Word to the Wise https://wordtothewise.com Wed, 16 Apr 2014 21:06:34 +0000 en-US hourly 1 http://wordpress.org/?v=3.9-RC1 A good example of 3rd party email https://wordtothewise.com/2014/04/good-example-3rd-party-email/ https://wordtothewise.com/2014/04/good-example-3rd-party-email/#comments Wed, 16 Apr 2014 18:49:28 +0000 https://wordtothewise.com/?p=6844 This morning I received a great example of a 3rd party email that I thought I’d share with all of you.   What’s so great about it? It’s sent from the company I actually gave my email address to: Macheist. It tells me why I’m getting this email: I purchased Fantastical back in 2013 It […]

The post A good example of 3rd party email appeared first on Word to the Wise.

]]>
This morning I received a great example of a 3rd party email that I thought I’d share with all of you.

Good3rdPartyEmail

 

What’s so great about it?

  1. It’s sent from the company I actually gave my email address to: Macheist.
  2. It tells me why I’m getting this email: I purchased Fantastical back in 2013
  3. It introduces me to Fantastical’s new product: Fantastical 2 for iPad and iPhone.
  4. It gives me a chance to opt-in to mail from Flexbits.

I have no problem with this mail, even though it’s acquisition mailing. Macheist isn’t selling or handing off my information, even to their own vendors. But they are giving me the chance to follow up with products I’ve purchased in the past.

Not only is this consumer friendly, but it’s also in compliance with the new CASL regulations coming into effect in July.

Overall, a great example of how to send consumer friendly acquisition email.

The post A good example of 3rd party email appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/good-example-3rd-party-email/feed/ 1
AOL problems https://wordtothewise.com/2014/04/aol-problems/ https://wordtothewise.com/2014/04/aol-problems/#comments Wed, 16 Apr 2014 00:01:13 +0000 https://wordtothewise.com/?p=6842 Lots of people are reporting ongoing (RTR:GE) messages from AOL today.  This indicates the AOL mail servers are having problems and can’t accept mail. This has nothing to do with spam, filtering or malicious email. This is simply their servers aren’t functioning as well as they should be and so AOL can’t accept all the mail […]

The post AOL problems appeared first on Word to the Wise.

]]>
Lots of people are reporting ongoing (RTR:GE) messages from AOL today.  This indicates the AOL mail servers are having problems and can’t accept mail. This has nothing to do with spam, filtering or malicious email. This is simply their servers aren’t functioning as well as they should be and so AOL can’t accept all the mail thrown at them. These types of blocks resolve themselves. 

The post AOL problems appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/aol-problems/feed/ 1
Ignoring opt-outs https://wordtothewise.com/2014/04/ignoring-opt-outs/ https://wordtothewise.com/2014/04/ignoring-opt-outs/#comments Tue, 15 Apr 2014 22:49:50 +0000 https://wordtothewise.com/?p=6839 One of the marketing solutions to the spam problem is just to have recipients opt out. We think that commercial e-mail should always — and I emphasize always — provide for a way for the consumer to say: “I don’t want to hear from you again. One bite of the apple is enough. Having heard […]

The post Ignoring opt-outs appeared first on Word to the Wise.

]]>
One of the marketing solutions to the spam problem is just to have recipients opt out.

We think that commercial e-mail should always — and I emphasize always — provide for a way for the consumer to say: “I don’t want to hear from you again. One bite of the apple is enough. Having heard from you, I don’t want you to send me email again.” So we think that the approach of allowing a single message, and then an opt-out, makes the most sense. Bob Weitzen, DMA President, 2003

The problem with this approach is that some companies ignore the opt out from consumers. Even in the face of the CAN SPAM act, they still find ways to send mail to people who opted out.

Today’s example is from Microsoft. They sent out a mail this morning  to an address that was not given to Microsoft and has not received mail here since 2011.

Subject: We miss you! Re-subscribe to receive the latest tech news from Microsoft

Dear Laura,

Did you know your current contact settings have cancelled all Microsoft email communications to your inbox? We’d like to encourage you to re-subscribe so you won’t miss out on any of our great content and resources to help you and your organization realize its full potential. Opt-in to receive the latest information from Microsoft — all it takes is one click. If the content you receive is not to your liking, you can opt back out at any time.

I’m hearing from other people, on Facebook and to our contact address, that they have received this email as well. This seems to be a widespread “re-engagement” campaign by Microsoft. Some folks I’ve talked to say that the address they’ve received the mail to has been unused for years. Others say the message came addressed to the wrong name.

Overall, this was an extremely poorly done campaign by Microsoft. They are sending mail to recipients who have specifically said that they don’t want mail from Microsoft. They are admitting that the recipients don’t want the mail. I wish I could say I was surprised, but I’m really not. Consumer preferences just don’t matter to many marketers.

Edit: Consumerist article on Microsoft sending to opt-outs.

The post Ignoring opt-outs appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/ignoring-opt-outs/feed/ 0
The anatomy of From: https://wordtothewise.com/2014/04/the-anatomy-of-from/ https://wordtothewise.com/2014/04/the-anatomy-of-from/#comments Mon, 14 Apr 2014 19:07:35 +0000 https://wordtothewise.com/?p=6823 Compared with some of the more complex pieces of the email protocol the From: header seems deceptively simple. But I’ve heard several people be confused about what it’s made up of over the past couple of months, so I thought I’d dig a bit deeper into how it’s defined and how it’s used in practice. […]

The post The anatomy of From: appeared first on Word to the Wise.

]]>
Compared with some of the more complex pieces of the email protocol the From: header seems deceptively simple. But I’ve heard several people be confused about what it’s made up of over the past couple of months, so I thought I’d dig a bit deeper into how it’s defined and how it’s used in practice.

Here’s a simple example:

 

anatomyfrom

 

There are two interesting parts.

The first is what’s technically called the display-name, but more commonly known as the “friendly from” in the bulk email industry. It has no meaning within the email protocol, it’s just text that’s displayed to the recipient to describe who an email was sent by. Because it’s just text, you can put anything you like in there, but it’s usually either the name of the person who wrote the mail or the name of the company or brand that sent it.

The second is the actual email address, the thing with an at-sign in it. Surprisingly, this isn’t used at all during the actual delivery of the email; there’s a hidden field (called the return path or the 5321.MailFrom or the envelope sender  or the bounce address) that’s used instead. For person-to-person email it’s usually the same address, but for bulk mail it’s often different.

So what does the actual email address, the 5322.From, mean? For that we go to the document that specifies what email headers mean – RFC 5322, “Internet Message Format”. (RFC 5322 is the updated replacement of the older RFC 822 – and that’s why the actual email address is often called the 822.From or 5322.From when people are being precise about exactly which email address they’re talking about).

RFC 5322 says “The From: field specifies the author of the message, that is, the mailbox of the person or system responsible for the writing of the message.” and “In all cases, the From: field SHOULD NOT contain any mailbox that does not belong to the author of the message”. It’s the email address of the author of the message.

(In some cases the email may have been written by the author, but then sent on their behalf by someone else. RFC 5322 says that in that situation the email address in the From field is still the author of the message. The person who sent the message gets their own field, “Sender:”).

What is the 5322.From used for? During the delivery process it’s used for some sorts of filtering and authentication. In particular, if you’re reading about DMARC you’ll see “identifier alignment” mentioned a lot – which basically means “the only domain we care about authenticating is the one in the 5322.From”. It’s also the usual field that’s used in user-visible mail filtering such as whitelisting email addresses that are in the users address book.

In the mail client itself the most obvious use of the 5322.From is that when you hit reply, that’s the email address your reply will go to by default. The author of the mail can override that by adding a Reply-To field, containing one or more email addresses if they want different behaviour. It’s also commonly used to filter email and to group mails by author.

What’s displayed to the end user? Originally the entire content of the From: header was shown in the recipients mailbox but it’s now fairly common to display just the friendly from, with no mention of the email address at all. That started in mobile clients, where space is at a premium and the friendly from is just, well, friendlier – but it’s spread to desktop and webmail clients too. In Yahoo webmail the 5322.From isn’t displayed anywhere at all unless you find the View Full Header menu option and dig through the raw headers, and my phone doesn’t display it anywhere obvious and only recently made it possible to see it at all.

The post The anatomy of From: appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/the-anatomy-of-from/feed/ 4
Yahoo Statement on DMARC policy https://wordtothewise.com/2014/04/yahoo-statement-dmarc-policy/ https://wordtothewise.com/2014/04/yahoo-statement-dmarc-policy/#comments Sat, 12 Apr 2014 15:08:07 +0000 https://wordtothewise.com/?p=6820 Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail. On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to […]

The post Yahoo Statement on DMARC policy appeared first on Word to the Wise.

]]>
Yesterday Yahoo posted a statement about their new p=reject policy. Based on this statement I don’t expect Yahoo to be rolling back the policy any time soon. It seems it was incredibly effective at stopping spoofed Yahoo mail.

On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.

Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.

And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.

There is a regrettable, short-term impact to our more aggressive position on DMARC. Many legitimate emails sent on behalf of Yahoo Mail customers from third parties are also being rejected. We apologize for any inconvenience this may have caused.

Given the effectiveness of this policy, I would not be surprised to see other free mail providers (Gmail, Hotmail, AOL) or other ISPs to adopt this policy in the coming months. This is a shift in how many of us are used to using email, particularly personal email. But, as Yahoo says, times have changed and it’s time to take those painful actions that will increase our security.

In addition to making a public statement, Yahoo also published a number of things that senders (i.e., email intermediaries) can do to still handle email from Yahoo addresses as they are sent through different infrastructures. Many of these recommendations for senders are things that are already in process at most ESPs and mailing lists.

This seemingly simple policy statement is a revolutionary step in addressing issues of forgery and spam that many people have been discussing and arguing about for more than 10 years. This is a painful change for many people, Yahoo and non-Yahoo users alike. Luckily, the internet community has stepped up and implemented the changes that will make mail work even with a restrictive policy like p=reject. Now that mailing lists and ESPs are taking the steps to accommodate this policy change I expect to see other ISPs follow Yahoo’s lead and start publishing p=reject policies. Luckily for them Yahoo was first, so the impact on their users and mailing list managers should be much lower than we’ve been dealing with the last week.

The post Yahoo Statement on DMARC policy appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/yahoo-statement-dmarc-policy/feed/ 1
Dealing with DMARC for Mail intermediaries https://wordtothewise.com/2014/04/dealing-dmarc-mail-intermediaries/ https://wordtothewise.com/2014/04/dealing-dmarc-mail-intermediaries/#comments Fri, 11 Apr 2014 18:18:08 +0000 https://wordtothewise.com/?p=6816 I’ve been getting some mail and calls from folks looking for help on resolving the issue of DMARC bouncing. Some of these calls are from ESPs, but others are from SAAS providers who have users that have signed up with yahoo.com addresses and are now dealing with mail from those users bouncing, even when mail […]

The post Dealing with DMARC for Mail intermediaries appeared first on Word to the Wise.

]]>
I’ve been getting some mail and calls from folks looking for help on resolving the issue of DMARC bouncing. Some of these calls are from ESPs, but others are from SAAS providers who have users that have signed up with yahoo.com addresses and are now dealing with mail from those users bouncing, even when mail is going back too those users.

None of the solutions are really great, but here are a couple options.

1) Prohibit users users from sending with @yahoo.com header-from addresses. This will be challenging for some companies for all sorts of reasons. I have seen a number of people suggest switching to @hotmail.com or @gmail.com addresses. This only works as long as Gmail and Hotmail/Outlook don’t start publishing p=reject policies. It’s unclear if they’re even considering this at all, but it may happen.

2) Rewrite the header-from address from @yahoo.com to something you control. One thing I’ve been suggesting to customers is set up a specific domain for rewriting, like @yahoo.ESP.com. This domain would need to forward mail back to the @yahoo.com users, which does add another layer of complexity as these addresses will become spam magnets. Thus the forwarding IP should be on a distinct and separate IP, to prevent interference with other systems. Note, too, that any users sending to these reply addresses from a domain protected by DMARC p=reject will bounce.

If you have questions or want to ask specifically about what to do in your setup, I’ve blocked out some time in my schedule next week for companies. If you want more information about this please contact me to for available times, information requirements and pricing.

The post Dealing with DMARC for Mail intermediaries appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/dealing-dmarc-mail-intermediaries/feed/ 2
Yahoo DMARC articles worth reading https://wordtothewise.com/2014/04/yahoo-dmarc-articles-worth-reading/ https://wordtothewise.com/2014/04/yahoo-dmarc-articles-worth-reading/#comments Thu, 10 Apr 2014 21:54:54 +0000 https://wordtothewise.com/?p=6814 There are a bunch of them and they’re all worth reading. I have more to say about DMARC, both in terms of advice for senders and list managers affected by this, and in terms of the broader implications of this policy decision. But those articles are going to take me a little longer to write. […]

The post Yahoo DMARC articles worth reading appeared first on Word to the Wise.

]]>
There are a bunch of them and they’re all worth reading.

I have more to say about DMARC, both in terms of advice for senders and list managers affected by this, and in terms of the broader implications of this policy decision. But those articles are going to take me a little longer to write.

How widespread is the problem? Andrew Barrett publishes numbers, pulled from his employer, related to the number of senders using @yahoo.com addresses in their commercial emails. Short version: a low percentage but a lot of users and emails in raw numbers.

What can mailing list managers do? Right now the two answers seem to be stop Yahoo.com addresses from posting or fix your mailing list software. Al has posted how he patched his software to cope, and linked to a post by OnlineGroups.net about how they patched their software.

A number of people are recommending adding an Original Authentication Results header as recommended in the DMARC.org FAQ. I’m looking for more information about how that would work.

For commercial mailers, there doesn’t seem to be that much to do except to not use @yahoo.com address as your header-From address. Yes, this may affect delivery while you’re switching to the new From address, but right now your mail isn’t going to any mailbox provider that implements DMARC checking.

One other thing that commercial mailers and ESPs should be aware of. Depending on your bounce handling processes, this may cause other addresses to bounce off the list. Once the issue of the header-From address is settled, you can reactivate addresses that bounced off the list due to authentication failures since April 4.

 

The post Yahoo DMARC articles worth reading appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/yahoo-dmarc-articles-worth-reading/feed/ 0
Fixing discussion lists to work with new Yahoo policy https://wordtothewise.com/2014/04/fixing-discussion-lists-work-new-yahoo-policy/ https://wordtothewise.com/2014/04/fixing-discussion-lists-work-new-yahoo-policy/#comments Wed, 09 Apr 2014 17:24:27 +0000 https://wordtothewise.com/?p=6812 Al has some really good advice on how to fix discussion lists to work with the new Yahoo policy. One thing I would add is the suggestion to actually check dmarc records before assuming policy. This will not only mean you’re not having to rewrite things that don’t need to be rewritten, but it will […]

The post Fixing discussion lists to work with new Yahoo policy appeared first on Word to the Wise.

]]>
Al has some really good advice on how to fix discussion lists to work with the new Yahoo policy.

One thing I would add is the suggestion to actually check dmarc records before assuming policy. This will not only mean you’re not having to rewrite things that don’t need to be rewritten, but it will also mean you won’t be caught flat footed if (when?) other free mail providers start publishing p=reject.

The post Fixing discussion lists to work with new Yahoo policy appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/fixing-discussion-lists-work-new-yahoo-policy/feed/ 0
If you have servers using SSL, read this https://wordtothewise.com/2014/04/servers-using-ssl-read/ https://wordtothewise.com/2014/04/servers-using-ssl-read/#comments Tue, 08 Apr 2014 14:36:06 +0000 https://wordtothewise.com/?p=6810 I was going to post about SSL certification and setup today, but the security world got ahead of me. Recent versions of openssl – the library used by most applications to implement SSL – released over the past couple of years have a critical bug in them. This bug lets any attacker read any information […]

The post If you have servers using SSL, read this appeared first on Word to the Wise.

]]>
I was going to post about SSL certification and setup today, but the security world got ahead of me.

Recent versions of openssl – the library used by most applications to implement SSL – released over the past couple of years have a critical bug in them. This bug lets any attacker read any information from the process that’s running SSL, reliably, silently and without leaving any trace on the compromised server that it’s happened.

What’s so dangerous about that? As well as things like usernames, passwords, private email and so on, this lets the attacker take the private key for your SSL certificate. Once they have that private key, they can run a server that pretends to be you, even over SSL, opening up all sorts of shenanigans.

There are more details at heartbleed.com - but the short form is that you should check the version of openssl on all your servers – if it’s running openssl version 1.0.1 through 1.0.1f, it’s vulnerable.

You should obviously upgrade to openssl 1.0.1g on vulnerable machines, but given the scope of the potential attack you might want to consider the information on them already compromised. If so, that’d mean replacing the SSL certificates and changing any passwords the affected services have access to (both user passwords and any service passwords, such as database credentials).

 

The post If you have servers using SSL, read this appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/servers-using-ssl-read/feed/ 1
Example bounces due to Yahoo p=reject https://wordtothewise.com/2014/04/example-bounces-due-yahoo-preject/ https://wordtothewise.com/2014/04/example-bounces-due-yahoo-preject/#comments Mon, 07 Apr 2014 18:56:33 +0000 https://wordtothewise.com/?p=6807 There are a number of different bounces that people are reporting due to Yahoo publishing a DMARC record of p=reject. I decided to put some of those bounces here so confused users could find out what they needed to do. Comcast smtp;550 5.2.0 meQj1n01053u42A0HeQj3v Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001 Google smtp;550 5.7.1 […]

The post Example bounces due to Yahoo p=reject appeared first on Word to the Wise.

]]>
There are a number of different bounces that people are reporting due to Yahoo publishing a DMARC record of p=reject. I decided to put some of those bounces here so confused users could find out what they needed to do.

Comcast

smtp;550 5.2.0 meQj1n01053u42A0HeQj3v Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001

Google

smtp;550 5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain’s DMARC policy. Please contact administrator of yahoo.com domain if this was a legitimate mail. Please visit http://support.google.com/mail/answer/2451690 to learn about DMARC initiative. 100si2781324qgv.4 – gsmtp

Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. ua2si8779123

Hotmail

550 5.7.0 (COL0-MC6-F31) Unfortunately, messages from (IP) on behalf of (yahoo.com) could not be delivered due to domain owner policy restrictions. (in reply to end of DATA command))

XS4ALL

smtp;550 5.7.1  DMARC failure for domain yahoo.com, policy reject

Yahoo

554 5.7.9 Message not accepted for policy reasons.  See http://postmaster.yahoo.com/errors/postmaster-28.html (in reply to end of DATA command))

What can you do if you get one of these bounces?

Endusers can do a couple things. For one-to-one mail make sure you’re using the Yahoo outgoing mail servers and that should fix the problem without you having to really make any change. For email to mailing lists you’ll need to switch to an email address at another domain for that mailing list.

If you’re sending mail through an ESP, you’re going to need to change your header-from address to something other than a @yahoo.com address. This is going to break some things, unfortunately, but as long as Yahoo is publishing this record, you’re not going to be able to use Yahoo.com addresses for your commercial mail.

The post Example bounces due to Yahoo p=reject appeared first on Word to the Wise.

]]>
https://wordtothewise.com/2014/04/example-bounces-due-yahoo-preject/feed/ 5