say that ISPs and senders have a bit of a disconnect when they are speaking about engagement. ISPs look at engagement on the “macro” level. They’re looking to see if users delete a mail without reading it, file it into a folder, mark it spam or mark it not spam. Senders and marketers look at engagement on a much more finite level and look at interactions with the specific emails and links in the email.
When discussing the relationship between senders and ISPs, he pointed out that both senders and ISPs have the same goal: to personalize the customer experience and to give customers a great experience. As part of this, ISPs are mostly aligned when it comes to blocking principles, but each ISP responds slightly differently. ISPs do adhere to best practices for handling incoming email, but those practices are implemented based on the individual company, and each handles incoming mail in ways that better support their company specifically.
Matt talked about Comcast’s Postmaster pages and said they try to give feedback to senders before putting a block in place. He mentioned invalid recipients and poor list hygiene as the fastest way to be blocked or throttled when sending to Comcast. He also said that the core filtering rules at Comcast are static. Changes are mostly “tweaks around the edges.”
During the Q&A portion, Matt took a number of questions from the audience.

Read More

Engaging emails for better delivery

MessageSystems is sponsoring a webinar hosted by Direct Marketing discussing engagement as part of delivery.

Read More

Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t an SSL registered website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.

Read More

Back from M3AAWG

Last week was another M3AAWG meeting in San Francisco. The conference was packed full of really interesting sessions and things to learn. Jayne’s keynote on Tuesday was great, and brought up a lot of memories of just what it was like to be fighting spam and online abuse in the mid to late 90s. It’s somewhat amazing to me that many of the people I first met, or even just heard about are still actively working to fight abuse and make the Internet safer.
Wednesday was another great keynote from Facebook, discussing security. Facebook is committed to sharing threat information and has started the ThreatExchange website as a hub for sharing data among large companies.
One thing that was amusing was during one talk someone mentioned YubiKey for managing logins. They said many people were sharing long strings of random keys that sometimes happen because someone has accidentally triggered the one time passcode. YubiKey is awesome, if sometimes ccccccdkhjnbitklrrtnhjrdfgdlhektfnfeutgtdcib inscrutable.
As has become a bit of a M3AAWG tradition lately, Wednesday was also kilt day. There may be pictures. For those of you planning to go to Dublin, Wednesday will be kilt day as well.
The conference was great, but ended on a bit of a down note. We received word that Wednesday night a long time friend, Ellen R., passed away due to complications from a stroke. The conference held a moment of silence for her at the end. Ellen was a friend as well as a colleague. She was around on IRC when we started this crazy experiment called Word to the Wise and was always helpful and insightful. She volunteered with, and then worked for, Spamcop and then volunteered with Spamhaus. Ellen will be very missed.
I started off the conference remembering all the friends I made back in the late 90s and ended it remembering and missing those who are no longer around. Email has been one amazing journey, and doesn’t look like it’s going away anytime soon.

Read More

Mary Litynski Award winner Jayne Hitchcock

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

Read More

What is an open?

I was having a discussion today with a few industry colleagues about engagement and open rates. It was a good discussion and inspired a couple blog posts. Engagement totally matters, Engagement affects deliverability, and ISPs should be the last of your concerns.
I think they’ve covered the engagement issue pretty well, but what I wanted to talk about was metrics, specifically opens. Open is a fairly simple word, and it’s used in email all the time. Recipients open email. Mailbox providers measure that open. Senders measure that open.
It’s critical to remember, though, that open rates as measured by free mailbox providers and open rates tracked by a sender are not really the same thing. They’re measured in very different ways, and there is not a 1:1 mapping between the two measurements.

Read More

Email Authentication in a nutshell

There are 3 types of authentication currently in use for email.

Read More

January 2015 – The Month in Email

It’s February already! January went fast, right? At WttW, we are gearing up for MAAWG SF later this month — will we see you there?
We started the year with a set of predictions about email. Mostly we think email will continue to be great at some things and not-so-great at other things, and we’ll keep fighting the good fight to make it better.
As always, I’m interested in filters and how spammers continue to work around them to reach the inbox. I also wrote about how the language of an email impacts delivery, and wrote an expanded response to a comment suggesting email filters should be illegal. You can guess where I stand on that (and if you can’t, perhaps you might read more about how email is an inherently malicious traffic stream…)
I also took a moment to point out a trend I’m really enjoying, which is the rise of content marketing (a.k.a. giving customers useful and interesting information they can’t find elsewhere). As I said in the post, I’ll be curious to see how ROI plays out with this strategy.
We also talked about some of the less exciting content we see in email, notably the infamous Murkowski Statement, by which a spammer declares “Nope! Nothing to see over here!”
Steve also pointed out some content shenanigans in the form of hidden preview text, with some additional clarification from the original marketer in the comments.
In industry news, the big story was that Microsoft has partially implemented DMARC for Office365, and was the first to make a public statement about the specific ways they’ve chosen to implement. In my post, I did a walkthrough of a message to illustrate a bit about how this works, which might be useful if you’re trying to wrap your head around DMARC implementations.
We also talked about consolidation in the ESP space, and got a number of comments from readers about who they think might be next. Shortly thereafter, Listcast was acquired by MailerMailer.
Josh noted a few major shutdowns: Yahoo China email services and the AHBL list. The latter explores the challenges inherent in decommissioning a blacklist, and there’s a good discussion in the comments, so you might check it out if you missed that earlier this month.
Josh also pointed to the Salesforce State of Marketing report, which is always a useful set of metrics about how marketers are using email and other channels. It’s definitely worth a read.

Read More

MessageSystems Acquires Port25

This morning MessageSystems announced they had acquired Port25 systems. These two platforms were some of the powerhouse brands in the email space. Momentum was the system used by big programs that needed precise control over all their mail from many different streams. Port25 was a lower cost but still powerful system that was accessible to many different size companies.
This acquisition gives MessageSystems the ability to address both market segments.
Port25 staff are all part of the acquisition and the software will continue to be developed and maintained as a separate product from the Momentum line. I, for one, am relieved to hear that. Port25 is a solid piece of software that meets the sending needs of many small and medium size companies.
Congratulations to the great folks at MessageSystems and Port25. I’m excited to see what happens with both programs under the same roof.

Read More

Amazon launching new email service WorkMail

Amazon is launching a new email service called Amazon WorkMail. Amazon already offers a Simple Email Service (SES) that allows customers to send outbound-only emails. Unlike SES, WorkMail will be a full-featured email, calendaring, and client management product. The new WorkMail mail service will compete with enterprise email solutions such as Microsoft Exchange Server. WorkMail will support the Microsoft Exchange ActiveSync protocol, something that Google disabled with Gmail in early 2013, and will include Mobile Device Management and Active Directory Integration. The new service will also utilize Amazon’s AWS Key Management Service that allows the customer to create and control their own encryption keys used to encrypt their data on AWS.
Amazon WorkMail will also scan all incoming and outgoing email for spam, malware, and viruses; however, it’s not clear yet if they are going with a third-party solution or will be creating their own filtering system.

Read More

Email filtering: not going away.

I don’t do a whole lot of filtering of comments here. There are a couple people who are moderated, but generally if the comments contribute to a discussion they get to be posted. I do get the occasional angry or incoherent comment. And sometimes I get a comment that triggers me to write an entire blog post pointing out the problems with the comment.
Today a comment from Joe King showed up for The Myth of the Low Complaint Rate.

Read More

Deliverability, Return Path, List-Unsubscribe Header

Here are a few blog posts covering the email industry from Constant Contact, Return Path, and SpamResource.
Constant Contact posted a blog post about how they measure email deliverability on January 10th. They started with just tracking bounce backs and using that metric to calculate deliverability but then moved to using a seed list through a third-party and report that they get 97% deliverability. Read more at Constant Contact
On January 6th, Return Path recapped their most read blog posts which includes covering Yahoo’s DMARC Reject Policy, Blacklist Basics, and Gmail’s new FBL and Unsubscribe button. Read more at Return Path
Return Path and SpamResource both have excellent write-ups about the preference change at Outlook.com/Hotmail regarding the List-Unsubscribe header. Microsoft, like Google, prefers to use mailto instead of http or other URI protocols for the List-Unsubscribe header.
 

Read More

Salesforce State of Marketing Report

Salesforce published their State of Marketing report last week. The report was compiled after receiving 5,000 responses to their questionnaire. Reading the report, it is clear that email is critical to businesses. 73% of marketers believe email marketing is core to their business, 71% felt mobile marketing was core, and 66% felt social media marketing was core to their business.
Other interesting figures: 47% reported the click-through rate as the most important email marketing metric and 23% didn’t know what device emails are read on.
Comparing the 2015 responses to the 2014 survey, email as a primary revenue source increased from 16% to 20%, email as a critical enabler of products and services increased from 42% to 60%, and email as an indirect impact of business performance decreased from 42% to 20%.
It is clear that email as a marketing tool will see increased usage in 2015. The report isn’t just reporting responses; it has several good recommendations, such as doing a spring-cleaning of your email list and sending a re-engagement campaign that invites subscribers to update their preferences. This would give users the ability to opt out, as they may only have been interested in holiday deals, and making it easy to opt out will help prevent users from reporting the email as spam.

Read More

Office365 checking DMARC on the inbound

According to a recent blog post, Office365 is starting to evaluate incoming messages for DMARC. I talked a little bit about DMARC in April when Yahoo started publishing a p=reject message.

Read More

Yahoo China Email Services Shut Down

Via mailing lists and Al Iverson’s Spamresource blog, Yahoo China domains (yahoo.com.cn and yahoo.cn) are no longer accepting email. Yahoo announced in April of 2013 that they were shutting down their email services in August of the same year and advised users to create new accounts with Alibaba. While the domains still have valid MX records, they are no longer accepting mail. There is no direct mapping from Yahoo China addresses to Alimail (Alibaba’s email service).
When attempting to send emails to these two domains, the reject will be a “550 relaying denied” message.  Now would be a good time to update your lists and remove any yahoo.com.cn and yahoo.cn addresses.

Read More

Listcast acquired by MailerMailer

Listcast, an email list management service, has been acquired.  MailerMailer will take over management and support of all Listcast customers effective immediately from Domainate, Inc.

Read More

Language as filtering criteria

A few months ago I was working on a delivery audit for a client who sends mail in multiple languages. We discovered that the language of an email has a significant delivery impact. The same email in different languages was delivered differently, particularly at Gmail. Emails in a language I don’t normally receive email in were delivered to my bulk folder.
Other folks have commented on similar things. Some filters really do look at preferred language of the recipient and treat mail in other languages as problematic. I don’t think that’s unreasonable. I do get a lot of foreign language spam and there’s no real way to stop it. Many countries don’t require opt-out links, and so there isn’t a clear way to even unsubscribe.
Writing in the recipient’s local language is one way to minimize inappropriate blocking, even when you have permission to send mail.
 
 

Read More

AHBL Wildcards the Internet

AHBL (Abusive Host Blocking List) is a DNSBL (Domain Name Service Blacklist) that has been available since 2003 and is used by administrators to crowd-source spam sources, open proxies, and open relays.  By collecting the data into a single list, an email system can check this blacklist to determine if a message should be accepted or rejected. AHBL is managed by The Summit Open Source Development Group and they have decided after 11 years they no longer wish to maintain the blacklist.
A DNSBL works like this: a mail server checks the sender’s IP address of every inbound email against a blacklist, and the blacklist responds with either “yes, that IP address is on the blacklist” or “no, I did not find that IP address on the list.” If an IP address is found on the list, the email administrator, based on the policies set up on their server, can take a number of actions such as rejecting the message, quarantining the message, or increasing the spam score of the email.
The administrators of AHBL have chosen to list the world as their shutdown strategy. The DNSBL now answers ‘yes’ to every query. The theory behind this strategy is that users of the list will discover that their mail is all being blocked and stop querying the list causing this. In principle, this should work. But in practice it really does not because many people querying lists are not doing it as part of a pass/fail delivery system. Many lists are queried as part of a scoring system.
Maintaining a DNSBL is a lot of work and after years of providing a valuable service, you are thanked with the difficulties of decommissioning the list. Popular DNSBLs like the AHBL list are used by thousands of administrators and it is a tough task to get them to all stop using the list. RFC6471 has a number of recommendations such as increasing the delay in how long it takes to respond to a query but this does not stop people from using the list. You could change the page responding to the site to advise people the list is no longer valid, but unlike when you surf the web and come across a 404 page, a computer does not mind checking the same 404 page over and over.
Many mailservers, particularly those only serving a small number of users, are running spam filters in fire-and-forget mode, unmaintained, unmonitored, and seldom upgraded until the hardware they are running on dies and is replaced. Unless they do proper liveness detection on the blacklists they are using (and they basically never do) they will keep querying a list forever, unless it breaks something so spectacularly that the admin notices it.
So spread the word,

Read More
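The liveness detection the AHBL post says filters "basically never do" can be sketched as follows. This is an added example, not code from the post or from any filter it mentions: it relies on the RFC 5782 test points (an IPv4 DNSBL lists 127.0.0.2 and never lists 127.0.0.1), and the zone names, weights and fake resolver are constructed so the demo runs offline.

```python
"""DNSBL liveness check before using a list in a scoring filter (added example)."""
import ipaddress
import socket

# RFC 5782 test points for IPv4 DNSBLs.
MUST_BE_LISTED = "127.0.0.2"      # every live list answers for this address
MUST_NOT_BE_LISTED = "127.0.0.1"  # no correctly run list answers for this one
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """192.0.2.10 checked against zone bl.example -> 10.2.0.192.bl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # NXDOMAIN, timeout, no network
        return None


def is_listed(ip, zone, resolve=system_resolver):
    answer = resolve(dnsbl_query_name(ip, zone))
    # Listings are answered inside 127.0.0.0/8. Any other address (for
    # example a parked domain's web server) is not a listing.
    return answer is not None and ipaddress.IPv4Address(answer) in LOOPBACK


def check_liveness(zone, resolve=system_resolver):
    """Classify a zone as 'healthy', 'wildcarded' or 'dead'."""
    if is_listed(MUST_NOT_BE_LISTED, zone, resolve):
        return "wildcarded"  # says yes to everything, as AHBL did at shutdown
    if not is_listed(MUST_BE_LISTED, zone, resolve):
        return "dead"        # test entry missing: zone gone or unreachable
    return "healthy"


def naive_score(client_ip, zones, resolve=system_resolver):
    """Scoring filter with no liveness check: trusts every answer."""
    return sum(w for z, w in zones.items() if is_listed(client_ip, z, resolve))


def spam_score(client_ip, zones, resolve=system_resolver):
    """Scoring filter that only counts lists passing the liveness check.

    Returns (score, skipped) so the skipped zones can be logged for the admin.
    A production filter would cache the liveness result, not test per message.
    """
    score, skipped = 0.0, []
    for zone, weight in zones.items():
        state = check_liveness(zone, resolve)
        if state != "healthy":
            skipped.append((zone, state))
            continue
        if is_listed(client_ip, zone, resolve):
            score += weight
    return score, skipped


# --- Constructed demo data: hypothetical zones and a fake offline resolver ---
ZONES = {"live.example.org": 2.0, "wild.example.org": 3.0, "gone.example.org": 1.0}
LIVE_ENTRIES = {
    dnsbl_query_name("127.0.0.2", "live.example.org"),
    dnsbl_query_name("192.0.2.10", "live.example.org"),
}


def fake_resolver(name):
    if name.endswith(".wild.example.org"):
        return "127.0.0.2"                      # wildcarded: lists the world
    if name in LIVE_ENTRIES:
        return "127.0.0.2"                      # maintained list, real entry
    return None                                 # NXDOMAIN everywhere else


if __name__ == "__main__":
    clean_ip = "198.51.100.7"  # on no maintained list
    print("naive:", naive_score(clean_ip, ZONES, fake_resolver))
    print("checked:", spam_score(clean_ip, ZONES, fake_resolver))
```

In a scoring filter the wildcarded zone silently adds its weight to every message, which is why the shutdown goes unnoticed; surfacing the `skipped` list in logs is what gives the admin a reason to remove the zone.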

Email is inherently a malicious traffic stream

It’s something many people don’t think about, but the majority of the traffic coming into the SMTP port is malicious. Spam is passively malicious, in that it just uses resources and bothers people. But there is a lot of actively malicious traffic coming into the SMTP port. Email is used as a vector to spread viruses and other malware. Email is also used for phishing and scamming. Many of the major hacks we’ve heard about over the last few years, including those in the email space, started with a single user getting infected through email.
We talk a lot about delivery here with clients and primarily focus on making sure their mail looks as unlike malicious mail as possible. We focus on spam filters, but every piece of mail goes through filters that also look for viruses, phishes, malware and other malicious traffic.
Mail servers are under attack constantly. The only reason our inboxes are useful is through the hard work of many people to filter out the bad and keep users from seeing the bulk of the mess attacking them.

Read More

ESPs and consolidation

Earlier this week Bloomberg news reported that an anonymous source  told them Verizon was looking to acquire or investigate a partnership with AOL. It didn’t take long for the Verizon CEO to quash the acquisition rumors. Acquisitions and partnerships have always been around in technology, this is nothing new. But it made me think a little bit about the acquisitions and mergers in the ESP space.
The last 2 years have seen unexpected purchases of ESPs. Oracle bought Eloqua. Deluxe acquired Vertical Response. IBM has acquired a number of players in the email space, including parts of mail.com, SilverPop and Pivotal Veracity. eBay acquired e-Dialog. Salesforce acquired ExactTarget. Big companies seem to use the acquisition process to acquire the technology needed to send mail to and on behalf of their customers.
I’ve heard some people claim this is the beginning of the end of the stand alone ESP. I disagree. I think there is enough market demand to support stand alone ESPs. But the market is crowded and there are a lot of ESPs out there. There will be some consolidation. Some ESPs will be bought, either for their technology or their staff. Some ESPs will change and add more features. Some big companies will decide to install big appliances to run their own marketing in house.
Things will change but that’s what happens as a market matures. And the ESP market is maturing.
Who do you think will be bought next?

Read More

Email predictions for 2015

Welcome to a whole new year. It seems the changing of the year brings out people predicting what they think will happen in the coming year. It’s something I’ve indulged in a couple times over my years of blogging, but email is a generally stable technology and it’s kind of boring to predict a new interface or a minor tweak to filters. Of course, many bloggers will go way out on a limb and predict the death of email, but I think that’s been way over done.
Even major technical advancements, like authentication protocols and the rise of IPv6, are not usually sudden. They’re discussed and refined through the IETF process. While some of these changes may seem “all of a sudden” to some end users, they’re usually the result of years of work from dedicated volunteers. The internet really doesn’t do flag days.
One major change in 2014, that had significant implications for email as a whole, was a free mail provider abruptly publishing a DMARC p=reject policy. This caused a lot of issues for some small business senders and for many individual users. Mailing list maintainers are still dealing with some of the fallout, and there are ongoing discussions about how best to mitigate the problems DMARC causes non-commercial email.
Still, DMARC as a protocol has been in development for a few years. A number of large brands and commercial organizations were publishing p=reject policies. The big mail providers were implementing DMARC checking, and rejection, on their inbound mail. In fact, this rollout is one of the reasons that the publishing of p=reject was a problem. With the flip of a switch, mail that was once deliverable became undeliverable.
Looking back through any of the 2014 predictions, I don’t think anyone predicted that two major mailbox providers would implement p=reject policies, causing widespread delivery failures across the Internet. I certainly wouldn’t have predicted it; all of my discussions with people about DMARC centered around businesses using DMARC to protect their brand. No one mentioned ISPs using it to force their customers away from 3rd party services and discussion lists.
I think the only constant in the world of email is change, and most of the time that change isn’t that massive or sudden, 2014 and the DMARC upheaval notwithstanding.
But, still, I have some thoughts on what might happen in the coming year. Mostly more of the same as we’ve seen over the last few years. But there are a couple areas I think we’ll see some progress made.

Read More

December 2014: The month in email

2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.

Read More

Merry Christmas


A retro merry christmas from everyone at Word to the Wise!

Read More

Barracuda Email Security Service disruption

Starting around 10:15 2:45 EDT this morning, the Barracuda Email Security Service is having issues processing email for customers.
More information on Twitter and reddit

Read More

Google's Inbox Team answers questions on Reddit

The team behind Google’s new Inbox app did an “Ask us Anything” Q&A with reddit on December 3rd. The team consisted of a Product Manager, Designer, and Software Engineer and for two hours the team answered all sorts of questions.
Most of the questions were about new features or supporting additional email providers, and it showed just how new this app is. It’s not quite ready to be your primary email client, as Inbox only supports personal Gmail accounts. The Inbox team mentions they are working on supporting additional mail providers but does not give a timeline of when that would be available.
For email marketers, Google Inbox shares the same HTML sanitizer and media queries that Gmail does and when asked about email filtering it was mentioned that the direct marketing community would benefit by having a place for their emails within the Promos tab. They describe the Promo tab as

Read More

Our new team members

This has been a busy year here at Word to the Wise. We started out launching our new website in Q1 and have been busily growing our client base. In order to meet the increased demand for our expertise, we’ve brought in new team members.
Meri has been working with us for a few months, helping me with client research and generally keeping my schedule under control. She was previously in ops at some large ISPs.
Josh started last week; he comes to us with a strong technical background and experience building teams. He was previously at Mansell Group (now Whatcounts). Josh will be working on client projects and helping us build out our team. Josh will also be contributing to the blog, look for his first post later this week.
We’re so excited to have both Meri and Josh at WttW. This is a big, exciting step forward in our company and we’re so glad they’ve decided to join us.

Read More

November 2014 – the month in email

Over the years, we get many of the same questions again and again. This isn’t a complaint; it’s a useful opportunity for us to check in and see if the technologies, policies and best practices have evolved over time, or if our previous recommendations still stand. One example this month of something that has changed (the situation has improved a bit): Using URL shorteners and one that has not: The Best Time to Send Email.

Read More

Congestion at Verizon

Yahoo! finally found their broken cable (I had no idea Yahoo had fiber) and fixed it. Now, I’m seeing a lot of reports that Verizon is accepting mail very, very slowly. Some folks are reporting no more than 20 messages a minute. This could be due to congestion, and just an underpowered system, or it could be some purposeful throttling on Verizon’s end.
In any case, this is affecting a lot of senders and not just the marketing end of things.
Updates as I get them.

Read More

My holiday email prediction

I was on IRC with a group of ESP delivery specialists last week and one of them was looking for something to blog about. I suggested a list of holiday predictions. Not that I have a huge number of holiday predictions, but I did come up with one.
During the holiday season at least one retailer will decide that they have information so important that they will ignore my opt-out request and add me to their holiday blast list.
So what’s your holiday email prediction?

Read More

Yahoo problems

I’m seeing scattered reports today that a lot of places are seeing backed up queues to Yahoo. They’ve had some problems over the last few days and seem to be still recovering. It’s looking like it’s something internal to Yahoo. One set of error messages I’ve seen reported by numerous people is: “451 4.3.2 Internal error reading data.”
It’s not you, and it’s not spam related. But it is putting a crimp in a lot of companies’ attempts to send lots of email ahead of black friday and cyber monday.

Read More

Changing the email client

We’re in the thick of hiring and next week is Thanksgiving, so blogging is going to be very light for the next two weeks.
One thing I have noticed is that lately there are attempts to “change how people interact with email.” Google released their Inbox product. And today I saw a post about an IBM attempt to change email and how people use it as a tool.
I find as I juggle more and more incoming email that most email clients just don’t cope with the whole process well. For a long time I could use my inbox as a todo list and manage what needed to be done. With the company growing and changing, an inbox todo list is just not as workable as it used to be. Maybe the Verse client from IBM is one solution.
I’m glad people are looking at how to improve the email client. Fundamentally, the client I’m using now is not that much different than the GUI client I was using at MAPS back in 2000 and 2001. Sure, it’s visually different, but the functionality isn’t much different.
A few years ago I blogged that people should look at building new email interfaces. I’m glad that some companies are actually looking at the interface and rethinking how people interact with email. Who knows, maybe we’ll end up with some specialized clients that are featured around getting work done by email and other clients focused around a more casual use of email, like shopping and networking.
 
 

Read More

Cloud sending with Momentum from MessageSystems

Earlier this week MessageSystems announced a new cloud platform, SparkPost, letting smaller companies have access to the power of MessageSystems’ Momentum platform.
MessageSystems announced this at their user conference in San Diego. There was a lot of great information from ISPs and Momentum customers presented at the conference. If you get a chance, check out the conference tweet stream (#msusercon) and the tweets by their director of Industry Relations, Len Shneyder.
Now everyone can use the Momentum engine to send mail and take advantage of the features designed for large companies to communicate with their millions of customers.

Read More

STARTTLS and misplaced outrage

About a month ago someone posted a heavily elided screenshot that they claimed was evidence of their ISP, AT&T, sabotaging SMTP connections being sent over their network, meaning that anyone could sniff their passwords and traffic.
This is it:
[Screenshot: STARTTLS-tampering]
Most email people looking at that saw the asterisks in the banner and went “Oh. That’s not the ISP tampering with the traffic, the person running the mailserver doesn’t know how to configure their PIX firewall.”
It’s a very, very, very, well known issue.
But some groups who should know better, such as Ars Technica and the EFF, don’t seem to understand – even when they know about PIX fixup – that this isn’t tampering by intermediate ISPs, it’s just the operator of the mailserver in question not knowing how to configure his firewall. And it’s not a general attempt by consumer ISPs to “tamper with email encryption”, it’s just the operator of one mailserver not knowing how to configure his firewall.
PIX is a simple NAT/firewall appliance from Cisco. It’s a reasonable firewall, but it has some quirks. One of them is its “MailGuard” or “SMTP fixup” feature. When that’s turned on, it intercepts SMTP traffic and “sanitizes” it, to protect the mailserver from hostile traffic. To do this, it does a couple of things. One is that it blocks any attempt at sending a command that’s not one of the bare basic SMTP commands, by intercepting them and rejecting them with the error “502 5.5.2 Error: command not recognized”. The other is that it hides the software that’s running on the mailserver, removing any mention of it from the banner string sent when you connect. In fact, it replaces any character other than “2” or “0” with an asterisk.
I had an old PIX that I’ve not used in years, so I thought I’d set it up to show you. Here it is, being guarded by Freddy Chimpenheimer.
[Image: the PIX]
I set it up as though it was protecting our mailserver.
Here’s what happens when I connect to the mailserver with the PIX configured correctly:
[Screenshot: SMTP session with the PIX configured correctly]
And here’s what happens when I configure the PIX to use “fixup protocol smtp 25” and try and connect to the mailserver again:
[Screenshot: SMTP session with “fixup protocol smtp 25” enabled]
Looks pretty similar to the “ISP tampering with the traffic” screenshot this all started with. I’m using an older PIX firmware image (I really didn’t want to spend the time and money to upgrade my PIX) so it errors out on EHLO, rather than just on STARTTLS. And because this old firmware doesn’t support EHLO, you also don’t see it using “XXX” to block out the string “STARTTLS” in the response to EHLO – the line in the original that says “250-XXXXXXXXA” said “250-STARTTLSA” before the PIX censored it.
Now I have those screenshots I’m going to disconnect my PIX and put it back in the pile of spare networking gear.
So the whole issue is just a mailserver operator who has a badly misconfigured firewall in front of his mailserver, nothing more.
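The signatures described in this post can be checked mechanically against a captured SMTP session. The following is an added example, not code from the original post: the function name `analyze`, the transcript format and the three sample sessions are constructed for illustration, and the matching is a heuristic built only from the behaviours the post describes.

```python
import re

# Signatures the post attributes to PIX "fixup protocol smtp":
#  - greeting banner with every character except "2" and "0" masked by "*"
#  - the STARTTLS keyword in the EHLO reply overwritten with X's
#  - unknown commands refused with this exact 502 text
MASKED_BANNER = re.compile(r"^220[ -](?=(?:[^*]*\*){4})[*20 ]+$")
MASKED_STARTTLS = re.compile(r"^250[- ]X{8}")  # len("STARTTLS") == 8
REAL_STARTTLS = re.compile(r"^250[- ]STARTTLS\b", re.IGNORECASE)
FIXUP_502 = "502 5.5.2 Error: command not recognized"


def analyze(transcript):
    """Classify an SMTP transcript given as (direction, line) tuples,
    where direction is "C" (client) or "S" (server)."""
    findings = []
    starttls_offered = False
    last_cmd = None
    for direction, line in transcript:
        line = line.rstrip("\r\n")
        if direction == "C":
            last_cmd = line.split(" ", 1)[0].upper()
            continue
        if MASKED_BANNER.match(line):
            findings.append("banner-masked")
        if MASKED_STARTTLS.match(line):
            findings.append("starttls-keyword-masked")
        if REAL_STARTTLS.match(line):
            starttls_offered = True
        if line.startswith(FIXUP_502) and last_cmd in ("EHLO", "STARTTLS"):
            findings.append(last_cmd.lower() + "-rejected")
    # A 502 alone only means the command is unsupported; the masking
    # is what points at a fixup device in front of the mailserver.
    suspected = any(f.endswith("-masked") for f in findings)
    return {
        "starttls_offered": starttls_offered,
        "findings": findings,
        "fixup_suspected": suspected,
    }


# Constructed sample sessions (hostnames are placeholders).
CLEAN = [
    ("S", "220 mail.example.com ESMTP Postfix"),
    ("C", "EHLO client.example.net"),
    ("S", "250-mail.example.com"),
    ("S", "250-PIPELINING"),
    ("S", "250-STARTTLS"),
    ("S", "250 8BITMIME"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]

# Older firmware, as in the author's test: EHLO itself is refused.
FIXUP_OLD = [
    ("S", "220 *********************************"),
    ("C", "EHLO client.example.net"),
    ("S", "502 5.5.2 Error: command not recognized"),
    ("C", "HELO client.example.net"),
    ("S", "250 mail.example.com"),
]

# Behaviour described for the original screenshot: keyword X'd out.
FIXUP_NEW = [
    ("S", "220 *********************************"),
    ("C", "EHLO client.example.net"),
    ("S", "250-mail.example.com"),
    ("S", "250-XXXXXXXXA"),
    ("S", "250 8BITMIME"),
    ("C", "STARTTLS"),
    ("S", "502 5.5.2 Error: command not recognized"),
]

if __name__ == "__main__":
    for name, t in (("clean", CLEAN), ("old", FIXUP_OLD), ("new", FIXUP_NEW)):
        print(name, analyze(t))
```

A masked banner or keyword seen from several unrelated networks points at the device in front of the mailserver, which is the mailserver operator's to fix.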

Read More

Email problems are costly

Last week Zulily released their quarterly earnings. Their earnings report was disappointing, resulting in a drop in their stock prices. The chairman of the company told reporters on a conference call that part of the reason for the drop in earnings was due to deliverability problems “at a large ISP.”

Read More

October 2014 – The Month in Email

October was action-packed at WttW. We wrapped up some big and interesting client projects (look for some case studies soon!), attended another great M³AAWG conference, and made an exciting announcement that we’re hiring a deliverability specialist. The combination of these frees up some more of my time for blogging, which I’ve really missed. Look for more from me in November and December.

Read More

The best time to send email

This subject comes up over and over again. Many senders are convinced that there is a best time to send email. Countless research hours have been dedicated to finding that best time to send email. Numerous blog posts discuss what the best time to send email is.
From my perspective, there are better places for senders to spend time than figuring out what the exact right time is. But senders still ask when the best time to send mail is.
There are a lot of reasons I can come up with as to why there’s no best time to send email. But the really big one is that when you send a mail has no impact on when it gets delivered. There are multiple steps between hitting the send button and the mail being delivered to the inbox that are totally outside the control of the individual sender.
Email is designed as “store-and-forward.” This means there are potential delays at multiple steps inside the process.
Sending queues are called queues for a reason. Emails are sent out individually, particularly when an ESP uses VERP as part of its sending. There is actually a time overhead for making a connection to a recipient server and sending the email.
Receivers have queues, too. They can only accept so many incoming connections at a time. They have limited resources to accept all the mail their users want.
Receivers may delay mail between accepting it at the MX and delivering it to the inbox. This isn’t ideal and it’s not usual, but it can happen.
Recipients using IMAP accounts may not check mail regularly. They may only collect mail a few times a day.
These are only a few of the reasons that send time doesn’t necessarily equate with delivery time. Of course, 99% of the time email is mostly instantaneous. The internet is robust enough that a message sent is delivered seconds later. I see it happen all the time, when colleagues and I send email during calls. But, when mail fails, it sometimes fails spectacularly. Back in the dark ages (of the early 90s) I had an email that took almost a year to get to the recipients. Best I can tell, it got stuck somewhere in the depths of a machine in the middle of the university mail system. Eventually that system fell over and someone noticed and rebooted it (maybe it was walled up somewhere?). The reboot shook my message out of wherever it was stuck.

Read More

Superstition, correlation and reality

I’m not a huge baseball fan, probably a side effect of growing up in a city with no MLB team. But I do enjoy the social aspects of rooting for local teams when they’re winning big games. Last night I was following the World Series score online and switched over to watch the last inning. I posted something about the game on FB just about 30 seconds before the Giants’ outfield bobbled what should have been a single (at best). I immediately posted an apology, “Sorry about that, shouldn’t have said anything!”
Do I really think that my post somehow cursed two outfielders and caused them to bobble a simple play? No, of course not. But it is a very human response. In fact, there’s an entire advertising campaign centered around the weird things people do while watching sports.
There is a lot of superstition in email delivery, too. I think that’s a combination of filtering necessarily being a black box, humans’ built-in tendency to see patterns in random data, and a need to be able to control and affect outcomes.
Figuring out cause and effect in the real world is not trivial. In my research days we set out to control as many confounding factors as possible so we could demonstrate the cause and the effect. That’s really hard to do when you’re not at a lab bench. In the real world, we can’t always control things directly. Instead, we have to rely on statistics and representative (or non-representative) samples.
Delivery isn’t even close to a science and one of the major issues is that filters are always changing. I’ve certainly seen occasions where multiple clients, or colleagues, were having problems delivering to one ISP or another. One of my clients made a change and saw their delivery improve. They patted themselves on the back for figuring out the problem. At the same time, though, other folks saw their delivery improve without making any changes. I can’t always convince people that whatever they did had nothing to do with their delivery improving.
The flip side is I can’t always convince people to stop doing some things that they don’t need to do. I see a lot of mail with both DomainKeys and DKIM signatures. In most cases both signatures have the same selectors. DomainKeys is deprecated. No one, and I mean no one with a modern email system, is checking DomainKeys without checking DKIM. Senders can safely stop signing with DomainKeys and have nothing happen. It doesn’t matter, lots of ESPs and senders sign with both. They’re not going to change it. I’ve had multiple groups tell me they’re afraid to stop signing because it might hurt their delivery.
The reality is I didn’t make the Giants’ outfield bobble the ball because I posted to FB that I was watching the bottom of the 9th inning. The reality is that DomainKeys is deprecated and there’s no benefit to signing with both DomainKeys and DKIM. The reality is we are humans and we are inherently superstitious. Most of the time our superstitions are harmless. But sometimes they cause us more work than we need to do and provide no tangible benefits.

Read More

Disposable addresses

Both Steve and I have blogged about how we use tagged addresses to monitor and manage our incoming mail. This is not something unique to our system, but rather a feature that’s existed in many mail systems for a long time. Many unix systems support tagged addresses out of the box, but there are also commercial MTAs and even some webmail services that support tags.
Gmail offers “+ addressing” where users can use unique tags after their username. This gives every Gmail user an unlimited number of addresses to use. If any address gets leaked or compromised, you can set filters to ignore future mail to that particular tagged address.
Yahoo offers up to 500 unique addresses per account. Initially this was a service provided by OtherInbox, now owned by Return Path, but it’s not clear if that’s still the case.
Spamgourmet has been offering disposable addresses since 2000. Their system has a built in limit on the number of emails a particular email will receive, which can help control the incoming volume.
Spamex is another provider of disposable addresses that’s been around for years and is providing services that allow recipients to control their incoming mail.
New on the scene is MeAndMyID.com who popped up in the comments here today. They are offering disposable addresses, free for a lifetime, if you sign up soon.
There are also the “short term” or “open inbox” disposable addresses like Mailinator or 10 Minute Mail.
I find disposable addresses invaluable for sorting through the mail coming into my account. A bank email to an address I didn’t give the bank? It’s a phish. A pizza hut email to an untagged address? Not real. Target emails to an address only given to Amazon? Amazon is selling or giving addresses away in violation of their privacy policy. Unexpected email from a vendor, but to a tagged address? Time to unsubscribe as I’ve lived this long without their mail.

Read More

Spam, Phish or Malware?

Some mornings I check mail from my phone. This showed up this morning.
[Image: PizzaHutMail]
My first thought was “oh, no, Pizza Hut is spamming, wonder who sold them my address.”
Then I remembered that iOS is horrible and won’t show you anything other than the Friendly From and maybe it was some weird phishing scheme.
When I got to my real mail client I checked headers, and sure enough, it wasn’t really from Pizza Hut. I’m guessing actually malware, but I don’t have a forensics machine to click the link and I’m not doing it on anything I can’t wipe (and have isolated from the rest of my network).
The frustrating thing for me is that this is an authenticated email. It’s not from Pizza Hut; the address belongs to some company in France. Apparently, that company has had their systems cracked and malware sent through them. Fully authenticated malware, pretending to be Pizza Hut, and passing authentication on various devices.
Pizza Hut isn’t currently publishing a DMARC record, but in this case, a DMARC record for Pizza Hut wouldn’t matter. None of the email addresses in the headers point to Pizza Hut.
I spent last week listening to a lot of people discussing DMARC and authentication and protecting people from scams and headers. But all the protocols in the world won’t protect against this kind of thing. Phishing and malware can’t be fixed by technology alone. Even if every domain on the planet published a p=reject policy, mail like this would still get through.

Read More

Three things marketers should do when domains are retired

A few weeks ago I was alerted to a domain change for INGDirect. The ingdirect.com domain is being retired and all users are migrating to the capitalone.com domain. As part of this change usernames are NOT being transferred, so if you have @ingdirect.com addresses on any B2B mailing list, you will need to drop those addresses and find the new contact information for the subscriber.

Read More

Gmail announces new "Inbox" product

Gmail announced today on their blog a new product “Inbox” to help make the inbox more useful and more of a center of activity.
“We get more email now than ever, important information is buried inside messages, and our most important tasks can slip through the cracks—especially when we’re working on our phones. For many of us, dealing with email has become a daily chore that distracts from what we really need to do—rather than helping us get those things done.”
Inbox lets people organize their emails to help them get things done. Creating tasks, organizing threads and discussions, all of that can now be done in this new application.
 

Read More

Bounces at Verizon

There have been lots of reports of Verizon rejecting valid email addresses for a few hours this morning. They seem to have fixed things now but you probably want to make sure you didn’t suppress those addresses.

Read More

M3AAWG Boston

The tri-annual procession of Facebook friends and colleagues to a disclosed location to talk about messaging, abuse and prevention started over the weekend.  For me, this M³AAWG conference marks the beginning of a new chapter. We’re hiring, and even before the conference officially started I’ve had some productive conversations with people about what we’re looking for and how we see the company growing. M³AAWG is always a little like a reunion. I’ve been working with some of the people present for more than a dozen years, and some I’ve known for even longer. The conference is work, they mean the “working group” part of their name, but it’s also a time to create and maintain the community that keeps our online messaging from being overwhelmed. If you’re here, drop by and say hi (and don’t forget to visit my session on Thursday afternoon)! Otherwise, watch this space as I share what insights I can about the information presented.

Read More

We're growing… and hiring

The last year has been a time of growth here at Word to the Wise. You’ve seen some of this in our new website and branding. The result of this investment in the company has translated to more, and more interesting, consulting work.
It’s possible you’ve noticed that I’ve not been blogging as much over the last couple months. Steve’s picked up the slack admirably and posted a number of great technical posts. In all honesty, though, I’ve missed the chance to talk about email topics here on the blog. It’s not that I’ve been avoiding blogging, I’ve just been very busy handling our growing client base.
In order to better meet the demand for our services, we’re hiring our first deliverability consultant. We’re looking for a self starter with strong communications skills who understands email and delivery and who can adapt to a fast changing environment.

Read More

ISP filters are good for marketers

A throwback post from 2010.
Attention is a limited resource.
Marketing is all about grabbing attention. You can’t run a successful marketing program without first grabbing attention. But attention is a limited resource. There are only so many things a person can remember, focus on or interact with at any one time.
In many marketing channels there is an outside limit on the amount of attention a marketer can grab. There are only so many minutes available for marketing in a TV or radio hour and they cost real dollars. There’s only so much page space available for press. Billboards cost real money and you can’t just put a billboard up anywhere. With email marketing, there are no such costs and thus a recipient can be trivially and easily overwhelmed by marketers trying to grab their attention.
Whether it’s unsolicited email or just sending overly frequent solicited email, an overly full mailbox overwhelms the recipient. When this happens, they’ll start blocking mail, or hitting “this is spam” or just abandoning that email address. Faced with an overflowing inbox recipients may take drastic action in order to focus on the stuff that is really important to them.
This is a reality that many marketers don’t get. They think that they can assume that if a person purchases from their company that person wants communication from that company.

Read More

Does volume cause blocking?

There seems to be a never ending debate about volume and how it affects delivery and revenue. I regularly get questions asking if ISPs block senders just for volume.
The answer is no. Unless you’re actually sending enough mail to overwhelm the incoming infrastructure, something that’s difficult on today’s internet, you’re unlikely to be blocked due to simply sending a high volume of mail.
Sending mail recipients don’t want, or mail that looks like spam, is what will get the mail blocked or filtered.

Read More

Yahoo.com on FCC wireless "do not mail" list

Update: As of mid-morning pacific time on 10/7 yahoo.com has been removed from the FCC list.
As part of CAN SPAM the FCC maintains a list of wireless domains that require proof of permission to send mail to. Recently, various email folks noticed that yahoo.com was added to this list.
According to the law, senders have 30 days to meet the permission standards for any recipients at domains on the FCC list. In practical terms what this means is that the FCC and Yahoo have 30 days to fix this error and get yahoo.com off the list. Based on conversations with people who’ve talked to Yahoo and the FCC this is in the process of happening.
This isn’t the first time a non-wireless domain has been added to the FCC list.
As a sender what should you do with your yahoo.com subscribers?
Right now, nothing. There is a 30 day grace period between when a domain goes on the FCC list and when senders need to comply. I have every expectation that this will be removed in less than 30 days.
But what if it’s not?
In that case you will need to segregate out yahoo.com subscribers in 30 days and not mail them until the domain is removed from the FCC list. While I can’t actively suggest ignoring the law, it’s unlikely that the FCC is going to start coming after senders for mailing yahoo.com addresses once the 30 days are up.
More information: Al Iverson’s Spam Resource.

Read More

Email marketing not dead yet

If Forrester research is to be believed, email marketing is feeling better. In fact, it seems email marketing is more effective than ever.

Read More

Marketing pet peeves

Loren McDonald has a great post over at Mediapost listing his email marketing pet peeves. I particularly love this because he includes those things that annoy him as a subscriber.
Most of what annoys me as a subscriber is sloppy marketing. Really is it so hard to actually check what you’re sending and who you’re sending it to?
[Image: elloIFNAME]
This was a notice from Ello telling me that they’d get to my request for an account “at some point.” There were two fails here. The first is very obvious from the To: line. The second is even worse. I have an Ello account, I’m not waiting. Apparently they pulled their “current user” file and added it to the “waiting user” file and then mailed all of them a notice the accounts were getting turned on, albeit slowly.
The footer of the mail made it clear they knew they were spraying and praying:

Read More

September 2014: The Month in Email

September was another busy month for us, but Steve stepped up and wrote a number of really interesting posts on email history, cryptography, and current technical issues in the email landscape.
We started the month with a look at the various RFCs that served as the technical specifications for developing message transfer protocols in the 1970s. It’s really fascinating to look at the evolution of these tools we use every day 40 years later. We followed up with a second post on the origins of network email, which is a great primer (or refresher) on the early days of email.
Steve’s four-part series on cryptography and email started with an in-depth look at how the industry is evolving with respect to encryption and privacy issues. He then introduced us to Alice and Bob (or reintroduced those of us who have been following the adventures of the first couple of cryptography), and described symmetric-key and public-key encryption. His next post described message signing, and how DKIM is used to manage this. He finished up the series with a post on PGP keys.
In industry news: Spamcop is shutting down its email service. There shouldn’t be any major impact on senders, but the post has some specific notes on DMARC implications. We also noted an interesting mail routing suggestion on Twitter, and wrote a post on using Mail.app for this.
In other DMARC news, we wrote about DMARC and report size limits, which might be useful information, depending on your configuration. We also launched a new DMARC tool to help senders understand who is publishing DMARC. Let us know what you think and if you’re finding it useful.
We couldn’t let a month go by without mentioning filters. We looked at a sector we don’t usually discuss, corporate filtering, and went in-depth on a much-misunderstood topic, content filtering.
Finally, Laura offered a webinar on a favorite topic, deliverability, in conjunction with the AMA and Message Systems. If you missed it, you can watch the recorded version here, or just take a peek at some of the reaction via Twitter.

Read More

Spamcop mail changes

Spamcop is shutting down its email service. While anyone could report spam using Spamcop, the system also provided users email addresses behind the Spamcop filters. This shut down should have no major impact on senders. Email addresses in use will still be accepting email, but that mail will simply be forwarded to another address, instead of users being able to access it through POP or IMAP.
The one problem some senders may have is IF they are solely authenticating through SPF and they are publishing a p=reject DMARC statement. This may result in some of the mail being rejected at the forwarding mail server, like AOL, Yahoo and other services respecting DMARC policy statements.
User forwarded mail will be coming from 68.232.142.20 (esa1.spamcop.iphmx.com) and 68.232.142.151 (esa2.spamcop.iphmx.com). If you don’t want to apply DMARC policy to known forwarded mail, those are the IPs to special case.

Read More

What about the bots?

M3AAWG published a letter to the FCC addressing the implementation of CSRIC III Cybersecurity Best Practices (pdf link)
The takeaway is that of the ISPs that contribute data to M3AAWG (37M+ users), over 99% of infected users receive notification that they are infected.
I hear from senders occasionally that they are not the problem, bots are the problem and why isn’t anyone addressing bots. The answer is that people are addressing the bot problem.

Read More

B2B email filtering

I’ve written about B2B filtering in the past, but I don’t blog too much about corporate filtering overall. The reason for this is that the corporate landscape is a lot broader and less consistent than the consumer space. That makes it much more difficult to tell senders how to handle corporate filtering, because each corporation is different.
But as I think about it, I realize that’s not necessarily true. In the corporate space there are a few big filtering providers, a couple major hosting systems and a major open source package. While the overall goals of business filtering are slightly different, many businesses have similar goals for their inbound filtering.

Read More

Think you know about deliverability?

Check out the tweets from my AMA webinar sponsored by Message Systems today.
Thanks to the AMA and Message Systems for having me.

Read More

Reminder: AMA webinar

Today is the last day to sign up for the AMA webinar hosted by Message Systems and listen to me talk about the future of deliverability.
I hope to see you there!

Read More

Dealing with compromised user accounts

M3AAWG is on a roll lately with published documents. They recently released the Compromised User ID Best Practices (pdf link).

Read More

Content based filtering

Content filtering is often hard to explain to people, and I’m not sure I’ve yet come up with a good way to explain it.
A lot of people think content reputation is about specific words in the message. The traditional content explanation is that words like “Free” or too many exclamation points in the subject line are bad and will be filtered. But it’s not the words that are the issue; it’s that the words are often found in spam. These days filters are a lot smarter than to just look at individual words; they look at the overall context of the message.
Even when we’re talking content filters, the content is just a way to identify mail that might cause problems. Those problems are evaluated the same way IP reputation is measured: complaints, engagement, bad addresses. But there’s a lot more to content filtering than just the engagement piece. What else is part of content evaluation?

Read More

IP Reputation

A throwback post from a few years ago on IP reputation.

Read More

Who didn't invent email?

Who didn’t invent email? Shiva Ayyadurai.
He’s not the only one – I didn’t invent email either, nor did Abraham Lincoln, Boadicea or Tim Berners-Lee. So why mention Shiva?
He claims that in 1978 when he was 14, he took some courses in programming. His mum worked for the University of Medicine and Dentistry of New Jersey, and one of her colleagues challenged him to write an electronic mail system. And he did just that, creating a basic messaging system in FORTRAN, based on the existing paper memo format, ending up with a non-networked electronic mail system with similar functionality to mainstream applications that were in use well over a decade earlier.
That’s pretty impressive, and is the sort of thing that’ll look good on a college application form. (When I was 13 I designed and implemented a chassis dynamometer management unit that Shell’s research division used to test fuel and lube oil performance over virtual driving tracks – dozens of pages of 6502 assembly code, and you can be sure I put that on my college application form).
Some years later, in 1982, Shiva applied for and was granted a certificate of copyright registration on that piece of software. A copyright is not a patent – it recognizes and protects the expression of the work, not the idea underlying the work. There’s no real bar for copyright, other than it being a piece of work you created yourself – I automatically own copyright to anything I create, including software I’ve written and this blog post. Registering a copyright on a work, whether it be software or anything else, is a trivial exercise in bureaucracy – you fill in a form, you pay a registration fee, it gets rubber stamped. What is protected by the copyright is the work – in this case the software source code – itself, not the ideas, not the name of the package, nothing else. (I have copyright on my software package, Abacus. That doesn’t mean that I invented the Abacus.)
Meanwhile, Shiva moved into email marketing, founded a small ESP, and seems to be doing quite nicely (although a journalist who looked can’t find much evidence of the ESP being successful, or even existing, other than a lawsuit it filed against IBM and American Express for misappropriation of trade secrets in 2005).
Back in 2011, though, things started to get weird. Shiva started to use this copyright filing, and the fact that he used the title “EMAIL” on the filing, to support a claim that he was “the inventor of email”. It’s a compelling human interest / tech story to journalists whose knowledge of email and internet history is vague, so it got quite a bit of coverage.
(Shiva makes an image of his copyright certificate available: http://www.vashiva.com/images/vashiva_patent3_enl.jpg. Note that the URL describes it as a “patent”, rather than a copyright filing.)
It was quickly debunked. It didn’t pass the sniff test. Technical blogs started asking how the Washington Post and other press had fallen for this. The Washington Post clarified that pretty much all the significant claims in the original article were untrue.
It didn’t go away, though. Two-and-a-half years later, there’s a series of articles in the Huffington Post, pitching the same story, this time with a few unpleasant twists in its approach. It’s got a glossy infographic, filled with provably false claims. It has the feel of a professional PR campaign, rather than an article written by a reporter. Sure enough, it’s written by Larry Weber, a high powered PR guy (CEO of RacepointGlobal – who “build the right influencer relationships for your brand” – and CEO of Weber Public Relations Worldwide). There are at least five articles in the series, all written by different people, but having oddly similar phrasing.
Shiva’s ESP, EchoMail, and their current branding is based around his (false) claim to be the “Inventor of Email”, so there’s clearly money as well as ego at stake. Neither Larry Weber nor the Huffington Post mentioned that Larry Weber is also on the board of EchoMail.
So we’re going through the debunking process again. I was going to write more, but others are way ahead of me.

Read More

Changing your email address

Over at Mediapost, Loren McDonald talks about how hard it’s been to change his email address when his employer got bought out.

Read More

August 2014: The Month in Email

Isn’t August the month where things are supposed to slow down? We’re still waiting for that to happen around here… it’s been great to be busy, but we’re hoping to continue to carve out more time for blogging as we move into the fall.
As usual, we reported on a mix of industry trends and news, the persistence of spam, and did a deep dive into an interesting technical topic. Let’s start there: Steve wrote a post explaining Asynchronous Bounces (yes, it’s a GNFAB), with some examples of how they’re used and how they can cause operational problems.
In industry news, we did a roundup post of some Gmail changes and a followup post on security issues with non-Latin characters in addresses. We also celebrated the long-awaited release of a wonderful resource from MAAWG that I am very proud to have helped author, the white paper Help! I’m on a Blocklist! (PDF link). We receive dozens of these calls every week, and though we are always happy to help people solve urgent delivery crises, we spend most of our consulting time and attention working with people to build sustainable email programs, so this document is a great “self-service” resource for people looking to troubleshoot blocklist issues on their own.
In other industry and MAAWG-related news, we noted that the nomination period for the J.D. Falk award has opened (you have just a few more days, procrastinators) and took a moment to reminisce about our friend J.D. and his incredible contributions to the field.
On the topic of creating, sending, and reading more attractive email, we posted some resources from Mailchimp and crowdsourcing templates from Send With Us. We also incorrectly reported on a not-actually-new interface from AOL, Alto. Interesting to note that there’s been so little followup from AOL (and almost no post-launch coverage) in the two years since launch.
We also touched on a few myths: email saves trees and low complaint volume is good.
And finally, in November of 2013, I unsubscribed from every possible email I received on a specific account. I followed up on that briefly in a Part 2 post, and this month went back and wrote a Part 3 followup. Spoiler alert: spam is still a problem. Of course, we got some comments that we were probably doing it wrong, so Unsubscribe Barbie showed up to add her thoughts. We try not to be snarky around here, but sometimes we just don’t try very hard.

Read More

The origins of network email

The history of long distance communication is a fascinating, and huge, subject. I’m going to focus just on the history of network email – otherwise I’m going to get distracted by AUTODIN and semaphore and facsimile and all sorts of other telegraphy.
Electronic messaging between users on the same timesharing computer was developed fairly soon after time-sharing computer systems were available, beginning around 1965 – including both instant messaging and mail. I’m interested in network mail, though, so we need to skip forward a few years.
You need a network. And a community.
Around 1968 the initial plans for “ARPANET”, a network to link the various ARPA-funded computers together, were underway. Local mail between users on the same system was already a significant part of the nascent community.

Read More

Email History through RFCs

Many aspects of email are a lot older than you may think.
There were quite a few people in the early 1970s working out how to provide useful services using ARPANET, the network that evolved over the next 10 or 15 years into the modern Internet.
They used Requests for Comment (RFCs) to document protocol and research, much as is still done today. Here are some of the interesting milestones.
April 1971 RFC 114 A File Transfer Protocol. One of the earliest services that was deployed so as to be useful to people, rather than a required part of the network infrastructure, was a way to transfer files from one computer to another. In the earliest versions of the service I can find it could already append text to an existing file. This was soon used for sending short messages, initially to a remote printer from where it would be sent by internal mail, but soon also to a mailbox where they could be read online.
August 1971 RFC 221 A Mail Box Protocol, Version-2 had this prescient paragraph:

Read More

Email design resources

One of the more frequent questions I get that I can’t answer is how to design a good email. Design is just not my strong point and outside actually getting the HTML right, what an email looks like doesn’t have a whole lot to do with delivery. It was pointed out to me today that the nice people over at Mailchimp have a resource page for designing emails. It’s a good mix of theory and explanation and some code examples.
Very useful if you’re trying to create pretty HTML emails from scratch.

Read More

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customers wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs include overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Read More

A new way of reading email

Fastcompany reports that AOL has a new webmail client “Alto” that changes how email is read and received.

Read More

Yes, spam is actually still a problem

I hear a lot of people claim that spam isn’t really a problem any more. That filters are so good that the average user doesn’t see a lot of spam and if they do get “legitimate” mail that they can just opt out.
These are great-sounding arguments; the problem is that those arguments aren’t always true.
There is an address I stopped using for commercial mail around 1997 and all mail around 2002. It still gets hundreds of emails a month.
Those hundreds of emails a month are despite the fact that the address is behind commercial spam filters. It’s been on “flamers lists.” It’s on the “do not mail” list that came with the “Millions CD.”
In addition, I am very open with clients (and their affiliates) that this is a “spam trap” address. I’ve handed it out to dozens and dozens of companies over the years describing it as my spam trap address.
In November 2013, I unsubscribed from every single email received at that account – at least those that had unsubscribe links.
What does the mail volume look like now?
[Figure: monthly spam counts]
If anything unsubscribing made the volume problems worse. In the best case it lowered the volume briefly to something approaching 10 emails a day.
There are currently over 500 messages I’ve received so far in August. These are messages advertising companies like Laura Ashley, MetLife, Military.com, Quibids, Walk In Tubs, Sainsbury’s, Bloomburg, Fidelity, Oral B, Lasix Vision Institute, Virgin Broadband, ClickNLoan, Timeshares, iMotors, Walmart, oil changes, Experian, Credit monitoring, Life insurance, ADT, CHW Home Warranty, Health Plans of America, Bosley Hair Solutions, Jillian Michaels Online, restaurant coupons, credit cards, SBA loans, and that’s before we get to the Garcinia cambogia, herbal viagra and clearly fraudulent stuff.
This account, which hasn’t been subscribed to anything in more than 10 years, is getting hundreds of unasked-for emails a month, even with the benefit of commercial filters. It appears to be being sold or traded in multiple countries (Laura Ashley, Virgin Broadband and Sainsbury’s are all in the UK). I don’t want this mail. I have tried to stop getting this mail.
Yes, spam is still a problem.

Read More

Email saves trees!

The arrival of my first spam email was a bit of a shock. I’d been on the internet for years by that point and had never seen junk mail in my inbox. Of course, the Internet was a very different place. The web was still a toddler. There was no email marketing industry. In fact, there wasn’t much commerce on the web at all. Much of the “surfing” I did was using gopher and ftp rather than the fancy new web browser called NCSA Mosaic. To share pictures we actually had to send printouts by postal mail.
It wasn’t just getting spam that was memorable (oh, great! now my inbox is going to look like my postal box, stuffed full of things I don’t want), it was the domain name: savetrees.com. Built into the domain name was an entire argument defending spam on the grounds of environmental friendliness. By sending spam instead of postal mail we could save the earth. Anyone who didn’t like it was morally corrupt and must hate the planet.
Why do I mention this history? During a discussion on a list for marketers earlier this week, multiple people mentioned that email marketing was clearly and obviously the much more environmentally sound way to do things. I mentioned this over on Facebook and one of my librarian friends (who was one of the people I was email friends with back in those early days) started doing her thing.
She posted her findings over on the Environmental News Bits blog: The comparative environmental impact of email and paper mail. It’s well worth a read, if only because a lot of companies have really looked into the issue in great detail. Much greater detail than I thought was being put into the issue.
I shared one of the links she found, the 2009 McAfee study, with the email marketing group discussing the issue. (You may want to put down the drinks before reading the next line.) It was universally panned as marketing and therefore the conclusions couldn’t be trusted.
Anyone who pays any attention knows that nothing we do and none of the choices we make are environmentally neutral. Plastic bags were supposed to save trees from becoming paper bags, but turned into an environmental mess of their own.
Simple slogans like “email saves trees” might make marketers feel better, and may have gained Cyberpromo a strong customer base in the early days. But the reality is different.

Read More

Protecting users from look-alike accounts

Gmail recently started accepting mail (and calendar invitations) with non-Latin characters. A lot of fraudulent emails use non-Latin characters as a way to fool users. Google is on top of these security issues, however, and is now throwing away some mail with non-Latin characters.

Read More

Nominations for the J.D. Falk Award

J.D. Falk was one of the first names I encountered when learning how to read headers and report spam back in the mid-90s. He was one of the folks leading the fight against spam and actively trying to improve the Internet. When I was hired by MAPS I got to work with J.D. and a number of other big names. One of the things that really surprised me was that this “internet elder” I had imagined was younger than me and with much bluer hair.
After MAPS imploded, J.D. and I carved out separate careers. He went to work at a number of major mailbox providers and I started delivery consulting. Our paths crossed occasionally, usually at conferences, but we also were on a number of mailing lists together. I kept an eye on J.D. and his impact on email delivery. In fact, J.D. was responsible for a lot of the modern anti-spam techniques implemented at ISPs.
Eventually, he moved to Return Path where he worked on their Receiver Support group, even as he continually argued against the false sender / receiver dichotomy that so many people endorse.
M3AAWG, with financial support from Return Path, created the J.D. Falk award to recognize people who work to create a better online world. Nominations for the 3rd annual J.D. Falk award are now open. The M3AAWG website has more details.

Read More

Email templates

SendwithUs is crowdsourcing and open sourcing email templates. These are tested templates submitted by the SendwithUs community and run through the Litmus testing suite.
If you’re in the market for a template, or want to share a great template you’ve designed, check out the SendwithUs project.

Read More

Low complaint rates are not always good

Digging another old blog post out of the archives. In November 2011, I talked about how part of the Holomaxx complaint against Microsoft and Yahoo said that their complaint rates were below 0.5% and 0.1%. The argument was that if their complaint rates were low, then the mail must not be spam.

Read More

Some email related news

A couple links to relevant things that are happening in email.
M3AAWG released the Help! I’m on a Blocklist! (PDF link) doc this week. This is the result of 4 years’ worth of work by a whole lot of people at M3AAWG. I was a part of the working group (“doc champion” in M3AAWG parlance) and want to thank everyone who was involved and contributed to the process. I am very excited this was approved and published so people can take advantage of the collective wisdom of M3AAWG participants.
In other announcements, Gmail announced today on their Google+ page that they were putting a new “unsubscribe” link next to the sender name when mail is delivered to the Promotions, Social or Forums tab. This appears to be the official announcement of the functionality they announced at the SF M3AAWG last February. It likely means that all users are currently getting the “unsubscribe” link. What Gmail doesn’t mention in that blog post is that this functionality uses the “List-Unsubscribe” header, not the link in the email, but I don’t think anyone except bulk mailers really care about how it’s being done, just that it is.
Also today Gmail announced they were going to recognize usernames with non-Latin or accented characters in the name. Eventually, they claim, they’ll also allow people to get Gmail addresses with accented characters.

Read More

July 2014: The month in email

We continue to be busy with really interesting client work. Look for some new posts and white papers to come out of this research over the next few months, but for now blogging has been a bit light while we’re working hard. In parallel with our busy times, we have also been pondering the ways in which the email world illustrates the classic bon mot “plus ça change, plus c’est la même chose”, and we’ve been revisiting some posts from a few years ago to examine this.
We started July with a nod to a good subscription experience just as CASL, the Canadian Anti-Spam Legislation went into effect on Canada Day. While companies have another 17 months to put these provisions into practice, it’s a good reminder that periodic re-engagement with customers can be very effective in helping you maintain high-quality subscriber lists. We talked a bit more about CASL here and what protections the law intends.
In stark contrast, we posted about an organization that is doing a less-than-stellar job making sure they’re only sending wanted email. The Direct Marketing Association is a terrific resource and member organization for marketers across industries and channels, but their email marketing practices don’t always live up to their mission of “Advancing and Protecting Responsible Data-Driven Marketing”, and we explored some ways in which they might improve this.
Those of you who have been reading this blog for any time at all know that we tend to talk about wanted mail and unwanted mail rather than the more general category of spam. Marketers tend to think their mail can’t possibly be spam if it’s not offering Viagra or phishing for credit card information, but that’s not really the point — if a customer doesn’t want to read your email about new mountain bikes, even if they bought a mountain bike from you three years ago, that’s unwanted email. Here’s a post we revisited about why customers might not want your mail, and a new post about engagement.
One risk of sending unwanted email, of course, is that customers complain, and that will affect your delivery going forward. We revisited a post about feedback loops, and also talked a bit about addressing delivery problems as they come up rather than waiting for them to resolve on their own (mostly, they won’t!)
I also proposed a bit of a thought experiment around monetizing the complaint stream, and followed up with a second post. There are some good points in the comments of those posts, but mostly I think it’s an interesting solution to addressing risk and abuse at ESPs.
Finally, Steve wrote a short post about our new mail servers and how quickly spammers descended as we set those up. It’s a constant battle!

Read More

4 email marketing myths

Tom Sather speaks about 4 email marketing myths that just won’t die. Tom has it absolutely right, these are things people believe that are not true.

Read More

How useful are feedback loops

Things are extremely busy here and blogging is going to be light for a few weeks. I’ll be reposting some older blog posts that are still relevant for today’s email senders.
Today’s post is a repost from November 2008. I look at the whys and hows of FBLs, address some of the objections people had to them and discuss how senders should deal with FBL mail.
There has been a very long, ongoing discussion on one of my mailing lists about whether or not feedback loops are a net good or a net harm. I believe, overall, they are a net good, but there are people who believe they are not. The biggest objection is that the lawyer-mandated redaction of the To: address, combined with the fact that some users use the “this is spam” button to delete unwanted email, makes it difficult for some FBL recipients to sort out the real issues from the cruft.
Redaction can be a problem for some senders, particularly for the small mailing list hosted as a hobby or contribution to the community. In order to effectively deal with FBL emails, a sender needs to have tools on the email sending side and on the FBL receiving side. This is often more overhead than the volunteer list maintainer wants to handle. Unfortunately, these senders are a minority and therefore their issues are often not addressed by the ISPs.
Some of the objections and complaints about “broken” or “useless” FBLs come from people who do not really have any history for the FBLs, where they are, what they were designed for and who their target audience is. A bit of history may help explain why things are how they are.
The First FBL
The “this is spam” button evolved from the “notify AOL” button. This button was a way email recipients could notify AOL staff about any number of problems, including threats, viruses and other unwanted emails. As time went on, this was changed to “this is spam” to encourage users to report more spam so that AOL would have the data to make delivery decisions. Eventually, AOL made the decision to share that data with some senders and ISPs. The lawyers made the decision to redact the “To:” address, but not make any other changes to the message because they believe they should not be sharing subscriber email addresses with third parties. As some people correctly point out, the lawyers are not interested in hearing from non-lawyers about changing this. It is possible that another lawyer may be able to put together a position paper and convince them this stance is overly cautious. I am pretty sure, though, that no one without a legal degree will be given any audience from them.
Given the success of the AOL FBL and the demand from both ESPs and ISPs for FBLs, other ISPs started offering FBLs as well. Many of them also redacted the To: address, either just following AOL’s lead or under advice of their own counsel.
That means, as senders, we are in a situation where we really cannot make the ISPs change what they’re doing. We can either adapt our own mailing practices to cope with them or we can forego the data provided by the FBL. One of the challenges in choosing to shun the whitelist at AOL is that in order to qualify for whitelisting, you have to accept a FBL. For ISPs, who want to whitelist their outgoing MTAs, but have customers sending mail, maybe running small mailing lists, or who are forwarding mail to their ISP account, this can be a problem. However, any ISP needs some sort of abuse desk automation, and this automation should be able to handle FBLs. This can also be a problem for small ESPs or companies doing in-house email marketing. They buy something off the shelf to handle mail (or install mailman) that does not do VERP or otherwise enter the specific address in the email. When faced with a redacted email they cannot do anything with the complaint.
What does the FBL email tell the FBL recipient?
This really depends on what role the FBL recipient plays in the mail transport system. Bandwidth and network service providers use the FBL as an aggregate tool. They really only deal with FBL complaints if there is a change in complaint volume about an IP; they don’t treat each complaint as a valuable source of information. Typically what happens is that an ISP abuse desk notices a spike in complaints. After investigation, they may discover that a customer machine is compromised. They then notify the customer, the customer patches or disconnects the machine and the problem is fixed.
ESPs tend to treat the FBL as an unsubscribe mechanism as well as a way to monitor customers. A few FBL complaints are not necessarily a sign that the sender is spamming, but once a threshold is reached the ESP delivery / abuse team addresses the issue. Spammers can get FBLs and often use them as a way to clean lists of complainants. Some really dirty spammers even suppress those complainants from all their lists.
Is a FBL useful?
This is really something that someone else cannot tell you. Some companies find FBLs to be extremely useful, even after they have had to make investments in software (either off the shelf like our Abacus software, or something custom written internally) to send mail that will survive the FBL redaction process and to handle the actual FBL email. Some companies find the FBLs to be more trouble than they are worth. The question, however, is really one only the sender can answer.
Overall, I think FBLs are more helpful than they are harmful. They do require investment on both sides of the transaction, but they do encourage senders and receivers to cooperate with one another.

Read More

Clarification on monetizing complaints

There has been quite an interesting discussion in the comment stream of my earlier post about monetizing the complaint stream. I’ve found all the perspectives and comments quite interesting.
There is one thing multiple people have brought up that I don’t necessarily see as a problem. They assert that this idea will only work if all ESPs do it because customers can just say, “Well, Other ESP will let us do this and not charge us.” I don’t quite understand why this is an issue. Customers already do this. In fact, sometimes the assertion is actually true.
There are ESPs that let customers spam. There will always be ESPs that let customers spam. This is not new. Changing a pricing model isn’t going to change this.
As I was envisioning the monetization process, ESPs who wanted to do this could actually offer multiple tier pricing. The customer can choose a lower price point for their overall mail program, while assuming the cost of their recipients complaining. Or the customer can choose a higher price point and let the ESP absorb the cost of handling complaints. In either case, the customer would still have to meet the ESP’s standards for complaints and comply with their TOS.
Clearly I’m seeing the idea and industry differently than a lot of my readers. I’m interested to hear the thought process behind this so I can better understand the objection.

Read More

Monetizing the complaint stream

What if ESPs (and ISPs, for that matter) started charging users for every complaint generated? Think of it like peak pricing for electricity. In California, businesses can opt for discounted power, with the agreement that they are the first companies shut off if electrical demand exceeds supply. What if ESPs and ISPs offered discounted hosting rates to bulk senders who agreed to pay per complaint?
I see a pricing scheme something like this.

Read More

Facts about engagement

It is reality that ISPs look at the population of recipients that a mail stream is going to.
It is reality that they evaluate the activity of that population.
It is reality that ISPs treat senders that are sending to a significant number of email addresses that have not been logged into or accessed recently negatively.
If you’re having delivery problems, looking at the recipients and their activity is part of troubleshooting the issue and identifying a path back to the inbox.
You can use web and purchase data as a measurement of engagement IF you have, at some point, directly linked the email address and the user.
If you don’t have something that demonstrates a direct link between the person and the address, then it’s a crapshoot as to whether or not that email address belongs to who you think it belongs to.
Happy Friday everyone. It’s been a week.

Read More

Don't wait to address delivery problems

One of the worst ways to deal with blocking issues is to ignore them and hope your mail magically moves from the bulk folder back into the inbox. While this does happen as ISPs and filter companies update their filters, it’s not that common and it’s usually the result of a sender actually cleaning up their sending processes and improving the quality of the mail they send.
Do not ignore blocks. What I generally tell people is that it takes at least as long to repair a bad reputation as it took to get that bad reputation in the first place. If you wait months before actually addressing delivery problems, you’re not going to make a change and have the filters react in hours.
This doesn’t mean that every block is a business crisis. Blocks happen and they do go up and down based on thresholds and automatic monitoring scripts and content. But if a block happens consistently for 4 or 5 days in a row it is time to look at what you’re doing. Don’t just focus on the sidelines and little stuff, either. Look at your marketing program and the mail you’re sending.

Read More

The DMA: Email marketing or spam?

A few weeks ago, I signed up for a webinar from the DMA. As is my normal process I used a tagged address. I don’t remember any notification that I would be signing up for mail, and I generally do look for those kinds of things. I also know a lot of webinars are used to drive sales processes and I prefer not to waste sales time if I’m not actually looking to purchase.
In recent weeks I have gotten an ongoing stream of marketing messages from the DMA. I’ve tried to opt-out, but the DMA don’t actually want me to opt-out. Each marketing message is a different type of message from a different list. Each list must be opted out of individually.
First it was Conferences, then it was Education, then it was Awards, then Events. I’m trying to figure out what’s next and how many more times the DMA is going to get to spam me before I just turn that address into a spam trap.
And before you tell me that I can’t make an address a spam trap, think about that a little bit. I never opted this mail in to receive anything but the webinar confirmation. I’ve dutifully opted out each and every time the DMA has mailed me. I’ve even tried to opt-out of all mail. Unfortunately, the DMA has placed the “opt-out of all mail” behind a registration wall, one I cannot get to as I do not have (or want) a DMA account.
The DMA is sending me mail I did not request and do not want. They have made it impossible for me to determine how much mail I will get. They have made it difficult for me to opt-out of all their mail.
This is an example of bad email marketing. I’m sure that the DMA will tell me this is all permission based email. I disagree. This is an example of the DMA taking permission. This is not an example of a sender asking for permission. I didn’t give permission to be added to all these DMA lists, and I have no way to actually revoke the permission that they took from me.
I signed up for a second webinar with this email address, one related to CASL. The irony is that the DMA’s behavior here is a violation of a number of points of CASL. First, there was no clear opt-in notice on the website. Second, CASL requires parity between opt-in and opt-out. If I opt-in once then I should be able to opt-out once. CASL puts an end to this opt-in once, opt-out dozens of times process.
I wish I could say I was disappointed in the DMA. But I’m barely surprised. Their track record is poor and they have typically fallen on the side of “I have consent until you force me to acknowledge that I don’t.” In this case, the DMA is demonstrating that quite clearly. They will keep spamming and spamming and spamming. I have no doubt were I to actually register an account, they would continue to spam me with “account notifications” that I was unable to opt-out of because they are transactional, membership messages.

Read More

Happy 4th of July

We’re off to eat hot dogs and ice cream and watch fireworks with KarlTheFog.
Have you met KarlTheFog? We visited him earlier this month and I took some pictures.

Read More

June 2014: The month in email

Each month, we like to focus on a core email feature or function and present an overview for people looking to learn more. This month, we addressed authentication with SPF.
We also talked about feedback mechanisms, and the importance for senders to participate in FBL processes.
In our ongoing discussions about spam filters, we took a look at the state of our own inboxes and lamented the challenge spam we get from Spamarrest. We also pointed out a post from Cloudmark where they reiterate much of what we’ve been saying about filters: there’s no secret sauce, just a continuing series of efforts to make sure recipients get only the mail they want and expect to receive. We also looked at a grey area in the realm of wanted and expected mail: role accounts (such as “marketing@companyname.com”) and how ESPs handle them.
As always, getting into the Gmail inbox is a big priority for our clients and other senders. We talked a bit about this here, and a bit more about the ever-changing world of filters here.
On the subject of list management, we wrote about the state of affiliate mailers and the heightened delivery challenges they face getting in the inbox. We got our usual quota of spam, and a call from a marketer who had purchased our names on a list. You can imagine how effective that was for them.
And in a not-at-all-surprising development, spammers have started to employ DMARC workarounds. We highlighted some of the Yahoo-specific issues in a post that raises more questions.
We also saw some things we quite liked in June. In the Best Practices Hall of Fame, we gave props to this privacy policy change notification and to our bank’s ATM receipts.
We also reviewed some interesting new and updated technology in the commercial MTA space, and were happy to share those findings.

Read More

Incorrect rejection messages

At least one ESP and Spamhaus are currently investigating bounce messages at a couple ISPs incorrectly pointing to Spamhaus as the reason for the block. The bounce messages are taking the form:

Read More

Spam disclaimer of the day

Things are extremely busy here so blogging is not getting quite the attention it should. I hope to return to more extensive posts soon. Meanwhile, you’ll have to put up with short posts.
Today is a disclaimer I received in a spam. This is one of my addresses that has, somehow, ended up on UK-specific lists.

Read More

Ever changing filtering

One of the ongoing challenges of sending email and managing a high-volume outbound mail server is dealing with the ongoing changes in filtering. Filters are not static, nor can they be. As ISPs and filtering companies identify new ways to separate out wanted email from unwanted email, spammers find new ways to make their mail look more like wanted mail.
This is one reason traps are useful to filtering companies. With traps there is no discussion about whether or not the mail was requested. No one with any connection to the email address opted in to receive mail. The mail was never requested. While it is possible for trap addresses to get on any list, monitoring mail to spam traps is a way to monitor which senders don’t have good practices.
New filtering techniques are always evolving. I mentioned yesterday that Gmail was making filtering changes, and that this was causing a lot of delivery issues for senders. The other major challenge for Gmail is the personalized delivery they are doing. It’s harder and harder for senders to monitor their inbox delivery because almost every inbox is different at Gmail. I’ve seen different delivery in some of my own mailboxes at Gmail.
All of this makes email delivery an ongoing challenge.

Read More

Outlook 365 having a bad day

I’ve seen scattered reports today that some mail to the Outlook 365 servers is failing. This has been confirmed by ZDNet. Only folks with an Office 365 account can log in and see the status messages, but there are some folks on the mailop list posting updates from the website.
Attempts to mail to affected domains result in this response:

Read More

Delivering to Gmail

Gmail is a challenge for even the best senders these days.
With the recent Gmail changes there isn’t any clear fix to getting open rates or inbox delivery back up. Some of it depends on what is causing Gmail to filter the mail. Changing subject lines, from name, from address may get mail back to the inbox in the short term, but it only works until the filters catch up.
What I am seeing, across a number of clients, is that Gmail is doing a lot of content reputation and that content reputation gets spread across senders of that content.  That means you want to look at who is sending any mail on your behalf (mentioning your domain or pointing at your website) and their practices. If they have poor practices, then it can reflect badly on you and result in filtering.
From what I’ve seen, these are very deliberate filtering decisions by Google. And it’s making mail a lot harder for many, many senders. But I think it is, unfortunately, the new reality.

Read More

Role accounts, ESPs and commercial email

There was a discussion today on a marketing list about role accounts and marketing lists. Some ESPs block mail to role accounts, and the discussion was about why and if this is a good practice. In order to answer that question, we really need to understand role accounts a little more.

Read More

Filtering secret sauce

It seems one of the most asked questions I hear from people is about filters and what the secret sauce is.

Read More

Tracking consumers

In an effort to more closely observe the group’s buying habits and personal behaviors, a growing number of corporations are turning to tag and release programs to study American consumers, sources confirmed Friday. The Onion

Read More

Authenticating with SPF: -all or ~all

What is SPF?

Sender policy framework (SPF, RFC 7208) is an authentication process that ties the 5321.from (also known as the mail from, envelope from or return path) to authorized sending IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of a SMTP transaction, compare the 5321.from domain to the connecting IP address and determine if that IP is authorized to transmit mail.

Read More

Updates to commercial MTAs

Last week Message Systems announced the release of Momentum 4. This high volume MTA has a large number of features that make it possible for large volume senders to manage their email and their delivery. I had the opportunity to get a preview of the new features and was quite impressed with the expanded features. Improvements that caught my eye include:

Read More

Stop telling me how great Spamarrest is

Late last year, Al wrote a piece discussing how Spamarrest lost a court case. In the comments on that piece I described how much I really detest Spamarrest because of all the spam I get from Spamarrest users. Every few weeks, someone notices that post again and points it out to Spamarrest users who then come over here to tell me how wonderful Spamarrest is for them.
I Get It. You like Spamarrest because it keeps spam out of your inbox.
The problem is Spamarrest (and any other challenge response setup) contributes to spam in my inbox. I have addresses that get forged into spam all the time. When that happens, I get dozens of Spamarrest challenges, clogging up MY inbox.
I don’t want to do your spam filtering for you. I really don’t. And if you ask me if you should receive a piece of email, I am going to tell you yes. I did that for a while; when I got a challenge from someone I’d answer it in the affirmative. Eventually I got tired of it and sent all mail from @spamarrest.com to /dev/null.
Am I missing out on corresponding with some brilliant and wonderful people? Maybe. But from my perspective, 100% of the confirmation requests I receive from Spamarrest are spam.  I’m just thankful that Spamarrest makes it easy to identify and throw away their requests so I don’t have to handle someone else’s spam load in addition to my own.
This is a long way to say I’m closing comments on the older Spamarrest post, so don’t bother telling me what a great spam filter it is. The same thing that makes it a great spam filter for you makes it a total source of spam for me.

Read More

Spam filters and mailbox usage

It’s no secret that I run very little in the way of spam filters, and what filters I do run don’t throw away mail, they just shove it into various mailboxes.
Looking at my mailboxes currently I have 11216 unread messages in my mail.app junk folder, 10600 unread messages in my work spam assassin folder and 29401 messages in my personal spam assassin folder (mail getting more than +7 on our version of spam assassin gets filtered into these folders). I went through and marked all of my messages read back in mid-January. That’s a little over 50,000 messages in a little over 5 months or slightly more than 2700 spams a week.
But these are messages I don’t have to deal with so while they’re somewhat annoying and a bit of “wow, my addresses are everywhere” they’re not a huge deal. I have strong enough filters for wanted mail that I can special case it.

Read More

Are FBLs required for a clean mail stream?

A few years ago I would have said that a good mailer could have a good mailing program without necessarily participating in FBL programs. I’m not convinced that’s true any longer. As the mailbox providers and ISPs develop more complex filtering methodologies, it’s important for senders to get any possible feedback from recipients. That press on the this-is-spam button may not actually mean the mail is spam, but it does mean that recipient really didn’t like the message.
Getting the feedback lets a sender fine tune their sending processes and better target what their recipients want to receive.
I do think that senders need to know what users are saying about their email. When users hit the T-i-S button then that is valuable information about how the recipients think about the mail. Senders really on top of things can use positive data (opens and clicks) and negative data (FBLs and unsubscribes) to monitor how wanted their email is and make adjustments to their sending stream.

Read More

Spammers react to Y! DMARC policy

It’s probably only a surprise to people who think DMARC is the silver bullet to fixing email problems, but the spammers who were so abusing yahoo.com have moved on… to ymail.com.
In the rush to deploy their DMARC policy, apparently Yahoo forgot they have hundreds of other domains. Domains that are currently not publishing a DMARC policy. Spammers are now using those domains as the 5322.from address in their emails. The mail isn’t coming through any yahoo.com domain, but came through an IP belonging to Sprint PCS.
This is just one example of how spammers have reacted to the brave new world of p=reject policies by mailbox providers. If only the rest of us could react as quickly and as transparently to the problems imposed by these policy declarations. But changing software to cope with the changes in a way that keeps email useful for end users is a challenge. What is the right way to change mailing lists to compensate for these policy declarations? How can we keep bulk email useful for small groups that aren’t necessarily associated with a “brand”?
The conversation surrounding how we minimize the damage to the ecosystem that p=reject policy imposed hasn’t really happened. I think it is a shame and a failure that people can’t even discuss the implications of this policy. Even now that people have done the firefighting to deal with the immediate problems there still doesn’t seem to be the desire to discuss the longer effect of these changes. Just saying “these are challenges” in certain spaces gets the response “just deal with it.” Well, yes, we are trying to deal with it.
I contend that in order to “just deal with it”, we have to define “IT.” We can’t solve a problem if we can’t define the problem we’re trying to solve. Sadly, it seems legitimate mailers are stuck coping with the fallout, while spammers have moved on and are totally unaffected.
How is this really a win?

Read More

May 2014: The month in email

It’s been a busy and exciting month for us here.
Laura finished a multi-year project with M3AAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group (look for the results to be published later this year) and continued working with clients on interesting delivery challenges and program opportunities. Steve focused on development on the next version release of Abacus, our flagship abuse desk tool, which will also be available later this year.
And as always, we had things to say about email.
The World of Spam and Email Best Practices
We started the month with a bit of a meta-discussion on senders’ fears of being labeled spammers, and reiterated what we always say: sending mail that some people don’t want doesn’t make you evil, but it is an opportunity to revisit your email programs and see if there are opportunities to better align your goals with the needs of people on your email lists. We outlined how we’ve seen people come around to this position after hitting spamtraps. That said, sometimes it is just evil. And it’s still much the same evil it’s been for over a decade.
We also wrote a post about reputation, which is something we get asked about quite frequently. We have more resources on the topic over at the WiseWords section of our site.
Gmail, Gmail, Gmail
Our friends over at Litmus estimate Gmail market share at 12%, which seems pretty consistent with the percentage of blog posts we devote to the topic, yes? We had a discussion of Campaign Monitor’s great Gmail interview, and offered some thoughts on why we continue to encourage clients to focus on engagement and relevance in developing their email programs. We also wrote a post about how Gmail uses filters, which is important for senders to understand as they create campaigns.
SMTP and TLS
Steve wrote extensively this month about the technical aspects of delivery and message security. This “cheat sheet” on SMTP rejections is extremely useful for troubleshooting – bookmark it for the next time you’re scratching your head trying to figure out what went wrong.
He also wrote a detailed explanation of how TLS encryption works with SMTP to protect email in transit, and followed that with additional information on message security throughout the life of the message. This is a great set of posts to explore if you’re thinking about security and want to understand potential vulnerabilities.
DKIM
Steve also wrote a series of posts about working with DKIM (DomainKeys Identified Mail), the specification for signing messages to identify and claim responsibility for messages. He started with a detailed explanation of DKIM Replay Attacks, which happen when valid email is forwarded or otherwise compromised by spammers, phishers or attackers. Though the DKIM signature persists (by design) through a forward, the DKIM specification restricts an attacker’s ability to modify the message itself. Steve’s post describes how senders can optimize their systems to further restrict these attacks. Another way that attackers attempt to get around DKIM restrictions is by injecting additional headers into the message, which can hijack a legitimately signed message. If you’re concerned about these sorts of attacks (and we believe you should be), it’s worth learning more about DKIM Key Rotation to help manage this. (Also of note: we have some free DKIM management tools available in the WiseTools section of our site.)
As always, we’re eager to hear from you if there are topics you’d like us to cover in June.

Read More

The more things change

I was doing some research about the evolution of the this-is-spam button for a blog article. In the middle of it, I found an old NY Times report about spam from 2003.

Read More

Yahoo FBL problems

Multiple ESPs are reporting that the volume of Yahoo! FBL reports has slowed to a trickle over the last 24 or so hours. While we don’t know exactly what is going on yet, or if it’s on track for being fixed, there does seem to be a problem.
There have been some ongoing maintenance issues with the Yahoo! FBL, where requests for updates and changes weren’t being handled in a timely fashion. Informed speculation was the resources needed to fix the FBL modification weren’t available. The interesting question is if Y! will commit the resources to fix the FBL. I could make arguments either way. But Yahoo! gets the benefit of the this-is-spam button whether or not they send a complaint back to the sender.
5/21 5pm: Both Yahoo and Return Path (who administer the Y! FBL) are aware of the problem and are working on it.
5/21 6:30pm: Reports are flowing again according to multiple sources.

Read More

It's about the spam

Tell someone they have hit a spamtrap and they go through a typical reaction cycle.
Denial: I didn’t hit a trap! I only send opt-in mail. There must be some mistake. I’m a legitimate company, not a spammer!
Anger: What do you mean that I can’t send mail until I’ve fixed the problem? There is no problem! You can’t stop me from mailing. I’m following the law. My mail is important. I’ll sue.
Bargaining: What if I just send mail to some recipients? What if I hire an email hygiene company to remove traps from my list?
Acceptance: What can I do to make sure the people I’m mailing actually want to be on my list?
Overall, my problem with the focus on spamtraps (and complaints to a lesser extent) is that these metrics are proxies. Spamtraps are a way to objectively monitor incoming email. Mail sent to spamtraps is, demonstrably, sent without permission of the address owner. This doesn’t mean all mail from the same source is spam, but there is proof at least some of the mail is spam.
If there is enough bad mail on that list, then reworking the subscription process may be necessary to fix delivery.

Read More

IP reputation and email delivery

IP reputation is a measure of how much wanted mail a particular IP address sends. This wanted mail is measured as a portion of the total email sent from that IP. Initially IP reputation was really the be-all and end-all of reputation; there was no real good way to authenticate a domain or a from address. Many ISPs built complex IP reputation models to evaluate mail based on the IP that sent the mail.
These IP reputation models were the best we had, but there were a lot of ways for spammers to game the system. Some spammers would create lots of accounts at ISPs and use them to open and interact with mail. Other spammers would trickle their mail out over hundreds or thousands of IPs in the hopes of diluting the badness enough to get to the inbox. Through it all they kept trying to get mail out through reputable ESPs, either by posing as legitimate customers or compromising servers.
These things worked for a while, but the ISPs started looking harder at the recipient pool in order to figure out if the interactions were real or not. They started looking at the total amount of identical mail coming from multiple IP addresses. The ISPs couldn’t rely on IP reputation so they started to dig down and get into content based filtering.
As the ISPs got better at identifying content and filtering on factors other than source IP, the importance of the IP address on inbox delivery changed. No longer was it good enough to have a high reputation IP sending mail.
These days your IP reputation dictates how fast you can send mail to a particular ISP. But a high reputation IP isn’t sufficient to get all the mail in the inbox. It’s really content that drives the inbox / bulk folder decisions these days.
Generally IPs that the ISP has not seen email traffic from before start out with a slight negative reputation. This is because most new IPs are actually infected machines. The negative reputation translates to rate limiting. The rate limiting minimizes people getting spam while the ISP works out if this is a real sender or a spammer.
Some ISPs deliver mail to both the inbox and the bulk folder during the whitelisting process. In this case what they’re doing is seeing if your recipients care enough about your mail to look for it in the bulk folder. If they do, and they mark the mail as “not spam” then this feeds back to the sender reputation and the IP reputation.
If you’re seeing a lot of bulk foldering of mail, it’s unlikely there’s anything IP reputation based to do. Instead of worrying about IP reputation, focus instead on the content of the mail and see what you may need to do to improve the reputation of the domains and URLs (or landing pages) in the emails.

Read More

Thoughts on Gmail and the inbox

Over the last few months more and more marketers are finding their primary delivery challenge is the Gmail inbox. I’ve been thinking about why Gmail might be such a challenge for marketers. Certainly I have gotten a lot of calls from people struggling to figure out how to get into the Gmail inbox. I’ve also seen aggressive domain based filtering from Gmail, where any mention of a particular domain results in mail going to the bulk folder.
It’s one of those things that’s a challenge, because in most of these cases there isn’t one cause for bulk foldering. Instead there’s a whole host of things that are individually very small but taken together convince Gmail that the mail doesn’t need to be in the inbox.
A pattern that I’m starting to see is that Gmail is taking a more holistic look at all the mail from a sender. If the mail is connected to an organization, all that mail is measured as part of their delivery decision making. This is hurting some ESPs and bulk senders. I’ve had multiple ESPs contact me in the last 6 months looking for help because all their customer emails are going to bulk folder.
Gmail’s filtering is extremely aggressive. From my perspective it always has been. I did get an invite for a Gmail account way back in the day. I moved a couple mailing lists over to that account to test it with some volume and discussion lists. I gave up not long after because no matter what I did I couldn’t get Gmail to put all the mail from that list into the tag I had set up for it. Inevitably some mail from certain people would end up in my spam folder.
Gmail has gotten better; now they will let you override their filters but give you a big warning that the message would have been delivered to spam otherwise.
What are mailers to do? Right now I don’t have a good answer. Sending mail people want is still good advice for individual senders. But I am not sure what can be done about this ESP wide filtering that I’m starting to see. It’s possible Gmail is monitoring all the mail from a particular sender or ESP and applying a “source network” score. Networks letting customers send mail Gmail doesn’t like (such as affiliate mail or payday mail, things they mentioned specifically at M3AAWG) are having all their customers affected.
I suspect this means that ESPs seeing problems across their customer base are going to have to work harder to police their customers and remove problematic mail streams completely. Hopefully, ESPs that can get on the Gmail FBL can identify the problem customers faster before those customers tank mail for all their senders.

Read More

April: The month in email

April was a big month of changes in the email world, and here at Word to the Wise as we launched our new site, blog and logo.
DMARC
The big story this month has been DMARC, which started with a policy change Yahoo made on April 4 updating their DMARC policy from “report” to “reject”. We began our coverage with a brief DMARC primer to explain the basics around these policy statements and why senders are moving in this direction. We shared some example bounces due to Yahoo’s p=reject, and talked about how to fix discussion lists to work with the new Yahoo policy. We gathered some pointers to other articles worth reading on the Yahoo DMARC situation, and suggested some options for dealing with DMARC for mail intermediaries. Yahoo issued a statement about this on April 11th, explaining that it had been highly effective in reducing spoofed email. We also noted a great writeup on the situation from Christine at ReturnPath. On April 22nd, AOL also announced a DMARC p=reject record.  We talked a bit about who might be next (Gmail?) and discussed how Comcast chose to implement DMARC policies, using p=reject not for user email, but only for the domains they use to communicate directly with customers. We expect to see more discussion and policy changes over the next few weeks, so stay tuned.
Spamtraps
We wrote three posts in our continuing discussion about spamtraps. The first was in response to a webinar from the DMA and EEC, where we talked about how different kinds of traps are used in different ways, and, again, how spamtraps are just a symptom of a larger problem. Following that, we wrote more about some ongoing debate on traps as we continued to point out that each trap represents a lost opportunity for marketers to connect with customers, which is really where we hope email program managers will focus. And finally, we tried to put some myths about typo traps to rest. As I mentioned in that last post, I feel like I’m repeating myself over and over again, but I want to make sure that people get good information about how these tools are used and misused.
Security
We started the month by saying “Security has to become a bigger priority for companies” and indeed, the internet continued to see security breaches in April, including the very serious Heartbleed vulnerability in SSL. In the email world, AOL experienced a compromise, which contributed to some of the DMARC policy changes we discussed above. In a followup post, we talked about how these breaches appear to be escalating. Again, we expect to hear more about this in the next weeks and months.
Best Practices
Ending on a positive note, we had a few posts about best practices and some email basics. We started with a pointer to Al Iverson’s post on masking whois info and why not to do it. Steve wrote up a comprehensive post with everything you ever wanted to know about the From header and RFC5322. I talked about how companies ignore opt-outs, and why they shouldn’t. I shared a really good example of a third-party email message, and also talked about message volume. And finally, we talked about how and why we warm up IP addresses.
Let us know if there’s anything you’d like to hear more about in May!

Read More

The true facts of spam traps and typo traps

I’m seeing an increase in the number of articles stating wildly wrong things about spam traps. Some have started claiming that typo traps are new. Or that typo traps are newly used by Spamhaus. These claims make for great copy, I guess. Wild claims about how the evil anti-commerce self-appointed internet police are actively trying to trap marketers get clicks. These claims also reinforce the martyr complex some senders have and give them something to commiserate about over drinks at the next email conference.
I strongly recommend ignoring any article that claims Spamhaus started using typo traps in December 2012. In fact, you can immediately dismiss absolutely everything they have to say. They are wrong and have proven they can’t be bothered to do any fact checking.
I can’t figure out why so many people repeat the same false statements over and over and over again. They’re wrong, and no amount of explaining the truth seems to make any difference. I went looking for evidence.
First, I asked on Facebook. A bunch of my contacts on Facebook have been running spam traps for a long time. Multiple people commented that they, personally, have been using typos to track spam since the late ’90s. These typos were on both the right hand side of the @ sign (the domain side) and the left hand side of the @ sign (the username).
Then, I looked through my archives of one of the anti-spam mailing lists and I see a Spamhaus volunteer mentioning that he had already been using typo traps in 2007.  I asked him about this and he pointed out these are some of his older traps and had been around for many years before that mention. 
Of course, we’ve written about typo domains used by an anti-spam group to catch spam.
The truth is, typo traps are not new and they’re not a new set of traps for Spamhaus. I’ve talked about traps over and over again. But I’m seeing more and more articles pop up that make verifiably wrong statements about spam traps. Here are a few facts about spam traps.
 

Read More

DMARC and organizations

Comcast recently published a statement on DMARC over on their postmaster page. The short version is that Comcast is publishing a DMARC record, but has no current intentions to publish a p=reject policy for Comcast user email. Comcast will be publishing a p=reject for some of their domains that they use exclusively to communicate with customers, like billing notices and security notices.
Comcast does point out that Yahoo! and AOL’s usage of p=reject is “not common usage.”
This is something a lot of people have been arguing loudly about on various mail operations lists and network lists. DMARC is about organizational identity. In fact, I was contacted about my DMARC primer and told that I didn’t mention that it’s not about domains, it’s about organizations.
The way I read the DMARC spec, it is all about organizational identity. The underlying theme being that the domain name is linked to a particular organization and everyone using email at that domain has some official relationship with that organization. I’ve always read the spec mentally replacing organization with corporate brand. This was for brands and organizations that strictly control how their domains are used, who can use those domains and how the mail is sent with those domains.
I never expected any mailbox provider or commercial ISP to publish a p=reject message as it would just break way too much of the way customers use email. And it did break a lot of legitimate and end user uses of email. Many organizations have had to scramble to update mailing list software to avoid bouncing users off the lists. Some of these upgrades have broken mailbox filters, forcing end users to change how they manage their mailboxes.
Even organizations see challenges with a p=reject message and can have legitimate mail blocked. At M3AAWG 30 in San Francisco I was talking with some folks who have been actively deploying DMARC for organizations. From my point of view anyone who wants to publish a DMARC p=reject should spend at least 6 months monitoring DMARC failures to identify legitimate sources of email. The person I was talking to said he recommends a minimum of 12 months.
This is just an example of how difficult it is to capture all the legitimate sources of emails from a domain and effectively authenticate that mail. For a mailbox provider, I think it’s nearly impossible to capture all the legitimate uses of email and authenticate them.
It remains to be seen if the other mailbox providers imitate Yahoo! and AOL or if they push back against the use of DMARC reject policies at mailbox providers. Whatever the outcome, this is a significant shift in how email is used. And we’re all going to have to deal with the fallout of that.

Read More

AOL admits to security breach

According to Reuters, AOL has admitted there was a breach of their network security that compromised 2% of their accounts. Users are being told to reset their passwords and security questions.
AOL started investigating the attack after users started reporting an uptick in spam from aol.com addresses. This spam was using @aol.com addresses to send mail to addresses in that user’s address book.
According to the AOL mail team, they are still investigating the attack, but they do not believe financial information was compromised.  Their statement reads in part:

Read More

Is gmail next?

I’m hearing hints that there are some malware or phishing links being sent out to gmail address books, “from” those gmail addresses. If that is what’s happening then it’s much the same thing as has been happening at Yahoo for a while, and AOL more recently, and that triggered their deployment of DMARC p=reject records.
It’s going to be interesting to see what happens over the next few days.
I’ve not seen any analysis of how the compromises happened at Yahoo and AOL – do they share a server-side (XSS?) security flaw, or is this a client-side compromise that affects many end users, and is just being targeted at freemail providers one at a time?
Does anyone have any technical details that go any deeper than #AOLHacked and #gmailhacked?

Read More

More on spam traps

A couple weeks ago I had a discussion with Ken Magill of the Magill Report about spam traps. He had moderated a webinar about spam traps and I publicly contradicted some of the statements made about spam traps.  He contacted me and interviewed me for an updated article about traps for his newsletter. The next week he had a rebuttal from Dela Quist of Alchemy Worx, taking anti-spammers (and presumably me) to task for pointing out that some folks use typos as spam traps.  This week, Derek Harding of Innovyx continues the discussion about traps and how they are a reality that senders need to deal with.
Spam traps are a reality and they’re not going away at any foreseeable point in the future. No entity that actually cares about blocking spam is going to give up the information that spam traps provide them. Not A Single One. They are some of the original tools in the filtering arsenal and they have proven their use and reliability for people trying to keep inboxes useable.
Dela focused on typos in his rebuttal to Ken, but typos aren’t the real issue. The real issue is that any address acquisition technique (and I do mean any) is subject to errors. Those errors end up directing mail at people who didn’t ask for it. If there are too many errors or mail to too many of the wrong addresses, that will result in delivery problems.
Yelling at the people monitoring the accuracy of your email marketing doesn’t make your marketing any better. It doesn’t stop mail from going to the wrong people. It doesn’t actually help anything.
My focus is on helping marketers market better. My focus is on helping folks sending email get that mail to the inboxes of people who want it. I don’t really care if my clients hit traps, traps are, as Derek said, “the canary in the coal mine.” What I really want is to make sure every person who asked for mail from my clients gets that mail. Every trap on the list? That is a lost sale, a lost touch, a lost opportunity. The traps are just the addresses we know are wrong. If there are traps on a list, then it is guaranteed there are deliverable addresses that belong to someone who is not a customer. This generally means two lost customers, the one who isn’t getting the mail they asked for and the one who is getting mail they never asked for.
Traps are a way to quantify missed opportunities, but they’re not the only missed opportunities. If mail is going to traps, it’s not going to your real customers. That is why marketers should care about traps.
 
 

Read More

AOL publishes a p=reject DMARC record

Yesterday I mentioned that there were reports of a compromise at AOL. While the details are hazy, what has been reported is that people’s address books were stolen. The reports suggest lots of people are getting mail from AOL addresses that they have received mail from in the past, but that mail is coming from non AOL servers. In an apparent effort to address this, AOL announced today they have published a p=reject DMARC record.
I expect this also means that AOL is now checking and listening to DMARC records on the inbound. During the discussions of who was checking DMARC during the Yahoo discussion, AOL was not one of the ISPs respecting DMARC policy statements. I’m not surprised. As more information started coming out about this compromise, I figured that the folks attacking Yahoo had moved on to AOL and that AOL’s response would be similar to Yahoo’s.
My prediction is that the attackers will be trying to get into Outlook.com and Gmail, and when they do, those ISPs will follow suit in publishing p=reject messages. For those of you wondering what DMARC is about, you can check out my DMARC primer.

Read More

AOL compromise

Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn’t provided any information as of yet as to what is going on.

Read More

AOL problems

Lots of people are reporting ongoing (RTR:GE) messages from AOL today. This indicates the AOL mail servers are having problems and can’t accept mail. This has nothing to do with spam, filtering or malicious email. Their servers simply aren’t functioning as well as they should be, so AOL can’t accept all the mail thrown at them. These types of blocks resolve themselves.
Update Feb 8, 2016: AOL users are having problems logging in. Word to the Wise cannot help you. Please do not contact us for help. Contact AOL directly.

Read More

Yahoo Statement on DMARC policy

Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail.

Read More

Dealing with DMARC for Mail intermediaries

I’ve been getting some mail and calls from folks looking for help on resolving the issue of DMARC bouncing. Some of these calls are from ESPs, but others are from SaaS providers who have users that have signed up with yahoo.com addresses and are now dealing with mail from those users bouncing, even when mail is going back to those users.
None of the solutions are really great, but here are a couple options.
1) Prohibit users from sending with @yahoo.com header-from addresses. This will be challenging for some companies for all sorts of reasons. I have seen a number of people suggest switching to @hotmail.com or @gmail.com addresses. This only works as long as Gmail and Hotmail/Outlook don’t start publishing p=reject policies. It’s unclear if they’re even considering this at all, but it may happen.
2) Rewrite the header-from address from @yahoo.com to something you control. One thing I’ve been suggesting to customers is set up a specific domain for rewriting, like @yahoo.ESP.com. This domain would need to forward mail back to the @yahoo.com users, which does add another layer of complexity as these addresses will become spam magnets. Thus the forwarding should run on a distinct and separate IP, to prevent interference with other systems. Note, too, that any users sending to these reply addresses from a domain protected by DMARC p=reject will bounce.
If you have questions or want to ask specifically about what to do in your setup, I’ve blocked out some time in my schedule next week for companies. If you want more information about this please contact me for available times, information requirements and pricing.

Read More

Yahoo DMARC articles worth reading

There are a bunch of them and they’re all worth reading.
I have more to say about DMARC, both in terms of advice for senders and list managers affected by this, and in terms of the broader implications of this policy decision. But those articles are going to take me a little longer to write.
How widespread is the problem? Andrew Barrett publishes numbers, pulled from his employer, related to the number of senders using @yahoo.com addresses in their commercial emails. Short version: a low percentage but a lot of users and emails in raw numbers.
What can mailing list managers do? Right now the two answers seem to be stop Yahoo.com addresses from posting or fix your mailing list software. Al has posted how he patched his software to cope, and linked to a post by OnlineGroups.net about how they patched their software.
A number of people are recommending adding an Original Authentication Results header as recommended in the DMARC.org FAQ. I’m looking for more information about how that would work.
For commercial mailers, there doesn’t seem to be that much to do except to not use an @yahoo.com address as your header-From address. Yes, this may affect delivery while you’re switching to the new From address, but right now your mail isn’t going to any mailbox provider that implements DMARC checking.
One other thing that commercial mailers and ESPs should be aware of. Depending on your bounce handling processes, this may cause other addresses to bounce off the list. Once the issue of the header-From address is settled, you can reactivate addresses that bounced off the list due to authentication failures since April 4.
 

Read More

Fixing discussion lists to work with new Yahoo policy

Al has some really good advice on how to fix discussion lists to work with the new Yahoo policy.
One thing I would add is the suggestion to actually check DMARC records before assuming policy. This will not only mean you’re not having to rewrite things that don’t need to be rewritten, but it will also mean you won’t be caught flat footed if (when?) other free mail providers start publishing p=reject.
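One way to check the published policy before rewriting, shown as an added example that is not from the original post or from Al's patch. It also applies the "rewrite to a domain you control" option for intermediaries; the function names, the `esp.example` rewrite base, the two-label organizational-domain shortcut and the sample TXT records are all assumptions constructed for illustration.

```python
"""Rewrite a list post's header-From only when the author's domain
publishes an enforcing DMARC policy (TXT record at _dmarc.<domain>)."""
from email.utils import parseaddr, formataddr

VALID = {"none", "quarantine", "reject"}
ENFORCED = {"reject"}  # add "quarantine" if spam-foldered list mail also matters

# Constructed sample TXT records keyed by DNS name. A real deployment
# would pass a function that queries DNS instead of sample_lookup.
SAMPLE_TXT = {
    "_dmarc.reject.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:agg@reject.example"],
    "_dmarc.monitor.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "_dmarc.parent.example": ["v=DMARC1; p=none; sp=quarantine"],
    "_dmarc.broken.example": ["v=DMARC1; p=rejct"],
}


def sample_lookup(name):
    """Stand-in for a DNS TXT query; returns a list of TXT strings."""
    return SAMPLE_TXT.get(name, [])


def parse_dmarc(txt):
    """Return a tag dict for a DMARC record, or None for any other TXT data."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first and match exactly
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip malformed fragments, keep the first value of each tag
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def naive_org_domain(domain):
    """Assumption: last two labels. Production code needs a public suffix list."""
    return ".".join(domain.split(".")[-2:])


def lookup_policy(domain, txt_lookup, org_domain=naive_org_domain):
    """Return 'none', 'quarantine' or 'reject' for mail using this From domain."""
    domain = domain.lower().rstrip(".")
    org = org_domain(domain)
    candidates = [(domain, False)]
    if org != domain:
        candidates.append((org, True))  # fall back to the organizational domain
    for name, inherited in candidates:
        records = [r for r in map(parse_dmarc, txt_lookup("_dmarc." + name)) if r]
        if len(records) > 1:
            return "none"  # more than one DMARC record: no usable policy
        if not records:
            continue
        rec = records[0]
        # A subdomain inheriting the parent's record uses sp= when present.
        policy = rec.get("sp", rec.get("p", "")) if inherited else rec.get("p", "")
        policy = policy.lower()
        return policy if policy in VALID else "none"
    return "none"


def list_from(header_from, txt_lookup, rewrite_base="esp.example"):
    """Return the header-From to send with, rewritten only when required."""
    name, addr = parseaddr(header_from)
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("unparseable From header: %r" % header_from)
    # pct= is ignored on purpose: any sampled enforcement still bounces some posts.
    if lookup_policy(domain, txt_lookup) not in ENFORCED:
        return header_from
    # user@reject.example -> user@reject.example.esp.example, a domain the
    # intermediary controls and must forward back to the original address.
    return formataddr((name, "%s@%s.%s" % (local, domain.lower(), rewrite_base)))


if __name__ == "__main__":
    for sender in ("Jane Doe <jane@reject.example>", "bob@monitor.example"):
        print(sender, "->", list_from(sender, sample_lookup))
```

Because the decision is driven by the record rather than a hard-coded list of providers, a domain that later moves to p=reject is picked up on the next lookup without a code change.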

Read More

Example bounces due to Yahoo p=reject

There are a number of different bounces that people are reporting due to Yahoo publishing a DMARC record of p=reject. I decided to put some of those bounces here so confused users could find out what they needed to do.
Comcast

Read More

A brief DMARC primer

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. What DMARC does is allow domain owners to publish policy statements in DNS telling receiver domains what to do with messages that do not authenticate. In addition, DMARC introduces the concept of “domain alignment.” What this means is that the authentication has to be from the same domain (or a sub-domain) as the address in the header-from: line. The idea behind DMARC is that organizational owners can use SPF and DKIM authentication to authenticate their actual domain in the header-from line. This moves authentication from an important but behind the scenes technology out to an end user visible technology.

Read More

Welcome to our new site

We’re very excited and pleased to launch our redesigned website and blog.
As you can see, we have a new logo and an official color scheme. In addition to the cosmetic changes, we’ve improved the underlying structure. We have pages dedicated to our offerings, including Abacus and information about our consulting services.
We’ve also consolidated a lot of the information spread across different websites. The ISP Information page is updated and current (finally! all the Goodmail references are gone). And the ISP specific pages are here instead of over on the wiki.
Two features we’re quite excited about are our wiseWords and wiseTools.
wiseWords is our place to publish more in depth articles about email, delivery and the Internet than the blog. Over time, I expect this to grow to encompass a full email knowledge base. We’ve also published some white papers for download.
wiseTools is the umbrella for our useful email tools, including the tools published at emailstuff.org. They’re still at emailstuff.org, but they’re also here at tools.wordtothewise.com.
We’ve done our best to make sure links transfer from the old site to the new one, but feel free to contact us if you find a broken link.
You may find your first comment on the new blog goes into moderation the first time you post. But once you’ve been approved, comments won’t go through moderation a second time.
Our new website is just the first of many new things we are hoping to roll out in the coming months.

Read More

Marketers, we have a problem

And that problem is security.
Much of what marketing does is build profiles of customers by collecting huge amounts of data on every customer. That data collection is facilitated by compliant customers that provide all sorts of personal data just because they’re politely asked by a retail clerk.
There will always be people who comply with data requests, but I expect more customers to be wary of sharing information at the register.
I’m not the only one, a recent NY Times blog post from one of their security researchers: Stop asking me for my email address. She discusses how much information companies ask for and how complacently consumers hand it over without asking about security.

Read More

Spamtraps, again.

The DMA and EEC hosted a webinar today discussing spam traps. Overall, I thought it was pretty good and the information given out was valuable for marketers.
My one big complaint is that they claimed there were only two kinds of spam traps, and then incorrectly defined one of those types. They split spam traps into “pristine” and “recycled.” Pristine traps were defined as addresses that never belonged to a user, but were seeded out on the internet to catch people harvesting addresses off websites.
While dropping addresses on websites is one way people create spam traps, there are uncounted numbers of traps that receive spam (even from some big name brands) that have never been published anywhere. One very common source of trap addresses is Usenet message IDs. I don’t think anyone can really say these were seeded in an effort to catch people harvesting, they were part of posting to Usenet. Another common source of trap addresses is spammers creating email addresses; they take the left hand side of every address on a list and pair that with all the unique right hand sides of the same list. Massive list growth with a chance that some of those addresses will be valid.
I’ve talked about different kinds of spamtraps in depth previously and how the different traps are used in different ways. I also talked about how those different types of traps tell the recipients different things.
Another critical thing to remember about traps is they are not the problem. Spamtrap hits are a symptom of a larger problem with your list acquisition process. Every spam trap on your list is a failure to actually connect with a recipient. If you’re using an opt-in method to collect addresses, traps mean that either a user didn’t really want to opt in or you managed to not accurately collect their information.
One of the things I get frustrated with when dealing with potential customers is their laser like focus on “getting the traps off our list.” I really believe that is not the right approach. Just getting the traps off is not going to do anything to improve your delivery over the long term. Instead of focusing on the traps, focus on the reasons they’re there. Look at how you can improve your processes and address collection so that you actually get the correct addresses of the people who really do want that mail.
Other posts about spam traps

Read More

Anon whois information

I’ve talked before about reasons not to hide commercial domains behind whois proxies. Al found another one: if you use a proxy you cannot list your domains with abuse.net. Al has a good write up of whois, and why this is important. So go there and read it.

Read More

March 2014: The month in email

What did we talk about here on the blog in March? It seems we talked a lot about Gmail but also looked at some CAN SPAM issues.
Gmail
When it comes to innovating in the inbox, Gmail is leaps and bounds ahead of the pack. They made some improvements to their image caching process and are now respecting cache headers, so marketers can update images and track multiple opens. They also started rolling out grid view in the promotions tab, giving marketers a way to show pictures to recipients rather than text subject lines. I wrote about their views on senders best practices as presented at M3AAWG 30 in San Francisco. Then there was ongoing news about their new FBL. Many ESPs started getting approval notices for joining their FBL and Sendgrid published an open letter about how the FBL has been helping them identify bad players on their network.
CAN SPAM
Oddly enough I wrote two different posts about CAN SPAM, which seems like a lot for as little as I managed to blog in March. One discussed if CAN SPAM applied to individual prospecting emails (yes, but really, violating that is like speeding: most people aren’t going to get caught or punished) and the other looked at the rules surrounding harvesting.
Delivery
I talked about how domains need to be warmed up, not just IP addresses. And how there are lots of common causes for delivery problems, and too many people go for the edge cases without ruling out the normal cases first.
Odds and ends
The other posts don’t really lend themselves to easy classification. I talked delivery on Tech Talk. I amused myself by posting a link to horribly done spam and a bit of a snarky summary of the current state of ISP Relations. I linked to a blog post pointing out that social engineering is still alive and well in the hacker’s toolkit and another one looking at effective email marketing strategies.
 

Read More

Sendgrid's open letter to Gmail

Paul Kincaid-Smith wrote an open letter to Gmail about their experiences with the Gmail FBL and how the data from Gmail helped Sendgrid find problem customers.
I know a lot of folks are frustrated with Gmail not returning more than statistics, but there is a place for this type of feedback within a comprehensive compliance desk.

Read More

Domains need to be warmed, too

One thing that came out of the ISP session at M3AAWG is that domains need to be warmed up, too. I can’t remember exactly which ISP rep said it, but there was general nodding across the panel when this was said.
This isn’t just the domain in the reverse DNS of the sending IP, but also domains used in the Return Path (Envelope From) and visible from.
From the ISP’s perspective, this makes tons of sense. Some of the most prolific snowshoe spammers use new domains and new IPs for every send. They’re not trying to establish a reputation, rather they’re trying to avoid one. ISPs respond by distrusting any mail from a new IP with a new domain.

Read More

Gmail promotions tab improves for marketers

The official Gmail blog announced today that they’re testing a new way of displaying emails in the Promotions tab. This display method will show users a featured image instead of the normal subject line.
Email marketers that want to take advantage of this should visit the Gmail developers pages for information on how to set a featured image for Gmail.
More innovation from Gmail in the mailbox. This one feels pretty consumer friendly, although I still have memories of XXX spam from years ago showing rather explicit images. Gmail must have a lot of confidence in their filtering to push image display to the inbox.

Read More

Gmail FBL update

Last week Gmail started contacting ESPs that signed up for their new FBL with more information on how to set up mailings to receive FBL emails.
One of the struggles some ESPs are having is the requirement for DKIM signing. Many of the bigger ESPs have clients that sign with their own domains. Gmail is telling these ESPs to insert a second DKIM signature to join the FBL.
There are a couple reasons this is not as simple or as doable as Gmail seems to think, and the challenges are technical as well as organizational.
The technical challenges are pretty simple. As of now, not all the bulk MTAs support multiple signatures. I’ve heard that multiple signatures are being tested by these MTA vendors, but they’re not in wide use. This makes it challenging for these ESPs to just turn on multiple signatures. For ESPs that are using open source software, there’s often a lot of customization in their signing infrastructure. Even if they have the capability to dual sign, if they’re not currently using that there is testing needed before turning it on.
None of the technical challenges are show stoppers, but they are certainly show delayers.
The organizational challenges are much more difficult to deal with. These are cases where the ESP customer doesn’t want the ESP to sign. The obvious situation is with large banks. They want everything in their infrastructure and headers pointing at the bank, not at their ESP. They don’t want to have that second signature in their email for multiple reasons. I can’t actually see an ESP effectively convincing the various stakeholders, including the marketing, security and legal staff, that allowing the ESP to insert a second signature is good practice. I’m not even sure it is good practice in those cases, except to get stats from Gmail.
Hopefully, Gmail will take feedback from the ESPs and change their FBL parameters to allow ESPs to get information about their customers who sign with their own domain.

Read More

Busy week

This week has been incredibly busy with business stuff and I’ve not had a lot of time to sit and think about blogging. Blogging will be light for the next few days while I catch up.

Read More

Tech Talk Podcast

Last week I had the pleasure of sitting down and talking delivery and email with W. Jeffery Rice of Brickstreet software. He’s posted a review and the recordings at Brickstreet and the UR Business Network.

Read More

Spammers make me laugh…

When they can’t work their spam ware.

{rtf1ansiansicpg1252deff0deflang1033{fonttbl{f0fnilfcharset0 Calibri;}}
{*generator Msftedit 5.41.21.2510;}viewkind4uc1pardsa200sl276slmult1lang9f0fs22 Dear Sir,par
My clients wants to invest huge cash .Please do reply if interested no dime needed from you.par
Regardspar
john Gagapar
}

Read More

Gmail image caching update

Late last year Gmail started caching images on their servers, breaking open tracking in some circumstances. This image caching was good for senders, in that images were back on by default. But it was also bad for senders because it broke dynamic content and didn’t allow for tracking of multiple opens by the same recipient.
According to a new blog post by Movable Ink, this issue has now been resolved and Google is respecting cache headers, so senders who are using dynamic content or want to track multiple opens can do so.

Read More

Horses, not zebras

I was first introduced to the maxim “When you hear hoofbeats, think horses not zebras” when I worked in my first molecular biology lab 20-some-odd years ago. I’m no longer a gene jockey, but I still find myself applying this to troubleshooting delivery problems for clients.
It’s not that I think all delivery problems are caused by “horses”, or that “zebras” never cause problems for email delivery. It’s more that there are some very common causes of delivery problems and it’s a more effective use of time to address those common problems before getting into the less common cases.
This was actually something that one of the mailbox provider reps said at M3AAWG in SF last month. They have no problem with personal escalations when there’s something unusual going on. But, the majority of issues can be handled through the standard channels.
What are the horses I look for with delivery problems?

Read More

Best practices: A Gmail Perspective

At M3AAWG 30 in San Francisco, Gmail representatives presented a session about best practices and what they wanted to see from senders.
I came out of the session with a few takeaways.

Read More

This month in email: February 2014

After a few months of hiatus, I’m resurrecting the this month in email feature. So what did we talk about in February?
Industry News
There was quite a bit of industry news. M3AAWG was in mid-February and there were actually a few sessions we were allowed to blog about. Gmail announced their new pilot FBL program. Ladar Levison gave the keynote talking about the Lavabit shutdown and his new darkmail program. Brian Krebs won the Mary Litynski award for his work in investigating online security issues. The 4 major mailbox providers talked about their spam filters and spam filtering philosophy.
February was also the month where different companies evaluated their success or failure of products. LinkedIn announced the shutdown of their Intro product and Facebook announced the shutdown of their Facebook.com email service.
Security Issues
Cloudmark published their 2013 report on the Global Spam Threat and we discovered that the massive Target breach started through phishing. I also noticed a serious uptick in the amount of phishing mails in my own mailbox. There is a new round of denial of service attacks using NTP amplification. We provided information on how to secure your NTP servers.
Address Collection
The Hip Hop group De La Soul released their entire catalog for free, online, using a confirmed opt-in email process. On the flip side, the M3AAWG hotel required anyone logging into the wifi network to give an email address and agree to receive marketing mail. We also discovered that some political mailing lists were being used in ways the politicians and recipients didn’t expect.
Email Practices
I talked about how to go about contacting an ISP that doesn’t have a postmaster page or a published method of contact. Much of that information is actually relevant for contacting ISPs that do have a contact method, too. Finally, I talked about how ISPs measure engagement and how that’s significantly different from how ESPs think it is.
 

Read More

Does CAN SPAM apply to individual prospecting emails

Two different people on two different mailing lists asked very similar questions recently. Are people who send individual prospecting emails required to comply with CAN SPAM?
My opinion (not a lawyer, don’t play one on TV, didn’t stay at a Holiday Inn last night) is that CAN SPAM does not mention anything about volume, and any individual unsolicited email that has a “primary purpose” of advertising is required to include a physical postal address and a way to unsubscribe.
My other take on it is that, for individual prospecting emails, failing to comply with CAN SPAM is like speeding. It’s illegal, and you can get in legal trouble by doing it, but everyone does it and few people get caught.

Read More

ISP relations in a nutshell

Senders: You’re blocking our mail, why?
Receivers: Because you’re spamming, stop spamming and we won’t block you.
Senders: But we’re not spamming. What do you mean we’re spamming! How could we be spamming, we’re not sending spam!
Receivers: You’re doing all these things (generating complaints, sending to dead accounts, hitting spam traps, not bounce handling, etc) that make your mail indistinguishable from spam.
Senders: But we can’t tell what we’re doing wrong unless you give us more data!
Receivers: OK, fine. Here are FBLs, postmaster pages, sender access to support people. Now, stop spamming.
time passes
Receivers: It’s costing us how much to provide support to senders?!?! And after years of giving them lots of data it’s still the same problems over and over again? We’re not a charity, we’re going to control our costs and stop providing so much personal support.
And that, readers, is why receivers are pulling back from providing the data they used to.

Read More

ISPs speak at M3AAWG

Last week at M3AAWG representatives from AOL, Yahoo, Gmail and Outlook spoke about their anti-spam technologies and what the organizations were looking for in email.
This session was questions and answers, with the moderator asking the majority of the questions. These answers are paraphrased from my notes or the MAAWG twitter stream from the session.
What are your biggest frustrations?
AOL: When senders complain they can’t get mail in and we go look at their stats and complaints are high. Users just don’t love that mail. If complaints are high look at what you may have done differently, content does have an effect on complaints.
Outlook: When we tightened down filters 8 years ago we had to do it. Half of the mail in our users’ inbox was spam and we were losing a steady number of customers. The filter changes disrupted a lot of senders and caused a lot of pain. But these days only 0.5% of mail in the inbox is spam. Things happen so fast, though, that the stress can frustrate the team.
Gmail: Good senders do email badly sometimes and their mail gets bulked. Senders have to get the basic email hygiene practices right. Love your users and they’ll love you back.
What’s your philosophy and approach towards mail?
AOL: There is a balance that needs to be struck between good and bad mail. The postmaster team reminds the blocking team that not all mail is bad or malicious. They are the sender advocates inside AOL. But the blocking team deals with so much bad mail, they sometimes forget that some mail is good.
Yahoo: User experience. The user always comes first. We strive to protect them from malicious mail and provide them with the emails they want to see. Everything else is secondary.
Gmail: The faster we stop spam the less spam that gets sent overall. We have highly adaptive filters that can react extremely quickly to spam. This frustrates the spammers and they will give up.
Outlook: The core customer is the mailbox user and they are a priority. We think we have most of the hardcore spam under control, and now we’re focused on personalizing the inbox for each user. Everyone online should hold partners accountable and they should expect to be held accountable in turn. This isn’t just a sender / ESP thing, ISPs block each other if there are spam problems.
What are some of your most outrageous requests?
We’ve been threatened with lawsuits because senders just don’t want to do the work to fix things. Some senders try to extort us. Other senders go to the advertising execs and get the execs to yell at the filtering team.
Coming to MAAWG and getting cornered to talk about a particular sender problem. Some senders have even offered money just to get mail to the spam folder.
Senders who escalate through the wrong channels. We spent all this money and time creating channels where you can contact us, and then senders don’t use them.
Confusing business interests with product interests. These are separate things and we can’t change the product to match your business interest.
What are your recommendations for changing behaviors?
Outlook: We provide lots of tools to let you see what your recipients are doing. USE THE TOOLS. Pay attention to your recipient interaction with mail. Re-opt-in recipients periodically. Think about that mail that is never opened. Monitor how people interact with your mail. When you have a problem, use our webpages and our forms. Standard delivery problems have a play book. We’re going to follow that playbook and if you try to get personal attention it’s going to slow things down. If there’s a process problem, we are reachable and can handle them personally. But use the postmaster page for most things.
Gmail: Get your hygiene right. If you get your hygiene right, deliverability just works. If you’re seeing blocking, that’s because users are marking your mail as spam. Pay attention to what the major receivers publish on their postmaster pages. Don’t just follow the letter of the law, follow the spirit as well. Our responsibility, as an ISP, is to detect spam and not spam. Good mailers make that harder on us because they do things that look like spammers. This doesn’t get spammer mail in more, it gets legitimate mail in less. Use a real opt-in system, don’t just rely on an implied opt-in because someone made a purchase or something.
Yahoo: ESPs are pretty good about screening their customers, so pay attention to what your ESPs are saying. Send mail people want. Verify that the email addresses given to you actually belong to people who want your mail. Have better sender practices.
What do you think about seed accounts?
The panel wasn’t very happy about the use of seed accounts. Seeds are not that useful any longer, as the ISPs move to more and more personalized delivery. Too much time and too many cycles are used debugging seed accounts. The dynamic delivery works all ways.
When things go wrong what should we do?
AOL: Open a ticket. We know we’ve been lax recently, but have worked out of our backlog and are caught up to date. Using the ticketing system also justifies us getting more headcount and makes everyone’s experience better. Also, don’t continue what you’re doing. Pause sending while you’re troubleshooting the issue. We won’t adjust a rep for you, but we may be able to help you.
Gmail: Do not jump the gun and open a ticket on the first mail to the spam folder. Our filters are so dynamic, they update every few minutes in some cases. Be sure there is a problem. If you are sure you’re following the spirit and letter of the sender guidelines you can submit a ticket. We don’t respond to tickets, but we work every single one. When you’re opening a ticket provide complete information and full headers, and use the headers from your own email address not headers from a seed account. Give us a clear and concise description of the problem. Also, use the gmail product forum, it is monitored by employees and it’s our preferred way of getting information to the anti-abuse team. Common issues lots of senders are having will get addressed faster.
Outlook: Dig in and do your own troubleshooting, don’t rely on us to tell you what to fix. The support teams don’t have a lot of resources so use our public information. If you make our job harder, then it takes longer to get things done. But tell us what changes you’ve made. If you’ve fixed something, and tell us, our process is different than if you’re just asking for a delisting or asking for information. When you’ve fixed things we will respond faster.
How fast should users expect filters to respond after making changes?
Filters update continually so they should start seeing delivery changes almost immediately. What we find is people tell us they’ve made changes, but they haven’t made enough or made the right ones. If the filters don’t update, then you’ve not fixed the problem.

Read More

Still catching up

I had planned to get some more information out from M3AAWG sessions last week, including the Gmail session and the ISP session. But, I am still catching up with other work.
I will say this, though: implementing a preference center will not solve delivery problems when you are sending from an IP with no reverse DNS.
Tomorrow. Tomorrow I will have content. (Stop laughing. Really. Just stop)

Read More

FB email, put a fork in it

Today Facebook quietly put a bullet in the heart of its email program. Instead of running mailboxes, mail to Facebook addresses is now simply forwarded to the user’s primary email address. Color me unsurprised.

Read More

Gmail pilots new FBL

Yes, it’s true. Gmail announced last Thursday at M3AAWG that they were piloting a new Feedback loop.
The Gmail FBL is currently for ESPs only. The announcement during MAAWG was that only MAAWG ESP members were eligible. They are requiring a DKIM signature for the FBL, but ESPs using individual customer d= values can get a FBL based on IPs. They are also not providing ANY information that reveals the complainer. Gmail’s intention is only to give ESPs feedback so that ESPs can prevent abuse. They are not giving feedback so complainers can be removed.
The email has a .csv attachment that has 3 columns: date, identifier and complaint rate.
The identifier is an ESP provided customer identifier. One of the ESPs I talked to said they were adding an X-header into their emails.
I’ve heard from beta testers that there is a minimum of 100 complaints before you’ll get any report.
Reports are sent daily if there is sufficient traffic to trigger them.
If you’re a MAAWG member, check the senders list for the signup URL.

Read More

Massive new phishing run

It seems while the experts are meeting to figure out how to stop spam, the spammers are exploiting new ways to spam. This morning my mailbox had over 100 messages with either the subject “market report” or “eviction notice.” What headers I checked showed this was from a botnet, sent to dozens of addresses at my domains.

Read More

So much to write about

This was a great MAAWG conference and there are a couple sessions I can write about. There were multiple sessions where representatives from various blocking groups and ISPs talked about what they block on. I have extensive notes and will be writing things up in the next few days.
The awesome folks at Mailchimp brought t-shirts for us.

Read More

Lavabit and darkmail

The M3AAWG keynote address today was a talk from Ladar Levison about the shutdown of the Lavabit mail service after receiving demands from the NSA to hand over their SSL keys.
@maawg tweeted different quotes from the session. There is a conflict between privacy and security, and these are questions we need to resolve.
Ladar talked about his potential new service called darkmail, which pushes encryption back to the user level. I think there is relevance to this, as many online services are used for political and other organizing. As someone said to me last night, some of the people using our service could be killed if we don’t protect their privacy. He wasn’t speaking of the US residents, but people in places like Ukraine or Arab countries or other places undergoing violent revolutions.
Privacy is important, how we treat privacy is important. Handing over SSL keys to governments strikes me as a big problem.

Read More

Brian Krebs wins the Mary Litynski award

A little late, but I’ve been in sessions most of today. M3AAWG announced this morning that Brian Krebs won the 2014 Mary Litynski award. This award is given to people who work tirelessly to make the internet a better place.
I first had the pleasure of listening to Brian give the keynote address at a MAAWG conference many years ago. His ability to infiltrate some major spam operations and online forums for criminals is amazing. He’s also had retaliation attempts, including being SWATed and having heroin delivered to his house.
If you get a chance to hear Brian speak, I strongly encourage you to do so. His knowledge is outstanding and his speaking style is entertaining. I’ve learned a lot from Brian over the years and I’m pleased he won this award and that M3AAWG recognized his contribution to stopping abuse online.
M3AAWG press release

Read More

Using confirmation to get good email addresses

For 25 hours the group De La Soul is releasing their entire catalog for free online. What none of the articles are mentioning is that they’re using this to build their database of email addresses in a way that’s going to result in a clean database of high value email addresses.
How are they doing that? By making sure the addresses belong to their fans before they actually give fans access to the catalog. Yes, they are using confirmation as part of their signup process.
If you go to their website: wearedelasoul.com you’re asked for an email address so they can send the downloads to you.
The fine print is the interesting bit:

Read More

M3AAWG conference next week

Next week is M3AAWG 30 in San Francisco. We’ll be there and are very excited to see the familiar faces and meet new people.
I recently had someone ask me what would I recommend to someone going to their first M3AAWG conference. My recommendation to anyone in the sender or marketer space is to go to some of the talks that are not about email delivery. Go to the sessions that talk about malware or SMS or anything other than just email delivery. For anyone in the ISP space go to a session focused on mobile or email sending. Use this time to learn about something totally different than what you do every day.
Another question I get frequently from senders is if the people from the ISPs are open to sitting down and talking with senders about the senders’ email problems. Generally, the answer is no. Most of the time, the ISP has no knowledge of who you are and what mail you’re sending, so all they can say is “send me an email with the IPs and I’ll take a look at it.” That’s it.
We’ll be in the city starting Monday afternoon, and I always enjoy meeting readers. Stop by and introduce yourself.

Read More

Target breach started from email

According to Brian Krebs the compromise of Target’s POS system probably originated with a phishing attack against one of Target’s vendors. This attack compromised credentials of the HVAC vendor and possibly allowed the hackers entrance into Target’s systems.
Interestingly, Brian mentions Ariba, a company I’ve been forced to deal with by a large customer of ours. I’m not sure if there really is an attack vector where a vendor can get access through Ariba to the internal systems of the customers. However, my experience with Ariba has been frustrating and problematic, so I’ll be happy to believe their security is as broken as their email.
Email is a great way to interact with people and companies. It’s great for growing communities and businesses. But it is also a way for attackers to get access to your computer and the websites you interact with. Protect yourself, and your company, by running security software. And, please, don’t open attachments or click on links in emails and provide usernames and passwords.

Read More

Engagement, it's not what you might think

Most delivery experts will tell you that ISPs measure recipient engagement as a part of their delivery. That’s absolutely true, but I think there’s a language difference that makes it hard for senders to understand what we mean by engagement.
ISPs, and other filtering companies, profile their user base. They know, for instance, who logs in and checks mail every day. They know who checks mail every 20 seconds. They know who gets a lot of spam. They know who hasn’t logged in for months. They know who accurately marks mail as spam and who is sloppy with the this-is-spam button. They know if certain recipients get the same mail, it’s likely to be spam.
Engagement at the ISPs is more about the recipient engaging with their email address and the mail in their mailbox than it is about the recipient engaging with specific emails.
 

Read More

More on Newsmax and spam to political lists

Things are getting stranger and stranger with Newsmax and the politicians they’re managing lists for. Earlier this week, recipients on Scott Brown’s list received emails with the subject line “5 Signs You’ll Get Alzheimer’s Disease.” The advertisement was for products and information from Dr. Blaylock, a contributor to Newsmax Health. Scott Brown told the political reporter at WMUR in New Hampshire that he did not authorize this email and was cutting ties with Newsmax.
Newsmax contacted me after I posted about unexpected email to the Herman Cain mailing list. They wanted to make it clear to me that their mailings were all double opt-in and that they adhered to all best practices. They also said that select advertisers were allowed to put ads in the body of messages from the politician to their supporters.
It seems, though, that may not be the whole truth. After I received the message from Newsmax, I signed up on caintv.com to see if they really were using double opt-in. While it is very possible that Mr. Cain was using double opt-in during the campaign, he isn’t any longer. I started receiving emails immediately, with neither a welcome message nor a confirmation message.
In the case of Scott Brown’s list, the advertisement wasn’t from an outside advertiser, the advertisement was for a Newsmax columnist. And the ad wasn’t in the body of a message to supporters, it was the message to supporters. Mr. Brown has this to say about his likeness and mailing list being used by Newsmax.

Read More

Contacting an ISP that doesn't have a postmaster page

How do you contact an ISP about a block that doesn’t have a postmaster page? While there’s no one answer, I do have some suggestions.
Start by contacting the postmaster@ or abuse@ addresses. For smaller ISPs, the same people handling outbound abuse are the people handling inbound filtering.
When you contact them have the following:

Read More

Problems with Yahoo FBL

There are a couple problems I’ve been alerted to with the Yahoo FBL today.
The first comes from Michael Ellis and is about broken FBL reporting at Yahoo.

Read More

Update on Herman Cain advertising male enhancement drugs

Shawn Studer from newsmax.com contacted me today with a statement about the Herman Cain mailing list.

Read More

Does email have a guarantee of delivery?

A client asked me earlier this week what SLAs ISPs provided for email delivery. The short answer is that there isn’t a SLA and that the only guarantee is that the email will get there when it gets there.
But as I was mentioning this to Steve, he pointed out that there was a recent change in the RFCs for email. In both RFC 821/2 and RFC 2821/2 (the original email related RFCs and the update in the early 2000’s) the RFCs stated that once a receiving MTA accepted an email, that MTA was required to either deliver the mail or generate an asynchronous bounce. While this isn’t a standard SLA, it does mean that a 2xy response after DATA meant the email would either be delivered to the user or be sent back to the sender. Despite the RFC requirements some receivers would still drop mail on the floor for various reasons, sometimes intentionally and sometimes not.
RFC 5321/2, the current SMTP standard, still says that once a server accepts the mail it must not lose that mail ‘for frivolous reasons.’ The RFC goes on to admit, though, that in recent years, SMTP servers are under a range of attacks and dropping mail on the floor is not frivolous in those cases.
 

Read More

Repurposing addresses

Multiple news sources are reporting that Herman Cain, republican presidential hopeful from 2012. Maddow on Herman Cain’s new business model. Apparently, his email address list is for rent by just about anyone, including companies selling cures for erectile dysfunction.

Read More

Where did you get my address?

Both Steve and I are trying to get answers from Amazon, Target and Epsilon about how Target acquired our Amazon specific email addresses. Target phone reps told us the mail we got was a phish, Epsilon is refusing to acknowledge Target is a customer and Amazon has promised us “they’re looking into it.”
Meanwhile, an address of mine was transferred from one customer of an ESP to another customer of the same ESP. At first I was told I must have signed up for the mail; as proof I was provided with the data I supposedly signed up. When I explained no that wasn’t true, the abuse desk told me they had discovered there was a mistake and that “These two clients use the same 3rd party ESP and they had mixed the files.” I’m not actually sure who “they” refers to, but as long as they’ve untangled the files I am not going to argue. The sad part is that it took an escalation to Return Path (the IP sending the mail is certified) to get anyone to actually respond to my report of an address given to Company A being mailed by Company B.
On the flip side, mail showed up today that actually had a link for “how was I added?”
When you click on the link it shows exactly where the address came from and when it was added to the list.
It would be great if more companies provided this information to their recipients. I think it would probably decrease spam reports and make consumers feel more comfortable about how companies are collecting and using information.

Read More

Spamhaus on ESPs

Promoted from yesterday’s comments, Spamhaus comments on my discussion of filtering companies getting tired of ESPs.
You hit the nail square on, Laura.
As Laura knows but many here might not, I am with the Spamhaus project. At one time I was leading efforts to clean up ESP spam. I am not deeply involved with ESP listings any longer. I can however testify that ESPs ask Spamhaus volunteers for a great deal of information about their SBL listings, considerably more than most ISPs or web hosting companies. Certain team members avoid ESP listings except in extreme cases because they don’t want to spend that much time on one SBL.
Whilst I was doing many ESP listings, I attempted to provide requested information, often at great length, with mixed results. In one notable case, an ESP that I provided with a report on hits from that ESP’s IPs on our spamtraps took that report and turned around their entire business. They had been an average ESP: not worse than most ESPs, but not better either. It’s been about three years now. This ESP is now in any list of the least spam-friendly two or three ESPs in the business. I’m honored to have been able to contribute to that change, am delighted at the results, and have learned a great deal from that ESP’s abuse team, which is superb.
That hasn’t happened often, though. I’ve provided similar reports to a number of other ESPs; I try not to play favorites. It is Spamhaus policy not to treat ISPs, ESPs, web hosts, and others whose IPs are listed for spamming differently except based upon our observations of which responds to spam issues effectively and which do not. I would also rather see a spam problem fixed than a spammer terminated just to move somewhere else and continue to spam.
The spam flow from many ESP customers that I reported to the ESP dropped, then slowly rose to previous and often higher levels. There are strings of SBL listings as a spam problem is mitigated, then inexplicably (according to the ESP) comes back. I do not find most of those recurrences inexplicable. I conclude, in many cases, that the ESP is unwilling to do the proactive work necessary to catch most spam before it leaves their IPs, even when they know what needs to be done.
To make matters clear, the ESP representatives that I communicate with are not usually to blame for this problem. Their managers and the policymakers at the ESP are to blame. The decisionmakers at the ESP are not willing to require paying customers to adhere to proper bulk email practices and standards and enforce permanent sanctions against most who fail to do so.
Granted, some customers resist not because they are deliberately spamming non-opt-in email addresses, but because they think that quantity (of email) is more important than quality. Such customers don’t want to see lists shrink even when those lists are comprised largely of non-responsive deadwood email addresses. Such customers send a great deal of spam and annoy a great many of our users, who really do not care whether the spam problem is due to carelessness or deliberate action.
In other cases, of course, ESP customers resist following best practices because they cannot. They are mailing email appended and purchased lists. If they don’t maintain some sort of plausible deniability about the sources of those lists, they know that we will list their IPs (at the ESP and elsewhere) and refuse to remove those listings til they do.
In either case, an ESP that is unwilling to impose sanctions on customers whose lists persist in hitting large numbers of spamtraps after repeated mitigation attempts needs to fire those customers. Otherwise it is failing to act as a legitimate bulk emailer. Such ESPs must expect to see their IPs blocked or filtered heavily because they deliver such large quantities of spam compared to solicited email.

Read More

Abuse it and lose it

Last week I blogged about the changes at ISPs that make “ISP Relations” harder for many senders. But it’s not just ISPs that are making it a little more difficult to get answers to questions, some spam filtering companies are pulling back on offering support to senders.
For instance, Cloudmark sent out an email to some ESPs late last week informing them that Cloudmark was changing their sender support policies. It’s not that they’re overwhelmed with delisting requests, but rather that many ESPs are asking for specific data about why the mail was blocked. In December, Spamcop informed some ESPs that they would stop providing data to those ESPs about specific blocks and spam trap hits.
These decisions make it harder for ESPs to identify specific customers and lists causing them to get blocked. But I understand why the filtering companies have had to take such a radical step.
Support for senders by filtering companies is a side issue. Their customers are the users of the filtering service and support teams are there to help paying customers. Many of the folks at the filtering companies are good people, though, and they’re willing to help blocked senders and ESPs to figure out the problem.
For them, providing information that helps a company clean up is a win. If an ESP has a spamming customer and the information from the filtering company is helping the ESP force the customer to stop spamming that’s a win and that’s why the filtering companies started providing that data to ESPs.
Unfortunately, there are people who take advantage of the filtering companies. I have dozens of stories about how people are taking advantage of the filtering companies. I won’t share specifics, but the summary is that some people and ESPs ask for the same data over and over and over again. The filtering company rep, in an effort to be helpful and improve the overall email ecosystem, answers their questions and sends the data. In some cases, the ESP acts on the data, the mail stream improves and everyone is happy (except maybe the spammer). In other cases, though, the filtering company sees no change in the mail stream. All the filtering company person gets is yet another request for the same data they sent yesterday.
Repetition is tedious. Repetition is frustrating. Repetition is disheartening. Repetition is annoying.
What we’re seeing from both Spamcop and Cloudmark is the logical result from their reps being tired of dealing with ESPs that aren’t visibly fixing their customer spam problems. Both companies are sending some ESPs to the back of the line when it comes to handling information requests, whether or not those ESPs have actually been part of the problem previously.
The Cloudmark letter makes it clear what they’re frustrated about.

Read More

CNN warns about Target copy-cat phishes

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.
CNN: Did you get an email from Target?

Read More

Target "acquires data"

It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
@AskTarget

Read More

First BACN, now SCRAPPLE

There is a lot of mail that goes out to recipients that’s not really spam, but isn’t fully wanted. To describe these different kinds of mail, people have invented pork-product related terminology. Ham and bacn are both used to describe wanted mail, although possibly not wanted right now.
Now we have SCRAPPLE. It seems over the weekend a number of members of the Science Fiction Writers Association received email from someone asking them to consider one of his writings for an award. Reading through the tweets, this person typed hundreds of email addresses out of the SFWA directory into their mail client. And then sent mail to that list.
Recipients of that mail then went to twitter to complain about abuse of their email addresses in this way. Being writers, they discussed what word that would describe “something like spam, but not really.”
@talkwordy came up with Scrapple. Now, for those of you who don’t live in a very small part of the mid-Atlantic region, you may not know what scrapple is. Scrapple is a loaf pork product made from, well, scraps of pig. It often has a weird greenish tinge to it, presumably from the liver. My grandmother, having grown up in that small part of the mid-Atlantic region, used to eat it when she could find it. Usually it was in small, country diners where the waitresses call you darlin’ or hun.
By the end of the discussion the definition of scrapple was: Unwanted email from a person you know, which is annoying but not completely irrelevant to your interests, often manual address list creation.
There you have it. Scrapple joins bacn, ham, spam, and spim to describe different kinds of email.

Read More

iMessage Spam

iMessage is the Apple messaging system that lets folks send short messages to one another over WiFi. In December I received my first iMessage spam.
I’m not even really sure how to report it or who to report it to.
Mobile spam is a hot button issue right now, but the tools just aren’t around to control SMS, iMessage and TXT spam like there is with email. And even though sending unsolicited messages to a mobile device is against several laws here in the US, there does seem to be a core of spammers that continue to send.

Read More

CASL and existing opt-in addresses

The Canadian Anti-Spam law takes effect this summer. EmailKarma has a guest post by Shaun Brown that talks about how to handle current opt-in subscribers under the law.

Read More

And we're back

Happy New Year!
I am back and ready to talk email with folks.
December is always a busy time, both between the holidays and all associated personal stuff, but also for delivery consulting. There are senders that suddenly discover their email going to the bulk folder and needing help and assistance. But now it’s January and email marketing gets a brief break.
The beginning of the new year and the lull after the Christmas season marketing storm is a good place for folks to think about marketing and email goals for the upcoming years. Many senders get so wrapped up in the day to day details of email that they fail to think strategically about email and their business.
It works much that way for me, as well. I hate it when my clients have bad delivery and do everything I can to fix their problems. If their mail isn’t getting to the inbox, then it’s as much my problem as theirs. I’m thinking and working to get to the root of their problem and come up with solutions to get their mail sent. This sometimes means my own strategic planning gets pushed aside while I focus on client needs. January is a fun time of year for me, because it’s all a little more relaxed and I can look at the new year and how to improve services and share more of my knowledge with folks.
You’ll start to see some of those improvements in the upcoming months. I’ll also be blogging regularly. We should be getting some research and white papers out over the next few months. I’ll be catching up on the Google privacy cases and updating on some other email related lawsuits.
2014 is looking like a year of growth and excitement.

Read More

Responsys bought by Oracle

Being on the west coast, I’m usually not yet awake when the 9am eastern press releases go out. So I’m often late on BREAKING NEWS!! in the email industry.
This morning it was the news that Oracle bought Responsys. Most news reports seem to agree that the purchase price was $1.5B, although a couple places are putting that at a lower figure of “about $1.39B.”
In any case, congrats to Responsys shareholders for getting a premium on their stock price.

Read More

ROKSO

ROKSO is the Register of Known Spamming Operations. It is a list of groups that have been disconnected from more than 3 different networks for spamming. ROKSO is a little bit different than most of the Spamhaus lists. The listings themselves talk more about the background of the listees and less about the specific emails that are the problem.
Many ISPs and ESPs use ROKSO during customer vetting processes.
Networks can be listed on ROKSO without any mail being sent from those networks. These listings are as much about just categorizing and recording associated networks as they are about blocking spam.
Spamhaus does not accept delisting requests for ROKSO records. In order to be delisted from ROKSO there must be a 6 month period with no spam traceable to the ROKSO entity. After that 6 months the listee can petition for a review of the record. If the spam has stopped their record is retired.
In my experience there is often a lot of research put into each ROKSO record and not all that information is made public.
The only time a record is changed is if Spamhaus is convinced they made a mistake. This does happen, but it’s not that common. Given the amount of research that goes into a ROKSO record, there is a fairly high burden of proof to demonstrate that the information is actually incorrect.
It is possible to get delisted off ROKSO. In all of the cases I know about, the listed entity either got out of email altogether or they radically changed their business model.

Read More

That unsubscribe time of year

Like many people, I make purchases online. This usually means the vendor adds me to their mailing list. I normally don’t care, that mail all filters to my “commercial” folder (my own personal version of tabs) and I can browse it at my leisure.
At this time of year, though, email marketers go into a bit of overdrive and that folder fills with 20 – 30 or more emails a day. The volume is not so much of a problem, but it can get annoying to try and find mail I want in all the crud from random vendors.
In some cases, I don’t even know who the company is or why they have my address. Today’s example was a florist in Maryland. Eventually I figured out I’d purchased from them back in 2007 to send flowers to a colleague when her mother passed away. Apparently, they’re doing so badly they need every dollar they can find.
What it does mean, though, is that I unsubscribe from more mail in December than I do through the rest of the year. I don’t mind the occasional mail, even weekly is no big deal. But when that frequency drastically increases, or someone has not bothered to mail me for 5+ years, I just don’t want that mail anymore.
Dana Perino used the term ‘unsubscribe Tuesday

Read More

The power of email marketing

Email is a helluva drug. That must be why I’m sitting here in a hotel room in Chicago where it’s minus something-a-lot outside and the roads are full of ice, salt and dingy snow.
It seemed like such a great idea at the time. Virgin America sent me an email advertising a 20% off sale for 20 hours. Al has been bugging us to come visit him in Chicago for months and I could get a storming deal on tickets. I poked around various websites and found a decent deal on a mini-suite at a hotel in downtown, just a block off Michigan Avenue.
It will be fun! The lights! Christmas Shopping! Maybe see some snow!
Well, we got the lights. We got to watch Christmas shoppers hurry along the avenue. We got to see the ice on the lake and throw snowballs. We even got to walk outside in a gentle snowfall on Saturday.
I realized, though, that I no longer have outerwear appropriate for midwest winters. I remember my years in Madison fondly, but I seem to have forgotten that I lived in 2 – 4 layers between September and March. I have forgotten that gloves and a scarf are not a fashion accessory, but are a necessity.
It was email marketing that reminded me of all that. And I have my fill of cold and snow and ice for a while.
Had a great time in the city, and Al was a wonderful host. But I’m ready to go back to my warm California, where as a friend of mine commented, “we keep the snow in the mountains where you can visit it.”

Read More

Unsubscribe preference centers

I unsubscribe from a lot of opt-in lists around this time of year. I’m generally unbothered by a couple emails a week from companies I’ve purchased from in the past. But, a lot of these companies drastically increase their volume mid-November. I may not be averse to 3 emails a week, but that absolutely does not mean I want 2 emails a day.

Read More

FAQ about opens and Gmail caching

I had hoped to blog about something else today, but this still seems to be a big concern for a number of people. There are a lot of questions running around, some of which we don’t have answers to, others of which we have answers based on some evidence.
It’s important to remember that we’ve seen Gmail roll things out and then roll things back and do phased transitions during deployment. What various people are reporting about images and caching and headers are accurate at the time they are tested. But they may not be accurate tomorrow or in a week or in a month.
I’ve also discovered through this process that a lot of different providers use significantly different image tracking in order to record image loads. Some of these techniques seem to be more resistant to Google’s new image loading process than others.
Why is this all so important?
Image tracking has become a fundamental part of email marketing. It’s something that can be measured, and so a lot of marketers evaluate the effectiveness of an email send based partially on open rate.
How does open tracking work?
For open tracking, ESPs inject a uniquely tagged image into the email. When the recipient opens an email and has images on, the email client calls to the sender server and asks the sender server for all the images in the email. When the tagged image is returned to the recipient, the server records an “open.”
How does caching break open tracking?
Caching means that only the first load of an image is provided by the sender’s server. Subsequent loads of an image are served by the caching proxy. Caching proxies are nothing new; they just haven’t affected email enough in the past for us to have to talk about it.
Why are some people reporting zero problems?
The first load of a unique image always happens. Some folks don’t measure repeat opens, so they’re not even noticing any changes in their reporting and thus are saying they’re seeing no problems.
What else is image tracking used for?
Image tracking can also be used for device detection by reading the “user-agent” string that each device returns. Gmail is currently rewriting the “user-agent” string, thus breaking all device detection. The string is unique enough that it would be possible to tag those opens as “opened through gmail web interface.” Gmail may decide to pass through the user agent in the future; the HTTP standard does allow for that.
Image tracking can also be used for geolocation. Some senders use the location of an IP address to return images relevant to a user’s location. The accuracy of geolocation is totally dependent on the accuracy of the IP to location database used; it is a best guess of the user’s location. Gmail is currently not passing through the user’s IP address when requesting the original image. I don’t expect them to start, given they also don’t reveal user IPs when Gmail web users send mail. This falls in the same category of privacy protection.
Is there a workaround?
I have heard of a few people claiming they have a fix. The problem is all of the fixes I have seen involve doing things that violate the HTTP RFCs. For instance, the “fix” or “workaround” discussed at E-Mail Marketing Tipps is to not send back an image at all. This is working now to track repeat opens, but Gmail may adapt and block this as well. It’s also possible that Gmail may decide people trying to “work around” Gmail’s cache should be blocked outright for violating the HTTP spec.
Where can I find more information?
Other blog posts on the issue, including research on what people have seen.
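The effect described in this FAQ can be modeled from the sender's side. The following is an added example, not code from the original post or from any provider: the class names, the proxy address and user-agent, the hostnames and the sample opens are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    url: str
    client_ip: str
    user_agent: str


@dataclass
class TrackingServer:
    """Sender-side image host: each request for a tagged image is logged as an open."""
    log: list = field(default_factory=list)

    def get(self, req):
        # The unique tag is the file name of the image, e.g. .../o/tok-alice.gif
        token = req.url.rsplit("/", 1)[-1].split(".")[0]
        self.log.append((token, req.client_ip, req.user_agent))
        return b"GIF89a"  # stand-in for the image bytes


@dataclass
class CachingImageProxy:
    """Hypothetical caching proxy: fetches each URL once, serves repeats from cache."""
    origin: TrackingServer
    proxy_ip: str = "192.0.2.200"                     # constructed address
    proxy_user_agent: str = "ExampleImageProxy/1.0"   # constructed string
    cache: dict = field(default_factory=dict)

    def get(self, req):
        if req.url not in self.cache:
            # The origin sees the proxy's address and user agent, not the recipient's.
            upstream = Request(req.url, self.proxy_ip, self.proxy_user_agent)
            self.cache[req.url] = self.origin.get(upstream)
        return self.cache[req.url]


# Constructed opens: (tracking token, recipient IP, recipient user agent).
OPENS = [
    ("tok-alice", "198.51.100.7", "DesktopMail/5.0"),
    ("tok-alice", "203.0.113.44", "PhoneMail/2.1"),   # same recipient, second device
    ("tok-alice", "198.51.100.7", "DesktopMail/5.0"),  # repeat open
    ("tok-bob", "198.51.100.90", "DesktopMail/5.0"),
]


def simulate(via_proxy, opens=OPENS):
    """Replay the opens and summarize what the sender's server recorded."""
    origin = TrackingServer()
    front = CachingImageProxy(origin) if via_proxy else origin
    for token, ip, ua in opens:
        front.get(Request(f"https://img.sender.example/o/{token}.gif", ip, ua))
    loads = {}
    for token, _, _ in origin.log:
        loads[token] = loads.get(token, 0) + 1
    return {
        "loads_per_token": loads,
        "client_ips": {ip for _, ip, _ in origin.log},
        "user_agents": {ua for _, _, ua in origin.log},
    }


if __name__ == "__main__":
    print("direct :", simulate(via_proxy=False))
    print("proxied:", simulate(via_proxy=True))
```

Unique opens survive the proxy (one load per token), while repeat opens, the recipient's IP address and the recipient's user-agent never reach the sender.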

Read More

More info about Gmail image caching

A lot of people are discussing the new Gmail image caching around the web.
This doesn’t yet appear to be rolled out across all of Google’s network, so some people in different parts of the world are reporting different behaviors. This is leading to a little bit of confusion, as folks are reporting things like seeing multiple opens for a single image. These reports are clearly accurate, but may only be an artifact of a slow rollout across the network.
There are a couple bullet points I think are important.

Read More

Gmail deploys image proxy servers

This afternoon Justin Foster of LiveClicker posted to the OnlyInfluencers list asking about Gmail rewriting links.

Read More

Private whois records hide spammers and help bring down a registrar

I’ve talked in the past about how many spam filters, ISPs and blocklists treat domains that are registered behind privacy protection. I’ve written about how many commercial domains behind privacy protection are used for fraud. I’ve written about multiple legal cases where the courts ruled against companies using privacy protected domains in email. I’ve even gone so far as to claim hiding domains behind privacy protection is what spammers do.
Legitimate email marketers do not hide their domains behind privacy protection services.
Spammers absolutely do hide behind privacy protection services. And because of how privacy protection works, we really don’t know which domains are used by one spammer versus another spammer. ICANN gave us a little bit of insight into just how many domains a spammer registers when they terminated Dynamic Dolphin (pdf link). This is a situation that has been brewing for most of 2013. I wrote about the notice of contract breach back in October. This morning Brian Krebs wrote a blog post saying that ICANN had terminated the agreement with Dynamic Dolphin for failing to cure the breach as noticed back in October.
If you read through the timeline, ICANN has some interesting information about privacy protected domains at Dynamic Dolphin. Data about privacy protected domains was requested from the very beginning.

Read More

Do Gmail tabs hurt email marketing?

Earlier this year, Gmail rolled out a new way for users to organize their inbox: tabs. Tabs were an attempt by Gmail to help Gmail users organize their mail, particularly programmatically generated email like social media alerts and marketing mail. While many of us took a wait and see approach, a number of email marketers took this as one of the 7 signs of the apocalypse and the end of email marketing as we know it.
Dozens of marketers wrote articles with such titles as “7 ways to survive Gmail tabs” and headlines that declared “Thanks to Gmail’s new tabs, promotional e-mails are now shunted off to a secondary inbox. If you rely on e-mail marketing, you should be worried.” Marketers large and small responded by sending emails to recipients begging them to move marketing mail out of the promotions tab and into the inbox.
A number of bloggers, reporters and marketers, myself included, tried to tame the panic. Not because we necessarily supported tabs, but because we really had no insight into how this would affect recipients interacting with email.
This week Return Path published a whitepaper on the effect of Gmail tabs on email marketing (.pdf link).
Not only did Return Path’s research show little negative effect of tabs, they actually saw some positive effects of tabs on how recipients interact with commercial email. Overall, the introduction of tabs in the Gmail interface may be an improvement for email marketers.

Read More

Hotmail having a bad day

Looks like Hotmail / Microsoft is having a rather bad day. Their DNS seems to be intermittent. While they were down a while ago they were returning SERVFAIL for some DNS lookups, including MX lookups.
For senders who have the DNS data in their recursive resolvers, this will have no impact. For senders who either don’t have the data cached or who have the data expire before the servers come back online there may be a transient increase in the number of bounces at Microsoft domains (Hotmail, Outlook, MSN.com, office365.com and the Microsoft corporate domains including microsoft.com and their other domains like xboxone.com).
 
 

Read More

Unsubscribing from spam, part 2

Yesterday I posted about why the reasons a lot of people give for not unsubscribing from spam are mostly wrong. Unsubscribing from spam doesn’t seem to confirm your address and it doesn’t seem to increase your spam load.
But does that mean you should unsubscribe from spam? I’m not sure about that.
I’ve been working on a project where I am unsubscribing from every message coming into one of my email addresses. Weeks into that process I’m not seeing a huge decrease in the amount of mail that address is receiving. In some cases I’m unsubscribing from the same senders multiple times a day and have been for close to 3 weeks.
While unsubscribing doesn’t increase your spam, I’m also not sure it decreases your spam, either. But I’ll have full data and numbers demonstrating that in a few more weeks.
What can have an effect on the amount of spam you get is complaining about spam, at least according to Brian Krebs.

Read More

Can someone explain to me…

What this disclaimer means?

You are receiving this email because you have a customer relationship or have opted-in to an email list managed by the Emailing Entity listed below. This email was not sent to you by the company or website identified in the offer above, for which we have a separate business relationship. We have represented to such company or website that we have the affirmative right to email you with an offer on their behalf.

Read More

Payday loan mail

Mickey has a great story of what happened when he gave a lead gen company his email address. Over 200 emails in 2 weeks from companies that seem unrelated to the signup company.
It’s this behavior by PayDay senders that causes their mail to be filtered and has caused many, many ESPs just to prohibit that kind of mail on their systems. It’s very much the ugly underbelly of email marketing.

Read More

GitHub signup

GitHub is a site where developers can share code with one another. It is widely used by open source developers. Their user base is made up of geeks and people who want a lot of control over their mailbox.
Their email signup process reflects the sensibilities of their market, without being difficult to manage or understand.

Read More

What happens when you apply for a PayDay loan

From NPR.
I’ve had clients over the years who were email marketing agencies selling leads to lenders. Their delivery is horrible, even when they’re doing all the “right things” for email. I’ve come to the conclusion that PayDay lenders are a lot like lawyers: “95% of them give the rest a bad name.”
PayDay loans are the one area where content trumps everything else, and so much of the content out there is bad, it can ruin delivery for everything. The NPR article speaks to why that is.

Read More

The Internet is for Spam

Eggs, ham, sausage and spam.
Some say the Internet is for porn; but you know that in truth the Internet is for spam. As communication technologies got cheaper, the cost of grabbing a megaphone and jamming it up against the aching ear-drums of an advertising-jaded public collapsed: Meanwhile, the content-is-king mantra of the monetization mavens gridlocked the new media in an advertising-supported business model. The great and the good of the Academy have been fighting a losing battle against the Anglo-Saxon hucksterization model for the past thirty years: But the sad truth is that the battle’s lost. The tide of war was turned in Beijing and New Delhi, when the rapidly industrializing new superpowers climbed on the MAKE MONEY FAST band-wagon and gave free reign to the free market, red in tooth and claw – just as long as the sharp bits were directed outwards. And today the entire world is still drowning in a sea of attention-grabbing unregulated unethical untruthful spamvertising.
Spam, ham, sausage and spam.
Rule 34, Charles Stross

Read More

Looking for message labs help?

There’s a common bounce error from the Message Labs’ filtering appliance that goes nowhere.

Read More

Getting spamcop summary reports

1) Create a spamcop account at http://www.spamcop.net/w3m?action=ispsignupform, once you get your password mailed to you, login to the account.
2) Request reports by clicking on “request reports” http://www.spamcop.net/mcgi?action=reqroute. Spamcop takes most formats of IP addresses that people normally use.
3) Reports will come in aggregate and look like:

Read More

This month in email: October 2013

What did we talk about in October? Let’s take a look back over this month.

Read More

Changes at Spamcop

Earlier this week some ESPs started asking if other ESPs have seen an uptick in Spamcop listings. The overwhelming answer (9 of 11 ESP representatives) was yes. I’ve also had clients start to ask me about Spamcop listings. All in all, there seem to be some changes at Spamcop that mean more senders are showing up on the Spamcop radar.
Luckily, Spamcop provides us some insight into their data processing. If you look at the current monthly volume graph, we can see some very interesting changes in data.

Read More

The DMA responds

Stephanie Miller has posted over on the DMA blog explaining just what went down with the mailing that got the DMA SBLed over the weekend.
Ken Magill has a pair of articles about the email from the DMA. Oops: DMA spams Spamhaus and others and What we can learn from the DMA.

Read More

Compromising a Mail Client

Your entire work life is in your work mail client.
All the people you communicate with – co-workers, friends, family, vendors, customers, colleagues.
Every email you send. Every email you receive. Any files you attach or receive.
If someone can compromise your mail client, they can see all that.
They can save copies of all your emails, data-mine them and use them for whatever purpose they like. They can build a view of your social network, based on who you exchange emails with, and a model of who you are, based on what you talk about.
That companies like Google do this for “free”, advertising supported webmail shouldn’t be much of a surprise by now – but your corporate email system and your work email is secure, right?
What if an attacker were to set up a man-in-the-middle attack on your employees? Install malware on their iPhone, such that all traffic were transparently routed through a proxy server controlled by the attacker?
Or they could use a more email-centric approach, configuring the compromised mail client to fetch mail from an IMAP server controlled by the attacker that took the employee’s credentials and passed them through to their real corporate IMAP server – that would let the attacker completely control what the compromised user saw in their inbox. As well as being able to read all mail sent to that user, they could silently filter mail, they could deliver new mail to the user’s inbox directly, bypassing any mail filters or security. They could even modify the contents of email on-the-fly – adding tracking links, redirection URLs or injecting entirely new content into the message.
Similarly, the attacker could route all outbound mail through a man-in-the-middle smarthost that copied the user’s credentials and used them to send mail on to their real corporate smarthost. As well as being able to read and modify all mail sent, the attacker could also use that access to send mail that masqueraded as coming from the user.
Sounds like the sort of thing you’d expect from criminal malware? Not quite. What I’ve just described is Intro, a new product from LinkedIn.
LinkedIn will be asking your users to click on a link to install a “security profile” to their iPhones. If they do, then LinkedIn will have total control over the phone, and will use that to inject their SMTP and IMAP proxies into your users’ mailstreams. The potential for abuse by LinkedIn themselves is bad enough – I’ve no doubt that they’ll be injecting adverts for themselves into the mailstream, and their whole business is based on monetizing information they acquire about employees and their employers. But LinkedIn have also been compromised in the past, with attackers stealing millions of LinkedIn user credentials – if they can’t protect their own users’ credentials, I wouldn’t trust them with your employees’ credentials.
You might want to monitor where your employees are logging in to your servers from – and suspend any accounts that log in from LinkedIn network space.
Edit: Bishop Fox has looked at Intro too, and come to similar conclusions. TechCrunch too.
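One way to run the login monitoring suggested above, as an added example that is not code from the original post: it scans Dovecot IMAP/POP3 login lines and Postfix SASL lines for successful authentications from a watched network. The watchlist uses RFC 5737 documentation ranges as placeholders (the post does not list the proxy's real address space), and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder watchlist: documentation ranges standing in for the third-party
# proxy's network space. Replace with ranges you have verified yourself.
WATCHED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")
]

# Dovecot successful login, e.g. "imap-login: Login: user=<a@b>, ..., rip=1.2.3.4, ..."
DOVECOT_LOGIN = re.compile(
    r"(?P<svc>imap|pop3)-login: Login: user=<(?P<user>[^>]+)>"
    r".*?\brip=(?P<ip>[0-9a-fA-F.:]+)"
)
# Postfix authenticated client, e.g. "client=host[1.2.3.4], sasl_method=..., sasl_username=a@b"
POSTFIX_SASL = re.compile(
    r"postfix/\S*smtpd\[\d+\]: \w+: client=\S*\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)


def parse_auth_event(line):
    """Return (service, user, ip) for a successful authentication, else None."""
    m = DOVECOT_LOGIN.search(line)
    if m:
        service = m.group("svc")
    else:
        m = POSTFIX_SASL.search(line)
        if not m:
            return None
        service = "smtp"
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    # Dual-stack listeners may log IPv4 clients as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return service, m.group("user").lower(), ip


def in_watched_space(ip, networks=WATCHED_NETWORKS):
    return any(ip.version == net.version and ip in net for net in networks)


def accounts_to_review(lines, networks=WATCHED_NETWORKS):
    """Map each account to the (service, source IP) pairs seen from watched space."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_auth_event(line)
        if event is None:
            continue
        service, user, ip = event
        if in_watched_space(ip, networks):
            hits[user].add((service, str(ip)))
    return {user: sorted(seen) for user, seen in hits.items()}


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
Oct 24 09:12:01 mx1 dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4121, TLS, session=<a1b2c3>
Oct 24 09:12:05 mx1 postfix/submission/smtpd[2211]: 4F1A2C3D: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.com
Oct 24 09:13:40 mx1 dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4130, TLS, session=<d4e5f6>
Oct 24 09:14:02 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS
Oct 24 09:15:17 mx1 dovecot: imap-login: Login: user=<Dave@example.com>, method=PLAIN, rip=::ffff:203.0.113.20, lip=192.0.2.10, mpid=4140, TLS, session=<g7h8i9>
""".splitlines()

if __name__ == "__main__":
    for user, seen in accounts_to_review(SAMPLE_LOG).items():
        print(user, seen)
```

An account that shows up here has had its password relayed through a third party, so review should include a credential reset as well as the suspension.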

Read More

The J.D. Falk award 2013

M3AAWG awarded the second J.D. Falk award today in Montreal. The winner was Gary Warner from the University of Alabama.
Gary has been involved in fighting abuse and online crime since the 1990s. He developed the Center for Information Assurance and Joint Forensics Research at the University. This is an education program that not only teaches students about online threats and how to fight them, but collaborates with both industry experts and law enforcement.
You can check out Gary at his blog or on twitter.
 

Read More

Experian selling data to identity thieves

If you’re not following or reading Brian Krebs, you should be. He does some of the best investigative reporting in the email, security and internet space. Today’s blog post is a disturbing look into the data selling and identity theft industries. Brian details evidence that shows Experian (yes, that Experian) has been selling consumer data to identity thieves.
 
 

Read More

Misdirected email


While this does seem to be more common with gmail addresses, it’s not solely limited to gmail. I’ve written about this frequently.

Read More

Everything leaks eventually

We have a role address we use to receive support requests from users of our Abacus ticketing system – they’re typically abuse or security desk administrators at ISPs or ESPs, inside corporate firewalls and protected by multiple layers of security and malware protection.
We’ve been using it since around 1997, so we’ve had a good, spam-free run, but in the past few days it’s started receiving botnet originated malware.
If you give an email address to other people, eventually it’ll leak and start receiving spam and malware.

Read More

Looking for some experiences…

… with emailreg.org. A client of mine asked today if it was worth registering domains with emailreg.org as a whitelisting process. I’ve asked a few delivery folks for their feedback, but I was wondering what the broader email community thought. Does registering there help delivery to domains behind Barracuda processes? Drop me a line on our contact page or add your experiences in the comments.
I normally reject comments with fake or forged email addresses. Because this may be sensitive and some commenters may want to be anonymous, I’ll let anonymous comments through if they’re clearly not forging someone else’s address.

Read More

No, I'm really not Christine

Got this to one of my accounts recently.

Congratulations and welcome to emailinform.

Read More

SORBS – back soon

If you’ve tried to get an address delisted from SORBS this week you’ll have found that their site is degraded, and there’s no way to request delisting.
They’ve been dealing with some very nasty database / hardware problems and while they’re fixing those the externally visible SORBS services are running in a read-only mode (where the list is published, but IP addresses can’t be added or removed).
The migration to new infrastructure is going well, and unless something unexpected happens I’d guess they’ll be running normally some time tomorrow.

Read More

Happy Sweet 16, Yahoo.

Yahoo mail turns 16 today, and in celebration Yahoo is giving all their mail users presents.

Read More

Delivery is about helping you succeed

I was talking with another delivery person today who’s dealing with a customer struggling with some issues. As most of these discussions go, we get to the part where we have to tell the customer that what they’re doing looks problematic from the outside. And then the customer gets all upset and angry and starts complaining to account reps or managers or executives.
The challenge of delivery is working with clients who don’t want to hear they have to change what they’re doing. Some senders deflect better than a 3 year old caught with her hand in the cookie jar.
I think all of us in the delivery space, or at least most of us, want our customers and clients to succeed in their email goals. We want you to have a great mailing program. But when your delivery is having problems, getting to a great mailing program means doing something differently.
These changes can be hard, both in terms of thinking differently about email and how it works and about business models. Some business models make it extremely difficult to use emails. We understand that. We don’t make the rules, we just explain them.
We want your mail to work.

Read More

TWSD: Pretend they're following the law, when they're not

This message is sent in compliance with the new email bill section 301. Under Bill S.1618 TITLE III passed by the 105th US Congress, this message cannot be considered SPAM as long as we include the way to be removed, Paragraph (a)(c) of S.1618, further transmissions to you by the sender of this email may be stopped at no cost to you by sending a response of “REMOVE” in the subject line of the email, we really will remove you immediately.

Read More

When did you check your security last?

A few years ago security and breach protection was all the topic of the day in the email space. There were some high profile break ins at ESPs and data companies and everyone was looking at their security. Companies were vocal and public about their security enhancements. Many in the email industry even used the term “advanced persistent threats.”
Security seems to have taken a back seat to Yahoo releasing user names, and Gmail introducing tabs in the inbox and all the myriad of tiny details that we feel we have some control over.
But security still should be at the forefront of our minds. Just today Adobe announced a major compromise resulting in both a customer information leak and a source code theft.
It serves as a reminder to all of us that security threats are ongoing and we cannot become complacent.

Read More

This month in email: September 2013

Looking back through the month of September there were a couple things talked about on the blog.

Read More

Google wiretapping case, what the judge ruled

Yesterday I reported that the judge had ruled on Google’s motion to dismiss. Today I’ll take a little bit deeper look at the case and the interesting things that were in denial of the motion to dismiss.
Google is being sued for violations of federal wiretapping laws, the California invasion of privacy act (CIPA) and wiretapping laws in Florida, Pennsylvania and Maryland. This lawsuit is awaiting class certification for the following groups.

Read More

Judge sides with plaintiff, refuses to dismiss wiretapping suit against Google

Judge Koh published her ruling on Google’s motion to dismiss today.
It’s a 43 page ruling, which I’m still digesting. But the short answer is that Google’s motion was denied almost in total. Google’s motion was granted for two of the claims: that email is confidential as defined by the California Invasion of Privacy Act (CIPA, section 632) and dismissal of a claim under Pennsylvania law.

Read More

Yahoo trying to cope with misdirected email

Techcrunch says Yahoo is announcing a new “this is not me” button for email sent to recovered addresses.

Read More

Recycled Yahoo addresses and PII leaks

Infoweek interviewed a number of people who acquired new Yahoo addresses during Yahoo’s address recycling and reuse process. It seems that at least for some small percentage of former Yahoo users, there is a major risk of information going to the wrong people.

Read More

Does mail volume contribute to blocking?

There are two extreme opinions I see among marketing agencies and email senders when it comes to volume.
One group seems to think that volume alone triggers blocks. Another group thinks volume never affects delivery.
As with many things in delivery, reality is at neither extreme.
Sending lots of mail isn’t the problem. Sending lots of mail your recipients aren’t interested in getting is the problem. Last year during the US political elections the Obama campaign, for instance, sent lots and lots of mails. Their list was an order of magnitude larger than the Romney campaign and there were days they were sending 10s of mails per subscriber. It was a deluge. But they were smart, and they did a lot of data mining and they did it in a way that got recipients to act on the mail. That mail was a deluge, but it was a wanted deluge by most of the receivers.
For a lot of vendors, too, increasing volume does increase response and revenue and all the things you want to drive with email marketing. But there will be people who don’t like the increase in volume. If they’re not valuable customers, no great loss. If they are valuable customers, then the increase in volume may drive a decrease in revenue.
In terms of inbox delivery, it’s not the volume, it’s how wanted the mail is. Send wanted, interesting and engaging mail, and you can send dozens of times a day.
No, volume alone doesn’t contribute to delivery problems.

Read More

SpamArrest Loses in Court

Internet law expert Eric Goldman points out that winning anti-spam lawsuits is hard. SpamArrest just learned that the hard way, he explains. If you weren’t aware, SpamArrest (whose website proclaims “SPAM ARREST WORKS!”) is a vendor of a Challenge/Response-based anti-spam filtering system. The way that works is, if you’re using a C/R-based system, any time somebody sends you an email, the system sends the person back a “challenge” email that the sender must now respond to, usually by clicking on a link. By engaging in this “response,” the sender is proving that they’re not a robot. The theory being that by doing so, the sender must not be a spammer.
It’s a flawed system, for multiple reasons. First, the internet is global, and it’s possible for bad guys to very cheaply hire people from a far away land to click these links all day long, every day. Even worse, legitimate senders aren’t going to take the time to bother to click through these links; they’re going to write it off as too time intensive. Do you really think Amazon is going to bother responding to challenge requests, to push through your shipping notification? For years, I’ve been telling senders to ignore C/R challenge emails, because it’s a self resolving problem, those people don’t want to receive emails, so let those people not get their emails.
Even worse than that, those of us who actually care about the email ecosystem find C/R abhorrent because of its inherent backscatter problem. Spammers forge sending addresses. C/R systems send challenge emails back to those forged sending addresses. Thus, unrelated people often receive C/R challenge emails, when they didn’t even initiate the original message. It doesn’t solve the spam problem; it just exchanges spam mail for misdirected junk mail.
I’m not a fan of SpamArrest, but I’m also not a fan of anything that makes it hard to use legal means to go after people sending unsolicited email. So my emotions are mixed on this one.
Regardless, I wouldn’t be happy if I were one of the 600 SpamArrest users who received the alleged spam message in question. And with regard to the rest of their users, I worry that bad guys will now interpret the court’s ruling as making it acceptable to set up “C/R approval farms” and respond to every challenge message received. This would seriously undermine both SpamArrest’s business strategy and anti-spam strategy. And to the rest of the anti-spam community, allow me to echo something Eric says in his article: Anti-spammers don’t win in court just by showing up.

Read More

ISP Relationships

Delivra has a new whitepaper written by Ken Magill talking about the value (or lack thereof) of relationships with ISPs. In Ken’s understated way, he calls baloney on ESPs that claim they have great delivery because they have good relationships with ISPs.
He’s right.
I get a lot of calls from potential clients and some calls from current clients asking me if I can contact an ISP on their behalf and “tell the ISP we’re really not a spammer”. My normal answer is that I can, but that there isn’t a place in the spam filtering process for “sender has hired Laura and she says they’re not a spammer.” I mean, it would be totally awesome if that was the case. But it’s not. It’s even the case where I’m close friends with folks inside the ISPs.
I’m pretty sure I’ve told the story before about being at a party with one of the Hotmail ISP folks. There was a sender that had hired me to deal with some Hotmail issues and I’d been working with Barry H. (name changed, and he’s not at Hotmail any more) to resolve it. During the course of the party, we started talking shop. Barry told me that he was sure that my client was sending opt-in mail, but that his users were not reacting well to it. He also told me there was no way he could override the filters because there wasn’t really a place for him to interfere in the filtering.
Even when folks inside the ISPs were willing and able to help me, they usually wouldn’t do so just because I asked. They might look at a sender on my request, but they wouldn’t adjust filters unless the sender met their standards.
These days? ISPs are cutting their non-income producing departments to the bone, and “sender services” is high up the list of departments to cut. Most of the folks I know have moved on from the ISP to the ESP side. Ken mentions one ISP rep that is now working for a sender. I actually know of 3, and those are just employees from the top few ISPs who are now at fairly major ESPs. I’m sure there are a lot more than that.
The reality is, you can have the best relationships in the world with ISPs, but that won’t get bad mail into the inbox. Filters don’t work that way anymore. That doesn’t mean relationships are useless, though. Having relationships at ISPs can get information that can shorten the process of fixing the issue. If an ISP says “you are blocked because you’re hitting spam traps” then we do data hygiene. If the ISP says “you’re sending mail linking to a blocked website” then we stop linking to that website.
I have a very minor quibble with one thing Ken said, though. He says “no one has a relationship with Spamhaus volunteer, they’re all anonymous.” This isn’t exactly true. Spamhaus volunteers do reveal themselves. Some of them go around openly at MAAWG with nametags and affiliations. A couple of them are colleagues from my early MAPS days. Others do keep their identities secret, but will reveal them to people they trust to keep those identities secret. Or who they think have already figured it out. There was one drunken evening at MAAWG where the nice gentleman I was joking with leaned over and said “You know I am elided from Spamhaus, right?” Uh. No? I didn’t. I do now!
But even though I have the semi-mythical personal relationship with folks from Spamhaus, it doesn’t mean my clients get preferential treatment. My clients get good advice, because I know what Spamhaus is looking for and can translate their requirements into solid action steps for the client to perform. But I can think of half a dozen ESP delivery folks that have the same sorts of relationships with Spamhaus volunteers.
Overall, relationships are valuable, but they are not sufficient to fix inbox delivery problems.

Read More

Questions on Google lawsuit post

A couple questions in the previous discussion thread about the Google privacy case. Both concern permission granted to Google to scan emails.
Google’s stance about this is fairly simple.
Gmail users give explicit permission for their mail to be scanned.
People who send mail to Gmail users give implicit permission for their mail to be scanned.
The plaintiff’s lawyers are alleging that some subset of Gmail users – specifically those at Universities that use Google Apps and ISP customers like CableOne – did not give explicit permission for their mail to be scanned by Google. They’re also arguing no senders give permission.
In addition to the lack of permission, the plaintiff’s lawyers are arguing that Google’s behaviour is in violation of Google’s own policies.
Google thinks scanning is part of the ordinary course of business and they’re doing nothing wrong.
This is an interesting case. I think anyone who knows about email understands that the people who run the mail server have the ability to read anything that goes through. But a lot of us trust that most postmaster and admin types consider it unprofessional to look at mail without a decent reason. There are good reasons an admin might need to go into a mail spool.
Automated filtering is simply a part of life on the internet these days. Mails have to be scanned for viruses, spam and, yes, they are scanned for targeted advertising. I’m not convinced Google is outside the norm when they say that any emails sent through Google are personal information given to Google and therefore Google can use that information in accordance with their policies.

Read More

Patent trolling, meet RPost

Yesterday I mentioned Ubicomm and their patent trolling based on an ancient Xerox patent they acquired earlier this year. I think the mere fact that Xerox sold the patent says all we need to know about how applicable it is.
The other patent troll in the email space right now is RPost. Steve did a blog post about RPost patent trolling about a year ago.
This summer, RPost’s legal team started calling different companies in the email space. I got a call the first week in July. After introducing himself as their lawyer and reassuring me he was not sending me legal threats, he started to ask all sorts of questions about our technology. I declined to answer any of them.
The lawyer then said he had some paperwork to send me and asked for an email address. I told him we do not accept legal service by email and that he could send me any relevant paperwork to our address of record. If I had any questions about RPost having a real product, it was answered when the lawyer didn’t tell me that RPost technology is all about secure delivery of legal papers.
Others in the email space started reporting similar calls and letters from RPost around the same time.
It’s been 2 months (almost to the day) since RPost’s lawyer called me and we have yet to receive anything from them. Clients of mine, however, have received papers from RPost. The papers instruct recipients to read RPost’s patents and notify RPost if they are infringing.
Yes, RPost are such cheapskates they expect their target companies to do the work identifying any potential infringement. Or possibly it’s just that they have so little money they can’t afford to pay their legal team. Certainly my experience is that telling them to send us postal mail is enough expense? time? to stop them from moving forward.
My recommendations to anyone receiving a letter from RPost (or anyone else claiming patent infringement) are pretty simple.

Read More

Flush your DNS cache (again)

This time it appears that DNS for major websites, including the NY Times, has been compromised. Attackers put in DNS entries that redirected visitors to a malware site. The compromise has been fixed and the fake DNS entries corrected.
However, people may still have the old data in their DNS caches and security experts are suggesting everyone flush their DNS cache to make sure the fake data is gone.
The Washington Post has an article explaining DNS hijacking.

Read More

Yahoo releases user names

According to TechCrunch, Yahoo has started notifying people if their desired username is available. For users who asked for names that aren’t available now, Yahoo has a solution. They will be keeping wishlists for users for the next 3 years. If those usernames are abandoned and expire, Yahoo will notify people by email.
Any sender using email as an account key (either for resetting passwords or granting access) should be careful about releasing accounts to Yahoo users. Yahoo has established a new header type (Require-recipient-valid-since, currently going through the IETF standards process) to minimize the chance that the wrong people get access to other accounts tied to a recycled mailbox.
Those of us who didn’t put in some addresses can create username wishlists, too; we’re just going to pay $1.99 for the privilege.

Read More

Spam illustrated

Portraits of Spammers
It’s been a long week, so enjoy some art (and spam). Next week we’ll get back to discussing the many faults of Gmail. And senders. And receivers. And, well, everyone has faults. And email is Dead. Tabs killed it.

Read More

Gmail tabs … good for marketers?

It appears to be Google’s turn as the subject of most of my blog posts these days.
Consumerist had a post up today talking about the new Gmail tabs. Interestingly enough, they’re quoting an Ad Age article that says the new tabs are not hurting engagement.

Read More

Lavabit shuts down

Lavabit is a secure mail system. Today their CEO announced he was shutting down the service immediately.

Read More

Are the new Gmail ads email?

I’ve seen lots of opinions over the last few weeks about whether or not the new ads in the Gmail promotions tab are email or not.

Read More

Ads in the Gmail Tabbed Inbox

One of the features of the new Gmail tabbed inbox is email-like ads placed by Gmail.

Read More

Inbox challenges and dull email in the tabbed inbox

Getting to the inbox is becoming a greater and greater challenge for many marketers. According to Return Path, 22% of opt in mail doesn’t make it to the inbox.
The challenge to marketers is that a lot of opt in mail isn’t important to the recipient. Sure, they’re happy enough to get it if they notice it, but if it’s not there then they don’t care. They’ll buy from an email ad, but it might not be something they’ll seek out. Recipient behaviour tells the ISPs that the mail isn’t all that important, and a lot of it is just background noise so the ISP not delivering it to the inbox doesn’t matter.
Email marketing is like the Girl Scout of the Internet. If the Girl Scout shows up at your doorstep, you’re probably going to buy those 3 boxes of thin mints. But if she doesn’t, that’s OK. If you really want the cookies, you’ll find the co-worker who is taking orders for his daughter. Or you’ll find the table outside the local coffee shop. The Girl Scout showing up on your doorstep makes it more convenient, but she’s not critical to get your fix. Of course, the bonus of the Girl Scout on the doorstep is that a lot of people who won’t go find the cookies will buy when she’s on the doorstep.
A lot of email marketing triggers purchases that recipients would make anyway. They think they might want a particular product, and when they get that coupon or discount or even just a reminder they make the purchase. The email triggers the purchase of a product the buyer intends to purchase anyway. Some email marketing trigger purchases of things the recipient didn’t know existed, but is so enticing after one email they can’t live without. Some email marketing triggers an impulse purchase. In most of these categories, if mail doesn’t show up in the inbox, the recipient really doesn’t miss it.
Many marketers, despite loud protests that all their mail is important and wanted, know this. That’s why so many marketers are having conniptions about the new Gmail tabbed inbox. They’re losing access to the impulse.
From the data I’ve seen, tabs are affecting email marketing programs. Some programs are seeing more revenue, some are seeing less. I think it really remains to be seen what the long term effects are. For many recipients the new tabbed inbox is a new way to interact with their email. Change is hard, and there is a period of adaptation whenever an interface changes. We really don’t know what the long term effect of tabs on sales will be. Sales may go back to previous levels, sales may increase over previous levels, sales may decrease from current levels or sales may stay at their current levels. The full effect isn’t going to be obvious for a while.
It does mean, though, that email marketers need to step up their game. Email marketing in the age of a tabbed inbox might be less about the impulse purchase and more about cultivation and long term branding.

Read More

Too much email on the brain

Last night I was cruising through our local news website. I see the headline New SPF guidelines coming our way.
My first thought was, “Wow, SPF made the paper?” Now, I live in the SF Bay area so there are a lot of technology related stories that hit our paper which might not see the light of day in other areas. But, still: new SPF guidelines hit the local paper before I’ve heard about it? That seems a little strange.
Then I notice that it’s in the “Living” section. That’s even stranger.
Oh, well, if there’s new SPF stuff, I’d better click and see what is going on with SPF. The internal headline is Beauty Tuesday: New SPF guidelines accompanied by a picture of sunscreen. It was only then I realized it wasn’t about sender policy framework but was about sun protection.
A bit of a Picard facepalm moment for me.
Happy Friday, everyone.

Read More

Return Path releases inbox benchmark study

Earlier this week Return Path released their quarterly inbox placement benchmark study, and the results aren’t good.
According to this data, 22% of opt-in emails are not making it to the inbox. An interesting note is that 25% of email from social networks never makes it to the inbox. This is a challenge for social networks, but I’m not sure many individuals care. For a lot of people, if they don’t get mail from a social network it doesn’t really matter. They’ll either log into the network and get it, or they’re not really engaged with the network. And, when networks try to increase the amount of mail they send, that can turn into a problem as well.
Overall, the failure of mail to get into the inbox is a problem for senders. The underlying issue is that ISPs want to deliver mail the recipient wants. But much of the email out there, including marketing and social network updates, is mail the recipient is fine with getting, and equally fine with not getting.

Read More

SNDS News

A number of people have mentioned over the last week or so that they’re seeing a lot of outages, failures and general ickiness with SNDS. I contacted Microsoft and asked about it. SNDS has been undergoing some upgrades and improvements and the outages were not intended to be end user visible. They’re going to keep a closer eye on things, while they finish the upgrades.
The good news in all of this is that SNDS is being upgraded and maintained. SNDS is still a functioning part of the Microsoft infrastructure, and this is good news for anyone who uses it as a data source.

Read More

New unsubscribe methods in the news

The folks at The Daily Show, who brought us the wonderful term “High Volume Email Deployer” so very long ago, are once again leading the way in new unsubscribe technology. Unsubscribe by television.

Meanwhile, the folks at The Daily Mash have a different unsubscribe suggestion.

Read More

VerticalResponse acquired

The acquisition of email service providers continues. Last week Deluxe (yes, the check printing people) acquired Vertical Response. They appear to be positioning themselves to improve their collection of business services to include email marketing.

Read More

One letter off…

I’m working on a blog post about the new Gmail tabbed inbox and the messages Gmail is inserting into the promotions tab. The messages aren’t showing up on most of my accounts, so I logged into an infrequently used account of mine. Ads are there, I got my screenshots and some data about the behaviour of the messages. So far so good.
I also discovered that at least two other women are using my address. One of them apparently ordered a bunch of wedding stuff from David’s Bridal shop using my email address. I hope Kirstie got her special order in time.
The other case is more interesting. I found dozens of emails in my inbox from what appeared to be friends including me in their email forward chain.
The Comic Sans. The FW:FW:FW:FW:FW subject lines. The horribly drawn cartoons. The inspirational messages. The prayer requests. The invites to bridge night. The followup demands that I reply to their invites for bridge night. The sad emails that I didn’t go to bridge night. There were emails from grandchildren. Questions about where I’d been and if I moved. Prayer chains. The messages go on and on.
Looking back through my inbox, this has been going on since sometime late in 2012. (Told you this was an infrequently used account). I looked and looked and I think I figured out what happened. A woman named Helen appears to have an email address one letter off from mine (string@ vs stringsstring@) and one of her church friends tried to reply to her and dropped the ‘s’ from the email address. Once she did that, everyone else just kept hitting “reply all” and are including me in their forward chain.
It’s not commercial, it’s not spam. It’s just a bunch of people mistyping an email address and sending mail to someone they don’t know. I’m kinda glad it was a bunch of church ladies rather than Carlos Danger sending … well… Carlos Danger type messages.
People get email addresses wrong sometimes. It happens (ask me about the time I almost got my mailserver blocked because I mistyped an address while sending mail to a blocklist maintainer and hit a trap address by mistake…). The problem is that it can overwhelm an uninvolved person’s mailbox, even when it’s not commercial. Sure, if I was logging in to this account more often I’d probably have shut it down, but if they were paying attention they would have realized Helen is never replying to anything they send.
I kinda feel the same about commercial mailers that send me mail over and over and over again. I never open it, I never reply to it, I never respond to it. I wonder if there is actually anyone sending the mail, or if there’s just a lonely mailserver bricked up in a wall somewhere continually sending out spam.
Don’t be the bricked up server in the wall. Pay attention to what your recipients are doing.

Read More

Spamhaus answers marketer questions

A few months ago, Ken Magill asked marketers, including the folks at Only Influencers, to provide him with questions to pass along to Spamhaus. Spamhaus answered the first set in March, but then were hit with the Stophaus attack and put answering further questions on hold. Last week, they provided a second set of answers and this week they provided a third.
Nothing in there is surprising, but it’s worth folks heading over and reading.
There are a couple useful things that I think are worth highlighting.
When discussing spamtraps and how Spamhaus handles the traps.

Read More

Growing your list carefully

Karl Murray wrote a great set of recommendations for growing an email marketing list. I really can’t think of anything I would have said differently. Touching customers and getting contact information from them is great, but there are situations where this gets bad addresses. Too many bad addresses can impact delivery.
So how do you grow your list without falling into a delivery trap? The specific recommendations, as always, depend on your specific situation. But knowing how bad addresses get onto your list will allow you to implement mitigation strategies that actually work.

Read More

Sending mail to the wrong person, part eleventy

Another person has written another blog post talking about their experiences with an email address a lot of people add to mailing lists without actually owning the email address. In this case the address isn’t a person’s name, but is rather just what happens when you type across rows on the keyboard.
These are similar suggestions to those I (and others) have made in the past. It all boils down to allowing people who never signed up for your list, even if someone gave you their email address, to tell you “This isn’t me.” A simple link in the mail, and a process to stop all mail to that address (and confirm it is true if someone tries to give it to you again), will stop a lot of unwanted and unasked for email.

Read More

Barracuda filters clicking all links

Earlier this month I mentioned that a number of people were seeing issues with multiple links in emails being clicked by Barracuda filters. I invited readers to contact me and provide me with any information or evidence they had. Not only did a number of senders contact me, but one of the support reps at Barracuda also contacted me.
At issue is a part of the Barracuda email filter called the intent filter. There are 3 different modules to this filter.

Read More

TWSD: Mail known spam trap addresses

One of the things we all “know” is that if spammers get their hands on spamtrap addresses then they’ll stop sending mail to those addresses. This is true for a lot of spammers, but sadly it’s not true for all.
I don’t think it’s any secret that I consult for all types of mailers, from those who just need a little tune up to those who want me to help them avoid filters and blocking. During some of these consulting projects, I use my own spam folder as research and provide information on the spam that I am receiving from them.
A few years ago I was working with a company who hires a lot of different affiliates to send acquisition email. A few of their affiliates had really poor practices and they were trying to figure out which affiliates were the problem. I handed over a number of mails from my personal spam traps, in order to help them identify the problem affiliate.
I told them, and their affiliate, what my spamtrap addresses were. And, for many years I stopped receiving that particular spam. But, over the last few weeks I’ve seen a significant uptick in spam advertising my former client.
I’m certainly not trying to convince anyone that handing over spamtraps is a good thing. But there is at least some evidence out there that they’re not even competent enough to permanently remove traps. I really have to wonder at how sloppy some marketers are, too, that they’ll hire spammers and not at least hand over a list of addresses they know are bad addresses to mail.
I really thought spammers were smarter than that. I am, apparently, wrong.
EDIT: Of course, mailing this spamtrap gets them nothing but a little ranty blog post here. It doesn’t result in blocking, or disconnection from their ISP or their ESP or anything else. I suspect if there was actually an effect, like, say, I started forwarding this mail to Spamhaus or other filtering companies, they might stop mailing this address. Anyone want a 20 year old, slightly used spam trap?

Read More

A new twist on confirmation

I got multiple copies of a request to “confirm my email address” recently. What’s interesting is the text surrounding the confirmation request.

Read More

Happy 4th of July

Judging by my inbox and the spam filter here on the blog spammers have taken the week off. We’re mostly following suit here, and I won’t be blogging the rest of the week.
To all my fellow American residents, enjoy the day off and the fireworks. Be careful if you are setting some off and live in a dry area, fires are scary.

Read More

Strangers, connections and social media

One of the major challenges of social media is letting people connect with folks they don’t know while preventing abuse. Most of the major social networks are trying.
Let’s look at LinkedIn and the tools they give users to stop abuse. Overall, they are pretty good about stopping their platform from being abused, but don’t have many processes to stop folks from harvesting connection addresses off LinkedIn and then adding those addresses to marketing lists. Does it happen frequently? No. But it does happen.
I have a pretty liberal “accept an invite” policy on LinkedIn. If people want to connect with me there and they have real profiles and they’re in a relevant space, I generally accept their invites. This means there are times when I connect with people I don’t know. I’m OK with this, LinkedIn is a great way to meet and interact with colleagues. It also means that sometimes people connect with me, take my information and add it to their marketing lists.
This morning I got an invite from Greg Williams. The name and profile looked like one I’d seen before, so I dug through my mail to see why this raised my hackles. I figured it out. Greg is president of some Tucson area scholarship fund. A year or so ago he decided to ask all his LinkedIn connections to donate thousands of dollars to his non-profit. I decided this was not a connection I really needed on LinkedIn and removed him.
I don’t really have a connection with Mr. Williams. We didn’t go to the same schools, we don’t work in similar fields. LinkedIn tells me that we have two connections in common. I know nothing about him except that the last time I connected with him on LinkedIn he decided to take this as an invitation to spam me with money requests for his foundation. A foundation he didn’t really tell me anything about other than “we give money for scholarships.”
Even more crazy is that Mr. Williams sent me an invite that says “I trust you and I’d like you to be part of my LinkedIn network.” I’m not sure who you are or who you think I am, but I don’t think you know me well enough to trust me.
I’m not against reconnecting with Mr. Williams again, but I want to be sure he understands that just because we connect on LinkedIn doesn’t mean I want to be added to his begging list. I looked for a way through LinkedIn to send Mr. Williams a response. But I can’t. My two choices are to ignore him or report spam. I think I’ll ignore him, for now.
One thing LinkedIn does to stop this problem is get feedback from users. When I click Ignore on the invite I get the opportunity to tell LinkedIn “I don’t know this person.” Hopefully, telling them I don’t know this person will stop future invites.
Social networks are a great thing and allow people to connect and create communities and interact with one another. Stopping users from abusing other members of the network is an important part of that community building framework.

Read More

Barracuda clicking all links in emails

A number of people have asked me recently if I know anything about appliances clicking all the links in emails. Some of those people have asked specifically about Barracuda, some have just asked if I knew of any filters that clicked links.
The answer is, yes, there are cases where spam filters have followed all the links in an email. One of the filters that I know has done this in the past is Barracuda. Based on discussions with the different people who are reporting this behavior, it does seem that this is happening more often. One person did mention that they were primarily seeing this with mail where the click domains were different from the From: domains.
I’m still working on getting more information from folks, and will update if I hear anything more. I’m also working on some advice for folks who get caught in this.
If you have experience with Barracuda (or other spam filters) clicking all the links in an email, drop me an email (contact)

Read More

Yahoo retiring user IDs: why you shouldn't worry

A couple weeks ago, Yahoo announced that they were retiring abandoned user IDs. This has been causing quite a bit of concern among email marketers because they’re not sure how this is going to affect email delivery. This is a valid concern, but more recent information suggests that Yahoo! isn’t actually retiring abandoned email addresses.
You have to remember, there are Yahoo! userIDs that are unconnected to email addresses. People have been able to register all sorts of Yahoo! accounts without activating an associated email account: Flickr accounts, Yahoo groups accounts, Yahoo sports accounts, Yahoo news accounts, etc. Last week, a Yahoo spokesperson told the press that only 7% of the inactive accounts had associated email addresses.
Turning that around, 93% of the accounts currently being deactivated and returned to the user pool have never accepted an email. Those addresses will have hard bounced every time a sender tried to send mail to that address.
What about the other 7%? The other 7% will have been inactive for at least a year. That’s a year’s worth of mail that had the opportunity to hard bounce with a 550 “user unknown.”
If you’re still concerned about recycled Yahoo userIDs then take action.

Read More

Timely and appropriate mail

I woke up this morning to exploding Twitter and FB feeds with lots of friends cheering the defeat of DOMA and Prop 8. Apparently some companies are getting into the act as well.
(Behind a cut because some of this may be slightly NSFW in some places)

Read More

Spammers already abusing Vine

Spammers have already figured out how to abuse the new Twitter video service (VINE) to make money. I wish I could say I was surprised, but spammers (and scammers) are some of the earliest adopters of technology out there. They adopt it and try to extract as much money as possible before the property owners can catch up and implement anti-abuse technology.
Too few companies actually build products with anti-abuse technology built in. This costs them and the victims money.

Read More

Fake DNSBLs

Spamhaus recently announced a few years ago that they have discovered a company that is pirating various blocklists, relabeling them and selling access to them. Not only is the company distributing the zones, they’re also running a “pay to delist” scheme whereby senders are told if they pay money, they’ll be removed from the lists.
The fake company does remove the listing from the fake zones, but does nothing to remove the IP from the original sender. This company has been caught in the past and was blocked from downloading Spamhaus hosted zones in the past, but have apparently worked around the blocks and are continuing to pirate the zone data.
It’s not clear how many customers the blocklist has, although one ESP rep told me they were seeing bounces referencing nszones.com at some typo domains.
No legitimate DNSBL charges for delisting. While I, and other people, do consult for senders listed on the major blocklists, this is not a pay for removal. What I do is act as a mediator and translator, helping senders understand what they need to do to get delisted and communicating that back to the blocklist. I work with senders to identify good, clean addresses, bad address segments and then suggest appropriate ways to comply with the blocklist requirements.

Read More

What is a dot-zero listing?

Some email blacklists focus solely on allowing their users to block mail from problematic sources. Others aim to reduce the amount of bad mail sent and prefer senders clean up their practices, rather than just blocking them wholesale. The Spamhaus SBL is one of the second type, using listings both to block mail permanently from irredeemable spammers and as short term encouragement for a sender to fix their practices.
All of a blacklist’s infrastructure – and the infrastructure of related companies, such as reputation monitoring services – is based on identifying senders by their IP addresses and recording their misbehaviour as records associated with those IP addresses. For example, one test entry for the SBL is the IP address 192.203.178.107, and the associated record is SBL230. Because of that they tend not to have a good way to deal with entities that aren’t associated with an IP address range.
Sometimes a blacklist operator would like to put a sender on notice that the mail they’re emitting is a problem, and that they should take steps to fix that, but they don’t want to actually block that sender’s mail immediately. How to do that, within the constraints of the IP address based blacklist infrastructure?
IP addresses are assigned to users in contiguous blocks and there’s always a few wasted, as you can’t use the first or last addresses in that range (for technical / historical reasons). Our main network consists of 128 IP addresses, 184.105.179.128 to 184.105.179.255, but we can’t put servers on 184.105.179.128 (as it’s our router) or 184.105.179.255 (as it’s the “broadcast address” for our subnet).
So if Spamhaus wanted to warn us that we were in danger of having our mail blocked, they could fire a shot across our bow without risk of blocking any mail right now by listing the first address in our subnet – 184.105.179.128 – knowing that we don’t have a server running on that address.
For any organization with more than 128 IP addresses – which includes pretty much all ISPs and ESPs – IP addresses are assigned such that the first IP address in the range ends in a zero, so that warning listing will be for an address “x.y.z.0” – it’s a dot-zero listing.

Read More

DMARC: Please Be Careful!

(Cross posted from Spam Resource.)
Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers — I’ve stopped digging those messages out of the spam folder. I’m figuring that if they can’t figure out how to implement a DMARC record, or they don’t understand that it’s not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they’ve got some things they’ve got to figure out before they’re ready to join the discussion.
To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.

Read More

Just… make it stop

It used to be when I’d send in a complaint to an ESP, I’d want them to take it seriously. To actually fix their customer problems. To stop their customers from spamming. To fix the broken process that resulted in their customer thinking I asked for email.
These days? These days I just want the ESP to suppress my address and make the mail stop. Even better would be suppressing the address from their entire customer base – the only addresses I send in complaints for these days are traps.
Sadly, there are ESPs out there that can’t manage to stop customers from spamming people who have reported the spam. But, I am forever the optimist and keep sending the complaints when I think someone will care.

Read More

Handling SNDS requests

I’ve been working with a new client on getting them signed up for FBLs, whitelists and other sorts of monitoring. One of the places I recommended to them was signing up for the Hotmail Smart Network Data Services (SNDS) program. It’s been a while since I’ve gone through the process, so I decided to sign up our network space to give up-to-date instructions to clients.
As part of the process, Microsoft confirms the request with the network owner. This is smart, it prevents the wrong people from getting access to delivery data. They use public records (ARIN and IP Whois data) to figure out the “network owner” and send an email to that person. In my case, the mail was sent to a role account at Hurricane Electric (he.net).
I asked for access, filling in “this is Laura from Word to the Wise and I am looking for access to our space.” The email address in the request was my @hotmail.com address. A few minutes later I checked my inbox to find an email from he.net.

Read More

About the @ sign

The @ sign is ubiquitous online. We use it and we don’t think about it. But the history of the @ sign is more complicated than we realize.

Read More

URIBL having a bad day

Multiple lists have been discussing DNS failures for URIBL.com over the last few hours. This is causing some serious mail problems for folks, both on the inbound and the outbound.
URIBL has a note on their home page (which is unreachable for some folks).

Read More

Salesforce buying Exacttarget

Reports today say that Salesforce is buying Exacttarget for around 2.5 billion dollars.

Read More

Gmail's new inbox tabs. News at 11.

Yesterday Gmail announced a change to their UI. This new UI lets users configure tabs in their inbox for different sorts of email. This change has greatly upset some marketers. Yesterday I heard it described as war on marketers, as a conspiracy to stop all email marketing and as a horrible injustice to legitimate marketers. I even saw a few people call for an organized boycott of Google AdWords.
While I do appreciate many of us don’t like change, I can’t quite jump on the histrionic bandwagon. This change isn’t Google declaring war on marketers. Google is, at the end of the day, a marketing company. They live and die by marketing dollars. And before you ask, I don’t really think email marketers can organize a boycott that actually has any real impact on Google’s bottom line and causes them to change their interface.
There are a lot of reasons I don’t think this is the actual end of the world and that marketers should just take a deep breath and chill.
The tabbed interface is really just Priority Inbox v. 2. Priority inbox was rolled out a few years ago and there was quite a bit of noise about how that was going to make email marketing more difficult. While getting email to the inbox at Gmail is a challenge for many marketers, I don’t think Priority Inbox is the underlying reason. I think Gmail has gotten a lot stricter on filters, particularly content filters thus making it harder for borderline mail to get to the inbox instead of the bulk folder.
The tabbed interface is just another way of organizing mail in the inbox. Mail is not moved to any different folders, it’s still in the inbox. Users can enable or disable the settings as they desire and all of the mail stays in their inbox.
The interface is not on by default. Users have to actually go in and turn on the setting. For users who don’t set up filters anyway, it’s unlikely they’re going to take advantage of the tabs. I did take a look at the configuration settings. Gmail tries to make it clear what kinds of mails will end up in what tabs by telling you what From: addresses currently in your inbox will end up in a tab if you enable it.
Overall, I don’t think this is really going to cause horrible repercussions to email marketers. In fact, this does seem to offer some benefit to email marketers that use consistent branding. According to Mickey Chandler at Exacttarget, the interface “not only display[s] the number of new emails in the tab, but [also displays the] names of the brands whose mails are in that tab.” This is a good thing for marketers, who now have the chance to get their name in the inbox interface.
One thing I did notice, too, was that when I enabled tabs, Gmail presented me with more advertising in the “promotions” tab and provided no advertising in any other tabs.

Read More

Michele Bachmann Announces She's Done

U.S. Representative Michele Bachmann (R-Minnesota) announced today that she’s not going to seek re-election in 2014.
Last time around, the race between her and Minnesota businessman Jim Graves was very close. Mr. Graves lost by a very narrow margin. Graves had already announced his intention to take on Ms. Bachmann again next year. As the news came out on Bachmann’s decision, both camps made it clear that they think their person would have won the rematch. Just yesterday, Minnesota Public Radio explained that Graves seemed to be facing “an uphill battle vs. Bachmann.” At the same time, recent polling by the Graves campaign showed him slightly ahead of Bachmann. The race certainly would have been very close, but it was looking to be a scenario much like last time around, which, at the end of the day, Ms. Bachmann did end up winning.
So if she’s got at least a fair shake at winning, why wouldn’t she take it all the way? Well, that’s what brings us to why I’m writing about this here. It seems that Bachmann’s failed 2012 presidential campaign was accused of stealing the email list of Network of Iowa Christian Home Educators (NICHE) back in 2011. In a bit of an attempt to re-write history, they later came to an after-the-fact settlement to label the action a “rental” and NICHE received a $2,000 payment from the Bachmann campaign.
And that’s just one of multiple ethics issues Minnesota’s face of the Tea Party is facing. In March, her attorney confirmed that Bachmann is under investigation by the Office of Congressional Ethics for alleged misuse of campaign funds. One of her own 2012 presidential campaign staffers, Peter Waldron, filed a complaint that Ms. Bachmann’s campaign improperly used leadership PAC funds to pay campaign staff. There were further allegations regarding payment of staffers and attempting to require exiting staffers to sign non-disclosure agreements prohibiting them from talking to police or attorneys. And the FBI is now said to be involved.
I’ve consulted for multiple email service providers who have told me how challenging it can be to work with political senders. At least one ESP prohibits this kind of mail outright, out of frustration with candidates regularly playing fast and loose with permission. PACs, parties, candidates and other groups seem to buy, sell or trade lists constantly, and as a result, spam complaints and blocking would often follow. Thus, it doesn’t surprise me to see Ms. Bachmann’s campaign engaging in something email list-related that they probably thought was just common usage, when the rest of us in the email community would find that use unwelcome and unethical. (And it’s not just her party guilty of this kind of thing.)

Read More

Can I join…

On a post from earlier this week, John asks about joining the blocklist doc I mentioned. This is actually a document coming out of M3AAWG and you must be a member of M3AAWG to participate. If you are a member, you can log into the website and join the working group.
This document will be made available to the public once the membership and the board approves it.

Read More

Thanks, Al

A giant, very public thank you to Al for volunteering to mind the blog while Steve and I made an emergency trip to the UK. There was once or twice I noticed something that I thought “I should take a second and blog about this” only to discover Al was way ahead of me and had already posted it.
Both of us picked up some sort of ugly cold while we were there so it will be a couple days before blogging will be back to normal here.

Read More

Auto-opt-in?

Bronto’s Chris Kolbenschlag frames the discussion well: He purchased from an online retailer, they assumed he wanted to receive followup emails, and thus, those emails did eventually commence.
This is something I’ve had a lot of experience with. Working for an e-commerce service provider from late 2000 through mid 2006, I was the guy setting permission policy, dealing with spam complaints and advising on deliverability issues, primarily regarding email lists built over time from online store purchasers. There was an opt-in checkbox on the platform’s checkout pages, and it was up to the client as to whether or not it was pre-checked (“opted-in”) by default. Most clients pre-checked it by default.
My experience was, from a deliverability perspective, this kind of auto opt-in didn’t really present issues. People didn’t tend to forge addresses when purchasing, and people tended not to report mail as spam when it’s coming from somebody they just did business with.
I’m not saying it’s the wisest way to do things, by any means. If you have any other deliverability challenges at all, this kind of thing could likely add to them. And is it the most consumer friendly way to run things? I don’t think so. In my humble opinion, it’s always better to wait for the consumer to sign up on their own. But I’m not one of those aggressive marketer types.
And of course, the laws governing email permission vary by locale.

Read More

The FBI in my Inbox?

It’s alarming to read that, depending on whom you believe, the FBI feels it has the legal right to access your email messages without having to obtain a search warrant. I know I don’t have anything particularly damning in my personal email account, but it’s the principle of the matter that’s the problem. (And consider errors and leaks. Nothing in my email inbox is going to send me to jail, but it could contain many other things of a sensitive nature. Financial information. Industry dialog. Customer communication. Et cetera. Keeping that out of anybody else’s possession is the best way to keep anything from leaking or being misused.)
The bummer is that there doesn’t seem to be any way for the average joe user like you or me to do anything about it. According to that Marketwatch article, you could download all your email messages to your hard drive (clunky), encrypt emails when sending them (even more clunky), or move to an “off shore” email service (which simply exchanges one privacy concern for another).
The only bit of good news is that at least in the four states of the Sixth Circuit (Kentucky, Michigan, Ohio, Tennessee), the Warshak ruling prohibits the FBI from obtaining email messages without a warrant. The bad news is, that seems to apply only to those four states.

Read More

Get ready for SMiShing?

I received my first phishing attempt via text message today. Apparently that’s called SMiShing, and it’s a thing. Sadly, I’m too busy to have the guy follow up with his promised phone call to try to get my Gmail password from me, but I did take a moment and report it to 7726, just in case that’ll do good to help protect somebody else in the future.
Also, apparently I have a G-Email account. Is that the kind of email account you get from the company who used to own NBC?
 

Read More

Image Hosting on a Different Domain?

Fridays are a busy day in the land of deliverability, so I don’t have a lot of time to come up with a specific post for today. But, I thought this might interest folks here — the other day, a client asked me about using CDNs (content delivery networks) to host HTML email content, and I blogged up a quick reply over on my work blog.
(It’s true! Fridays are the new Mondays.)

Read More

Spams, Scams, and Senders

Over on the Magill Report, Stephanie Colleton from Return Path shares her thoughts on how to tell whether or not an email message is legitimate.
Let’s add to that some more thoughts from Return Path’s Lauren Soares.
Then let’s add to that some of my own thoughts specifically for email senders.
Every company sending email today ought to:

Read More

Pump-and-dump Spam is Back!

Commtouch’s latest “Internet Threats Trend Report” suggests that penny stock spam has returned:

Read More

AOL Updates Spam Filtering

Over on the AOL Postmaster blog, Lili Crowley announced yesterday that AOL has made changes to their spam filtering system. Specifically, more senders may be subject to blocking with CON:B1 errors. AOL’s website explains that CON:B1 errors indicate that an IP address is being blocked “due to a spike in unfavorable e-mail statistics.” This strongly suggests that a sender blocked with a CON:B1 error message has a negative sending reputation. This is yet another data point as to how ISPs have been tightening up spam filtering and reputation requirements over the past few years. What you might have been able to deliver five years ago, you might not be able to get delivered today.

Read More

SMS Spam is Down?

Cloudmark says, yes, SMS gift card spam is down, thanks to recent action taken by the Federal Trade Commission. Read more over on PC World. I’m very glad to see this. I ended up on the list of one of those spammers and they were driving me nuts. Thank goodness for Google Voice’s report spam functionality.
What can you do to stop SMS spam? If you use Google Voice, and the SMS messages are coming to your Google Voice number, just report it as spam inside of the GV interface. If it’s coming directly to your cell number, not via GV, then you can forward the message to 7726 (SPAM). It’s a clunky, multi-step process, however. And does it actually result in anything happening? Hard to say. I don’t yet have any proof that SMS spam reports to a provider are quick to result in blocking, as is the case with email spam. I suspect it still can’t hurt to report SMS spam, though. The more reports, the more likely a provider will be driven to take action.
 

Read More

Palau: Spam Haven? No, but…

Over on his blog, John Levine offers up a review of the history of the .PW TLD (top-level domain). The context: Recently relaunched, .PW has perhaps immediately become a spam haven. John mentions that at least one receiver is already treating mail referencing .PW as “block on sight.” Incidentally, John’s not the only friend of mine complaining about a recent uptick of spam referencing the .PW TLD.
Based on what I’ve heard so far, my guess is that more, widespread blocking of mail referencing .PW domains seems likely.
Deja vu? It feels like .biz all over again.
May 6, 2013 update: John Levine adds, “I don’t think I’ll be unblocking mail from .PW anytime soon.”

Read More

Temporary Hiatus

Had a family emergency so the blog will be on hiatus for a couple weeks.

Read More

SNDS is back

For years now, Microsoft has maintained Smart Network Data Services (SNDS) for anyone sending mail to Hotmail/Outlook/Live.com. This is a great way for anyone responsible for an IP sending mail to hotmail to monitor what traffic Hotmail is seeing from that IP address.
This morning I got up to a number of people complaining that logins were failing on the website and the API was down. I contacted the person behind SNDS and they confirmed there was a problem and they were fixing it.
Sometime this afternoon it was possible to log in to the SNDS interface again, so it looks like they did fix it.
A bit of a warning, though, don’t expect to see any of the data from the last few days. There seems to be something with SNDS that means that when the service is down data isn’t collected or available. In the past when there have been problems, older data was not populated when the service came back.

Read More

If you want to spam, don't be stupid

Some random UK email marketing company that I’ve never heard of harvested my address off of LinkedIn (yes, it’s my LinkedIn specific address) and is now spamming me advertising their cheap email marketing services. There were a lot of things about this particular mail that really annoyed me. The annoyance wasn’t just spam in a folder that shouldn’t have spam, it’s that the spam itself was badly done.
The thing is, they could have done this in a way that didn’t annoy me enough to blog about them being spammers. A teeny, tiny amount of effort and an ounce of empathy for their recipients and I wouldn’t have anything to blog about today.
If you want to spam, don’t be stupid. How can you avoid being stupid?
1) Send only one email and make it clear in the message this is a one time (or limited time) email. Don’t just randomly harvest addresses off a website, like Submission Technology did today, and add all those addresses to your marketing list. Spam is an interruption and an annoyance. And if spammers had any sense they’d limit the amount of time they spent annoying and interrupting recipients.
2) Target your email correctly and don’t be lazy. This morning’s mail from Submission Technology was advertising their UK specific marketing programs. They have my LinkedIn profile, they know I’m on the other side of the US from the UK.
3) Don’t lie about where you got my name. In this case, I know Submission Technology harvested it off LinkedIn because that’s the address they are sending it to. And, in fact, in the email they sent they mention they are sending this to me because we’re connected on LinkedIn. The problem is, I can find no trace of a connection between us on LinkedIn. And, yes, I did look because I generally drop connections that add me to their mailing lists.
One part of my anger at this particular spam is that they’ve appropriated a tagged email address of mine and added it to their marketing lists. That’s breaking my filtering.
After doing a little research into their company and their practices, though, I have to wonder if they’re going to sell my address. It seems that Submission Technology sells addresses to their customers, among other product offerings. Is this address that I’ve dedicated to handling LinkedIn specific emails really now going to end up getting spam from UK companies?
Based on multiple online reports (Andy Merrett and Ben Park) it doesn’t even look like unsubscribing will be sufficient to get this mail to stop.
One of the most amusing links that showed up was a comment on a post here from 2008. It seems that they spammed Steve Linford and were SBLed for it. I’m only guessing that since they’re not still listed they’ve figured out how to suppress Steve’s address at least.
Sending unsolicited email can be a problem for bulk senders; you risk alienating your potential customers, getting blocked and developing a poor reputation. Some of those problems can be mitigated by not being stupid.

Read More

Password security

Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security?
If you haven’t heard, someone managed to compromise the Associated Press’ twitter account today. Not only was the account compromised, but they put out a fake tweet claiming that there were explosions at the White House and President Obama was injured.
A funny prank? Maybe. But tweets like this have a real world effect. For instance, the stock market plunged 140 points after the initial reports, rebounding when people realized it wasn’t true.
It’s not clear how the AP twitter password was compromised. There are many possibilities including classic social engineering through to compromised machines inside AP with password sniffers on them.
The lesson here is that we’re all targets, even ‘soft’ seeming targets like social media accounts. Practice safe computing.

Read More

Evaluating usability at an ESP

Clients and random people often ask me to recommend an ESP based on “the best delivery.” I usually point out that most of the reputable ESPs are similar in terms of their delivery. There aren’t many widely used reputation services that block based on ESPs unless there is a long term and ongoing problem from the ESP.
This is even more true when the ESP uses dedicated IPs for customers. ESPs that use shared IPs can have poor delivery if they don’t effectively police customers and lower the reputation of all their IP addresses.
My normal comment about ESPs is to find a price point and feature set that meets the client’s needs. Clickmail has a good post about how to evaluate an ESP for usability.

Read More

Social media the Home Depot way

I’ve been following Richard the Cat on Twitter for a while. It’s the story of a family and their trials and tribulations with their yard as told by their cat.
The twitter feed (and Richard’s tumblr) are a product of the Home Depot marketing department. And it’s great. Richard has awesome comments on his humans and their struggle to create a happy yard. The tweets are low key and not overly home depot branded, but every Richard tweet I see, I think about the yard and things we might need from Home Depot.
And, of course, who on the internet doesn’t love a cat meme?
To my mind this is one of the better examples of brand social media. There is a theme. The tweets and tumblr do remind followers of the brand – Richard is an orange cat after all. The process is participatory, followers can upload cat photos on the Tumblr and tweet with Richard on Twitter.
Social media is social; a two way street. A lot of brands fail with the social part in that they treat it as a one way street. Home Depot doesn’t do that with Richard.

Read More

Confirmation is too hard…

One of the biggest arguments against confirmation is that it’s too hard and that there is too much drop off from subscribers. In other words, recipients don’t want to confirm because it’s too much work on their part.
I don’t actually think it’s too much work for recipients. In fact, when a sender has something the recipient wants then they will confirm.
A couple years ago I was troubleshooting a problem. One of my client’s customers was seeing a huge percentage of 550 errors and I was tasked with finding out what they were doing. The first step was identifying the source of the email addresses. Turns out the customer was a Facebook app developer and all the addresses (so he told me) were from users who had installed his apps on Facebook. I did my own tests and couldn’t install any applications without confirming my email address.
Every Facebook user that has installed an application has clicked on an email to confirm they can receive email at the address they supplied Facebook. There are over 1 billion users on Facebook.
Clicking a link isn’t too hard for people who want your content. I hear naysayers who talk about “too hard” and “too much drop off” but what they’re really saying is “what I’m doing isn’t compelling enough for users to go find the confirmation email.”
This isn’t to say everyone who has a high drop off of confirmations is sending poor content. There are some senders that have a lot of fake, poor or otherwise fraudulent addresses entered into their forms. In many cases this is the driving factor for them using COI: to stop people from using their email to harass third parties. Using COI in these cases is a matter of self protection. If they didn’t use COI, they’d have a lot of complaints, traps and delivery problems.
The next time you hear confirmation is too hard, remember that over 1 billion people, including grandparents and the technologically challenged, managed to click that link to confirm their Facebook account. Sure, they wanted what Facebook was offering, but that just tells us that if they want it bad enough they’ll figure out how to confirm.
HT: Spamresource

Read More

Images at Yahoo

For a while, Yahoo was giving preferential “images always on” treatment to Return Path Certified senders. The tricky part of this was the senders had to register a DKIM selector key with Yahoo. I had a lot of (somewhat rude) things to say about this particular design decision.
Over the last few months, a number of senders have complained about being unable to update their selector keys with Yahoo. (Insert more rude comments about how broken it is to use the selector as a part of reputation.) Around the same time, a few of us have noticed that Yahoo seems to be turning on a lot of images by default. A few of the ESP delivery folks collaborated with me on checking into this. They could confirm that images were on by default for some of their customers without certification and without selector key registration.
Earlier this week, Return Path sent out an email to users that said that Yahoo would no longer be turning images on by default for Return Path Certified IPs.

Read More

Don't leave that money sitting there

The idea of confirming permission to send mail to an email address gets a lot of bad press among many marketers. It seems that every few weeks some new person decides that they’re going to write an article or a whitepaper or a blog and destroy the idea behind confirming an email address. And, of course, that triggers a bunch of people to publish rebuttal articles and blog posts.
I’m probably the first to admit that confirmed opt-in isn’t the solution to all your delivery problems. There are situations where it’s a good idea, there are times when it’s not. There are situations where you absolutely need that extra step involved and there are times when that extra step is just superfluous.
But whether a sender uses confirmed opt in or not they must do something to confirm that the email address actually belongs to their customer. It’s so easy to have data errors in email addresses that there needs to be some sort of error correction process involved.
Senders that don’t do this are leaving money on the table. They’re not taking that extra step to make sure the data they were given is correct. They don’t make any effort to draw a direct line between the email address entered into their web form or given to them at the register or used for a receipt, and their actual customer.
It does happen, it happens enough to make the non-tech press. Consumerist has multiple articles a month on some email address holder that can’t get a giant company to stop mailing them information about someone else’s account.
Just this week, the New Yorker published an article about a long abandoned gmail address that received over 4000 “legitimate” commercial and transactional emails.

Read More

4 things the new outlook ads tell us about email

Microsoft has a new TV ad showing how trivial it is to remove unwanted email from the inbox. Various busy people use the “sweep” and “delete” functions to clean up mail. The commercial even has a segment counting up the hundreds of emails deleted.
This tells me a few things.

Read More

Goodbye Mr. Ebert

The Chicago Sun Times announced earlier today that Roger Ebert passed away today. Mr. Ebert was a legendary film critic, who hosted multiple shows over the last few decades.
His influence wasn’t just in the film arena, though. Mr. Ebert was an active participant online. In fact it was Roger Ebert, in 1996 at the Conference of World Affairs in Boulder, Colorado, who coined “The Boulder Pledge.”

Read More

Marketo files for IPO

Marketo filed documents for a $75M IPO yesterday.

Read More

Maybe the sky is only falling a little bit

There was quite a bit of breathless reporting last week about the DoS against Spamhaus and how it was large enough to break the Internet. As the postmortem has gone on, a few things are becoming clear.

Read More

Post-mortem on the Spamhaus DOS

There’s been a ton of press over the last week on the denial of service attack on Spamhaus. A lot of it has been overly excited and exaggerated, probably in an effort to generate clicks and ad revenue at the relevant websites. But we’re starting to see the security and network experts talk about the attack, its effects and what it tells us about future attacks.
I posted an analysis from the ISC yesterday. They had some useful information about the attack and about what everyone should be doing to stop from contributing to future attacks (close your open DNS resolver). The nice thing about this article is that it looked at the attack from the point of view of network health and security.
Today another article was published in TechWeekEurope that said many of the same things that the ISC article did about the size and impact of the attacks.
What’s the takeaway from this?

Read More

Internet Storm Center on the Spamhaus DOS

The Internet Storm Center (ISC) has a blog post up discussing the DOS attack against Spamhaus. They do confirm they saw traffic approaching 300Gbps against Spamhaus. They also point out that most people probably never knew.

Read More

More on the attack against Spamhaus and how you can help

While much of the attack against Spamhaus has been mitigated and their services and websites are currently up, the attack is still ongoing. This is the biggest denial of service attack in history, with as much as 300 gigabits per second hitting Spamhaus servers and their upstream links.
This traffic is so massive that it’s actually affecting the Internet, and web surfers in some parts of the world are seeing network slowdowns because of it.
While I know that some of you may be cheering at the idea that Spamhaus is “paying” for their actions, this does not put you on the side of the good. Spamhaus’ actions are legal. The actions of the attackers are clearly illegal. Not only is the attack itself illegal, but many of the sites hosted by the purported source of the attacks provide criminal services.
By cheering for and supporting the attackers, you are supporting criminals.
Anyone who thinks that an appropriate response to a Spamhaus listing is an attack on the very structure of the Internet is one of the bad guys.
You can help, though. This attack is due to open DNS resolvers which are reflecting and amplifying traffic from the attackers. Talk to your IT group. Make sure your resolvers aren’t open and if they are, get them closed. The Open Resolver Project published its list of open resolvers in an effort to shut them down.
Here are some resources for the technical folks.
Open Resolver Project
Closing your resolver by Team Cymru
BCP 38 from the IETF
Ratelimiting DNS
News Articles (some linked above, some coming out after I posted this)
NY Times
BBC News
Cloudflare update
Spamhaus dDOS grows to Internet Threatening Size
Cyber-attack on Spamhaus slows down the internet
Cyberattack on anti-spam group Spamhaus has ripple effects
Biggest DDoS Attack Ever Hits Internet
Spamhaus accuses Cyberbunker of massive cyberattack

Read More

Some content is just bad; but it doesn't have to be

There are a few segments in the marketing industry that seem to acquire senders with bad mailing practices. Nutraceuticals, male performance enhancing drugs, short term or payday loans and gambling have a lot of senders that treat permission as optional. The content and the industry themselves have garnered a bad reputation.
This makes these industries extremely difficult for mailers who actually have permission to send that content to their recipients. Working with this kind of sender, sometimes it seems impossible to get mail delivered to the inbox, no matter what the level of permission. Even when it’s double confirmed opt-in with a cherry on top, all the care in the world with permission isn’t enough to get inbox delivery.
This doesn’t have to be the case. Look at the porn industry. Early on in the email marketing arena there was a lot of unsolicited image porn. A Lot. So much that complaints by recipients drove many ISPs to disable image loading by default. The legitimate porn companies, though, decided unsolicited image porn was bad for the industry as a whole. Porn marketers and mailers adopted fairly strong permission and email address verification standards.
It was important for the porn marketers that they be able to prove that the person they were mailing actually requested the email. The porn marketers took permission seriously and very few companies actually send photographic porn spam these days. Even the “Russian girls” spam doesn’t have not safe for work images any longer.
Because of their focus on permission, in some cases revolving around age of consent in various jurisdictions, the porn industry as a whole is not looked at as “a bunch of spammers.” Porn content isn’t treated as harshly as “your[sic] pre-approved for a wire transfer” or “best quality drugs shipped overnight.”
Just having offensive content isn’t going to get you blocked. But having content that is shared by many other companies who don’t care about permission, will cause delivery headache after delivery headache. This is true even when you are the One Clean Sender in the bunch.
 

Read More

Spamhaus answers questions

Lost in all of the DOS attack news this week is the first installment of Spamhaus answering questions from marketers in Ken Magill’s newsletter.
It’s well worth a read for anyone who is interested in hearing directly from Spamhaus.
One quote stood out for me, and it really sums up how I try to work with clients and their email programs.

Read More

dDOS spreads to the CBL

Spamhaus has mostly mitigated the dDOS against the Spamhaus website and mailserver, but now the CBL is under attack. They have been working to get that under protection as well, but it’s taking some time.
Right now there are no public channels for delisting from the CBL. The Spamhaus Blog will be updated as things change, and I’ll try and keep things updated here as well.
UPDATE: Cloudflare talks about the scope of the attack

Read More

Spamhaus under major dDOS

Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver are currently offline.
DNS services, including rsync and the mirrors, are up and running.
Spamhaus is working to bring the mailserver and website back up, and is hoping to have them up later today.
If there are any critical or particularly urgent SBL issues today, contact your ESP delivery team. The folks who were contacted do have an email address for urgent issues. This is not an address for routine queries, however, and most listees are going to have to wait until normal services are restored to have their listing addressed.
If there is something particularly urgent and your ESP or delivery team does not have a contact address, you can contact me and I can see what I can do.
UPDATE: Most of the IPs people have sent me are actually XBL/CBL listings. But right now the CBL webserver is responding slowly due to the DOS.
If you want to look up a listing without using the Spamhaus website you can use the “host” or “dig” command line tools. To do this, reverse the order of the octets in the IP address and append zen.spamhaus.org to the end.
So for the IP 10.11.12.13 you would query 13.12.11.10.zen.spamhaus.org

Read More

Hear me talk about improving delivery

Tom Sather (ReturnPath) and I will be speaking on Thursday at a webinar hosted by the Association of Business and Media Companies.
How to Boost Email Marketing Response Rates

Read More

Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.
Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes
I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business

Read More

Questions about Spamhaus

I have gotten a lot of questions about Spamhaus since I’ve been talking about them on the blog and on various mailing lists. Those questions can be condensed and summed up into a single thought.

Read More

Spamhaus Speaks

There’s been a lot of discussion about Spamhaus, spam traps, and blocking. Today, Spamhaus rep Denny Watson posted on the Spamhaus blog about some of the recent large retailer listings. He provides us with some very useful information about how Spamhaus works, and gives 3 case studies of recent listings specifically for transactional messages to traps.
The whole thing is well worth a read, and I strongly encourage you to check it out.
There are a couple things mentioned in the blog that I think deserve some special attention, though.
Not all spam traps actually accept mail. In fact, in all of the 3 case studies, mail was rejected during the SMTP transaction. This did not stop the senders from continuing to attempt to mail to that address, though. I’ve heard over and over again from senders that the “problem” is that spamtrap addresses actually accept mail. If they would just bounce the messages then there would be no problem. This is clearly untrue when we actually look at the data. All of the companies mentioned are large brick and mortar retailers in the Fortune 200. These are not small or dumb outfits. Still, they have massive problems in their mail programs that mean they continue to send to addresses that bounce and have always bounced.
Listings require multiple hits and ongoing evidence of problems. None of the retailers mentioned in the case studies had a single trap hit. No, they had ongoing and repeated trap hits even after mail was rejected. Another thing senders tell me is that it’s unfair that they’re listed because of “one mistake” or “one trap hit.” The reality is a little different, though. These retailers are listed because they have horrible data hygiene and continually mail to addresses that simply don’t exist. If these retailers were to do one-and-out or even three-and-out then they wouldn’t be listed on the SBL. Denny even says that in the blog post.

Read More

Filtering is not just about spam

A lot of filters started out just as filters against spam. But over the years they’ve morphed into more general blocks against dangerous or problematic email. There’s a lot of crime and bad behavior on the internet, much of it using email as a conduit or vector. Filtering is so much more than stopping spam now. It’s as much, or more, about stopping crime.
Email filters are essential to protect us from scammers. Sometimes I forget this, and then I read about a grandmother getting swindled by a Nigerian scammer and ending up dead.
There are real consequences to poor filtering and there is real crime facilitated by email. It’s easy to forget this as we deal with the email that gets caught in filters when they shouldn’t.
Filters are one of the first lines of defense against online crime.
Not only do filters stop crime, but they also keep email working. An unfiltered mail stream is an ugly, unreadable, unworkable mess.

Read More

NJABL blocklist closed for good

The NJABL blocklist has shut down for good. The zone files are empty and are expected to stay that way for a while.
Anyone using NJABL, either for yes/no delivery decisions or as part of a scoring system, should remove that blocklist from their setup.

Read More

Censoring email

It seems some mail to Apple’s iCloud has been caught in filters. Apparently, a few months ago someone sent a script to an iCloud user that contained the phrase “barely legal teen” and Apple’s filters ate it.
The amount of hysteria that I’ve seen in some places about this, though, seems excessive. One of my favorite quotes was from MacWorld and just tells me that many of the people reporting on filtering have no idea how filters really work.

Read More

Opting customers in to new programs

Recently, I started getting “1 sale a day!” emails from buy.com. I’ve made purchases from Buy in the past and generally have been content to get emails from them. They’re not always relevant, but hey, it’s relatively non-intrusive marketing.
When they started this new program, they just started mailing: no warning, no introduction, nothing. So I decided to opt out of this mail.
Buy.com has a preference center, and while I was there, I opted out of all email marketing. Why? Because a company that is going to randomly add me to new (daily!) marketing lists is a company I don’t trust any more.
A lot of folks have complained about Amazon doing the same thing. Amazon started a daily deals program and opted in a lot of people without warning, without introduction and without permission.
I get why companies do this. It’s a lot easier to ask for forgiveness than permission. It lets them sell things to people who might never opt-in to that program. And in many areas of direct marketing, consumers have no rights to make the marketing stop. They have no tools to make the marketing stop.
Email is different from many direct marketing channels, though. Many consumers have the tools to make mail stop (filters, this is spam buttons, changing their email address completely) and they do take advantage of them.
Given a marketer’s job is to extract as much revenue from customers as possible, they can’t respect recipients. They have to treat them as money dispensing machines. But at least in email recipients have some ability to opt-out of the transactions.

Read More

Earthlink opens up FBL

Earlier this week I was at MAAWG and one of the Earthlink postmaster folks stopped me to tell me that Earthlink was now accepting non-ISP applications to their Feedback Loop.
In order to apply for the Earthlink FBL send an email to fblrequest@abuse.earthlink.net with the IP addresses and the FBL email address.

Read More

Fast and loose

Politicians often play fast and loose with permission and data. This can cause them all sorts of problems with email delivery at major ISPs. I really expect that politicians buy, sell, transfer, spindle, mutilate and fold data. If they can use it to further their goals, they will. And, many of the consumer protection and privacy laws don’t apply to political groups.
The news that Representative Bachmann may have known that some of her mailing list was taken and used by others is a surprise even to me. I talked with a few ESP reps, though, and they told me that this was mostly par for the course and that they often have a lot of delivery and compliance issues with their political clients. Many have had to suspend or terminate political clients, and a couple people mentioned SBL listings.
This isn’t a problem with just one side of the political spectrum, it seems endemic in how the game is played.
 
 

Read More

Happy Valentines Day

From our friends at Mashable, Buzzword Valentines.
My favorite

Read More

Spamming to hide fraud

There was an interesting article at NetworkWorld last month describing spam bombs sent to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.

Read More

The challenge of Gmail

A lot of my sales inquiries recently are about getting good inbox delivery at Gmail. I’ve mentioned before, I can usually tell when an ISP changes things because they suddenly become the subject of a great many phone calls.
In this case, Gmail seems to have turned up their engagement filters and is sending a lot more mail to the bulk folder. I have also noticed other people are blogging about Gmail delivery problems. Al eventually determined that it was mailings sent from other IPs that were degrading the delivery of his customer’s emails.
Gmail, more than the other major ISPs, seems to not be weighting IP reputation very heavily these days. They’re looking at domain reputation and they’re using all mentions of a domain in that reputation. A lot of senders, some of them spammers, segregate their email streams (acquisition, marketing, transactional) across IP addresses in order to stop poorly performing mails from harming delivery of other emails they’re sending. But Gmail’s current filtering scheme seems designed to focus on domain reputation and minimize the impact of IP reputation.
This is making the Gmail inbox tough to reach for a lot of mailers these days. Even in cases where the mailer isn’t hiring affiliates or actively partitioning mail, if a domain is seen frequently in spam then delivery for that whole domain is hurting. Signing with DKIM and publishing a DMARC record may help. But the reality right now is that there doesn’t seem to be a silver bullet into the Gmail inbox.

Read More

New player in the DMARC space

Over on the DMARC-Discuss list, Comcast announced they had turned on DMARC validation and companies that publish DMARC records should start receiving reports from Comcast.

Read More

A Spam Blast from the Past

A couple of days ago an ex-employee of Opt-In Inc. was kind enough to do a Reddit AMA answering questions about their experience working with Steve Hardigree in the “legitimate” email marketing industry, back in the early 2000s.
The whole thing is worth a read, but I thought I’d share some of his more interesting answers here.
Everyone knows everyone

Read More

Address leak leads to phishing

A number of people in the industry are reporting getting phishing emails to addresses they used at DocuSign.
There were initial reports of a DocuSign data breach back in December. Now it appears DocuSign is being used as a phishing target.

Read More

How difficult is it to get on whitelists?

Today’s question comes from Leslie J.

Just how difficult is it for a small business that runs a highly compliant mailing system to find their way onto whitelists at the big freemail/spam filter providers?
It seems utterly impossible meaning man hours are completely wasted messing around with subjects and content when if the same business sends the very same message through any number of well known ESPs, the message will hit the inbox like the Mafia are in charge of the shooting match.

Read More

Email verification – what are we verifying

One of the ongoing discussions in the email space is the one about address verification. Multiple companies have sprung up to do “real time” email address verification. They ensure that addresses collected at the point of sale are valid.
But what does valid mean? In most of these contexts, valid means that the addresses don’t bounce and aren’t spam traps. And that is one part of validating email addresses.
That isn’t the only part, though. In my opinion, an even more important thing to validate is that the email address belongs to the person giving it to you. The Consumerist has had an ongoing series of articles discussing people getting mis-directed email from various companies.
Today the culprit is AT&T, who are sending a lot of personal information to an email address of someone totally unconnected to that account. There are a lot of big problems with this, and it’s not just in the realm of email delivery.
The biggest problem, as I see it, is that AT&T is exposing personally identifiable information (PII) to third parties. What’s even worse, though, is that AT&T has no process in place for the recipient to correct the issue. Even when notified of the problem, support can’t do anything to fix the problem.

Read More

Does CAN SPAM require multiple opt-outs on emails?

Today’s Wednesday question comes from M. B.

My company sometimes sends mail to our list on behalf of 3rd parties. A recent 3rd party told us that CAN SPAM requires the email contain their opt-out link as well as ours. Is this correct?

Read More

Looking for questions

After a brief hiatus, I’d like to bring back the Wednesday question series. I have a few questions from before the hiatus that I’ll be answering over the next few weeks. But I’d like a few more to answer.
So bring on your questions. Send them to me at Jan15@contact.wordtothewise.com, tweet them to me @wise_laura or drop them here in the comments.
 

Read More

Long posts and little time to write them

It seems I’ve hit the wall on short and easy blog posts to write recently. There’s a lot I want to talk about like the recent changes at Spamhaus, filtering in the upcoming year and where I see the industry going, some thoughts on DKIM and how folks are using it. All of these things, though, will take some focused writing time. And right now most of my focused writing time is spent on customer work.
I don’t even have time to read other blogs to comment on things folks are saying.
So blogging is likely to be light over the next few weeks, although I’m going to try very hard to get posts up 3 times a week.
 

Read More

More on the Yahoo exploit

Exacttarget’s Carlo Catajan talks about the Yahoo exploit. My own mailbox seems to indicate this hole is closed.

Read More

Links for 1/7

Chris K. at Bronto blogs about in-store address collection and delivery issues. Chris is right, the Spamhaus issue isn’t going away any time soon. And companies collecting addresses in store / at point of sale really need to figure out how to make sure that their data capture is accurate. That means addressing everything from customers giving the wrong address to typos and other transcription errors.
Gene M. at Forbes asks “Is Constant Contact the Best E-Mail Marketing Service?” I’m not sure Constant Contact is the best, but it’s nice to see that some people do realize that the occasional compliance incident just means that the ISP is actually monitoring things.
Matt B from Return Path posts his predictions for the new year. While I don’t always do predictions, I agree with all of his.
The Next Web says that Yahoo users are being compromised by an XSS exploit. I have noticed a lot more virus from Yahoo users over the last 2 days, including one person who said their account was broken into while she was on the ski slopes. It may not be exactly an XSS hack, but something is broken at Yahoo and the spammers seem to be somehow getting around Yahoo’s outbound filters.

Read More

Hotmail issues

A number of people, both at ESPs and on the mailops mailing list, are reporting problems at Hotmail. The most common reports are senders getting

Read More

Winding down for the holidays

I’m frantically trying to get a couple client projects finished before next week so blogging will probably be light until the New Year.

Read More

Phones part of SMS botnet

Spammers have been moving into the phone market for a long time. Just recently security firms have discovered an Android botnet. This botnet sends viruses over SMS, and when a link in the SMS is clicked, the phone is infected with the virus which then sends more SMS.
The technology for blocking and reporting SMS spam is comparable to email blocking technology 10 or 12 years ago. There just aren’t many tools for people to use to control this spam. M3AAWG is addressing mobile spam, but it still seems that the volumes are increasing without much recourse. Even the 7726 reporting number doesn’t seem to stop the spam (nor remove per-text charges).
At least in the beginning of the email spam problem, we didn’t have botnets. Now, at the beginning of the curve for SMS spam, we already have self replicating botnets. I’m afraid the good guys might be behind on this issue.
Then again I might just be cranky because SMS spammers woke us up at 4:30 am.
Infoworld article
TNW article
PCWorld article

Read More

Volume! Volume! Volume!

Saw a series of tweets this morning from random consumers about holiday marketing volume.

Read More

There is no bat phone

I don’t have much to add to Al’s post about the lack of people to call at different ISPs to get mail delivered. I will say there was a time some ISPs had staff that would deal with senders and blocking problems. But those positions have gradually been eliminated over the last 2 or 3 years. In some cases the employees left for greener pastures, in others they were subject to layoffs and budget cuts. In most cases, though, the employees were not replaced.
ISPs have moved to complex and multi-tiered spam filtering. They’ve removed the ability of most employees to actually interrupt the filtering and special case a sender. Getting mail delivered is about sending mail that recipients want. It’s not about who you know. It’s about how much recipients like your mail.

Read More

Troubleshooting tools

There have been a number of comments on my post about Hotmail moving to SPF authentication having to do with troubleshooting authentication failures. I have been helping clients troubleshoot these issues, and am able to take on new clients to solve authentication problems. Contact me for more information.
Of course, many of these issues can be solved with access to the right tools. Steve’s been working on a number of tools that may help the troubleshooting process and we’ve recently launched them on Emailstuff.org. The website itself contains a number of DNS and data related tools we use for investigations and thought we’d share with the public at large.
One of the really useful tools is the SPF record expander. Plug in any domain, like google.com, and see what IP addresses they authorize to send mail.

Read More

TWSD: Adapt to filters

This morning the new Yahoo! CEO posted about changes to Yahoo! mail. I logged into one of my Yahoo accounts to check and see if I had access to the new Yahoo! mail client yet. I don’t, but I did notice that spammers have adapted to the new Yahoo model of disabling filters in the mail folder. Most of the mail in my inbox has, at the very top of the message “Click not spam to enable links!”
My favorite has to be the animated gif of how to click “not spam.”
Spammers spend so much time and energy compensating for filters, hopping IP addresses, rotating through domains, and specially creating mail for different ISPs. I have to wonder, though, if they would waste less time by sending opt-in mail.

Read More

Confirming addresses for transactional mail

A colleague was asking about confirming transactional mail today. It seems a couple of big retailers got SBLed today for sending receipts to spamtraps. I talked a few weeks ago about why it’s important to let people unsubscribe from transactional email, and many of those same things apply to confirming receipts.

Read More

Fun with Subject lines

Courtesy of Think Geek (who have some of the best use of symbols in subject lines I’ve seen).

Read More

Hotmail moves to SPF authentication

Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records.
From an email in my inbox from September:

Read More

Data, data, elections and data

One of the interesting stories coming out of the recent US Presidential election is how much data the Obama Campaign collected about voters, volunteers and donors. Today Politico talks about how valuable that data is, and how many Democrats want to get their hands on it.

Read More

Confirming website registrations

Confirming email addresses during a website registration process is a good practice. It stops people from creating fake accounts, abusing resources and using that site as a mechanism for harassment. But simply sending out a confirmation mail is not sufficient to prevent problems, particularly when everything about the process assumes that unconfirmed registrations are actually valid and not problem accounts.
I’ve had a couple recent experiences with companies attempting to use email confirmation, but failing pretty miserably. In each case a website set up a process where a user could register an account on the site. Both sites required confirmation of the registration email addresses as part of the process. But in each case there were some major failures that resulted in non-customers getting email.
Tomorrow I’ll talk about those two specific cases. I’ll also provide specific suggestions on how not to fall into the same trap and actually send opt-in email.

Read More

For the spammer that has everything

Sales are everywhere on Black Friday, even in the spammer underground.

HT: Brian Krebs

Read More

Thanks

It’s Thanksgiving here in the US and most of us are off eating way too much food with family and friends. But that doesn’t mean I can’t take a few minutes to give thanks.
I am thankful for reasonably effective spam filters.
I am thankful for ESPs and ISPs who actually take action on complaints.
I am thankful for the unsung folks who keep email useful.
I am thankful for my readers who tell me they enjoy, even if they don’t agree with, my blog posts.
For all my US readers, enjoy your holiday. For all my non-US readers, check back Monday for more posts.

Read More

Delivery emergencies and the holidays

There is a lot of contention between ISPs and senders at the best of times. As we move into the holiday season, retailers are increasing their email marketing, sometimes quite significantly. This causes more delivery issues as recipients and MTAs react to the increased volume.
At many non retail companies, however, the pace of work slows down. There are distractions and office parties and people taking long lunches to finish their holiday shopping. Non-critical departments are not staffed for official holidays like Thanksgiving and Christmas Day.
This means that delivery issues may not be responded to as quickly as senders might like. Just this morning I got a call from someone who wants his delivery issues to be fixed by tomorrow. I’m sorry, even if I were to treat this as an emergency, there is work and investigation that needs to be done at the ISP end, and they’re not necessarily going to have a staffed delivery desk on Thanksgiving day. And even if they do have a staffed desk, it’s possible the staff won’t be focused and issues won’t be handled as fast as they might otherwise be.
I’d love to help, but there’s a limit to what I can do. Filtering decisions are made by the ISP, or their filter vendor, and sometimes they don’t happen as fast as we’d like. It’s frustrating for senders to have to deal with, but these are the realities of email delivery.

Read More

Yahoo changes

Thanks to tips by a couple blog readers and some clients, I have been looking into Yahoo disabling links in the bulk folder. It does appear Yahoo is no longer allowing users to click on links in emails that Yahoo places in the bulk folder.
In fact, some of the spam in my Yahoo mailbox even has a notice about this.

Read More

Facebook blocking spam: parallels to email filtering

Last month Dangerous Minds posted numbers that indicated their Facebook posts were reaching fewer users. They suggested that this was a conspiracy by Facebook to make more money and soak small publishers with “exorbitant” advertising fees. I didn’t pay that much attention to it. I use Facebook to communicate with friends. The only commercial entities I “like” or are “friends” with are small local businesses that I shop at.
Today, I see a tweet from Ben Chestnut that looked intriguing.

Read More

Is Spamhaus still relevant?

Today’s Wednesday question comes from a recent discussion on the Only Influencers mailing list. One of the participants asked “Is Spamhaus relevant and necessary? Are they willing to work with marketers?”

Read More

Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.

Read More

Is Google failing DKIM keys shorter than 512 bits?

Today’s Wednesday question comes from Andrew B. and got pushed to Thursday so I could check a few more facts.

Read More

Data Driven Email (and other) Marketing

The frequency of emails from the Obama campaign ended up being a talking point for pundits and late night talk show hosts. Jon Stewart of The Daily Show even asked President Obama about email directly during his October 18th interview. (Video, email question at the 5:56 mark)

Read More

How long is your DKIM key?

While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key 1024 or longer. Anything shorter and you risk having the key cracked and your mail fraudulently signed.
This morning M3AAWG published recommendations on keeping DKIM keys secure.

Read More

Marketing and storms

Never let it be said that marketers can’t take advantage of anything. In this case, there was a lot of commercial email mentioning Hurricane Sandy sent over the last few days. The emails themselves mapped into a number of broad categories.
Informational: Emails from hotels, airlines and east coast businesses keeping customers updated about their current status.  Emails from many banks also fell into this category. Generally these emails offered information about reservations, flight statuses and cancellations. In the case of banks, customers were also told about loosening of overdraft and other policies.
Sales: Some retailers used the storm as an excuse for a sale. American Apparel sent out an email advertising a 36 hour sale for residents in states on the hurricane path. This prompted some recipients to complain about the tastelessness of the advertising.
Relief efforts: A number of companies sent out emails encouraging subscribers to donate to relief efforts. In many cases these companies are located in or have employees directly affected by the storm. Some of these companies offered discounts or bonuses to people who donated to relief efforts.
Spam: Finally, I would be remiss in not pointing out that spammers and scammers come out in force after most natural disasters. Spammers took full advantage of the storm, too, and were sending out lots of mail mentioning the storm. Mailchimp dedicated a full blog post to looking at the amount of spam mentioning the storm and its impact on email delivery.
Return Path has an analysis of some of the Sandy related mailings and how they performed both between categories (although Return Path didn’t categorize them like I did) and within categories. It’s well worth a read to see how different approaches worked.
Email is a great way to communicate with people. The breadth of emails going out about or referencing the storm is a testament to that.

Read More

Storms, outages and email

There’s been quite a bit of discussion about how Hurricane (Superstorm?) Sandy has affected email delivery over the last week. There are a couple things that may affect delivery at a number of domains.
Receiving mailservers hosted in facilities that lost power or connectivity for one reason or another. Most of these issues seem to be resolved now, although a number of places are still on generator power. There are also a number of facilities where employees and customers went above and beyond the call of duty to keep those facilities running. Peer1 got a lot of press for their bucket brigade, but they’re not the only company that kept running despite power outages, flooding and horrible conditions.
Routing hardware went down in a number of places. Again, mostly because of the power outages. Router failures can mean that some mail can’t get from A to B, even if both A and B are up and functioning. As with the servers, these problems seem mostly under control.
Recipients don’t have power or internet at home. In fact, I think this is one of the bigger marketing challenges. Recipients can’t get their mail because they don’t have power or internet. This is probably going to have a bit of a longer term effect on email. Even when folks get their email back, the latest sale email from their favorite vendor isn’t necessarily going to be what they are looking for in their inbox. Even if they are looking for that sale email, they’re going to have a mailbox with days’ worth of email to sort through.
None of this is a long term problem. It’s mostly temporary. But marketers can expect lower open and click rates during the storm cleanup and restoration phase.

Read More

It's Thursday: AOL must be having problems

And, in fact, they are.
This time I’m seeing random reports of FBL failures. Some folks are seeing a significant (more than 50%) decrease in FBL emails. Other folks are reporting FBL reports that aren’t really FBL reports, but instead look like failed code output.
If you’re seeing this kind of problem it’s not just you.
As always, people at AOL are working to fix things and cooperating with people in the sending community who are having this problem. In other news, I found out last week that the one Really Smart Mail Guy I thought was still there is still at AOL but is no longer in their mail division. That means that the guys who built the AOL version of Skynet have left it to its own devices. Be afraid. Be Very Afraid.

Read More

Poisoning Spamtraps

Today’s question comes from Dave in yesterday’s comment section.

I wonder if spammers might submit harvested addresses to big-name companies known to not use confirmed opt-in just to poison what they believe might be spamtraps?

Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of Chinese-language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way, shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

Read More

MAAWG presents the first J.D. Falk award

Last week at MAAWG went much like all MAAWG conferences go: too much to do, too many interesting panels to attend, too many people to connect and work with, a plethora of very interesting keynote speakers and a total lack of sleep. Most of what happens at MAAWG is not public, but some of the events are.
One of the things that I can talk about is the J.D. Falk award. This award was established by MAAWG, Return Path and J.D.’s family to recognize people who work, usually behind the scenes and without fanfare, to enhance the Internet and protect end users. I sat on the award committee and we had a number of nominations for very worthy work. But the nomination that stood out was the one for Tom Grasso. Tom was the driving force behind the creation of the DNS Changer Working group. He was responsible for connecting experts from throughout the Internet industry, including ISPs, anti-virus vendors, and the broader security community to prevent the Internet from going dark for hundreds of thousands of infected individuals.
I am very proud of the decision the committee made. The bar has been set high for future recipients. Tom did an amazing job convincing lots of players to work together. His involvement definitely made the internet better for everyone, not just those infected by Rove Digital’s malware. What he did is a model for private / public partnerships in the future.
I don’t think I could say it better than the MAAWG press release, so I’ll just end with that.

Read More

Retrying mail to AOL

I’m working on stuff for MAAWG so I’m really not all that up on what’s happening in the world of email recently. A lot of folks are commenting on my AOL post, and I’m hearing that queues are backing up and emptying as AOL makes changes.
One thing people have been asking me is if they should retry mail to the addresses that are bouncing. I say yes, absolutely. Some of the error messages are related to real filters, but there seems to be quite a bit of slop in the filters these days. I think, though, that the recipients do exist and removing the addresses from future mailings is premature.

Read More

Mail problems at AOL

We cannot help end users troubleshoot AOL connection problems. Please do not call. Please do not write. You need to talk to AOL. We are not AOL. We cannot help you.

Read More

Can I assume consumer and business filtering is the same?

Today’s question comes from Steve B.

I wondered if you know much about hosted email providers such as Google Apps, Microsoft and Yahoo.
I have seen a rise in the number of people using them to provide their corporate email service. I am using the same logic that the rules governing delivery to Gmail will affect those using Google hosted email for example. For Microsoft I have been using Hotmail due to the SmartScreen filters. Would you agree with that logic?

Read More

Want to learn about Networking and the Internet?

You can trust the “experts” that populate Facebook.

Or you can take An Introduction to Computer Networks from Stanford University.

Read More

Handling replies to bulk mail

This week’s Wednesday question comes from Ryan W.

I’ve been noticing a few e-mail accounts who reply to our e-mail sends with spammy type replies such as, “hey this is intense…..(link)”. What do you think, should we be removing those e-mails from our mailing?

Read More

Return Path partners with Symantec

Today Return Path announced a partnership with Symantec to improve their anti-phishing product. Return Path is incorporating the Symantec Trusted Domain List into their authentication and filtering product to help customers protect their brands. Press Release
Phishing scams affect everyone, and having a brand that is used in phishing can reduce consumer trust in that brand. Protecting brands in email has been one of the more difficult challenges facing the email community. With the adoption of DKIM and DMARC by major brands and ISPs it has become easier to track and address phishing.

Read More

October?

I had a realization a few days ago that next week is October. Where did the year go? Blogging is likely to be light in October, as I’m at multiple conferences (OTA next week, MAAWG at the end of the month).
Please stop by and introduce yourselves if you’re at either conference. I always love to meet readers.

Read More

What causes Spamhaus CSS listings

Today’s Wednesday Question comes from Zaib F.

What causes the Spamhaus CSS listing in your experience other than Sender using multiple sets of IPs, to look as if they are a valid sender. Do you think a Spamtrap plays a role?

Read More

Links: September 24, 2012

Last week Return Path announced a new set of email intelligence products. One of their new products offers customers the chance to actually see how (some subset of) their customer base interacts with mail directly. It moves beyond simply looking at probe mailboxes and actually looks inside the mailbox of recipients.
Spamhaus has listed bit.ly on the Domain Blocklist (DBL) for allowing spammers to abuse their redirector service. Spammers have been abusing bit.ly for a while, and I’m a little surprised it’s taken so long for a listing to happen. Steve wrote a post last year about URL redirectors and offered suggestions on what to do to avoid blocking problems when using a URL shortening service.
Real Insights has a very interesting post on why it should be “hard” to subscribe to your mailing list. There are also a number of good suggestions about the subscription process itself. Definitely worth a read.

Read More

Is Amazon SES a reputable place to send mail from

On the first installment of our Wednesday question series, I chose a question from Twitter.

Read More

Thanks for your questions!

Thanks, everyone, who submitted questions to laura-questions@wordtothewise.com. We’ve gotten some great questions to answer here on the blog. I’m working through the emails and contacting folks if I have questions. I’ll be answering the first question on Wednesday.
I also did have someone harvest the address off the website and send me non-CAN SPAM compliant spam to it. I have to admit, I didn’t expect someone to harvest the address at all, but especially not within 12 hours of posting an address. Particularly someone who’s not harvested our contact address previously. I also am considering how much content I could get detailing taking the spammer to court in CA for violating CAN SPAM and the CA anti-spam statute.
 

Read More

RFC-i blocklist shutting down

The RFC-ignorant blocklist announced on 9/15 that it will be shutting down service.
I commend Derek and his team for how they’re handling the shut down. All too many blocklists have been shut down due to owner burnout with disastrous consequences. Most of these lists did things like listing the whole world or just pulling domains out of the roots. Both types of shutdown methods cause problems for unrelated entities. In one case, a major DNS provider was dealing with what looked like a DOS attack after one blocklist shut down.
I’ve certainly had my differences of opinion with the folks behind RFC-i over the years, but I commend them for announcing the shut down ahead of time and gracefully shutting down RFC-i.
 

Read More

Ask Word to the Wise

One of the challenges of writing a blog for 5 years is making sure we’re providing information our readers really want. I figure the easiest way to do that is to have you ask us questions about the things you want to know.
You can ask questions in the comments here, send them to laura-questions@wordtothewise.com or tweet them to me @wise_laura.
 

Read More

Let them go!

Unsubscribing should be so simple. Even if someone signed up for mail, senders should let them go when they unsubscribe. Unfortunately, there are a lot of senders that make it difficult to unsubscribe. In fact, many companies are still hiding unsubscribe links behind login pages.

Read More

Open Relays and Mail Sinks

Email is a “store and forward” protocol. The sender doesn’t connect directly to the recipient to send the mail with just one network hop; rather, the sender connects to a mailserver (usually referred to as an “MTA”, short for Mail Transfer Agent) and sends the message there. Once that MTA has received the message it sends it on to another MTA, and so on until it reaches the recipient.
Mail clients typically don’t have any intelligence built into them to decide which MTA to send an email to. Instead they’re configured to blindly send every message to one particular local MTA, the smarthost, which then does all the proper SMTP work to decide where to send it on to.

Read More

Just Block It

I tend to go back and forth about reporting spam these days. On one level I know that it’s all a numbers game, and policy enforcement is more about the quantity of complaints than the quality. Knowing this I don’t often send in complaints. I do make a few exceptions: when I know the policy enforcement team or when it’s a current or former client.

Read More

Equivocating about spamtraps

What is a spamtrap? According to a post I saw on Twitter:

Read More

Dr. Livingston, I presume?

I linked to Al’s post about misdirected emails and how annoying it is for people who receive emails. I’ve previously talked about the problems associated with not handling misdirected emails properly.
It’s really annoying getting email that you never signed up for. For instance, one of my email addresses gets quite a bit of misdirected email. Oddly enough, much of this mail comes addressed to “Mrs. Christine Stelfox” and advertises various services. The problem is, I’m not Mrs. Christine Stelfox and I don’t live in the UK.
I’ve been getting this misdirected email for a while. In fact, I’ve even tried to track down the source of this just to make it stop. But I can’t seem to get that to happen. The senders tell me simply that I opted in, and that if I want to opt-out, here’s a link. Sometimes I have more luck contacting ESPs, but not always.
In fact, recently I reported spam addressed to Mrs. Stelfox to a European-based ESP. I got a response from their delivery head, who asked a lot of questions about the email address. What kind of spamtrap was it? How long had I had it? Is it possible it’s a recycled address? It’s really not, though. It’s an address I’ve had since early 1994, and it’s not really a trap as I still actually use it for some mail. But I’ve not used it for commercial email since sometime in the late ’90s. And I’ve certainly never claimed to be a Mrs. Stelfox.
This really isn’t a case where I forgot I signed up. This isn’t a case where someone had the address before me. This is either some confused person using my address or some company in the UK selling my email address as belonging to someone else. I’ve tried to track this down in the past to get off the list of whomever is selling this address. But I’ve never had any luck.
There isn’t a lot of recourse here. I can continue to unsubscribe the addresses, but that doesn’t resolve the underlying problem. The underlying problem is that many marketers think it’s acceptable to purchase (or append) email addresses with no regard for the fact that sometimes their data suppliers are wrong.
It’s not just this one address, either. Another one of my email addresses is being sold as “Mrs. Laura Corbishley” of the UK as well. Sometimes I get the same spam to Mrs. Christine Stelfox and Mrs. Laura Corbishley. Other times I get different spams to each address, possibly because Mrs. Stelfox is behind some commercial email filters and Mrs. Corbishley isn’t.
Misdirected emails are annoying. They’re a problem for the people who keep getting them and can’t make them stop. It’s really important that ESPs, companies that send email and companies that sell email addresses have some way to make that mail stop. It doesn’t matter that half a dozen ESPs have put Mrs. Stelfox in their suppression list. Senders are still purchasing that data and are wasting their money. I am still getting spam.
 
 
 

Read More

Misdirected email

Al has another post about another company sending mail to a customer that gave an email address that didn’t belong to them. The person receiving the misdirected email has no effective way to make it stop, and is getting more and more frustrated with the ongoing spam. (Consumerist article)

Read More

5 Years

It’s been 5 years since my first post here at Word to the Wise. 5 years and over 1150 posts.
In that time I’ve written about a lot of topics relevant to email delivery.
I’ve talked about permission and why it’s a relevant part of email delivery. I’ve discussed spamfilters and why understanding how they work improves the decisions senders make about email delivery. I’ve talked about blocklists and filters and how they are a part of the email landscape senders have to navigate. I’ve talked about reputation and engagement relevance.
I’ve also talked about the things that show up in my own mailbox. Like some of the spam I receive. I’ve even used that to point out what spammers do.
Steve’s written quite a bit here, too. Often his articles are much more technical, like how he tracks down spammers.
We’ve written about legal cases, including e360 v. Spamhaus, which was the subject of my inaugural post. I also followed the case of Holomaxx v. Hotmail and Yahoo. And, of course, how different countries create and enforce anti-spam laws.
I have no idea how many words I’ve written in the last 5 years, but Steve swears to me it’s enough to write a book about email delivery. However many words I’ve typed into the ether, it really is the folks who participate here in conversation, who email me directly with questions and comments, who stop me at conferences and tell me how much they like reading the blog that keep me writing. I’ve enjoyed blogging way more than I thought I would, but I wouldn’t enjoy it half as much if readers didn’t enjoy it, too.
Thanks so much for reading here over the past 5 years. It’s been a lot of fun.

Read More

RPost – email and patents

Who are RPost?

RPost are an email service provider of sorts. You may not have heard of them, as they focus on a fairly niche market – electronic contract and document delivery. Their main services are “Registered Email” – which provides the sender of the message with proof that the recipient has read the message, and proof of the content of the message, and “Electronic Signatures” – which allows users to send documents signed cryptographically, or with a real signature scrawled with a mouse. This is all the sort of thing that would be mildly useful for exchanging contracts via email rather than by fax. Laura and I talked with them some years ago, and decided it was a reasonably useful service, but one that would be difficult to monetize.
They’ve recently started claiming infringement on their patents, so I thought I’d take a look at their actual product to see what it had evolved into.
Their current website has some very visible bugs in its HTML, and while it mostly looks pretty, the workflow isn’t terribly compelling. I signed up for a free account and sent myself an email. I saw the word “patented” and lists of trademarks prominently on many of the pages.
There’s no obvious way to see messages I’ve sent through their web interface, nor is there any inbox or way to see delivery status from the web interface. Rather you’re sent email to your real email account about each message. RPost were originally focusing on MUA plugins, and that seems to still be their main approach, with the web interface more of an afterthought. They list 22 MUA plugins in their Apps marketplace. They don’t have one for Mail.app (the MUA shipped with OS X) nor for any other Mac mail client. They do list a client for iPhone, but clicking on it shows that it’s not been released yet. Web interface it is, then.
I’d assumed that the proof of reading would be handled in the same way other “secure” messaging services tend to work – the email sent contains a link to a web page, and opening that link (optionally after entering a password) to see the real message is the “proof” that the mail was read. It turns out that’s not the case. The full message is in the email that’s sent. The “proof” that it was read is our old friend the single pixel tracking gif. It’s standard open-tracking, nothing more, with all the accuracy and reliability issues that implies. I also get mail telling me about the delivery (subject, recipient, timestamp, message-id) and a promise that I’ll get a “RegisteredReceipt™” in two hours.
On the technical side of things, RPost are using SPF correctly. They are not using DKIM to authenticate the message, nor any sort of in-band cryptography such as S/MIME or PGP. They’re including Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To headers, in the hope that the recipient’s MUA will send a notification to one of them. Most MUAs don’t – it’s considered a privacy / security violation, generally. I wonder if the RPost MUA plugins make your MUA respond to one of those?
Using opaque cookies in the Return-Receipt-To: etc. email addresses makes sense, as you can then use receipt of mail to one of those addresses as “proof” that the recipient opened the email. Unfortunately, the email addresses RPost use in those fields are trivially derived from the Message-ID – you take the local part of the Message-ID and add “read@rpost.net” on the end. And RPost include the Message-ID of the message in the notification they send to the sender. So it would be very easy for an unscrupulous sender to send a fake notification that would make it appear the recipient had opened an email when they hadn’t.
There are several email specification violations in the mail sent – the Resent-Message-ID is truncated, and syntactically invalid, the Resent-Date field is syntactically invalid, the email addresses used in the Return-Receipt-To, Disposition-Notification-To and X-Confirm-Reading-To fields are a little broken – in a way that I’m pretty sure leaves them syntactically invalid. The body of the message is HTML, and it violates basic HTML specifications – it has invalid comments, and it nests entire HTML documents inside paragraphs – “… <p><html><head><meta content type></head><body> … stuff …</body></html></p> …”.
One of the important things to do when sending email that you want to be delivered is to try and look like legitimate email, and not like spam. As well as the syntax issues, the mail uses unusual capitalization of several headers (“to:” is valid, but you’ll always see “To:” in legitimate email) and it sends the message as HTML only, not as multipart MIME with a plain text alternative. All those things give the mail sent via RPost a SpamAssassin score of 4.4, with a squeaky clean subject and body. It wouldn’t take much in the message provided by the user to push that the extra 0.6 to reach a SpamAssassin score of 5.0 and end up in the junk folder.

Read More

Spamhaus dDOS

I got mail late last night from one of the Spamhaus peeps telling me that they were under a distributed Denial of Service (dDOS) attack. This is affecting email. Incoming email is delayed and they’re having difficulty sending outgoing email. This is affecting their responses to delisting queries.
They are working on mitigation and hopefully will be fully up and running soon.
Updates when I get them.
Update (8/29/2012): mail to Spamhaus should be back.

Read More

Metrics, metrics, metrics

I’ve been sitting on this one for about a week, after the folks over at IBM/Pivotal Veracity called me to tell me about this. But now their post is out, so I can share.
There are ISPs providing real metrics to senders: QQ and Mail.ru. Check out Laura Villevieille’s blog post for the full details.

Read More

AOL bounces and false positives

A number of people have been seeing an increase in AOL bounces over the last few days. Some of these are the new rejection 554/421 CON:B1 message. This is, basically, you’ve topped our thresholds, back off.
The other one is a bit more interesting. The error message a lot of people are seeing is 554/421 RLY:SN. Senders should only be getting this error message when they are sending email from a banned address.

Read More

Do you have child subscribers?

Al has a short, but informative, post up on Spam Resource about privacy groups filing complaints with the FTC about companies violating the Children’s Online Privacy Protection Act (COPPA). Companies who are alleged to have violated COPPA include Nickelodeon, McDonald’s and General Mills.
The underlying issue appears to be the presence of “send to a friend” links maintained on kid focused websites. The consumer advocates are alleging that kids don’t understand that when they send things to their friends what they’re sending is actually advertising.
I talk a lot about informed consent, but don’t often touch the idea of consent from minors. But this is a good reminder that there are other laws than CAN SPAM involved when dealing with children.

Read More

Reporting email disposition

Most regular readers know I think open and click through rates are actually proxy measurements. That is they measure things that correlate with reading and interacting with an email and can be used to estimate how much an email is wanted by the recipients.
The holy grail is, of course, having ISPs report back exact metrics on what a user did with an email. Did the user read it? Did it stay open on their screen a long time? Did the user just mark it read or throw it away? What happened to the message? Marketers would love this information.
It’s unlikely the ISPs will ever provide this information to marketers. Take away all the technical challenges, and there are some significant ones, and there are still social challenges to making this data available. Current user contracts protect the privacy of the user, and local laws prohibit sharing this data. And there is the vocal group of privacy advocates that will protest and raise a big stink.
I’m not sure why email gets the special treatment of expecting the channel owners to provide detailed disposition data. In no other direct marketing venue is that information collected or provided. TV stations can’t tell advertisers whether or not someone watched a commercial, fast forwarded through it or got up to grab a beer from the fridge. The post office can’t tell direct mail marketers whether or not a recipient read the mail or just dumped it in the big recycling bin the post office provides for unwanted messages. Billboard owners can’t tell advertisers how many people read the billboard.
Since we can’t get exact read rates from ISPs, what do we do? We look at proxy numbers.
Read rate directly measures who opened the message. Open rate is a proxy. It’s who displayed images in the message.
Read rate can be measured only by people who have access to the user’s inbox. The ISPs can measure read rate because they have full access to the mailbox, but this requires the user to access the mailbox through webmail or IMAP. Some third party mailbox addons can measure it, but this requires the cooperation of the mailbox owner. If the mailbox owner doesn’t install the reporting tool, then the 3rd party doesn’t have access to the data. Only groups with access to the end user’s mailbox can measure this rate.
Open rate can be measured by people who have access to the server where images are hosted. Senders and ESPs and 3rd parties can measure it if they provide unique image IDs or tracking pixels in their emails. Open tracking does require the cooperation of the recipient – they have to have images on. No images on, no open tracking. Ironically, ISPs cannot measure open rate, because they have no access to the image hosting servers.
Click rate can be measured by people who have access to the server that hosts the website. The same people who can measure opens can measure clicks. Some ISPs can measure clicks: Hotmail used to pass every URL through a proxy they hosted and they could count clicks this way. AOL controls the client so they could measure number of clicks on a link. I’ve heard trustworthy folks claim that ISPs are measuring clicks and that they’re not measuring clicks (any of the Barrys want to comment?).
Without controlling the inbox, though, senders have to rely on proxy measurements to judge the effectiveness of any particular campaign. But at least email marketers have proxies to use for measurement.

Read More

The perils of politics

I’ve talked a little bit about political and activist mail in the past. In general, I believe political mailers tend to be aggressive in their address collection techniques and sloppy in acquiring permission.
For the most part, politicians can get away with aggressive email marketing in a way that commercial emailers can’t always. The laws for commercial email don’t really apply to political emails. Politicians and activists don’t have to comply with CAN SPAM. They don’t even have to stop mailing if you opt-out. They don’t have to identify themselves the way commercial emailers do. They trade, sell, barter and borrow voter data, including email addresses.
This doesn’t mean the politicians don’t get blocked. They most certainly do suffer delivery consequences to their behaviour.
Well, today I saw another article talking about the pitfalls of political mailings. According to US News, a number of people who are unlikely to be Republican supporters were reporting that they were spammed by the Romney campaign.
The Romney campaign says it wasn’t them, and that they are only sending mail to people who signed up to receive it. This is possible; the article at US News says that the signups came from an IP address that is part of the Tor network. What is Tor? Tor is a way to hide your location on the internet. Ever watch a crime show and see the master geek track a bad guy all over the world by IP address? That’s basically what Tor does.
It’s very possible someone did find a list of email addresses of people guaranteed to be angry about getting mail from the Romney campaign. It’s very possible they used Tor nodes to submit those addresses to the campaign lists. It’s been known to happen, and it’s not like this election is getting any less contentious as we get closer to November.
Forged subscriptions are a problem for every activist and political mailing list. But most of them don’t take any steps to protect themselves from maliciousness. Welcome emails, confirmation emails, audit trails and monitoring can help minimize the chance of subscribing a lot of people who don’t want that mail. Most political and activist groups won’t take that step, though. They’d rather increase lists by any means necessary without adding any controls on making sure those addresses are valid.
The irony is that the first thing activists blame when they do have email delivery problems is their political opponents forging addresses into their list. But they still push back against actually implementing controls and protections against the practice.
As with many things, politicians want to have their cake and eat it too. They want the extra volume that comes from indiscriminate signups, but don’t think that should cause them any problems. It doesn’t work that way in the real world, though.

Read More

Asking smart questions

Your mail is being blocked or deferred and you’d like to know why.
Before you ask someone “why?” you should have done these things:

Read More

Spam makes only 200MM dollars a year

Now, in a new paper in the Journal of Economic Perspectives, Justin Rao of Microsoft and David Reiley of Google (who met working at Yahoo) have teamed up to estimate the cost of spam to society relative to its worldwide revenues. The societal price tag comes to $20 billion. The revenue? A mere $200 million. As they note, that means that the “‘externality ratio’ of external costs to internal benefits for spam is around 100:1. Spammers are dumping a lot on society and reaping fairly little in return.” In case it’s not clear, this is a suboptimal situation. The Atlantic

Read More

Outlook.com in practice

I’ve seen a few people talking about outlook.com and how it’s working. There aren’t many insights here but there are a couple.

Read More

More on Yahoo and Engagement

A friend of the blog contacted me earlier today and pointed out that the news that Dan posted about Yahoo and engagement that I blogged about last week was actually reported by George Bilbrey in a Mediapost article on August 1.

Read More

Yahoo looking harder at engagement

In a post this morning, Dan Deneweth from Responsys says he’s received confirmation from Yahoo that they have increased the value of engagement metrics when making delivery decisions.
The really great thing, for the ISPs, about engagement metrics is that they directly measure how much a particular email is wanted by recipients. There’s no guessing about it, it measures how engaged the recipient is with a mail. Even better is the fact that, unlike proxy metrics, engagement metrics are extremely difficult for the sender to manipulate. As a sender I can artificially lower complaints and bounces without improving the mail I’m sending. But I can’t improve engagement metrics without actually engaging my recipients.
As I wrote back in 2010:

Read More

Comcast blocking outgoing port 25

Comcast announced today they’re blocking outbound port 25 for their residential customers. What does this mean for email marketers? Not much, unless your home connectivity is through Comcast and then you’ll just need to follow Comcast’s directions in order to send mail. What does it mean for email receivers? It means a lot of us will be seeing a lot less spam from infected Windows machines.
 
 

Read More

Outlook.com

The big news in email today is Microsoft’s announcement of the next version of Hotmail: Outlook.com. This does appear to be an attempt to compete with a host of Google’s offerings. Not only does Outlook.com include Skype and access to social media accounts, but it also includes web app versions of Word, Excel and PowerPoint with 7GB of storage space.
I’m not sure how actively people will be grabbing Outlook.com addresses, as you can use hotmail.com addresses with the Outlook.com interface. Only time will tell, though, how this affects email marketing and spam filtering.

Read More

More about the mail.ru FBL

Len Shneyder has a really interesting post up about the mail.ru feedback loop and the broader message this sends about the intersection of social media and email marketing. Go read it!

Read More

Barack Obama vs Mitt Romney

@LorenMcDonald over at SilverPop has an interesting comparison of the email marketing habits of the two presidential campaigns:

Read More

Reputation is more complex than a single number

I checked our SenderScore earlier this month, as quite a few people mentioned that they’d seen SenderScore changes – likely due to changed algorithms and new data sources.

It sure looks like something changed. Our SenderScore was, for a while, zero out of a hundred. That’s as bad as it’s possible to get. I didn’t get a screenshot of the zero score, but I grabbed this a couple of days later:

Are ReturnPath wrong? No. Given what I know about the traffic from our server (very low traffic, particularly to major consumer domains, and a negligible amount of unavoidable backscatter due to our forwarding role addresses for a non-profit to final recipients on AOL) that’s not an unreasonable rating. And I’m fairly sure that as they get their new algorithms dialed in, and get more history, it’ll get closer. (Though I’m a bit surprised that less than 60 mails a day is considered a moderate volume.)
But all our mail is delivered fine. I’ve seen none of my mail bounce. It’s very rare someone mentions that our mail has ended up in a bulk folder. I’ve received the replies I’ve expected from all the mail I’ve sent. Recipient ISPs don’t seem to see any problems with our mail stream.
A low reputation number doesn’t mean you actually have a problem, it’s just one data point. And a metric that’s geared to model one particular sort of sender (very high-volume senders, for example) isn’t going to be quite as useful in modeling very different senders. You need to understand where a particular measure is coming from, and use it in combination with all the other information you have rather than focusing solely on one particular number.
 

Read More

Phishing and trust

Tom Sather has a great post up on the RP Email marketing blog discussing phishing. His point is that phishing lowers the overall trust in email marketing. He lists a number of things marketers should consider doing to counteract that loss of trust.
I rely heavily on the use of tagged addresses to deal with phishing in my own mailbox. If an email doesn’t come to the right address, then it’s immediately tossed as a phish. Unfortunately, as data leaks increase this is becoming less effective as a strategy.

Read More

J.D. Falk Award

This morning M³AAWG announced the creation of the J.D. Falk award to recognize and honor people like J.D. who work to make the Internet safer for all users.

Read More

Nameless and faceless

Ken Magill wrote about Spamhaus last week. In the article he commented about the volunteers.

Read More

New Feedback loop

There’s a new feedback loop at mail.ru. This is a DKIM based FBL (like Yahoo) and is designed primarily for ESPs. I am hearing there is an IP based FBL for ISPs in the works, but there isn’t a firm release date for that yet.
Senders and ESPs can sign up for the new FBL at http://postmaster.mail.ru/. One caveat is that you must have a mail.ru account in order to get access to the stats page and there isn’t currently an English webmail page. I tried but couldn’t get online translators to work on the signup page.

Read More

Policing customers

In yesterday’s post about Cloudflare and Spamhaus, Fazal comments that Cloudflare may have been asked by law enforcement to leave the website up.
This does happen and it’s not totally out of the question that’s what is going on with this particular website. But I used the malware C&C as an example of the poor behaviour condoned by Cloudflare; it’s certainly not the only bad behaviour. There’s also the issue that Cloudflare disavows all responsibility for the behaviour of their customers.

Read More

Cloudflare and Spamhaus

Spamhaus has been the subject of a lot of discussion the last few weeks. I touched on this a little in June when I blogged that a number of large brands were getting SBL listings.
But big brands are not the only companies with publicly discussed SBL listings.
Cloudflare, the content delivery network that grew out of Project Honey Pot, has a number of SBL listings, covering at least 2 /18s and a /20. Representatives and customers of Cloudflare have been discussing the listings on Twitter.
As a content provider, Cloudflare isn’t actually sending mail nor are they actually hosting the content. What they are doing is providing consistent name service and traffic routing to malicious websites. In fact, they’ve been providing services to a malware botnet controller (SBL138291) since May, 2012. They’re also providing services to a number of SEO spammers. Both of these actions are justification for a SBL listing, and Spamhaus has a history of listing providers protecting spammers.
Cloudflare claims they take action on all “properly filed complaints” and they may actually do that. But their reports require quite a bit of information and require consent for releasing information to 3rd parties. Looking at the website, it appears to me to be a site designed to discourage abuse reports and stop people from reporting problems to Cloudflare.
When you look at the Cloudflare business model it’s clearly one that will be abused. Cloudflare acts as a reverse proxy / pass through network that caches data from their customers. This protects the abuser’s webhosting setup and prevents people tracking the abuser from being able to determine the true host of a website. As a responsible internet citizen, Cloudflare should be disconnecting the customers hiding behind Cloudflare’s services.
Unfortunately, Cloudflare seems unwilling to actually police their customers. They’ve taken a totally hands off approach.
Let’s be frank. Cloudflare has been providing service to Botnet C&C servers for at least two months. It doesn’t matter that the abuser has the malware on a machine elsewhere, Cloudflare’s IP is the one that serves the data. I don’t care what you think about spam, providing service to malware providers is totally unacceptable. It’s even more unacceptable when you claim to be a security company. Nothing about malware is legitimate and the fact that Cloudflare is continuing to host a malware network command and control node is concerning at the very least.
Cloudflare (.pdf) is listed on Spamhaus for providing spam support services. The most obvious of these is providing service to a malware controller. And Spamhaus escalated the listings because they are allowing other abusers to hide behind their reverse proxy.

Read More

DNS Changer servers going offline

There are a whole host of different botnets. One botnet run by Rove Digital infected computers with viruses that changed their DNS settings, giving the botnet runners the ability to control how the infected computers viewed the Internet.
The criminals behind the DNS Changer virus were arrested in November of last year. The court ordered the Internet Systems Consortium (ISC) to operate replacement DNS servers for computers infected with the botnet viruses in order to give users a chance to clean and fix their computers.
That court order expires on Monday.
Anyone who is still infected with the DNS Changer malware will see their internet services greatly curtailed when the DNS servers go offline.
If you run Windows and you haven’t yet checked to see if you’re infected, you should do so soon. There are a number of websites you can visit that will tell you if you are actually infected with the DNS Changer virus and, if you are, will give you information on how to fix your system.

Read More

Services, abuse and bears

A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not always new companies that don’t think about abuse potential before launching services.

Read More

Report Spam button

Cloudmark has an interesting discussion about the Report Spam button and how it’s used.

Read More

Scam, Scam, Scam

One of the things that never ceases to amaze me about phishers is how incredibly creative they can be in writing text that encourages recipients to open their emails.
There have been two separate incidents recently that inspired me to talk about phishing.
The first was watching viruses propagate through my local neighborhood mailing list. I live in Silicon Valley and we do have an email list for neighbors to talk, plan and generally share information. Last week one of the neighbors got infected with a virus, and their address started posting links to more viruses to the list. Over the weekend I watched half a dozen neighbors get infected and post more viruses to the list.
The second is the dozens of messages I’ve been receiving telling me there are naked photos of me on the Internet. They have a couple different forms. Some pretend to be concerned friends worried that my private photos have leaked. Others threaten legal action or that the police are investigating me. Still others tell me I’ve ruined a friendship by sharing these photos.
None of those things are true, of course. They’re all trying to get me to open a file and infect my machine with some virus or another.

Read More

A quick comment on commenting

I don’t have a published comment policy. Most people around here are polite enough I don’t think one is needed. There are a couple things I feel I should say, though.

Read More

Spamhaus changes

A number of ESPs are reporting an increase in SBL listings of big, well known brands. InterestingSBLs seems to confirm this.
Just in the month of June I see tweets reporting SBL listings for: Disney (again, and again), AAA Michigan, NRCC, the Mitt Romney campaign, Macy’s (again), Facebook, Walmart Brazil, Safeway, Bacardi.
What happened? I think there are a number of reasons for an increase in SBL listings of well known brands.
The first is that botnets are rapidly becoming a solved problem. That’s not to say that they’ve gone away, or that we should stop being vigilant about the spam and malicious mail coming out of them, but that there are more and better tools to deal with botnets than there have been in the past. That means that the folks at Spamhaus can look at different classes of unsolicited email.
I believe Spamhaus has some new mail feeds that let them see mail they were previously not seeing. Anyone who has multiple email addresses can tell you that the type of spam that one address gets is often vastly different than the type of mail another email address gets. When dealing with spamtrap feeds, that means that there is unsolicited mail that isn’t seen by the feed. I know there are companies who claim to have lists of hundreds of thousands of spamtraps, and I don’t doubt that some enterprising spammers have discovered Spamhaus spamtraps in the past. Adding new feeds means that Spamhaus will see spam that they were previously missing due to their traps being compromised.
As well as bringing up new feeds, I suspect Spamhaus has better tools to mine the data. This means they can see patterns and problem senders in a clearer way and list those that meet the Spamhaus listing criteria.
I’m not saying the Spamhaus standards have changed. Spamhaus has always said they will list anyone sending unsolicited bulk email. But, as with many organizations, what they could do was limited by the available resources. That resource allocation has changed and they can deal with more senders.
What does all this mean for senders? In a perfect world it wouldn’t mean anything. Senders would actually be sending mail only to people who had asked to receive it. Senders would have good list hygiene and pull off abandoned addresses long before they could be turned into spamtraps.
But we all know this isn’t a perfect world. There are a lot of senders that have lists with years of cruft on them. And not all of those addresses on the list actually opted-in to receive that mail. Many of those senders have good stats, decent opens, low unknown user rates, and low complaint rates. But that doesn’t mean there aren’t problems with the lists. And those hidden problems may mean that just because you haven’t had a Spamhaus listing in the past doesn’t mean there isn’t going to be one in your future. It means senders who want to avoid SBL listings need to pay attention to list hygiene and dead addresses. It means the source of addresses and their audit trail is even more important than ever.
Meanwhile, ESPs are struggling to cope with the ongoing and increasing SBL listings.
EDIT: Mickey attributes some of the increase in listings to Spamhaus being better able to detect appended lists.

Read More

Dealing with complaints

There are a lot of people who abuse online services and use online services to abuse and harass other people. But handling complaints and handling the abuse are often afterthoughts for many new companies. They don’t think about how to accept and process complaints until they show up. Nor do they think about how bad people can abuse a system beforehand.
But dealing with complaints is important and can be complicated. I’ve written many a complaint handling process document over the years, but even I was impressed with the Facebook flowchart that’s been passed around recently.

In the email space, though, all too many companies just shrug off complaints. They don’t really pay attention to what recipients are saying and treat complaints merely as unsubscribe requests. Their whole goal is to keep complaints below the threshold that gets them blocked at ISPs. To be fair, this isn’t as true with ESPs as it is with direct senders, many ESPs pay a lot of attention to complaints and will, in fact, initiate an investigation into a customer’s practice on a report from a trusted complainant.
There are a lot of legitimate email senders out there who value quantity over quality when it comes to complaints. But that doesn’t mean their lists are good or clean or they won’t see delivery problems or SBL listings at some point.

Read More

Not just you

This morning (9 or 10 am Pacific) my various mailing lists were lighting up with questions about Yahoo delays. A lot of people reported they were seeing Yahoo respond “420 Resources Unavailable, try again later” on connect.
What everyone wanted to know was if other senders were seeing this.
The answer was a resounding YES.
And, in fact, Yahoo commented on Facebook around 2pm Pacific that they had a mail outage and were trying to bring services back up before close of business today.
As with many things, the Internet rumor mill is one of the fastest and astonishingly accurate sources of information about mail servers falling over.
I started hearing reports that queues were clearing mid-afternoon Pacific, but not everyone is seeing that.
So, yes, Yahoo is having a bad day. And it’s not you, it’s not spam, it’s just that some of their mail servers fell over and they’re struggling to accept all the mail headed their way.
It happens.
If you’re interested in hearing more timely updates, I will often announce things like this on Twitter when I hear about them.

Read More

Gmail filtering

Derek Harding has a pair of articles on ClickZ about Gmail giving their users information about why a particular email message was filtered.
What Gmail Teaches Us about Spam Filtering
Gmail Filtering: The Spam Disposition
Both articles are worth a read. They talk about what we know about Gmail and what we can infer from the data they provide to senders.

Read More

New Spamhaus lists

Spamhaus announced today they are publishing two new BGP feeds: Extended DROP and the Botnet C&C list. These lists are intended for use inside routers in order to stop all traffic to or from listed IP addresses. This is a great way to impact botnet traffic and hopefully will have a significant impact on virus infections and botnet traffic.
In other news I’ve been hearing rumbling about changes at Yahoo. It looks like they have changed their filters and some senders are feeling lots of pain because of it. It looks like senders with low to mid range reputations are most affected and are seeing more and more of their mail hit the bulk folder. This afternoon I’m hearing that some folks are seeing delivery improvements as Yahoo tweaks the changes.

Read More

Crowdsourced Investing and Spam

Kickstarter’s success has made a lot of people pay attention to the concept of crowdfunding. At its best, crowdfunding investment allows fans of an artist to send her money to directly support her work, and get something special out of it. At its worst, it’s photoshopped fake products, dubious consumer electronics and videogame projects from the implausible to outright scams.
Crowdfunding sites provide a fairly simple service: they allow people to list products on their website, provide a discussion forum and allow people interested in the project to pay money (after the crowdfunding site skims 5-10% off the top) to the project backers. The project backers promise something in return for the payment – from one or more of the actual product being developed, if it’s ever released, down to a simple “thanks!” on a website. That’s something that makes perfect sense in the original KickStarter artist fan-club world, but also allows attempts to fund tech startups to avoid SEC requirements on both the startup and the crowdfunding company. Those SEC requirements were put in place many years ago to make it more difficult for scam-artists to swindle people in the guise of investing in a worthless company…
What does this have to do with spam? Well, if you’re going to set up a spam campaign of some sort – whether it’s for a real product, or an outright scam – there are several things that are very useful to have: A website that looks plausible, and won’t be taken down by the webhost. A way to accept money, ideally via online credit card payments. And a way to control discussion about your product, so that you can maintain an appearance of legitimacy and build buzz while keeping naysayers from dissuading potential customers, would be perfect.
That’s exactly what the crowdfunding sites offer. Some of them – KickStarter, for one – are very aware of the potential for abuse. Not only do they do some basic checks of potential projects for legitimacy, but they have – and enforce – acceptable use policies to deter bad behaviour. Others, like IndieGoGo, don’t.
I got this spam out of the blue:

Read More

Why does it take two weeks to process an unsubscribe?

Why does it take “10 business days” to process an unsubscription request?
It almost never does. An unsubscription request will often take effect instantly and it would be rare that it would take more than a few business days.
So why do some businesses say your email address will be removed “within 10 business days” when they know it’ll be almost immediate?
It’s better to underpromise and overdeliver. No recipient is going to be annoyed if they stop getting mail sooner than they were promised. But tell them they’ve been unsubscribed and will receive no more email, then have mail from you end up in their inbox the following morning and they may get mad.
Why “10 business days” in particular?
The US CAN-SPAM act says you have to honor unsubscription requests by then, so that’s the upper limit to what’s legal:

Read More

World IPv6 launch day

Today is world IPv6 launch day. A group of ISPs, network hardware manufacturers and web companies permanently enabled IPv6 for their products and services.
What’s this got to do with email? According to a post on the NANOG mailing list the very first email to arrive at the Comcast IPv6 mailserver was received a minute after the server was turned on. This email was spam and was caught by Cloudmark’s filters.
Comcast goes on to assure readers that more mail came in and not all of it was spam.
But, yes, the first email sent to Comcast over IPv6 was spam. Welcome to the future.
 

Read More

Things people hate about your email marketing

I found this article over on Hubspot, and I think it covers a lot of why people hate email marketing quite well.

Read More

Spamtraps are not the problem

Often clients come to me looking for help “removing spamtraps from their list.” They approach me because they’ve found my blog posts, or because they’ve been recommended by their ISP or ESP or because they found my name on Spamhaus’ website. Generally, their first question is: can you tell us the spamtrap addresses on our lists so we can remove them?
My answer is always the same. I cannot provide a list of spamtrap addresses or tell you what addresses to remove. Instead what I do is help clients work through their email address lists to identify addresses that do not and will not respond to offers. I also will help them identify how those bad addresses were added to the list in the first place.
Spamtraps on a list are not the problem, they’re simply a symptom of the underlying data hygiene problems. Spamtraps are a sign that somehow addresses are getting onto a list without the permission of the address owner. Removing the spamtrap addresses without addressing the underlying flaws in data handling may mean resolving immediate delivery issues, but won’t prevent future problems.
Improving data hygiene, particularly for senders who are having blocking problems due to spam traps, fixes a lot of the delivery issues. Sure, cleaning out the traps removes the immediate blocking issue, but it does nothing to address any other addresses on the list that were added without permission. In fact, many of my clients have discovered an overall improvement in delivery after addressing the underlying issues resulting in spamtraps on their lists.
Focusing on removing spamtraps, rather than looking at improving the overall integrity of data, misses the signal that spamtraps are sending.

Read More

Congrats!

Congratulations go out to Matt Blumberg for being named one of the top entrepreneurs for 2012 by Crain’s New York Business!

Read More

Permission.

The discussion of “permission” and “opt-in” is one that keeps popping up again and again. I am working on posting some more thoughts about permission and consent. While I’m still thinking about what new I can say, here is a list of Word to the Wise articles I’ve posted in the past on permission:

Read More

Another reason not to use no-reply@

A story from someone handling support at a UK company that regularly sends out transactional email with no-reply@company in the From: line.

Read More

The challenge of integrated marketing

There are dozens of ways for companies to interact with customers these days. Business Insider recently posted this infographic, only to realize that they’d left off Pinterest.

Read More

Return Path on Content Filtering

Return Path have an interesting post up about content filtering. I like the model of 3 different kinds of filters, in fact it’s one I’ve been using with clients for over 18 months. Spamfiltering isn’t really about one number or one filter result, it’s a complex interaction of lots of different heuristics designed to answer the question: do recipients want this kind of mail?

Read More

Delivery and marketing part 2

A while ago I wrote some thoughts about the conflicting requirements of delivery and marketing. I posted something similar over on the Only Influencers list, too. My thoughts generated a very interesting discussion, one that helped me clarify some of my somewhat random thoughts from earlier.
Marketing is about finding mindshare. One way you get mindshare is repetition. But people tune out repetition pretty quickly. Sending the same offers, the same copy over and over again means recipients start to tune things out. When recipients start tuning out mail, they may not bother opening it, they just read the subject line. If too many recipients start relying on the subject line then delivery can suffer.
Effective marketing relies on getting mail in front of the target audience. That’s the delivery component. Without inbox delivery, even the best marketing will not work.
No one will see marketing if it is in the spamfolder.
I don’t think you can cleanly separate delivery strategy from marketing strategy, but it’s important to realize they have different constraints and different pressures. When I talk about delivery with a client, I’m talking about getting mail into the inbox. And, most of the time, they’ve come to me because they’re not getting into the inbox and they have to make changes. The genius of their marketing is irrelevant, because no customers see it.
But once mail is in the inbox you can’t just ignore delivery, either. Sure, it becomes less of a pressure on the copy and the marketing strategy, until such time as the mail isn’t getting into the inbox any longer. Then it’s back to working on delivery and maybe having to implement some aggressive data hygiene. Back in the inbox and you can be aggressive on the marketing again.
Successful email marketing requires balancing the constraints of good delivery against the constraints of good marketing.

Read More

Fickle recipients

One of the tenets of good delivery is know your recipients. Woot.com seems to know their recipients.
 
Happy Friday.

Read More

Email is different

OMI responded to my post about data cleansing yesterday. She asked an interesting question:

Read More

Data Cleansing part 2

In an effort to get a blog post out yesterday before yet another doctor’s appointment I did not do nearly enough research on the company I mentioned selling list cleansing data. As Al correctly pointed out in the comments they are currently listed on the SBL. And when I actually did the research I should have done it was clear this company has a long term history of sending unsolicited email.
Poor research and a quickly written blog post led to me endorsing a company that I absolutely shouldn’t have. And I do apologize for that.
With all that being said, Justin had a great question in the comments of yesterday’s post about data cleansing.

Read More

Data Cleansing

According to Ken, Outward Media has productized a database of 300,000,000 email addresses that should never be mailed.

Read More

Why so many domains

There’s a company that advertises a lot on TV. The ads are well done, they tell a clear story in the 30 seconds. They feature a pretty and happy young woman dancing around. There is a great catchy tune. From all appearances it’s a successful ad campaign.
The point of the ad campaign is to drive traffic to a website where the domain owner can collect a lot of information and sell it on to advertisers. Every month or so, the landing URL changes. In watching this campaign over the last year or two, I’ve seen at least half a dozen different URLs used in the television ads. Now, it’s perfectly possible that this is part of an overall strategy, but I am not sure. The initial website is highlighted so clearly in the catchy tune, I can’t believe it is part of their marketing strategy.
Which leads me to wonder if there is a bigger problem with their advertising. Do they change domains so frequently because they’re seeing domain based blocking?

Read More

You opted in

One thing I get in some of the comments here and in some of the discussions I have with email senders is that no commercial emailer ever sends unsolicited email. That, clearly, at some point the recipient opted in to receive mail and if that person doesn’t want mail they shouldn’t ever give out their email address.
I have an old yahoo address that’s used primarily as my Flickr account login. I don’t believe I’ve ever given out the address to anyone or opted in to anything. Anything’s possible, this address was created sometime in 2006 or 2007 and I may have tossed it into a form to test something. It’s certainly not an address I ever actually use.
Earlier this week I checked mail on the account. There were almost 700 messages in there. It was pretty amazing how much garbage this unused, unshared address collected. Notice the “clever” use of foreign alphabets and the number of legitimate companies who have acquired this address or hired people to mail me on their behalf. I’m sure some of it is phishing, too.

Read More

AOL improving

I’m hearing from lots of folks that they’re seeing some improvement in delivery to AOL accounts.
As everyone can imagine, the AOL situation has been a common thread of discussion on many delivery lists. One person even commented on how fragile the AOL mail server seems. My own thoughts are a little different. The AOL mail system is notoriously complex and integrated. Many of the folks who built it have been laid off or otherwise moved on to other companies. I know there are still smart, competent people riding herd on the AOL mail servers, but I expect they don’t have the resources to do the ongoing maintenance and the fire fighting and all the other tasks that a mailserver handling billions of emails needs.
What this means is that the AOL mail system has been suffering from bit rot for at least 2 years. It is to the original designers’ credit that it’s taken this long before there were major problems like we’ve seen over the last week.

Read More

AOL: Still broken

I’m still hearing reports that AOL is still having problems accepting mail. I’ve also heard they’re still working on it. There is no information on when a fix may be finished.

Read More

Debating Appending

There was a session at the recent Email Insiders Summit that discussed appending. I wasn’t there, but I’ve been hearing about the session, including one description that involved the term ‘fist fight.’
I have found a couple articles about the session.
E-Append Comes Under Fire
Email Insider Summit Email Append Panel — The Day’s Hottest Debate
I encourage folks to read both articles and watch the video posted by Return Path. I agree with different points by folks on both sides of the debate. Appending can be a useful acquisition strategy for some companies. But we can’t pretend there’s any permission involved in common appending strategies.
Ignoring the lack of permission, I believe that the companies saying it is a successful strategy share some common factors.

Read More

AOL delivery problems

There have been ongoing reports this week from ESPs and ISPs that AOL is having problems accepting email. People are reporting difficulties connecting to AOL MTAs and random dropping of connections. Other people are reporting random rejection messages that make no sense. A number of folks are seeing rejections claiming that the reason is a new IP when that IP has successfully sent mail in the recent past.
AOL seems to be working on things, and some people are seeing improvements. If you’re seeing AOL problems recently, it’s not you. It’s them.
EDIT: AOL has asked senders to please reduce mail volume while they are resolving issues.

Read More

Five-Ten blacklist retired

The Five-Ten website has a notice that they have retired the blacklist. Five-Ten wasn’t the greatest list for blocking mail; they aggressively listed senders and there were a number of false positives against a standard mail stream. But it was useful as a touchpoint. If I had a client that wasn’t listed on Five-Ten, that told me something about their normal practices.

Read More

Everybody wins!

There was a recent question on a mailing list during a discussion of spam and delivery problems. A number of folks who work in delivery were discussing how a bad address got on a list. Someone who works on the spam blocking end of things asked why do you care how a bad address got onto a mailing list?
For recipients, they usually don’t care. They just want the unsolicited mail to stop. It’s a position I have no problem with; I want the unsolicited mail to stop, too. But understanding why a particular sender is sending mail to addresses that never asked for it can be an important step in making it stop. Not by the receivers and the spam filters, they’ll just block the bad sender and move on. Or if they’re an ISP or ESP they’ll just throw the sender off for AUP violations and let the sender be somebody else’s problem.
In the broader context, though, this only changes the source of the spam. It doesn’t help the victim; the bad sender can always find another host and they will continue to mail people who never asked for that mail. And, in fairness to these senders, often they are mailing lists of mixed sources. Some of the addresses didn’t opt-in, and don’t want the mail, but a lot of addresses on their list did opt-in and do want their mail. Fixing their problem means they can mail people who want their mail. The sender is happy, the recipients are happy and the receivers are happy; everybody wins!
Everybody winning is something I can get fully behind.

Read More

Hunting the Human Representative

Yesterday’s post was inspired by a number of questions I’ve fielded recently from people in the email industry. Some were clients, some were colleagues on mailing lists, but in most cases they’d found a delivery issue that they couldn’t solve and were looking for the elusive Human Representative of an ISP.
There was a time when having a contact inside an ISP was almost required to have good delivery. ISPs didn’t have very transparent systems and SMTP rejection messages weren’t very helpful to a sender. Only a very few ISPs even had postmaster pages, and the information there wasn’t always helpful.
More recently that’s changed. It’s no longer required to have a good relationship at the ISPs to get inbox delivery. I can point to a number of reasons this is the case.
ISPs have figured out that providing postmaster pages and more information in rejection messages lowers the cost of dealing with senders. As the economy has struggled ISPs have had to cut back on staff, much like every other business out there. Supporting senders turned into a money and personnel sink that they just couldn’t afford any longer.
Another big issue is the improvement in filters and processing power. Filters that relied on IP addresses and IP reputation did so for mostly technical reasons. IP addresses are the one thing that spammers couldn’t forge (mostly) and checking them could be done quickly so as not to bottleneck mail delivery. But modern fast processors allow more complex information analysis in short periods of time. Not only does this mean more granular filters, but filters can also be more dynamic. Filters block mail, but also self-resolve in some set period of time. People don’t need to babysit the filters because if sender behaviour improves, then the filters automatically notice and fall off.
Then we have authentication and the protocols now being layered on top of that. This is a technology that is benefiting everyone, but has been strongly influenced by the ISPs and employees of the ISPs. This permits ISPs to filter on more than just IP reputation, but to include specific domain reputations as well.
Another factor in the removal of the human is that there are a lot of dishonest people out there. Some of those dishonest people send mail. Some of them even found contacts inside the ISPs. Yes, there are some bad people who lied and cheated their way into filtering exceptions. These people were bad enough and caused enough problems for the ISPs and the ISP employees who were lied to that systems started to have fewer and fewer places a human could override the automatic decisions.
All of this contributes to the fact that the Human Representative is becoming a more and more elusive target. In a way that’s good, though; it levels the playing field and doesn’t give con artists and scammers better access to the inbox than honest people. It means that smaller senders have a chance to get mail to the inbox, and it means that fewer people have to make judgement calls about the filters and what mail is worthy or not. All mail is subject to the same conditions.
The Human Representative is endangered. And I think this is a good thing for email.

Read More

OOPS!

Y’know those days when it seems everything goes wrong? And you just can’t get it right? A couple companies who send commercial mail have had a day like that.
Yesterday I got an email at 6am from a vendor telling me there was a new, important update to download and install. I put it off because it’s software I don’t use very often and I’m waiting until we have a better idea of our hardware situation before loading too much stuff on my backup laptop. Three hours later, I got another email from the vendor telling me that the link in the email was wrong and here was the right link and they’re sorry for the bad email initially.
Fair enough, stuff breaks and process falls apart and sometimes there are customer-facing screw-ups. But this vendor wasn’t done! This morning I got a third email telling me that, uh, the previous emails were only intended to go out to their Windows-using customers, and that they didn’t currently have a Mac version of the software ready. And, well, they’ll email me as soon as they get the Mac version finished.
I made a comment about bad day for mailers and Steve pointed out that he’d gotten 3 different notifications from a shipping company and then a final fourth email that said the company was testing things and they’re sorry for sending multiple test messages out to their whole list this morning.
It’s not even Friday the 13th or anything.

Read More

Inbox rates and conversion rates

Jeanne Jennings published an interesting bit of research on open rates and inbox rates at ClickZ recently. Essentially she looked at two different industry studies and compared their results.
The first study was the Return Path Global Delivery Survey and the second was the Epsilon North American Trend Results. What Jeanne found is that while Return Path shows a decrease in inbox placement, Epsilon is seeing an increase in average open rate.

There are any number of reasons this could be happening, including simply different ways the numbers are calculated. I am not sure it’s just a numbers issue, though. Many of Epsilon’s clients are very big companies with a very experienced marketing team. The Return Path data is across their whole user base, which is a much broader range of marketers at different levels of sophistication.
I expect that the Epsilon data is a subset of the Return Path data, and a subset at the high end at that. It does hint, though, that when the inbox is less cluttered, recipients are more likely to open the commercial mail that does get in there.

Read More

Ask Ben Lerer anything

Ben Lerer, the co-founder of Thrillist, will be doing an “Ask Me Anything” on Reddit on Tuesday at 10 am.
What is an Ask Me Anything? It’s a freewheeling discussion where someone agrees to answer any questions from anyone who posts on Reddit.
Who is Ben Lerer? Ben is the co-founder of Thrillist, a quite successful email business. I worked with Thrillist early on in their business. Their blend of quirky editorials and irreverence drives a very engaged recipient base and great email delivery. Join them tomorrow on Reddit to ask him anything.
Update: Here’s Ben’s AMA.

Read More

More than just getting past the filters

I’ve been feeling a little philosophical lately. My thoughts are meandering a lot around the whys and the deeper issues surrounding stuff, including email. It means I’m a bit more distracted and less focused than usual. And more prone to pose questions than usual. This was part of the introspection that led me to write the motivating people post last week. I’m trying to figure out how to motivate volunteers in two different realms. And there’s always the question of how do I present a solution to clients in a way that motivates them to take my advice. Sure, I get paid either way, but I really like it when clients take my advice and see success.
There are other places this mental meandering is taking me.
I’m currently working on a project for a client. This particular client is struggling to get mail delivered to a very mobile business audience. In the target field, people change jobs regularly and email addresses can change multiple times a year. One of the things I’m working on for them is how to get email to the right people, that is the people who opted in, when their addresses change so frequently.
This is delivery consulting, but this project really brings home how much more there is to delivery than avoiding filters. Filters are the least of this client’s problem. The real problem is the mobility of their audience. As I was thinking about how to address this issue of mobility, I realized that my job as a delivery expert has gone well beyond telling people how to get their mail past filters.
My job is much more about helping people succeed at what it is that they’re trying to do with email. How can email work for you and for your target audience?
Looking at the broader picture means I’m less likely to focus on the minutiae of “spam words” and subject lines and best time of day to send. Sure, there are always tweaks to make in an email. There are always things to test. There are always changes to try. But the effect of those changes is not nearly as great as actually sending mail that meets the needs of the audience.
Often clients come to me so overwhelmed in the details they forget the bigger picture. I help them find that picture again. My job is much more than getting through the filters, it’s about finding success for clients.

Read More

One Click, Two Click, Red Click, Blue Click

I’ve seen a lot of discussion and arguments over the CAN SPAM rule about whether or not an unsubscribe needs to be a One-Click unsubscribe. It’s gotten so common, I have a stock email I use as a template when wading into such discussions. It’s probably useful for a lot of other people, too, so I thought I’d share.
The regs say:

Read More

Filters and windmills

A colleague of mine was dealing with a client who is experiencing some difficulty delivering to the bulk folder. Said client spent much of a one hour phone call repeating “This is not how a free society works!!”
After the call my colleague commented, “I refuse to get ranty about filter systems.”
I know that filters, and the people who write and maintain them, are a frequent scapegoat for senders. The filters are always the problem, not anything the senders do.
Now, I’ll be the last person who will claim spam filters are perfect, they’re not. Filters sometimes do unexpected things, sometimes they do boneheaded things, sometimes they are broken.
We can’t forget, though, that filters perform a vital role in protecting users from malicious emails. Phishing emails, scams, fake products, viruses are a constant threat. Many end users don’t need to worry about this because filters are so good. But an unfiltered account can get thousands of scams and spams a day (ask me how I know).
Most of us in the delivery space can tell when a filter is working as intended and when there’s an underlying problem. And when the filter is working as intended there’s not a lot of use complaining about them. Ranting about filtering systems often delays a resolution. Senders that focus on what they can control tend to have more success reaching the inbox than those senders that focus on ranting about filtering systems.
Tilting at windmills doesn’t get the mail through.

Read More

Motivating people

I’ve been thinking a lot about motivating people recently. What really motivates people to do things? Why do we make the choices we make? How do you convince people to do things when they’re unsure they want to do those things?
Let me give you an example. Friends of mine are fostering dogs for local rescues. A neighbor of theirs is trying to start a rescue herself. The neighbor is trying to motivate people by posting pictures of dead dogs in garbage bags. On one level, I get the neighbor’s point: that image is what motivates her to take action. But all that’s doing for other people, my friends included, is driving them away from working with her.
What she needs is a better grasp of how to motivate people. She needs to learn how to speak to people in a way that will motivate them to help her. Unfortunately, she thinks that what motivates her will motivate everyone, except it doesn’t. In fact, it’s doing the exact opposite for some people who are actually sympathetic to her cause.
What does this have to do with email?
I’m often surprised at how many marketing professionals can’t or won’t tailor their argument to their audience. Look at filters, many marketers have told me over the years about how mean ISPs are to them, how the ISPs make poor filtering decisions and how what should really happen is marketers should tell the ISPs to fix their filters.
In very few cases, though, have I seen a marketer actually try and talk to an ISP rep on their terms. It seems so simple to me: marketers are people who motivate people for a living so they should be able to market their own wants to ISPs. They just need to find the right message, but they don’t seem to be able to think about things from the ISP perspective.
I’m not sure I actually have an answer. But how do we motivate people to do things has been a major topic in my head recently. I think the best motivation is often to convince the other party that a given course is in their best interest. The tricky bit is selling that message.
How have you sold a message the other party didn’t want to hear?

Read More

Anti-Botnet Code of Conduct Published

The Communications Security, Reliability and Interoperability Council (CSRIC) published an Anti-botnet code of conduct for ISPs. This is a purely voluntary code for U.S. ISPs that want to mitigate the botnet threat to follow. You can download a full copy of the final report from the MAAWG website. The FCC has published a fact sheet about the report on their own website.

Read More

Delivery challenges increasing

Return Path published their most recent Global Deliverability report this morning. (Get the Report) This shows that inbox placement of mail has decreased 6% in the second half of 2011. This decrease is the largest decrease Return Path has seen in their years of doing this report.
To be honest, I’m not surprised at the decrease. Filters are getting more sophisticated. This means they’re not relying on simply IP reputation for inbox delivery any longer. IP reputation gets mail through the SMTP transaction, but after that mail is subject to content filters. Those content filters are getting a lot better at sorting out “wanted” from “unwanted” mail.
I’m also hearing a lot of anecdotal reports that bulk folder placements at a couple large ISPs increased in the first quarter of 2012. This is after the RP study was finished, and tells me increased bulk folder placement is more likely to be a trend and not a blip.
One of the other interesting things from the RP study is that the differences are not across all mail streams, but are concentrated in certain streams and they vary across different regions.

Read More

Why complain now?

There’s a concert promoter in London that’s been spamming me for years and years. Most of the time my spam filters take care of it and I never see their mail. Every once in a while, though, one of their emails gets through and ends up in my inbox. Usually I move it to junk, curse at my filters for not getting it right and just go on with whatever I’m doing.
I suspect this is more common than not with most people. Those lucky enough to have a “this is spam” button can make the mail stop by clicking it. Others, like me, just have to delete it and move on.
Sometimes, though, I get to the point where I’ve had enough. I’ll send in a complaint to the sender or their provider.
I have to wonder, though, how many people react to email negatively and hit “this is spam” when they’ve been ignoring mail for a while. This can complicate the lives of senders (what doesn’t?) because the “this is spam” isn’t in reaction to a specific email, but happens due to circumstances outside of the sender’s control.
Delivery is an ever changing field, and it’s just getting more complex and harder as receiver tools get more sophisticated.

Read More

Comcast changes

I updated the Wiki a few weeks ago when I heard, but don’t think I posted anything here. Comcast has changed their delisting form page to http://postmaster.comcast.net/block-removal-request.html. The old form is currently non-functional. You can fill it in, but it’s unconnected to anything on the back end and it won’t result in an IP being delisted from the various Comcast blocklists.
My understanding is that the old form may come back to life at some point, but it’s much safer to use the new form and the new Comcast Postmaster Site.

Read More

Less can be more and more can be more

The Wall Street Journal reports that some large retailers are scaling back their email marketing. Benefits of sending less mail include higher open rates, lower unsubscribe rates and an increase in sales.

Read More

Targeted?


I think Newegg missed a critical bit of information when trying to entice a new purchase.

Read More

Data hygiene and bouncing zombies

There are a number of folks who tell me there can be no zombie addresses on their lists, they aggressively remove any address that bounces. The problem is that zombie addresses don’t bounce, at least not always. And even when ISPs say they have a policy to bounce email after a certain period of time with no access, that’s not always put into practice.
How do I know that ISPs don’t always deactivate addresses on the schedules they publish? Because I have seen addresses not be deactivated.
I have addresses in a lot of places that I go for long periods of time not checking. It’s rare that they’re taken from me or reject mail – most of the time they’re special test addresses I use when diagnosing issues. This post is based on my experiences with those addresses and how abandoned addresses are treated at some ISPs.
For Gmail I have two examples of addresses not being deactivated.
In July 2011, we set up a test address to look at how Gmail was handling authentication. We sent a matrix of different test emails to it, with valid and invalid SPF and DKIM signatures. We pulled the data from the account. I don’t know for certain when the last time I logged in was, but it was August or September of last year. So we have an address that has been dormant since September 2011.
I just sent mail to the account and Google happily accepted it.
Mar  2 07:03:22 misc postfix/smtp[11770]: 11CA12DED3: to=<wttwtestacct@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.27]:25, delay=1.8, delays=0.25/0.02/0.56/0.93, dsn=2.0.0, status=sent (250 2.0.0 OK 1330700602 x8si8608852pbi.66)
I have another Google account (apparently) that my records show I set up sometime in 2010. The login info was saved October 2010. I don’t know when the last time I logged in was, but given I’d forgotten the existence of the account it’s a good bet that it has been more than a year. That account is also accepting mail as of today.
Mar  2 07:06:25 misc postfix/smtp[11836]: 8D90C2DED3: to=<phphendrie@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.27]:25, delay=1.6, delays=0.26/0.02/0.68/0.66, dsn=2.0.0, status=sent (250 2.0.0 OK 1330700785 a8si4075740icw.96)
For Hotmail I also have quite a bit of history and information. I signed up for my first Hotmail account in 1997. That was an account whose address I used to post to Usenet, but I didn’t actually use it for mail. I’d check it occasionally (usually when someone said in the newsgroup that they were going to email me) but it wasn’t an address I used regularly. As I moved from posting regularly in Usenet, I started checking that account even less.
For a while, if I went more than 6 months without checking my Hotmail account they would make me “re-claim” it. What would happen when I’d log in is I’d get a message along the lines of “well, we disabled this account due to inactivity, do you want it back?” I’d say yes, have to go through the setup process again and it would be my account. Mail was deleted during the disabling, and I am guessing they rejected anything new going to that account. I went through this dance for 4 or 5 years. I even had my calendar set to remind me to log in every 6 months or so. There was some sentimental value to the address that kept me logging in. I have that same username at every major free ISP: Gmail, Hotmail, Yahoo and AOL, so it’s “my” address.
About 6 or 7 years ago, that behavior changed. I stopped getting the request to reclaim my account. Instead I could just log in. I’d still have mail (mostly spam as the address is on *lots* of lists and millions CDs). I still check it irregularly. I don’t have any idea when the last time I checked it was, but I think it’s been since at least November and probably longer back than that. Hotmail is still accepting mail for that address as well.
It’s anecdotal evidence, at best, but it’s the type of evidence that is acceptable even when it’s anecdotal. There are some addresses that are abandoned for long periods of time at the free mailbox providers and they are not all automatically pulled from the ranks of active addresses.
What does this mean for senders? It means that data hygiene has to go beyond just removing addresses that bounce. ISPs are not disabling addresses consistently enough for marketers to be able to trust that all addresses on their list are active just because they are accepting email.
This is the root of the recommendation to put in a hygiene program; this is why senders need to look at who is actually engaged with their brand and make some hard decisions about shooting zombies in the head.

Read More

Data hygiene

I talk about data hygiene with clients a lot. In my experience, poor data hygiene is the number one reason that legitimate, permission based marketing ends up in the junk folder. Too many marketers don’t remove abandoned addresses from their mailing lists. As the abandoned addresses build up, eventually the list accumulates enough zombie addresses that it looks similar to a spammer’s list.
I’ve talked in depth about zombie accounts previously (part 1, part 2, part 3, apocalypse) and they talk a lot more about why we have zombie accounts and why they’re just starting to be a bigger issue for marketers. Not only are we just starting to hit critical mass with zombie accounts, but ISPs are really starting to weigh engagement in their delivery decisions. Zombie accounts are not engaged with mail. Heck, they’re not even engaged with their own email addresses.
Many marketers, though, hate the idea of data hygiene. They hate thinking about losing a potential customer. They can show me numbers that say someone didn’t open an email for 18 months and then spent hundreds of dollars on a purchase. Or they can tell me that 10% of their revenue came from people who hadn’t opened an email in more than 12 months.
I don’t want to take those subscribers away from you, the ones who are engaged with your brand or your mail in some un-trackable way. But I do want to stop the zombies from eating your delivery.

Read More

Leap day email promotions

I’ve been seeing a number of companies send out email marketing special offers for Leap day. My favorite so far:
Celebrating Leap Day with Free Standard Ground Shipping on your $29 purchase

Read More

Back, still catching up

We’re back from MAAWG, but somehow I’ve not managed to catch up with everything from last week enough to have time to get back into the swing of blogging. I do have lots and lots of things to say, just not quite enough hours in the day to get them down on paper.
It was great to meet so many blog readers. I really appreciate each and every one of you that introduced yourselves and told me you read the blog. Not many people comment, so I don’t have a good feel for the number of readers. Hearing from readers was great!
MAAWG itself seemed lower key than it has been in the past, but I really think the organization is getting good work done. I strongly recommend that people who haven’t been before attend. There’s lots of great information about messaging, filtering and abuse prevention. They even have a new name! M3AAWG. (Messaging, Malware and Mobile are the 3 Ms)
 
 
 

Read More

Only Influencers blog talk radio

I had the privilege to talk with a bunch of experts on the Only Influencers Blog Talk Radio show this morning. The discussion centered around the perceived conflict between Marketing and Delivery.
The conversation was a good one, with a lot of different perspectives aired. I strongly recommend people who are interested in hearing multiple industry experts talking about email marketing and delivery listen to the podcast.
Once I get back from MAAWG I plan to talk a little more about delivery managers as fire fighters and why that is such a good metaphor for delivery.

Read More

Delivery events next week

Next week is MAAWG and I’ll be there talking about delivery, blocking and all sorts of things. If you’re going, be sure to stop by the Choose Your Own Delivery Adventure. It should be lots of fun!
Also next week on Monday I’ll be a guest on the Only Influencers blog talk radio show discussing Delivery versus Marketing.
 

Read More

Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches. To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

Read More

Browsers, security and paranoia

MAAWG is coming up and lots of us are working on documents, and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a Windows machine to browse the web was over the top and paranoid. It may be, but drive-by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.

Read More

Spamhaus rising?

Ken has a good article talking about how many ESPs have tightened their standards recently and are really hounding their customers to stop sending mail recipients don’t want and don’t like. Ken credits much of this change to Spamhaus and their new tools.

Read More

What blogs are you reading besides mine?

It’s been a week. A very, very long week. Which means that at 4 on a Friday I’m grasping at straws for something interesting to write about. So I do what I do when I’m out of ideas, I look through the email related blogs I’m subscribed to.
A bunch of them are still active, but there’s a good dozen or so that haven’t been updated in months. I realize I’m getting most of my current news from Twitter (or, Facebook) not from my actual RSS feeds.
So what email / marketing / delivery / internet security related blogs are people reading these days? What should I add to my list to keep up to date on the pulse of the email industry?
EDIT: apparently the Akismet filter I use went berserk with the multiple links in comments. I think I’ve pulled everything they caught incorrectly. If you tried to post and it’s not showing, drop me an email at the obvious place.

Read More

Dear Email Address Occupant

There’s a great post over on CircleID from John Levine and his experience with a marketer sending mail to a spam trap.
Apparently, some time back in 2002 someone opted in an address that didn’t belong to them to a marketing database. It may have been a hard to read scribble that was misread when the data was scanned (or typed) into the database. It could be that the person didn’t actually know their email address. There are a lot of ways spamtraps can end up on lists that don’t involve malice on the part of the sender.
But I can’t help thinking that mailing an address for 10 years, where the person has never ever responded, might be a sign that the address isn’t valid. Or that the recipient might not want what you’re selling, or is not actually a potential customer.
I wrote a few weeks back about the difference between delivery and marketing. That has sparked conversations, including one where I discovered there are a lot of marketers out there that loathe and despise delivery people. But it’s delivery people who understand that not every email address is a potential purchaser. Our job is to make sure that mail to non-existent “customers” doesn’t stop mail from actually getting to actual potential customers.
Email doesn’t have an equivalent of “occupant” or “resident.” Email marketers need to pay attention to their data quality and hygiene. In the snail mail world, that isn’t true. My parents still get marketing mail addressed to me, and I’ve not lived in that house for 20+ years. Sure, it’s possible an 18 year old interested in Virginia Slims might move into that house at some point, and maybe that 20 years of marketing will pay off. It only costs a few cents to keep that address on their list and the potential return is there.
In email, though, sending mail to addresses that don’t have a real recipient there has the potential to hurt delivery to all other recipients on your list. Are one or two bad addresses going to be the difference between blocked and inbox? No, but the more abandoned addresses and non-existent recipients there are on a list, the more likely filters will decide the mail isn’t really important or wanted.
The cost of keeping that address, one that will never, ever convert, on a list may mean losing access to the inbox of actual, real, converting customers.

Read More

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.

Read More

Can you verify email addresses in real time?

In a recent discussion about spamtraps and address lists and data collection a participant commented, “[E]very site should be utilizing a real-time email address hygiene and correction service on the front end.” He went on to explain that real time hygiene prevents undeliverable addresses and spamtraps and all sorts of list problems. I was skeptical to say the least.
Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.
I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.

Read More

Information sharing and the Internet

Many years ago I was working at the UW-Madison. Madison is a great town, I loved it a lot. One of the good bits was this local satire paper called The Onion. This paper would show up around campus on Wednesdays. Our lab, like many university employees and students, looked forward to Wednesday and the new humor The Onion would bring to us.
At the same time, I was internet friends with an employee of JPL. I’d met him, like I met many of my online acquaintances, through a pet related mailing list.
One Wednesday, The Onion published an article Mir Scientists Study Effects of Weightlessness on Mortal Terror. As this was the time when the Internet consisted of people banging rocks together, there was not an online link to Onion articles. But I was sure my friend at JPL, and all his friends, would appreciate the joke. That night I stayed late at the lab and typed the article into an email (with full credit to the Onion) and mailed it off to him.
As expected, the article garnered quite a few chuckles and was passed around to various folks inside JPL. What wasn’t expected was another friend, from totally different circles, sending me a copy of that same article 3 days later. Yes, in 1997 it took three days for information to be shared full circle on the Internet.
Information sharing is a whole lot quicker now, with things coming full circle in mere seconds. But that doesn’t make the information any more reliable and true. Take a recent article in ZDNet Research: Spammers actively harvesting emails from Twitter in real-time.
ZDNet links to a study published by Websense, claiming that email addresses on Twitter were available for harvesting.
That’s all well and good, but all ZDNet and Websense are saying is that email addresses are available for harvesting. I’ve not seen any evidence, yet, that spammers are harvesting and sending to them. This doesn’t, of course, mean they’re not, but it would be nice to see the spam email received at an address only shared on Twitter.
Well, I have unique addresses and an un-spamfiltered domain. I went ahead and seeded a tagged address onto Twitter. We’ll see if it gets harvested and spammers start sending to it. I’ll be sure to keep you updated.

Read More

Delivery and marketing, another view

In addition to posting some of my thoughts about how delivery and marketing have different and possibly contradictory constraints, I asked folks on the Only Influencers list what they thought. They had some different perspectives, primarily being marketers. One person even welcomed me to the dark side.
The general response from the marketing side of things appeared to be that ISPs need to stop actually filtering marketing email. That would resolve the problems from the marketers’ perspective. I don’t necessarily think that will help. I believe if marketers had unfettered access to the inbox, most inboxes would be totally unusable.
My thinking triggered other folks to consider delivery and marketing and what drives both. George Bilbrey, from Return Path, posted an article in Mediapost looking at why good delivery is an important part of a good marketing strategy.
George points out many marketers really do act as if delivery is separate and detrimental to good marketing.

Read More

The internet protests SOPA / PIPA

For those who don’t know, a number of major websites will be going offline tomorrow to protest SOPA and PIPA, including WordPress, Reddit, Wikipedia and the Cheezburger sites. Tomorrow may be the most productive day ever on the modern internet. Google will also be linking to information about SOPA tomorrow.
I had some people ask me about the bills today and have been looking for explanations of the issues and why these laws are so problematic.

Read More

Is any data safe?

Today another major retailer announced their customer files were compromised. This company had clearly implemented some security that kept hackers from getting too much information. Passwords were hashed and credit card numbers were kept on a separate server, which does signal that the company designed with security in mind. Nevertheless, personal information was compromised.
Is there any way to keep information safe if it’s accessible from the internet? Some of my uber-security conscious friends would say no. I am beginning to believe them.

Read More

Delivery versus marketing

I’ve been thinking lately that sometimes what works for marketing doesn’t always work for delivery.
For instance in many areas of marketing repetition is key. Repeat a slogan and forge an association between the slogan and the product in the mind of the consumer. More repetition is better. Marketers can even go so far as using the same ad to drive consumer action. Television advertising is a prime example of this. Companies don’t create new content for every advertising slot, they create one or a few ads and then replay them over and over. The advertiser doesn’t even really care if the consumer consciously ignores the ads. The unconscious connection is still being made.
In the world of email delivery, though, having many or most recipients ignore advertising is the kiss of death. Too many unengaged users and filters decide that mail shouldn’t go into the inbox. These don’t even have to be ISP level filters, but Bayesian filters built into desktop mail clients.
Sending repetitive ads over email may be an effective marketing strategy, but may not be an effective delivery strategy.
Am I off base here and missing something? Tell me I’m wrong in the comments.

Read More

Content, trigger words and subject lines

There’s been quite a bit of traffic on Twitter this afternoon about a recent blog post by Hubspot identifying trigger words senders should avoid in an email subject line. A number of email experts are assuring the world that content doesn’t matter and are arguing on Twitter and in the post comments that no one will block an email because those words are in the subject line.
As usual, I think everyone else is a little bit right and a little bit wrong.
The words and phrases posted by Hubspot are pulled out of the SpamAssassin rule set. Using those words or exact phrases will cause a spam score to go up, sometimes by a little (0.5 points) and sometimes by a lot (3+ points). Most SpamAssassin installations consider anything with more than 5 points to be spam so a 3 point score for a subject line may cause mail to be filtered.
The folks who are outraged at the blog post, though, don’t seem to have read the article very closely. Hubspot doesn’t actually say that using trigger words will get mail blocked. What they say is a lot more reasonable than that.

Read More

Return Path acquires OtherInbox

This morning Return Path announced they have acquired OtherInbox.
OtherInbox is a service that allows subscribers to create tagged email addresses and organize incoming mail. Acquiring OIB gives Return Path access to recipient behaviour that only the ISPs had previously.
According to the press release, Return Path will be using engagement data from OIB as another factor for Return Path Certification. I think this can only improve the scoring and reflect a more modern measure of wanted mail.
Congratulations to Return Path and OtherInbox.

Read More

Back in the USA

We’re back from our overseas adventures. I’m still wrapping my head around getting back to work. We had a great trip and did tons of fun stuff, including carrying torches through the streets of Edinburgh. I took almost 1000 photos which I’m slowly going through and posting on flickr.
I’ll get back to posting about email, but thought I’d share a couple of photos from Edinburgh behind the cut.

Read More

On Hiatus

I have my final call of 2011 in 6 minutes, so I decided to take a break from packing and wish everyone a joyous and festive holiday, whatever you celebrate. We’re on hiatus through Jan 8th, but will return full of energy, single malt and ideas.
We didn’t get a tree up this year, so I have no photos of our cats playing tree ornament. So I share with you my friend Joanna’s cat, in his Christmas tree.

Read More

Spamming ESPs: the followup

Campaign Monitor contacted me about yesterday’s post. The phrasing I picked out of the spammer’s AUP matched their AUP quite closely. In fact, if you plug the AUP into Google, Campaign Monitor comes up as one of the first hits.
It was not Campaign Monitor I was talking about. In fact, the ESP I received the mail from is not on the first 8 pages of Google hits for the phrases I posted.
A similar thing happened when I posted about Dell spamming me. Dell has multiple ESPs, and one of their ESPs contacted me directly in case they were the ones Dell was spamming through. It was no surprise to me that they weren’t the ESP involved.
This is what good ESPs do. Good ESPs monitor their reputation and monitor what people are saying about them. Good ESPs notice when people claim they’re being spammed and effectively reach out to the complainers so they can investigate the claim.
Good ESPs don’t just rely on the complaint numbers to take action. They keep an eye out on social networks to see who might be receiving mail they never asked for.

Read More

Spamming ESPs

In my mailbox there is a definite uptick in spam from ESPs advertising their services.
Today’s email was from a company that has the following in their anti-spam policy:

Read More

Put a fork in it

When FB messaging was announced email marketers had a total conniption. There were blog posts written about how FB Messaging was going to kill email as we know it.
Now, slightly more than a year later marketers have declared FB Messaging dead.
Sometimes I think people spend way too much time believing their own press. FB messaging was never designed as a marketing platform. I said as much back in November 2010 when it was announced.

Read More

Political insanity with email

In one of the more boneheaded email related moves I’ve seen from a political group ever, the Obama / Biden campaign has announced that people can go to their website, enter in the email address of a Republican friend, pay some money, and the campaign will send an email to your (soon to be ex-) friend on your behalf.

Read More

Email marketing OF THE FUTURE!

ISPs are continually developing tools for their users. Some of the newer tools are automatic filters that help users organize the volumes of mail they’re getting. Gmail released Priority Inbox over a year ago. Hotmail announced new filters as part of Wave 5 back in October.
All of these announcements cause much consternation in the email marketing industry. Just today there was a long discussion on the Only Influencers list about the new Hotmail filtering. There was even some discussion about why the ISPs were doing this.
I think it’s pretty simple why they’re creating new tools: users are asking for them. The core of these new filters is ISPs reacting to consumer demand. They wouldn’t put the energy into development if their users didn’t want it. And many users do and will use priority inbox or the new Hotmail filtering.
Some people are concerned that marketing email will be less effective if mail is not in the inbox.

Read More

Cyber Monday

There seemed to be a surge of email marketing trumpeting Cyber Monday Sales in big, glossy lettering in the week before Cyber Monday – so much so that I was bored of the whole thing long before the sales actually started. I wondered whether there actually was a big increase in volume of mail, or whether it was just louder, pushier and more noticeable.
So I went through my inbox and categorized the legitimate email I received, pulling out the consumer adverts from the personal mail, work-related commercial mail and so on, and charted it for the past couple of months, broken down into adverts for books, software, “tech” – consumer electronics / computer equipment / software etc., and everything else.
The vertical grid marks each Monday, including the obvious spike on Cyber Monday, November 28th. The regular cycle of junk mail early in the work week, followed by quiet over the weekend is pretty clear. And sure enough, there’s a significant increase on Cyber Monday and the few days beforehand, dominated by consumer goods, tech and otherwise.
Excluding high traffic discussion lists, the mail I was sent over the period of this chart was:

Read More

SOPA / PIPA

I’ve not mentioned anything about the Stop Online Piracy Act (SOPA) and its companion bill the Protect Intellectual Property Act (PIPA) that are currently making their ways through Congress. Both bills put a lot of obligation on the ISPs to stop bad traffic on the Internet. Unfortunately, it seems no one writing the bill asked anyone with technical or operational experience for input. Many of the obligations are going to significantly impact ISP functioning and will probably degrade service for users.
The Messaging Anti-Abuse Working Group sent a letter to Congress yesterday (PDF link), outlining the issues with SOPA and PIPA. I found it explained the bills and the flaws much better than many other summaries.

Read More

Email fingerprinting

I’ve had a lot of people ask me about what I mean by email fingerprinting. It means that I’m able to tell these 4 emails were all sent by the same entity. The domains are (mostly) different, the To: addresses are different, but I get hundreds of these emails a day.

Read More

Looking towards the future

I had the opportunity to go to a seminar and networking event hosted by Return Path yesterday evening. The topic was “Email trends in 2012” and it was presented by Tom Sather.
If any of you get the opportunity to go to a talk presented by any of the Return Path folks I encourage you to do so. They know their stuff and their presentations are full of good information.
One of the trends mentioned is the increase in reliance on domain reputation. It’s something I’ve been thinking about more and more recently. I wrote a little bit about it recently, but have focused more on the whole realm of content filtering rather than just domain reputation.
Domain reputation is where delivery is going. And I think a lot of senders are going to struggle with delivery as they find that IP reputation is not enough to get into the inbox.

Read More

Listen to me talk about filtering, blocklists and delivery

I did an interview with Practical eCommerce a few weeks ago. The podcast and transcript are now available.
I want to thank Kerry and the rest of the staff there for the opportunity to talk email and filtering with their readers.
Happy Thanksgiving everyone in the US.

Read More

Having the same conversation

This morning I was reading a blog post about the failure of the congressional super committee. The author commented

Read More

More legal problems for Boris

Boris Mizhen is once again on the wrong side of legal action. This time it’s not as simple as Microsoft suing him for creating hundreds of thousands of accounts to try and game the spam scoring system. Instead, he seems to have run afoul of the FTC.
This case isn’t obviously about email, but the FTC alleges that companies under the “control or influence” of Boris set up a network of fake news sites to deceive consumers into a free trial for diet supplements. The free trial involved enrollment in a monthly renewal program which cost consumers up to $158.00 a month.
The websites did not make the enrollment process clear and the companies made it extremely difficult to stop the renewal.

Read More

Email lost a mighty advocate

Last night J.D. Falk passed away from stomach cancer. For those of us who were privileged to know him, it was not unexpected but it is still a sad day.
CircleID has a memorial post up.
I’ve known of JD since I started in email in the late ’90s. I had the privilege of meeting him when we moved out to the bay area and he invited Steve and me to the “sushi cabal” – a biweekly get together. We then worked together at MAPS for a short time.
JD will be missed.
ETA: I’ll be adding links as I find them.
JD’s official memorial page: http://jdfalkmemorial.org/
Neil’s tribute: http://www.welikeballs.com/2011/11/jd-falk-bad-pictures-of-good-food.html
MAAWG memorial page: http://www.maawg.org/page/memorial-jd-falk
CAUCE memorial page: http://www.cauce.org/2011/11/jdfalk.html
The IETF expedites publishing of the RFC JD authored: http://www.virusbtn.com/news/2011/11_17.xml. Many thanks to the staff that made this happen. I am assured that JD was told of the publishing before he passed.
Return Path’s memorial. http://www.returnpath.net/blog/received/2011/11/remembering-j-d/
Tami Forman’s post. http://tamimforman.wordpress.com/2011/11/17/j-d-falk/

Read More

Silly Saturday Spam

I couldn’t resist posting the newest Nigerian 419 showing up in my mailbox.

Read More

Eleven – Eleven – Eleven

I’ve been hearing a lot of people wondering how many marketers were taking advantage of the “special” date today. I got two, and both managed to work in the number 11 into the offer. One offered 11 of their top selling products for $11 each. The other offered a fixed amount off a purchase, if you used the code “eleven” at checkout. And that particular offer expires at 11:11.
What other offers did people get?

Read More

Biggest botnet takedown to date

Yesterday law enforcement officials arrested 6 people and charged them with running a massive internet fraud ring. Over 4 million PCs were part of the botnet.
According to the FBI

Read More

Audit trails are important.

One of the comments on my Spamtraps post claims that audit trails should be maintained by recipients, not senders.

Read More

The Social Side of Advertising

Most of the time when you’re sending bulk email you’re sending to a fairly anonymous list of email addresses. If you’re a good email marketer you’ve got a fairly good idea of their demographics, where the email addresses came from and maybe that they’ve purchased things from you in the past. But they’re still strangers – a “pre-existing business relationship” is not a relationship.
What would you do differently if all those recipients were people you knew? Friends, colleagues, family – people with faces and names and stories and real relationships with you, rather than a database query or a spreadsheet full of addresses? Would you send the same emails if you expected to be meeting some of the recipients for a drink after work the next day, or handing out candy with them this evening?
And on the flip-side of that… if a company wanted you to send a typical junk message to everyone you know – coming from “you” directly to the inboxes of all your friends, associates, colleagues and family – would you do it? If you would, how much cold, hard cash would you want to be paid for each message sent?
I really want to know what you think. Leave me a comment.

Read More

Where do subscribers come from?

Do you know all the ways subscribers can get on your lists?
Are you sure?
I recently used the contact form belonging to a marketing company to inform them that someone had stolen my email address from their database and I was receiving spam to the address only they had.
They had an opt-out link on the form, allowing me to opt-out of personal contact and a demo of their product. But that opt-out didn’t translate to not adding me to their marketing list.
When I contacted the person who was talking with me about the address leak, he told me it was the contact form that led to my address ending up on their marketing list. I asked, just to make sure, if I did remember to check the opt-out link. He confirmed I had, but there was an oversight when they updated their contact page and there was no opt-out for marketing mail.
I believe that the majority of delivery problems for real companies that “only send mail with permission” come from these types of oversights. The biggest problem with these oversights is how long they can go on until companies notice the effect. With the overall focus on aggregate delivery statistics (complaint rates, bounces, etc) oversights like this aren’t noticed until they cause some massive problem, like an SBL listing or a block at a major ISP.
The company involved in this most recent incident was very responsive to my contact and immediately corrected the oversight. But there are other companies that don’t notice or respond to the notifications individuals send. This leads to resentment and frustration on the part of the recipient.
Every company should have at least one person who can account for every address on their marketing list. Who is that person at your company?

Read More

Email in 2030

As predicted by Mark Brownlow. My favorite? You can still buy 1 million email addresses for $99. It’s still a bad idea.

Read More

Too much? Too little?

Mark Brownlow (who I haven’t linked to nearly enough lately) has insightful commentary on the frequency question.
I really don’t think marketers should be afraid of sending email frequently. There are people who appreciate a lot of email. But I do think marketers should be careful when sending frequently. Good delivery is all about your audience and what you have to offer them.
As Mark says:

Read More

Social media to improve email delivery

Mail delivered to the bulk folder is likely to continue landing in the bulk folder without intervention. Sometimes a sender can talk to the ISP involved and get mail moved back to the inbox. Sometimes a sender can make hygiene changes and get mail moved back to the inbox.
The most effective way to get mail delivered to the inbox, however, is for recipients to go into the bulk folder and mark the mail as “not spam.” Nothing is more effective at getting mail delivered to the inbox.
But there is a bit of a catch-22 there. If mail ends up in the bulk folder consistently, recipients tend to forget about it. Many people trawl through their bulk folder sporadically, if at all. If recipients aren’t engaged with mail and don’t know when they should see it, then they won’t miss it and won’t look for it.
So if mail is ending up in the bulk folder and recipients aren’t expecting it what can a sender do? One of the obvious answers is find another channel. Let recipients know through some channel besides email that they need to look in their bulk folder for a particular email.
In the past it was difficult to find non-email ways to connect recipients. I worked with customers who really had no other way to interact with recipients than email. They weren’t running a website, they didn’t have any other contact methods, they were really stuck. But a recent tweet from AppSumo shows how social media can be used to improve email delivery.

Read More

Is there really one way to email successfully?

I’ve been watching a bunch of folks discuss someone’s mailing practices. The discussion has been fascinating to me. What I’m hearing from the conversation is that there are very specific rules regarding how every company should mail. And that anyone who deviates from those practices is heading down the path to failure. Doing it wrong.
This theme has come up before, when I’ve heard expert marketers comment that Groupon proved how wrong the “daily email is too much” advice was. My response to that is confusion. Who decided daily email was too frequent and wouldn’t work?
I come from a non-marketing background, so maybe I’m missing some essential bit of wisdom or context. But it strikes me that a lot of the rules (no daily email, never establish aggressive engagement metrics) are really stifling innovation. There seems to me to be an unwillingness to think about why it might work if a particular sender does something against the grain.
Of course, once something has proven a success, everyone jumps on the bandwagon. Half my potential clients over the summer told me they “want[ed] to be the next Groupon.” Most of them didn’t make it, though.
I look at email as having a massively diverse user base. There are lots of people who use email in ways I would never consider. There are lots of people who think the way I use email is wrong. Unlimited opportunities for smart marketers exist.
The more cynical part of my brain says that finding and developing an enthusiastic recipient base takes too much time. Companies want to be the “next groupon” or the “next facebook”. But they want to do it by copying the business model, not by being innovative and meeting some need that currently isn’t being serviced.
There are, of course, some models that are never going to work, like randomly harvesting addresses and sending spam. But I don’t think that means email marketing is dying, just that innovation and imagination might be.

Read More

Expectations

One of the themes I harp on with clients is setting recipient expectations. Senders that give recipients the information they need to make an informed subscription decision have much higher inbox and response rates than senders that try to mislead their recipients.
Despite the evidence that correctly setting expectations results in better delivery and higher ROI on lists, some senders go out of their way to hide terms from recipients. I’ve heard many of those types of comments over the years.

Read More

More fun with visualization

The Yahoo visualization tool has been a lot of fun to watch. You can see how mail changes, see how subject lines change and even see when commercial mailers do major blasts.
One marketer described it to me as “Total marketing porn.”
I even took a screen shot of someone doing a drop of their “September Account Statement” to customers.

Read More

Yahoo email visualization tool

This is pretty awesome.
Visualize Yahoo! Mail
Make sure you click on the “Trending Keywords” on the left hand side of the image.

Read More

Engagement based delivery makes testing tricky

Yesterday I wrote about how important recipients are to achieving good delivery. The short version of yesterday’s post is that delivery is all about engagement, and how the ISPs were really focusing on engagement and providing custom user experiences.
This is great, for the user. Take the common example where a commercial list has some highly engaged recipients and a bunch of recipients that can take or leave the mail. The ISP delivers the newsletter into the inbox of the highly engaged recipients and leaves it in the bulk folder of less engaged recipients.
With user focused delivery people get the mail they are interested in where they can read it and interact with it. People who have demonstrated a lack of interest for a topic or a sender don’t see that mail.
This can get complicated for those of us trying to troubleshoot delivery problems, though. I have a couple mail accounts I use for testing at various ISPs. Even though I do very little to try and personalize the account I am seeing behaviour that leads me to wonder if ISPs personalizing the inbox experience is going to make it that much more difficult to troubleshoot delivery issues.
I have to wonder, too, where this leaves delivery monitoring services in the future. If delivery is personalized, how can you know that the delivery monitoring addresses are representative any longer? Is there even a “representative” mailbox any longer?

Read More

Hotmail fights greymail

I’ve heard a lot of marketers complaining about people like me who advocate actually purging addresses from marketing lists if those addresses are non-responsive over a long period of time. They have any number of reasons this advice is poor. Some of them can even demonstrate that they get significant revenue from mailing folks who haven’t opened an email in years.
They also point out that there isn’t a clear delivery hit to leaving those abandoned addresses on their list. It’s not like bounces or complaints. There isn’t a clear way to measure the dead addresses and even if you could there aren’t clear threshold guidelines published by the ISPs.
Nevertheless, I am seeing more and more data that convinces me the ISPs do care about companies sending mail that users never open or never read or never do anything with.
The most recent confirmation was the announcement that Hotmail was deploying more tools to help users manage “greymail.” I briefly mentioned the announcement last week. Hotmail has their own blog post up about the changes.
It seems my initial claim that these changes won’t affect delivery may have been premature. In fact, these changes are all about making it easier for Hotmail users to deal with the onslaught of legitimate but unwanted mail.

Read More

Government and botnets

The US government is looking at telling ISPs how to deal with compromised customers and botnets.
They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

Read More

Spot the CAN SPAM violations

I received this piece of unsolicited email today, to an address harvested off a website. How many CAN SPAM violations can you count?

Read More

Spammers and Google+

I have a Google+ account, but don’t check it very often. There seems to be a significant amount of noise on the feeds and trying to keep up with all the people who added me to circles was driving all the real mail out of my Gmail inbox.
This morning I realized the noise just got louder. It seems spammers are buying very, very old lists scraped from usenet and inviting everyone on those lists to join them on Google+. Yup, an address of mine that has not been used in 7 or 8 years and is not very publicly associated with me got a Google+ invite from someone I’ve never heard of before.
I know there have been a lot of complaints about spammers abusing Google+. I thought it was possible, but I didn’t realize they were actually purchasing email lists to load into Google and spam people.

Read More

Changes at Hotmail

Microsoft announced a number of changes to the Hotmail interface today. It doesn’t look like this will affect how mail is received, but will affect how users can interact with it.
As always, the best advice I can give you is send mail people want and like.

Read More

Are you ready for the next attack?

ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise.
Last week a number of email marketers became aware that attacks against ESPs and senders were ongoing. The shock and surprise many people exhibited prompted my Spear Phishing post on Friday.
The first round of phishing went out on Wednesday; by Friday they were coming from a different ESP. Whether this was a compromised ESP customer or employee doesn’t matter. ESPs should have reaction plans in place to deal with these threats.
It’s been months since the first attacks. This is more than enough time to have implemented some response to reports of attacks. Yet, many people I talked to last week had no idea what they should or could be doing to protect themselves and their customers.
Last time the attacks were publicly discussed I was frustrated with many of the “how to respond” posts because few of them seemed to address the real issue. People seemed to be pushing agendas that had nothing to do with actually fixing the security holes. There were lots of recommendations to sign all mail with DKIM, implement 2 factor authentication, deploy validation certificates on web properties, or adhere to sender’s best practices.
None of those recommendations actually addressed the gaping security hole: Humans.

Read More

DKIM is Done

This was posted to the IETF DKIM Working Group mailing list this morning:

Read More

Spear phishing

It’s been about a year since people started publicly talking about spear phishing attacks against ESPs and major emailers. There was a lot of energy put into talking about how to protect against future attacks. I have to wonder, though, how much of that talk translated into action?
What processes do you have in place to protect your company against attacks?
If you’re at an ESP, do you have the ability to scan your outgoing stream for keywords or domains?
If you’re a brand, have you implemented restrictions on which employees have access to your databases?
What have you done since the last set of attacks? Are you vulnerable if new attacks start?
More information on ESP attacks:
Be on the lookout
Time for a real security response
Email attacks

Read More

Censorship, email and politics

Spamfiltering blocks email. This is something we all know and understand. For most people, that is everyone who doesn’t manage an email server or work in the delivery field or create spamfilters, filtering is a totally unseen process. The only time the average person notices filters is when they break. The breakage could be blocking mail they shouldn’t, or not blocking mail they should.
Yesterday, a bunch of people noticed that Yahoo was blocking mail containing references to a protest against Wall Street. This understandably upset people who were trying to use email as a communication medium. Many people decided it was Yahoo (a tool of the elites!) attempting to censor their speech and stop them from organizing a protest.
Yeah. Not so much.
Yahoo looked into it and reported that the mail had gotten caught in their spam filters. Yahoo adjusted their filters to let the mail through and all was (mostly) good.
I don’t think this is actually a sign of filters being broken. The blocked mail all contained a URL pointing to occupywallst.com. I know there was a lot of speculation about what was being blocked, but sources tell me it was the actual domain. Not the phrase, not the text, the domain.
The domain was in a lot of mostly identical mail coming out of individual email accounts. This is a current hallmark of hijacked accounts. Spammers compromise thousands of email accounts, and send a few emails out of each of them. Each email is mostly identical and points to the same URL. Just like the protest mail.
There was also a lot of bulk mail being sent with that URL in it. I’ve been talking to friends who have access to traps, and they were seeing a lot of mail mentioning occupywallst.com in their traps. This isn’t surprising, political groups have some horrible hygiene. They are sloppy with acquisition, they trade names and addresses like kids trade cold germs, they never expire anything out. It’s just not how politics is played. And it’s not one party or another, it’s all of them. I’ve consulted with major names across the political spectrum, and none actually implement best practices.
As I have often said, the secret to delivery is to not have your mail look like spam. In this case, the mail looked like spam. In fact, it looked like spam that was coming from hijacked accounts as well as spam sent by large bulk mailers. I suspect there was also a high complaint rate as people sent it to friends and family who really didn’t want to hear about the protests.
To Yahoo!’s credit, though, someone on staff was on top of things. They looked into the issue and the filter was lifted within a couple hours of the first blog post. A human intervened, overruled the algorithm and let the mail out.
I bet this is one of the few times anyone has seen that Yahoo does outbound filtering. Given it’s a politically charged situation, I can see why they assume that Yahoo is filtering because of politics and censorship. They weren’t though.
More on politics, filtering and censorship.

They’re not blocking you because they hate you

It really can be your email
More on Truthout
Another perspective on the politico article

Read More

MAAWG and email appending

In today’s Magill Report Ken says:

The only surprise in the Messaging Anti-Abuse Working Group’s statement last week condemning email appending was that it didn’t publish one sooner.
However, MAAWG’s implication that email appending can’t be accomplished without spamming is nonsense.

Read More

Mailing old addresses: 5 questions to ask first

James asked the question on twitter:

If you haven’t mailed an address in 5-10 yrs, would you include it in a re-engagement mail?

Read More

Denial

I come up against a lot of denial when talking with people about spam and email. It makes sense, nobody likes spam. Nobody wants to send spam. And I do understand the initial denial when they hear “your mail looks like spam” or “you spammed me.”
It often takes overwhelming evidence to convince some senders that their mail is spam. I’ve talked before about some of my clients who insist that I just “forgot” I signed up for their mail. But these aren’t the only excuses I hear.
A sender that denies all feedback about their mailing program isn’t a very good sender, though. The best thing any sender can do when faced with information is to think about why a recipient might not want their mail.
I often describe my role as a translator between marketers and IT folks. I can translate technology to marketing and back again. One of my other major roles, though, is translating uncomfortable or unwelcome recipient feedback. Many marketing programs have been significantly improved because the program maintainers took a minute to look at the feedback and use it.

Read More

MAAWG statement on email appending

MAAWG has published their position statement on email appending. It’s pretty explicit in its condemnation of the practice.

Read More

Spammer prosecuted in New Zealand

Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long term spammer, who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.

Read More

Typoed email addresses

By creating web domains that contained commonly mistyped names, the investigators received emails that would otherwise not be delivered.
Over six months they grabbed 20GB of data made up of 120,000 wrongly sent messages. BBC News

Read More

Silly spam subject line of the day

It’s Friday, it’s been a long week and while I have things to say I’m looking for some entertainment.
What are your favorite spam subject lines?
Here are some of mine:
“Having rock-like winky is easy” (OK, I admit, sometimes I’m 12 and “winky” makes me laugh)
“-Enlarge-your ~Penis up to 3 per month!” (Up to three what per month? And every month?)
“-Its all about the bra-” (From yourscalecars, advertising penis enlargement. Uh. Really?)
“!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!” (apparently spammers never got the memo that !! is bad in a subject line)
“Adventures of my giant mighty soldier” (uh. back to being 12)
“Aliens spotted” (I always thought aliens were striped)
“allergic to almonds or pecans?” (well, no, but thanks for trying)
“anxiety’s archduke Bourbaki’s” (uh. What?)
And, well, I’ve gotten through the a’s in my spamfolder and there are something like 200,000 messages still to go.
Do share some of your own in the comments!

Read More

It's easy to be a sloppy marketer

Sometimes marketers are just sloppy.
Take, for example, an email I received today from a company.
I wasn’t expecting it (sloppy #1).
I never consciously signed up for it (sloppy #2). Apparently I’d bought a package they sold through Appsumo and they claim I asked for future offers. If I did, I didn’t mean to.
The email itself used a template from the sender’s ESP, but whoever wrote the copy didn’t actually proofread it (sloppy #3).

Read More

A recipient's view on engagement

I found a blog post from a technical type talking about email engagement. This is a non-marketing way to do things, and probably won’t work for many marketing programs. But I think good marketers should be listening to what their recipients say, even if it’s counter-intuitive.
Edit 9/15: the website seems to have expired so I changed the link to the google cache of the article.

Read More

What's the best ESP?

I often get clients and potential clients asking me to tell them what the absolute best ESP is.
“You’re an expert in the field, which ESP will give me the best inbox delivery?”
The thing is, there isn’t an answer to that question.
ESPs have expertise in sending large amounts of mail.  All have staff that manage and monitor MTAs. Most have staff that provide advice on delivery issues. Many have staff that handle abuse complaints, FBLs and blocks.
What they don’t have is magic delivery fairies or bat phones into postmaster desks.
Simply moving mail to an ESP won’t give you delivery. For the most part, delivery is the responsibility of the sender, whether they send mail through an in house system or through an ESP.
Delivery is primarily about how recipients react to a particular mail stream. Send mail recipients want, interact with and relate to and you usually see good delivery. The IP addresses or infrastructure contribute but do not dominate the equation. Sending from an ESP won’t fix poor content, irrelevant mail or unengaged recipients.
I can hear everyone now shouting at their screen “What about shared IPs!!!?!?!” Yes, yes, if you use an ESP with shared IP addresses and the ESP gets a bad customer you may see poor delivery for a time because one of their other customers was bad. It’s a fact, it happens. Plus, if you use an ESP with dedicated IPs and the ESP gets a bad customer you may see poor delivery for a time because one of the other customers was bad and their IP is near yours.
So clearly the answer is to bring email in house. That way no other company can affect your delivery, right? Yes. Kinda.
Are you willing to invest money in hiring email and DNS savvy sysadmins? Invest money in an MTA designed to handle bulk mail? Invest in an expert who not only understands bounce handling, but can explain to your developers what a good bounce handling system must do? Invest in someone who can manage authentication like DKIM? Who can handle delivery issues and understands how to talk to ISPs? Invest in development to write an FBL processor?
For some companies, the internal investment is the right answer, and bringing mail in house makes business sense.
For a lot of companies, though, they just want to use email to communicate with customers. They don’t want to have to invest in multiple staff members (as it’s very rare to find a single person with all the various skill sets needed) to just send a weekly newsletter, or daily sales email. They need a tool that works, they don’t need to know how to sign up for an FBL, they don’t need to know how to handle bounces. They can outsource that work and focus on the communication value.
Finding the best ESP starts with finding out how you want to use email.
Question 1: What role does email play in my business?

Read More

Just go read here…

I wrote earlier this week about bad ways to evaluate and choose an ESP. It was all going to end today in an insightful and profound post telling all of you exactly how to find the best ESP.
Then Smartinsights published an insightful and useful article on choosing an ESP yesterday.
So, yeah, just go read what Jordie has to say. I have a couple other things to add, but I’ll drop those in another post.

Read More

I do not think that means what you think it means

Yesterday, I looked at the analysis of ESP delivery done by Mr. Geake. Today we’ll look at some of his conclusions.
“Being blacklisted most likely suggests that sender IP either sends out to a great deal of unknown or angry recipients.” That’s not how most blocklists work. Most blocklists are driven by spam traps or by the personal mailboxes of the list maintainers. The only blocklist that took requests from the public was the old MAPS RBL, and I don’t believe that is the case any longer.
Blocking at ISPs is often a sign of sending out a lot of mail to unknown or angry / unengaged recipients. But most ISPs don’t make their lists public. Some allow anyone to look up IP addresses, and if we had the IPs we could check. But we don’t, so we can’t.
“[…] if you share this IP with Phones4U then only 62% of your emails will be accepted by a recipient’s email server. That’s before they hit the junk filter. I wouldn’t want to pay for that.” This conclusion relies on the Sender Score “accepted rate” number. Accepted Rate is a figure I don’t rely on for much. I’ve never been able to reconcile this number with what client logs tell me about accepted rate. For instance, I have one IP address that has a 4.4% acceptance rate. But I know that 19 out of 20 emails from this IP do not bounce. In fact, it’s rare to see any mail from this IP bounce.
The one thing that Mr. Geake gets right, in all of this, is that if you’re on a shared IP address with a poor sender, then you share that sender’s reputation. Their reputation can hurt your delivery.
But a dedicated IP isn’t always your best bet, either. Smaller senders may not have the volume or frequency required to develop and keep a good reputation on a static IP. In these cases, sharing an IP address with similar senders may actually increase delivery.
For some senders outsourcing the email expertise is a better use of resources than dedicating a person to managing email delivery. For other senders, bringing mail in house and investing in staff to manage email marketing is better.
Tomorrow: how do you really evaluate an ESP?

Read More

Twisting information around

One of my mailing lists was asking questions today about an increase in invitation mailings from Spotify. I’d heard about them recently, so I started digging through my mailbox to see if I’d received one of these invites. I hadn’t, but it clued me into a blog post from early this year that I hadn’t seen before.
Research: ESPs might get you blacklisted.
That article is full of FUD, and the author quite clearly doesn’t understand what the data he is relying on means. He also doesn’t provide us with enough information that we can repeat what he did.
But I think his take on the publicly available data is common. There are a lot of people who don’t quite understand what the public data means or how it is collected. We can use his post as a starting off point for understanding what publicly available data tells us.
The author chooses 7 different commercial mailers as his examples. He claims the data on these senders will let us evaluate ESPs, but these aren’t ESPs. At best they’re ESP customers, but we don’t know that for sure. He claims that shared IPs means shared reputation, which is true. But he doesn’t claim that these are shared IPs. In fact, I would bet my own reputation on Pizza Hut having dedicated IP addresses.
The author chooses 4 different publicly available reputation services to check the “marketing emails” against. I am assuming he means he checked the sending IP addresses because none of these services let you check emails.
He then claims these 4 measures

Read More

Blocklist changes

Late last year we wrote about the many problems with SORBS. One of the results of that series of posts was a discussion between a lot of industry professionals and GFI executives. A number of problems were identified with SORBS, some that we didn’t mention on the blog. There was an open and free discussion about solutions.
A few months ago, there were a bunch of rumors that GFI had divested themselves from SORBS. There were also rumors that SORBS was purchased by Proofpoint. Based on publicly available information many of us suspected that GFI was no longer involved in SORBS. Yet other information suggested that Proofpoint may truly have been the purchaser.
This week those rumors were confirmed.

Read More

Are blocklists always a good decision?

One of the common statements about blocklists is that if they have bad data then no one will use them. This type of optimism is admirable. But sadly, there are folks who make some rather questionable decisions about blocking mail.
We publish a list called nofalsenegatives. This list has no website, no description of what it does, nothing. But the list does what it says it does: if you use nofalsenegatives against your incoming mailstream then you will never have to deal with a false negative.
Yes. It lists every IP on the internet.
The list was set up to illustrate a point during some discussion many years ago. Some of the people who were part of that discussion liked the point so much that they continued to mention the list. Usually it happens when someone on a mailing list complained about how their current spamfiltering wasn’t working.
Some of the folks who were complaining about poor filtering, including ones who should know better, did actually install nofalsenegatives in front of their mailserver. And, thus, they blocked every piece of mail sent to them.
To be fair, usually they noticed a problem within a couple hours and stopped using the list.
This has happened often enough that it convinced me that not everyone makes informed decisions about blocking. Sure, these were usually small mailservers, with maybe a double handful of users. But these sysadmins just installed a blocklist, with no online presence except a DNS entry, without asking questions about what it does, how it works or what it lists.
Not everyone makes sensible decisions about blocking mail. Our experience with people using nofalsenegatives is just one, very obvious, data point.

Read More

AOL Postmaster page hacked

Per Boing Boing: the AOL postmaster page was hacked over the weekend.
As of now the site is restored. But I’m hearing that all the scripts are still down. This means no one can open tickets, sign up for FBLs, apply for whitelisting or check the status of reports. I expect this will be fixed soon, but for now it looks like AOL issues are going to be impossible to resolve.

Read More

The sledgehammer of confirmed opt-in

We focused Monday on Trend/MAPS blocking fully confirmed opt-in (COI) mail, because that is the Gold Standard for opt-in. It is also Trend/MAPS stated policy that all mail should be COI. There are some problems with this approach. The biggest is that Trend/MAPS is confirming some of the email they receive and then listing COI senders.
The other problem is that typos happen by real people signing up for mail they want. Because MAPS is using typo domains to drive listings, they’re going to see a lot of mail from companies that are doing single opt-in. I realize that there are problems with single opt-in mail, but the problems depend on a lot of factors. Not all single opt-in lists are full of traps and spam and bad data.
In fact, one ESP has a customer with a list of more than 50 million single opt-in email addresses. This sender mails extremely heavily, and yet sees little to no blocking by public or private blocklists.
Trend/MAPS policy is singling out senders that are sending mail people signed up to receive. We know for sure that hard core spammers spend a lot of time and money to identify spamtraps. The typo traps that Trend/MAPS use are pretty easy to find and I have no doubt that the real, problematic spammers are pulling traps out of their lists. Legitimate senders, particularly the ESPs, aren’t going to do that. As one ESP rep commented on yesterday’s post:

Read More

A Disturbing Trend

Over the last year or so we’ve been hearing some concerns about some of the blacklisting policies and decisions at Trend Micro / MAPS.
One common thread is that the ESP customers being listed aren’t the sort of sender who you’d expect to be a significant source of abuse. Real companies, gathering addresses from signup forms on their website. Not spammers who buy lists, or who harvest addresses, or who are generating high levels of complaints – rather legitimate senders who are, at worst, being a bit sloppy with their data management. When Trend blacklist an IP address due to a spamtrap hit from one of these customers the actions they are demanding before delisting seem out of proportion to the actual level of abuse seen – often requiring that the ESP terminate the customer or have the customer reconfirm the entire list.
“Reconfirming” means sending an opt-in challenge to every existing subscriber, and dropping any subscriber who doesn’t click on the confirmation link. It’s a very blunt tool. It will annoy the existing recipients and will usually lead to a lot of otherwise happy, engaged subscribers being removed from the mailing list. While reconfirmation can be a useful tool in cleaning up senders who have serious data integrity problems, it’s an overreaction in the case of a sender who doesn’t have any serious problems. “Proportionate punishment” issues aside, it often won’t do anything to improve the state of the email ecosystem. Rather than staying with their current ESP and doing some data hygiene work to fix their real problems, if any, they’re more likely to just move elsewhere. The ESP loses a customer, the sender keeps sending the same email.
If this were all that was going on, it would just mean that the MAPS blacklists are likely to block mail from senders who are sending mostly wanted email.
It’s worse than that, though.
The other thread is that we’re being told that Trend/MAPS are blocking IP addresses that only send confirmed, closed-loop opt-in email, due to spamtrap hits – and they’re not doing so accidentally, as they’re not removing those listings when told that those addresses only emit COI email. That’s something it’s hard to believe a serious blacklist would do, so we decided to dig down and look at what’s going on.
Trend/MAPS have registered upwards of 5,000 domains for use as spamtraps. Some of them are the sort of “fake” domain that people enter into a web form when they want a fake email address (“fakeaddressforyourlist.com”, “nonofyourbussiness.com”, “noneatall.com”). Some of them are the sort of domains that people will accidentally typo when entering an email address (“netvigattor.com”, “lettterbox.com”, “ahoo.es”). Some of them look like they were created automatically by flaky software or were taken from people obfuscating their email addresses to avoid spam (“notmenetvigator.com”, “nofuckinspamhotmail.com”, “nospamsprintnet.com”). And some are real domains that were used for real websites and email in the past, then acquired by Trend/MAPS (“networkembroidery.com”, “omeganetworking.com”, “sheratonforms.com”). And some are just inscrutable (“5b727e6575b89c827e8c9756076e9163.com” – it’s probably an MD5 hash of something, and is exactly the sort of domain you’d use when you wanted to be able to prove ownership after the fact, by knowing what it’s an MD5 hash of).
Some of these are good traps for detecting mail sent to old lists, but many of them (typos, fake addresses) are good traps for detecting mail sent to email addresses entered into web forms – in other words, for the sort of mail typically sent by opt-in mailers.
How are they listing sources of pure COI email, though? That’s simple – Trend/MAPS are taking email sent to the trap domains they own, then they’re clicking on the confirmation links in the email.
Yes. Really.
So if someone typos their email address in your signup form (“steve@netvigattor.com” instead of “steve@netvigator.com”) you’ll send a confirmation email to that address. Trend/MAPS will get that misdirected email, and may click on the confirmation link, and then you’ll “know” that it’s a legitimate, confirmed signup – because Trend/MAPS did confirm they wanted the email. Then at some later date, you’ll end up being blacklisted for sending that 100% COI email to a “MAPS spamtrap”. Then Trend/MAPS require you to reconfirm your entire list to get removed from their blacklist – despite the fact that it’s already COI email, and risking that Trend/MAPS may click on the confirmation links in that reconfirmation run, and blacklist you again based on the same “spamtrap hit” in the future.

Read More

A brief guide to spamtraps

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

Read More

Gmail abuse and postmaster addresses

A long time ago, Steve wrote a post about setting up abuse and postmaster addresses for Google hosted domains. Google has gone through a couple iterations of the interface since then, as you can see by the comment stream.
I checked with some people who have Google hosted domains and they have confirmed that abuse@ and postmaster@ addresses can be set up by creating a group. When you create the group you can then add yourself to the group and get the mail that comes into abuse@ and postmaster@.
 

Read More

The little things

It really amuses me when I get blatant spam coming from a network belonging to one of our Abacus customers. I know that the complaint will be handled appropriately.
It’s even better when the spam advertises the filter busting abilities of the spammer. I get a warm, fuzzy feeling to know that the spammer is going to be looking for a new host in the immediate future.

Read More

Who's your market?

A great post by the always insightful Mark Brownlow: Why Value Matters.
I initially posted this because I found his illustrations very amusing. But then I thought about a number of conversations I had last week. Many of us in the email marketing arena can’t think like our recipients. We just don’t.
I think, sometimes, our inability to see email except as marketing can hamper our ability to connect with users. We spend so much time analyzing email we don’t always remember that it’s a tool. That there is an actual person at the other end of the transaction.
Marketers measure email campaigns primarily by dollars. And maybe there’s no other way to measure them. But, I can’t help but think that maybe we’re missing something.
And I think Mark may have hit that particular bullseye.

Read More

Return Path speaks about Gmail

Melinda Plemel has a post on the Return Path blog discussing delivery to Gmail.

Read More

Email Change of Address

How many readers have ever submitted an email change of address form? How many readers even know where to go to submit an email change of address form?
And I’m not talking about going to a particular retailer and saying “change my email address”; I’m talking about using one of the companies that offer email change of address as a service. Where do they get their names and email addresses? I sure don’t know.
How many readers have actually purchased an email change of address service for one of your mailing lists? Do you know where the addresses came from?
I’m wondering how many people buy email change of address services, but have zero clue how to sign up for them. I mean, I know, you can go to FreshAddress or Experian and get ECOA services. But I don’t know how to tell either of them that I want to be included in their ECOA services.
So how do consumers get to be on a change of address list? And how opt-in is their participation?
One reason I ask is that a number of my clients have stumbled into serious delivery problems recently. Investigation generally points back to the ECOA service they used. So I’m wondering how actively and knowingly consumers are using ECOA services.
 

Read More

No one harvests email addresses any more

There are a lot of people who assert that “no one” actually scrapes websites for email addresses any longer. My experience indicates this isn’t exactly true.
We have a rotating set of email addresses on our contact page. Every day we push out a new email address. Every day we expire addresses that were pushed out 7 days ago.
I can say, with 100% certainty, that there are people harvesting addresses off websites. The ads are reasonably “targeted.” Most of them are offering increased traffic, or the ability to monetize the website. Some are offering work from home.
I suppose you could call these targeted mails. After all, what website owner doesn’t want more traffic? Who wouldn’t want to make hundreds of dollars a day from the comfort of their own couch? What website owner doesn’t want their site submitted to 2700 different search engines?
Targeted spam is still spam. And having a rotating, expiring contact address has kept the amount of spam coming into our contact address low enough that the contact address is actually useable. 10 spams a month (for a 7 day old email address) is much more manageable than 1000 emails a month (for a 4 year old email address).

Read More

Social marketing

I don’t follow many brands on twitter or facebook. Those that I do are local businesses we actually shop at. It’s been interesting watching these local groups use the social networks to market.
One is The Milk Pail Market in Mountain View. They have a reasonably active Facebook page. How have they been using social marketing?

Read More

Quote of the day

Still working on the Gmail document. I got a little stuck today writing it, and have put it aside to try and work through the stuck place.
There was a very long discussion on Only Influencers today about frequency and un-engaged recipients. Lots of interesting opinions and a lot of people strongly welded to their points of view. One of the best comments came from John Caldwell, though.

Read More

Are you sure? Part 2

There was a bit of discussion about yesterday’s blog post over on my G+ circles. One person was telling me that “did you forget you opted-in?” was a perfectly valid question. He also commented he’s had the same address for 20 years and that he does sometimes forget he opted in to mail years ago.
As an anti-spammer with the idea that it’s all about consent, I can see his point. Anti-spammers, for years, have chanted the mantra: “it’s about consent, not content.” Which is a short, pithy way to say they don’t care what you send people, as long as the recipients themselves have asked for it.
This is the perfect bumper sticker policy. As with most bumper sticker policies, though, it’s too short to deal with the messy realities.
I’m not knocking consent. Consent is great. Every bulk mailer should only be sending mail to people who have asked or agreed to receive that mail.
But if your focus is on delivery and getting mail to the recipient’s inbox and getting the recipient to react to that mail then you can’t just fall back on consent. You have to send them mail that they expect. You have to send them mail that they like. You have to send them mail they will open, read and interact with.
If your permission based recipients are saying they forgot that they signed up for mail, that is a sign that the sender’s program is futile. These are people who, at one point or another, actually asked to receive mail from a sender, and then the mail they receive is so unremarkable that they totally forget about the sender.
Maybe that’s another reason the question “are you sure you didn’t forget you opted in” from clients bothers me so much. If I signed up and forgot, that points to problems in your program, mostly that it’s totally unremarkable and your subscribers can forget.

Read More

Are you sure you didn't opt in?

Yes, really. I’m sure I didn’t opt-in.
I get a lot of spam. I get a lot of spam to addresses that aren’t used to sign up for mail. But it seems that when I bring up examples of receiving spam I inevitably get asked, “Are you sure you didn’t opt-in?”
On one level I can understand the question when I send in a complaint to an abuse desk and they’re dealing with a customer who swears all their mail is opt-in. It makes sense when an ESP is working to identify what may have happened so they can correct their customers’ behaviour.
But when it’s a client who has hired me to investigate their email delivery problems and I provide examples of spam sent to me? Why, WHY would I lie to you? Why would I claim I’m getting spam if I wasn’t? What use is that? How does me forgetting I subscribed actually help fix your delivery?
And even if I did forget, shouldn’t that be a sign that maybe there is some issue with your mail program that people sign up and forget?
I am not sure what causes clients to think I would tell them they’re spamming me when they’re really not. I certainly do tell clients when I opt-in and enjoy their mail while offering advice on how to improve their marketing program. I’m not sure what’s going through their heads when I say, “Oh, you (or your affiliate) is sending me a lot of spam,” that prompts them to ask, “Are you sure you didn’t opt-in?”

Read More

Skywriting to market email?

I’m so busy today getting caught up from the whirlwind of cousins this week. Yesterday, we took them to SF to do some touristy stuff. While sitting outside having some food and a drink, we noticed a ton of people staring up into the sky.
Livingsocial had hired some (very talented) pilots to do dot matrix skywriting as advertising.
[Image: Skywriting for living social]
It was quite impressive, actually. Mostly because the pilots were so technically precise, but also because they were conveying useful information in short phrases.
Besides the “Livingsocial loves you” shown here, we also saw deals and even a URL at one point. There was enough breeze over the bay that messages didn’t hang around long (the blur going from top left to bottom right is writing from the pass about 5 minutes earlier). But it was eye catching and there were tons of people taking photos.
It would be interesting to hear how effective a campaign this is. Does Livingsocial see signups as a result of skywriting? Or is this just general brand awareness on their part?
As an aside, the cousins said they received emails from both Livingsocial and Groupon, but that Groupon just sent so much mail it was getting annoying.

Read More

The perfect email

Email is a fluid and ever changing landscape of things to do and not do.
Over the years my clients have frequently asked me to look at their technical setup and make sure that how they send mail complies with best practices. Previously, this was a good way to improve delivery. Spamware was pretty sloppy and blocking for somewhat minor technical problems was a great way to block a lot of spam.
More recently filter maintainers have been able to look at more than simple technical issues. They can identify how a recipient interacts with the mail. They can look at broad patterns, including scanning the webpages an email links to.
In short, email filters are very sophisticated and really do measure “wanted” versus “unwanted” down to the individual subscriber levels.
I will happily do technology audits for clients. But getting the technology right isn’t sufficient to get good delivery. What you really need to consider is: am I sending email that the recipient wants? You can absolutely get away with sloppy technology and have great inbox delivery as long as you are actually sending mail your recipients want to receive.
The perfect email is no longer measured in how perfectly correct the technology is. The perfect email is now measured by how perfect it is for the recipient.

Read More

Still futile

As I mentioned last Thursday, both Yahoo and Microsoft filed oppositions to Holomaxx’s opposition to dismissal. Let me ‘splain… no, there is too much, let me sum up.
Holomaxx sued both Microsoft and Yahoo to force MS and Yahoo to stop blocking mail from Holomaxx.
The judge dismissed the initial complaint with leave to amend.
Holomaxx filed a first amended complaint.
Microsoft and Yahoo both argued that the first amended complaint should be dismissed because it wasn’t fixed.
Holomaxx filed a motion in opposition to the motion to dismiss. Their arguments were reasonably simple.

Read More

New FBLs

There are two new FBLs in production: Synacor and Fastmail.fm. I’ll be updating the Wiki and FBL page today.

Read More

Who leaked my address, and when?

Providing tagged email addresses to vendors is fascinating, and at the same time disturbing. It lets me track what a particular email address is used for, but also to see where and when they’ve leaked to spammers.
I’d really like to know who leaked an email address, and when.
All my inbound mail is sorted into “spam” and “not-spam” by a combination of SpamAssassin, some static sieve rules and a learning spam filter in my mail client. That makes it fairly easy for me to look at my “recent spam”. That’s a huge amount of data, though, something like 40,000 pieces of spam a month.
Finding the needle of interesting data in that haystack is going to take some automation. As I’ve mentioned before you can do quite a lot of useful work with a mix of some little perl scripts and some commandline tools.
I’m interested in the first time a tagged address started receiving spam, so I start off with a perl script that will take a directory full of emails, one per file, find the ones that were sent to a tagged address and print out that address and the time I received the email. I can’t rely on the Date: header, as that’s under the control of the spammer, and often bogus. But I can rely on the timestamp my server adds when it receives the email – and it records that in the first Received: header in the message.

Read More

The weak link in security

Terry Zink posts about the biggest problem with security: human errors. Everyone who is looking at security needs to think about the human factor. And how people can deliberately or accidentally subvert security.

Read More

Gmail shows authentication data to the recipient

Yesterday Gmail rolled out some changes to their interface. One of the changes is that they are now showing end users authentication results in the user screen.
It’s really the next step in email authentication, showing the results to the end user.
So how does Google do this? Google is checking both SPF and DKIM. If mail is authenticated and the authentication matches the from address then they display the email as:
[Image: mail from steve to me]
If we click on “details” for that message, we find more specific information.
[Image: full details of message showing signing domain and SPF domain]
In this case the mail went through our outgoing mailserver to Gmail.
Mailed-by indicates that the message passed SPF and that the IP address is a valid source of mail from wordtothewise.com.
Signed-by shows the domain in the DKIM d=. In this case, we signed with the subdomain dt.wordtothewise.com. That’s what happens when you sign using the domain in the From address (or a subdomain of it).
For a lot of bulk senders, though, their mail is signed using their ESP’s domain instead. In that case Gmail shows who signed the mail as well as the from address.
And when we click on “details” for that message we see:
[Image: 3rd party signature details]
This is an email from a sender using Madmimi as an ESP. Madmimi is handling both the SPF authentication and the DKIM authentication.
As an aside, this particular sender has a high enough reputation that Gmail is offering me an unsubscribe option in their interface.
Gmail is distinguishing between first party and third party signatures in authentication. If the mail is authenticated, but the authentication appears to be handled by a separate entity, then Gmail is alerting recipients to that fact.
What does this mean for bulk senders?
For senders that are signing with a domain that matches their From: domain, there is no change. Recipients will not see any mention of your ESP in the headers.
However, if you are using an ESP that is signing your mail with a domain they own, then your recipients will see that information displayed in the email interface. If you don’t want this to be displayed by Gmail, then you will need to move to first party signing. Talk to your ESP about this. If they’re unsure of how to manage it, you can point them to DKIM Core for an Email Service Provider.
Gmail blogpost about the changes
Gmail help page about authentication results

Read More

The Real Story

We’ve heard this story before.

Someone gives an email address to a company. That company sends them email via an ESP for several years.
Hackers break in to the ESP and steal a bunch of email addresses.
The original address owner starts getting targeted and random spam to that email address.

Read More

MAAWG: Just keeps getting better

Last week was the 22nd meeting of the Messaging Anti-Abuse Working Group (MAAWG). While I am prohibited from talking about specifics because of the closed door nature of the group, I can say I came out of the conference exhausted (as usual) and energized (perhaps not as usual).
The folks at MAAWG work hard and play even harder.
I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.
Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.
I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.
There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.
If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunity to participate in an organization actively making email, and other types of messaging, better for everyone.
(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)
Plus, if you join before October, you can meet up with us in Paris.

Read More

New blocklisting process

There is a new type of blocking designed to interrupt the ability of users to click and visit phishing sites.
DNS Response Policy Zones allow companies running recursive resolvers to create a zone that will not resolve specific domains. This is a second layer of filtering: if a spammer manages to get an email with a malicious link into the inbox, then the ISP can still protect the user from becoming a victim of the scam. For more detailed information about RPZ, check out the helpful slides published by ISC.
Two blocklists announced this morning that they were publishing lists in RPZ format so ISPs can import the data into their DNS recursive resolver. SURBL is currently offering their list as RPZ. Spamhaus is currently running a beta for the DBL in a RPZ format. If you’re a current DBL user, talk to Spamhaus about checking out their new format.
 
 
 

Read More

New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.

Read More

Prepping for MAAWG

The June MAAWG meeting is next week. Both of us are working on various projects, documents and announcements for the meeting. This means light blogging, although we’ll post public announcements as they come out.
If you’re going to MAAWG be sure to stop by and say hi!

Read More

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 

Read More

First spam to Epsilon leaked address

This morning I received the first two spams to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.

Read More

More security problems

I know a lot of people are putting all their eggs in the 2 factor authentication (2FA) basket as a solution to the recent breaches. Earlier this year, however, RSA had their internal systems breached and unknown data was stolen. Speculation from a lot of sources is that the information stolen from RSA by the attackers could be used to infiltrate systems protected by 2FA.
Today I, Cringely reports that a very large U.S. defense contractor may have been breached despite protection by SecurID. Anyone who has been around folks that work for defense contractors, or even just people with security clearances, knows that security and secrecy become second nature. They are naturally suspicious and careful, particularly when interacting with secure systems.
What should really concern anyone thinking about implementing security is that the defense contractor’s security folks implemented extra security after the RSA breach, but someone still managed to infiltrate their systems.
Whatever happens with RSA and the defense department, it’s pretty clear that 2FA is not a panacea. And even when we’re talking about security experts, including defense contractors and RSA, hackers can still get into their systems.
Many of the compromises start with spam linking to payloads. In fact, just last night another email expert had their Gmail account compromised, resulting in a virus being sent to multiple mailing lists and individuals. Some of the compromises happen through Facebook with links that fool people who should know better.
Security is critical for everything on the internet. But recently the attackers seem to be gaining the upper hand over the defenders. When even the experts are compromised, what chance does the average user have?
UPDATE: Reuters reports that the defense contractor was Lockheed.

Read More

Email filters

What makes the best email filter? There isn’t really a single answer to that question. Different people and different organizations have different tolerances for false positives versus false negatives. For instance, we’re quite sensitive to false positives here, so we run extremely conservative filtering and don’t block very much at the MTA level. Other people I know are very sensitive to false negatives and run more aggressive filtering and block quite a bit of mail at the MTA level.
For the major ISPs, the people who plan, approve, design and monitor the filters usually want to maximize customer happiness. They want to deliver as much real mail as possible while blocking as much bad mail as possible. Blocking real mail and letting through bad mail both result in unhappy customers and increase the ISP’s costs, either through customer churn or through support calls. And this is a process; filters are not static. ISPs roll out new filters all the time; sometimes they are an improvement and sometimes they’re not. When they’re not, they’re pulled out of production. This works both for positive filters like Return Path and negative filters like blocklists.
Then there is mail filtering that doesn’t have to do with spam. Business filters, for instance, often block non-business mail. Permission of the recipient often isn’t even a factor. Companies don’t often go out of their way to block personal mail, but if personal mail gets blocked (say the vacation plane ticket or the amazon receipt) they don’t often unblock it. But when you think about why a business provides email, it makes perfect sense. The business provides email to further its own business goals. Some personal usage is usually OK, but if someone notices and blocks personal email then it’s unlikely the business will unblock it, even if the employee opted in.
In the case of email filters, the free market does work. Different ISPs filter mail differently. Some people love Gmail’s filters. Other people think Hotmail has the best filtering. There are different standards for filtering, and that makes email stronger and more robust. Consumers have choices in their mail provider and spamfiltering.

Read More

The wonders of owning a business

We are a small company. We have some contractors that we bring in for projects, but generally everything that gets done here is done by us. Today was heavy lifting day. We started the morning by renting a truck and picking up our two shiny new database servers. Then we headed over to the colo facility to install them and pick up the dead server they’re replacing.
All this is a roundabout way to say that I have not actually thought about delivery at all today. I was going to blog about the filings in the Holomaxx v. Hotmail/Yahoo! case, which are due today. But they’ve not been filed as of 3pm Pacific.
Have a great weekend, and if I don’t see you Monday, have a wonderful afterlife.

Read More

It would be nice…

It’d be nice to have a tool to uncover the zombie email addys, but until then, read this from @wise_laura: http://bit.ly/jxjZ9M Kelly Lorenz

Read More

Spam works

I got a spam today advertising spamming services that ended with a tagline that can be paraphrased: We managed to spam you, let us spam others on your behalf!
OK, so what they actually said was:

Read More

Email marketing firm smacked by the SEC

Yes, the SEC. Really.
Apparently the email marketing firm mUrgent, which provides services to the restaurant and hospitality industry, also had a side business. According to the complaint filed by the SEC last month, they had an entire boiler room set up to sell shares for their non-existent IPO.
I’d never heard of this firm before, so I did a little digging. First step, check out their website.

Read More

Changes at Gmail

As I’ve said before, I can usually tell when some ISP changes their filtering algorithm because I start getting tons and tons of calls about delivery problems at that ISP. This past month it’s been Gmail.
There have been two symptoms I’ve been hearing about. One is an increase in bulk folder delivery for mail that previously was reliably hitting the inbox. The other is a bit more interesting. I’ve heard of 3 different mailers, with good reputations and very clean lists, that are seeing 4xx delays on some of their mail. The only consistency I, and my colleagues at some ESPs, have identified is that the mail is “bursty.”
The senders affected by this do send out mail daily, but the daily mail is primarily order confirmations or receipts or other transactional mails. They send bi-weekly newsletters, though, exploding their volume from a few tens of thousands up to hundreds of thousands. This seems to trigger Gmail to defer mail. It does get delivered eventually. It’s frustrating to try and deal with because neither side is really doing anything wrong, but good senders are seeing delivery delays.
For the bulk foldering, Bronto has a good blog post talking about the changes and offering some solid suggestions for how to deal with them. I’m also hearing from some folks who are reliable that Gmail may be rolling back some of the bulk foldering changes based on feedback from their users.
So if you’re seeing changes at Gmail, it’s not just you.

Read More

The answer is 42

I continually run into companies that don’t really have a goal or understanding of their email marketing program. They’ve never really asked questions about how they’re using email or even why email is the right answer. Lots of companies are also diving head first into email marketing or the social media craze without having thought about what their goals are and what they want to happen.
What regularly ends up happening to companies that jump in without a clear goal is they get into a situation where their delivery is bad. Then they read a lot of best practice advice on the net and try to implement all of it. Sometimes that works, but other times it doesn’t. Finally they hire me or another consultant to help them sort out where it all went pear shaped.
My consulting isn’t about rote recitation of common best practices. Instead, I want to know about a client’s business and what they think about email.  The most frequent question I ask clients is: How does email fit into your business? What are your goals for your business? What is your value proposition?
Some of my clients can’t answer these questions. They just tell me they want to use email and they don’t know what they’re doing and that’s why they hired me. Well, I can help them successfully send email, but I can’t help them decide what role email plays in their business. Those are the decisions my client needs to make. I can’t set their business goals for them.
When was the last time you actually sat down and just thought about your business goals? I know that sometimes it’s hard to find the time to look at your business and where it’s going. “Think about it? I’m too busy doing it!” But every business person needs to look at their business goals.
Once you’ve thought about your goals, think about your email marketing program. Is email helping you to reach those goals? How?
If you’ve reached your current business goals, what are your next ones? And how does email fit into those goals?
Sure, having an answer is good, but are you actually asking the right question?

Read More

Be on the lookout

I’m hearing more rumors of ESPs seeing customer accounts being compromised, similar to what happened with The Children’s Place.

Read More

Analysing a data breach – CheetahMail

I often find myself having to analyze volumes of email, looking for common factors, source addresses, URLs and so on as part of some “forensics” work, analyzing leaked emails or received spam for use as evidence in a case.
For large volumes of mail where I might want to dig down in a lot of detail or generate graphical or statistical reports I tend to use Abacus to slurp in and analyze all the emails, store them in a SQL database in an easy to handle format and then do the ad-hoc work from a SQL commandline. For smaller work, though, you can get a long way with unix commandline tools and some basic perl scripting.
This morning I received Ukrainian bride spam to a tagged address that I’d only given to one vendor, RedEnvelope, so that address has leaked to criminal spammers from somewhere. Looking at a couple of RedEnvelope’s emails I see they’re sending from a number of sources, so I decided to dig a little deeper.
I started by searching for all emails to that tagged address in my mail client, then copied all the matching emails to a newly created folder. Then I took a copy of that folder and split it into one file per email using a shell one-liner:

Read More

Customized for your profile?

With all the discussion about how daily deal emails are the silver bullet to making a profit on the Internet, I signed up for a couple of lists. Not only did I sign up for different lists, I also signed up for the same lists from different addresses.
One of those programs touts that they send me offers tailored to me. Except that the offers I get at Hotmail are different than the ones I get at Gmail are different from the ones I get elsewhere.
So how tailored is this really? In general there is no difference with how I interact with the mail in those various accounts, so that profile is the same. And, well, the person behind the addresses is all the same. If the ads were specially chosen for me, why am I getting different ones at different accounts? Is this particular marketer simply randomly assigning offers and claiming they’re targeted? How many other mailers claim to send ads tailored to my profile, and then just throw the profile out the window and send whatever they want to send today?
This isn’t to say that there aren’t some marketers that do pay attention to recipient profiles. But I’m starting to wonder if the majority of “targeting” is more lip service than reality.
What do other people think?

Read More

What matters for reputation?

There is a contingent of senders and companies that seems to believe that receiver ISPs and filtering companies aren’t measuring reputation correctly. Over and over again the discussion comes up where senders think they can improve on how reputation is measured.
One factor that is continually repeated is the size of the company. I’ve even seen a couple people suggest that corporate net worth should be included in the reputation calculation.
The problem with this suggestion is that just because a company is big or has a high net worth or is on the Fortune500 doesn’t mean that the mail they send isn’t spam. I’ve certainly received spam from large, name brand companies (and organizations). I’ve also consulted with a number of those companies who bought or appended a list and then had to deal with the fallout from a Spamhaus listing or upstream disconnection.
Sure, there is a certain logic to company size and prominence being a part of a reputation calculation. For instance, my experience suggests consumers who recognize a brand are less likely to treat mail as “spam” even if they didn’t sign up for the mail in the first place. Certainly there are large brands (Kraft, FTDDirect, 1-800Flowers, OfficeDepot) that have been caught sending mail to people who never opted in to their lists.
Many people don’t realize that company size and prominence are already factored into the reputation scores. No, ISPs don’t look at a mail and, if it’s authenticated, add in a little positive because it’s part of a giant, name brand company. Rather, the recipients change how they interact with the mail. Even recipients who didn’t sign up for mail from Office Depot may click through and purchase from an offer. Some recipients recognizing the brand will hit delete instead of “this is spam.”
All of these things mean that big brands have recognition that takes into account that they are prominent brands. Elaborate processes and extra reputation points given to big brands don’t need to happen, they’re already an innate part of the system.
 

Read More

Defending against the hackers of 1995

Passwords are convenient for the end user, but it’s too easy to lose control of them. People share them with other people. People write them down, where they can be read. People send them in email, and that email is easily intercepted. People’s web browsers store the passwords, so they can log in automatically. Worst of all, perhaps, people tend to use the same username and password at many different websites. If just one of those websites is compromised (or even run as a password collecting scam) then those passwords can be used to attack accounts at all of the others.
Two factor authentication that uses an uncopyable physical device (such as a cellphone or a security token) as a second factor mitigates most of these threats very effectively. Weaker two factor authentication using digital certificates is a little easier to misuse (as the user can share the certificate with others, or have it copied without them noticing) but still a lot better than a password.
Security problems solved, then?

Read More

What is Two Factor Authentication?

Two factor authentication, or the snappy acronym 2FA, is something that you’re going to be hearing a lot about over the next year or so, both for use by ESP employees (in an attempt to reduce the risks of data theft) and by ESP customers (attempting to reduce the chance of an account being misused to send spam).
What is Authentication?
In computer security terms authentication is proving who you are – when you enter a username and a password to access your email account you’re authenticating yourself to the system using a password that only you know.
Authentication (“who you are”) is the most visible part of computer access control, but it’s usually combined with two other A’s – authorization (“what you are allowed to do”) and accounting (“who did what”) to form an access control system.
And what are the two factors?
Two factor authentication means using two independent sources of evidence to demonstrate who you are. The idea behind it is that it means an attacker needs to steal two quite different bits of information, with different weaknesses and attack vectors, in order to gain access. This makes the attack scenario much more complex and difficult for an attacker to carry out.
It’s important that the different factors are independent – requiring two passwords doesn’t count as 2FA, as an attack that can get the first password can just as easily get the second password. Generally 2FA requires the user to demonstrate their identity via two out of three broad ways:

Read More

Security framework document published

The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security, while others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.

Read More

Setting expectations at the point of sale

In my consulting, I emphasize that senders must set recipient expectations correctly. Receiver sites spend a lot of time listening to their users and design filters to let wanted and expected mail through. Senders that treat recipients as partners in their success usually have much better email delivery than those senders that treat recipients as targets or marks.
Over the years I’ve heard just about every excuse as to why a particular client can’t set expectations well. One of the most common is that no one does it. My experience this weekend at a PetSmart indicates otherwise.
As I was checking out I showed my loyalty card to the cashier. He ran it through the machine and then started talking about the program.
Cashier: Did you give us your email address when you signed up for the program?
Me: I’m not sure, probably not. I get a lot of email already.
Cashier: Well, if you do give us an email address associated with the card every purchase will trigger coupons sent to your email address. These aren’t random, they’re based on your purchase. So if you purchase cat stuff we won’t send you coupons for horse supplies.
I have to admit, I was impressed. PetSmart has email address processes that I recommend to clients on a regular basis. No, they’re not a client so I can’t directly take credit. But whoever runs their email program knows recipients are an important part of email delivery. They’re investing time and training into making sure their floor staff communicate what the email address will be used for, what the emails will offer and how often they’ll arrive.
It’s certainly possible PetSmart has the occasional email delivery problem despite this, but I expect they’re as close to 100% inbox delivery as anyone else out there.

Read More

You've got to be kidding me

Earlier this week I received an email to a work address I retired 4 or 5 years ago. The from and subject lines alone were enough to make me laugh and decide I had to blog about this particular spammer.

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer, it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs’ hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More

Big botnet takedown

The Department of Justice and the FBI took aggressive action against the Coreflood botnet this week. They not only seized domain names and some hardware, they also received permission to actively respond to infected machines. This TRO allows the government to intercept and respond to infected computers. This essentially cuts off the botnet at its knees.
I haven’t heard any comments on the impact this takedown had on spam levels, but not all botnets are used for spamming. Other uses are for cracking, hosting scam and phishing websites and denial of service attacks.
This is the second major botnet takedown in recent weeks. These investigations and takedowns consume a lot of resources, but it’s good to see law enforcement getting involved. Filtering only goes so far and receivers can’t keep increasing their infrastructure indefinitely.

Read More

Epsilon – Keep Calm and Carry On

There’s been a lot of media coverage and online discussion about the Epsilon data breach, and how it should be a big wake-up call to email recipients to change their behavior.
There’s also been a lot of panic and finger-pointing within the email industry about What Must Be Done In The Future. Most of the “you must do X in response to the data loss” suggestions are coming from the same people and groups who’ve been saying “you must do X” for years, and are just trying to grab the coattails of the publicity about this particular incident, though.
Not many people seem to be talking honestly about what this will really mean to an individual recipient whose email address Epsilon lost, though. I’m going to try to answer some questions I’ve seen asked realistically, rather than with an eye to forwarding an agenda.
1. Who are Epsilon?
Epsilon are an Email Service Provider, or ESP. That means that they handle sending email on behalf of other companies. If you’re on a company’s mailing list – you’re getting regular newsletters or special offers or any sort of email advertising – the odds are very good that the company isn’t sending you that email themselves. Instead they’re probably contracting with one of hundreds of ESPs to send the email for them. This is a good thing, as sending email to a lot of people “properly” such that it’s delivered to them in a timely fashion, it’s sent only to people who want it and so on is quite difficult to do well and any ESP you choose is likely to be better at it than a typical company trying to start sending that bulk mail themselves.
2. What happened at Epsilon?
The what is pretty simple – somebody stole a list of names and email addresses of people who were being sent email via Epsilon. Nobody outside of Epsilon and law enforcement really knows the details of how it was done, though lots of people are speculating about it.
3. Is this identity theft? Do I need to check my credit rating and so on?
No, it’s not something that’s going to lead to identity theft. All that was stolen was your name, your email address and some of the companies who send you email. Your postal address, credit card numbers, social security numbers and so on aren’t at risk, even if you’ve given those to the companies who are sending you email. The only information those companies passed to Epsilon were your name and email address, nothing more, so that’s all that was stolen.
4. Is this common?
Yes, it happens all the time. I use tagged email addresses when I give them to a company, and I’ve done so fairly consistently for the better part of two decades. That lets me track when email addresses are leaked, by whom and to whom. Email addresses you give to a company leak to spammers all the time. That’s true for huge companies, tiny one-woman companies, tech-savvy companies, everyone.
5. How do email addresses leak from companies to spammers?
There are a lot of ways

Read More

Real. Or. Phish? Part 2

Steve mentioned the email he received yesterday from one of the companies that was compromised by the Epsilon attack and how difficult it was to determine if this was a real email from Marriott or a phish.
It’s not just over email where the companies are doing badly. Citibank appears to be attempting to notify me about the breach, but are doing it in a way that is indistinguishable from someone trying to get me to give them my banking information.
This morning I received a recorded message purporting to be from Citibank.
The number they’re calling from appears to belong to an outsourced debt collector. Some of the links I’ve found online indicate this is a valid number used by Citibank to collect debts. It’s not unreasonable they’d use current contractors or employees to make calls.
But, if I was a phisher trying to use the compromised data, I’d make sure my outgoing caller ID actually looked like a number Citi calls from. This might be real or it might not.
The message alerted me to a “problem with my credit card” and asked me to call an 866 number as soon as was convenient for me. The problem is that the number they asked me to call is not listed anywhere as belonging to Citibank. It’s not on their website nor on the back of my credit card. This is suspicious at best, and anyone with any sense will not call that number, instead calling a number Citi publishes as belonging to them.
I could also visit a website to get more information. This site is different from the website I use to do online banking but does redirect to what appears to be a valid Citibank website, complete with SSL certificate. This is better than an unrelated phone number.
About 30 minutes later I received a second phone call from the same Irving, TX phone number. This time someone was on the other end. She asked for Steve. As I normally do when I get a call on my phone for Steve I asked her what it was about.
She told me that it was about our credit card and she needed to talk to him.
I informed her we had been informed by our bank that our personal information had been compromised and that we would not be discussing anything related to banking over the phone. I also said if they needed to contact us they could use the physical address on the account.
Then the caller asks, “Are you his wife?” I explained, again, that I was not going to answer any questions and that all requests should be sent to us by mail.
“But I need to know so I can stop you from being called!” she says. This is exactly the kind of thing someone who was trying to social engineer information from us would say. I repeated my statement of not wanting to talk to anyone about our financial information and hung up.
The thing is, I really do actually think this was a legitimate call from Citi attempting to protect us. But, as with many things banks do, they are encouraging poor security on the part of the consumer. They’re sending me to a short website, which is similar to what phishers do. They’re calling from random numbers, which is what phishers might do. They’re calling and asking for information over the phone, which is very bad. They’re training users to compromise security information.
Other people have received the Citi call, and have noticed how Citi is training customers to be victims.

Read More

The weakest link

Last week there was a rather detailed post on the attack at RSA. It is well worth a read because I think many of the techniques employed in the RSA attacks have been or will be employed against ESPs.
Early in the article, the author asks a question.

Read More

Time for a real security response

I’ve seen a number of people and blogs address the recent breaches at some large ESPs and make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists.  These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.

Read More

Targeted attacks via email – phishing for WoW gold

You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are”.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someone’s credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…

Read More

Happy April Fools!

There’s nothing useful I can post on April the first. Plus, it’s sunny and 85 here and I’m about to declare it the weekend.
So I leave you with a picture of what I Can Haz Cheezburger thinks of our business.

Read More

Authentication and phishing

Yahoo announced today that they are releasing the Yahoo! Mail Anti-Phishing Platform (YMAP) that will help protect their users from phishing. They have a similar project in place for eBay and PayPal mail, but this will extend to a broader range of companies.

Read More

Just give it up already

I have a mail system totally separate from my inbox to use when I’m testing signup forms. Some of them are clients, some of them are vendors my clients are thinking about using. In any case, it’s mail I’m seriously concerned won’t stop just by me opting out of it.
The server hosting that mail system has been flakey lately, and needs to be hard power cycled to make it come back. We had a major power glitch this morning and so ended up down at the colo and power cycled that box while we were there.
This box was last working February 4th. It’s been off the internet for almost 2 months now. It wasn’t answering on port 25. It was dead. No mail here. And, yet, a bunch of legitimate email marketers are still attempting to send those addresses mail.
Really. Dead for 2 months and the senders keep trying to mail to those addresses. The server came back about 2 1/2 hours ago. I already have 6 emails from two different senders.
Seriously. If you can’t deliver a mail to someone for TWO MONTHS just give it up already. I am sad that even companies that get the best advice I can give them still can’t get the simple things right.
And, really, don’t argue “but it came back! Clearly we should keep trying!” Yes, it came back. But in all the years I’ve had this disposable email system I have not opened a single image. I’ve not purchased a single thing. I’ve never shown any sign of life on any of those addresses. The mailserver has been down for months at a time. There is no value to continuing to send mail to those addresses. And, yet, people still do it.
Why? WHY!?

Read More

News about the Rustock takedown

Spam levels plummeted 2 weeks ago as the Rustock botnet was beheaded. Reports have been trickling out in the press about the takedown, about the botnet and about the team responsible.
Rustock Takedown Analysis at The Register
Brian Krebs’ initial report of the takedown
Taking down botnets from a Microsoft attorney
Spam Network Shut Down at the Wall Street Journal
Global Spam Levels Graph from Symantec
 

Read More

Spammers, eh?

From my inbox, missed by the spamfilter:

Do you know people who have worked a lot or could not find a job for a long time and suddenly began to earn well, gain valuable items and look better?
We can reveal to you their secret.
Anyone who bought a diploma from us raised their standard of living in half!
Our diplomas are verified and credible. We offer expert help in selection of the right option and a short waiting time.
Don’t look at other – DO YOUR OWN SUCCESS!
—–
+ 1 – 646 – 555 – 1212
—–
We need your infarmation:
1) Your Name
2) Your Country
3) Telephone No. with a code of country if you are outside USA
Do Not Reply to this Email.
We do not reply to text inquiries, and our server will reject all response traffic.
We apologize for any inconvenience this may have caused you.
This is not a spam
If you don’t want to receive this message to your e-mail, call this number and refuse it – spell your e-mail

Read More

Letters to the abuse desk

Ben over at Mailchimp has shared some of the mail that comes into the Mailchimp abuse desk. It’s a post well worth a read.
One of the things that leaped out at me during that post is that the positive emails highlight how much the Mailchimp delivery and compliance people help their users get good delivery. They’re not just saying “you can’t do that” because they’re mean or they want to make life more difficult for their users. They are saying no because what the user wants to do is a bad idea.
I also appreciated the letter from the customer who had to tell Mailchimp that management had decided to not take Mailchimp’s advice. This is something that happens to me sometimes. Clients agree with my recommendations but management decides that they’re not going to implement them. It can be difficult to watch, particularly when I then see how much that company is struggling with blocks or see them show up on some of the big spam lists. But, it’s also part and parcel of the job. Not everyone, no matter how effectively I make my cases, will take my advice.
 
 

Read More

Thank you, Fred!

I am honored and humbled to be called out as a Goddess of Email Deliverability by Fred Tabsharani in his recent deliverability.com post. He has named and lauded people I am proud to call colleagues and friends. Thank you, Fred.

Read More

Turn it all the way up to 11

I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day to day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employers’ servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam and virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up dealing with law enforcement to deal with criminals. Some of what they deal with is unspeakable: abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us, and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.

Read More

Evangelizing Permission

Last week the Only Influencers email discussion group tackled this question posed by Ken Magill.

Read More

No false-starts, do-overs, or mulligans for Email

Guest post by Neil Schwartzman
Josh Baer, former VP of Datran Media and current CEO of OtherInBox.com has been floating an idea at the DMA’s Email Experience Council and a few other places, and recently got some traction in Ken Magill’s Magill Report.
What Josh is proposing is to create the technical means by which a Sender can decide when email ‘expires’ and is automatically removed from a recipient’s inbox, either by deletion, or perhaps archiving (in the case of Gmail). This would supposedly help the end-user, by removing marketing offers that are no longer available.

Read More

Expiring emails

J.D. Falk posts over on the Return Path blog about the new proposed standard for expiring email. It’s an interesting concept, but like J.D. I don’t see it going very far.

Read More

Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Read More

Blocklist BCP

As many of you may be aware there is a draft document working its way through the Internet Research Task Force (IRTF) discussing best common practices for blocklists. The IRTF is a parallel organization to the IETF and is charged with long term research related to the Internet. The Anti-Spam Working Group was chartered to investigate tools and techniques for dealing with spam.
Recently the ASRG posted a draft of a best practices document aimed at those running blocklists (draft-irtf-asrg-bcp-blacklists-07). This document has been under development for many years. The authors have used this document to share their experiences with running blocklists and their knowledge of what works and what doesn’t.
Best practices documents are never easy to write and consensus can be difficult. But I think that the authors did a good job capturing what the best practices are for blocklists. I do support the document in principle and, in fact, support many of the specific statements and practices outlined there. As with any best practices documents it’s not perfect but overall it reflects the current best practices for blocklists.
Ken Magill’s article about the BCP
Anti-Abuse buzz article about the BCP

Read More

Back from MAAWG

Today is the first day back at work after a productive MAAWG conference.
The thing I get most out of MAAWG is a greater appreciation for what a large, global force messaging is. The recent protests and uprisings around the world have relied on messaging to organize, share information and communicate. Messaging is also somewhat fragile. The things that make it great for strangers to interact with one another also allow bad people and organizations to cause harm.
It is a struggle to minimize the harm while not hurting the good.
MAAWG is comprised of the people that make messaging work. These are folks that are on the front lines in the fight to stop online harm. It’s somewhat humbling to watch a conference full of really smart people, from all levels of responsibility, discuss ways to improve messaging for real users and real people while stopping the bad people. There are good ideas and bad ideas, but discussions are professional and informative. Plus it’s always good to see old friends and make new ones.
I inevitably come back from MAAWG with a load of things to do, new projects to take on and new ideas. This time I’m also looking forward to the publication of a document announced at the conference. The EastWest Institute’s Chief Technology Officer Karl Frederick Rauscher talked about a report they will be publishing next month talking about how China and the US are working together to fight spam.

Read More

Marketing on Facebook

An interesting look at what doesn’t work when marketing on Facebook.

Read More

Light blogging for a while

Sorry for the lack of substantive posts, things seem to have gone completely out of control and I’m not finding a lot of extra cycles to sit down and blog. I’ll try and get some stuff up this week, but I’m also getting ready for MAAWG and the sessions I’m a part of there.
There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”
You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.

Read More

Followup to Amazon SES

The nice folks at Amazon contacted me about my post yesterday and pointed out that they are not allowing just anyone to mail through their system. They have a multi step process for qualifying senders.
The first step, as described by their website is:

Read More

Amazon announces SES email service

Last month Amazon announced a cloud based email service: Amazon SES. Amazon SES is an API based email service priced at a very low rate.
The SES product rounds out Amazon’s cloud hosting offerings. The Amazon cloud hosting service is great for webhosting but pretty bad for mail. A lot of ISPs refused to accept email from Amazon cloud IPs. But now cloud hosted customers, and others, can use the SES system to send mail.
It remains to be seen how the SES program works. They are using shared IPs for all customers. This means shared IP based reputation. As one of the major targets is transactional mail, something that normally has a very high engagement factor, it’s likely there will be a lot of good reputation on the SES IPs.
On the flip side, Amazon has set a very low price point and is allowing anyone to use their API. This is going to make it very attractive to some bad actors. These are the same folks who are attempting to compromise ESPs and sneak their mail through enforcement.
A lot of the delivery through the Amazon SES IPs is going to rely on enforcement. They seem to be putting a lot of stock in their content filtering being able to stop spam from getting through. That may or may not be enough; a lot of spammers are actually really good at avoiding content filters.
The good news is that Amazon seems to have considered a lot of these issues. They are providing an SPF record for the SES IPs, and have a way to accept DKIM signed email. They also have an experienced delivery person working there which will work in their favor.
It will be interesting to see if this works. I believe the success or failure will lie with Amazon. I know, I know, normally I say that a sender is responsible for their own reputation. But in a shared environment, it is the overall reputation of the senders that is the key to delivery. Amazon can drive that overall reputation by what customers they allow to send mail through the system. It will be interesting to see what happens in 6 – 12 months when they’ve had some time to build up a customer base.

Read More

Goodmail alternatives

A number of Goodmail customers are scrambling to identify alternatives now that Goodmail is shutting down. There are two companies in the field offering similar services.
Return Path offers Return Path Certified. A number of large ISPs accept Return Path certification, including Yahoo, Hotmail and Comcast. IP addresses that are certified are not guaranteed to reach the inbox, but there are some delivery benefits to being certified. For instance, Hotmail lifts hourly delivery limits for certified IPs. Return Path closely monitors certified IPs and will remove certification from IP addresses that do not meet their standards. They are offering an expedited application process and managed transition to former Goodmail customers.
SuretyMail offers accreditation to senders. SpamAssassin does use SuretyMail as a factor in their scores. Mail from accredited IPs receives lower SpamAssassin scores. I don’t have much direct experience with SuretyMail, so I can’t talk too knowledgeably about their processes. A former customer has written, however, about their experience with SuretyMail. They are offering a half off application fee for former Goodmail customers.
The other option for senders is to find a good delivery consultant. As I said yesterday, a large number of senders are not certified or accredited and experience 95+% inbox delivery rates. Many of my customers, for instance, see 100% inbox without certification. There are certain market segments where certification makes a difference. But for senders who are sending mail that users actually want to receive and are engaged with, certification isn’t always necessary.

Read More

Goodmail shutting down

Yesterday Goodmail sent out mail to all their customers announcing they are ceasing operations and taking all their token generators offline as of 5pm Pacific on February 8th.
While this is a bit of a surprise on one level, I’m not that shocked. Ken Magill mentioned in August that Goodmail was on the sales block and rumors have been circulating for weeks about significant changes coming to Goodmail.
Goodmail has struggled to find a market since they first started. At one point they were even giving services away to customers at partner ESPs. Despite the free service, people at some of those ESPs told me they were having difficulty getting customers to adopt Goodmail.
Likewise, on the ISP side, Goodmail didn’t seem to have much penetration into the market. They had AOL, Yahoo and some cable companies, but not much else. And as of early last year, Yahoo removed the Goodmail machines.
I think the real underlying problem was that most companies who are doing things well don’t need certification services. Sure, there are a couple exceptions but in general anyone who is sending good mail is getting to the inbox. Even for companies where delivery was not quite as good as they might want, the marginal improvement at those ISPs that do use Goodmail was not sufficient to justify the cost of Goodmail services.
While I have the utmost respect for the Goodmail management team I think this result was almost inevitable. I never got the impression they valued the end recipient quite as much as the ISPs do. That was just one thing that led me to believe they just didn’t seem to understand the email ecosystem quite the way that a certification service should.
I echo Dennis’ thoughts and well wishes towards the Goodmail folks. The experiment in sender financed delivery was well worth doing and I think they did it as well as anyone could have.

Read More

Plenty of Fish hack

There’s been a lot of press recently about the Plenty of Fish hack and their response to it.

Read More

Yes, we have no IP addresses, we have no addresses today

We’ve just about run out of the Internet equivalent of a natural resource – IP addresses.

Read More

How many people to enforce policy?

I’ve been head down working on a doc for a client and started wondering what the average size of an enforcement team is. This client told me during one of our calls they wanted to be as clean and well respected as another ESP, but was shocked when I told them how large an enforcement and delivery team that ESP maintained.
I know other clients of mine have 6 – 8 people for a very large customer base, and all of them take their job very seriously.
That got me to thinking: what is the average size of a policy and enforcement desk? Does it scale with userbase? Does it scale with the amount of mail you send? Is there a minimum size?
So tell me: how many people are on your policy and enforcement team?

Read More

Change is required

I get a lot of calls from senders who tell me that they have not changed what they were doing, but all of a sudden their mail isn’t performing the way it used to. Sometimes it’s simply less effective marketing, but more often than not the issue is mail being blocked or filtered to the bulk folder.
What worked today won’t work tomorrow. Spammers are forever evolving new techniques to get past spam filters. ISPs are forever evolving new techniques to stop them.
One of the current driving forces for spam filter development is focused on the individual recipients. Recipient wants and needs are king in the world of ISP mail filtering. Much of that is driven by the underlying business models of the free ISPs. They are selling eyeballs to their advertisers and that relies on keeping as many eyeballs around for as long as possible.
An early version of the recipient driven filtering was “add to your address book” where individual users could override ISP delivery decisions by actively adding a From: address to their address book. The ISPs have been refining this over time. For instance, if you reply to an email in some clients, you are prompted to add that address to your address books. If you take an email out of your bulk folder and move it to your inbox then that address is automatically added to your address book.
But the refinements haven’t stopped there. ISPs are now making smart decisions about what emails a particular recipient will want to receive. This raises a number of challenges to senders. How do you send email to ten thousand or a hundred thousand or a million people and make it relevant to all of them?
Smart senders will take the individual delivery challenge in stride. They will change along with the ISPs, to send mail that their recipients want to receive. Change is inevitable and required.

Read More

Customers want to get mail from us!

Many online retailers assume that anyone making a purchase from them is a prime target for email marketing. THEY ARE OUR CUSTOMERS! Of course they want to get mail from us!
Well. Maybe. But not always. Think about the person who shops online during the holidays. I visit a lot of places looking for gifts for other people. These aren’t places I’d normally shop for myself, and are not places that have things I’m interested in. This means I don’t really have, or want, an ongoing relationship with them.
So for those of you that think they’ve found a new customer because I made a purchase this Christmas, I’d just like to say: Not so much. I mean, yeah, you have the perfect gift for my mother this year. Or that appropriately tacky bit of Vette swag for my dad. But, really, I just want to buy the gift and have it shipped. I don’t want an ongoing customer relationship with you. In fact, I really never want to hear from you again.
Some online retailers are polite and treat purchasers with respect. They allow guest checkouts and don’t require tons of personal information and account creation for a purchase. They even let you opt-out of being added to their mailing list at the time of purchase. Other retailers require the full registration process (you need to know my marital status? so I can buy a gift for my dad? what?) and don’t offer an opt-out during the checkout process. Instead, you infer I want your mail and make me opt-out after the fact.
Making a purchase doesn’t constitute permission. Sometimes retailers can get away with it because when I’m making a purchase for me I might be interested in more mail from you. When I’m making a purchase for someone else, though, there is no long term relationship to be developed.
Sure, with the right campaign you may be able to convert one of those purchasers into a returning purchaser. But without a carefully planned and executed conversion campaign you may lose more future customers than you convert.

Read More

Nothing is forever, even email

Yesterday I talked about how important it was to send welcome messages when you discover old email addresses. Today on the Return Path Blog, Tami Monahan Foreman shares an example email that does just that, but not as well as one might hope.

Read More

Still more spam stats

Mailchannels put together another post looking at spam volumes. Related to that, many people are reporting that bot levels are climbing again.

Read More

Changes at Yahoo

Deliverability.com has a blog post from Naeem Kayani at Adknowledge about the recent Yahoo changes. They point to the reputation of the From: address as a factor. I’m not sure anyone knows what exactly Yahoo is doing, but the suggestions from Naeem are good ones.

Read More

Social networks and bulk email

There’s been a bit of a commotion on Twitter and over at J Caldwell’s blog about Al’s reaction to someone harvesting his address off LinkedIn and then adding that email address to his company’s marketing / newsletter database. Al objected to getting the mail, the person who did this shot back that it wasn’t spam, and there was lots of arguing both over Twitter and on the blog post.
This also recently happened when a well known email marketer took all 500+ of his LinkedIn contacts (including me) and added them to his corporate Christmas card list. His behaviour also created a bit of a stir, although it was a little less public.
That mailing was interesting, because a number of people who received the card thought this was the Best Use of Email, EVER! Some of them went so far as to opine “How could ANYONE not like this mail? What are they, Scrooge?” Well, actually, I found the mail irrelevant and a bit annoying. I have to admit I would have been a lot less annoyed if I knew this was a one time thing. However, in order to comply with CAN-SPAM he included an opt-out. Which led to some head scratching: have I been added to their full list? Am I going to get their newsletter from now on? Do I have to opt-out? What was he thinking?
Watching both of the above situations go down I have come up with a list of things you must consider when sending bulk mail to people who have connected with you on social networks.

Read More

More spam graphs

Ken Simpson, CEO of Mailchannels, was kind enough to give me permission to post their graph of spam and email volumes from September 1, 2010 through Jan 3, 2011.

Read More

Spam volumes in 2010

I started hearing various people comment about lower spam volumes sometime in mid December. This isn’t that unusual, spam volumes are highly variable and someone is always noticing that their spam load is going up or going down. The problem is extrapolating larger trends from a small selection of email addresses. There’s too much variation between email addresses and even domains to make any realistic assumptions about global spam volumes from mail coming into a particular address or domain. And that variation is before you even consider that spam filters prevent much of the spam from actually reaching people.

Read More

Merry Christmas

We’re slowing down for the end of the year. Blogging will be light the next week.
See you in the New Year!
Laura, Steve and the cats

Read More

AOL goes kablooey

Sometime last night, AOL managed to delete their MX records, causing mail to hard bounce for at least 3 hours, possibly more. Annalivia noticed, contacted the NOC, appropriate people were paged and the records are now functional again.
This morning AOL seems to be having more mail problems, possibly related to everyone retrying mail that was hard bounced last night after the MX record was deleted. Or the company is just finally showing the consequences of laying off so many people last year.
I think the most worrying bit about this is that the AOL NOC didn’t notice there was no mail coming in for 3 hours. I don’t get mail for an hour and I start checking to see if the mailserver has fallen over. I can’t believe no one noticed no incoming mail for 3 hours.
I suggest that anyone who had AOL bounces last night package those up and resend today. But don’t send them all at once, trickle them out over the course of the day. Remember, everyone else is trying to send their mail, too. And AOL is not having a happy day.
UPDATE: The Return Path Received blog points out some of the reasons some of you might still be seeing AOL mail fail. The fix is to flush your DNS cache or reboot your DNS server.

Read More

Email marketing ulcers for the holiday

I’ve mentioned here before that I can usually tell when the big ISPs are making changes to their spam filtering as that ISP dominates my discussions with current and potential clients and many discussions on delivery mailing lists.
The last two weeks the culprit has been Yahoo. They seem to be making a lot of changes to their filtering schemes right at the busiest email marketing time of the year. Senders are increasing their volume trying to extract that last little bit of cash out of holiday shoppers, but they’re seeing unpredictable delivery results. What worked to get mail into the inbox a month ago isn’t working, or isn’t working as well, now.
Some of this could be holiday volume related. Many marketers have drastically increased their mail volume over the last few weeks. But I don’t think the whole issue is simply that there is more email marketing flowing into our mailboxes.
As I’ve been talking with folks, I have started to see a pattern and have some ideas of what may be happening. It seems a lot of the issue revolves around bulk foldering. Getting mail accepted by the MXs seems to be no different than it has been. The change seems to be based on the reputation of the URLs and domains in the email.
Have a domain with a poor reputation? Bulk. Have a URL seen in mail people aren’t interested in? Bulk. Have a URL pointing to a website with problematic content? Bulk.
In the past IPs that were whitelisted or had very good reputations could improve delivery of email with neutral or even borderline poor reputations. It seems that is no longer an effect senders can rely on. It may even be that Yahoo, and other ISPs, are going to start splitting IP reputation from content reputation. IP reputation is critical for getting mail in the door, and without a good IP reputation you’ll see slow delivery. But once the mail has been accepted, there’s a whole other level of filtering, most of it on the content and generally unaffected by the IP reputation.
I don’t think the changes are going to go away any time soon. I think they may be refined, but I do think that reputation on email content (particularly domains and URLs and target IP addresses) is going to play a bigger and bigger role in email delivery.
What, specifically, is going to happen at Yahoo? Only they can tell you and I’m not sure I have enough of a feel for the pattern to speculate about the future. I do think that it’s going to take a few weeks for things to settle down and be consistent enough that we can start to poke the black box and map how it works.

Read More

Holomaxx dismisses part of lawsuit

Ken announced yesterday that Holomaxx dropped their suits against Ironport and ReturnPath. Suits against Yahoo and Hotmail are still active.
In the Yahoo case, there is a case management meeting on January 14th.
In the Microsoft case, a response to the complaint is due by December 17th.
I’m not quite sure what happened to prompt this change, but I think it makes it even more unlikely that the case will be successful. The courts have repeatedly ruled in favor of ISPs in these kinds of cases.
EDIT: I’d link to Ken’s article, but I appear to have closed that tab and I can’t find it on his website. I’ll add it as soon as I do.
EDIT: Ken’s announcement

Read More

Now you know…

The key to email marketing, at least if you read blogs and talk to experts who blog about such things, is to segment your lists. But what does segmenting your lists really mean? Ken touches on it in a recent article about engagement and segmenting.
Segmenting your list means, quite simply, knowing your audience. It means tailoring your message to them, in order to extract as much money from them as possible. It means knowing which subscribers you can push with volume and which you will lose if you increase things too far.
In short, it means not treating all your subscribers the same, instead treating them slightly differently based on how they interact with your message.
To some people, this is too difficult. Ken even quoted someone in the industry as saying

Read More

Office cat says

All work and no cat petting makes for a very cranky, and in the way, cat.

Read More

GFI/SORBS – should I use them?

Act 1, Act 2, Intermezzo, Act 3, Act 4, Act 5
Management Summary, Redistributable Documents and Links
In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
Today I’m looking at how this information should affect your choice of spam filtering technology.

Read More

GFI/SORBS – I'm blacklisted, now what?

In the past week we’ve demonstrated that the SORBS reputation data is riddled with mistakes, poor practices, security holes and operational problems, and that the quality of the end result is really too poor to be useful.
What does this mean to you though? There are really two aspects: 1. what to do if you’re blacklisted or blocked by GFI or based on GFI/SORBS data and 2. how this information should affect your choice of spam filtering technology. We’ll be looking at the first point today, and the second tomorrow.

Read More

GFI/SORBS considered harmful, part 3

In the last few days we’ve talked about GFI’s lack of responsiveness, the poor quality of their reputation and blacklist data, and the interesting details of their DDoS claims. Today we’re going to look at (some of) the fundamental problems with GFI’s procedures and infrastructure that cause those issues. Some of the subset of issues I’ve chosen to highlight are minor, some are major, but they show a pattern of poor decisions.
SSL Certificates
When you use SSL on a web connection it brings you two benefits. The first is that it encrypts the connection between your browser and the webserver, so that it’s very difficult for anyone to watch or tamper with your interaction with that webserver. The second, more important, reason is to make sure that you’re talking to the webserver you think you’re talking to, to avoid man-in-the-middle attacks.
This security relies on you trusting the certification authority that issues the SSL certificate that the website uses. A website providing services to the public should always use an SSL certificate created by one of a small number of reputable certification authorities that are pre-loaded into all webservers as “trusted”. These SSL certificates are something that needs to be purchased, but they’re very inexpensive – less than ten dollars a year.

Read More

GFI/SORBS – a DDoS Intermezzo

I’ve been stage-managing for a production of The Nutcracker this week, so musical terminology is on my mind. In opera, the intermezzo is a comedic interlude between acts of an opera seria.
This comedic interlude is about the “DDoS” – a distributed denial of service attack. What is a denial of service attack?

Read More

GFI/SORBS considered harmful, part 2

Yesterday I talked about GFI responsiveness to queries and delisting requests about SORBS listings. Today I’m going to look at data accuracy.
The two issues are tightly intertwined – a blacklist that isn’t responsive to reports of false positive listings will end up with a lot of stale or inaccurate data, and a blacklist that has many false positives will likely be overwhelmed with complaints and delisting requests, and won’t be able to respond to them – leading to a spiral of dissatisfaction and inaccurate data feeding off each other.

Read More

GFI/SORBS considered harmful

A little over a year ago the SORBS blacklist was purchased by GFI Software. I had fairly high hopes that it would improve significantly, start behaving with some level of professionalism and competence and become a useful data source, in much the same way that the SpamCop blacklist turned into an accurate, professionally run source of data after they transitioned from being a volunteer run blacklist to a service of IronPort.
GFI’s statement a year ago was:

Read More

Preferences pages

As often as I talk about how badly companies send mail, I think it’s always a good idea to highlight when I find companies doing good things.
Today’s example of a company making me happy is Sur la Table. I’ve been on their mailing list for quite a while and do enjoy the offers and information they send. With the advent of the holiday cooking season, though, they’ve massively increased their volume. 21 emails in September, 25 emails in October and 37 emails in the month of November.

Read More

Email attacks

Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:

Read More

ESPs being targeted

There has been an ongoing, concerted attack against ESPs recently. Today ReturnPath published some of what is known about the attack.

Read More

Facebook Postmaster page

There’s still quite a bit of concern and worry about how the Facebook messaging platform is going to affect marketing. One thing that may help is the Facebook postmaster page. There’s all sorts of good information on those pages, reflecting the years of experience that their messaging team has in running large platforms.
Some points worth mentioning.

Read More

TWSD: SEO Spamming

It’s no secret that I get a lot of spam. It’s no secret that some catches my eye enough to actually write about it here. Today’s spam is an email that actually made me laugh, though. Somewhere, some gardening site paid a lot of money for search engine optimization and got ripped off.
We own the site samspade.org. It’s down now, victim of a major hardware crash, but this was a site with a number of tools for tracking spammers. This morning, I got email about SamSpade.

Read More

Another take on the emailpocalypse

One of the strengths of email that instant messaging lacks is asynchronous communication.  With email, you send someone a message and they may or may not respond right away.  Sending somebody an email means that you are not necessarily expecting an instantaneous reply.  In fact, that’s the whole point of not using the phone or instant messaging.  You are not expecting your target recipient to be at your beck and call.

Read More

Attention is a limited resource

Marketing is all about grabbing attention. You can’t run a successful marketing program without first grabbing attention. But attention is a limited resource. There are only so many things a person can remember, focus on or interact with at any one time.
In many marketing channels there is an outside limit on the amount of attention a marketer can grab. There are only so many minutes available for marketing in a TV or radio hour and they cost real dollars. There’s only so much page space available for press. Billboards cost real money and you can’t just put a billboard up anywhere. With email marketing, there are no such costs and thus a recipient can be trivially and easily overwhelmed by marketers trying to grab their attention.
Whether it’s unsolicited email or just sending overly frequent solicited email, an overly full mailbox overwhelms the recipient. When this happens, they’ll start blocking mail, or hitting “this is spam” or just abandoning that email address. Faced with an overflowing inbox recipients may take drastic action in order to focus on the stuff that is really important to them.
This is a reality that many marketers don’t get. They think that they can assume that if a person purchases from their company that person wants communication from that company.

Read More

FBox: The sky isn't falling

Having listened to the Facebook announcement this morning, I am even more convinced that emailpocalypse isn’t happening.
Look, despite the fact that companies like Blue Sky Factory think that this means marketers are NEVER EVER going to see the inside of an inbox again, this isn’t the end of email marketing.
Yes, Facebook email is a messaging platform that marketers are not going to have direct, unlimited and unfettered access to. I have no problem with this. Unfettered access to a messaging platform has been abused by marketers long enough, that I heartily approve of a platform that gives real control back to the recipient.
With that being said, there are a couple blindingly obvious ways to avoid having to give users control of their own inbox.

Read More

Going to MAAWG

Following on from last week’s post about MAAWG, I thought I’d write a bit about actually going to MAAWG. You’re an ESP and you’ve been accepted into the organization. Now you have some decisions to make.

Read More

Emailpocalypse

Apparently emailpocalypse is coming on Monday. That’s when Facebook is going to release their email platform (the one no one knows anything about) and it’s going to DESTROY EMAIL MARKETING AS WE KNOW IT.
Are you ready?
I think my favorite doom and gloom scenario is: Facebook will throw out the book on email deliverability because it will likely be the first mass-user email platform that is whitelist-based. In other words, you will NOT be able to send to a user unless they have given you explicit permission to do so.
THE HORRORS! Marketers are going to have to get PERMISSION TO SEND EMAIL. OH NOES! The SKY! It is falling! Recipients are going to have to actually invite marketers in! They can’t just take permission, they have to be granted it.
Oddly enough, a lot of the folks who are having conniptions are also people who have been preaching permission for years. Really, if they’re already getting explicit permission, then this is no different. It’s just an email platform.
And even if Titan is somehow a total game changer and is going to require explicit permission, it’s not going to destroy email marketing. Everyone who has a Facebook account already has another email account. Marketers who can’t get explicit permission to mail to the Facebook account can certainly keep sending “permission” email to their other email accounts.

Read More

MAAWG: Not a Marketing Conference

There seems to be this great misunderstanding among a huge number of email marketers and delivery professionals that MAAWG is some sort of marketing or marketing related conference.
They’re wrong.
MAAWG is the Messaging Anti-Abuse Working Group. The intention of the group is to provide a setting where companies providing internet services can work together to stop abuse. Email is one of the major platforms talked about, but there are also discussions about other forms of messaging abuse.
This conference is unique both in its content and in the people who attend. For many ISP reps this is their sole opportunity to get together with peers, former co-workers and friends. Many of the ISP folks are actually low to mid-level employees who are working the front lines fighting abuse every day. MAAWG is a chance for them to work and socialize with people who understand their jobs and the challenges associated with handling abuse on a daily basis. It’s a place to look at the larger issues and blow off steam.
There are a number of folks who show up at the conference that don’t deal with abuse in any capacity, however. They don’t have to deal with rampant levels of spam heavy enough to take down a mailserver. They don’t have to deal with the horror that is child porn. They don’t have to deal with angry subscribers. They don’t have to deal with criminals.
In short, they’re not abuse desk folks. They are, at best, a delivery person but more often are some high level executive at a marketing firm. These folks treat MAAWG as a place to wheedle business cards and contacts from the ISP reps. Stop abuse? The only abuse they see is that their email isn’t instantly delivered to the inbox.  Spam? That’s what other people send. Phishing? Child porn? Not important.
All too many of them are not even subtle or coy about the fact that their only concern is finding contacts. One ISP rep tells the story of some marketer that followed him into the bathroom and attempted to trade business cards while the ISP person was at the urinal. Make no mistake, this is not an isolated incident. The badgering is so bad that some ISP reps refuse to state who their employer is.
The ISP folks are there to actually spend time with their peers and y’know, do actual work. ISP reps are not there to get hassled by dozens of marketers.
To be fair, a number of ESPs send delivery folks who are actually working to stop abuse. They do chase spammers through their systems. They do deal with criminals. Unfortunately, because they are from ESPs they are prohibited from actually working with the ISPs.
Why? Because so many of the ESP reps aren’t actually there to stop abuse that MAAWG has had to draw firm lines between ESPs and ISPs to make the ISP reps feel comfortable. I can’t fault MAAWG for that even as I can see there are ESP reps who perform the exact same job functions as the ISP reps.
The ESPs have created this situation. Instead of sending folks on their side who deal with messaging abuse, they send high level executives and marketers. They send people who think that the ISPs owe them something. That believe the ISPs will let mail through just because they shared a beer at the conference. That believe there is some inner circle and if they join they can find out the secret sauce so they can get their mail through filters. They send people who think that ISPs should be forced to sit at a table and listen to marketers yell about “the false positive problem.”
This isn’t to say ESPs and marketing companies shouldn’t join MAAWG and go to conferences. There’s a lot of abuse that both groups have to deal with. But MAAWG isn’t a marketing conference. Sending only marketers or executives to the conference not only misses the point of the organization, it actively sabotages it.

Read More

Comments on Holomaxx post

I’m putting together a longer analysis of the Holomaxx case that will look at the claims against the various defendants. There’s some deep misunderstanding of how various things work (hint: wiretapping? not so much).
There was one comment from “The Other Barry” about complaints that I think bears highlighting.

Read More

Birthdays and World Series Parades

Steve whisked me away for a surprise birthday dinner and night in the city. Then we got caught in the crowds for the Giants’ parade and, well, no blogging yesterday or today. Back tomorrow.

Read More

More information on arrests

Terry Zink has a more detailed post on some of the spammer arrests and takedowns that have happened recently.
In addition to the events I mentioned yesterday, authorities arrested an Armenian man suspected of running the Bredolab botnet. Unfortunately, the arrest has not stopped the spam with the malware payload.
These are issues that many ISP abuse and postmaster desks deal with on a daily basis. Their filtering schemes and policies are in place to protect customers from the mob, and criminals. I don’t think enough marketers and senders understand exactly how much the ISPs are dealing with and why many ISPs don’t really care that “mail is taking 12 hours to get to the inbox.” They are dealing with much more important things.

Read More

Ah, Spammers.

The too many.
The stupid.
The spammers.
The blog spammers are still actively attempting to get their claws into my blog. Today the comments included:

Read More

Clicktracking 2: Electric Boogaloo

A week or so back I talked about clicktracking links, and how to put them together to avoid abuse and blocking issues.
Since then I’ve come across another issue with click tracking links that’s not terribly obvious, and that you’re not that likely to come across, but if you do get hit by it, it could be very painful – phishing and malware filters in web browsers.
Visiting this site may harm your computer
First, some background about how a lot of malware is distributed, what’s known as “drive-by malware”. This is where the hostile code infects the victim’s machine without them taking any action to download and run it; rather, they just visit a hostile website and that website silently infects their computer.
The malware authors get people to visit the hostile website in quite a few different ways – email spam, blog comment spam, web forum spam, banner ads purchased on legitimate websites and compromised legitimate websites, amongst others.
That last one, compromised legitimate websites, is the type we’re interested in. The sites compromised aren’t usually a single, high-profile website. Rather, they tend to be a whole bunch of websites that are running some vulnerable web application – if there’s a security flaw in, for example, WordPress blog software then a malware author can compromise thousands of little blog sites, and embed malware code in each of them. Anyone visiting any of those sites risks being infected, and becoming part of a botnet.
Because the vulnerable websites are all compromised mechanically in the same way, the URLs of the infected pages tend to look much the same, just with different hostnames – http://example.com/foo/bar/baz.html, http://www.somewhereelse.invalid/foo/bar/baz.html and http://a.net/foo/bar/baz.html – and they serve up just the same malware (or, just as often, redirect the user to a site in Russia or China that serves up the malware that infects their machine).
A malware filter operator might receive a report about http://example.com/foo/bar/baz.html and decide that it was infected with malware, adding example.com to a blacklist. A smart filter operator might decide that this might be just one example of a widespread compromise, and go looking for the same malware elsewhere. If it goes to http://a.net/foo/bar/baz.html and finds the exact same content, it’ll know that that’s another instance of the infection, and add a.net to the blacklist.
What does this have to do with clickthrough links?
Well, an obvious way to implement clickthrough links is to use a custom hostname for each customer (“click.customer.com”), and have all those pointing at a single clickthrough webserver. It’s tedious to set up the webserver to respond to each hostname as you add a new customer, though, so you decide to have the webserver ignore the hostname. That’ll work fine – if you have customer1 using a clickthrough link like http://click.customer1.com/123/456/789.html you’d have the webserver ignore “click.customer1.com” and just read the information it needs from “123/456/789.html” and send the redirect.
But that means that if you also have customer2, using the hostname click.customer2.com, then the URL http://click.customer2.com/123/456/789.html will redirect to customer1’s content.
If a malware filter decides that http://click.customer1.com/123/456/789.html redirects to a phishing site or a malware download – either due to a false report, or due to the customer’s page actually being infected – then they’ll add click.customer1.com to their blacklist, meaning no http://click.customer1.com/ URLs will work. So far, this isn’t a big problem.
But if they then go and check http://click.customer2.com/123/456/789.html and find the same redirect, they’ll blacklist click.customer2.com, and so on for all the clickthrough hostnames of yours they know about. That’ll cause any click on any URL in any email a lot of your customers send out to go to a “This site may harm your computer!” warning – which will end up a nightmare even if you spot the problem and get the filter operators to remove all those hostnames from the blacklist within a few hours or a day.
Don’t let this happen to you. Make sure your clickthrough webserver pays attention to the hostname as well as the path of the URL.
Use different hostnames for different customers’ clickthrough links. And if you pick a link from mail sent by Customer A, and change the hostname of that link to the clickthrough hostname of Customer B, then that link should fail with an error rather than displaying Customer A’s content.
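The hostname check described above, as an added example in Python (not code from the original post): the customer names, link table and target URLs are constructed, and the function names are hypothetical. It compares a clickthrough server that ignores the hostname with one that ties each link to its customer's hostname, then repeats the hostname-swap test a filter operator would run so you can audit your own setup.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed sample data: which clickthrough hostname belongs to which customer.
CUSTOMER_BY_HOST = {
    "click.customer1.com": "customer1",
    "click.customer2.com": "customer2",
}

# Constructed link table: path -> (owning customer, redirect target).
LINKS = {
    "/123/456/789.html": ("customer1", "https://www.customer1.com/offer"),
    "/321/654/987.html": ("customer2", "https://www.customer2.com/sale"),
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None


NOT_FOUND = Response(404)


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop any port and trailing dot."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        host = name
    return host.rstrip(".")


def resolve_ignoring_host(host_header: str, path: str) -> Response:
    """The shortcut the post warns about: only the path is consulted."""
    link = LINKS.get(path)
    return Response(302, link[1]) if link else NOT_FOUND


def resolve_checking_host(host_header: str, path: str) -> Response:
    """Redirect only when the link belongs to the customer that owns the hostname."""
    customer = CUSTOMER_BY_HOST.get(normalize_host(host_header))
    link = LINKS.get(path)
    if customer is None or link is None:
        return NOT_FOUND
    owner, target = link
    if owner != customer:
        # Customer A's path on Customer B's hostname fails with an error.
        return NOT_FOUND
    return Response(302, target)


def hosts_sharing_redirect(
    resolver: Callable[[str, str], Response], flagged_url: str
) -> List[str]:
    """Swap every known clickthrough hostname into a flagged URL and list the
    hostnames that answer with the same redirect as the original."""
    parts = urlsplit(flagged_url)
    original = resolver(parts.netloc, parts.path)
    if original.status != 302:
        return []
    return sorted(
        host for host in CUSTOMER_BY_HOST
        if resolver(host, parts.path) == original
    )


if __name__ == "__main__":
    flagged = "http://click.customer1.com/123/456/789.html"
    print("ignoring host:", hosts_sharing_redirect(resolve_ignoring_host, flagged))
    print("checking host:", hosts_sharing_redirect(resolve_checking_host, flagged))
```

With the hostname ignored, one flagged link makes every clickthrough hostname look like part of the same problem; with the check in place only the hostname that was actually reported serves that redirect.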

Read More

Email as social media

Rachel Luxemburg, a good friend of mine who runs the Community team over at Adobe, tweeted a link to Successful Social Media is More Than A Campaign. I was reading that article and realized quite how much of it applies to email. In fact, a couple of Amber’s specific recommendations are directly relevant to email.

Read More

Just stop spamming!

Al posted a clip from the Jim Carrey movie Liar Liar on SpamResource (slightly NSFW) that resonated with me this week.
If you meet me on the street and ask me what my job is I’ll tell you that I work with companies who send bulk email to make sure that they’re not sending spam. I do this by educating clients into good practices and teaching them how to send mail people want to receive. What this statement doesn’t tell people is that usually clients find me because they have been suspended by their ISP for spamming or blocked by some receiver.
Clients who find me because they can’t send mail usually hire me to solve their immediate problem. And I do give them the best advice I can to resolve their problem. But fixing today’s problem isn’t enough, you also need to fix the processes that caused the problem. To me, a critical part of my job is to set clients up for long term success by creating procedures that will get them delisted and keep them from being relisted in the future.
Sometimes, though, I have those moments Al is talking about. When clients don’t actually want to fix their problems, they just want to argue. They want to argue about the definition of spam. They want to argue about permission. They want to argue about how awful their ISPs are for suspending their account. They want to argue about CAN SPAM. They want to argue about free speech. They are angry and they want to fight.
My role is to listen to them, then guide them down a constructive path. I do turn out to be the sounding board for a lot of customers, sometimes they just need to know someone is listening to them. Once they get it all out we can move on into solving the problem.
But, boy, are there the occasional conversations where I just want to scream, “JUST STOP SPAMMING!”

Read More

Mail that looks like spam

One thing I repeat over and over again is to not send mail that looks like spam. Over at the Mailchimp Blog they report some hard data on what looks like spam. The design is simple, they took examples of mail sent by their customers and forwarded them over to Amazon’s Mechanical Turk project to be reviewed by humans.
In a number of cases they discovered that certain kinds of templates kept getting flagged as spam, even when Mailchimp was sure that the sender had permission and the recipients wanted the mail. They analyzed some of these false positives and identified some of the reasons that naive users may identify those particular emails as spam.
Ben concludes:

Read More

The hard sell works

Ken Magill, dad extraordinaire, describes how he went above and beyond the call to get his son a DVD while battling hard sell marketing techniques.

Read More

Return Path Certification: Is there value?

Recently, a client asked me, what is the value to ISPs in utilizing Return Path Certification (formerly known as Sender Score Certified)? Meaning, why do ISPs use it? A number of ISPs both big and small have spam filtering systems that treat certified IP addresses differently than non-certified IP addresses. Sometimes spam filtering is bypassed, effectively guaranteeing inbox delivery. Sometimes rate limits are greatly loosened, allowing mail to flow in much faster. Sometimes it is used as just one of the many variables used by the ISP to determine inbox placement versus bulk folder placement versus rejecting the mail outright.
The question is a little different than usual. It’s not a question of, why should a sender become certified? It’s a question of, why would an ISP choose to use the certification data on the inbound side? It’s a neat question, one that I’ve never really heard answered by an ISP before.
Curious, I asked a number of ISP folks for their opinions on this topic. Assuming few would want to discuss this on the record, I made it clear that I wouldn’t mention any names. What I found was that nobody had anything bad to say about Return Path Certification. One person I talked to said that they don’t really give it that much thought–it just works. Many thousands of inbound messages come in from certified IPs, and they never get any spam complaints about those messages, so it’s all good. That’s hardly a scientific review process, but hey, if it works for them…
Another told me that Return Path Certification “helps us by helping senders improve the overall quality and desirability of email that comes into our network.  This is great for our customers who rely on email communications in their daily life and expect of us predictable delivery of their key emails.”
The overwhelming message I received from ISPs was that they like Return Path Certification because there’s a strong implication that those mail streams are already clean and that the sender’s practices have already been vetted. They feel that Return Path is doing the hard work of insisting on the right best practice requirements and monitoring appropriate metrics to ensure that good guys get certified and bad guys don’t get certified. If a sender can get certified, it is as though they are announcing to the world (and ISPs) that they have already been reviewed and seem to be doing things correctly.
10/14/2010 Update: Return Path just notified certified senders that their mail will now proceed directly to the inbox at Comcast, presumably bypassing some or all of Comcast’s usual spam filtering.
Guest post by Al Iverson.

Read More

Zeus Loves to Spoof

I manage inbound mail for a large set of mailboxes at work; and a number of those mailboxes are on various Zeus botnet spam lists. So, every day, I’m treated to the Zeus botnet “flavor of the day,” giving me insight into who they’re spoofing at any given time. A client asked me why the messages morph so often and I explained that the spammers seem to be continually changing their spam in an attempt to evade signature-based identification and blocking. And wow, they sure do morph a lot.
In just the past three weeks, I’ve seen Zeus botnet spew try to pretend to be mail from all of these different companies: Amazon, Bank of America, Bell Canada, Best Buy, Craigslist, Credential Solutions, Esurance, Facebook, Fedex, Groupon, iTunes, LinkedIn, Microsoft, NewEgg, Vistaprint and Zappos. That’s just in three weeks! And I’m not even sure I successfully identified all of the spoofed senders.
This is pretty scary stuff. Uneducated consumers might be fooled into thinking that these are legitimate emails. The companies sending legitimate emails now have to wonder, what can they do to prevent/mitigate these kinds of issues? A smart company probably uses email authentication to help identify their mail as legitimate, but the malicious messages don’t even use their domains. ISPs want to block it, but they’re not always easily identified. It seems to me that impeding delivery of this kind of bad mail requires a whole bunch of moving parts, involving multiple stakeholders in the email ecosystem.
For starters…

Read More

SMS Providers: Filtering Content?

In the realm of email, content filtering is old hat. Nowadays, it’s all about reputation and engagement. Okay, sure, content filtering still exists, but the bad old days are long gone. No more do you have to worry that using the word FREE in the subject line is going to get your mail blocked.
Sounds like spam blocking in the world of text messaging is not quite as modern, according to a lawsuit I read about a couple of weeks ago. SMS messaging provider EZ Texting filed suit against cell carrier T-Mobile over blocking of its client’s mobile messages, claiming that the reason for the blocking was apparently due either to content-based filtering or because of censorship. The EZ Texting client at the heart of the matter is a website that allows users to locate their nearest medical marijuana dispensary.
T-Mobile, in its response to the allegations, states that what actually happened is that EZ Texting broke the rules. When you register a short code with the various cellular carriers, you provide them with written documentation detailing just exactly what you intend to do with that short code. What kind of messages you’re going to send to your subscriber base. What the message flow looks like in various interaction scenarios.  From my experience working for an ESP that offers mobile messaging support, I know this to be true.
As T-Mobile said on its website: “Each carrier has a process to ensure that content providers like EZ Texting follow the Mobile Marketing Association’s U.S. Consumer Best Practices Guidelines for Cross-Carrier Mobile Content Programs, as well as other regulations applicable to the mobile content business. When T-Mobile discovered that EZ Texting had not followed this process for […] the text messaging service at issue in the lawsuit – we turned off the short code that EZ Texting was using for these services. The content of the […] service simply had nothing to do with T-Mobile’s decision.”
T-Mobile said that the documentation filed with the provider indicated that the short code in question suggested that its intended use was to let subscribers know about promotions at various bars and night clubs. Use of the short code for a campaign related to a medical marijuana dispensary service fell outside of that use case, and lo, T-Mobile revoked use of that short code. They say that they “subsequently learned that EZTexting was running several other unauthorized shadow programs on the same short code,” meaning that there was additional use of the short code even beyond the original, defined use (night club promotions) and the use by the medical marijuana dispensary locator.
Turns out, the point is moot.  Last Friday, October 1st, the Washington Post reported that T-Mobile and EZ Texting have settled their lawsuit. I’m kind of saddened by that, as it would have been nice to see the courts affirm T-Mobile’s right to block inappropriate use of their network. But, you never know which way the court will rule, so maybe it was in everybody’s best interest to not let this get as far as a jury.
And who knows, maybe EZ Texting jumped the gun here, and only needed to file amended paperwork to fix the issue. Compare this to spam blocking — we’ve all had clients who immediately want to threaten and bluster and potentially even sue, because they got spam blocked. But, 99.99% of the time, it’s much easier, and much simpler, to resolve the issue, to get the block removed, without resorting to legal action.

Read More

Challenge Response: It is what it is

Have you ever sent an email message, and received an automated response in reply? And in that reply, you are asked to “prove that you are human” by clicking on a link and/or entering a CAPTCHA code. What is this? Is it new?
When that happens, you’re interacting with a “challenge response” email filtering system. When you receive a “prove that you’re human” reply, that message is a “challenge” that the spam filter is requesting that you respond to. This “response” to the “challenge” helps the spam filter (in theory) know that a real person sent the original message.
It’s not that widely used, nor is it that widely loved, because it has a pretty big flaw. Very little spam has a legitimate from address on it. Most of the time, the from address is forged. It goes back to some innocent, unrelated party. In those cases (i.e. “for most spam,”) the challenge email is sent to the wrong person. So, you end up spamming unrelated people with “challenges.” Ever received a challenge request in reply to an email you never sent? Yup, that’s what’s happening. It’s just as bad as the spam itself, in my opinion. It’s an annoying email, probably sent in bulk, to people who didn’t ask for it.
Occasionally marketers freak out, thinking, “OH MY GOSH! MY MESSAGES AREN’T GETTING THROUGH!! THEY’RE GETTING TRAPPED BY THESE FILTERS!!!” That reaction is overkill. Don’t freak out! This kind of filter is not widely used — and it is not new at all. Heck, just about four years ago, I helped to answer a challenge/response question for Email Insider’s Email Diva column.
I guess this is one of those things that comes up again periodically, because there are always new people in our industry who haven’t stumbled across it before.
An industry colleague of mine, who works for a major ISP, was asked what he makes of those filters. “It is what it is,” he replied. Meaning, perhaps, that these filters are not great, but there’s not much you can do about them, and they are really not worth losing all that much sleep over.

Read More

Email append: Do you hate it?

Hi! Al Iverson here. I offered to guest blog for my friend Laura Atkins, as she’s off to a conference for a few days. If you like my posts, c’mon over and visit me at my blog, Spam Resource.
A few weeks ago, an industry colleague asked me why I’m so anti-email append. I’m not specifically anti-email append, I’m just not very fond of things that cause deliverability problems. And any time I have some huge, horribly complex client deliverability problem to deal with, the underlying source of the problem tends to be some sort of third party data thing, like email append or co-registration. It’s pretty straightforward, from my perspective. You’re sending mail to people who didn’t give you their email address. I know it’s legal, the ISPs know it’s legal. But the ISPs see that this causes spam complaints to spike, and they hate enabling delivery of mail that causes complaints, so it gets you blocked.
Email Append -> Add those addresses to your list -> You get higher spam complaints -> You get blocked.
Why does this happen? Why are these people complaining about my mail? This is a simple question to answer, too: Subscribers don’t want this mail. Most of the people who get this mail, they were not expecting it. They didn’t give you their email address. They’re surprised that you have their email address. They’re probably already getting a lot of unexpected mail (you don’t think you’re the only one who “appended” their email address, do you?), and they are experiencing inbox fatigue. Click, select all, report spam.
You have no idea what our subscribers want, you might say. Really? No idea at all? If you do this, and you find yourself  blocked, as you likely will, THAT RIGHT THERE IS AN EXCELLENT DATA POINT THAT SHOWS THAT PEOPLE DON’T WANT THIS MAIL. You’re making assumptions about what you think your subscribers want, and the data is telling you that you’re wrong. Listen to that data, learn from it.
If you don’t, you’re not going to have much success getting mail delivered successfully to the inbox.

Read More

Suing spammers

I’m off to MAAWG next week and seem to have had barely enough time to breathe lately, much less blog. I have a half written post, but it’s taking a little more research to put together. That can wait until I get the chance to do the research.
Instead I thought I’d talk about the North Coast Journal article “The Rise and Fall of a Spam Crusader.” It’s quite an interesting article and looks into the personal and business sacrifices that people make in order to chase down spammers.
In my experience a lot of the serial litigators have very poor practices around data collection and analysis. They don’t collect evidence, they just collect email and then make assertions and assumptions. This is not very effective when having to convince a judge that you are right.
The article actually does nothing to change this impression. The cases ASIS won are the cases where the defendants didn’t respond. That also means that ASIS couldn’t collect.
I do disagree with Mr. Singleton, the lawyer, where he says CAN SPAM is dead. In many cases I’ve seen there aren’t clear CAN SPAM violations. So if he’s trying to sue these spammers under CAN SPAM his cause of action is wrong. Secondly, the article goes on to talk about the broader implications.

Read More

Zombie Apocalypse

I hope my series on zombie addresses has convinced you that there are zombie addresses on your list and that you should be concerned about the effect they have on delivery and metrics. Today I’d like to talk about what you can do to get rid of zombie addresses without affecting too many actual subscribers.
Anti-Zombie Weapons
One thing that many companies struggle with while dealing with zombie addresses is letting go of addresses. They are so tied up in the idea that a bigger list is better that they can’t let them go. Even if a particular address has not had any activity in 18 or 24 months, they insist that they can’t give it up, it might come back and the customer might make a giant purchase. No. It’s a zombie. It’s not coming back, except to eat your brains.
The first step to dealing with zombies is to acknowledge their existence. They are there, they are on your lists and they are dirtying up your lists. Pretending they’re not there does not make them go away. They are zombies. In no case is there a human inside. There is no potential sale lurking, waiting to jump out and act on that perfectly crafted offer.
The second thing to remember is that the humans that used to have the zombie addresses found you once, and if they are still interested in what you’re offering then they will find you again. They may even already be back on your list with their new email address.
While you can’t identify zombie addresses specifically, you can identify addresses that act like zombie addresses. These are addresses that have no activity over a long period of time, more than 12 months. For these addresses that haven’t had activity in 12 – 18 – 24 months, you want to confirm with the recipient that they are there and want to continue to receive mail from you.
The best way to notify them is to send an email asking if they want to remain on your list. If they fail to act, you will remove them from future mailings. Short, sweet and will let you drop off zombie addresses without much effort on your part.
I know, I know, you aren’t ready to let go so fast. After all, some people have come back after 24 months and made a purchase from the perfect offer. They’re not dead yet! OK. But you can’t get a response from them through email. They just don’t care enough about what you’re sending. That’s when you contact them through another channel.
For instance, if the email address is tied to a web account, say a social networking site or bank account or a web forum, you can also contact the user through your website. Next time they log in, send them a message that says their email address has been removed due to inactivity, but if they want to reactivate they can do so at the subscriber preference center or profile page. When they do, send them an email to confirm that this is the address where they want to receive mail. At this point you can give them a link or a magic cookie to paste into the website to verify the address.
Or if you’re a bigger retailer you can send alerts to your customer service staff, so when the account holder contacts you by phone with a question or an order you can get an updated email address. If you have a loyalty program, have an alert come up at the point of sale and the clerk can ask for an updated email address.
I even know one company that would send postcards to their zombie accounts in an effort to re-engage them and get an active email address from them.
If the person never comes back, if they don’t ever interact with your business again, if none of the channels work to contact them and update the address then it really is best to just let the relationship go. It may not be you, or anything you’ve done. People move on, their interests change and that’s part of life. They may have moved outside of your service area, or they may have joined your list for a specific product that they don’t need or you don’t sell. They may have died and turned into a real zombie. In any case, they are not a viable prospect for your mail.
Email addresses and business relationships are not forever. Letting zombie addresses go is important for the health of any email marketing program.

Read More

Zombie email: Part 3

Last week, in Zombie email: part 1 and part 2 I talked a little about the history of email addresses and how changes in the ISP industry in the early to mid 2000’s brought about the rise of zombie email addresses. Today we’ll look at the effect zombie addresses have on email stats and why ISPs are starting to monitor zombie addresses.
A zombie address, despite the fervent belief of some email marketers, doesn’t come back to life. The person who initially registered that address has decided to stop using that email address.  The defining factor of a zombie address is that there isn’t now and won’t be anyone in the future reading email sent to that address. There is no human there to read or react to any email sent to that address.
A zombie address does not represent an actual recipient; it is just a remnant of a recipient that once was present.
Having a list containing any significant number of zombie addresses can throw off metrics enough to mislead a sender about the effectiveness of their email marketing program. Sometimes, the zombie addresses make the metrics look worse, sometimes they make metrics look better. In either case, the metrics don’t accurately represent the performance of a marketing program.
Zombie email addresses do bulk out a mailing list, making lists look bigger. They’re not real addresses, so they don’t reflect quality, but they do impress marketers that think bigger is always better. But, in reality, you may as well add thousands of addresses at non-existent domains for the real value these addresses bring to your list.
Zombie email addresses on a list depress any metric that uses “number of emails sent” or “number of emails accepted” as a denominator. If 10% of a list is zombie addresses, then an open rate reported as 15% will actually be an open rate of 16.7%. The more zombie addresses on a list, the more the statistics will be depressed.
In addition to having lower open rates, lists with more zombie addresses also have a lower complaint rate. In fact, in the recent past spammers have padded their lists with zombie addresses as a way to artificially lower their complaint rates.
Spammers using addresses created just to bulk up the denominator and lower complaint rates have led ISPs to start monitoring the types of addresses on a particular list. I first heard about ISPs looking at recipient profiles at a meeting in 2006, so it is not, in any way, a new technique for ISPs. What is new is the number of zombie addresses on legitimate, well maintained lists, and the fact that they are present in high enough volume to affect reputation and delivery.
ISPs use zombie addresses to monitor the reputation of a sender because it is a more accurate way to measure what the recipients think about an email and that sender. Senders ignore zombie addresses because they make some stats look bigger (total list size) and better (lower complaint rates). Many senders also believe that addresses come back to life, despite all evidence to the contrary, and will not purge an address for any reason other than it bounces. They’d rather live with inaccurate and misleading metrics than remove non-performing addresses.
Tomorrow, in the final post of this series, we’ll examine how senders can identify potential zombie addresses and what steps they can take to protect themselves from the negative reputation hit from zombie addresses. (Zombie Apocalypse)

Read More

Zombie email: Part 2

In zombie email: part 1 I talked about how email addresses were tightly tied to internet access in the very early years of the internet. We didn’t have to worry about zombie email addresses because when an account was shut down, or ignored for a long time then mail would start bouncing and a sender could stop sending to that account.
There were two major changes to email accounts in the early 2000’s that led to the rise of zombie emails.
People started decoupling their internet access from their email addresses. Free addresses were easy to get and could be checked from everywhere. No longer did they have to dial in to get email, they could access it from outside the office and outside the home. Mobile devices, including the first generation of smart phones and laptops, helped drive people to use email addresses that they could access from any network. The easy access to free mail accounts and the permanence led people to adopt those addresses as their primary address.
When people changed addresses, for whatever reason, they didn’t have to stop paying. There was no way to tell the free ISPs to stop accepting mail for that address. Free mail providers would let addresses linger for months or years after the user had stopped logging in. Sometimes those addresses would fill up and start bouncing email, but they were not often turned off by the ISPs.
The lack of purging of abandoned addresses was the start of dead addresses accumulating on mailing lists. But there weren’t that many addresses in this state, and eventually they would fill up with mail. When they were full the ISP would stop accepting new mail for that account, and the address would bounce off a mailing list.
Everything changed with the entrance of Gmail onto the scene. When Gmail launched in 2004 they were providing a whole GB of storage for email accounts, a totally unheard of storage capacity. Within a year they were providing multiple gigabytes of storage. Other freemail systems followed Gmail’s lead and now all free accounts have nearly unlimited storage. Plus, any mail in the spam folder is purged after a few weeks and bulk mail doesn’t count against the users’ storage quota. Now, an abandoned email account will almost never fill up, thus senders can’t use over quota bounces to identify abandoned accounts.
Now we’re stuck in a situation where SMTP replies can’t be used to identify that there is no one home inside a particular email account. Senders can’t distinguish between a quiet subscriber and an abandoned address. ISPs, however, can and are using zombie addresses as a measure of a sender’s reputation.
On Monday we’ll talk about why and how zombie addresses can affect delivery. (Zombie emails: part 3)
Tuesday, we’ll talk about strategies to protect your list from being taken over by zombies. (Zombie Apocalypse)

Read More

Zombie email: Part 1

Zombie email addresses: those email addresses that never really die, eat your brains and destroy your email delivery. To understand zombie addresses and why they’re just now becoming a problem, we really need to understand some of the history of email addresses.
In the early days of the net, people got an email address usually associated directly with their access to the Internet. Many of them ended with .edu or .gov. I even had one that ended in .BITNET for a while. The first ISPs followed this convention. Users signed up for an account at a local dialup and were assigned an email address, and that was their email address. It wasn’t until the late 1990’s that there was widespread access to multiple email addresses.
What this means is that when people left a job, or canceled their Internet access their email address went away. Addresses that were abandoned would, after a short period of time, start bouncing back with user unknown, giving everyone the opportunity to stop mailing that account.
Even with the advent of multiple addresses for a single account and the easy availability of free addresses from places like Hotmail, addresses that had been abandoned would still bounce off a list. Why? Because accounts had limited storage. My first dialup account had, I think, 10MB of space. It may have been as much as 20MB, but it wasn’t very much. Accounts receiving a lot of mail that weren’t checked frequently would fill up and start bouncing mail. Senders would be able to remove abandoned accounts because they were full.
Tomorrow we’ll talk about two things that happened in the early 2000’s that changed email and led to the rise of zombie email.
Zombie Email: Part 2
Zombie Email: Part 3
Zombie Apocalypse

Read More

It's not illegal to block mail

My post “We’re going to party like it’s 1996” is still getting a lot of comments from people. Based on the comments, either people aren’t reading or my premise wasn’t clear.
Back in 1996 the first lawsuits were brought against ISPs to stop ISPs from blocking email. These suits were failures. Since that time, other senders have attempted to sue ISPs and lost. Laws have been written protecting the rights of the ISPs to block content they deem to be harmful.
Dela says that he was just attempting to open up a conversation, but I don’t see what he thinks the  conversation is. That ISPs shouldn’t block mail their customers want? Sure, OK. We’re agreed on that. Now, define what mail recipients want. I want what mail I want, not what someone else decides I might want.
Marketers need to get over the belief that they own end users’ mailboxes and that they have some right to send mail to people. You don’t.
When marketers actually start sending wanted mail, to people who actually subscribe – not just make a purchase, or register online or happen to have an easily discoverable email address – then perhaps marketers will have some standing to claim they are being treated illegally. Until and unless that happens, the ISPs are well within their rights to block mail that their users don’t want.

Read More

Reputation monitoring sites

There are a number of sites online that provide public information about reputation of an IP address or domain name.

Read More

In Atlanta through Friday

Off to visit the Chimps this week in Atlanta. Blogging from me may be light, but Steve will be around.

Read More

Gmail Evolution

All the cool kids are doing infographics, so here’s our take on the new Gmail Priority Inbox.

Read More

The cult of SPF lives

Years ago, prior to the public discussions of Domain Keys, there was SPF as the solution to all our email authentication problems. SPF was going to let people do all sorts of things with email. The proponents even privately asserted that it would solve the spam problem. In essence, SPF was a cult. BoF sessions at meetings had the flavor of a big tent style revival. Those of us who didn’t support SPF were shunned and belittled. How could we not support such a brilliant protocol? Did we want spam to continue being a problem? All our objections no matter how rooted in reality were dismissed out of hand. SPF was an evangelical, cult-like movement.
I am somewhat sad to announce that the cult of SPF still lives. The most recent example is the number of people that have taken me to task for a recent post I wrote pointing out that SPF records aren’t actually that important for email delivery. My example was that a client of mine had incorrect SPF records (with a -all even) but was still getting inbox delivery at Hotmail. We repaired the records, re-registered them with Hotmail and Hotmail not only isn’t checking them but also sent mail to me admitting they don’t check SPF for incoming email.
My statement was that SPF wasn’t really important to getting email delivered. This seems to have upset a number of people. Someone on twitter pointed out that a valid SPF record gave you a positive score with SpamAssassin. What they didn’t mention was that a valid SPF record gives you an entire -0.001 with SpamAssassin.
Today I get a comment from Tom (which seems more like an ad for his company than an actual comment) that says

Read More

Botnets and viruses and phishing, oh my!

MessageLabs released their monthly report on email threats yesterday. Many media outlets picked up and reported that 41% of spam was from the Rustock botnet.
Other highlights from the report include:

Read More

Goodmail for sale?

The first edition of the Magill Report dropped in my mailbox (and the mailboxes of lots of other people, judging by my twitter feed) this afternoon. In his newsletter, tucked between an announcement of a new DMA CEO and rather depressing news about how long it’s taking to find jobs, he announced that Goodmail is being offered for sale. It seems that an investment banking firm is offering a company it calls “Project Conduit.”

Read More

Social Networks and Email

There’s been a steady trickle of “Email is Dead!” announcements over the years.
2005 – Pew Internet announces “email may be at the beginning of a slow decline”
2006 – USA Today announces “Email has become the new snail-mail”
2009 – The Wall Street Journal announces “The End of the Email Era”.
That’s not surprising, and it’s due to the importance of email – in the same way that most high-end smartphones have to be pitched as “iPhone killers”, no new communication channel will get any respect unless it’s pitched to the blogosphere (and the venture capitalists) as an “email killer”.
That claim has been debunked lots of times. Repeatedly. Many, many times. More times than that.
But sometimes you need something to make you notice quite how alive email is. I signed up for a Facebook account about three years ago, and had half forgotten about it. After a couple of people mentioned it at a pool party on Saturday, I added three friends yesterday.
This is what my mailbox looks like today (with a couple of private mailing lists blanked out):

Email is looking quite healthy.
If anything does ever kill it, I’m betting it won’t be social networking.

Read More

Spamhaus and Gmail

Today’s been chock full of phone calls and dealing with clients, but I did happen to notice a bunch of people having small herds of cows because Spamhaus listed www.gmail.com on the SBL.
“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.
My own opinion is that Google doesn’t do enough to police their network and their users, and that a SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.
Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.
Spamhaus says

Read More

Is your data secure?

Not just secure from outside forces, but also secure from employees?
In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.
This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.
ESPs should take action to prevent employees from stealing customer data.

Read More

The return of the Magill Report

After a 6 month hiatus, Ken Magill has returned to offer his insightful, and somewhat snarky, take on email marketing. You can subscribe at The Magill Report.
Ken is really trying to make this report an example of how to do ad supported email newsletters right. When I subscribed yesterday I received the following welcome message:

Read More

Thursday mini-audit – part 3

Four weeks ago you signed up for your mailing list using a virgin email address. (You didn’t? Maybe you should do that today – there’s no time like Thursday for a quick sanity check!)
Check the mailbox for the account you signed up

Read More

Spamfilters: a marketer's best friend

I was cleaning out my spam folder this afternoon. I try and do it at least once a day, otherwise the volume gets so bad I don’t actually look at the mail I just mark it all as read. I realized, though, that spamfilters are actually a marketer’s best friend.
If there were no spam filters keeping all the crap people get out of their inbox (in my case over 1000 messages a day) then spam would overwhelm even the most dedicated email junkie. I couldn’t do my job without my spam filters, and in fact the recent rash of virus spew is ending up in my inbox and making finding real mail a problem. I do a lot of sorting before mail ever hits my inbox, and I’m still struggling to deal with the couple hundred “your order has shipped!” and “please her tonight!” emails that my local bayesian filters haven’t caught up to, yet.
Today’s stats:
Work inbox: 17 messages
Work spam: 419
95.9% spam
Personal inbox: 40
Personal spam: 975
95.9% spam
Without filters, I couldn’t accurately find that 4.1% of real mail that I get. Without filters, I couldn’t do my job. Without filters, I couldn’t find the real receipts from purchases I actually made. Without filters, I couldn’t read and respond to mail I wanted.
A mailbox overflowing with spam is unusable, and email marketers should be thankful that providers work so hard to keep spam out. Otherwise, email wouldn’t be useful for anything.

Read More

Is social media a laughing matter?

I really love my job, but sometimes I miss academia, research and science. One of the ways I stay somewhat connected to that world is reading Scienceblogs (and the new Scientopia site). A few weeks ago my worlds collided when one of the librarians at Scienceblogs posted a Friday funny: 5 signs you’re talking to a social media douchebag.

Read More

Spammer loses in the court of public opinion

Columnist Mike Cassidy of the SJ Mercury News dedicates his column today to explaining how horribly a spammer named Michael Luckman is being treated by Spamhaus.
The gist of the story is that Mr. Luckman thinks that because it is legal to purchase lists and send mail that there is nothing anyone can do to stop him from doing so. Unfortunately for Mr. Luckman, this isn’t actually true. Simply complying with the law does not mean that spamming behaviour has to be tolerated by ISPs. What’s more, ISPs have a lot of power to stop him.
His recipients’ ISPs can stop him. Filtering companies can stop him. And his upstream can stop him. In fact, Mr. Luckman’s upstream is GoDaddy, a company that has an abuse desk that is one of the toughest on the Internet. They do not tolerate spamming at all and will disconnect customers that are spamming whether or not there is a SBL listing involved.
Sure, Mr. Luckman is complying, or says he’s complying, with CAN SPAM. But that doesn’t change the fact that he is violating his contract with GoDaddy. Given that admission, I am extremely surprised that the reporter focused so exclusively on Spamhaus’ role in this, without mentioning GoDaddy’s abuse enforcement or that Mr. Luckman has to comply with contracts he signed.
Most reputable marketers agree that sending mail to purchased email addresses is spam. Most recipients agree that mail they didn’t ask to receive is spam. Even the reporter agrees that Mr. Luckman is a spammer. Compliance with CAN SPAM doesn’t mean anyone is required to accept his mail, nor provide him with a connection to the rest of the internet.
This is a lesson Mr. Luckman is having problems learning. Instead of fixing his process so he isn’t sending spam, he contacts a reporter to plead his case in the court of public opinion. Sadly for him, most people hate spam and won’t defend a self admitted spammer against a blocking group. In fact, over 80% of the people who have voted in the “has Spamhaus gone too far” poll have said no. What’s your vote?

Read More

Freemail opens

Justin Coffey commented on my check your assumptions post pointing out his data on opens related to ISPs. He says:

Read More

Ownership of the inbox

Marketers often treat recipient inboxes with a certain level of ownership. They talk about getting mail to the inbox with the underlying implication that inboxes are for use by marketers and they tend to forget that recipients use email for a lot of things, not just being marketing targets.
This was crystallized for me a few years ago when I was running a conference session. The session had a very diverse group of attendees and as part of the session they broke up into smaller groups to talk about various email related topics. One of the questions was how do people use email. Those groups with more ISP representatives produced a list with dozens of ways people use email. The groups dominated with email marketers, though, came up with a much more limited set of uses, all of them related to marketing or commerce. They didn’t mention mailing lists or one on one discussions or connecting with friends as part of the things people use email for.
Marketers seem to forget that email was not adopted by users so they could be marketed to. In fact, email is primarily used by people to interact with friends, colleagues, allies and family members. Most recipients really don’t care about marketing in their inbox. They’re much more interested in the mail from mom with pictures of the new puppy. They’re looking for that mail from a friend linking to a silly video. They’re deeply involved in an online discussion with friends or colleagues about anything at all.
This doesn’t mean they don’t want marketing in their inbox. Every subscription is an invitation to visit the recipient’s mailbox. They are inviting a sales person to visit them at home or at work;  spaces where marketers are not traditionally invited.
The problem is that a lot of email marketers do not respect the space they’ve been invited into. They assume, usually incorrectly, they are being given ownership of that space. The marketer sees the inbox as their marketing space, not as space that the recipient feels ownership over.
When someone buys a magazine or watches TV, there are a lot of ads, but that’s OK because they don’t feel any ownership of those spaces. But when they subscribe to something in email, they don’t cede ownership of their inbox to the senders. It is still their inbox and marketers are there only because the recipient invited them. The recipient will kick marketers out if they start writing on the walls or otherwise disrespecting their space.
Many delivery consultants talk about engagement and sending timely, relevant email. All of those are really coded phrases meaning “when you’re invited into somebody’s house don’t scrawl on the walls or poop on the carpets.”

Read More

Don't forget to check out the forest

I have the #emailmarketing feed on twitter scrolling live across my screen while I’m working. It’s been an interesting experience as many of the people who tweet #emailmarketing aren’t part of my social network.
Over the last week or so there’s been a lot of tweeting going on about Ben and Jerry’s GIVING UP EMAIL MARKETING!!! Only, come to find out, that’s not what they’re doing. Yes, they are moving more into the social networking arena but they will be continuing to connect with subscribers through email. Today many are tweeting that perhaps they “jumped the cow” with their initial reports of email abandonment by B&J.
Watching the ongoing discussions led me to wonder if a lot of email marketers are so focused on the trees that they miss the forest. Are they so disconnected from how people actually use email, and social networks for that matter, that they spend way too much time chasing a response and not enough time thinking about what they’re saying and doing?
Email marketing discussions often focus on a limited number of things, the biggest are how to get mail to the inbox and how to get recipients to engage. Many marketers spend time and money looking for the elusive combination of factors that will get their mail to the inbox and impel the recipient to give the sender money. The focus is on details like color and pre-headers and length and timing and content above and below the fold and the perfect call to action.
The discussions focus almost exclusively on the sender and only mention the subscriber in passing. That is understandable on one level. Senders can only control one end of the equation and figuring out what inputs compel the best response from the other side is what marketing is all about.
But there’s another part of email marketing, and that is that subscribers invite marketers into their inboxes. When someone subscribes to a newsletter or mail from a company they’re offering that company the opportunity to interact with them in their personal space. This is, in fact, the holy grail of marketing: having the customer invite contact from a seller.
I suspect this is why the rumors of Ben and Jerry’s abandoning email had people all up in arms. A  company abandoning a channel where they had an engaged and interested audience? PREPOSTEROUS! What’s happening to email as marketing?
I’ll be honest, I didn’t pay much attention because it was such a silly idea. Any marketer worth their salt wouldn’t give up a way to interact with customers. Ben and Jerry’s is a company with an almost cult like following. Anyone who was going to subscribe to a B&J newsletter was going to want that mail (new flavors! coupons! new locations! inside information!).
Someone started a rumor, though, that B&J were abandoning email marketing and everyone focusing on the trees grabbed that story and ran with it. They were so focused on the details they didn’t take a step back and think about what they were repeating. Had they taken a step back and thought about the forest they would have realized how silly the idea of B&Js abandoning email as a customer communication channel was.

Read More

What does open rate tell you

There has been a lot written about open rates in the past, but there are two posts that stand out to me. One was the EEC’s post on renaming open rate to render rate and the other was Mark Brownlow’s excellent post on what open rate does and does not measure. I’ve also weighed in on the subject. The issue is still very confused.
If asked, most people will tell you that open rate is the number of emails that were opened by the recipient. The problem is that this isn’t actually true. Open rate is measured by the number of people that display an image in an email. Traditionally this has been a uniquely tagged 1×1 pixel, until some filters and mail clients stopped displaying 1×1 pixels. More recently, every image in an email is tagged, so opening one image would record as an open.
So open rate doesn’t actually tell a sender how many people opened and read an email. It really only records that an image in a particular email is loaded. It does not record when an email is opened. Some people don’t load images by default. Some people don’t load images at all, even when they open and actively read the text portion of the email.
Clearly, there are some uses for open rates. It can give a useful metric when comparing different forms of the same email (A/B testing) and when looking at user engagement over time. However, we have also recently seen that open rate is not predictive for click through rate.

Read More

Getting removed from an ISP block

A question came up on a mailing list about how long it typically took to resolve a spam block at an ISP. I don’t think that question actually has a single answer, as each ISP has their own, special, process.
ISPA takes 5 minutes. You fill out a form, it runs through their automated system and you’re usually delisted.
ISPB asks a lot of questions in their form, so it takes about 15 minutes to collect all the data they want and 10 minutes to fill out their form. Then, using very, very short words you keep repeating what you need to the tier 1 person who initially responded. That person eventually figures out they can’t blow you off and throws your request to tier 2, who handles it immediately.
ISPC has a different, somewhat long form. Again, you spend time collecting all the data and then fill out the somewhat obscure form. You get a response, but it’s a boilerplate totally unrelated to the initial request, so you keep answering until you find a tier 1 rep who can read and do what you initially asked.
ISPD has a form that takes about 2 minutes to fill out. Unfortunately, it goes to an outsourced postmaster team in the Far East and response times are ranging from days to months right now.
ISPE has an email address and if you catch them on a good day, they’re very helpful. Sometimes there’s no response, though.
ISPF has a troubleshooting page and accepts requests to fix things, but never responds in any visible manner.
ISPG tells you to talk to Spamfiltering Company H.
Spamfiltering company H answers their email in a prompt and friendly manner. OK, sometimes the answers are just “wow, your client/customer/IP range is sending lots of spam,” but hey, it’s an answer.
Spamfiltering company I is a useless bag of protoplasm and doesn’t even answer the email address they give you on their webpages. In a fit of fairness, I have heard they will occasionally respond, but usually that response is to tell you to go pay some apparently unrelated company a bribe to get delisted.
Spamfiltering company J doesn’t have a lot of ways to contact them, but has a lot of folks that participate in various semi-public arenas so if you’re even slightly part of the community, you can email them and they’re very helpful.
Spamfiltering company K is totally useless, but will tell you to have recipients whitelist you.

Read More

Optonline problems

I’m hearing from multiple sources that they’ve been having problems getting mail delivered to optonline.net, optonline.com and optimum.net all day. This appears to be affecting senders across the board, from ISPs to ESPs.
It looks like something is not working right over there, and hammering retries doesn’t seem to be helping. The best recommendation is for senders to back off overnight and test some sends tomorrow.

Read More

Tagged Email Addresses

Sept 17, 2019: Shutting down comments on this post because we cannot help you recover any email account and I am concerned about the number of people who are providing PII (including phone numbers, credit card numbers!!! and email addresses) in the comments. 

Read More

Buying Lists

One of my email addresses at a client got spammed today offering to sell me appending services. I was going to post the email here and point out all of the problems in how he was advertising it, including violating CAN SPAM.
As I often do, I plugged his phone number into google, only to discover that my blog post from March about this spammer was the 2nd hit for that number. Well, go me.
I can report nothing has changed. He’s still violating CAN SPAM. He’s still claiming I have no right to post, share, spindle, mutilate or fold his spam. Well, in the interest of something, I thought I’d share the whole post this time. Just to warn folks from attempting to purchase services from appendleads.com (nice website, by the way).

Read More

Creating effective links

CampaignMonitor blogged today about an email they sent out that triggered the Thunderbird “this might be a scam” filter.

Read More

Email is not direct mail

Had an interesting talk with a colleague at a BBQ this weekend. He was at a large ISP and then moved on to do delivery at a large email marketing company. This marketing company was started by a very successful direct (snail mail) marketer. The CEO believed totally in testing and they measured everything. They knew what colors provoked a better response and which fonts were better received by recipients.
But this wasn’t always enough. They had some spotty delivery and my friend was hired to try and solve the delivery problems. He had some luck and did fix a number of things, but there was a deeper issue he couldn’t address: that email is not direct mail. The type of testing done is the type of testing for direct mail. They were so focused on getting the best response to a particular offer they refused to consider tweaking an offer from their “proven ideal” to stop triggering content filters at some large ISPs. So their ideal offers would sometimes end up in the inbox and sometimes in the bulk folder and sometimes just disappear.
With direct mail, the USPS is required by law to deliver mail to the addressee. Not only that, there are a lot of barriers put up to prevent (or discourage) recipients from opting out of receiving direct mail. This isn’t the case in email. Not only is there no requirement for an ISP to deliver email to recipients, there is actually a law that says that recipients must be able to opt-out from receiving future emails.
Direct marketers are used to having a lot of freedom and control over their mail. They can buy and sell address lists and send almost anything they want without having anyone tell them they can’t. That mindset translates badly into the email space where the ISPs and the recipients have a lot of control over their incoming email. It means that senders with the absolute perfect test copy see delivery problems because their perfect copy looks just like something a spammer would do and gets caught in content filters. It means they come into email and try to buy a list and discover that while it may be financially viable, they have to deal with angry upstreams, blocks at recipient ISPs and sometimes a Spamhaus listing.
Email isn’t the same as direct mail and attempting to map direct mail techniques onto email usually doesn’t work.

Read More

10 ways spam is like Vuvuzelas

Amir Lev has a great post today detailing the 10 ways that spam is like Vuvuzelas. After reading his reasons (and deleting over 1000 messages from Cutwail), I absolutely agree.

Read More

Speaking to executives about deliverability

ExactTarget published a Deliverability whitepaper today. They interviewed a number of people around the email industry and asked them what they would tell C-level executives about email and email marketing.
It’s well worth a read, particularly given there are at least two ISP representatives speaking out about what they think makes a good email marketing program. You’ll see many of the themes we talk about here represented in the various articles.
Good delivery boils down to a few things, the most important of which is sending mail people have asked for and want.

Read More

ESPs, Non-portable Reputation and Vendor Lock-in

I’ve seen some mentions recently of ESPs suggesting that if you use your own domain in the From: of mail you send through an ESP then that ESP can’t “do email authentication” properly unless they require you to edit your domain’s DNS settings. That’s not really so, but there is a kernel of truth in there.
The real situation is, unsurprisingly, a bit more complicated.
What authentication features should you look for in an ESP?

Read More

Gmail and the PBL

Yesterday I wrote about the underlying philosophy of spam filtering and how different places have different philosophies that drive their filtering decisions. That post was actually triggered by a blog post I read where the author was asking why Gmail was using the PBL but, instead of rejecting mail from PBL listed hosts, they accepted and bulkfoldered the mail.
The blog post ends with a question:

Read More

Why do ISPs do that?

One of the most common things I hear is “but why does the ISP do it that way?” The generic answer for that question is: because it works for them and meets their needs. Anyone designing a mail system has to implement some sort of spam filtering and will have to accept the potential for lost mail. Even those recipients who run no software filtering may lose mail. Their spamfilter is the delete key and sometimes they’ll delete a real mail.
Every mailserver admin, whether managing an MTA for a corporation, an ISP or themselves, inevitably looks at the question of false positives and false negatives. Some are more sensitive to false negatives and would rather block real mail than have to wade through a mailbox full of spam. Others are more sensitive to false positives and would rather deal with unfiltered spam than risk losing mail.
At the ISPs, many of these decisions aren’t made by one person, but the decisions are driven by the business philosophy, requirements and technology. The different consumer ISPs have different philosophies and these show in their spamfiltering.
Gmail, for instance, has a lot of faith in their ability to sort, classify and rank text. This is, after all, what Google does. Therefore, they accept most of the email delivered to Gmail users and then sort after the fact. This fits their technology, their available resources and their business philosophy. They leave as much filtering at the enduser level as they can.
Yahoo, on the other hand, chooses to filter mail at the MTA. While their spamfoldering algorithms are good, they don’t want to waste CPU and filtering effort on mail that they think may be spam. So, they choose to block heavily at the edge, going so far as to rate limit senders that they don’t know about the mail. Endusers are protected from malicious mail and senders have the ability to retry mail until it is accepted.
The same types of entries could be written about Hotmail or AOL. They could even be written about the various spam filter vendors and blocklists. Every company has their own way of doing things and their way reflects their underlying business philosophy.

Read More

XXX coming to a mailbox near you… eventually

ICANN voted to advance the .xxx TLD proposal today. As one might expect, this is a sponsored TLD intended for use by porn and adult sites. This doesn’t mean that .xxx domains will be available immediately; there are still multiple steps in the process.
The next step is for ICANN to investigate the business model of ICM Registry, the sponsor of this TLD. If that passes, then .xxx domains will be coming to web browsers and mailboxes near you.
Update: For those of you who are shocked there is porn on the internet I only have to say (NSFW video + audio after the cut)

Read More

Delivery Jobs

There are a couple companies currently looking for delivery specialists.
e-Dialog: Delivery Specialist
Responsys: Delivery Consultant
ThinData: Delivery & ISP Relations Analyst
ThinData: Privacy Analyst
Know anyone else hiring? Leave links in the comments.

Read More

Legitimate mail in spamfilters

It can be difficult and frustrating for a sender to understand the whys and wherefores of spam filtering. Clearly the sender is not spamming, so why is their mail getting caught in spam filters?
I have a client that goes through this frustration on rare occasions. They send well crafted, fun, engaging content that their users really want. They have a solid reputation at the ISPs and their inbox stats are always above 98%. Very, very occasionally, though, they will see some filtering difficulties at Postini. It’s sad for all of us because Postini doesn’t tell us enough about what they’re doing to understand what my client is doing to trigger the filters. They get frustrated because they don’t know what’s going wrong; I get frustrated because I can’t really help them, and I’m sure their recipients are frustrated because they don’t get their wanted mail.
Why do a lot of filter vendors not communicate back to listees? Because not all senders are like my clients. Some senders send mail that recipients can take or leave. If the newsletter shows up in their inbox they may read it. If the ad gets in front of their face, they may click through. But, if the mail doesn’t show up, they don’t care. They certainly aren’t going to look for the mail in their bulk folder. Other senders send mail that users really don’t want. It is, flat out, spam.
The thing is, all these senders describe themselves as legitimate email marketers. They harvest addresses, they purchase lists, they send mail to spamtraps, and they still don’t describe themselves as spammers. Some of them have even ended up in court for violating various anti-spam laws and they still claim they’re not spammers.
Senders are competing with spammers for bandwidth and resources at the ISPs, they’re competing for postmaster attention at the ISPs and they’re competing for eyeballs in crowded inboxes.
It’s the sheer volume of spam and the crafty evilness of spammers that drives the constant change and improvement in spamfilters. It’s tough to keep up with the spamfilters because they’re trying to keep up with the spammers. And the spammers are continually looking for new ways to exploit recipients.
It can be a challenge to send relevant, engaging email while dealing with spamfilters and ISPs. But that’s what makes this job so much fun.

Read More

Link roundup June 18, 2010

Hotmail has released a new version of their software with some changes. Return Path discusses the changes in depth, but there are a couple that senders may find helpful.

Read More

The view from a blacklist operator

We run top-level DNS servers for several blacklists including the CBL, the blacklist of infected machines that the Spamhaus XBL is based on. We don’t run the CBL blacklist itself (so we aren’t the right people to contact about a CBL listing); we just run some of the DNS servers. But that means that we do get to see how many different ways people mess up their spam filter configurations.
This is what a valid CBL query looks like:

Read More

A short note

We had a catastrophic failure of our mail server over the weekend. We lost both drives and the server won’t boot past the BIOS stage. Most of the weekend was spent on recovery and restoration, and we expect to have mail restored today. In the meantime, if you need to get a hold of me I’m available on AIM as wttwlaura and can be reached at my gmail account: wttwlaura.
This does mean I have the opportunity *ahem* to re-organize mail and my mail handling work flow. What better time to move to zero inbox than now when I have to rebuild my sieve scripts from scratch?
UPDATE: mail is back and I can be reached at the normal places, including through our contact link.

Read More

Domain Assurance by Return Path

As often happens during MAAWG, email companies are announcing new products. One of the interesting ones is the new Domain Assurance product from Return Path.

Read More

HTML in email

Steve and I were talking this afternoon about HTML in email. He wanted to know what headers I looked for in the HTML portion of an email. A good question, as I’ve seen everything from a full doctype declaration through to just <body> tags. All of them seem to render OK in various mail clients so I don’t spend too much time worrying about the specific HTML header elements. I do look for invalid tags and comments, but I check those whether they are in the header or the body.
Those of you that design HTML emails, what are your experiences with headers? Are there specific HTML headers that you always include? Do you skip the header portion of the HTML document and just use body tags? How do you test? What do you think is important?

Read More

Who's sharing data

Al has a post asking what people would do if their information was shared after opting out of any sharing.
It’s a tough call and one I think about as I see mail coming to my mailbox to such addresses as laura-sony and laura-quicken and laura-datran. All of these were addresses given to specific companies and where I attempted to opt-out of them sharing my data with other companies. Somewhere along the line, though, the addresses leaked and got into the hands of spammers.
Those addresses are overwhelmed with spams and scams. The frustrating part is there is no way to fix it. Once the addresses are leaked, they’re leaked. They will be receiving spam throughout eternity, even if the companies involved stop selling data or fix their data handling problem.
I don’t know what to do, honestly. If I think it was a one time thing, such as the addresses that started getting spam after the iContact data leak, then I’ll change my address at the vendor and retire the address the spammers have. But with other vendors, I don’t know what happened and I suspect the vendor doesn’t either, and so I can either deal with the spam or hope that I don’t lose real mail from that vendor.
There’s no easy answer. Any time you hand over an email address, or any other form of personal data, you’re trusting in the company, all of their employees and all of their vendors and partners to be honest and competent. This is often not the case.
What do you do?

Read More

Delivery Monitor Closing Down

Delivery Monitor by Aweber is one of the inbox monitoring services available for senders. Aweber has been in the process of winding down Delivery Monitor for the last few months and they will be turning the service off completely tomorrow.
A lot of folks have asked me about replacements for Delivery Monitor. There are, of course, Return Path and Pivotal Veracity, but many of the smaller mailers I talk to can’t justify the expenditure for either service.
Enter Green Arrow Monitor, a service provided by Green Arrow. This is a new seed list service aimed at marketers that need some delivery monitoring at commercial US ISPs. They’re reaching for the middle of the market. As a bonus, they’re offering special pricing for former Delivery Monitor customers.
While they don’t offer all the bells and whistles of other seedbox services, for the small to mid-size company that wants to know what their delivery is like at the major commercial ISPs this is a worthwhile service to investigate.
Full disclosure – I worked with GreenArrow to look at what parts of the market were being missed by other monitoring services and provide delivery consulting for some of their customers.

Read More

Confirming spam reports

Someone floated the idea of having ISPs confirm that a user really wants to report a mail as spam every time they do so. The original poster was asking for comments and what we thought of such an idea.

Read More

Spamtraps

There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.

Read More

Email lost a valuable voice

In very sad news ClickZ announced today that Stefan Pollard, email marketer at Responsys and writer for ClickZ passed away recently. Stefan and I interacted over the years but we never had the opportunity to meet in person. His articles on email and delivery were always on my must read list. While I didn’t agree with everything he wrote, I always appreciated his writing and his point of view.
ClickZ is running an online memorial for Stefan which also links to a scholarship fund for his children run by Responsys.

Read More

Delivery problems are not all spam related

Not every delivery failure is due to poor reputation or spam. Sometimes ISPs just have problems on their mailservers and so mail doesn’t get through. It’s often hard for delivery experts (and their bosses and their customers and their clients) to watch email delays or rejections without being able to do anything about it.
Sometimes, though, there is nothing to do. The rejections are because something broke at the ISP and they have to sort through it. Just this week there’s been a lot of twitter traffic about problems at a major cable company. They are rate limiting senders with very good reputations. They have admitted there is a problem, but they don’t have a fix or an ETA. From what I’ve heard they’re working with their hardware vendor to fix the problem.
Hardware breaks and backhoes eat fiber. Yes, ISPs should (and all of the large ones do) have backups and redundancies. But those backups and redundancies can’t always handle the firehose worth of mail coming to the ISPs. As a result, the ISPs start rejecting some percentage of mail from everyone. Yahoo even has a specific error message to distinguish “we’re blocking just you” from “we’re shedding load and temp failing everyone.”

Read More

Public reputation data

IP based reputation is a measure of the quality of the mail coming from a particular IP address. Because of how reputation data is collected and evaluated it is difficult for third parties to provide a reputation score for a particular IP address. The data has to be collected in real time, or as close to real time as possible. Reputation is also very specific to the source of the data. I have seen cases where a client has a high reputation at one ISP and a low reputation at another.
All this means is that there are a limited number of public sources of reputation data. Some ISPs provide ways that senders can check reputation at that ISP. But if a sender wants to check a broader reputation across multiple ISPs where can they go?
There are multiple public sources of data that I use to check reputation of client IP addresses.
Blocklists provide negative reputation data for IP addresses and domain names. There are a wide range of blocklists with differing listing criteria and different levels of trust in the industry. Generally the more widely used a list the more accurate and relevant it is. Generally I check the Spamhaus lists and URIBL/SURBL when investigating a client. I find these lists are good sources for discovering real issues or problems.
For an overall view into the reputation of an IP address, both positive and negative, I check with senderbase.org provided by Ironport and senderscore.org provided by ReturnPath.
All reputation sources have limitations. The primary limitation is they are only as good as their source data, and their source data is kept confidential. Another major limitation is reputation sources are only as good as the reputation of the maintainer. If the maintainer doesn’t behave with integrity then there is no reason for me to trust their data.
I use a number of criteria to evaluate reputation providers.

Read More

Why offer a feedback loop?

Someone asked yesterday

What business advantage is there to an ISP in offering a feedback loop? I’ve never really seen one.

Read More

Gmail rendering problem workaround

Gmail recently changed some of the rendering of emails on their website, breaking a lot of email layouts in the process.
Numerous places have published workarounds including The Email Guide and Return Path.

Read More

Reputation and "the cloud"

As Reddit recently learned it’s not a great idea to use the Amazon EC2 cloud to host mailservers. There are a number of reasons for this, most of them related to the reputation of mail coming from EC2 servers.
When you’re using machines in the cloud, changing IP addresses is as simple as initializing a new server. Spammers discovered this almost as soon as the EC2 cloud became public. They would set up a mailserver and send spam through that server until it was blocked. Then they’d just start another instance to avoid the block and keep spamming. They had an almost unlimited number of IP addresses to abuse and moving around was easy to do. Amazon did little to stop the spam coming from the cloud so many ISPs and spam filtering companies blocked email from the entire range of IP addresses allocated to the EC2 cloud.
Blocking large swathes of network space that are consistent sources of abuse is well accepted as a method of dealing with spam. Yes, this form of blocking has inconvenienced legitimate companies who aren’t actually doing anything wrong. But when a service provider doesn’t take sufficient action to stop customers from spamming through their networks, then ISPs will implement countermeasures.

Read More

Recent email marketing news

Apparently mentioning “affiliate” in a blog post brings out the blog spammers. I’ve had dozens of trackbacks on yesterday’s how to avoid affiliate spam. Oh, the irony.
A bucket of announcements came out over the last week.
The uber smart folks at Mailchimp have a new iPad app called Chimpadeedoo. This app lets merchants collect email addresses at the point of sale, on an iPad sitting next to the register. Given the troubles my clients have run into when trying to collect addresses in their brick and mortars, this is definitely a product whose time has come.
Venkat talks about a few anti-spam cases making their way through California courts and how the courts seem to be siding with the plaintiffs recently.
On the lawsuit front, John Levine posts about peacefire.org losing an anti-spam case due to the Gordon v. Virtumundo case.
ReturnPath and Liveclicker have partnered to bring video to email. I know marketers are all for video in email, but I can’t get excited about it. I read fast and videos always seem to take too long to watch. I don’t have a feel, though, for how much the average email recipient wants video in their mailbox.
Stephanie Miller from ReturnPath has a summary of a talk given by representatives from Hotmail and Yahoo at the Email Insider’s Summit sponsored by Mediapost. Both ISPs emphasized the need for senders to engage their recipients.

Read More

Mainstream spam wrap-up

Over the last week Steve and I have posted about the AARP hiring affiliates to send spam on their behalf: starting with the poorly done email message, moving through the process of identifying the responsible entity and then walking through the details of how we tracked the spammer.
Why spend a week writing about the AARP spamming? I initially posted about the AARP spam because it was such a horrible example of email marketing. Not just that it was spam but it was careless spam. Plus, in a lot of my interactions with marketers, clients and delivery experts I hear a lot about how “real” companies don’t spam, don’t support spam and wouldn’t ever let someone spam on their behalf. This isn’t true, not even a little bit.
The post actually came to the attention of the AARP and someone from their national headquarters commented that it was “just spam” and had nothing to do with AARP. I’ll be honest, I was annoyed with their reaction. I did my homework before calling the AARP out and was convinced this mailing was authorized by them.
Over the next 2 days Steve investigated the spam and reported on his findings. He only documented the full investigation on one of the emails I received (yes, there were multiple emails sent to the same address, most of them coming from different domains owned by the spammer). We did this to document that yes, mainstream companies do hire spammers and that trail can sometimes be tracked. We also wanted to show the lengths spammers and their customers will go to in order to get through filters and spam blocks.
A lot of mainstream groups do support spam and hire other people to send it on their behalf. Many of these same companies expect ISPs to hurry up and let mail through because “we’re a legitimate company” when their mail is blocked.
To be fair, some companies may not initially intend to support spam, but when they see the money rolling in they can’t stop. Some may pay lip service to no-spam policies, but deliberately turn a blind eye to spam advertising their company. Some hire spammers, but with enough distance between themselves and the spammer that they can deny they knew about the spam.
Every company using email for acquisition without actively managing the email program is at risk of spammers being hired on their behalf. There are some things that can be done to lower the risk of spammers being used to send spam, but the spammers are clever and if the payouts are high enough they will spam on your behalf.
There are things a company can do to minimize the chances that an affiliate program will attract spammers. Check back tomorrow for some processes that have proven effective for my clients.

Read More

What Happens Next…

or Why All Of This Is Meaningless:
Guest post by Huey Callison
The analysis of the AARP spam was nice, but looking at the Mainsleaze Spammer Playbook, I can make a few educated guesses at what happens next: absolutely nothing of consequence.
AARP, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous lead-gen contractor”. They probably send a strongly-worded letter to SureClick that says “Don’t do that again”.
SureClick, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous affiliate”. They probably send a strongly-worded letter to OfferWeb that says “Don’t do that again”.
OfferWeb, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous affiliate”. And maybe they DO fire ‘Andrew Talbot’, but that’s not any kind of victory, because he probably already has accounts with OTHER lead-gen outfits, which might even include those who also have AARP as a client, or a client-of-a-client.
So the best-case result of this analysis being made public is that two strongly-worded letters get sent, the URLs in the spam and the trail of redirects change slightly, but the spam continues at the same volume and with the same results, and AARP continues to benefit from the millions of spams sent on their behalf.
I’m not a lawyer, but I was under the impression that CAN-SPAM imposed liability on the organization that was ultimately responsible for the spam being sent, but until the FTC pursues action against someone like this, or Gevalia, corporations and organizations will continue to get away with supporting, and benefiting from, millions and millions of spams.
As JD pointed out in a comment to a previous post: sorry, AARP, but none of us are going to be able to retire any time soon.

Read More

Analysing lead-gen spam

Yesterday I showed how major companies hire hard core spammers.
Today I’m going to show you some of the technical details as to how I found that data. This is a fairly quick and shallow analysis, the sort of thing I’d typically do for a client to help them decide whether the case was worth pursuing before expending too much money and time on investigation and legal paperwork. I’ve also done it using standard command line tools that are available on pretty much any unix command line (and windows, with a little effort).
There are several questions to answer about the email in question.

Read More

AARP, SureClick, Offerweb and Spam

On Tuesday Laura wrote about receiving spam sent on behalf of the AARP. The point she was discussing was mostly just how incompetent the spammer was, and how badly they’d mangled the spam such that it was hardly legible.
One of AARP’s interactive advertising managers posted in response denying that it was anything to do with the AARP.

Read More

Spam from mainstream companies

Yesterday I wrote about spam I received advertising AARP and used it as an example of a mainstream group supporting spammers by hiring them (or hiring them through proxies) to send mail on their behalf.
My statement appears to have upset someone, though. There is one comment on the post, coming from an IP address allocated to the AARP.

Read More

Did anyone actually look at this email before sending?

I received spam advertising AARP recently. Yes, AARP. Oh, of course they didn’t send me spam, they hired someone who probably hired someone who contracted with an affiliate marketer to send mail.
The affiliates, while capable of bypassing spam filters, are incapable of actually sending readable mail.

Read More

We only mail people who sign up!

I get a lot of calls from clients who can’t understand why they have spamtraps on their lists. Most of them tell me that they never purchase or rent lists, and they only mail to people who sign up on their website. I believe them, but not all of the data that people input into webforms is correct.
While I don’t have any actual numbers for how many people lie in forms, there was a Slashdot poll today that asked readers “How truthful are you when creating web accounts?”. The answer seems to be “not very”, at least for the self-selected respondents.

Read More

The psychic and the not-really-opt-in

I’ve been getting a continual stream of spam from a psychic. I blogged about it a few months ago, and even had a call with the psychic’s ESP. None of that seemed to matter. Every few days I’d get another ad for psychic candles, or recording services or whatever. It wasn’t mail I could easily filter, and every time I’d get it I’d growl and dump it in my junk folder.
Yesterday, I received another mail from her. The subject line is “list opt-in verification.” Really? Could she really be actually confirming her list? Actually asking if I want to continue receiving mail?

Read More

Signing up for lists

How many email marketers hand over email addresses whenever asked? Are those of us in the email field more or less likely than the average consumer to sign up for something?
I sign up for a lot of mail, but there are different categories of that mail.
Mail I actually want from a company. Usually these are local companies where I visit their brick and mortar or an online only company that I actively buy from. I read the emails for the content and because I’m interested in the company and their products. I occasionally will actually analyze their headers and think about their sending practices. Usually I’m just interested in the sale they’re offering or the information they’re sharing. These companies get a tagged email address that goes into my main mailbox.
Mail where I’m interested in how the company is using email. Generally these are big, national brands. Sometimes they’ll ask me for an address during an offline transaction, other times I’ll make a purchase from them. I’m not really interested in what they’re offering, but it’s good to keep an eye on how email is being used by large companies with expensive ad agencies and marketing departments. I do look at the headers of the mail, check their authentication and look at the format of the emails. These companies also get a tagged address that goes right to my main mailbox.
One thing I don’t do is automatically provide email addresses to companies. This annoys some to no end. “We don’t have an email address on file for you. Do you have an email address?” They never ask if I want to give them the address, they just ask if I have one. I expect a lot of people just say, “Yes, it’s laura@example.com” and don’t think for a second this means they are opting in to mail from that company. I also think that some companies train their phone and sales reps to ask this way in order to get email addresses from people without informed consent.
I also do a lot of signups to client lists. This is mail I want as without copies of the email I can’t do the audits they’ve contracted me to do. I have a set of addresses that go to a special account and are automatically tagged with client and signup information so I can sort and filter by client and website and all sorts of fancy things. I spend a lot of time looking at the structure of the email. I look at headers for compliance with standards and to confirm any authentication is set up correctly. I look at the body for similar reasons.
I also sign up for some mail that I don’t really want to receive. For these classes of mail I have disposable addresses. This can be investigating affiliates (or potential affiliates) for clients. This can be for an ESP client who wants one of their customers investigated. Sometimes I can’t believe a website is for real so I sign up just to see what their hook is.
Using different addresses and different filtering schemes helps me keep all these email uses separate and clear. I can tell what category a mail is in just by the address that it was sent to. I can also filter on “To” addresses, meaning that mail I’ve signed up for doesn’t get caught in my spam filters. Complex? Yes. But it keeps me up to date not only on offers from companies I purchase from, but also on what others are doing in the email marketing world.

Read More

Confusing opt-in and opt-out

Harvard Business Review posted a blog earlier this week suggesting that all businesses should treat email marketing as an opt-out process. Unfortunately, the post seemed to me to conflate and confuse a number of things.
She mixes in potential customers providing business cards to an exhibitor at a trade show with current customers that are using a product. She promotes businesses using opt-out as a default communication practice, but then talks about giving customers preference centers to manage the contact.
Overall, it was a very confusing article.
For instance the author says:

Read More

Blocklists, delisting and extortion

As I’m sure many of you have heard by now there is a new blocklist called ‘nszones.’ This blocklist is apparently stealing data from a number of other publicly accessible blocklists, combining the data and then charging folks for delisting.
This is a scam attempting to extort money from people. The blocklist has no way to actually remove IPs from the parent zones and I’m pretty sure they won’t even remove IPs from their own zones. In this case, the blocklist is clearly a scam, but there are other lists that are actually used by some mailservers that do charge for removal.
No legitimate blocklist will ever expect a listee to pay for delisting. Ever.
I feel very strongly about this. In fact, one of the major blocklists is run off a domain owned by Word to the Wise. Occasionally, I get contacted by folks looking for help with a listing on that list and I will not take them on as a client. I will provide general advice and make sure that they are correctly contacting the blocklist but nothing more.
This is, to my mind, the only ethical thing to do. I don’t even want a hint of impropriety surrounding either myself or the blocklist. Charging money for delisting only feeds the conspiracy theories.
Charging listees for removal (or listing listees so those charges can be a revenue source) is likely to lead to poor quality data and a blocklist that’s not terribly accurate nor effective. Furthermore, if a list operator is unethical or confrontational in their interactions with listees, they’re probably equally unprofessional in their interactions with potential list users. This results in few recipient domains actually using the list to block mail. Lists that charge are not widely used and being listed on them often does not affect email delivery in any appreciable manner.

Read More

Listen to the experts

Two blog posts came out today interviewing big players in the email and delivery arena.
Over on the Unica blog, Len Shneyder interviews Annalivia Ford, who is a new member of their email operations team. She has had many years of experience in dealing with senders from the receiver position. She summarizes successful delivery as follows:

Read More

Return Path Changes certification standards

Return Path recently announced changes to their certification program. They will no longer be certifying 3rd party mailers.

Read More

Define "spam"

A comment came through recently from Trent asking me to define spam. It’s been a while since I’ve talked about how I define spam, so let’s look at it.
Personally, I describe spam as unsolicited bulk email. If I didn’t ask for it and it looks like bulk mail then I consider it spam. In many cases the spammers have multiple email addresses of mine so I can demonstrate the mail was sent in bulk.
In my consulting and working with clients, though, I rarely use the word spam. There are so many different definitions of spam, I have no way to know if my clients understand what I am saying, so I avoid the term as much as humanly possible. Here are a few of the definitions of spam I’ve seen used over the years.

Read More

Delivery resources

I’m working on a few projects designed to help provide mentoring for other delivery people and to bridge the communication gap between the various groups active in email. One of those projects is collecting, linking to, and publishing more delivery resources. Some will be linked to directly from the blog, others will be linked to from the wiki. While I’m reasonably familiar with what’s out there, it is impossible for me to know about all the useful resources available. So I ask you readers:

Read More

You want to sell me a list?

Over the years, some of my clients have found it expedient to give me email addresses at their domains. These addresses forward mail addressed to laura@clientsite to my own mailbox. Generally these are so I can be added to internal mailing lists and have access to their internal tools.
It’s often amusing to see the spam that comes through to those addresses. Over the last few weeks I’ve received multiple spams advertising an email appending service.
Let the irony sink in. An email appending service is sending me an email at a client company offering the client company the opportunity to append email addresses. “See how accurate our appending is!”
How accurate can a service be if they can’t even target their own spam correctly?
In addition to the appalling targeting they’re also violating CAN SPAM (no physical postal address), their website is a collection of broken links and they don’t provide any company name or information in the email or on the website.
To top it all off, the mail says, “if you’re not the right person to act on this mail, please forward this to the right person.” Followed by a standard legal disclaimer that says, “The information contained in this e-mail message and any attachments is confidential information intended only for the use of individuals or entities named above. If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail at the originating address.”
I wonder if blogging about the utter email incompetence about mail from David Williams, Business Development (phone number: 800-961-5127) violates the confidentiality clause?

Read More

I need to dodge filters

Number five of seven in our occasional series on why ESPs need, or don’t need, lots of IP addresses to send mail properly.

Read More

Yahoo turns on images by default for RP certified IPs

Return Path announced today that images and links from Return Path Certified senders are turned on by default in the Yahoo mail interface. This affects many of the other domains using Yahoo for mail hosting including Bellsouth, SBC, Rogers, BT Internet and Rocketmail.
Overall, I think this is something that Return Path can be proud of. Yahoo fiercely protects their users’ inboxes. They have even gone so far as to cancel contracts with certification companies when the level of certified clients was not to their standards. I have no doubt that this decision was made by looking at the quality of customers that Return Path are certifying and deciding that the certification is a meaningful and useful measure of the mail.
This speaks to the time and effort Return Path commits to both the initial certification process and the ongoing monitoring and compliance processes.

Read More

A good inbox experience

One of the reasons so much email is filtered at the ISPs is that they want users to have a good inbox experience. Earlier this week Yahoo announced they were providing users with the ability to collapse certain ads while reading email.

Read More

State of the Industry

Over the last few weeks I’ve had a series of posts on the blog from various authors who are active in the email space.
I posted A very young industry commenting on the lack of experience among email marketers. I think that some of the conflict between ISPs and ESPs and receivers and marketers can be traced back to this lack of longevity and experience. Often there is only a single delivery expert at a company. These people often have delivery responsibilities dropped on them without any real training or warning. They have to rely on outside resources to figure out how to do their job and often that means leaning on ISPs for training.
JD Falk described how many at ISPs feel about this in his post With great wisdom…

Read More

You must be present to win

Guest post by Phil Schott
I often have the pleasure of putting my four year-old son to bed at night and I’m usually exhausted afterward. It’s a never-ending string of questions and admonishments that goes something like this,
“Daddy, is it a stay-at-home day tomorrow?”
“No, Joe, tomorrow is a go-to-school day, it’s Tuesday. Joe, stop talking and go to sleep and please stop picking your nose.”
“Daddy, how long until the Easter bunny comes?”
“A few weeks. Now, go to sleep and stop picking your nose, Josef.”
“Dude, what did I say about picking your nose?”
“Sorry daddy, I can’t help it. It’s my job.”
“Daddy, When’s it going to be my birthday?”
“Joe, you’re not going to live to see your birthday if you don’t stop picking your nose and go to sleep.”
Lather, rinse, repeat for about 10-30 minutes every night. Same questions, same answers, always picking his nose.
In retrospect it seems funny and maybe sweet, but it never does at the time and the thought of doing it all over again tomorrow night makes me want to run out screaming.
However, I realize that if not me, who? Who’s going to tell Joe to stop picking his nose? Who’s going to answer his questions? I have to. It’s my job. If I want to be his dad, that’s what I’ve got to do. If not, then I don’t get to be his dad, I don’t get to be part of his life, and I don’t get to be part of my family.
There are folks in our industry just like Joe and me–those who never seem to get it, those who ask questions over and over, and those who tire of answering the same questions.
I’d like to thank those who answer those questions over and over. Folks like Al Iverson, JD Falk, Mickey Chandler, Greg Kraios, Ken Magill, Laura Atkins, Steve Atkins, Karen Balle, Annalivia Ford, and many others who deserve to be on this list.
I’ve only been in deliverability for a few years and I’d be nowhere if these folks hadn’t answered my dumb questions, posted their thoughts, shared their knowledge, and told me to stop picking my nose on occasion.
It pains me though to read from time to time the ranting of those in our industry who want to decry the dumb marketer, give up, and take their ball home. It’s a shame, but that’s their right and their decision. However, they then don’t get to be part of the community. They lose the effectiveness to tell a dumb marketer to stop picking his nose. They become a washed-up, has been, curmudgeon with no voice. Like with my four year-old son, if I want to be a part of the deliverability community I’ve got to stick it out and deal with it. You have to be present to win.
In her post, A very young industry, Laura Atkins of Word to the Wise quotes ExactTarget’s Joel Book as stating that less than 20% of those in email marketing have more than two years experience. Yes, it’s an industry full of four year-olds. If you’re one of those in the know are you going to bemoan this fact that’s beyond your control or are you going to work to make the community you’ve helped build a better place? You absolutely can choose to move on. We will miss you and I wish you the best of luck. But either keep helping out as you’ve expertly done or get out of the way. Don’t take cheap shots at those trying to do the right thing and trying to do some good work.
For those of you tired of answering the same inane questions you’re fooling yourself if you think the folks who really need to hear your message are reading. They’re not. And they’re going to keep on asking their inane questions until somebody helps them out. I choose to help them out. I choose to be part of the community. I choose to be present.
A big part of the issue is how daunting it can be to ask for help without the risk of appearing the fool. There are far too many folks in this business of deliverability who are more interested in proving how smart they are and selectively sharing knowledge than they are in helping raise the overall level of consciousness and enlightenment.
If you want the idiots and fools to go away then help them become something more. Help them like no one helped you when you started out. With much effort, time, and frustration, I could pick through five years of your blog posts to find the one bit of information I need, or you could give me the URL to the post that will reveal all. I’m not asking you to spoon feed me, I’m just asking for a little help. There’s no books on this stuff and you can’t go to school to get your BA in deliverability. All we’ve got is each other.
Phil Schott has been handling delivery and compliance for a major ESP for the last 3 and a half years.

Read More

Delivery and compliance jobs

Al is posting a list of delivery, anti-spam and compliance jobs over on Spam Resource. If you’re in the market, go check them out.

Read More

Troubleshooting email delivery

Mark Brownlow has a post up explaining how he discovered some problems with delivery at Gmail by digging deeper into his statistics. Mark goes through his thought process including his initial conjecture on what might be causing the problems and then how he looked at the data to see if his supposition fit the data.
I love this post. It is so refreshing to watch someone document how they asked questions, then looked at data to find out the answers. Too many people treat best practices in email delivery as a set of rules that are meant to be broken. Instead of actually asking questions and determining what is best for their market and their recipients they implement best practices.
Following best practices isn’t exactly a bad thing; the reason they’re best is that they’re easy-to-communicate practices that will not result in bad outcomes. But they’re not always the ideal practices for a specific situation. Best practices are ones that work across a wide range of senders and situations. Blindly implementing best practices will not always result in the best outcome for each situation.
Mark’s post is a tutorial in the art of looking at email delivery. I think there is a need for more of those kinds of posts, explaining the process from identifying an email problem through to confirming that is actually the problem and then testing potential fixes. I’ll be posting troubleshooting guides here over the next few weeks and months. If you have an issue you think would be an interesting case study drop me an email and we’ll go through it.

Read More

Which is better UTF-8 or ISO-?

Someone asked today on a mailing list whether they should be using UTF-8 or “ISO” encoding for sending email. What’s the best choice depends on some of the details of the situation, but here’s the answer I gave:
UTF-8 will work for pretty much anything, as it’s just an 8 bit encoding scheme for Unicode (which is supposed to be the one character encoding to rule them all). It’s well supported in most languages and development environments – Windows has been native UTF-16 under the covers since the mid 90s, for instance – and typical messages that use mainstream glyphs should render well from UTF-8 in most western MUAs and browsers.
There are still a very few old or broken clients out there that will not handle UTF-8 well but (outside the Asian language market, where there’s still some non-ASCII, non-Unicode legacy usage) they’re typically ones that don’t really handle any character set encoding well and the only thing safe to send to them is either plain ASCII or whichever ASCII superset their OS happens to support natively (which is probably an argument for sending Windows-1252 codepage, but not a terribly strong one).
The various extended ASCIIs (such as ISO-8859-*) will only work for messages that are written solely using characters from that character set. If you have even one character in a message that cannot be expressed in ISO-8859-1, then you can’t use ISO-8859-1 to send that message.
ISO-8859-1 (aka Latin1) is fairly sloppy in some respects – it has no apostrophe, nor single quotes, for instance – but it can handle an awful lot of languages, from Kurdish to Swahili. It can’t handle Dutch, Estonian, Finnish, Hungarian and Welsh particularly well, nor can it show the Euro symbol (ISO-8859-14 or -15 are needed for some characters there).
A common problem is that many people (and the software they write) think that Windows uses Latin1. It doesn’t, it uses Windows-1252. If you accept messages written on Windows, using the Windows-1252 code page, and throw them out on the wire as ISO-8859-1 what you end up with is not quite right. It mostly works, as the two codepages overlap quite a bit, but they have different glyphs in the 0x80-0x9f range. So if you use single or double quotes (“smart quotes”), or the Euro symbol, or ellipses, or bullet, or the trademark symbol in your message they’ll be garbled. This is so common that some mail clients and web browsers will actually treat a document that claims to be ISO-8859-1 as Windows-1252, but that’s a bug workaround and not something it’s really safe to rely on.
If you’re doing personalized messages, and you’re sending one of them to Győző and one of them to Eiður then you may have to use different character sets for the two messages. If you’re talking about Győző and personalizing it for Eiður then you might find things break horribly.
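The mismatch described above can be reproduced and checked in a few lines. This is an added example, not code from the original post: the function names, the candidate ordering (including ISO-8859-2 as a single-byte option for Central European names) and the sample text are assumptions made for illustration.

```python
"""Added example: keep the declared charset in step with the bytes actually sent."""
from email.message import EmailMessage

# Narrowest first. The ordering is an assumption of this example.
CANDIDATES = ("us-ascii", "iso-8859-1", "iso-8859-2", "windows-1252", "utf-8")

# Constructed sample: smart quotes, ellipsis, Euro, bullet and trademark all
# live in the 0x80-0x9f range of Windows-1252.
SAMPLE = "“Offer” ends soon… only €5 • Acme™"


def narrowest_charset(text, candidates=CANDIDATES):
    """Return the first candidate that can encode every character of text."""
    for charset in candidates:
        try:
            text.encode(charset)
        except UnicodeEncodeError:
            continue
        return charset
    raise ValueError("no candidate charset can encode this text")


def build_part(text):
    """Build a text/plain part whose charset label matches its encoding."""
    msg = EmailMessage()
    msg.set_content(text, charset=narrowest_charset(text))
    return msg


def mislabel_as_latin1(text):
    """Simulate Windows-1252 bytes sent with an ISO-8859-1 label."""
    return text.encode("windows-1252").decode("iso-8859-1")


def c1_controls(text):
    """Characters in U+0080..U+009F: invisible controls in Latin1 and the
    usual sign that Windows-1252 bytes were decoded as ISO-8859-1."""
    return [ch for ch in text if 0x80 <= ord(ch) <= 0x9F]


def repair_mislabelled(text):
    """Undo the mislabelling when the text round-trips cleanly, else None."""
    if not c1_controls(text):
        return text
    try:
        return text.encode("iso-8859-1").decode("windows-1252")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None  # not a clean Windows-1252 round trip; needs manual review


if __name__ == "__main__":
    for name in ("Győző", "Eiður", "Győző, Eiður"):
        print(name, "->", narrowest_charset(name))
    garbled = mislabel_as_latin1(SAMPLE)
    print(len(c1_controls(garbled)), "characters garbled;",
          "repairable:", repair_mislabelled(garbled) == SAMPLE)
```

Running the detector over inbound or templated content before sending catches the mislabelling without relying on the receiving client's workaround.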
Someone probably has some concrete data on mail client character set support, broken down by region and language, but my understanding is that this is a reasonable approach:

Read More

Standardizing email metrics

“Slogging towards e-mail metrics standardization” is a report by Direct Mag on the efforts of the Email Experience Council to standardize definitions related to email marketing.

Read More

Transitioning Yahoo bound email from Goodmail certification

In early February Yahoo announced they were no longer offering preferred delivery to Goodmail customers. By the end of March, Yahoo will have decommissioned the Goodmail specific mail handling servers. What does this mean for Goodmail customers who have no history of mail to the normal Yahoo mail exchanges? Will they have to go through an IP warmup period?
Thankfully, no, they won’t. IP addresses that have been delivering Goodmail certified mail are being transitioned across to the Yahoo whitelisting program. Just because customers are losing Goodmail certification does not mean they will lose all their sending history at Yahoo. This is very good news, as senders don’t have to give up all their sending history due to Yahoo’s decisions.
I have heard some grumbling from some delivery experts that the ‘pre-warmup’ isn’t meaningful or useful. I strongly disagree. The reason senders have to warm up IP addresses is because spammers are very good at finding unused addresses and exploiting them to send spam. The warmup period gives the receivers a way to evaluate the mailstream from a particular IP and determine if the mail is wanted without having to subject their users to excessive amounts of spam.
In this case, Yahoo knows that good senders will be moving from one set of mail exchangers to another. They have nothing to gain by forcing those senders to go through a warmup period. They know what the mailstreams look like and can special case them. This isn’t a benefit every sender gets, in fact losing established reputation is one of the major considerations when moving IP addresses, ESPs or certification services.
While current Goodmail customers are getting this benefit now, they will be subject to the same spam filtering other senders face at Yahoo. Failure to meet Yahoo’s thresholds for good email may result in loss of whitelisting, bulk foldering of email and rate limiting.
More detailed information about delivering to Yahoo is available on the Word to the Wise Delivery Wiki.

Read More

Yahoo decommissioning Goodmail MXs

Yahoo announced today that they would be decommissioning the Goodmail specific MX machines as of March 24. Goodmail customers should talk to Goodmail about necessary transition issues. On Yahoo’s end, my understanding is that they are working to make the transition as painless as possible for the customers of Goodmail.
This seems to be the final nail in the coffin for Goodmail at Yahoo.
I’ll have more next week on how senders can cope with the loss of Goodmail certification.

Read More

Improving the email interface

Want an improved email interface? Then build it.
There’s been an ongoing discussion about adding thumbs up / thumbs down style buttons to email clients. While I am dubious this is a useful feature or something that recipients will use, if there are others in the industry that think it would be useful then I strongly suggest they go ahead and create it.
In fact, there are a couple things that have been asked for in email interfaces that aren’t currently provided. Last October I blogged about adding an unsubscribe button to email clients.

Read More

With great wisdom…

Guest Post by JD Falk
There was certainly some surprise in the room when I pointed out (yep, it was me) that Laura has been around since before there were ESPs. Part of it, I’m sure, was because Laura’s not particularly ancient — and part was because it’s a shock to realize that people sent and received email and everything was just fine long before the segment of the industry that you work in had even been imagined.
Since this was at MAAWG, there were quite a few people in the room who were involved before there were ESPs (I asked for a show of hands) — and it was interesting to see how many of them work for ESPs now. Commenting on Laura’s article “A very young industry,” Kent McGovern mentioned three — including Anne Mitchell, who made up the word “deliverability” not long after stepping down as the head lawyer for the first shared blacklist of email-sending IP addresses.
Just think about that. She was the head lawyer for the MAPS RBL before there was such a thing as deliverability. (I worked with her there; so did Laura.)
There are a lot of us who’ve been around that long, and most don’t work in the deliverability/marketing side of the industry. Nearly all of us have become cynical over the years; some were cynical to begin with. A few, sadly, have burned out entirely from the frustration of having the same arguments, same discussions, over and over and over.
I think some of the recent refrain calling for ESPs to pressure each other into better practices comes in part from that same frustration. Yes, bad practices are bad, but we’re also tired with teaching the same thing to people with the same title, and feeling like the message never gets through. Part of what we’re saying is “It’s your industry, you’ve learned this stuff, now you teach ’em.”
And when you do, it does work — far more often than when we say it, because you speak the same language. There’s now a generation (for lack of a better term) of ESP & deliverability staff who weren’t around before there were ESPs, maybe not even before CAN-SPAM, but have learned many of the same things and undergone similar transformation. Who’d have thought that Jaren Angerbauer — quite possibly the nicest guy in the industry — would ever start sighing at those young whippersnappers like a cynical old anti-spammer? And Jaren’s not only teaching deliverabilitators; he’s also teaching college students, ensuring that they’ll know far more when they enter the work force than you or he did.
We old-timers once struggled with the idea that we must reach out — even to people we disagree with — and teach what we knew, learning along the way to put it into terms that marketers understand. It’s so much simpler to add to a blacklist and throw away the key, declaring “not my problem anymore.” But we did start teaching, and look how far we’ve come; we’re still doing it, and look how much further there is to go.
Now it’s time for the next generation to do the same. Stop looking to us, or to the ISPs, to solve the problems of your industry for you; we’re busy dealing with spam, as we should’ve been doing all along. Your colleagues’ cluelessness is exactly as impermanent as your own was, and can be overcome in the same ways. Whether you have fifteen or ten or five or merely two years of experience, you’ve found your way to this blog and read down to this line, and attained some measure of wisdom, and you can ease the passage for others.
When someone at a marketing conference says something that you know isn’t true, that you know will result in poor deliverability and industry ire, call them on it. Engage them in a dialogue. Teach, explain, cajole, push — because with great wisdom comes great responsibility.
It’s your turn.
J.D. Falk is Director of Product Strategy for Receiver Products at Return Path, which is not an ESP.

Read More

News and announcements: March 1, 2010

Some news stories and links today.
Spamhaus has announced their new domain block list (DBL). The DBL is a list of domains that have been found in spam.

Read More

RPost and Goodmail settle lawsuit

Last September, I blogged about RPost suing Goodmail for patent infringement. Today the two companies announced they’ve reached a settlement and have forged a partnership. Goodmail will be offering RPost’s technology as an upgrade to customers and replacing their own “proof of delivery” technology with RPost’s legal service technology.

Read More

A sure fire business model for senders and ESPs

For companies who are sending mail on their own behalf

Read More

News from MAAWG

During MAAWG a number of companies in the email space announce new initiatives, mergers, products and the like. This MAAWG is no different.
Spammers adjust to security trends. This is not really news, spammers have been adjusting to new security measures since folks started blocking from: addresses back in ’95 and ’96. The tactics are different and developing, but for every security hole that is blocked, spammers will search for another hole to exploit. The unfortunate truth is that the end user is the weak point, and spammers and scammers are very very good at social engineering.
Spam statistics stalemate. Spam is still accounting for approximately 90% of all email traffic.
Cloudmark acquires Bizanga. I talked to some of the Cloudmark folks and they seem very excited with their acquisition of the Bizanga MTA and email technology.
Bizanga Storage announced. Bizanga Store is a scalable storage system brought to you by some of the people who were instrumental in building the Bizanga MTA acquired by Cloudmark.
Return Path announced partnership with RPost. Yet more ongoing changes in the certification field.

Read More

Microsoft delivery partnerships

Last week John Scarrow from Microsoft made a public statement on Deliverability.com about Microsoft’s approach to using available products in the email industry.

Read More

MAAWG SF

Blogging will probably be light next week. Steve and I are both headed to MAAWG SF. Steve will be presenting training on Monday and at one of the later sessions, too. I managed to get out of having to work this conference, so no presenting for me.
We’re both looking forward to seeing everyone. Drop by and say hi.

Read More

Google Buzz

Google Buzz has garnered a lot of attention this week, most of it looking at the privacy implications of requiring users to opt-out of sharing information with anyone who’s ever sent them email.
WARNING: Google Buzz Has a Huge Privacy Flaw
Fugitivus Blog (possibly NSFW due to language)
A dangerous buzz and opt-in isn’t just for email
How Google Buzz just blew your psuedonym
Lifehacker has a number of posts about Google Buzz and how to reset your settings.
I’ve already seen tweets and social media recommending using the networks generated by Google Buzz for marketing purposes.
I’m not very impressed with what I’ve heard about Google Buzz and the total lack of control it gives people over sharing information. I used to be very open with my information online, down to identifying the lab I worked in. I then said something on Usenet that upset someone. That person spent the next 4 months harassing me by phone at work and at home, and even went so far as to dig up my boss’ home number and harass her at home. I’ll be honest it was a scary experience. Even though I knew my stalker was 1500 miles away and extremely unlikely to actually show up on my doorstep, I was still worried for my safety.
That experience made me a lot more cautious about what I share online and how much information I give to people. Google Buzz seems to take a lot of the control of my information away from me. Which is why you won’t find me participating in the Google social network.
UPDATE: And here we go: Win a free laptop by following Hubspot on Google Buzz

Read More

Tagged.com's newest trick

I signed up a disposable address at tagged.com last summer, to see how their signup process went and how aggressive they were at marketing.
They mailed me maybe a dozen times over the course of a month and then the mail stopped.
Until today.
Today I got two messages from tagged.com, one from Sophia C (33) and one from Melinda E (27). The messages are identical except for the names and some of the advertising on the bottom.
I find it a bit coincidental that after all the recent news about Tagged that I start getting mail from them again. Mail that is not from anyone I know. Mail attempting to entice me into logging back into the tagged site.

Read More

AOL transmitting 4xx error for user unknown

AOL is currently returning “451 4.3.0 <invaliduser@aol.com>: Temporary lookup failure” in some cases when they really mean “550 user unknown.” This message from AOL should be treated as a 5xx failure: the message should not be retried (if at all possible) and the failure should be counted as a hard bounce for list management purposes.
This is something broken at AOL’s end, and the guys with the magic fingers that keep the system running are working to fix it. Right now there doesn’t seem to be an ETA on a fix, though.
Even if you are a sender who is able to stop the retries, you may see some congestion and delays when sending to AOL for the time being. Senders who don’t get the message, or who are unable to stop their MTAs from retrying 4xx mail will continue to attempt delivery of these messages until their servers time out. This may cause congestion for everyone and a noticeable slowdown on the AOL MTAs.
AOL blog post on the issue
HT: Annalivia
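One way to express the handling described in this post is a receiver-specific override in the bounce classifier. This is an added example, not code from the post or from any MTA: the override table, function names and every sample reply other than the AOL string quoted above are constructed for illustration.

```python
"""Added example: classify SMTP replies, with a receiver-specific override."""
import re

# Splits "451 4.3.0 <user@aol.com>: Temporary lookup failure" into the
# basic status code, the optional enhanced status code and the text.
REPLY_RE = re.compile(
    r"^(?P<code>[245]\d\d)[ -]"
    r"(?:(?P<enhanced>[245]\.\d{1,3}\.\d{1,3}) )?"
    r"(?P<text>.*)$"
)

# Hypothetical override table: (recipient domain, code, enhanced code,
# text pattern, verdict). Only the AOL reply quoted in the post is listed.
OVERRIDES = [
    ("aol.com", "451", "4.3.0", re.compile(r"Temporary lookup failure$"), "hard"),
]

DEFAULTS = {"2": "delivered", "4": "soft", "5": "hard"}

# Constructed delivery results: (recipient, final SMTP reply line).
RESULTS = [
    ("invaliduser@aol.com", "451 4.3.0 <invaliduser@aol.com>: Temporary lookup failure"),
    ("someone@aol.com", "421 4.7.0 Try again later"),
    ("someone@example.net", "451 4.3.0 <someone@example.net>: Temporary lookup failure"),
    ("gone@example.org", "550 5.1.1 user unknown"),
    ("ok@example.com", "250 2.0.0 OK"),
]


def classify(recipient, reply):
    """Return 'delivered', 'soft', 'hard' or 'unknown' for one reply line."""
    match = REPLY_RE.match(reply.strip())
    if match is None:
        return "unknown"
    domain = recipient.rsplit("@", 1)[-1].lower()
    for o_domain, o_code, o_enh, o_text, verdict in OVERRIDES:
        if (domain == o_domain and match["code"] == o_code
                and match["enhanced"] == o_enh and o_text.search(match["text"])):
            return verdict  # scoped to one receiver, one exact reply
    return DEFAULTS[match["code"][0]]


def plan(results):
    """Split recipients into those to retry and those to suppress."""
    actions = {"retry": [], "suppress": []}
    for recipient, reply in results:
        verdict = classify(recipient, reply)
        if verdict == "soft":
            actions["retry"].append(recipient)
        elif verdict == "hard":
            actions["suppress"].append(recipient)
    return actions


if __name__ == "__main__":
    for recipient, reply in RESULTS:
        print(f"{classify(recipient, reply):9} {recipient}")
```

Keeping the override keyed on domain, code and text means other 4xx replies from the same receiver, and the same text from other receivers, are still retried as usual.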

Read More

Yahoo stops offering preferred delivery to Goodmail certified email

A week ago, Goodmail notified customers about upcoming changes to the Goodmail Certification program. They wanted customers to be aware that Yahoo was going to stop offering Goodmail certified email priority delivery and guaranteed inbox placement as of February first. I’ve talked with a number of people in the industry, including representatives of Goodmail and Yahoo about this change.
Yahoo was the first to respond to my request for a comment, and offered the following statements. The decision was made at some of the higher levels of management and my contact did not participate. I was told that Yahoo was looking to have more control over their incoming mail stream. They did not want to be contractually obligated to deliver email. The Yahoo rep also told me that Goodmail was in no way responsible for the Yahoo connectivity problems over the last couple weeks.
I also spoke with Goodmail. They also stated that Goodmail was in no way responsible for the Yahoo MTA problems. They are continuing to negotiate with Yahoo and are hoping to have full functionality to Goodmail certified email at Yahoo in the future. Also, Goodmail certified email may continue to see good delivery at Yahoo, but the certification symbol will not be displayed to Yahoo users.
I do believe Goodmail is continuing to negotiate with Yahoo, but I don’t expect to see any reversal of the decision any time soon. There are a number of underlying problems here, but reading between the lines it seems that Goodmail is certifying companies that send mail Yahoo users don’t want.
Last summer a number of people in the industry told me that Yahoo had a meeting with Goodmail and told Goodmail that the quality of the mail that they certified was not up to Yahoo’s standards. At that point, Goodmail dropped a number of clients and stopped taking on new clients. One colleague believed he had a slam-dunk application that would take days to approve. Instead he chased Goodmail sales reps for weeks looking for confirmation that his employer would be accepted. Eventually, he did receive a response: his employer was not accepted and there would be a full revamping of the qualifications for the certification program.
It seems, though, that any changes implemented by Goodmail over the summer did not improve the mail stream enough for Yahoo to continue outsourcing delivery decisions to Goodmail.
Quite frankly, I am unsurprised by this. My impression of Goodmail has always been they never really understood the role of a certifying agency. For any certifying agency to be successful, they must continually monitor certified customers and enforce standards. Goodmail’s initial certification process was fine, but they never seemed to follow through on the monitoring and enforcement. I remember sitting at lunch with one of their founders a few years ago and repeatedly asking the same questions: How are you going to police your customers? What are you going to do when bad mailers come to you? How are you going to enforce your standards? The answers I received were vague and left me with the opinion that they didn’t really understand what spammers would do, or pay, to get guaranteed inbox placement. I never felt they recognized the work involved in enforcing the high standards needed to keep their ISP partners happy with their service.
What distinguishes Goodmail from other certification services is that Goodmail doesn’t make recommendations to recipient ISPs. Instead, Goodmail partner ISPs are contractually required to accept Goodmail certified email and deliver that to the ISP. In this case, it appears the certified mail did not meet Yahoo’s standards, and Yahoo ended the contract. I don’t expect Yahoo to change their stance until Goodmail can convince Yahoo that Goodmail will treat Yahoo users’ email stream exactly the same as Yahoo does.

Read More

Timeliness of email

There’s been an interesting discussion in the comments from yesterday’s post about temp failing. My position is that email is not a 100% reliable medium for transmitting time sensitive information.
Two things happened today to reinforce that.

Read More

20% of email doesn't make it to the inbox

Return Path released their global delivery report for the second half of 2009. To put together the report, they look at mail delivery to the Mailbox Monitor accounts at 131 different ISPs for 600,000+ sends. In the US, 20% of the email sent by Mailbox Monitor customers to Return Path seed accounts doesn’t make it to the inbox. In fact, 16% of the email just disappears.
I’ve blogged in the past about previous Return Path deliverability studies. The recommendations and comments in those previous posts still apply. Senders must pay attention to engagement, permission, complaints and other policy issues. But none of those things really explain why email is missing.
Why is so much mail disappearing? It doesn’t match with the philosophy of the ISPs. Most ISPs do their best to deliver email that they accept and I don’t really expect that ISPs are starting to hard block so many Return Path customers in the middle of a send. The real clue came looking at the Yahoo numbers. Yahoo is one of those ISPs that does not delete mail they have accepted, but does slow down senders. Other ISPs are following Yahoo’s lead and using temporary failures as a way to regulate and limit email sent by senders with poor to inadequate reputations. They aren’t blocking the senders outright, but they are issuing lots of 4xx “come back later” messages.
What is supposed to happen when an ISP issues a 4xx message during the SMTP transaction is that email should be queued and retried. Modern bulk MTAs (MessageSystems, Port25, Strongmail) allow senders to fine tune bounce handling, and designate how many times an email is retried, even allowing no retries on a temporary failure.
What if the missing mail is a result of senders aggressively handling 4xx messages? Some of the companies I’ve consulted for delete email addresses from mailing lists after 2 or 3 4xx responses. Other companies only retry for 12 – 24 hours and then the email is treated as hard bounced.
Return Path is reporting this as a delivery failure, and the tone of discussion I’m seeing seems to be blaming ISPs for overly aggressive spamfiltering. I don’t really think it’s entirely an ISP problem, though. I think it is indicative of poor practices on the part of senders. Not just the obvious permission and engagement issues that many senders deal with, but also poor policy on handling bounces. Perhaps the policy is fine, but the implementation doesn’t reflect the stated policy. Maybe they’re relying on defaults from their MTA vendor.
In any case, this is yet another example of how senders are in control of their delivery problems. Better bounce handling for temporary failures would lower the amount of email that never makes it to the ISP. This isn’t sufficient for 100% inbox placement, but if the email is never handed off to the ISP it is impossible for that email to make it to the inbox.
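The effect of retry policy on "missing" mail can be seen in a small simulation, added here as an illustration and not taken from Return Path's report or any MTA vendor. The throttling receiver, the three policies and every number in it are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RetryPolicy:
    name: str
    max_deferrals: Optional[int]  # give up after this many 4xx replies (None = no cap)
    max_queue_hours: int          # give up once the next retry would fall at or past this age
    retry_every_hours: int        # fixed retry interval, kept simple on purpose


def classify(code: int) -> str:
    """Map an SMTP reply code to what the sender should do with the message."""
    if 200 <= code < 300:
        return "delivered"
    if 400 <= code < 500:
        return "deferred"   # temporary failure: keep the message queued and retry
    if 500 <= code < 600:
        return "bounced"    # permanent failure: do not retry
    raise ValueError(f"unexpected SMTP reply code {code}")


class ThrottlingReceiver:
    """Constructed model of an ISP that rate-limits a sender instead of blocking it:
    it accepts `per_hour` messages each hour and answers 451 to everything else."""

    def __init__(self, per_hour: int):
        self.per_hour = per_hour
        self._hour = None
        self._accepted = 0

    def deliver(self, hour: int) -> int:
        if hour != self._hour:
            self._hour, self._accepted = hour, 0
        if self._accepted < self.per_hour:
            self._accepted += 1
            return 250
        return 451


def simulate(policy: RetryPolicy, messages: int, per_hour: int) -> dict:
    """Send `messages` to one throttling receiver and count the final outcomes."""
    receiver = ThrottlingReceiver(per_hour)
    queue = [{"next": 0, "deferrals": 0} for _ in range(messages)]
    result = {"delivered": 0, "bounced": 0, "gave_up": 0}
    hour = 0
    while queue:
        remaining = []
        for msg in queue:
            if msg["next"] > hour:           # not due for a retry yet
                remaining.append(msg)
                continue
            outcome = classify(receiver.deliver(hour))
            if outcome != "deferred":
                result[outcome] += 1
                continue
            msg["deferrals"] += 1
            msg["next"] = hour + policy.retry_every_hours
            too_many = (policy.max_deferrals is not None
                        and msg["deferrals"] >= policy.max_deferrals)
            expired = msg["next"] >= policy.max_queue_hours
            if too_many or expired:
                result["gave_up"] += 1       # the sender threw the mail away, not the ISP
            else:
                remaining.append(msg)
        queue = remaining
        hour += 1
    return result


# Three constructed policies, loosely modelled on the behaviours described above.
DROP_AFTER_3 = RetryPolicy("drop after 3 deferrals", 3, 120, 1)
TWELVE_HOURS = RetryPolicy("retry for 12 hours", None, 12, 1)
# RFC 5321 section 4.5.4.1 suggests a give-up time of at least 4-5 days.
FIVE_DAYS = RetryPolicy("retry for 5 days", None, 120, 4)

if __name__ == "__main__":
    for policy in (DROP_AFTER_3, TWELVE_HOURS, FIVE_DAYS):
        print(policy.name, simulate(policy, messages=1000, per_hour=50))
```

The receiver never rejects a single message permanently in this model, yet the two aggressive policies lose most or a large share of the send.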

Read More

iContact lists compromised

iContact has acknowledged that (some) of their customer lists were compromised and that they are investigating. As iContact has chosen not to allow comments on that post, feel free to share comments here.
HT: @aliverson

Read More

Delivery reference site

Over the years I’ve picked up a lot of useful and relevant information about email delivery. I’ve shared a lot of information here on the blog, and while that’s great, a blog is not a great format for a reference. The ISP information page was an initial pass at creating a reference. I realized that just linking to the ISP provided information didn’t communicate very much about how to deliver email even to those ISPs that were explicitly mentioned.
Enter the Word to the Wise Delivery Wiki to fill the need for a publicly accessible reference on email delivery. The cornerstone of the site is the ISP Information page. This page contains summary information about a number of ISPs, including known connection and sending limits. Each ISP mentioned on that page also has an individual page with more detailed information on delivering to that ISP. The information is as accurate as I could make it, and in many cases has been reviewed by representatives of the ISPs.
I welcome contributions from the general community. I will also be continuing to add content. My goal is to have a community resource for people handling email and delivery issues.

Read More

Yahoo and Goodmail

The industry has been abuzz the last few days with the news that as of Feb 1, Yahoo will no longer be supporting Goodmail in their interface. I did get a chance to get a response from someone at Yahoo, but didn’t get a chance to talk to anyone from Goodmail. Look for a post next week discussing the breakup, what impact it has on the industry and what this may mean for other ISPs.

Read More

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

Read More

Project Omnivore

Ben at Mailchimp has posted some information about Project Omnivore. This is a predictive system that not only predicts potential abuse, but can also be used to predict poor campaigns. Steve and I had a chance to see Omnivore in action when we were in Atlanta last fall, and were impressed by the accuracy for bad stuff. It seems, however, that Omnivore is useful to predict good behaviour as well.

Read More

ESPs leaking email addresses

Two of my tagged email addresses started getting identical pharma spam over the weekend. It is annoying me because I am now getting spam in a mailbox that was previously spam free. The spam is overwhelming the real traffic and I am having to make some decisions about what to do with the email addresses and their associated accounts with the companies I gave them to.
One thing I did notice, though, is that both companies use iContact as their ESP. A cursory check of my other mailboxes shows that none of my other tagged addresses are mailed through iContact. I don’t think it’s very likely that these two individual, unrelated companies made deals with the same spammers to sell address lists at the same time. It’s much more likely that there was a compromise somewhere and address lists were stolen.
Edit: Checked my other account and, likewise, I’m getting the same spam to a 3rd address serviced by iContact. I’ve sent mail to all 3 companies involved and we’ll see how they react.
And, as I was thinking about this, iContact just laid off a bunch of staff about the same time they announced their partnership with Goodmail. Based on past history with companies in this situation, it seems possible this is a disgruntled former employee. I’ve also seen reports from other people noticing spam to addresses given to iContact customers.

Read More

Bad year coming for sloppy marketers

MediaPost had an article written by George Bilbrey talking about how 2010 could be a difficult year for marketers with marginal practices. George starts off the article by noticing that his contacts at ISPs are talking up how legitimate companies with bad practices are causing them problems and are showing up on the radar.
This is something I talked about a few weeks ago, in a series of blog posts looking at the changes in 2010. The signs are out there, and companies with marginal practices are going to see delivery get a lot more difficult. George lists some practices that he sees as problems.

Read More

20M leads a month

Some back of the envelope calculations.

20M “opt-in” leads a month is roughly 650,000 leads a day.

Read More

Links for 1/15/10

A lot has happened this week.
Spammers and scammers are attempting to steal money from people attempting to donate money to those in earthquake devastated Haiti. A number of places, including CNN and CAUCE, are warning people who want to donate online to do so through trustworthy links. Don’t click on links in unsolicited emails nor on random websites.
AOL laid off most of their postmaster team. This is going to have a significant impact on sender support provided by AOL. The background chatter I’m hearing indicates that there are likely to be response delays of days to weeks for support tickets.
Pivotal Veracity was acquired by Unica, a marketing software company. Industry buzz says that PV will be run as a subsidiary and maintain their independent customer base.
Spamhaus launched a new website, which includes a link for a domain based URI blocklist. There’s not much information available about this new blocklist, but it’s likely to function similarly to SURBL and URIBL.
The Lethic botnet was penetrated and disabled. Dark Market, one of the large credit card number trading sites, was taken down and the proprietor arrested.

Read More

How do unengaged recipients hurt delivery?

In the comments Ulrik asks: “How can unengaged recipients hurt delivery if they aren’t complaining? What feedback mechanism is there to hurt the delivery rate besides that?”
There are a number of things that ISPs are monitoring besides complaint rates, although they are being cautious about revealing what and how they are measuring things. I expect that ISPs are measuring things like:

Read More

AOL layoffs and postmaster changes

As most of you probably know, AOL went through a serious round of layoffs yesterday. Unlike previous layoffs this one did hit the postmaster team pretty hard. Anna posted this morning that she was the only non-programming member of the postmaster team left in the US. This means there are a number of experienced folks looking for work with experience managing delivery for a large outfit. More info is on her blog.
While I don’t have any firm data, I expect that this is going to significantly affect the support that senders see from AOL. I know many of us have held up AOL as the poster child for how ISPs should interact with senders. That era is drawing to a close.
These layoffs come as AOL has migrated to a new mail system and a lot of senders are seeing new and different error messages. I do believe the folks handling the mail system and the migration are still there and are feverishly working to resolve problems caused by the migration. Right now things are in flux and senders should probably expect delays in getting support from AOL for delivery problems.
UPDATE: Matt Vernhout has a list of suggestions for how to deal with AOL delivery issues.

Read More

Resource hogging

Today on SFGate there was an article talking about how some Bay Area coffee houses were struggling to deal with workers who purchase one cup of coffee and then camp out all day using the free wifi. The final paragraph quoted one of the campers.

Read More

And the ugly…

Getting back to my series on the good, the typical and the ugly in the ESP field, and there is some very ugly out there. I have 3 examples of the ugliness out there and what ESPs and legitimate senders are competing with.
The fake ESP
A spammer approached me early on in my consulting career, asking me to help him set up a fake ESP. He wanted to set up his corporate network so that to an outsider it would look like he was selling ESP services and thus had a large number of customers. There wouldn’t be any customers, however, all the mail would be coming from his company. When the blocking got bad enough, and it would as he would purchase addresses from anywhere, he would “disconnect” the responsible customer. My role was to help him come up with a plausible sounding acceptable use policy and then contact the ISPs when he “disconnected” the customer. I declined to participate in this scheme. This doesn’t appear to have stopped him, though, if the rumors I hear are to be believed.
Waterfalling
Related to the fake ESP scheme is waterfalling. Spammers acquire lists of email addresses and then begin the process of cleaning them by mailing. In some cases, they mail through fake ESPs, as above. In other cases, they actually spread their traffic out across legitimate ISPs. As they mail the lists through the ESPs, they remove unsubscribes, bounces and complaints. When the list reaches a set cleanliness, they move it to another ESP. They repeat this, gradually moving through cleaner and cleaner ESPs. Eventually, they move the list to their own network and sell mailings to it as an opt-in list. It’s not opt-in, it’s just cleansed of all negative responders.
The companies abusing ESPs to clean their lists do tarnish the reputation of ESPs. While the responsible ESPs do disconnect the waterfallers, they usually do so after problems are detected. That being said, there are some companies that are constantly looking for “partnerships” at ESPs and the ESPs turn them away during the sales cycles.
Affiliates
While not necessarily an ESP problem, there are some large companies out there that hire spammers to send acquisition email for them. They also send their own mail, both marketing and transactional, through ESPs. The issue for ESPs comes when the URL blocks happen and the bad reputation of their customer’s mail bleeds back to the ESP’s IP addresses. The ESP becomes known as “one of those places that mails for X” and their reputation falls accordingly. In some cases, even if the mail through the ESP is clean and opt-in, the ESP finds itself blocklisted for just doing business with a company that hires spammers.
I’ve had a couple clients recommended to me by ESPs because the ESP was dealing with a persistent spam block around this particular customer. The mail the customer sent through the ESP was opt-in, but the client was using an extensive network of affiliates to send spam for them. I collected a lot of examples of their spam from various affiliates, even gave them a couple of examples from my own email addresses. One of those addresses has not been actively used in 6 years. My client tells me they talked to their affiliates and that the affiliate assured them I had signed up, I just forgot. The client chose to believe the affiliate over me, despite the fact that I had many other examples. That client lost their ESP (and good for the ESP) but is still sending spam. I just got one advertising their stuff yesterday, at the same address I gave to them years ago, all images, hashbusters, domain hidden behind proxy, coming from a snowshoer network.
All of the companies I’ve talked about here describe themselves as legitimate email marketers. Even the company telling me I opted in to their mail was defending themselves and their affiliates as legitimate email marketers.

Read More

Email related predictions for 2010

As my recent series of posts has indicated, I am seeing a lot of future changes in the email industry.

Read More

SpamAssassin Problems

The default SpamAssassin configuration considers any date far in the future to be extremely suspicious, which is pretty reasonable.
However, as @schampeo points out, it also seems to consider any date later than 2009 to be “far in the future”.
That means that until the SpamAssassin folks roll out a fix, and that gets deployed by SpamAssassin users, pretty much all email will get an additional 2-3.5 spamminess points. That’s likely to cause a lot of content-based blocking over the next few weeks, until fixed rules are deployed both by SpamAssassin users and by all the various spam filtering appliances that use SpamAssassin rulesets.
(If you’re a SpamAssassin user, add “score FH_DATE_PAST_20XX 0.0” to your local.cf file to disable that rule).
EDIT: Mike has some more background on the bug.
EDIT: Fix is out on the SpamAssassin homepage.

Read More

News and links 12/31/09

We’re iced in here in DC so I’ve been catching up with some industry news while camped in front of a heater and the TV.
Best of the ESPs by Forrester Research. Congrats to ET and Responsys for coming out on top. The results, as reported by MediaPost, match reasonably well with my overall impressions of the industry (so they must be right!)
Return Path is rolling out a new version of SenderScore. A welcome change for those of us who regularly refer to an IP’s sender score and find it doesn’t match other data.
CAUCE has done a series of posts looking back at significant events in spam over the last decade.
Al has a retrospective on various data breaches affecting email addresses over the last few years.
Happy New Year, everyone!

Read More

Holiday Break

I did have the absolute best of intentions to finish the Ugly part of my series on “The Good, The Typical and the Ugly” while on the plane yesterday. But, as things sometimes go, it didn’t happen. Blogging will be light through Jan 4th as I’m actually taking some time to visit family, relax and recharge. When I get back I’ll have a post about the ugly end of senders and ESPs as well as some advice on how to join the ranks of the good. I’m also planning to have some new resources available and announced early in January.
May everyone traveling have safe journeys. Happy Christmas.

Read More

The good, the typical and the ugly

In the theme of the ongoing discussions about ESPs and their role in the email ecosystem, I thought I’d present some examples of how different ESPs work.
The good ESPs are those that set and enforce higher standards than the ISPs. They invest money and time in both proactive and reactive policy enforcement. On Monday I’ll talk about these standards, and the benefits of implementing these policies.
The typical ESPs are those that have standards equivalent to those of the ISPs. They suspend or disconnect customers when the customers generate problems at the ISPs. They have some proactive policy enforcement, but most of their enforcement is reactive. On Tuesday I’ll talk about these standards and how they’re perceived by the ISPs and spam filtering companies.
The ugly ESPs are those that have low standards and few enforcement policies. They let customers send mail without permission. Some of the ugly ESPs even abuse other ESPs to send some of their mail, thus sharing their bad reputations across the industry. On Wednesday I’ll look at some of their practices and discuss how they affect other players in the industry.

Read More

Cultural Bias

Guest post by Chris Wheeler
After reading Laura’s and Steve’s posts on the gap between the “senders” and “receivers” (both excellent reads I recommend if you haven’t already done so), it really made me think about why I do what I do and why I think (hopefully not being too narcissistic here) that I’m reasonably good at it.
I was formally educated and then broken in after school with the technology world but have never considered myself a technology purist (I will never author a C# book or program my own killer app). However, I also enjoy people and working with (almost) all of them. Traditionally, these two skillsets have not meshed well in the technology industry to a nontrivial level. So, when I went into deliverability, I was intrigued by the fact that it is as much of a technology, business, marketing and people facing genre as any. And, one of the things I am highly grateful for was that I worked for a sender who really seemed to get it. Of course there were marketing jerks and revenue driven bullies there as well, but my management supported me in really trying to do the right thing by the end email recipient (and in this case, customer).
This helped me shape my view of my role in deliverability and decide which type I wanted to be. Mind you, I have never worked at an ISP. So, my bias is towards the senders. If you have a management team that understands that deliverability is not just a flashy word to throw around, push in prospects’ faces or otherwise excuse away as another service to potentially charge for when not necessarily needed, you’re in a good place. But, you also have to decide what you value as important and ethical for yourself. Unfortunately, there are a lot of folks who are in the deliverability space not because they like the work and are truly looking out for recipients, but rather (and as Steve’s post touches) out there to make money doing anything they can to drive revenue from their perspective without much respect or empathy for the person on the other end of the mailbox. ESPs have been given a bad name in the industry as the aggressors, those who are willing to use and abuse the email ecosystem to get money with no respect to the common rules of “best practices” or recipient perspective. Unfortunately, a lot of folks in the email receiving world have adopted this as their stereotype and dismiss anyone trying to triage a deliverability problem as one who is just wanting to get more emails in an inbox… to generate more opens… to garner more clicks… and ultimately put more cash in their pocket.
This is simply untrue. But, there are a lot of senders who do fit into this category, unfortunately.
The same can be said of ISPs, who seem to be on the defensive all the time and take every piece of incoming mail as having a negative relevancy score attached to the intended recipient and make the sender pay (literally in terms of some accreditation methods) to move towards what they perceive as a positive and user wanted email. The sloppy ISPs rely heavily on using highly automated systems to either do binary blocking outright on certain arbitrary indicators in mail or simply throw their hands up and call anyone not sending a one to one message from someone’s relative or friend spam. Again, though, this is an unfair stereotype that doesn’t apply across the board. I work with many ISPs that do take the time, effort and examination to help recipients get mail they want instead of just outright declaring jihad on mass senders altogether. If you pay close attention, these are also usually those who are very technically savvy (and thus breed a desire to keep the internet a free and open exchange for ideas to be messaged, including those that are marketing related and wanted). I enjoy reading the information they post. Our conversations. Listening to what they have to say. And in turn, I believe they do the same of me since they know I’m more about letting numbers and actions speak for themselves as opposed to trying to circumvent any process or “game” them. Numbers and actions, for me, are about spam complaints being driven down, email engagement being up, and benefit being gleaned from the messages sent via whatever method is most appropriate. CNN, for example, sends me transactional breaking news alerts. I may not read every one. And I certainly am not driven to purchase or pay into a service as a result. But, I do enjoy getting these and would be upset if that stream of information stopped.
A lot of ISPs get this – the implied and real value I have as a result of knowing what’s going on in any facet of email communication when I don’t have a chance to proactively find out myself.
The rub is that ESPs are paid money to send email (with their hue changing based on types of email they send, the clients they onboard, adherence to their own rules, etc.). But, we are paid to send email (notice “quantity” is intentionally excluded from this sentence). It’s the core product of our systems…deliver communication via electronic mail. ISPs are not paid to receive email. Some ISPs are paid for the images or impressions they drop in which are driven by the mail a user gets being the catalyst for the times they check their mail. Or, some ISPs charge money for email (so in a sense, they are paid to deliver within their own confines of what is spam or not to the customer). Other ISPs just have email as an extension of their existing services (think cable providers or cellular companies) which ultimately can be ear marked for revenue.
So, not all senders are bad; neither are all ISPs good (and vice versa). But, at the end of the day, I can honestly say I don’t have that many problems when dealing with receivers since I tend to only really have a relationship with those I believe are trying to do the right thing, like me, in ensuring recipients get mail they want, need, or otherwise are just glad to have around. I don’t need to be yelled at as an abuser of the internet because I’ve found a living in sending email, as much as a mechanic does for contributing to global warming for putting gasoline burning cars back on the road. Nor, do the ISPs deserve to have fingers waved in their face either when, usually, they’re trying to keep their recipients happy and not melt under the deluge of true spam that technology has brought with it. I’m sure this will inspire some nasty comments, or at the least, a nonplussed double take, but ISPs are businesses as well. They are not run on cookies and rainbows. Same with ESPs. Finding a balance between the two with corporate management pushing down and reinforcing an intermediary relationship that doesn’t engage in an antagonistic or adversarial role is what will win every time.
It’s about the people, the personalities, and a new industry that’s evolved in the aftermath of the advent of spam and marketing mail. But, if your culture is one which doesn’t fit what makes you feel you’re successful or back your mores you’ve developed or adopted over the years, you must realize you’re empowered to make yourself respected and happy. No one else, though. And, at the end of the day, I think the issues between ISPs and ESPs not communicating effectively is more about what the company culture is and how well (or not) they respect and encourage their employees to drive for whatever measurement of success you both share (be it money, recipient satisfaction, client satisfaction, just putting in an honest day’s work, or the fact you get to work from Punxsutawney).

Read More

Blocking of ESPs

There’s been quite a bit of discussion on my post about upcoming changes that ESPs will be facing in the future. One thing some people read into the post is the idea that ISPs will be blocking ESPs wholesale without any regard for the quality of the mail from that company.
The idea that ESPs are at risk for blocking simply because they are ESPs has been floating around the industry based on comments by an employee at a spam filter vendor at a recent industry conference.
I talked to the company to get some clarification on what that spam filtering company is doing and hopefully to calm some of the concerns that people have.
First off, and probably most important, is that the spam filtering company in question primarily targets their service to enterprises. Filtering is an important part of this service, but it also handles email archiving, URL filtering and employee monitoring. The target market for the company is very different than the ISP market.
The ISPs are not talking about blocking indiscriminately, they are talking about blocking based on bad behavior.
Secondly, this option was driven by customer request. The customers of the spam filtering appliance were complaining about “legitimate” mail from various ESPs. Despite being reasonably targeted, the mail was unrequested by the recipient. While ESPs use FBLs and other sources of complaints to clean complainers off rented or epended lists at ISPs, the option is not available for mail sent to corporations. Enterprises don’t, nor should they have to, create and support FBLs. Nor should employees be expected to unsubscribe from mail they never requested.
This option is the direct result of ESPs allowing customers to send spam.
Thirdly, this option is offered to those customers who ask for it. It is not done automatically for everyone. The option is also configurable down to the end user.
While I haven’t seen the options, nor which ESPs are affected, I expect that the ones on the list are the ones that the filtering vendor receives complaints about. If you are not allowing your customers to send spam, and are stopping them from buying lists or epending, then you probably have not come to the attention of the filtering company and are not on the list of ESPs to block.

Read More

The coming changes

Yesterday I talked about how I’m hearing warnings of a coming paradigm shift in the email industry. While these changes will affect all senders, ESPs in particular are going to need to change how they interact with both ISPs and their customers.
Currently, ESPs are able to act as “routine conveyers.” The traffic going across their network is generated by their customers and the ESP only handles technical issues. Responsible ESPs do enforce standards on their customers and expect mailings to meet certain targets. They monitor complaints and unknown users, they monitor blocks and reputation. If customers get out of line, then the ESP steps in and forces their customer to improve their practices. If the customer refuses, then the ESP disconnects them.
Currently standards for email are mostly dictated by the ISPs. Many ESPs take the stance that any mail that is not blocked by the ISPs is acceptable. But just because a certain customer isn’t blocked doesn’t mean they’re sending mail that is wanted by the recipients.
It seems this reactive approach to customer policing may no longer be enough. In fact, one of the large spam filter providers has recently offered their customers the ability to block mail from all ESPs with a single click. This may become a more common response if the ESPs don’t start proactively policing their networks.
Why is this happening? ISPs and filtering companies are seeing increasing percentages of spam coming out of ESP netspace. Current processes for policing customers are extremely reactive and there are many ESPs that are allowing their customers to send measurable percentages of spam. This situation is untenable for the filtering companies or the ISPs and they’re sending out warnings that the ESPs need to stop letting so much spam leave their networks.
Unsurprisingly, there are many members of the ESP community that don’t like this and think the ISPs are overreacting and being overly mean. They do not think the ISPs or filtering companies should be blocking all of an ESP’s customers just because some of the customers are sending unwanted mail. Paraphrased, some of the things I’ve heard include:

Read More

ISPs are speaking, is anyone listening?

Lately I’ve been seeing and hearing a lot of quiet warning noises coming from ISPs and spam filtering companies about sender behaviour. I believe they’re forecasting changes in how ISPs treat commercial email and what new issues senders are going to have to negotiate.
The short version is that commercial mail is a mixed bag. Recipients want commercial mail that is relevant and engaging. As the ISPs get a handle on filtering spam from botnets and viruses, commercial mail is showing up on their radar. They’re seeing problems in the mail streams coming from commercial mailers. Unlike spammers, the commercial streams are hard to block, as they are a mix of wanted and unwanted mail.
They’re seeing more and bigger problems from commercial mailers and they’re starting to drop the hints that smart people will take and incorporate into their future business plans.
What are the ISPs saying?
The model for blocking, temp failing and bulk foldering is changing. No longer are there hard metrics driving delivery decisions. ISPs are moving from complaint based filtering schemes to something a lot more squishy. The ISPs want mail that their recipients want. They don’t want mail their recipients don’t want.
For a while “want” was measured as “do not complain about in numbers higher than X” but that was a metric that was very, very easy to game. It’s not just about individual IP reputations, and it’s not just about individual IP complaint rates. Now it’s about not sending mail to that email address that’s been abandoned for 9 months. It’s about sending mail that keeps the recipients around so the ISPs can show them ads. It’s about making the end users happy with their inbox experience.
Right now, the statements coming from the ISPs are quiet. They’re not talking specifics, but there is a growing chorus that says commercial mailers need to make some changes to how they’re doing things now. The warnings are there for the people who are listening. From what I’m hearing, though, I don’t think many people are listening. I have no doubt when the quiet warnings turn into blocks and filters there will be much complaining about the lack of warning.
The problem isn’t the lack of warning, the problem is the lack of listening.

Read More

Tribes

Earlier Laura talked about a communication gap between ESPs and ISPs.
My take on it is that it’s something more than just a difficulty in communicating, rather it’s a division due to differences in personality and approach of those individuals whose primary interest is themselves and those whose primary interest is the health of the overall email ecosystem.
The former group (who I mentally refer to using the shorthand “frat boys”) want to make everything all about them, and their company’s revenue, and their visibility in the industry, and their ego resume. Broad generalizations with little need for understanding are adequate to raise their visibility and keep them employed. Details aren’t that important to them. Dominating the conversation is. (Lest that sound negative, these are exactly the individuals who can thrive in sales, customer relations, bizdev and marketing environments.)
The latter (shorthand “utilitarians”) instinctively want to make email work well and to be useful for everyone. They want email to be a healthy, useful system and tend to believe that that means optimizing for the greatest good for the greatest number. (If you’ve any philosophy background, think “felicific calculus as applied to email”). They tend to understand the system in much more detail than the frat boys, though maybe less than the mechanics. And they tend to be better at working together – as they’re more interested in hearing other people’s data in order to get better at what they do, rather than being there to convince others of their pre-decided agenda.
(There’s a third group I think of as “mechanics” who take more joy in the details of keeping the system running smoothly on a small scale, without much interest in the broader system, whether that be in a technical or business role. They tend not to be very interactive in public, though, so don’t have much impact at the level of conversations I’m thinking about).
While I hate the broad terms “senders” and “receivers” used to (falsely) divide the industry into two disjoint halves, I’m painting with a fairly broad brush here, so I’m going to stick with them.
There are quite a few of all three types of people at both senders and receivers – but their power and visibility varies.
At senders there’s a mix of frat boys and utilitarians in operational and policy making positions, but the frat boys tend to have a lot more public visibility – they’re the ones who are trying to be visible, to dominate the conversation, and they’re the people you tend to see doing all the talking and less of the listening, whether it be on industry mailing lists or at the microphone at a conference. Because of their greater visibility, they’re who you think of when you think of senders, and typically they’ll be the ones you end up interacting with most in any random mix of individuals from senders.
At receivers the operational (as opposed to policy) level is where the real decision making power is as far as email is concerned, and it’s heavily dominated by the utilitarians. (In fact, the more visible frat boys I can think of who were in influential positions at receivers are mostly now working on behalf of senders).
Frat boys are very, very bad at communicating with utilitarians. And utilitarians find it very hard to discuss issues they consider serious with frat boys at anything deeper than a superficial level.
Mechanics aren’t great at communicating with strangers in anything other than a fairly friendly environment, but manage best with other mechanics or with utilitarians.
If you’re a C level manager at a sender, and you’re deciding which of your staff are well suited to collaborate with typical receiver staff, that’s something important to consider. The public face of the receivers are probably utilitarians. Frat boys are the worst representatives to send out to talk to them.

Read More

The delivery communication gap

There seems to be a general uptick in the number of specific questions that ESPs and commercial senders are asking recently. I’m getting them from clients, and I’m hearing similar stories from my various contacts over on the ISP side. The questions cover a wide range of areas in email delivery, but the underlying issue is really that there are no real fixed rules about email delivery anymore. The only rule is “send mail users want to receive” and there are no specific guidelines to how to do that.
This is frustrating for a lot of people. They want to know exactly how many complaints they need to stay under. They want to know what “engagement” means and how exactly the ISPs are measuring it. They want to know all of the metrics they need to meet in order to get mail to the inbox.
There is a lot of frustration among senders because they’re not getting the answers they think they need and they feel like the ISPs aren’t listening to them.
Likewise there is a lot of frustration among ISPs because they’re giving answers but they feel like they’re not being heard.
Some of the problem is truly a language difference. A lot of delivery people on the ESP side are marketers first and technologists second. They don’t have operational experience. They don’t have any feel for the technology behind email and can’t map different failure modes onto their causes. Some of them don’t have any idea how email works under the covers. Likewise, a lot of postmaster people are technologists. They deeply understand their customers and their email servers and don’t speak marketing.
The other issue is the necessary secrecy. Postmasters have been burned in the past and so they have to be vague about what variables they are measuring and how they are weighting them.
All of this leads to a very adversarial environment.
I’ve been talking with a lot of people about this and none of us have any real answers to the problem. Senders say the ISPs should spend more time explaining to the senders what they need to do. ISPs say the senders should stop sending spam.
Am I quite off base here? Is there no communication gap? Am I just cynical and missing some obvious solution? Anyone have any suggestions on how to solve the issue?

Read More

FCC Wireless list: Cox.net removed

The FCC wireless list has been updated and cox.net has been removed. The cox.net subdomains remain, but there should be no interruption of marketing mail to cox.net recipients.

Read More

Delivery delays due to congestion

Now that we’re deep in the middle of the Christmas shopping season, I’m seeing more and more complaints about delays at ISPs. Mickey talked about everything the ISPs have to consider when making hardware and buildout decisions in his post The hard truth about email on Spamtacular. When, like on cyber Monday, there’s a sharp increase in the volume of email, sometimes ISPs don’t have the capacity to accept all the email that is thrown at them.

Read More

A quick marketers guide to DKIM

J.D. Falk posted a brief but comprehensive guide to the different DKIM flags: what they mean and how they may affect delivery. (The original link seems to be dead so I reproduced the blog post for reference. It’s just that good: A DKIM Primer Resurrected.)

Read More

Irrelevant emails drive unsubscribes

A new study published by the Chief Marketing Officer Council and InfoPrint shows that nearly 50% of all unsubscribes were driven by a lack of relevancy.

Read More

AOL EWL: low complaints no longer enough

This morning AOL announced some changes to their Enhanced White List. Given I’ve not talked very much about the AOL EWL in the past, this is as good a time as any to talk about it.
The AOL Enhanced Whitelist is for those senders that have very good practices. Senders on the EWL not only get their mail delivered to the inbox, but also have links and images enabled by default. Placement on the EWL is done solely on the basis of mail performance and only the best senders get on the list.
The new announcement this morning says that AOL will take more into account than just complaints. Previously, senders with the lowest complaint rates qualified for the EWL. Now, senders must also have a good reputation in addition to the low complaint rates. Good reputation is a measure of user engagement with a particular sender.
This change only reinforces what I and many other delivery experts have been saying: The secret to good delivery is to send mail recipients want. ISPs are making delivery decisions based on those measurements. Send mail that recipients want, and there are few delivery problems.
For a long time good delivery was tied closely to complaint rates, so senders focused on complaints. Spammers focused on complaints too, thus managing to actually get some of their spam delivered. ISPs noticed and started looking at other ways to distinguish wanted mail from spam. One of the better ways to separate spam from wanted mail is to look at user engagement. And the ISPs are measuring engagement and using that measurement as part of their decision making process. Send so much mail users don’t read it, and your reputation goes down followed by your delivery rates.

Read More

Sending too much mail

Not having policies restricting the amount of mail any customer or recipient receives may lead to higher spam complaint rates and blocking, warns the DMA Email Marketing Council.
HT: Box of Meat

Read More

The nightmare before Christmas

Over at the Exacttarget blog, there is a guest post up from Annalivia who handles much of the sender support (and about 15 million other things) at AOL.

Read More

Cox and the FCC wireless list

On Nov 20, Cox added a number of domains to the FCC Wireless domain list. One of the domains added was cox.net. This caused understandable consternation among a number of senders, as the opt-in requirements for wireless domains are much more stringent than for sending to non-wireless domains.
Earlier today, Tom Bartel, from Return Path tweeted: “We pinged them – likely error -they are on it – keep an eye on the FCC listing for an update.”
So it appears that the listing was most likely unintentional (and I’m hearing around the industry that someone from Cox has confirmed that it was a mistake) and they will be removing the domain from the list soon.

Read More

More on best practices

Mark Brownlow took my post about best practices and expanded on the theme. He is absolutely right and I encourage everyone to go read his article.

Read More

Internationalisation (part 1)

There’s been a gentle bit of uproar recently about ICANN finally beginning the process of rolling out support for internationalized domain names (IDN) at the DNS root and the effect that may have on email senders. Even if you haven’t noticed the uproar, it’s still a subject you probably want to be familiar with if you’re sending email.
What are internationalised domain names?
An internationalised domain name is simply a domain name that uses non-ascii characters – most anything other than a-z, 0-9 and ‘-‘ – such as those used in these URLs: http://пример.испытание/ or http://例子.測試/ (If those links are unreadable or don’t work, it means that your browser isn’t handling IDN well or doesn’t have the appropriate fonts installed yet).
They’re an obvious thing to want, especially if you’re from anywhere other than an anglophone country, but the Internet was originally built as an ascii-only network, and under the covers it still is entirely ascii-only, so layering non-ascii characters on top has taken a lot of work and time to roll out. IDN development dates back to at least 1996 and it has been supported by some top level domains since 2003. So the recent announcement to support non-ascii top level domains is just the latest step in a long and careful process.
Almost all of the underlying internet protocols are still ASCII based though, including DNS and SMTP, so a lot of the internationalisation work involves mapping non-ASCII words onto ASCII strings before they’re passed to the network, and mapping them back again before they’re displayed to the user. This is done in a fairly ad-hoc way, different in different protocols.
If you were to visit the cyrillic URL I mentioned above then the first thing your web browser would do would be to take the cyrillic string “пример.испытание” and translate it to the ASCII hostname “xn--e1afmkfd.xn--80akhbyknj4f” then look that up in the DNS to find the server handling that URL.
If you were to display that on a webpage or in an HTML email it might be converted to ASCII as “http://&#1087;&#1088;&#1080;&#1084;&#1077;&#1088;.&#1080;&#1089;&#1087;&#1099;&#1090;&#1072;&#1085;&#1080;&#1077;/”.
If you were to send it as part of a plain text email, encoded as UTF8/quoted-printable, it would look like “http://%D0%BF%D1%80%D0%B8%D0%BC%D0%B5%D1%80.%D0%B8%D1%81%D0%BF%D1%8B%D1%82%D0%B0%D0%BD%D0%B8%D0%B5/”. If there’s a lot of non-ASCII characters in the message then it’s more likely to be encoded as UTF8/base64: “aHR0cDovL9C/0YDQuNC80LXRgC7QuNGB0L/Ri9GC0LDQvdC40LUvCg==”.
And all of those will (or at least should) be displayed to the end user identically.
Confused yet? That’s fine. Internationalisation on the Internet is a very complex and inconsistent subject. In my next post I’ll try and narrow down which bits of it you need to worry about when it comes to sending email and to not upsetting phishing or spam filters at the recipient’s ISP.

Read More

Non marketing uses of email

Box of Meat tweeted earlier today:

tired of marketers calling their conferences and cliques “email whatever” as if marketing is the only thing email is for

Read More

A blast from the past

I’m sitting here watching Iron Chef (the real one, not the American version) and surfing around on SFGate.com. It’s a slow night catching up on all the news I’ve missed this week while off traveling. I see a link on the front page: “Web marketer ordered to pay Facebook $711M.” As I click I wonder if I know the web marketer in question. A former client? A name I recognize?

Read More

Problems at Cox: Resolved

People mailing to Cox in the wee hours of this morning may have received a rejection message citing the Invaluement DNSBL.
554 IMP a.b.c.d blocked.  IPBL100 – Refer to Error Codes section at http://postmaster.cox.net for more information.
I spoke with one of the folks at Cox and they said there was an error in the implementation causing non-listed IPs to be rejected erroneously between about 4am and 8am (Eastern) this morning. The problem has been resolved as of 8am, and all traffic is flowing normally. They also stated that attempts to resend any blocked messages will succeed. They do apologize for any problems this may have caused.
For those of you with aggressive bounce handling, removing addresses after a single 550 bounce, you will also want to re-enable any cox.net subscribers that bounced off during this configuration problem.

Read More

Why do you need so many IP addresses (part 2)?

In my last post I discussed the background as to why an ISP will require their users to use their IP address allocation efficiently. I also mentioned in passing that I’d discussed ESP address allocation with both ESPs and ISPs recently.
The ESP was talking about assigning a couple of dozen IP addresses to each customer, because they might be useful for spreading load and it would provide some flexibility for moving from one IP address to another if one should get blocked. And IP addresses are pretty much free. They were wrong.
The ISP was considering an application for 750 IP addresses from a new ESP customer. They assumed that there was no possible reason other than snowshoe spam for an email related customer to need that many IP addresses. While I suspect they may have been right about the specific potential customer, the general assumption was wrong.
I’ve seen a lot of reasons given by ESPs for why they need so many IP addresses:

Read More

Why do you need so many IP addresses?

IP addresses aren’t an unlimited resource, not on the current version of the Internet anyway. There are only a limited number of them and, while some of the doom and gloom proclamations about us running out in the next year or two may be exaggerated, we are running low on them and should be conserving them where we can.
An ISP can’t create new IP addresses from whole cloth. Instead, when they need more IP addresses they must petition one of the regional internet registries (RIRs) for a new set of addresses which they can then parcel out to their customers. There’s a RIR for each part of the world. ARIN distributes IP addresses for use in North America, RIPE handles IP addresses for Europe, APNIC handles them for the Asia-Pacific region and LACNIC for Latin America.
Each RIR enforces a fairly complex set of rules on the ISPs to ensure that the distribution of IP addresses is somewhat fair and reasonably parsimonious. The rules vary slightly from RIR to RIR in the details, but are fairly consistent in the general meaning. Unless you’re petitioning your local RIR for your own chunk of addresses for some reason (which you aren’t, unless you have a genuine need for more than 2000 IP addresses, or a legitimate need for more than 500 addresses and a complex redundant network setup) you only need to care about the rules that each RIR asks the ISP to enforce on their customers.
When an ISP asks, for example, ARIN for a new block of IP addresses they may be asked to demonstrate efficient usage of the IP addresses they’ve received previously. If they can’t do that, they may not be able to get the new IP addresses. This is, obviously, a Big Deal so ISP network engineers do their best to use address space efficiently, and try and stop their sales reps from handing address space out like candy at Halloween. The end result is that an ISP really does need to have you justify your IP usage – they’re not just being mean or trying to gouge you for more money.
There are several rules that an ISP might follow. One is that an initial allocation of more than, perhaps, 16 addresses will need some justification of how a quarter of those will be efficiently used immediately and how half of them will be used within six months. Another is that if you’re asking for additional IP addresses you’ll need to demonstrate that you’re efficiently using perhaps 80% of the addresses you’ve been assigned previously. The details may vary, and you can probably negotiate with the ISP, but eventually the ISP will need to justify themselves to ARIN, so they’re going to enforce something like this on their customers – or make you pay through the nose to cover the risks they take by bending the rules.
So what does efficient usage mean? That’s very simple in some cases, fuzzier in others. If you have 50 physical machines providing services on the internet, that’s a good justification for 50 IP addresses. If you’re providing internet access to end users (cable modems, DSL, dial-up) then one IP address per user is easy to justify. Virtual webhosting doesn’t justify one IP address per user, but virtual webhosting using SSL does. This is one of those rare cases where you really do have to explain your business model, showing that you’re making efficient use of the addresses you have, and that you have some room for expected growth but aren’t wasting address space by leaving too many addresses idle.
How about ESPs and other bulk mail senders – what does efficient address space usage mean for them? That’s something that seems, from recent conversations I’ve had, to be poorly understood by either ISPs or ESPs. And it’s fairly complex, that’s for sure. So I’ll save that for my next post.

Read More

How NOT to get your mail unblocked

My friend Barry™ contacted me earlier this week to rant about senders contacting him asking for blocks to be lifted.

Read More

They are all Barry. Listen to Barry

Al has a guest post up from an ISP rep (now universally referred to as Barry) about senders contacting ISPs. It lists things senders do that Barry Don’t Like.
Listen to Barry.
There are also comments from various other Barrys in the comments. Those are worth reading, too.

Read More

Matt Blumberg joins the DMA Board

Matt Blumberg, CEO of ReturnPath, announced on his blog today that he has joined the board of the DMA. The blog post is both an explanation of why he did it and an agenda for what he wants to accomplish.

Read More

Email is dead…

Or so the WSJ technology blog would have us believe.

Email has had a good run as king of communications. But its reign is over.
In its place, a new generation of services is starting to take hold—services like Twitter and Facebook and countless others vying for a piece of the new world. And just as email did more than a decade ago, this shift promises to profoundly rewrite the way we communicate—in ways we can only begin to imagine.
We all still use email, of course. But email was better suited to the way we used to use the Internet—logging off and on, checking our messages in bursts.

Read More

Defining spam

This is a post I’ve put off for a while as the definition of spam is a sticky subject. There are online fora where the definition of spam has been debated for more than 10 years, and if there isn’t a working definition after all that time, it’s unlikely there will ever be a definition the participants can agree on.
This came up again recently because one of the comments on my “Reputation is not permission” post took me to task for daring to call the mail “spam.” I’m going to assert here that the mail was unsolicited bulk email. I did not ask for it and I know at least 4 other people that received it.
The commenter, and a few marketers, argue that if the mail is sent without any forgery and the mail contains an opt-out link then it is not spam. It is a definition I have only seen folks who want to send unsolicited bulk email use, however. What they are really arguing is their mail isn’t spam because they provide a valid return address and a way to opt-out. Few people actually agree with this definition.
Here are 10 of the many definitions of spam that I’ve seen.

Read More

Tension at the DMA

What is arguably an internal dispute at the DMA has spilled over into an email and ad battle. Gary Pike is sending email and publishing ads on websites asking DMA members to sign their proxy votes over to him. I saw one of the ads on Chief Marketer a few days ago, but am now unable to get the same ad to load.
The dispute has also generated a lawsuit as the DMA alleges that Mr. Pike has inappropriately used the DMA membership contact lists to support his bid for election.
Who is Gerry Pike Big Fat Marketing Blog
Proxy fight for DMA board Direct Mag
Legal action against Pike DirectMag
DMA proxy fight DirectMag
Gunfight at the DMA corral Ken Magill

Read More

Spamhaus rolls out anti-snowshoe filters

Spamhaus announced today that they are rolling out a new system to detect snowshoe spammers.
What is a snowshoe spammer?
Snowshoe spammers send spam not from compromised servers or botnets, but from large numbers of IP addresses that they are using legitimately. They try to stay below the radar of spam filters, and so get their unwanted email through to the inbox, by looking like a lot of little senders of email rather than one big volume of email.
While a legitimate user of lots of IP addresses might ask for a /23 (500 adjacent IP addresses) from their ISP, and put their real name on the network registration, a snowshoe spammer might instead have 50 blocks of 8 or 16 IP addresses scattered all across their ISP. And they won’t have their real names on the network registrations – instead there’ll be no records at all, or fake but plausible looking company names.
Like a legitimate sender a snowshoe spammer uses real domain names in the mail they send – but unlike the legitimate sender instead of using one real domain name they’ll typically use hundreds of different ones. They’ll sometimes be created completely randomly, such as dreamingdisposal.com or acrosticvienna.com, sometimes they’ll be created so as to sound vaguely like plausible businesses. The contact information on the domain registration is falsified, usually by using one of the commercial domain registration anonymization services such as DomainsByProxy.
And, just like botnet spam, the snowshoe spammer will send low volumes of email from each IP address, to stay below the threshold where someone might look closely at a particular source. This spreading out of their activity, so there’s not too much noticeable pressure at any one point, is where the term snowshoe spammers comes from.
What are Spamhaus doing?
Spamhaus CSS is a list of IP addresses that Spamhaus think are being used by a snowshoe spammer. It isn’t being published as a separate blacklist, rather it’s being published as part of the Spamhaus SBL, so it’ll be used automatically by everyone using the SBL or Zen lists from Spamhaus. This will help Spamhaus react much more quickly to block snowshoe spammer infestations.
Does this affect me?
If you’re a legitimate sender, this should be yet another reason for you to make sure that you’re being transparent about who you are and what you do.
If you don’t want to risk being mistaken for a snowshoe spammer make sure you’re using one or two real domains with a web presence rather than dozens or hundreds of opaque domain names. Use mail1.yourcompany.com – mail25.yourcompany.com rather than yc1.com – yc25.com.
And make sure you have real contact information in all your domain and network registration information, not false or out of date information and definitely not an anonymisation service.

Read More

Links for 9/29/09

A little bit of link sharing today.
Mark Brownlow posts about how critical clicks are to conversion. He also looks at successful techniques that various marketers have used to engage customers.
Chris Wheeler has an insightful post at SpamResource discussing reputation, engagement and what the ISPs are looking at when making delivery decisions. J.D. Falk touches on some of the same themes in his blog post “The Spam Folder is Your Chance to Shine.”
Neil Schwartzman talks about delivery emergencies from the ISP side of the desk.
Terry Zink gives a brief background on sender reputation and a followup looking at how ISPs are working to prevent spammers from stealing their reputations.
Seth Godin continues to turn marketing on its head with his discussion of how marketers have gone from renting to owning.

Read More

The secret to dealing with ISPs

What is the secret to dealing with ISPs?
The short answer is: Don’t do it if at all possible. Talking to ISP reps generally isn’t going to magically improve your reputation. There is no place in the reputation systems where delivery can be modified because the delivery specialist knows or is liked by the postmaster at an ISP.
With my clients, I work through delivery issues and can solve 80 – 90% of the issues without ever having to contact anyone at the ISPs. 90% of the remaining issues can be handled using the publicly available contacts and websites provided by the ISPs.
In the remaining cases, the “secret” to getting useful and prompt replies is to:

Read More

Compliance vs. Deliverability

Most people I know handling delivery issues for senders have some version of delivery or deliverability in their job title. But as I talk to them about what they do on a daily basis, their role is as much policy enforcement and compliance as it is delivery. Sure, what they’re telling customers and clients is how to improve delivery, but that is often in the context of making customers comply with relevant terms and conditions.
Some delivery folks also work the abuse desk, handling complaints and FBLs and actually putting blocks on customer sends.
I think the compliance part of the delivery job description is often overlooked and severely downplayed. No one likes to be the bad guy. None of us like handling the angry customer on the phone who has had their vital email marketing program shut down by their vendor. None of us like the internal political battles to convince management to adopt stricter customer policies. All of these things, however, are vital to delivery.
Despite the lack of emphasis on compliance and enforcement, they are a vital and critical part of the deliverability equation.

Read More

Your delivery is yours, not your ESP’s

Ken is right. As he almost always is.

I received a cold-call voicemail yesterday from a representative of an e-mail service provider looking to do a barter deal.
Never mind I’m not the person to approach for barter deals—or any other type of non-editorial issue, for that matter—the sales rep made one statement that made me cringe.
“Our delivery rates are very high,” she said.
That statement has no place in a pitch from an e-mail service provider.

Read More

Apparent changes at mail.com

I was poking around at some DNS this weekend and happened to do an MX lookup for mail.com and noticed something changed. Previously mail.com mail was handled by Outblaze (now owned by IBM). It seems, though, that mail.com is now outsourcing their mail delivery to AOL.

Read More

Marketing to businesses

“If you do stupid things, you’re going to get blocked,” says Jigsaw CEO Jim Fowler in an interview with Ken Magill earlier this week.
Jigsaw is a company that rewards members for inputting their valuable business contacts. Once the addresses are input into Jigsaw, they are sold to anyone who wants them. Jigsaw gets the money, the people providing information get… something, the people who provided business cards to Jigsaw members get spammed and the people who downloaded the lists get to deal with a delivery mess. Sounds like a lose for everyone but Jigsaw.
Except that now Jigsaw is listed on the SBL for spam support services. Well, that’s going to cause some business challenges, particularly given how many companies use the SBL as part of their filtering scheme.
It’s hard to think of a situation where I would appreciate someone I gave a business card to providing my information to a site that then turns around and lets anyone download it to send email to. I know, I know, there are a million companies out there I’ve never heard of that have The Product that will Solve All my Problems. But, really, I don’t want them in my work mailbox. The address I give out on my business cards is, for, y’know, people to contact me about what I’m selling or to contact me about things they’ve already purchased from me. That address is not for people to market to. I have other addresses for vendors, and even potential vendors, to contact me.
Jigsaw clearly facilitates spam to businesses by collecting email addresses and then selling them on. This is a drain on small businesses who now have inboxes full of valuable offers to wade through. Perhaps their stint on the SBL will make them reconsider their spam support services.
HT: Al

Read More

Links for Sept 10, 2009

As everyone else has been announcing, the Tucows FBL is taking applications from the general public. I’ve updated the ISP Information page to link to the signup as well.
Loren McDonald has a blog up at MediaPost talking about how the language marketers use (Blast!) affects how they are perceived in the industry. I think he’s quite correct. Many people on the senders side hear the things marketers say and judge that the marketers are contemptuous of not only the ISPs but also the recipients. Language matters!
Pivotal Veracity announced MailboxIQ this week. This technology allows senders to track what individual users do to their email. Senders are now able to measure inbox / bulk performance for their whole list, not just seed addresses. The delivery person in me thinks this will help senders make better decisions about engaged recipients and give them more data to send mail that recipients want. The rest of me is a bit unhappy with marketers finding a new way to invade people’s privacy. I’m just glad that I don’t use webmail except for handling client issues.
In other news, Mailchimp has been trolling through their client’s response data and discovered that recipients using gmail.com are more engaged and responsive than users at other domains.

Read More

DKIM implementation survey: prelim results

First off, I want to thank everyone who participated in the DKIM implementation survey. This week has been pretty hectic so far, so I haven’t had a chance to actually dig down into the data from the survey, but I thought I’d post some preliminary results.
The ESP survey had 45 respondents. 30% of those sent more than 15 million emails a month.
Of all the respondents: 40% are signing with Domain Keys, 51.1% are signing with DKIM.
Of all respondents: 79.5% are signing with Domain Keys and 78.8% are signing with DKIM to access services (whitelists or FBLs) provided by the ISPs.
50% of those not signing with Domain Keys are not doing so because customers have not requested it. 61% of those not signing with DKIM are not doing it because of technical difficulties with deployment.
The ISP survey had 16 respondents, with 37.5% handling less than 500,000 mailboxes and 18.8% handling more than 15 million mailboxes. 75% of respondents said they are not checking Domain Keys on inbound mail. 56% said they are not currently checking DKIM on inbound mail.
Only 10 ISPs answered the question if they plan to check either Domain Keys or DKIM.

Read More

Maine backs away from new marketing restrictions

The WSJ reports that politicians in Maine have figured out that the new Maine law prohibiting collecting information from teenagers without parental permission is badly written and has a lot of problems.
The Attorney General has decided not to enforce the law as it stands. The law does contain a private right of action, so there may be private suits filed against companies.
I can’t necessarily fault the state senator who drafted the legislation for her intentions.

Read More

Links for 9/2/09

People are still talking about the White House spamming. At Al Iverson’s Spam Resource there are two posts, one from Jaren Angerbauer titled Guest Post: Email and the White House and another from Al himself titled White House Spam, Signup Forgery, and GovDelivery. Both are insightful discussions of the spam that the White House has been sending. Over at ReturnPath, Stephanie Miller talks about how the publicity surrounding the spam is great PR for permission.
Stefan Pollard has an article at ClickZ looking at how an apology email in response to a recipient visible email mistake can actually make the fallout worse.
Web Ink Now documents one recipient’s experience with a bad, but all too common, subscription practice.
==
Don’t forget to participate in the DKIM implementation survey. For ESPs. For ISPs. Check back next week for results.

Read More

DKIM implementation survey

DKIM has been a hot topic of discussion on some of my mailing lists today. One of the open questions is what is holding up adoption of DKIM. I have my own theories, but thought I’d throw out some questions to see how ESPs and ISPs are currently using domain based reputation.
I have set up two surveys, one for ESPs and one for ISPs. Responses are anonymous.
I’ll collect responses for a week and share the results.

Read More

Email as a PR problem

Email is a great way to connect to and engage with people. It is also a medium where the sender doesn’t get to control the message as well as they might in other media. This means that sometimes email campaigns go wrong in a way that drives a national news story about how you are a spammer.
In the stress and flurry of dealing with public accusations of spamming many companies overlook the fact that the underlying issue is they are sending mail that the recipients don’t want or don’t expect. If there is a public uproar about your mail as spam, then there is a good chance something in your email strategy isn’t working.
Even in the recent White House as spammers strategy, there is a strong chance that they are actually using reasonable and industry standard methods to collect email addresses. However, in their case, they are a large target for people to forge email addresses in forms. “Bob doesn’t like the president, but I’ll sign him up for this list so he can learn how things really are.” or “Joe doesn’t like the democrats so I’ll sign him up for their mailings just to piss him off.”

When you are confronted with an email campaign that upsets a large number of people there are a number of steps you should take.
Step 1: Gather information
This includes information internally about what actually happened with the campaign and information from the people who are complaining.
Externally: Get copies of the emails with full headers. If you’re working with people who do not want to reveal any details of the mail they received then you may not be able to fully investigate it, but if they do you will have everything you need right there. Figure out where their address came from (you do have good audit trails for all your email addresses, right?).
Internally: Talk to everyone who worked on that particular campaign. This includes the geek down in the IT department who manages the database. Figure out if anything internally went wrong and mail was sent to people it wasn’t intended for. I know of at least 2 cases where a SQL query was incorrectly set up and the unsubscribe list was mailed by accident.
Step 2: Identify the underlying problem
Look at all the available information and identify what happened. Was there a bad source of email addresses? Did someone submit addresses of spamtraps to a webform? Was there a technical problem? Again, talk to your people internally. In many companies I have noticed a tendency to try and troubleshoot problems like this at very high levels (VP or C-level executives) without involving the employees who probably know exactly what happened. This sometimes leads to mis-identifying the problem. If you can’t identify it, you can’t fix it.
Step 3: Identify the solution
Once you know what the problem was, you can work out a solution. Sometimes these are fairly simple, sometimes not so much. On the simple end you may have to implement some data hygiene. On the more complex end, you may need to change how data is handled completely.
Step 4: Inform the relevant parties of the solution
Make a statement about the problem, that you’ve identified it and that you’ve taken steps to fix it. How you do this is a little outside my area of expertise; although I have participated in crafting the message, rely on your PR folks for how to communicate this. In the Internet space, honesty is prized over spin, so do remember that.
Every company is going to have the occasional problem. In the email space, that tends to result in the company being labeled a spammer. Instead of being defensive about the label, use the accusation to drive internal change to stop your mail from being labeled spam by the recipients.

Read More

Changes at Comcast Postmaster

Two changes at the Comcast Postmaster page that I think are worthy of mentioning.

Read More

Spam that's not spam

Steve and I were talking this evening and I mentioned to him that I got “a lot of spam that wasn’t really spam. Know what I mean?”
He did. But if I tell that to you, what does it mean to you?
More on this in a couple days, but I’m onsite at a client’s for the next few days so it may take me a plane ride home to put all the thoughts down.

Read More

You might be a spammer if…

… the best thing you have to say about your email practices is “They’re CAN SPAM compliant.”
… text to .gif is a vital part of your email generation process
… you have to mail from multiple ESPs in order to get good delivery
Please contribute your own in the comments.
I’d also like to thank Al for guest posting 2 days this week. Thanks, Al!

Read More

E-Postage Just Won't Die

E-Postage is back! Wired covers a report from New Scientist. Here’s what they have to say: “Yahoo’s researchers want you to voluntarily slap a one-cent stamp on your outgoing e-mails, with proceeds going to charity, in a bid to cut down on spam. Can doing good really do away with spam, which consumes 33 terawatt hours of electricity every year, not to mention way too much of our time?”
Alex Rubin at Return Path says hold up, wait a minute. He writes: “Our contacts at Yahoo! tell us this idea is purely in the research realm, and is not scheduled for development in Yahoo! Mail. In other words: it isn’t even vaporware and isn’t likely to be a part of the Yahoo! mail system anytime soon.” He goes on to say (I’m paraphrasing) that oops, Yahoo didn’t really intend for this research to become public.
So, apparently, there are no plans for Yahoo to roll out E-Postage today, tomorrow or next week. Nothing to see here, beyond a simple web site and some thoughts from a Yahoo researcher. Some individual’s hopeful vision for the future, not a corporate announcement of an upcoming product.
E-Postage has always been a neat idea, I’ve thought. A neat idea beset by insurmountable problems. First, end users don’t want to pay for the email messages they send, they want all you can eat. With years of webmail providers offering free email access, you’ll have a heck of a time convincing somebody’s grandmother that they have to pony up a nickel to be able to email the grandkids.
Then, answer me this: Who’s going to handle the economics on the back-end? And any time you have a computer storing a resource (like, say, account information for that tiny little bit of money you’ll need to be able to send me an email), that information can be hacked, exploited, stolen. You think spammers are actually going to pony up? Why would they? They’ll just hack into millions of exploitable computers, stealing five cents from everyone along the way, and gleefully shoveling millions of spams into millions of inboxes.
This concept of E-Postage, either paying money to send email, or spending “computational power” to send email, has been kicking around for years. Periodically, some researcher comes up with the idea anew, and suggests that we all immediately adopt their sure fire plan to solve the world’s spam problem, immediately, pennies at a time. These ideas never seem to go anywhere. And that will never change until somebody can actually convince most of the world to adopt their proposed scheme. Will it ever happen? Never say never, but I have no plans to rush out and buy e-Stamps any time soon.
— Al Iverson

Read More

Beware: Phishing and Spam in Social Networks

Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do.
In Rik Ferguson’s investigation (which I read about on CNet News), he came across a link to a URL that asked for his Facebook credentials, supposedly necessary to allow installation of a specific Facebook application. Once the credentials were handed over, the app immediately spammed all of his Facebook friends, sending them a bogus notification, attempting to draw them into visiting the phishing/malware URL, with (one assumes) the hope of spreading the infection even wider.
He’s a researcher for Trend Micro, so he knows what he’s doing. But for the rest of us, this highlights how necessary it is to be careful with who you give your usernames and passwords to. In my opinion, it’s never safe to take your username and password from one site and hand it over to another site. Some social networking sites make the problem even worse by blurring the lines between safe and unsafe by asking for usernames and passwords to third party accounts, but you just can never know with 100% certainty which sites are legitimate and which ones aren’t.
— Al Iverson

Read More

White House spamming: update

There’s quite a discussion about the White House spam going on over at Bronto Blog.
Ken Magill wrote about the controversy today in Magilla Marketing. Anyone who’s followed his newsletter for a while knows he’s been reporting on politicians buying and sharing lists for the last few months. He has some data that may help clarify where the addresses aren’t coming from.

Read More

Delivery Blog Carnival – Selling, trading and renting email addresses

A couple weeks ago, I linked to a comment from a marketer mentioning that email addresses should be able to be traded around like snail mail addresses. I suggested this might be a good topic to hear from a lot of different people on.
Mickey posted List Rental is…. In that post he looked at how email is different from direct mail and how the attitudes are different as well.
The folks at Bronto got into the spirit of the blog carnival and Kristin, Kelly and Chris all contributed to a single post offering their perspectives on trading lists, intrusive marketing and delivery.
Al Iverson has two posts on buying lists. One is an older post talking about the delivery hassles and problems related to purchased lists from the perspective of an ESP delivery expert. Over on his SpamResource blog, he posts about the same issue from the perspective of a recipient who is tired of receiving spam.
I also posted on the issue, looking at how email is not snail mail and senders cannot be successful in email by applying the direct mail rules.
Thanks to everyone who submitted posts.

Read More

Email is not direct mail

A few weeks ago someone commented on a previous post of mine about list purchasing saying that at some point senders should be able to trade and sell email lists like they trade and sell direct mail lists. As much as marketers may not like this, email is never going to be the free for all that direct mail is and they’re never going to have the ability to trade email addresses the way they do physical addresses.
I don’t think this “marketing opportunity” is going to be realized for two major reasons. One, marketing is intrusive and people are more resistant to intrusions in their email boxes than intrusions in other places. Two, marketers own many of the channels used for marketing, but they don’t own email.
Billboards, commercials, flyers dropped in the driveway, garbage in the mailbox, door-to-door salespeople, telemarketers interrupting dinner, pop-up ads that cover up the content on the website. All of these push marketing into the daily lives of people. Marketers set out to intrude and interrupt their targets. The interruptions often generate frustration and anger. Marketers also make it difficult, if not impossible, to opt-out of the marketing. “Put me on your do not call list” doesn’t always work. Requesting to be removed from a catalog list rarely works. The only way to avoid pop-ups is to avoid those websites that serve them. Door to door sales people just keep coming and each one is sure the “no soliciting” sign is not directed at them.
Marketers have created an over-saturation of marketing. People are frustrated and exasperated by the interruptions. Many feel powerless in the face of so many intrusions.
Email marketing is, in many ways, the ultimate in intrusive and interruptive marketing. The marketer can send email whenever they want and it waits to interrupt the recipient. Combine this with how people use email and it is a recipe for recipients being intolerant of unasked for email marketing.
Email is, at its heart, a way for people to communicate with one another. It is a more immediate and personal way of communicating than writing letters to each other. Email is closer to a replacement for phones than it is for a replacement of snail mail. People started seeing their inbox as a way to have close to real-time conversations. Marketing email, particularly unasked for marketing email, is often seen as an interruption of the conversation. Unasked for marketing email is much closer to a telemarketer calling during dinner than it is to receiving an unsolicited credit card offer in a mailbox.
People don’t really like unasked for marketing emails; many of them refer to such emails as spam.
People feel a lot of ownership over their inbox. This ownership results in loud calls to their ISPs to stop the spam. The ISPs have responded by providing more and more controls over who can intrude in any one user’s inbox. The end result is that end users have more control in this medium than they have in other types of intrusive and interruptive marketing. As long as the power is in the recipients’ hands, marketers will find it difficult to trade addresses around like they do for snail mail.
This individual control directs the actions of the ISPs. If enough customers tell an ISP that a particular sender is sending spam, then the ISP will block that mail. The ISPs are gatekeepers protecting their customers from spam. The power of one person blocking a single mail is multiplied when thousands of people block the same mail. Eventually, the ISP will stop the mail from getting to the users.
ISP customers have said, loud and clear, we do not like spam. ISPs responded by blocking spam, instituting lawsuits against spammers and promoting laws that make some types of spam illegal. Until the business model of ISPs changes, that is they’re not making money from their customers and are instead making money from email marketers, the ISPs will continue to listen and set standards that make recipients happy.
In this one area marketing targets have more influence and power than marketers. Marketers can’t treat email like another direct channel because marketers don’t own the channel and don’t make the rules there. This is why trading address lists around is not going to become an acceptable or accepted practice.

Read More

Contact addresses and spam

One of the challenges anyone doing business on the internet faces is how to provide contact information so that potential customers can reach you in a form that spammers can’t easily abuse. Contact forms are the classic method, but they can be (and are) abused by spammers. We decided to try something different. About 2 months ago, we started using rotating contact addresses. Every day a new address is deployed on the contact form on our website. Each address is valid for a fixed period of time, and is then retired.
This seems to be working well for us. Spammers are harvesting the email addresses, but because they are only valid for a fixed period of time, the amount of spam in my mailbox is not overwhelming. I am spending less time searching for sales mails through spam. An interesting side effect is I can actually see who is harvesting addresses and spamming.
It’s not perfect, I’m still getting spam to that address. But it’s spam at a level where I’m not losing real mail.

Read More

Delivery Blog Carnival

I’ve been thinking for a while that a delivery blog carnival might be an interesting thing. Al, Mickey and I were talking today about a comment on an article and we thought it might be interesting if we all blogged about it. Then I thought we could open it up to a wider audience.
The comment that prompted our conversation is:

Read More

Gmail unsubscribe option update

Brad Taylor has a post on the official Gmail blog talking about the new unsubscribe option. There are two points I didn’t cover here yesterday.

Read More

Gmail offering unsubscribe option

This morning Lifehacker reported that Gmail was offering an option to unsubscribe from some legitimate email lists.
Gmail’s help pages say:

Read More

Yahoo fixed XBL problem

Yahoo sent out an email yesterday evening to their postmaster mailing list saying they believe they have fixed the issue that I mentioned earlier this week. Some of the MXs were erroneously rejecting mail claiming that the sending IPs were on the XBL.

Read More

12% of email recipients respond to spam

Twitter and some of the other delivery blogs are all abuzz today talking about the consumer survey released by MAAWG (pdf link, large file) looking at end user knowledge and awareness of email security practices.
The survey has a lot of good data and I strongly encourage people to look at the full report. There are a couple of results that are generating most of the buzz, including the fact that nearly half of the respondents have clicked on a link or replied to a spam email. Additionally, 17% of respondents said they made a mistake when they clicked on the link.
The magic statistic, though, is that 12% of the respondents said that they responded to spam because they were interested in the products or services offered in the spam. This, right there, is one of the major reasons why spam continues and is a growing problem. Out of 800 people surveyed, almost 100 of them were interested enough in the products sold by spam to respond positively. There are roughly 1.6 billion people on the Internet, which gives spammers a market of 200 million people for their spam.
Other studies have seen similar responses, that is, consumers do respond to spam. Most surveys don’t define spam, however, and given a lot of consumers call “mail I don’t like” or “all commercial email” spam it’s hard to know what the respondents are responding to. In some studies, some respondents even defined mail from companies that they had given their email address to, but had not explicitly asked for email from, as spam. In this study MAAWG did request how the respondent defined spam. Of the respondents, 60% say spam is mail they did not solicit, and 41% say spam is mail that ends up in the spam folder. Given that 60% of respondents define spam as “unsolicited email” it is possible that some people are responding to mail they never requested.
Sad news for those of us who were hoping that lack of consumer response would make spamming unprofitable enough that spammers would stop.
The crosstab between “how do you define spam” and “how do you react to spam” may be an interesting data set to see.

Read More

Yahoo delivery problems

Al writes about a Yahoo delivery problem where they have identified a particular Yahoo MX that is falsely returning “mail blocked due to XBL.” The IPs in question are not on the XBL. Yahoo is aware of the issue and is working on a resolution. If you are seeing these bounces, Yahoo is aware of the issue. Exacttarget has worked around the issue by suspending deliveries to the affected MX.

Read More

Links for 7/8/9

With all the traveling I did last month, I’m still not back to full blogging speed. I have been slowly reading through the backlog of unread posts from my RSS feeds and there was lots of good stuff published.
Three myths about DKIM by John Levine. A very good explanation taking down some of the myths of DKIM. Also on the DKIM front, RFC 5585 DKIM Service Overview was published last month. According to Cisco, DKIM adoption is climbing. More information about DKIM is available at dkim.org and our own dkimcore.org.
The always awesome guys at Mailchimp have embraced twitter as part of their platform. Not only have they set up their own service for link shortening so that links can be tweeted, but have also incorporated twitter stats into their mail dashboard.
Al has an insightful post on delivery, spam filtering vendors and the differences (or lack thereof) between B2C and B2B marketing. As I tell my customers, there is no switch inside the filtering scheme for “I know this person, they’re OK, let the mail in.”
Terry Zink has started a series about blacklists triggered by the recent SORBS announcement. His first post, My take on blacklists, part 2, discusses how some people go about building a blocklist from scratch.
Happy 7-8-9 everyone.

Read More

Thoughts on transactional mail

I mentioned a few weeks ago about a conversation I’d had at MAAWG about transactional email and opened up the conversation to readers here. Mike proposed a definition.

Read More

Modifying RP managed FBLs

I was recently pointed to the FBL support pages for those feedback loops hosted by ReturnPath. Clicking around, they have the framework and the beginnings of a good source of information for their services. You can also open support tickets for questions and services that are not covered in their knowledge base.

Read More

Problems at Excite

I’ve been chasing an intermittent and inconsistent delivery problem at Excite for a week or so. Excite is accepting email, but mail is not getting to the recipient’s inbox or bulk folder. Al tweeted he’s seeing a similar problem with his customers’ mail and had contacted Excite.
Excite does appear to be aware of the issue, but I have no ETA on a fix.
EDIT: Comments are closed

Read More

Update on FixOutlook.org campaign

Last week I mentioned that the Email Standards Project has started a website (FixOutlook.org) and a twitter campaign to pressure Microsoft to use an HTML compliant rendering engine for Outlook. Currently Outlook uses the HTML engine in MS Word and that engine is not fully compliant with the HTML standards as published by W3C.org.
Microsoft did reply to the FixOutlook.org campaign on the MSDN Developer blog. The money quote, which they bolded for emphasis in the original post:

Read More

Email standards and formatting

There is a lot of buzz on twitter and the email blogs today about Microsoft’s decision to use the HTML rendering engine from MS Word in Outlook 2010 instead of the HTML rendering engine from Explorer. The people behind the Email Standards Project have set up FixOutlook.org and are asking people to join twitter and tweet the fixoutlook.org URL to send a message to Microsoft.
I’ve been thinking about this much of the morning, and considering Microsoft’s history with implementation of standards. Microsoft has never really followed many of the Internet standards. They adopt what they like, and create new “standards” that work with MS products. This has worked for them, given their position in the market. Companies and software developers that wanted to interoperate with Microsoft software had to comply with Microsoft, Microsoft never had to comply with them.
I find it extremely unlikely that this effort will cause Microsoft to deviate from their course. Based on Microsoft’s history, the solution is not for Microsoft to change rendering in Outlook, but for everyone else to change how they do things.
Mark Brownlow blogged on the topic, too, and makes another of his insightful points. Email marketers and email designers are not an important user group to Microsoft. Instead, they’re focused on the actual people who use Outlook to send and receive email.

Read More

Guilty of violating CAN SPAM

Al Ralsky has long been known as “the king of spam.” He has a long history of spamming and of suing ISPs who block his mail and refuse to provide him with connectivity. He was profiled in the Detroit Free Press based on his spamming activity more than 5 years ago. He also has a history of convictions for fraud and other related crimes.
Yesterday, he and some of his family and business partners pled guilty to another raft of charges including fraud, money laundering and CAN SPAM violations. This may be the first time someone has pled guilty to violating CAN SPAM. Press reports indicate there is jail time in his future.
Detroit Free Press article
Washington Post article
DirectMag article
This is the type of mailer that all mailers compete with. Everyone had to deal with spam from Al Ralsky: recipients, senders and ISPs. Thanks to the justice department, FBI and everyone involved for their hard work.

Read More

What a world!

One of the fascinating things on the Internet is how a few dedicated people can create free, or mostly free, resources that become an important part of infrastructure for companies around the world. Blocklists are one of the prime examples of this phenomenon. Almost all of the widely used blocklists started out as a resource provided by a single person, generally using recovered hardware on donated bandwidth. There is a consistent time commitment, but no more than any other hobby.
As the list gains in popularity, the resource commitment increases. Hardware purchases and upgrades need to be made, bandwidth bills increase, more and more time must be spent dealing both with people using the list and people affected by listings. Truly popular lists may have to invest in ticketing systems and diagnostic infrastructure. Websites need to be maintained. The list may now be part of the infrastructure at far flung corporations or ISPs. People affected by the listings may be demanding immediate responses. The hobby is now the equivalent of a job and people who aren’t paying the maintainer rely on that “hobby” for their own networks.
Once a list is successful, the maintainer needs to expand infrastructure, build up redundancy and have defenses against various attacks. This is the point where they start talking to volunteers to manage some of the extra work. Typically they find individuals or corporations willing to donate bandwidth and rack space.
Successful lists rely on volunteers or paid staff to handle listings and delistings as well as the databases, websites and DNS servers required to host a public service. None of this is unusual, many of the people maintaining lists are strong proponents of the open source software and use that to model the blocklist services as well. However, it’s always a good thing to remember that some of the people maintaining blocklists are doing this not for any personal profit, but as a way to contribute to the community on the Internet.
One thing I didn’t mention above, but deserves to be recognized is that the maintainer needs to be someone with people skills and the ability to handle conflict. This is true for internal conflict, among the volunteers or the service providers as well as external conflict with people affected by the blocklist. There is a lot of conflict around blocklists and it’s critically important that the maintainer, or their designated representative, be able to handle angry people in emotionally charged situations.
Why did this come up today? One of the top blocklists, SORBS, announced over the weekend (at least here on the west coast of the US) that without someone stepping up to donate bandwidth and space SORBS would be shut down in July. Other bloggers have commented on this. In case anyone was unclear on the commitment it takes to maintain a space, Michelle mentions in her shutdown post that SORBS needs a full 42U of rack space for the hardware and has commented on spam-l that bandwidth costs are estimated by her current host to be 200K a month.
Given the time and resource constraints it is unlikely that SORBS users will see uninterrupted service. It is possible that the data will be moved and hosted elsewhere, however, current SORBS users may want to stop querying the lists now and wait for a resolution to be announced.

Read More

Pizzanomics

Ben at Mailchimp has a very funny post about how pizza is a metric for how big your company is.

Read More

Choosing Twitter over Email to engage customers

Eric Goldman has an interesting blog post over at his Technology and Marketing Law blog comparing and contrasting Twitter and email. One of the reasons he likes Twitter is that it gives him, the ‘subscriber’ (follower in Twitspeak), control. There’s no chance that the company will sell his data. And, if the company does tweet too much that is uninteresting or irrelevant, the follower can ‘unsubscribe’ (or unfollow) without any fear that the company will override or lose the unsub request.
To my mind, the biggest problem with Twitter for B2C communication is the 140 character limit. On the other hand, it means that companies need to be clear in their language and concise in their tweets. Maybe the limited space is actually a feature not a bug.

Read More

Y! and ARF

Someone twittered me a question about Y! and their ARF reports. Apparently the ARF header is not including AM/PM which is causing problems for some people. Yahoo is aware of the issue and looking into it.
On a housekeeping note, sorry for the lack of postings this week. I’m still recovering from the trip and while I have a lot of things I want to talk about (including responding to the great comments on transactional email) I am swamped with catching up.

Read More

Live from MAAWG!

OK, so I’m not at MAAWG any longer and I can’t blog about what happens there even if I was. However, there is an article at PC World about the conference.
I’ve been going to MAAWG conferences for many years now. Not every one, being a small company means that I can’t just take off for a week, particularly overseas where phones don’t work (something solved by an iPhone 3G). But I’ve been to quite a few of them.
I have to say the last few conferences have really impressed me. The quality of discussions and the training sessions have been full of useful information. Even for someone who has been around as long as I have, there is always something new to learn. I strongly encourage people who want to stop abuse in the messaging sphere to consider joining. Everyone is hurt by messaging abuse: end-users, senders and receivers. We all have a role to play in stopping abuse, and MAAWG is one way to learn about what you can do.
On a more personal note it was great to meet new folks and to see familiar faces. And a big thanks to all of you who took the time to tell me you liked this blog. Thank you for reading!
EDIT: Another press article about the conference.

Read More

Transactional email

I was talking with some people at the conference yesterday and we started discussing what makes an email transactional. I am reluctant to say the best definition we came up with was “I know it when I see it” but it was close. The interesting thing was that most of the participants agreed that we all used the term the same way.
I thought I’d ask readers here: How do you define transactional email? I’m interested in this both from the perspective of a sender and from the perspective of a receiver.

Read More

Yahoo fixed erroneous rejection problem

Yahoo announced over the weekend that they fixed their rejection problem. It may take some time to filter out to all their MTAs, but they do believe the issue is resolved.

Read More

Introducing the "No email 'till Monday"

Ever have that day? That day full of delivery problems, ISP problems, headaches and turmoil? That week where you want to just forget email ever existed? Ever have that day extend for a week?
So have we all. In honor of that kind of day, we introduce the “No email ’till Monday”.
Fill a shaker with ice. Then add:
6 fl ounces light rum
4 fl ounces pineapple juice
2 fl ounces Cointreau
heavy dash blood orange bitters.
Shake. Pour into 2 cocktail glasses and garnish with a pineapple slice.
Serves 2 (or one if it’s been a really *really* bad week)
We have made this with both light rum and pineapple flavored rum. The pineapple lends a sweeter taste to the drink, but there is a nice burnt sugar edge to the drink with the straight light rum.
I’m headed out on Monday to Amsterdam for a family wedding and MAAWG so blogging will be light for the next 2 weeks. I have some posts stacked up and the people I meet and talk with at MAAWG always trigger new thoughts about email, delivery and spam so do check back while I’m gone.
Those of you who are going to be at MAAWG be sure to stop by my session on Wednesday afternoon and add your perspective to the discussion.

Read More

Yahoo delivery problems

Over the last week or so a number of people have mentioned problems with delivery to Yahoo. It seems that some emails are being erroneously rejected. Earlier this week, Yahoo posted a message to the Yahoo Postmaster announcement list saying they were aware of the problem and were working on fixing it.

Read More

ReturnPath customers?

Someone posted the following question about ReturnPath in the comments:

Read More

Useful links: May 21

Dave Romerstein over at Cloudmark continues his series on blocked email. While he’s not saying anything different than many of us have already said, his perspective is well worth a read.

Read More

Odd Yahoo Bounces

A number of people are reporting seeing a new bounce from Yahoo. “smtp;553 Mail from x.x.x.x not allowed – [10]”. My clients have been asking and other people have been asking about this. It seems that something is changing at Y! More information as I hear it.

Read More

Best time to send marketing email

Pages and pages have been written about the best time to send email. Marketers spend significant amounts of energy discussing and researching the best time of the day and the best day of the week to send email. I have long thought that these discussions do not put enough attention on individual end users and how the recipients interact with email.
Researchers recently developed a model for email user behaviour that splits email users into two classes: “e-mailaholics” that send, and presumably read, email all the time and “day labourers” that send, and presumably read, email during standard business hours. There is very little transition between groups; 75% of users stayed in the same usage group over the 2 years of the study.
What does this mean for senders? Senders need to know how their recipients use email and which user group recipients are in. By analyzing clicks and opens, senders can classify recipients and use that data to send mail that is more relevant and better targeted.
h/t arXiv blog at Technology Review

Read More

Delivery news April 2009

Penton Media’s Marketing Practices
Ken Magill responds to critics of Penton’s email marketing practices in an article out today. His article is quite open and points out that some of the things Penton does are not good.

Read More

Poor delivery is not always about spam

There are days I think we have trained people too well to believe every delivery problem is a misplaced spam block. We also have people trained to expect near 100% immediate delivery from send to inbox.
The problem is, email isn’t 100% reliable. It’s close. Very close. But sometimes mail just fails. It’s not because the ISPs hate you. It’s sometimes not even because the mail looks like spam.
Sometimes Mail Just Fails.
One of the challenges of working in email delivery is knowing enough to be able to separate out the random delivery failures from real delivery issues.

Read More

Links Post

Lifecycle Marketing on Bronto Blog. A good summary of issues in marketing to customers as they move through a relationship with recipients.
Blocked email: why me? on Cloudmark’s blog. A good introduction to blocking issues.
Tamara’s links for 4/16. She’s found a lot of good posts here, including multiple posts about unsubscribes and others on improving your email marketing program.
Speaking of unsubscribes, Loren McDonald discusses how the location of the unsubscribe link can affect reputation and email performance.

Read More

Verizon does not have a FBL

When I posted my initial cut of the ISP information page earlier this year, there was a comment asking about a Verizon FBL. At that time, I talked to some of the people-who-would-know over at Verizon and asked if they do have a FBL. The answer was a definite no.
For some reason, though, I continue to receive questions about the Verizon FBL. Based on the questions, the best I can extrapolate is that there is an ESP out there, somewhere, that states they have a Verizon FBL. It is possible, albeit unlikely, that they have a special agreement with Verizon. However, there is no generally available Verizon FBL.
If Verizon does make a FBL widely available, I will mention it here and update the ISP information page with the data. Until then, be very cautious with claims that there is a Verizon FBL.

Read More

Open rates climbing, click rates dropping

Ken Magill reported on a study published by Epsilon (pdf link) on Tuesday. This report shows open rates are climbing but click-through rates are falling.

Read More

Privacy policies in court

Venkat has an analysis of a case where an individual provided a unique address to a vendor and that vendor released the address in violation of the posted privacy policy. The federal court rejected the suit due to the failure of the plaintiff to provide evidence of harm.
I posted last week about privacy policies and how often they are intentionally or unintentionally violated and when email addresses leak. Courts have consistently ruled against plaintiffs. It seems that the courts believe merely revealing information, even in contradiction to a posted privacy policy, is not actionable by the plaintiff.
As a consumer, I really don’t like the ruling. If a company is going to post a privacy policy, then they should follow it and if they don’t, I should be able to hold them responsible for their lies. Back in the land of reality, I am not surprised at the rulings. Individuals have never owned their personal information; it is the property of the people who compile and sell data.
It does mean, however, that privacy policies are not worth the paper they’re written on.

Read More

Open rates

Right now, there is no way to compare open rates as everyone calculates them differently. Mark Brownlow covers this today.

Read More

The not April Fools post

I thought for a while about putting up an April Fools post, but decided against it. However, today being April first, anything I post is going to be treated suspiciously.
So I decided to ask my readers: what would you like to have me blog about over the next few months? What topics have I touched on that you’d like me to explore deeper? Is there something I’ve not discussed that you would like me to post on?
Also, what information would make your job easier? I know my ISP info chart was tweeted and heavily linked to, is there other information I could put together that would be similarly useful?

Read More

Happy Friday

Mark Brownlow released a video earlier this week titled “If B2B marketing emails could talk.” Enjoy.

HT: Mickey

Read More

Fake privacy policies

I sign up at a lot of websites and liberally spray email addresses across the net. These signups are on behalf of one customer or another and each webform gets its own tagged and tracked email address. I always have a specific goal with each signup: getting a copy of a customer’s email, checking their signup process, auditing an affiliate on behalf of a customer or identifying where there might be a problem in a process. Because I have specific goals, I am pretty careful with these signups and usually uncheck every “share my email address” box I can find on the forms.
In every case the privacy policies of my clients and the things they tell me are explicit in that addresses will not be shared. It’s all opt-in, and email addresses are not shared without permission. Even in the cases where I am auditing affiliates, my clients assure me that if I follow this exact process my address will not be shared. Or so the affiliates have assured them.
Despite my care and the privacy policies on the websites, these addresses occasionally leak or are sold. This is actually very rare, and most of the websites I test never do anything with my address that I don’t expect. But in a couple cases these email addresses have ended up in the hands of some hard core spammers (hundreds of emails a day) and there was no useful tracking I could do. In other cases the volume has been lower, and I’ve watched the progression of my email addresses being bought and sold with morbid fascination.
Today an address I signed up at a website about a year ago got hit with multiple spams in a short time frame. All came from different IPs in the same /24. All had different domains with no websites. Whois showed all the domains were registered behind a privacy protection service. Interestingly, two of the domains used the same CAN SPAM address. The third had no CAN SPAM address at all. None of these addresses match the data I have on file related to the email signup.
It never ceases to amaze me how dishonest some address collection outfits are. Their websites state clearly that addresses will not be bought and sold, and yet the addresses get lots of spam unrelated to the original signup. Those dishonest enough to do this will never get caught unless recipients tag and track all their signups. Even worse, unless their partners test their signups or their mailing practices, the partners may end up unwittingly sending spam.

Read More

Cox FBL update

Delivery mailing lists have been abuzz this week trying to figure out what is going on with the Cox FBL. Someone tried to sign up for the FBL and received a message saying Cox was no longer accepting applications. They forwarded the rejection to some of the mailing lists asking if anyone else had seen a similar message. Panic ensued. Rumors and futile suggestions flew wildly. OK, maybe that’s a slight exaggeration, but there did seem to be more than a little consternation and confusion about what was going on.
Everyone can stop panicking now.
Yes, Cox did stop accepting new applications for their FBL. They were swamped and overwhelmed with applications and had quite a significant backlog. One of my clients got caught in this backlog. I applied for them back in mid-October and they were just approved last week.
In order to solve the backlog problem, they shut down new applications. They will be working through the current applications and when they’ve approved all the current ones, they will start accepting new ones. I expect that it may be a couple months before they’re accepting applications again.
No need to panic. No need to email lots of people at Cox. No need to contact their FBL provider. Remain calm.
If you were lucky enough to get an application in, they will be getting to it as soon as possible. You will receive an email when you are approved.
If you have already been approved, there will be no interruption in your FBL. You will continue to receive reports during the signup hiatus.

Read More

ISP Information pages

I have posted an ISP Information Page. Right now it contains links to Postmaster pages, Whitelist signup pages and FBL signup pages. I have some ideas on what information would be helpful to add, but would like to hear what types of info people would like to have easy access to.
What do you think I should add to the page?

Read More

RoadRunner FBL live

RoadRunner sent out email today announcing their new FBL is live.

Read More

Marketing reports

Two marketing reports were reviewed today in other blogs.
Stefan Pollard writes at the Merkle report showing that recipients really will add a sender’s address to their address book, but that they are picky about which senders they do this for. His article also provides a number of suggestions for how to be a sender that is added to the address book.
Meanwhile, Matt Vernhout discusses the Retail Welcome Email Benchmark Study published by Smith Harmon. Unsurprisingly, the study found that welcome emails were very important to future deliverability.
Happy Friday!

Read More

Organizing the mail flow

I get a lot of email. On a typical day I will get close to 2000 messages across my various work and personal accounts. About 60 – 70% of that mail is spam and caught by SpamAssassin or my MTA filters and moved into mailboxes that I check once a day for false positives. About 15 – 10% of the remaining mail is from various discussion lists, and those are all sorted into their own mailboxes so I can keep conversations straight. The rest of the email is divided between mail directly to me and various commercial lists I have opted in to.
Up until recently, the commercial mail was all just dumped into my inbox. Nothing special happened to it; it just sat there until I could read it. Recently, however, the volume of commercial mail has exploded, swamping my inbox. After losing track of some critical issues, I sat down and fixed my mail filters. Now, all my commercial and marketing mail (i.e., mail I signed up for with tagged addresses) is being filtered into its own mailbox.
There are two takeaways here.
One: the volume of commercial mail has increased significantly. Companies who were previously mailing me once a month are now mailing me twice a week. This contributed to the clutter and resulted in me pushing all commercial mail out of my inbox. I don’t think this increase is limited to just my mailbox, I believe many recipients are seeing an increase in commercial and marketing email, to the point where they’re finding it difficult to keep up with it all.
Two: Recipients have a threshold over which too much email makes their mailbox less usable. Once this threshold is reached they will take steps to change that. In my case, I can just filter all the commercial email as I use tagged addresses for all my signups. In other cases, they may start unsubscribing from all the mail cluttering their mailbox or blocking senders.
It is the tragedy of the commons demonstrated on a small scale.

Read More

Open Rate? Render Rate?

The EEC is pushing the term render rate to replace the term open rate. In addition to changing the name the EEC is attempting to standardize how the render rate is calculated. Loren McDonald, co-chair of the EEC Measurement Accuracy Roundtable posted his views on the discussion today. He presents 3 reasons why we should care about using render rate.

Read More

Images in email

It can be very hard to create engaging graphics and layout that work in all email programs. Each has its own quirks and weirdness in interpreting the underlying HTML code. Today, while investigating an issue for a client, I learned that some versions of Lotus Notes don’t display images in PNG format. Magilla Marketing addresses the same issue today.

Read More

The great debate

While surfing around last night, I discovered that the email experience council is running a poll. “The Great Email Debate Topic #2 – Single Opt-In or Double Opt-In?”
The email blogs have been discussing the question for a few weeks now, since one ClickZ columnist decided to stir controversy by claiming that “it is impossible to grow a list using double opt-in.” The original column inspired many other people to comment on the issue.
This is really a tempest in a teapot. There are situations where no address should be added to a mailing list without some sort of confirmation or verification step. Senders must protect themselves from bad subscription requests and double opt-in is one way to do this. Likewise, there are situations where a single opt-in with good list management will create a very clean list. Double opt-in isn’t necessary to stop spam.
Senders who think that they can’t grow their list with double opt-in are already behind the 8-ball in terms of list management. Yes, lists will grow slower. In the present environment, many users are very used to submitting a registration to a web page and then looking in their mailbox for an email to complete the process. No longer is “double opt-in” a foreign concept. Social networking sites, web forums and mailing lists commonly use double opt-in.
The challenge is for marketers to construct a signup process that is engaging enough to convince users to check their mailbox and click on the link. Senders with good marketing strategy will be able to do this, when it’s necessary.
Not every mailing list has to be double opt-in, but every engaging list could be without decreasing the number of subscribers.

Read More

Not all email is created equal

I have been dealing with a client delivery issue at a major ISP recently. During the course of troubleshooting my client tested mail delivery using a personal email account. This client noticed that email was delivered promptly. He then asked me if it was possible to get the ISP to prioritize his bulk mail over personal email. The short answer is no, ISPs do prioritize one-to-one email over bulk email.
Answering the question for him crystallized some vague thoughts that ended up running through my head at the conference last week. During the conference, and similar email conferences, conference calls and any discussion that involves senders and receivers, there is usually little discussion of end users.
End users. Those people who are recipients of the emails that senders send. Those people who are customers of the receiver ISPs. End users who are almost never involved in the conversation, but without whom there would not be a conversation. These are the people that really matter. These are who senders need to engage. These are who the receivers need to keep happy.
It is, in fact, the end users who want one-to-one email more than they want bulk mail. Even the best bulk mail is not as engaging as that email from your best friend, or the problem solving with a colleague, or the latest gossip. ISPs know this, and they do not prioritize bulk mail, no matter how well managed and how engaging, over one-to-one mail.

Read More

Link Roundup

Why email marketers are hated. A group of Ontario spammers finds Ken Magill’s email address and spams him. Repeatedly.
New docs in e360 v. Spamhaus. The judge threw out the after-the-fact affidavit from e360, but did not grant Spamhaus’ motion for summary judgment. Looks like this might end up at trial after all.
Oral arguments in Zango v. Kaspersky. I have been following this a little because SamSpade for Windows was classified as malware by one vendor a long time ago.
New books on email marketing.
Anything interesting people have seen that I missed?

Read More

MAAWG Senders

Last week at MAAWG a number of members asked me about signing up for the MAAWG senders’ list. I have instructions for how to do so. If you would like a copy, email me at laura-maawg at wordtothewise dotcom.
Note: ONLY MAAWG members are eligible for any of the discussion lists or working groups.

Read More

Jon Leibowitz: New FTC chair

Jon Leibowitz is slated to be appointed the new chair of the FTC as reported by Bloomberg and CNet. This may mean tougher regulations online. In the past Mr. Leibowitz has advocated that online advertisers move to opt-in for website cookies. This may signal his intention to put more control in the hands of the consumer. According to Bloomberg, Mr. Leibowitz has also “advocated more aggressive enforcement by the FTC.” We may see more CAN SPAM prosecutions as a result.

Read More

Brand name spam

I’ve been getting a lot more spam advertising name brand companies. Places like FTD Flowers, Seattle Coffee Direct, Wal-Mart, Jet Blue, Gevalia and VistaPrint seem to all be working with spammers. In some cases, I am getting the same email to different email addresses from different domains and different IP addresses.
I am sure, if asked, all the advertised companies would say they have no knowledge of spamming by their vendors. I’m sure they would say that their vendors tell them I opted in to the email and must have just forgotten. I am sure that this isn’t really spam.
Except it really is spam. Real companies with real brands do use the services of spammers. When caught they loudly protest their innocence and talk about rogue affiliates. In the best cases they will “fire” the affiliate and then look the other way when the affiliate signs back up.
Spam is sending mail to people who never requested it. Hiring someone to do it for you doesn’t mean you aren’t a spammer. With the economy tanking and companies trying to maximize their bottom line, more and more name brands seem to be jumping on the spam bandwagon. It is not an unexpected development, but it will mean more aggressive spam filtering and more difficult email delivery for everyone.

Read More

Words of wisdom from the hallway

Sitting around talking with folks in the hallway. One ISP rep mentions “we think we have found another front company of theirs…”
My only comment was “If a company needs to create a front company…” We all just looked at each other and didn’t need to come up with the “then…”
Really, if a sender thinks they must establish front companies to get connectivity or get customers or get delivery… then this is an admission of guilt.

Read More

Gearing up for MAAWG

One of the nice bits of SF MAAWG is that I don’t actually have to get on a plane in order to get to the conference. Still there seems to be a very long list of “things to do” before heading up to the city.
If you’re going to be there, stop by and say hi.

Read More

Double opt-in, it's not what you think it is

Bill McCloskey has a post over on ClickZ about single opt-in vs. double opt-in. The post itself is generating a lot of buzz in the industry and has pages and pages of comments. I’m not going to really comment on the post, as I think much of what I would say has been covered in the comments, in posts here and in every email marketing discussion that has happened in the last 5 years.
I do want to comment on one of the comments, however. This comment makes the assertion that “double opt-in was a term designed by spammers to make confirmed opt-in look too troublesome and problematic to use.” This is a bit of lore that is deeply, deeply established in the minds of many anti-spammers. There is a core group of activists that are completely convinced that anyone who ever uses the term double opt-in to refer to a confirmation practice is not only a spammer, but a lying scammer. They cannot imagine a world where someone might use this term while actually supporting the practice.
The problem with this belief is that it’s not true. Double opt-in was mostly used by PostmasterDirect (now part of ReturnPath) as a way to market their email addresses. PostmasterDirect actually patented a process for confirming addresses and used double opt-in as a way to distinguish themselves in the market place. It wasn’t that double opt-in was twice as hard as opt-in, it’s that their email address lists were twice as good as those other lists that you might be thinking of buying.
So, no, double opt-in is not spammer speak. It is, in fact, often the speech of a sender who is attempting to do the right thing. The fact that the sender does not know a made up history of a term does not turn them into a lying spammer. Asserting that it does says a lot more about the person making the assertion.

Read More

Question from the comments

On yesterday’s post there is a question in the comments that I think needs a bit more discussion.

Read More

The unexpected email

In almost every discussion of “how to stop spam” someone will come up with the idea that if a recipient only allowed known people to send them email then the spam problem would be solved. There are lots of problems with this type of solution, but one of the biggest is that it ignores that sometimes the unexpected email is wanted. Typically, these unexpected but wanted emails are from an old friend or contact. But sometimes, the unexpected email can actually look like unsolicited bulk email and yet be wanted.
I actually received one of those emails today. The folks at http://schmap.com found my flickr stream and sent me email asking me for permission to use a couple of my photos in their London city guide. Completely unexpected, but very welcome email.
Sometimes, in the struggle to keep email useful and to keep spam out of the inbox, we forget how useful and wanted that unexpected email can be.

Read More

Building a list for the long term

Mark Brownlow asks 2 key questions senders should be thinking about for their list building strategy for 2009.

Read More

ISP Postmaster Pages

I’ve been working on some reference information about ISPs for my own internal use as well as sharing with clients. There doesn’t seem to be any public reference site for postmaster sites, so I decided to publish what I’ve collected.

Read More

Better Preheaders

Mark Brownlow has an article about using pre-header space better in your emails.

Read More

Lycos Europe shuts down

Multiple bloggers have commented on Lycos Europe shutting down. Some of them have linked to domains involved. One person, who wishes to remain anonymous, has sent me a list of domains which have a MX pointing at Lycos Europe. If you see a failure to resolve or connect to any of these domains in the coming weeks, you should remove all the email addresses at that domain from your lists. The list is about 500 domains, so they’re behind a cut.

Read More

Yahoo FBL returns

This morning ReturnPath and Yahoo announced the new Yahoo FBL has gone live. Signups are being accepted at http://feedbackloop.yahoo.net/. Yahoo provides the following instructions:
Yahoo! offers a Complaint Feedback Loop service, free of charge, via this site operated by Return Path. To begin the process:

Read More

AOL Postmaster Support down Jan 16th through Jan 20th

AOL just posted that the backend of their postmaster support ticketing system will be down from January 16th through January 20th. This means that while new tickets can be opened, work will not proceed on them until the system is back up on Jan 20th. I expect this also means that any tickets in the system might be delayed as well.

Read More

Google Apps – where's my abuse@

Most ISP feedback loops require you to demonstrate that you’re really responsible for your domain before they’ll start forwarding reports to you. The usual way that works is pretty similar to a closed-loop opt-in signup for a mailing list – the ISP sends an email with a link in it to the abuse@ and postmaster@ aliases for your domain, and you need to click the link in one or both of the emails to continue with the feedback loop signup process.
That’s mostly there to protect you, by making sure that someone else can’t get feedback loop messages for your domain. And it’s not too difficult to do, as you should already have an abuse@ and postmaster@ alias set up, and have someone reading the abuse@ alias.
But maybe you’re using Google Apps to host your corporate email, and that’s the domain you need to use for your feedback loops. So you go to create abuse and postmaster users, but it won’t let you – you just get the error Username is reserved for email list only. Uhm, what?
Google want to police use of domains hosted on their service, so they automatically set up abuse and postmaster aliases for your domain, and any mail sent to them is handled by Google support staff. You may well be happy with Google snooping on your abuse role account, but you really need to be able to read the mail sent to it yourself too.
So what to do? Well, the way Google set things up they actually create invisible mailing lists for the two role accounts, and subscribe Google Support to the lists. In older versions of Google Apps you could make those mailing lists visible through the user interface by trying to create a new mailing list with the same name, then simply add yourself to the mailing list and be able to read your abuse@ email.
But Google broke that functionality in the latest version of the Google Apps control panel, when they renamed email lists to “groups”. If you try and create a new group with the email address abuse@ your domain you’ll get the error “Email already exists in this domain”, and no way to make that list visible.
So, what to do?
Well, there’s a workaround for now. If you go to Domain Settings you can select the “Current Version” of the control panel, rather than the “Next Generation” version. That gives you the old version of the control panel, where all this worked. Then you can go to User Accounts, create a new email list delivering to abuse@ and add one of your users to the mailing list. You can then set the control panel back to “Next Generation” and have access to the mailing lists via Service Settings → Email → Email Addresses.
Hopefully Google will fix this bug, but until they do here’s the step-by-step workaround:

Read More

Subvert the dominant paradigm

I am very slowly getting back into the swing of work and reconnecting with colleagues and other delivery folks, both on the sending and receiving side. On the sending side, there are multiple discussions happening about how senders can best communicate with receivers how much spam blocking by ISPs impacts legitimate businesses.
This is one of those perpetual issues, popping up usually around the time of conferences where both senders and receivers pop up. Senders are frustrated by the amount of their mail that is blocked, receivers are frustrated by the amount of mail that isn’t blocked and by the complaints from their users. The sender solution is to attempt a dialog with receivers, where they can tell the receivers how much legitimate mail is blocked. Receivers respond by avoiding senders as much as possible.
The impasse annoys everyone and doesn’t do anything to get mail delivered. I challenge both senders and receivers to find a new way to relate to each other this year.

Read More

MAAWG agenda published

For those of you who are MAAWG members, the agenda for the February meeting in San Francisco has been published. Who is planning on attending?

Read More

Legitimate list vendors

In this week’s Magilla newsletter, Ken provides a number of ways to identify a bad email list vendor. His suggestions are not only appropriate for list vendors, but are also a good way to screen mail partners, customers or even vendors.

Read More

RoadRunner FBL information

RoadRunner has decided to delay the launch of their new FBL until after the holidays. Sounds like a good idea to me; the launch is never quite as smooth as the ISP wants it to be. People are checking out, and trying to troubleshoot the problems while also dealing with all the extra stress and demands of the holiday season is asking for trouble. The good news is that they are now planning on running the two FBLs in parallel for a few weeks, instead of ending one then starting the other.

Read More

Co-reg

Well over half of the clients who come to me with delivery problems admit at some point that one of the ways they collect subscribers is through co-registration. They typically have widespread delivery problems at the major ISPs as well as SBL listings.
John Levine posted over the weekend about his thoughts on co-reg.

Read More

Blocking mail to spamcop.net

Josh reports mail from MobileMe to spamcop.net addresses is being filtered somewhere and isn’t being delivered or actively bounced. He asserts that Apple is blocking all mail to Spamcop addresses.

Read More

Aggregate stats for benchmarking

The great folks over at Mailchimp publish aggregate stats from their customers. This is a useful set of data for senders who want to see how other mailers or ESPs are doing.
One set of stats is the data from

Read More

Mailing old files, part 2

Stephanie Miller at ReturnPath offers suggestions on how marketers can break the rules, mail old lists and reap the rewards.

Read More

Old lists have bad delivery

This is something we all know is true, and something that everyone believes. But, Mailchimp has actually published numbers demonstrating just how bad old lists are.

Read More

Yahoo delays

People are reporting delivery delays into Yahoo over the last day or so. Yahoo is having some general connectivity problems and is working to correct the issue.

Read More

Excite (BlueTie) FBL live

ReturnPath announced today that the BlueTie FBL is live. You can sign up for the new FBL at http://feedback.bluetie.com/.

Read More

Just Leave Me Alone Already

I tend to avoid online sites that require you to register and provide information including email addresses. In my experience, companies cannot resist sending email, and my email load is extremely heavy; I want less email, not more. Sometimes, though, what I need to do requires an online registration and giving an email address to a company I would really prefer not to have it.
Recently, I had to register online with AT&T Wireless. My iPhone was getting repeated text spams and I wanted it to stop. The only way to do this is register online. Registering online required giving them an email address.
The text spam has stopped, but they have been sending me almost daily emails since then. Each email has an opt-out, and I have availed myself of every opportunity to opt-out. Each opt-out link takes me to a different site, a different page, a different process.
In two of the cases, AT&T seems to be violating the new CAN SPAM provisions. For one, I had to tell them what I wanted to opt out of (email or phone) and then was taken to a page where I had to input my cell number, my email address and request to be removed. In another case, I was forced to log in to my online wireless account and then was able to change preferences. In only one of the 3 opt-outs I have requested was the opt-out form actually a single click, just requiring my email address.
I am wondering just how many mailing lists AT&T added my address to and how often they will continue sending me mail after their 10 days are up. It is this level of frustration, that mail just keeps coming and coming and coming even after the recipient has repeatedly attempted to opt-out, that causes people to hit the “this is spam” button on mail that the sender thinks is opt-in.
But, really, AT&T, please stop sending me mail that I never asked for, and that I have repeatedly asked you to stop sending me by jumping through your hoops. Oh, and you may consider sharing the opt-out data with all the same internal groups that you shared my email address with initially.

Read More

FBL updates

Roadrunner shifted the release date for their new FBL to December 14th.
Despite rumors, the Yahoo FBL is not actually accepting new participants.

Read More

Twittering

Yes, I finally succumbed to peer pressure and started twittering as wise_laura. Stop on by and introduce yourselves.

Read More

New AOL postmaster blog

AOL has their new postmaster blog up and running at http://postmaster-blog.aol.com/. Today they announced new tools over there including a FBL checking tool and a block checking tool.

Read More

Gmail problems

Some people have been reporting problems with mail to gmail backing up. Steve has some information about the problem.

Read More

SpamZa fails again

The SpamZa folks have been attempting to use this blog (and probably other blogs) to get out their message that their website can be used to abuse both recipients and senders. They have been having connectivity problems, most likely due to their abuse being unacceptable to the upstreams they could find. Now, faced with the utter failure of their spam people project, they are attempting to post comments ridiculing those of us who were on the right side of this issue.

Read More

AOL Postmaster blog down

AOL has discontinued their blogging platform. This means the AOL postmaster blog is no longer active. I suspect the AOL postmaster team is exploring their options and trying to find a way to continue blogging.
If I hear anything one way or another, I will post it here.
Update: 11/3
AOL assures me they are migrating to a new platform and the blog will be back up.
I also managed to grab a copy of the IP Reputation post that AOL put up and I linked to last week.

Read More

Email news

ReturnPath sold its email change of address division to Fresh Address and spun off its email marketing division. Full announcement at the RP Blog and a copy of the press release at EmailKarma.
e360 petitioned the court earlier this week to compel Spamhaus to expand on their answers to e360’s interrogatories. Today the court denied the motion. Text of the motion at Mickey’s place.
There has been a noticeable increase in registrar phishing over the last week. This may be related to ICANN de-accrediting ESTHosts, a registrar well known in the anti-spam community for registering domains used in phishing and spam. UPDATE from ICANN.

Read More

Monitoring customers at ESPs

In the past I’ve talked about vetting clients, and what best effort encompasses when ESPs try to keep bad actors out of their systems. But what does an ESP do to monitor clients ongoing? Al Iverson from ExactTarget says that they:

Read More

We want your mail to succeed

One thing I hear from a lot of delivery folks, both consultants and those who work at the ESPs, is that their customers and clients fight back whenever they say no. A client or a customer proposes this great idea that involves sending irrelevant email to uninterested people. Then, with bated breath, they ask their delivery consultant to agree it is a brilliant idea. Most of the time, their great idea is actually a bad idea. Those of us who have been around a while can even provide examples and experiences that back up that it is a bad idea.
The result is similar, when told their idea will hurt their delivery they fight tooth and nail. On good days they will argue and decide to listen. On bad days they go off and do what they were warned not to do.
It can be horribly frustrating for all of us in the delivery field. We actually want customers’ mail to succeed. We tell customers no, not because we want to ruin their day or their business or their ideas, but because we want to help their business. Our job is to make their email work, and sometimes that means saying no.
Next time your delivery consultant, or your ESP delivery expert, tells you that an idea may cause delivery problems, give them some credit for their experience and expertise. We really do have your best interests at heart and really do want your email to succeed.

Read More

News snapshot

  • The judge in e360 v. Spamhaus has denied Spamhaus’ motion for dismissal. However, the judge also ordered that the 16 new witnesses be stricken and capped damages at the original $11.7M. Mickey has the order.
  • Tuesday the FTC announced it had shut down a major spamming operation. I am not sure the results are visible yet; there were 2041 spams in one of my mailboxes yesterday versus 2635 a week ago.
  • The FBI announced today it had infiltrated and shut down an international carding ring. While not directly spam related, the phishers and carders work together and some of them use spam.
  • Rumor has it that many mailers are seeing problems delivering to AOL the last few days. It seems that AOL is making adjustments to their filtering system. As when any ISP changes filter rules and weights, some of the people just skirting by see delivery problems. What people are hearing is that if they are seeing delivery problems at AOL they need to improve their reputation.
  • Last week Yahoo had another online workshop with the mail folks. They have published a transcript of the talk. I was at the talk and there were only a couple spam related questions.

donhburger: Why does Yahoo sell our email addresses to spammers?
YMailRyan: We absolutely don’t sell your addresses to spammers. No IFs, ANDs, or BUTs about it.
imintrouble: My mom keeps emailing me but I never get it and usually it ends up in my spam box. Why? How do I make this stop? She’s getting pissed that I’m not replying.
YMailTeam: Oh no! Be sure your Mom is on your contact list– this should help keep mom out of spam box and put her back into your inbox.
buergej: Just why do I keep receiving the same kind of spam from a series of what appear to be women day after day after day?
YMailCarl: Spam is, unfortunately a constant problem for anyone using email. The reason you are receiving these emails is because spammers have somehow gotten a hold of your email address and are mailing you their lovely messages. There are several things you can do to assist with this. First, continue to report these messages as “Spam” by clicking the button at the top of the email labeled “Spam”. Note that you don’t need to actually look at the message to do this. When you report items as spam it lets Yahoo! know that messages originating from that person are likely spam. This not only helps you, but helps other Yahoo! users as well.
YMailCarl: Second, if the emails are from similar names, you can set up filters in your email account to block those names and send them to your trash or spam folder.
YMailCarl: Obviously these messages you are receiving are not from women trying to sell you products personally – the messages are typically generated by a script which will try to forge or “spoof” the originating address.
YMailCarl: We agree that Spam is a serious issue and have many resources dedicated to fighting this problem.
YMailCarl: You can find some additional information about fighting spam here: http://help.yahoo.com/l/us/yahoo/mail/original/abuse/index.html
donhburger: Why when I mark Emails as Spam do I continue to get emails from the same persons?
YMailMaryn: When you mark a message as “spam” from within your Inbox that moves the message to your Spam Folder. And all subsequent messages that are sent from that particular sender will not be delivered to your Inbox, but will be delivered to your Spam Folder.

Read More

Spam Royalty

MSNBC has a slide show up about 10 of the worst spammers, which one really is SpamKing?

Read More

FTC Opt out clarification

In early July, the Magilla Marketing newsletter had an article about how email preference centers may now be illegal due to the clarifications published by the FTC. Trevor Hughes of the ESPC is quoted extensively, lamenting about how marketers cannot legally interfere in the unsubscribe process.

Read More

New email related blog

Mickey Chandler, of SpamSuite.com, has launched a new email delivery specific blog: Spamtacular.com. He moved a number of posts from his other blog, but today has a new post up about how a prior business relationship impacts compliance with CAN SPAM. He concludes with:

Read More

New Email RFCs

JD Falk has a good article about RFCs, email standards and delivery.

Read More

Email Standards Updated

This morning I received notification that the IETF had approved RFC5321 and RFC5322. These two RFCs are standards track and are updating the current email standards RFC821/822 and RFC2821/2822.
MailChannels has a description of the changes between 2821/2822 and 5321/5322. While the new RFCs obsolete the old ones, they are more a clarification than actual changes to the protocols. Dave Crocker had this to say about the new documents.

Read More

Catching up

I am still catching up from being away at MAAWG last week, and have not had much time to blog or even follow other blogs enough to link to what people are saying.
I would encourage those of you who are not MAAWG members to consider joining the organization. MAAWG has been working hard on putting together sender training courses. I gave part of one of them. I also attended all the other training sessions and learned quite a bit from those sessions as well.
MAAWG, as its name suggests, is a working group. There are opportunities for everyone to teach, participate and learn. The next meeting is in San Francisco next February.

Read More

Confirmed (double) opt-in in the wild

Lashback gives an example of the use of confirmed opt-in in the wild.

Read More

The Question

Mark Brownlow has a list of 12 questions every email marketer should ask about their marketing program. Buried in the middle is the most important question for delivery.

Read More

MAAWG

Chris Nixon has a post talking about the background of MAAWG and why he is here in Ft. Lauderdale.

Read More

Links to check out

Things are going well, if busy, here at the conference. I am attending lots of sessions and continuing to edit my talk for tomorrow. I thought I would list some random links that have come up here recently.
Lashback is advertising a joint webinar with Habeas, Publishers Clearinghouse and Lashback on how to protect brands and increase revenues with reputation management.
Terry Zink explains the new Microsoft advertising campaign. There are actually quite a few Microsoft people here at the conference, including the brain behind SNDS. We ran into each other yesterday evening, his room is right next to mine.
Ken Magill has an ongoing series of articles investigating Email Appenders, and all their various incarnations. This is an example of the confused jumble of connections that some companies use in order to hide.
Speaking of companies with bad reputations, the NY Times reports on Intercage’s loss of hosting. Atrivo/Intercage are notorious amongst the folks who fight malware and bots and have been called the American version of the Russian Business Network.

Read More

MAAWG

I head off to MAAWG on Sunday where I will catch up with the people I have not seen since last October. One of the very nice things about email delivery right now is the industry is small enough to know almost everyone involved. While MAAWG is only one of a number of conferences, it is one of the few where senders and receivers both attend.
I expect that I will come back from the conference with a head stuffed full of ideas and projects and lots of good information. I am also part of a team doing sender training sessions, specifically I am helping out on the talk about how to screen customers. I will be sharing some of my thoughts on vetting customers here over the next few weeks.
If you are going to be at MAAWG, do stop by and say hi!

Read More

Overheard at the airport

Sitting at the gate, waiting for boarding I overhear a conversation. A woman is texting on her blackberry and saying to her traveling partner, “You know that universal sign for ‘not’? He thinks that is why mail is ending up in the junk folder. And if we add it to our mail then it will get delivered.”
This is one of the strangest theories of email delivery I have heard in a long time.

Read More

Fixing mistakes

At BeRelevant Kath posts about common mistakes mailers make and how to recover from them.

Read More

Techcrunch 50

Techcrunch50 is going on currently. There are three email related businesses that have been pitched.
AdRocket: Technology to insert contextual text ads, on a per subscriber basis, into existing newsletters.
OtherInbox: A service allowing individuals to have their own subdomain for email, and an endless supply of email addresses at that domain.
Postbox: A new way to organize, manage and annotate email.
EDIT: Comments closed due to excessive spam

Read More

Alphabetical spammers

There have been a couple posts recently about a paper presented at the Fifth Conference on Email and Spam (CEAS). The paper showed how addresses beginning with different letters get different volumes of spam.
But this post is not really about the paper, although it is an interesting academic review of spam, it is more about a memory that the discussions triggered.
Long ago I was handling the abuse desk at the very large network provider. This was in the days before Feedback loops, so every complaint was an actual forwarded email from a recipient. Generally, we saw a couple dozen complaints about any individual spam problem. Not a huge volume by any means, but that meant that any volume of complaints was significant.
One afternoon I started seeing a spike in complaints about a customer who never received complaints before. I started looking a little deeper and discovered we had around 50 complaints about this mailing, many from people I knew, and all from individuals at domains that started with A. This was one of the few times we actually pulled the plug in the middle of a mailing.
I still remember going to my boss suggesting this was something to take action on now because we had over 50 complaints and they were still in the A’s! The customer was mortified that the guaranteed opt-in list they purchased was so bad and promised never to spam again.
Have a good weekend everyone.

Read More

Garbage in… garbage out

Ken Magill (hereafter known as Mr. Stupid Poopypants) has a follow up article today on his article from last week about the Obama campaign’s mailing practices. While poking Dylan a bit, his message is that marketers really need to look harder at double opt-in.

Read More

A whole year?

It is, in fact, one year today that I started blogging. My first real post came on August 30, 2007… discussing the e360 v. Spamhaus case. And look, here I am, a year later still discussing the e360 v. Spamhaus case. The end of that first post said:

Read More

Who is responsible for data integrity

Yesterday, Ken Magill wrote about his experience with the Obama campaign’s open and unconfirmed marketing list. Ken, to see just how open the Obama subscription form was, subscribed using a valid email address but the name of Stupid Poopypants. As expected, mail to Ken from the Obama campaign was addressed to Stupid.
eROI uses this as an example of people who ruin their ROI by filling fake data into forms and ends their post by addressing Ken as follows:

Read More

Interview with Matt Blumberg

Mark Brownlow posted an interview with Matt Blumberg, CEO of ReturnPath, about the merger with Habeas. It is well worth a read.
I have not yet commented on the merger and how this is going to affect the delivery industry because I am not sure how it will. Some of the effect is dependent on what ReturnPath does with the two companies and how their policies change. Here at Word to the Wise, we have known the folks at both companies for a very long time.
One thing that strikes me about this merger is that it means there are few direct competitors left in the delivery market. Everyone currently in the whitelist / delivery certification market seems to have a slightly different target audience and slightly different business model.
ReturnPath has SenderScore Certified and the Safelist. To get on these lists senders must meet criteria that, while filtered through ReturnPath, are set by the ISPs. Many senders find that they can get consistently high inbox delivery just by meeting the ISP standards, even if they are not SenderScore Certified or on the Safelist. However, certification does provide senders with an assurance that they are meeting standards.
Goodmail has their CertifiedEmail product. While certified senders must also meet criteria, they are also paying ISPs for delivery. I have always seen the Goodmail product as more focused on and more valuable for transactional senders rather than other senders. This slightly overlaps with ReturnPath’s target market, but the senders in this market do have different needs and pressures.
ISIPP has their SuretyMail product. This provides a framework for senders to make statements about the email they send in a way that receivers can reliably query. This is a slightly different approach, in that ISIPP does not classify mail for their customers, but allows customers to self-classify. The benefit of ISIPP is that the ISIPP framework is trusted by their receiver-users, who can push back on ISIPP if customers incorrectly self-classify.
Different markets, different business models, different approaches.

Read More

Challenge/Response

Christopher Breen at Macworld posts about a major pet peeve of mine.

Read More

EmailAppenders

Al points out that EmailAppenders are possibly trying to change their online reputation. Too bad their “suggestion” does not work.

Read More

Blog Olympics – Passing on the stick

Given that it is August and a lot of people are on vacation and it seems to be a general low point in getting things done at work, I expect blogging to be light through the end of the month. Once everyone gets back in September, I will have more substantive posts up more regularly. Happily, EmailKarma helped me with a somewhat fluffy post today. He tagged me into the Blog Olympics meme. The rules say I am supposed to pick 7 blogs I read and tag them forward. The rules also state that I have to link back to the blog that passed on the stick to me but I cannot add it to the list of my favorite 7 blogs.
I limited my picks to email related blogs. Now, in no particular order (vaguely the order they show up in my RSS feed, but nothing actually that specific):

Read More

Upcoming Conferences

EmailKarma lists a number of upcoming events for email marketers and delivery folks.

Read More

Updates on upcoming AOL FBL changes

Annalivia posted more information over on the AOL Postmaster blog about the upcoming conversion of the AOL FBL to ARF only. Specifically, she provides instructions for how to read the FBL emails in different email clients.

Read More

Delivery Haikus

As we mentioned earlier Habeas is being bought out by ReturnPath.
While they’ve not actually used it for several years the thing that Habeas will be remembered for is their introduction of the Haiku form of poetry into email headers:

Read More

ReturnPath acquires Habeas

This morning ReturnPath announced they had acquired Habeas.
Goodbye Habeas.
What have you left? Just footprints
in snow as spring comes.

Read More

Letting Go

Derek Harding has an article over at ClickZ, discussing the importance of letting subscribers go.

Read More

Backscatter

The term backscatter describes the email an innocent victim receives when a spammer forges the victim’s email address into a spam run. The amount of mail involved can be just a few emails or can range into the hundreds of thousands of emails. Terry Zink recently wrote an 18 part series on backscatter. It is well worth a read.

Read More

Addictive email marketing

Magilla Marketing had an article this week about Bob Richards, who paid $14,000 to an email appending company, only to discover that of the 118,000 email addresses he received over 85,000 of them bounced. Mr. Richards was also terminated from his email service provider due to bounces and complaints. He posted a complaint on RipOffReport.com, issued a press release and reported the appending company to the FTC and other law enforcement.
In his press release, Mr. Richards equates his vendor, and other vendors to email marketers, with drug pushers.

Read More

Spam or not spam

I have been a bit behind on my blog reading recently, and am slowly going through my RSS feed catching up with what everyone has had to say about spam in the last few weeks.
One of the articles that caught my attention was a post from VerticalResponse discussing the response to a marketing campaign from one of their customers. It seems to me the point of the post is to defend the VerticalResponse mail to the customer. The mail VerticalResponse sent was not spam. Why this is true is not made clear, other than the mail was not pills spam, phishing or porn.
Contrasting with that article is a post a friend pointed out to me today. This article goes to the other extreme, and seems to say that any one-to-many email is spam and should not be sent. While trying to find his point, the author does take the step of exempting any opt-in marketing from his definition. The confusing bit is that the statistics he is using are compiled by MailerMailer, who have a very clear anti-spam policy and allow only permission based marketing.
What both posts seem to be missing is that, these days, spam is in the eye of the receiver, not the sender. There are customers who groan every time they receive mail from their vendor. Eventually, they may lash out at a sender and complain about the email. At that point, a sender is now dealing with an angry person, and arguing the mail is not spam is not going to defuse the situation. On the flip side, there are people who are very happy to receive mail, even advertising and marketing mail, from vendors. Even if they do not “open” the mail (read: load images in the email), they may be opening, reading and acting on the offers in the email.
Email marketing is a valuable tool, when it is done correctly and focuses on the receiver’s needs and wants. It is when marketers ignore the individuals they are mailing that they are more likely to see complaints or problems.

Read More

Yahoo update

It has been quite a while since I have had the opportunity to share information about Yahoo here on the blog, but there is new information to share.
Yesterday, Mark Risher from Yahoo spent some time talking with people about all things spam over at Yahoo. Matt from EmailKarma posted the transcripts as well as some excerpts from the talk. The really interesting bit, for me, was confirmation that Yahoo will be bringing back their FBL in the next few weeks. I have been hearing rumors about the return of the FBL for a while now, and it seems the general timeline (fall-ish) is accurate.
Speaking of the feedback loop, there have also been rumors that Yahoo is not accepting any changes to existing feedback loops. This does not seem to be the case. According to an internal person, companies who are currently in the beta FBL program can make changes to the program by contacting the postmaster team.

Read More

We're back!

Sorry for the downtime, the machine running the blog had a motherboard fail and for various reasons (deadlines, family emergencies, etc) it has taken a bit of time to get the blog moved to another machine.
I do apologize for the time the blog was gone. Regular blogging will return tomorrow.

Read More

AOL announces web support tool

Yesterday, David announced a new suite of tools to help senders troubleshoot blocking problems more efficiently. 

Read More

List Attrition

DJ over at Bronto blog has a post up about list churn / list attrition. She quotes a statistic published by Loren from MediaPost (the original post is behind a subscription wall) that a list will lose 30% of their subscribers year over year. This is similar to a statistic that I use, but the context I have seen the published statistic in is slightly different. DJ offers suggestions on how to reduce this churn. All the suggestions are great, but I think that they slightly miss the point. There are multiple processes that can be described as list churn. One is the churn DJ addresses, that is, people unsubscribing from a mailing list. The other is people abandoning their email addresses. Individual mailers have some control over the first type of churn, but almost no control over the second.
I think the study Loren was quoting describes the second phenomenon not the first. In 2002, ReturnPath published a study that showed 31% of people changed email addresses in a single year. Understand, this does not mean that 31% of recipients on any particular list will actively decide to unsubscribe from a list or report it as spam or otherwise unsubscribe from that list. It means that 31% of all email address owners will get a new address and abandon their current one. There are a few reasons for the churn.

Read More

CAN SPAM rules take effect

The new CAN SPAM rules take effect today. EmailKarma has a list of articles detailing the new rules. These rules govern handling of opt-outs and establish a “sender” category for purposes of physical address and opt-outs.

Read More

Analyzing email

Over at the VerticalResponse blog, Janine walks us through analyzing clicks in an email and sets herself new things to test in future mailings. Well worth a read.

Read More

AOL converting all FBLs to ARF

AOL announced today that they are phasing out non-ARF feedback loops. As of September 2, 2008, no new non-ARF feedback loops will be created and all existing non-ARF feedback loops will be converted to ARF.
What is ARF?
ARF stands for Abuse Reporting Format. It is a standardized format intended to make processing of automated abuse reports (or feedback loop reports) easier. Word to the Wise has published tools to help recipients process ARF formatted reports and help developers create tools to handle ARF formatted reports. Abacus also supports ARF format out of the box.

Read More

Smart email marketing

Mark Brownlow has an ongoing series of posts looking at the strategies and tactics that distinguish a smart email marketer from a bulk email marketer that is well worth reading.
1/29 – comments closed due to excessive spam on this post

Read More

Excite outsourcing email

Excite announced this morning that they are outsourcing all their incoming email functions to BlueTie. This means that the Excite FBL and whitelist are being discontinued with no plans for replacement. 
Over at Deliverability.com, Dennis is accepting feedback from senders to forward on to Excite.
Edit: I am going to close comments on this post. This is not the place for Excite endusers to comment on the new changes in the interface. 

Read More

Information you should know

MailChimp is using microformats technology to allow recipients to add senders to their address book from the subscription page. All senders should tell recipients what address mail is coming from at the point of subscription and encourage recipients to add the senders to their address books. This new technology simplifies that for the recipient.
Denise Cox posts about a recent conference she attended in London looking at what makes email valuable. She has many good suggestions on how to improve your ROI, but captures the essence of getting a good ROI on mail in 3 sentences.

Read More

Language

Over on Deliverability.com Krzysztof posts about discussions going on over on the URIBL list about using “confirmed opt-in” to describe a subscription process versus using “double opt-in” to describe the same subscription process. I do not even need to read the list to know what is being said. This is a disagreement that has been going on since the first usage of “double opt-in” over 10 years ago.
To better explain the vitriol, a little history of the two terms might help.
My personal recollection and experience is that the term “confirmed opt-in” was coined by posters in the newsgroup news.admin.net-abuse.email around 1997 or 1998. There was some discussion about marketers / spammers (a lot of the posters did not distinguish between the two) trying to use the term “double opt-in” instead of “confirmed opt-in.” Many posters believed (and many still do) that this was a deliberate attempt by marketers to make the process seem overly burdensome and unworkable.
During the 2003 FTC spam hearings, Rebecca Lieb shared formal definitions for 5 different subscription types including “Confirmed opt-in” and “double opt-in”. These definitions are still up on ClickZ.

Read More

Open rate

Mark Brownlow over at Email Marketing Reports has been talking about open rates for a while. His point, one I fully agree with, is that open rate is not what you think it is. At best it is a measure of who is rendering your email. Today he links to a post from ReturnOnSubscriber. In this post, the author demonstrates that by using an alt tag saying “don’t you want to save 40%”, the open rate for an email increased 27% over previous sends.
But. Wait.
I would argue that there was no change in the number of emails that were opened and read. In fact, an alt tag can only increase your open rate if recipients are already opening and reading your mail. What is really being measured here is the number of people who load images, not the number of people who are reading your mail. Those extra 27% of people opened and read that email before they loaded an image. They had to! If the alt tag was to have any effect on open rates, then people had to read the alt tag!
Now we have this great increase in a statistic, but what does that actually mean? I know that open rates make marketers feel all warm and fuzzy, but HUF did not actually increase the number of people opening and reading his mail. The only increase was in the number of people rendering images. Much more interesting would be actual clicks or even sales. Does the increase in people loading images in an email translate into actual revenue? That’s the really critical measure.

Read More

Contradictions

In the span of 48 hours the following two things happened.
Josh Baer posts over on deliverability.com about GoDaddy’s policies and recommends no email marketer use GoDaddy as a registrar because they are so hostile to email marketing that they charge customers for complaints. To quote Josh:

Read More

Whitelisting

Derek has a really good article on whitelisting and what it means over at ClickZ.

Read More

Postini makes a statement

I was looking for some info on Postini for a client recently and discovered a statement on their website telling senders not to bother them.

Read More

Delivery percentages

Some of my customers use one of the mailbox monitoring services out there. One of them consistently has 97% or better inbox delivery. On those few occasions when their delivery drops to 90%, they contact me to find out what the problem is. This happened recently and I spent some time digging through their delivery logs to see what I could determine.
The logs are showing that all the mail to domainA is delivered, except for 6 addresses sitting in the delayed email queue. Those six addresses are the exact addresses that the monitoring company uses. At domainB I see something similar, all the mail has been delivered except for mail to the monitoring addresses. In this case, domainB is deferring the mail with a rejection message that says too much email is being sent to these addresses and the domain is throttling them.
The important thing to remember about this is that the 100% missing statistic only says that the mail to the monitoring addresses is missing, it says nothing about mail to the actual list subscribers. In this case, I can see that the mail is not missing, it’s sitting in the outbound queue waiting to be retried.
Mark Brownlow has an ongoing series about using the right language when talking about delivery.

Read More

Marketers missing out

Many delivery blogs have posted about the recent ReturnPath study showing that marketers are missing prime opportunities to use email to develop a strong relationship with recipients. I finally managed to get a few moments to read through the study and comment on it. Over a few days in February ReturnPath researchers signed up at more than 60 major retailer brands. They then monitored the subscriptions to see how often and what kind of mail the retailers sent.
Overall, it seems the researchers were disappointed in how the retailers were using mail. Even the title of the whitepaper captures this feeling: “Creating Great Subscriber Experiences: Are Marketers Relationship Worthy?” The answer seems to be more no than yes.
From my perspective the data is not all that surprising. In many cases it seems bigger companies rely on the recognition of their brand to get them through minor delivery problems (like complaints) rather than good practices. Whereas a smaller company will have to work harder to develop a relationship, larger companies with wide brand recognition can fall back on their brand.
There were a few areas ReturnPath measured.

Read More

Microsoft takes on phishers

Microsoft has a post up talking about phishers and how to protect yourself. 

Read More

EEC Followup

I was just forwarded email from the DMA about the EEC issue. To their credit, the DMA took the problem seriously. The email says: 

Read More

ISP Spam

One thing I do not talk about very often is the amount of spam that comes out of ISP smarthosts. Generally this is because many of the major end user ISPs do a reasonable job managing their spam and the ratio of spam to not-spam mail coming out of their IPs is heavily weighted towards the not-spam end of things.
This has not always been the case, and there have been instances where ISPs, particularly those providing webmail, have been exploited by spammers, often Nigerians, and used to send tons of spam. It can take months to fix, and requires the ISP employees to actively seek and destroy problem accounts, block access from some IP ranges and change their security to prevent future compromises.
We know that spammers exploit webmail services and that there are things that the webmail services need to do. Recently, there seems to have been a massive uptick in the amount of spam coming through Gmail’s servers.
This is not a problem unique to Gmail, most of the other webmail companies have had similar infestations of 419 spammers in the past. The Nigerians figure out how to exploit some part of the webmail infrastructure, create tens of thousands of accounts and send spam through those accounts. Once the ISP fixes the problem, the Nigerians move on to the next webmail provider to abuse. Meanwhile, receivers can block some or most of the Nigerian spam by blocking on the X-Originating-IP. Much of the spam is blocked, but non-spam email from the ISP gets through.
In the Gmail case blocking is not so simple. As a matter of policy, Gmail does not put an originating IP address in email sent through the Gmail interface. Not having originating IPs puts receivers in the position of only having the option of blocking Gmail’s IPs, not the abusers who are using Gmail. This has been an unpopular policy decision by Gmail, and they have been approached by numerous groups to convince them to provide this level of information so receivers can make more selective blocking decisions.
It remains to be seen how quickly Gmail gets their outbound 419 spam under control. The rumblings I am hearing from people about the problem are getting louder. The supporting data quietly being handed around are astonishing and point to a genuine problem at Gmail. Hopefully, Gmail will take action now and stop spammers from abusing their system before the extent of their problem becomes more public.

Read More

ReturnPath Joe Job

ReturnPath has posted information about the Joe Job against them. 

Read More

Comcast "hacked"

Comcast recently had their whois registration password compromised by hackers, who then changed the authoritative DNS servers from the real ones to ones run by the hackers. Today Wired has an article saying that the hackers warned Comcast that this would happen. 

Read More

Angry Pills Spammer

It looks like Postmaster Direct angered some pills spammer. This morning I received spam redirecting to a Canadian Healthcare pharmacy site (selling me Viagra at 73% off!) containing the footer from a Postmaster Direct email. 
The term “Joe Job” is used when a spammer deliberately uses spam to cause harm to a specific person or company. In this case, it may or may not be a Joe Job against Postmaster Direct. There have been cases of spammers stealing text and graphics from legitimate ESPs and using that text in an email. Whether that is to make the ESP look bad or the sender look more legitimate is not clear. 
Given ReturnPath’s position in the industry, though, it’s certainly possible this is an aggrieved spammer looking to inflict a little pain on one of the most trusted email certifiers. 

Read More

More evidence the DMA does not get it

A friend of mine sent me a link to a blog a few weeks ago. Jeff Nolan points out that to get to content on the DMA website one must go through a registration process. Not only do you have to register, but the registration requires you first search the DMA database to see if you are already registered. Jeff has screen shots of the process.
I fully understand the desire to control access to information put on the web, and the desire to know who is reading your stuff. And, of course, the DMA is all about collecting personal information in order to provide meaningful targeted advertising to recipients. If this is not their goal with the website, then there is no reason to require registration.
Taken with the EEC fiasco, it demonstrates that the DMA is not a leader in online marketing.

Read More

Political Spam

At Adventures in Email Marketing, there is a post up this morning about political spam. It seems Anna discovered that providing her email address on her voter registration card not only results in political groups sending her email to that address, but also that political email does not have to follow the rules of CAN SPAM. The article ends with a few questions and makes some suggestions.

Read More

Recent comments

On my followup EEC post Tamara comments

The EEC made a really bad and ugly mistake but you can take my word for it that they have learned from it and that it will not happen again. I am not going to blog about this because I really do believe in the value of the EEC and what it brings to the industry. It’s okay to call out a mistake, but do you really need to destroy an organization that is so worthwhile?

Read More

Botnets

Terry Zink has been posting articles about botnets as traced by Hotmail. I do not often talk about botnets as they are outside my area of expertise. They are not something I deal with, as no one who uses botnets is welcome as a client here.
My clients and I, however, do have to deal with the fallout from botnets.  Because of botnets, receiver ISPs are extremely suspicious of mail from any IP address that they have not seen mail from previously. Mail from new IPs is, more often than not, a newly infected Windows machine. This results in mail from new IPs not starting with a reputation of zero but starting with a negative reputation.
Botnets are another example of spammers making it more difficult for mailers with permission to use email.

Read More

Followup to EEC spamming

Ken has a followup to his article last week about the EEC spamming.

Read More

Links

Venkat posts today about the ruling in the Asis v. Azoogle case. I have not yet had a chance to read the whole ruling, but in talking with Mickey over at SpamSuite it seems to expand the Gordon ruling a bit.
Mickey posts on Intellectual Intercourse about spam received from a recruiting agency trying to get him to hire one of their clients. This spam was amusing in that it contained reference to a bill that Mickey helped defeat years ago.
Box of Meat blog links to a CSO online article graphically demonstrating a botnet. The representation really helps to understand the scope of the problem.
On Bronto Blog DJ posts about resurrecting old addresses. He has it right when he says: “If you continue to send email to customers that is random and unexpected, there will be consequences.”
Matt at ReturnPath has a couple posts about who should get delivery services and how ReturnPath chooses customers. This is something I end up dealing with occasionally. There are not specific types of companies I refuse to do consulting for. I will generally provide consulting on best practices to any business segment. My one restriction is that I will not provide ISP relations (ie, contacting the ISPs) for companies that do not send opt-in email. This has caused consternation with some potential customers.
Mark Brownlow at No Man is an iland suggests renaming “open rate” as “render rate” in an effort to make it much clearer what “open rates” really measure. Expect to see render rates referred to here on this blog in the future.
Josh talks about suppression list abuse on Deliverability.com. For those of us who use unique addresses for every signup, it quickly becomes clear that there are leaks in the suppression process. I have also seen problems with leaks from subscriptions, so do not think the problem is just in suppressions.

Read More

EEC shows how not to send email

The Email Experience Council is the email marketing arm of the Direct Marketing Association. They recently sent out a mailing that demonstrated what not to do when sending email, including:

Read More

More on spamfiltering feedback

Al wrote a post commenting on my post from last Thursday on spamfilters talking to senders who are being filtered. I think his take on it is close to mine. I would point out that Google has a pretty opaque system and no feedback to senders, but a lot of people seem to think their filters are accurate and do a good job.
Overall, I think there is room for discussion and feedback between senders and recipients, but on both sides the goal needs to be improving the enduser experience.

Read More

Comcast FBL open to the public

The Comcast FBL has been moved out of beta testing and into production. ISPs and senders can sign up for the FBL at http://feedback.comcast.net/
All of the applications are currently reviewed by hand, so there may be some delay as they deal with the launch rush. Please be patient. If you currently have a FBL through the beta program, you do not need to do anything, the FBL will continue.

Read More

Blog roundup

Denise Cox has a list of 10 things your signup page should have over on her blog.
The AOL postmaster blog has its first post up talking about bounces.
BeRelevant has a great blog with lots of suggestions on email best practices.
Mark Brownlow had a great post this week on moving the unsubscribe button to the top of your newsletter to make it easy for customers to unsubscribe. The comments are a must read as well, including one commenter who saw the number of ‘this is spam’ hits go down when he moved the unsubscribe link to the top of the email.

Read More

Report spam button broken: an ISP perspective

This press release has been discussed in a lot of groups and sites I read. One of my favorite comments comes from one of the filter developers at a large ISP. He was asked “does the overuse/misuse of the this-is-spam button significantly affect the ability to do your job?” His response, reposted with permission,

Read More

How do you use bounce data?

AOL is looking for input from ISPs and ESPs to better understand how you handle data sent to you by AOL.

Read More

Yahoo, part 5…

… wherein I rename this blog “What change did Yahoo make today.” No, really, I like the guys at Yahoo a lot, but really, occasionally I would like to blog about something different!
Today’s change, actually yesterday’s, is that Yahoo has closed their beta FBL program to changes or additions. It is a beta program, this is not unexpected. They will be making changes based on the results of that program and will open it up sometime in the future.
Yahoo!’s announcement

Read More

Yahoo delays, part 4: Yahoo blogs

Yahoo posted some suggestions about contacting their postmaster group over on the ymail blog.  They also explained what they were doing to solve the problems with response delays.
Some of the problem is being caused by excessive follow-up emails, either because senders did not provide all the necessary information initially or because they are asking why they have not heard anything. Each of these requires more work on the part of Yahoo and throws the queues into further disarray and puts everyone even more behind.
Yahoo asks that people be patient, they are working through things. On their end, they have added more staff to the postmaster team. They also suggest senders can help by providing ALL the information they ask for at http://postmaster.yahoo.com/ before submitting the request. Incomplete requests contribute even more to the backlog as Yahoo employees have to chase down senders to get their full information.

Read More

Ken speaks the truth

Ken Magill has a great article up today about how many marketers expect their ESPs to fix their delivery problems when in reality the marketers’ policies and practices are the real problem.

Read More

Roadrunner turns images off by default

Earlier this week DirectMag published an article talking about RoadRunner blocking images by default. I did talk to someone over at RoadRunner and found out a few more details about this change.
What is happening is that RR is rolling out a new web interface. This interface has both a bulk/spam filter and has images disabled by default.
I do not expect senders to notice this change in the open rates of RoadRunner addresses. Most RoadRunner customers use their own mail client (Outlook, Outlook Express, Thunderbird, etc.) and not the RR web interface. The number of users this change touches is a very small fraction of the RR users.

Read More

Yahoo delays, part 3: Yahoo speaks

Yahoo is aware of the recent problems and has been working feverishly to fix them. A Yahoo employee posted to a mailing list earlier today, explaining some of the recent issues. The summary is:
1) The Yahoo delays are a result of a tighter spam filtering policy. The delays are the result of the system erroneously recognizing email as spam and deferring delivery. They do believe that retrying long enough will result in all mail being delivered to Yahoo recipients.
2) They have been continually making fixes to the system over the last few days and senders should see queues start to empty over the next few hours.
3) They believe the adjustments made will resolve the deferral problems. If you continue to see problems, you can contact them through the form at http://postmaster.yahoo.com/.
4) They are working to provide more self-serve information at http://postmaster.yahoo.com/ as well as timely service updates.
Loose ends from my previous Yahoo posts:

Read More

Yahoo delays, part 2

A number of people have posted to various mailing lists and made blog posts pointing to the Yahoo Mail blog post discussing recent problems Yahoo was having with mail. The general feeling seemed to be “AHA! That’s what is wrong!”
Unlike many of my peers, I do not think this explains the delivery problems senders have been seeing while attempting to deliver mail to Yahoo. The Yahoo mail blog article is talking about the Yahoo outgoing mailservers (smarthosts) for their non-webmail users. It is extremely unlikely that these are the same servers used for incoming email.
While I sympathize with everyone who had the AHA! moment and thought their delivery problems were being acknowledged and addressed by Yahoo! I do not think this is really what that blog post is saying.
I am hearing from people that Yahoo is aware of a problem with delayed incoming email, and they are working on fixing it. This does seem to be a broader problem than just bulk mailers, I am hearing from small and mid-size ISPs that they are having significant problems delivering email to Yahoo, too.
For more information about what Yahoo is doing to filter mail check out my previous post Greylisting: that which Yahoo! does not do.

Read More

Yahoo delays

You may have noticed an increase in delays and rejections from Yahoo. I am certainly seeing a lot of customers complaining and hearing a lot of other delivery people commenting on problems getting mail into Yahoo. I have even heard from multiple ISPs that are struggling with full queues and delayed email.
No solutions or suggestions right now, just that everyone is having problems right now. I expect it will take some time for the backlogs to dissipate, even after the underlying problem is fixed. If I hear anything more I will post it here.

Read More

Ironport response

Last week I posted about an ESP that had a misconfiguration in their Ironport A60s that let spammers use the A60s to relay email to AOL. Earlier this week, Pat Peterson from Ironport approached me to talk about the problem and clarify what happened.
Ironport has provided me with the following explanation.

Read More

Articles I read today

It has been a rather busy day today, I do not have a full blog post. I did see a couple posts come across my RSS feeds. Both of them have content I want to talk about and discuss in a little more detail, as I think they touched on some very interesting issues.
Network World has an article interviewing Mark Risher from Yahoo. The article discusses Yahoo’s use of DomainKeys as part of their inbound mail filtering.
Mickey has an article about how to deal with ISPs when attempting to troubleshoot a blocking issue.
More details and commentary on both articles later this week.

Read More

ESP unwittingly used to send spam

Late last week I heard from someone at AOL they were seeing strange traffic from a major ESP, that looked like the ESP was an open relay. This morning I received an email from AOL detailing what happened as relayed by the ESP.

Read More

Predictions for 2008

I did not have a lot of predictions for what will happen with email at the beginning of the year so I did not do a traditional beginning of the year post. Over the last 3 – 4 weeks, though, I have noticed some things that I think show where the industry is going.
Authentication. In January two announcements happened that lead me to believe most legitimate mail will be DK/DKIM signed by the end of the year. AOTA announced that approximately 50% of all email was currently authenticated. They did not separate out SPF/SenderID authentication from DK/DKIM authentication, but this still suggests email authentication is being widely adopted. AOL announced they will be checking DKIM on their inbound mail. I expect more and more email will be DKIM signed in response to this announcement.
Filtering. The end of 2007 marked a steady uptick in mail being filtered or blocked by recipient domains. I expect this trend to continue throughout 2008. Recipient domains are rolling out new technology to measure complaints, evaluate reputation and monitor unwanted email in ways that tease out the bad actors from the good. This means more bad and borderline email will be blocked. Over the short term, I expect to see more good email blocked, too, but expect this will resolve itself by Q2/Q3.
Sender Improvements. As the ISPs get better at filtering, I expect that many borderline senders will discover they cannot continue to have sloppy subscription practices and still get their mail delivered. Improved authentication and better filtering let ISPs pin-point blocks. Instead of having to block by IP or by domain, they can block only some mail from a domain, or only some mail from an IP. There are a number of senders who are sending mail that users do not want mixed with mail that recipients do want. Right now, if there is more mail that recipients want in that mix, then ISPs let the mail through. This will not continue to happen through 2008. Senders will need to send mail users actively want in order to see good delivery.
Less is more. A lot of other email bloggers have talked about this, and I will echo their predictions. Less email is more. Send relevant mail that your customers want. Target, target, target. Good mailers will not send offers to their entire database, instead they will send mail to a select portion of their database.
Feedback loops. Use of feedback loops by recipient domains will continue to grow.
Mobile email. More recipients will be receiving email on mobile devices.
Suggestions for 2008

Read More

SenderScore Certified expands

ReturnPath announced yesterday that SenderScore Certified now covers 1.2 billion inboxes, including mail handled by Hotmail, Time Warner Cable, GoDaddy and eventually Yahoo. A number of filters are also using SSC, including Spam Assassin, IronPort Systems, Barracuda Networks and Cloudmark.

Read More

Update on Yahoo and the PBL

Last week I requested details about Yahoo rejections for IPs pointing to the PBL when the IP was not on the PBL. A blog reader did provide me with extremely useful logs documenting the problem. Thank you!
Based on my examination of the logs, this appears to be a problem only on some of the Yahoo! MXs. In fact, in the logs I was sent, the email was rejected from 2 machines and then eventually accepted by a third.
I have forwarded those logs onto Yahoo who are looking into the issue. I have also talked with one of the Spamhaus volunteers and Spamhaus is aware of the issue as well.
The right people are looking at the issue and Spamhaus and Yahoo are both working on fixing this.
Thanks for the reports and for the logs.

Read More

AOL and AIM mail

Earlier this week a question came up on a mailing list. The questioner recently started seeing an increase in rejections to @aol.com addresses. These rejections said

Read More

PBL and Yahoo

A few days ago I posted about Yahoo using the Spamhaus lists. In the comments of that post there have been multiple reports of mail being bounced from Yahoo with a reason of “on the PBL” but the IP was not on the PBL.
I am happy to look into this for people. I’m sure neither Spamhaus nor Yahoo want to be incorrectly rejecting email. To do this, though, I need the rejection message from Yahoo, the IP the mail was sent from and when it happened. Feel free to email the information to laura at wordtothewise.com.

Read More

Changes at RoadRunner

I’ve been hearing rumors that some *.rr.com domains have been bouncing all mail sent to them. Those domains belong to customers that were moved to Comcast as part of the RoadRunner / Comcast / Adelphia purchase and customer swap. As a courtesy, RoadRunner forwarded mail to Comcast for those former RoadRunner customers, but has ceased to do so.
Mail to any address in the following *.rr.com domains will no longer be delivered.
jam.rr.com
midsouth.rr.com
mn.rr.com
se.rr.com
sport.rr.com
swfla.rr.com
ucwphilly.rr.com
houston.rr.com
These addresses should be removed from your lists. These users now have Comcast addresses. You cannot just substitute the Comcast domain for the RoadRunner domain as users were required to choose new localparts. That means bobjones@houston.rr.com may not be, and probably is not, bobjones@comcast.

Read More

Yahoo and Spamhaus

Yahoo has updated and modified their postmaster pages. They have also put a lot of work into clarifying their response codes. The changes should help senders identify and troubleshoot problems without relying on individual help from Yahoo.
There is one major change that deserves its own discussion. Yahoo is now using the SBL, XBL and PBL to block connections from listed IP addresses. These are public blocklists run by Spamhaus. Each of them targets a different type of spam source.
The SBL is the blocklist that addresses fixed spam sources. To get listed on the SBL, a sender is sending email to people who have never requested it. Typically, this involves email sent to an address that has not opted in to the email. These addresses, known as spamtraps, are used as sentinel addresses. Any mail sent to them is, by definition, not opt-in. These addresses are never signed up to any email address lists by the person who owns the email address. Spamtraps can get onto a mailing list in a number of different ways, but none of them involve the owner of the address giving the sender permission to email them.
Additionally, the SBL will list spam gangs and spam supporters. Spam supporters include networks that provide services to spammers and do not take prompt action to remove the spammers from their services.
The XBL is a list of IP addresses which appear to be infected with trojans or spamware or can be used by hackers to send spam (open proxies or open relays). This list includes both the CBL and the NJABL open proxy list. The CBL lists machines which appear to be infected with spamware or trojans. The CBL works passively, looking only at those machines which actively make connections to CBL detectors. NJABL lists machines that are open proxies and open relays.
The Policy Block List (PBL) is Spamhaus’ newest list. Spamhaus describes this list as

Read More

Happy New Year

Blogging was light the last few weeks as I coped with the holidays, visitors and a very nasty cold. I have a backlog of posts I want to write over the next few weeks, including a description of stale list syndrome, information about pitfalls of collecting email addresses at the point of sale, and how to improve your IP reputation.
As I did in 2007, I’ll also keep updating readers on changes in Email Standards, continue to update everyone about changes at individual ISPs and comment on the state of the email industry.

Read More

SenderScore update

Matt has posted a bit more about the SenderScore Blacklist, following up on my post about the changes at Comcast. George Bilbrey, VP and General Manager for Return Path, followed up with him to explain a bit more about the blacklist. George says:

Read More

Changes at Comcast

I can usually tell when one of the ISPs makes some change to their incoming spam filtering just by my call volume. The past few weeks the ISP in most of my calls has been Comcast. And, what do you know, they have made changes to how they are filtering email.
According to their bounce message, Comcast is using ReturnPath’s proprietary SenderScore product to filter mail. Reports on thresholds vary, but IPs with SenderScores of 70 and below have been blocked with messages similar to:

Read More

Email standards at the email client

The Email Standards Project launched last week. This group is looking to lobby and encourage companies to make their email clients comply with HTML display standards. They are also identifying how different clients display email with HTML. Check out their website, and see what they’re doing.
I do apologize for the light blogging recently. I have a couple big deadlines on my plate. I hope to get back to regular blogging soon.

Read More

News and articles

Things have been insanely busy the last few days so blogging has been light. I do have links to a few news articles though. ClickZ has a report on the benefits they saw when switching to a professional email service provider. ReturnPath talks about changes to the email landscape as we enter the holiday shopping season. Terry Zink talks about how he measures the effectiveness of filters. A commenter on this blog asked about how to improve delivery to AOL, and I should have an answer to that in a few days.

Read More

Blogroll

I added a few blogs to my blogroll today.
Terry Zink works at Microsoft handling spam blocking issues for one of their platforms. His posts offer insight into how recipient administrators view spam filtering. He has a long, information dense series of posts on email authentication.
E-mail, tech policy, and more is written by John Levine, a general expert on almost everything internet, especially spam and abuse issues. He posts somewhat irregularly about interesting things he sees and hears about spam, abuse, internet law and other things.
Justin Mason’s blog contains information from the primary SpamAssassin developer. Like Terry’s blog, it gives readers some insight into the thought process of people creating filters.
Al Iverson’s blogs have been on my blogroll for a while now. His DNSBL resource contains information about various DNSBLs and how they work against a single, well-defined mail stream. His spam resource blog provides information about delivery and email marketing from someone who has been in the industry as long as I have.
Email Karma is Matt Vernhout’s blog and contains a lot of useful delivery information.
No man is an iland provides practical information on marketing by email. Some of the information is delivery related, a lot more of it is solid marketing information. Mark often points to useful studies and information posted around the net.
MonkeyBrains always has entertaining and informative articles about delivery, email marketing and practical ways to make your email marketing more effective.

Read More

Spamfilters are stupid

Ben over at MailChimp writes about spamfilters that are following links in emails resulting in people being unsubscribed from lists without their knowledge. I strongly suggest clients use a 2 step unsubscribe system, that does not require any passwords or information. The recipient clicks on a link in the email and confirms that they do want to be unsubscribed once they get to the unsubscribe webpage.
Even more concerning for me is the idea that people could be subscribed to emails without their knowledge. For some subset of lists, using confirmed (double) opt-in is the best way to make sure that the sender really has permission from the recipient. Now we have a spam filter that is rendering “click here to opt-in” completely useless. I am sure there are ways to compensate for the stupidity of filters. As usual, though, the spammers are doing things which push more work off onto the end user and the legitimate mailers.

Read More

Greylisting: that which Yahoo does not do

Over the last couple days multiple people have asserted to me that Yahoo is greylisting mail. The fact that Yahoo itself asserts it is not using greylisting as a technique to control mail seems to have no effect on the number of people who believe that Yahoo is greylisting.
Deeply held beliefs by many senders aside, Yahoo is not greylisting. Yahoo is using temporary failures (4xx) as a way to defer and control mail coming into their servers and their users.
I think much of the problem is that the definition of greylisting is not well understood by the people using the term. Greylisting generally refers to a process of refusing email with a 4xx response the first time delivery is attempted and accepting the email at the second delivery attempt. There are a number of ways to greylist: per message, per IP or per from address. The defining feature of greylisting is that the receiving MTA keeps track of the messages (IP or address) that it has rejected and allows the mail through the second time the mail is sent.
This technique for handling email is a direct response to some spamming software, particularly software that uses infected Windows machines to send email. The spam software will drop any email in response to a 4xx or 5xx response. Well designed software will retry any email receiving a 4xx response. By rejecting anything on the first attempt with a 4xx, the receiving ISPs can trivially block mail from spambots.
Where does this fit in with what Yahoo is doing? Yahoo is not keeping track of the mail it rejects and is not reliably allowing email through on the second attempt. There are a couple reasons why Yahoo is deferring mail.

Read More

40 email companies

Ken Magill has a post up mentioning the top 40 companies in email marketing. Some highlights:

Read More

ISP Postmaster sites

A number of ISPs have email information and postmaster sites available. I found myself compiling a list of them for a client today and thought that I would put up a list here.

Read More

How to improve AOL delivery

DMNews interviewed Charles before he left AOL about the state of spam and the challenges for ISPs and how that affects senders. The article was published this week. In it he talks about

Read More

New VP at Goodmail

Charles Stiles, who managed the postmaster team at AOL and was laid off 2 weeks ago, is the new VP of Worldwide Business Development at Goodmail.
Ken Magill mentioned the possibility of Charles moving to Goodmail yesterday.

Read More

Changes at AOL Postmaster desk

The recent layoffs at AOL did affect the AOL Postmaster desk, and information I have received is that there was significant loss. As a result of the staff decrease, some changes have been made to the whitelisting and FBL processes. In order for an FBL to be approved it must meet the new FBL guidelines. In a nutshell, anyone wanting to get an FBL from AOL must meet ONE of the following criteria.

Read More

ISPs like boxes of meat

On the heels of JD’s post about building relationships with ISPs, many of our Abacus customers and our ISP contacts have been commenting that boxes of meat are always welcome.
Please, remember to send them boxes of meat.
Meat may not get your email delivered, but it will make the ISPs remember you fondly.

Read More

Blacklisted on FiveTen: no big deal

Al posted an analysis on DNSBL Resource about the effectiveness of the FiveTen blacklist.
He says:

Read More

Tools for monitoring email

A number of groups provide tools for monitoring email performance.
Some of these tools are provided by ISPs; Hotmail and AOL, for example, have postmaster webpages. Hotmail also provides things like SNDS so you can monitor what Hotmail is seeing about your network.
Al has a new blacklist stats center over at DNSBL.com. Of interest is the accuracy of some of the widely used lists like Spamhaus, Spamcop, and PSBL. Other lists like FiveTen were wildly inaccurate. In fact, Al has shown that blocking mail from any IP with a 7 in it is more accurate (more spam hits, fewer non-spam hits) than FiveTen.
ReturnPath provides free reputation lookup and monitoring based on the data they acquire.

Read More

Yahoo blocks unauthenticated PayPal and eBay Mail

Yahoo announced this morning that over the course of the next few weeks Yahoo would roll out a new feature to their email that blocks any unauthenticated email from eBay and PayPal.
In a blog post Nikki Dugan says:

Read More

Marketing and Delivery blogs

Mark Brownlow links to a number of marketing and delivery blogs over at his website. Different perspectives and different thoughts will give you the tools to create the best email marketing campaign for your business.

Read More

It really can be your email

Yesterday I wrote about activist groups getting blocked at major ISPs and how the ISPs don’t block mail because they don’t like the political viewpoints in email. This morning Mark Brownlow has a post up about delivery in general and the cause of many delivery problems.

Read More

They’re not blocking you because they hate you.

Really. They’re blocking you because you’re doing something that is triggering their blocking mechanisms.
This has happened over and over and over again. Some political or activist website sends out an email that gets blocked by some large ISP and the political site turns it into a giant crisis that means the ISP hates them or is trying to shut them up or is trying to silence their message.
Except that’s not what is going on. The folks at the large ISPs who handle blocking and incoming mail are incredibly smart and conscientious. They take their jobs seriously. They, both personally and corporately, want their customers (the end recipients) to receive the email they want. Additionally, they do not want to deliver mail that the recipients did not ask to receive.
In almost no cases is the block a particular activist site encounters a result of the ISP not liking the content of the email. If an activist site is being blocked it’s due to complaints or reputation or something that ISPs measure and block on. Some person at the ISP didn’t read your email, decide they didn’t like what you had to say and then block that email. That email was blocked because something related to that email triggered the thresholds for blocking.
Of course, as with everything online, there are caveats. In this case it’s that the above statements really only hold true for large ISPs in free countries. There are some countries in the world that do block email based on content, and that is dictated by the government. Likewise, some small ISPs will block based on the guy in charge not liking the email.
Generally, though, if an activist site is being blocked by a large ISP in the US or other free countries it is because their mailings are somehow not complying with that ISP’s standards. Instead of starting an email campaign or blog campaign to shame the ISP for suppressing speech, it is much more productive to actually contact the ISP in question and find out what went wrong.

Read More

Goodmail

Goodmail made a splash on the email marketing and ISP industries a few years ago by announcing their CertifiedEmail program. They guaranteed that using their certification would result in email going directly to the inbox, and all images in the email would be displayed by default. Senders using Goodmail would pay money, per message, and Goodmail would split that money with the receiving ISP.
This sounds very much like a situation where everyone wins. The senders get their mail to the inbox with images turned on. The receiving ISPs get a little money to deliver email and offload some of their sender screening onto a third party. Individual recipients know that this email is certified and that it’s safe to click on links in the email.
In the time since CertifiedEmail has been announced, however, there seems to be very little adoption. Sure, receivers do seem to be signing up, a little. AOL and Yahoo have been using CertifiedEmail for a while. In summer 2007, a number of cable providers announced they would be using CertifiedEmail as well.
Senders, on the other hand, don’t seem to be adopting this as fast as Goodmail might like. The Federal Government recently announced they would be sending email signed by Goodmail and some large online companies, Overstock.com among them, are also sending with certified email. In order to get more companies to sign up for CertifiedEmail, Goodmail announced in August 2007 that they had partnered with CheetahMail, Epsilon and Acxiom Digital to provide free CertifiedEmail to qualifying customers of those ESPs.
Why might companies not be adopting CertifiedEmail? I have a couple of thoughts.

Read More

Spam Documentary on TV

A few months back John Levine participated in a Canadian TV Show called Spam, The documentary. This will be shown on Court TV on Sept 18th at 11pm or the 19th at 3am.
John says

Read More

Real Spam?

Both Al and Mickey have written astute comments on Kevin Sirtz’s article about how permission is not important in web[sic] marketing.
It is pretty clear to me that Mr. Sirtz does not really understand email, and not just because he conflates email with the web. Anyone who has been involved in the email marketing space knows that permission is the lynchpin of good deliverability and high ROI.
This is not to say that Mr. Sirtz is not having the experience he states. With very small lists you can get away with personal relationships substituting for permission. Senders of any size, though, do not have the relationship with their recipients and need to actually send email only to those recipients who have requested to receive email from the sender.

Read More

First Post

Everybody’s doing it, blogging I mean. It struck me this was a good place to write about delivery issues I encounter in my job and solutions I’ve found for the problems my clients have. This would also be a place to comment on new issues I’ve seen from ISPs. I’ve listed a couple delivery blogs I read over on the blogroll. I’ll also be updating that with some marketing related blogs I’ve found useful. Thanks for stopping by!

Read More