Word to the Wise
https://wordtothewise.com

We’re all targets
https://wordtothewise.com/2015/03/were-all-targets/
Fri, 27 Mar 2015 14:00:57 +0000

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.

Email service providers are a high-value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers, who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send their messages, essentially stealing the ESP’s reputation to deliver the spam.

It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing ESPs’ networks looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to get the user to click a link that infects their computer and network, or to capture their user ID and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or sent from another user’s compromised account.

Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services, and in the process they can become vulnerable. Security will never be a set-and-forget policy. In the last 12 months there have been two significant vulnerabilities discovered: first Heartbleed, then POODLE. Security professionals from all industries had to react quickly to secure their systems, and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014, with 24% of them being rated as high severity. Security must cover not only servers, but also the transmission of data internally and with third-party vendors, and the workstations of employees.

IT and security professionals must be ever vigilant in protecting their network and their customers’ data. SANS Institute provides a number of security control best practices, including a document on Data Protection. The control recommendations range from quick wins to advanced considerations, such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, and performing annual reviews of all keys, certifications, and security procedures.

One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Recipients need to be able to unsubscribe
https://wordtothewise.com/2015/03/recipients-need-to-be-able-to-unsubscribe/
Thu, 26 Mar 2015 00:58:43 +0000

The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that Plentyoffish Media paid a $48,000 fine for CASL violations. According to the CRTC news release, Plentyoffish Media was failing to allow consumers to unsubscribe from mail in compliance with CASL.

CASL requires that any commercial electronic email message contain an easy and free unsubscribe mechanism. Plentyoffish sent mail to its members without an unsubscribe mechanism. According to their webpage (HT: Sanket) there were some messages that users were unable to opt-out of without closing their account.

You can stop message notifications (sent out when you get a message) in Mail Settings. Unfortunately you cannot stop the “latest match” emails – if these are a problem we’ll delete your account upon request. PoF FAQ.

There are a couple of takeaways here.

The first is that, again, the CRTC did not impose the highest fine possible. When the law came into effect, there were some concerns that the CRTC would be driving companies out of business by imposing maximum fines for CASL violations. While we only have two enforcement actions, neither of them involved the maximum fine, even when there was a blatant violation of the law. This isn’t a law being enforced in a way that is going to destroy email marketing as we know it. Instead, the law is being used to protect consumer interests.

The other is a more general point. Some senders don’t want to provide opt-outs for customers. This sounds great for the sender. But failing to offer an unsubscribe link in mail can result in delivery problems. The free webmail providers and many of the cable companies track “this is spam” hits and automatically direct future mail from that sender to the recipient’s bulk folder. Recipients can also create filters and totally block mail from senders.

When senders control the opt-out, rather than relying on FBLs and complaints, it gives them more control over their mail stream. They can attempt to re-engage users through non-email channels and recapture that subscriber at a later date. When the mail is going to the bulk folder based on user filters, the user has to actively change the filter to start receiving the mail again.

Overall, letting recipients unsubscribe, even from mail senders don’t think they should unsubscribe from, is a net benefit to senders. In the case of Plentyoffish Media, it would have saved them nearly 50,000 dollars.

When spam filters fail
https://wordtothewise.com/2015/03/when-spam-filters-fail/
Tue, 24 Mar 2015 00:04:24 +0000

Spam filters aren’t perfect. They sometimes catch mail they shouldn’t, although it happens less than some people think. They sometimes fail to catch mail they should.

One of the reasons filters fail to catch mail they should is that some spammers invest a lot of time and energy in figuring out how to get past the filters. This is nothing new. 8 or 9 years ago I was in negotiations with a potential client. They told me they had people who started working at 5pm eastern. Their entire job was to craft mail that would get through Hotmail’s filters that day. As soon as they found a particular message that made it to the inbox, they’d blast to their list until the filters caught up. When the filters caught up, they’d start testing again. This went on all night or until the full list was sent.

Since then I’ve heard of a lot of other filter bypass techniques. Some spammers set up thousands of probe accounts at ISPs and would go through and “not spam” their mail to fool the filters (ISPs adapted). Some spammers set up thousands of IPs and rotate through them (ISPs adapted). Some spammers register new domains for every send (ISPs adapted). Some spammers used botnets (ISPs adapted).

I’m sure, even now, there are spammers who are creating new techniques to get through filters. And the ISPs will adapt.

Thoughts on Hotmail filtering
https://wordtothewise.com/2015/03/thoughts-on-hotmail-filtering/
Fri, 20 Mar 2015 00:25:17 +0000

One of the new bits of information to come out of the EEC15 deliverability discussions is how Hotmail is looking at engagement differently than other webmail providers.

Many webmail providers really do look at overall engagement with a mail when making delivery decisions. And this really impacts new subscribers the most. If there is a mailing where a lot of subscribers are engaged, then new subscribers will see the mail in their inbox. Based on what was said at the webinar earlier this week, engagement has no effect at Hotmail outside of the individual user’s box.

I’ve certainly seen this with clients who’ve tried trimming subscriber lists but that doesn’t really help get mail moved from the Hotmail bulk folder to the inbox.

 

Instead of subscriber lists, Hotmail is really looking at bounces. They’re watching the number of nonexistent accounts senders are mailing to, and they’re counting. If a sender hits too many bad addresses, that is a major hit to their reputation.

All of this makes remediation at Hotmail challenging. Right now, we can remediate a bad reputation at a lot of ISPs and the filters catch up and mail starts flowing back to the inbox. Hotmail has set up a system that they say is “hard for spammers to game.” This seems to translate into hard for legitimate senders to fix their reputation.

Hotmail is, IMO, the current tough nut in terms of deliverability. Develop a bad reputation there and it’s difficult to fix it. I’m sure it’s possible, though.

Tweets from engagement and deliverability webinar
https://wordtothewise.com/2015/03/tweets-from-engagement-and-deliverability-webinar/
Wed, 18 Mar 2015 00:01:16 +0000

Want to see some of the tweets shared during the EEC Deliverability and Engagement webinar on March 17? Check out what was said as it happened.

Mythbusting deliverability and engagement
https://wordtothewise.com/2015/03/mythbusting-deliverability-and-engagement/
Tue, 17 Mar 2015 23:58:37 +0000

Yesterday I published an article talking about an engagement webinar hosted by the EEC and DMA. I made a couple predictions about what would be said.

  1. ISPs do monitor engagement, even if they do it differently than senders thought.
  2. Engagement is important for inbox delivery at some ISPs.
  3. Different ISPs have different ways of making inbox decisions.
  4. Engagement will matter more in the future.

And, yes, all those things were said. The ISPs told us quite a bit about what they look for when making delivery decisions.

ISPs monitor engagement, measured by what users do with the mail. Do they delete it without opening it? Do they move it from the bulk folder to the inbox? Do they whitelist the sender?

ISPs also measure inactive accounts. Some use the mail to inactive accounts as a metric in their delivery decisions. Some don’t. AOL deletes accounts that haven’t logged in for 180 days. (Personal note: logging into AIM counts as a login and they don’t delete your account if you use AIM.)

Some ISPs use engagement as part of their overall reputation metrics. Other ISPs don’t. Outlook, for instance, doesn’t use engagement other than to make decisions about an individual email and the recipient. At Gmail, however, the individual user actions bubble up and affect the overall delivery of a mail.

This is really one of the first times it’s been so clear to me how different the specifics of filtering are at the different ISPs. I mean, I always knew that they all had their special secret sauce. Recent client experiences have also taught me that what works to get mail back into the inbox at one ISP doesn’t always work for another ISP. Hotmail/Outlook (sorry, I am old school enough I haven’t mentally branded them “outlook.com” yet) treats bounces (user unknowns) as a major factor. Other ISPs use spam trap accounts as a major factor in their decisions.

And, while it was never explicitly said, engagement is not going away as a factor in delivery decisions. Filters and algorithms may change, but senders are going to have to focus more and more on sending the emails people really want to receive in order to get to the inbox.

 

Delivery and engagement
https://wordtothewise.com/2015/03/delivery-and-engagement/
Mon, 16 Mar 2015 22:47:16 +0000

Tomorrow is the webinar Mythbusters: Deliverability vs. Engagement. This webinar brings together the ISP speakers from EEC15, plus Matt from Comcast, to expand on their comments. There’s been some confusion about the impact of engagement on delivery and whether or not senders should care about recipient engagement.

My opinion on the matter is well known: recipient engagement drives delivery to the inbox at some providers. I expect tomorrow we’ll hear a couple things from the ISPs.

  1. ISPs do monitor engagement, even if they do it differently than senders thought.
  2. Engagement is important for inbox delivery at some ISPs.
  3. Different ISPs have different ways of making inbox decisions.
  4. Engagement will matter more in the future.

But what is engagement? Engagement means recipients are interacting with emails. Senders measure engagement by watching users load images and click on links. ISPs measure engagement by looking at what users do with emails (file, reply to, save, open, delete without opening, spam). The engagement measures are different, and they give each group different data.

Measurements by the ISPs also apply to many factors inside the email. Most of the big ISPs have some mechanism to allow recipients to identify an email as spam. Some ISPs provide this information back to senders in the form of a feedback loop (FBL). FBLs are tied to IP addresses (or in some cases d= values in the DKIM signature) but complaints count against other parts of the email, too. Yahoo, for example, keeps track of complaints against specific URLs in a message and will block mail that contains a URL that gets too many complaints. I’m sure they’re not the only provider that tracks complaints and URLs.

Senders are much more limited in what they can track for engagement: image loads (opens) and clicks. These measurements have always been proxies for what the ISPs are measuring, but they’re what senders have to work with.

 

thirty.years.com
https://wordtothewise.com/2015/03/thirty-years-com/
Fri, 13 Mar 2015 19:28:51 +0000

Thirty years ago this Sunday, symbolics.com was registered – the first .com domain. It was followed, within a few months, by bbn.com, think.com, mcc.com and dec.com.

Symbolics made Lisp machines – symbolics.com is now owned by a domain speculator.

BBN is a technology R&D company who’ve worked on everything. If I had to pick one thing they were involved with it’d be the Internet Message Processor – the router used on the very first Internet nodes. They are still around, as a division of Raytheon.

Think.com made some amazing massively parallel computers. Their hardware group was bought out by Sun, who were bought out by Oracle and think.com now redirects to a broken error page at oracle.com.

Mcc.com were the first – and for a while, the largest – computing research and development consortium in the US. They did groundbreaking work on everything from silicon to AI. Their domain is now a generic parked page owned by a domain speculator.

Dec.com were Digital Equipment Corporation – creators of the PDP, VAX, Alpha and StrongARM processors, amongst many other things. They were a huge company when I worked for them designing Alpha CPUs in the mid 90s, then they were acquired by Compaq, then HP, then split up. Their domain is now a personal website.

It took nearly three years to reach 100 registered .com domains and nearly 10 years to reach 9,000.

As of this morning there are 116,621,517 domains registered in .com, from (64 zeros).com to (64 letter z).com, out of a possible total of more than two googol – so there’s still a domain there for you.

221,848 of those domains in .com mention “mail”.

Updated M3AAWG Best Practices for Senders
https://wordtothewise.com/2015/03/updated-m3aawg-best-practices-senders/
Wed, 11 Mar 2015 18:36:17 +0000

M3AAWG has published a new version of the Senders Best Common Practices document, and it contains a lot of new information since the original publication in 2008. The new document covers how to vet ESP customers, considerations when selecting a dedicated or shared IP to send mail, and includes best practices on a number of technical processes.

The Senders Best Common Practices document is targeted at deliverability teams and email marketers. For any company that sends marketing emails, uses an Email Service Provider, or provides an email-enabled platform, it’s always good to go back and periodically review your system to ensure nothing was missed and to stay up to date on all new recommendations.

A few of the recommendations include the use of the List-Unsubscribe header, publishing a clear WHOIS for domains used for sending mail, and how to process non-delivery report messages.

The List-Unsubscribe header provides an additional way for users to opt-out of email messages. Gmail and Outlook.com both use the presence of the list-unsubscribe header to provide a one-click button to allow the user to unsubscribe from the mailing list. Often enough, if a user cannot find an opt-out link, they’re marking the message as spam. Allowing a recipient to unsubscribe easily is critical to maintaining good delivery reputation.

A WHOIS lookup is a query to determine who is the registered user or assignee of a domain name. During a session at the most recent M3AAWG meeting, it was announced that spammers throw away 19 million domains per year. When a postmaster or abuse desk receives a complaint, they’ll often query to see who owns the domain the email was sent from or who owns the domains used in the hyperlinks. If the WHOIS record is out of date or set to private, this limits the ability of the postmaster or abuse desk to reach out to the owner of the domain.

Processing non-delivery reports is critical to maintaining a high delivery reputation. Many ESPs have an acceptable-use policy that includes a bounce rate. Mailjet recommends a bounce rate of less than 8% and Mandrill recommends less than 5%. If a system is not in place to remove the hard bounces from your mailing list, the sender’s reputation will quickly deteriorate.
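
One way to automate the hard-bounce removal described above, as an added example (not code from M3AAWG, this post, or any ESP): it parses RFC 3464 delivery status notifications, suppresses recipients with a permanent 5.x.x failure, and compares the bounce rate with the 5% and 8% figures quoted above. The sample messages, addresses, and function names are constructed for illustration; counting soft bounces toward the rate and lowercasing whole addresses are assumptions.

```python
import email
import re

# Bounce-rate ceilings quoted in the post above.
LIMITS = {"Mandrill": 0.05, "Mailjet": 0.08}
STATUS_RE = re.compile(r"^([245])\.\d{1,3}\.\d{1,3}")

# Constructed RFC 3464 bounce; hosts and addresses are made up.
DSN_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.net
To: bounces@sender.example
Subject: Delivery Status Notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient did not succeed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; {rcpt}
Action: {action}
Status: {status}

--b1--
"""

def parse_dsn(raw):
    """Return [(recipient, action, status)] for one message; [] if not a DSN."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return []  # auto-replies and other non-report mail are ignored
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The parser exposes each header group of this part as a sub-message.
        for block in part.get_payload():
            rcpt = block.get("Final-Recipient")
            if rcpt is None:
                continue  # per-message group (Reporting-MTA), not a recipient
            addr = rcpt.split(";", 1)[-1].strip().lower()
            action = (block.get("Action") or "").strip().lower()
            results.append((addr, action, (block.get("Status") or "").strip()))
    return results

def classify(action, status):
    """hard = permanent failure (5.x.x); soft = delayed or transient (4.x.x)."""
    m = STATUS_RE.match(status)
    cls = m.group(1) if m else ""
    if action == "failed" and cls == "5":
        return "hard"
    if action == "delayed" or cls == "4":
        return "soft"
    return "other"

def process_bounces(mailing_list, raw_messages):
    """Suppress hard bounces and report the bounce rate for one send."""
    hard, soft = set(), set()
    for raw in raw_messages:
        for addr, action, status in parse_dsn(raw):
            if addr not in mailing_list:
                continue  # report for an address we never mailed
            kind = classify(action, status)
            if kind == "hard":
                hard.add(addr)
            elif kind == "soft":
                soft.add(addr)
    soft -= hard
    rate = len(hard | soft) / len(mailing_list) if mailing_list else 0.0
    return {"cleaned": sorted(mailing_list - hard), "hard": sorted(hard),
            "soft": sorted(soft), "rate": rate,
            "over_limit": [n for n, lim in LIMITS.items() if rate >= lim]}

def demo():
    mailing_list = {f"user{i:02d}@example.com" for i in range(1, 41)}
    inbound = [
        DSN_TEMPLATE.format(rcpt="user03@example.com", action="failed", status="5.1.1"),
        DSN_TEMPLATE.format(rcpt="USER07@example.com", action="failed",
                            status="5.1.1 (user unknown)"),
        DSN_TEMPLATE.format(rcpt="user11@example.com", action="delayed", status="4.2.2"),
        "From: user12@example.com\nSubject: Out of office\n\nBack Monday.\n",
    ]
    return process_bounces(mailing_list, inbound)

if __name__ == "__main__":
    print(demo())
```

Only the two permanent failures leave the list; the delayed recipient stays on it but still counts toward the 7.5% rate, which is over the 5% figure and under the 8% one.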

The Senders Best Common Practices document can be downloaded at M3AAWG.org.

 

February 2015 – The month in email
https://wordtothewise.com/2015/03/february-2015-month-email/
Mon, 09 Mar 2015 18:07:24 +0000

This was a short and busy month at WttW!

We attended another great M3AAWG conference, and had our usual share of interesting discussions, networking, and cocktails. I recapped our adventures here, and shared a photo of the people who keep your email safe while wearing kilts as well. We also commended Jayne Hitchcock on winning the Mary Litynski award for her work fighting abuse and cyberstalking.

In other industry news, we noted that Salesforce is launching DKIM support, which means senders will be able to use DMARC as well. With the volume of email that is sent through the Salesforce platform every day, this is great news for senders who have additional authentication requirements. Speaking of authentication, I wrote up a summary of our current recommendations.

We continue to be interested in the ongoing discussions in our industry about measuring email engagement. One of the most-visible email metrics marketers use is the open, and we talked about all the different ways that might be measured. We also noted Chad White’s great post on the subject. We’ll have more on this over the next few weeks, both about how engagement is measured and why it matters.
