Maawg

The gang is trickling in

It’s been a few years since we’ve actually made it to a MAAWG. We missed much of 2018 and 2019 due to our international move. Then 2020 San Francisco conflicted with a personal engagement. Then, well, pandemic hit and it’s been virtual and then we were moving and … wow, it’s been busy!

Read More

ESPs need to step up their compliance game

I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.

Read More

Your first M3AAWG meeting

It’s that time of year again where nearly all my client calls involve the question, “are you going to be at M3AAWG SF?” Up until last year, the answer was always yes. But now it’s not a brief drive up the peninsula and a BART ride into the city, it’s a transatlantic plane flight.

Read More

Resources for safer conferences

The MAAWG conference was held in Brooklyn a few weeks ago. Many positive discussions and sessions happened at the conference. But there was an incident of harassment during the conference where one participant assaulted multiple other attendees during late evening activities. I’m not going to speak too much to what happened as I wasn’t there. What I will say is that I am proud of my friends and colleagues who stepped up to make sure that the targets of the harassment made it safely to their rooms. I’m also pleased that the conference pulled the harasser’s badge and banned him from the conference in short order.

Read More

2018 JD Falk Award … a mailing list

It’s M3AAWG time. Even though we’re not there, I’m getting regular updates from friends and colleagues who are there. Yesterday, was the presentation of the 2018 JD Falk award. The award recognises “a particularly meritorious project undertaken by a dedicated individual or group reflecting the spirit of volunteerism and community building.” In this case, the award went to a group of people on the “BEC mailing list.”

Read More

Spring in San Francisco

And, of course, that means M3AAWG is coming to town. I’m speaking on two panels this conference and will be around starting mid-day Monday. Of course, half the fun of M3AAWG is watching the swarms of posts on Facebook of friends traveling to wherever.
Those of you visiting, weather is nice. Sadly (as we’re heading back into drought) we’re not expecting rain next week. And, we’re back up at the top of the hill – across the street at the Fairmont.
Looking forward to seeing everyone.

Read More

Back from MAAWG

Had an all too short trip to M3AAWG. It was great to see old friends and meet new folks. I have lots to talk about and a poll to get into the field once I get caught up on client work.

While I’m deep in the depths of my inbox, I thought I’d share a bit of insight into the question of new domain vs. subdomain that often comes up.

Read More

MAAWG next week

I’ll be up in Toronto Tuesday and part of Wednesday for the M3AAWG meeting. If you’re there, say HI!

Read More

February 2017: The Month In Email

Happy March!

As always, I blogged about best practices with subscriptions, and shared a great example of subscription transparency that I received from The Guardian. I also wrote about what happens to the small pool of people who fail to complete a confirmed opt-in (or double opt-in) subscription process. While there are many reasons that someone might not complete that process, ultimately that person has not given permission to receive email, and marketers need to respect that. I revisited an older post on permission which is still entirely relevant.
Speaking of relevance, I wrote about seed lists, which can be useful, but — like all monitoring tools — should not be treated as infallible, just as part of a larger set of information we use to assess deliverability. Spamtraps are also valuable in that larger set of tools, and I looked at some of the myths and truths about how ISPs use them. I also shared some thoughts from an industry veteran on Gmail filtering.
On the topic of industry veterans, myths and truths, I looked at the “little bit right, little bit wrong” set of opinions in the world of email. It’s interesting to see the kinds of proclamations people make and how those line up against what we see in the world.
We attended M3AAWG, which is always a wonderful opportunity for us to catch up with smart people and look at the larger email ecosystem and how important our work on messaging infrastructure and policy really is. I was glad to see the 2017 Mary Litynski Award go to Mick Moran of Interpol for his tireless work fighting abuse and the exploitation of children online. I also wrote about how people keep wanting to quote ISP representatives on policy issues, and the origin of “Barry” as ISP spokesperson (we should really add “Betty” too…)
Steve took a turn as our guest columnist for “Ask Laura” this month with a terrific post on why ESPs need so many IP addresses. As always, we’d love to get more questions on all things email — please get in touch!

Read More

Policy is hard

We’re back at work after a trip to M3AAWG. This conference was a little different for me than previous ones. I spent a lot of time just talking with people – about email, about abuse, about the industry, about the ecosystem. Sometimes when you’re in a position like mine, you get focused way too much on the trees.

Of course, it’s the focusing on the trees that makes me good for my clients. I follow what’s going on closely, so they don’t have to. I pay attention so I can distill things into useable chunks for them to implement. Sometimes, though, I need to remember to look around and appreciate the forest. That’s what I got to do last week. I got to talk with so many great people. I got to hear what they think about email. The different perspectives are invaluable. They serve to deepen my understanding of delivery, email and where the industry is going.

One of the things that really came into focus for me is how critical protecting messaging infrastructure is. I haven’t spoken very much here about the election and the consequences and the changes and challenges we’re facing. That doesn’t mean I’m not worried about them or I don’t have some significant reservations about the new administration. It just means I don’t know how to articulate it or even if there is a solution.
The conference gave me hope. Because there are people at a lot of places who are in a place to protect users and protect privacy and protect individuals. Many of those folks were at the conference. The collaboration is still there. The concern for how we can stop or minimize bad behavior and what the implications are. Some of the most difficult conversations around policy involve the question who will this affect. In big systems, simple policies that seem like a no-brainer… aren’t. We’re seeing the effects of this with some of the realities the new administration and the Republican leaders of congress are realizing. Health care is hard, and complex. Banning an entire religion may not be a great idea. Governing is not like running a business.
Talking with smart people, especially with smart people who disagree with me, is one of the things that lets me see the forest. And I am so grateful for the time I spend with them.

Read More

It's that time of year again!

That time of year when my friends and colleagues join the annual migration to San Francisco for 3 days and 4 nights of messaging, mobile, malware, and midnight meetings. We’re headed up to the conference later today. Do stop by and say hi!

Read More

October 2016: The Month in Email

We’ve returned from London, where I spoke at the Email Innovations Summit and enjoyed a bit of vacation. My wrap-up post also mentions an article I wrote for the Only Influencers site, which looks at questions I get asked frequently: “Why does spam make it to the inbox and our legitimate marketing email doesn’t? Should we just copy their tactics?”
Parliament2ForBlog
In industry news, Yahoo caught our attention for two surprising moves: disabling forwarding and — much more disturbing — creating software for intelligence agencies to search customer email.
Some legal updates this month: The Second Court of Appeals upheld an earlier ruling that companies are in fact liable for the activities of their affiliates, including spam and fraudulent claims. This is important, as we often see spammers and cybercriminals use affiliates to distance themselves from these activities. We also saw another fine assessed for a violation of CASL, and noted with appreciation the transparency and thoughtful process that the Canadian Radio-television and Telecommunications Commission (CRTC) demonstrates in explaining their actions.
Another excellent report is the one created by the Exploratorium to explain their recent experience with being phished. It’s a good piece to share with your organization, in that it reminds us that these cybercriminals are exploiting not just our technology but our trust-based connections to our friends and colleagues. It’s important to raise awareness about social engineering as a part of information security. And speaking of email security, we were delighted to note that André Leduc received the 2016 J.D. Falk award this month at M3AAWG for his excellent work on this topic. It’s a fitting legacy to our friend, J.D., who died five years ago this month. We miss him.
Finally, we’d be remiss in observing Halloween without a post about zombies. Feel free to read it aloud in your spookiest voice.

Read More

2016 J.D. Falk Award

André Leduc received the 2016 J.D. Falk award this week at the Paris meeting of M3AAWG. He was recognized for spearheading two distinct projects.
The first was the Operation Safety Net – Best Practices to Address Online, Mobile, and Telephony Threats  This 76 page report was written by global security experts. One of the major goals of the report was to discuss security in language accessible to policy makers and management. The report, newly updated in 2015, is available at the M3AAWG website. Making technical language accessible is, to my mind, one of the most important parts of getting security recommendations implemented.
In addition to his work in making security recommendations accessible, André was the lead architect behind the Canadian Anti-Spam Legislation. This legislation has greatly reduced the amount of spam received by Canadians. According to Leduc, CASL has improved permission practices by senders outside of Canada.
Congratulations to André.

Read More

And… we're back from London

The Email Innovations Summit in London was a good conference. Much smaller than Vegas, but with a number of very interesting talks. I got to meet a number of folks I’ve only known online and we had some interesting conversations at the conference and at the pub-track in the evenings.
FullSizeRender 3
I had so many grand plans for doing some work while in London. So many plans. And then I actually mostly disconnected and ignored anything I “should” be doing.  Instead, Steve and I did some touristing, some relaxing, some family time and some connecting with his college friends. We also (over)heard a lot of conversations about the US Election. One night at dinner every table around us was talking about our candidates and what they thought of them. It’s always interesting to hear what non-Americans think about our country.
In addition to missing two debates, it seems we missed some online news, too. I think the biggest thing was another large DDoS attack against that took out many major websites. I’m starting to see some comments that spam levels were down during the attack, too, but haven’t dug into that yet.
I did have an article published in the Only Influencers newsletter last week: Marketers Can’t Learn from Spam. All too often marketers think spammers are better at unboxing because they see spam in their inbox. But spammers are just more criminal and spend a lot of effort trying to bypass filters. These aren’t lessons marketers can learn from.
Unfortunately, due to our London trip, we are going to miss M3AAWG in Paris, which starts today. Two weeks between conferences was exactly the wrong time for going to both. Never fear, many folks will be tweeting what they can using #m3aawg38.
We’re both slowly getting back into the swing (and timezone!) of back to work. Blogging will pick up over the next few days. And I have new castle pictures to share.

Read More

Yahoo disabled forwarding

Al posted about this over on his blog earlier this week. Yahoo has disabled the ability to forward email from one Yahoo account to an email account on a different system.
There is, of course, all sorts of speculation as to why forwarding has been disabled including speculation this has to do with holding on to accounts during the Verizon purchase. It’s certainly possible this is the case.
However, forwarding email is hard. Forwarding email on a large scale can result in spam blocks and delivery problems. It’s such an issue M3AAWG published a forwarding best practices document. It’s possible that Yahoo is making some changes on the back end to better implement the best practice recommendations. I don’t know, but it’s possible that Yahoo is telling the truth that they’re improving technology.

Read More

M3AAWG in Philly This Week

Today marks the training day for M3AAWG 37 in Philly. With all the traveling and speaking I’ve been doing lately we’re not going to be there. So no tweeting from me about the conference.
logo
We’ve been attending various M3AAWG meetings since way early on – 2004? 2005? in San Diego. The organization has grown and matured and really come a long way since the early days. One of the challenges of M3AAWG is that it is a true working group. This isn’t like the various conferences I’ve been attending recently. I think there are two things that makes M3AAWG different from other conferences.
One of the most obvious things is the lack of a vendor floor. Sure, there are vendors and sponsors but vendors don’t bring in displays and have sales people stand around them to talk to folks. The conference does have demos and negotiations and meetings, but done differently than other events.
The other difference I’ve noticed is that M3AAWG is much more about participation. As the name says, this is a working group. Everyone is encouraged to get involved in things they’re interested in or that they think they can contribute to. Other conferences are a lot more about information being shared by speakers and panels. But during M3AAWG conferences, there are 2 mornings devoted to round tables.
The round tables are a true community effort, and probably deserve some discussion for people who’ve never been to the conference. Before the conference, members of the community submit ideas for things they think M3AAWG should discuss. These suggestions are reviewed by the board and leadership and ones that fall within M3AAWG’s purview are taken to the conference.
The first day of roundtables each topic is discussed in small groups. Volunteers facilitate a 20 – 30 minute discussion on the topic at hand with attendees. After time is called, attendees go to another topic and discuss that one. Part of what is discussed is not just the issue (say, how to get off a blacklist) but also what the final work product looks like. Is this a document for M3AAWG members? A panel at a future conference? A public document?
The second day is refinement of the roundtable topics and commitment from people to move the project forward. Champion is the person who is project managing this. Other roles depend on the work product. For presentation or panels, there is one set of roles. For documents there are roles as writers and editors and contributor.
M3AAWG has written and produced some useful resources and information over the years. Many of those resources are public, like best practice documents and metric reports. Other docs and reports are specifically for members.
The working group part of M3AAWG in one of its real strengths. Experts on all sides of the business of email get together to keep email useable and workable. Early on it there were a few barriers and some suspicion about various participant groups. But, as the industry as grown things have changed. Many folks have moved from ISPs to ESPs and back. There’s also a bigger place for companies that provide services to ESPs and ISPs, like us here at Word to the Wise. We’ve built bridges and technology and have been a positive force on the world.
 

Read More

M3AAWG 36 – San Francisco

So many familiar faces. So many new faces.
This is my one M3AAWG this year and I’m so excited to be here. The organization has really grown and changed over the 10 years we’ve been a member. It’s only getting better and better.
I’ll be tweeting from public sessions (and probably tweeting random things that occur to me as I’m here) using the #m3aawg36 tag.

Read More

June 2015: the Month in Email

Happy July! We are back from another wonderful M3AAWG conference and enjoyed seeing many of you in Dublin. It’s always so great for us to connect with our friends, colleagues, and readers in person. I took a few notes on Michel van Eeten’s keynote on botnets, and congratulated our friend Rodney Joffe on winning the prestigious Mary Litynski Award.
In anti-spam news, June brought announcements of three ISP-initiated CAN-SPAM cases, as well as a significant fine leveled by the Canadian Radio-television and Telecommunications Commission (CRTC) against Porter Airlines. In other legal news, a UK case against Spamhaus has been settled, which continues the precedent we’ve observed that documenting a company’s practice of sending unsolicited email does not constitute libel.
In industry news, AOL started using Sender Score Certification, and Yahoo announced (and then implemented) a change to how they handle their Complaint Feedback Loop (CFL). Anyone have anything to report on how that’s working? We also noted that Google has discontinued the Google Apps for ISPs program, so we expect we might see some migration challenges along the way. I wrote a bit about some trends I’m seeing in how email programs are starting to use filtering technologies for email organization as well as fighting spam.
Steve, Josh and I all contributed some “best practices” posts this month on both technical issues and program management issues. Steve reminded us that what might seem like a universal celebration might not be a happy time for everyone, and marketers should consider more thoughtful strategies to respect that. I wrote a bit about privacy protection (and pointed to Al Iverson’s post on the topic), and Josh wrote about when senders should include a physical address, what PTR (or Reverse DNS) records are and how to use them, testing your opt-out process (do it regularly!), and advice on how to use images when many recipients view email with images blocked.

Read More

Another M3AAWG on the books

Another M3AAWG is over. It was great to see old friends, some of whom I’ve known for more than a decade. It was even better to meet new people who I’m sure will become old friends. The conference has grown so much bigger than my first MAAWG back in San Diego (MAAWG 3 in 2005). That was maybe a hundred people. Today M3AAWG has more members companies than were at the original conference.
I’m still processing all the information from the conference. I learned a lot of new things. I had some of my knowledge confirmed. I’ve had some of my beliefs challenged.
It’s always great to see everyone. And thank you for everyone who went out of your way to tell me you read the blog. It’s great to know that I’ve made some of you think and helped you learn and given you backup when you need to talk to bosses or customers.
Regular blogging resumes tomorrow.
Sláinte
 
 

Read More

Whirlwind that is M3AAWG

It’s been a great conference, and it’s only about half done. As is common at these conferences, I write down lots of things we should do and need to publish. The difference is now that we are growing I may have the time to put the polish on them and get them published.
Today’s keynote discussed the economics of botnet mitigation. Michel van Eeten from Delft University of Technology presented information compiled from some different datasets about botnets.
Good news
Botnet infection rates are relatively stable. They’ve not spiraled out of control like some people were predicting.
Interesting news
More than 50% of bot infections are contained on 50 ISPs in the entire world.
Bad news
Centers set up specifically to fix botnet infections don’t really have a big impact on infection cure rate.
Good news
ISP actions and walled gardens do have an impact on infection cure rates.
The biggest take away from the session is that ISPs are critical in both protecting from infection and helping users cure infection once it happens.

Read More

2016 Mary Litynski Award

The Mary Litynski Award is presented by M3AAWG to people who have done extensive work outside the public eye over a significant period of time. At the Dublin conference the award was presented to Rodney Joffe. A lot of other people will talk about Rodney’s accomplishments, including his role in the founding of Genuity, his work with the DMA in the early days of spam, his efforts against SMS spam and his efforts to secure the Internet infrastructure. But I have a much more personal perspective.
Rodney was seminal in changing my life and career path. Back in 1999, Rodney asked Steve to look into some DNS creativity he was testing. A few months later, Rodney invited Steve to join a new company he was founding based on that DNS creativity. We moved out the the Bay area and Steve started working for UltraDNS in early 2000.
Moving out to the Bay Area triggered my career shift into anti-spam and anti-abuse. I started working at MAPS (now Trend Micro) in their experimental consulting service division. We were the “carrot” end of the equation, where our job was to help companies minimize the abuse coming out of their networks.
After MAPS went through a round of layoffs in 2001, Rodney started recommending me as an email consultant to some of his connections in the marketing world. This work was a success and directly led to the founding of Word to the Wise and everything that flows from that.
M3AAWG has published a video where Rodney discusses his role in the history of spam and some of the other things he’s done to fight junk advertising (both fax and SMS spam). He sued junk faxers in small claims court. He was instrumental in getting SMS spam covered under the TCPA. He wrote the first global opt-out list supported by both the DMA and the ISPs and proved that global opt-out would never work. He literally pulled the plug on spamming customers.
Rodney says he’s “Not smart, just the guy who carries the bags of money and helps the smart people get things done.” I certainly don’t believe that is true. He has done things on the global scale to make the Internet a safer place for end users. But my appreciation is much more personal. I will forever be grateful to him for starting us on this path and the help and advice he gave us so many years ago.

Read More

May 2015: The Month in Email

Greetings from Dublin, where we’re gearing up for M3AAWG adventures.
In the blog this month, we did a post on purchased lists that got a lot of attention. If you’ve been reading the blog for any length of time, you know how I feel about purchased lists — they perform poorly and cause delivery problems, and we always advise clients to steer clear. With your help, we’ve now compiled a list of the ESPs that have a clearly stated policy that they will not tolerate purchased lists. This should be valuable ammunition both for ESPs and for email program managers when they asked to use purchased lists. Let us know if we’re missing any ESPs by commenting directly on that post. We also shared an example of what we saw when we worked with a client using a list that had been collected by a third party.
In other best practices around addresses, we discussed all the problems that arise when people use what they think are fake addresses to fill out web forms, and gave a nod to a marketer trying an alternate contact method to let customers know their email is bouncing.
We also shared some of the things we advise our clients to do when they are setting up a mailing or optimizing an existing program. You might consider trying them before your own next send. In the “what not to do” category, we highlighted four things that spammers do that set them apart from legitimate senders.
In industry news, we talked about mergers, acquisitions and the resulting business changes: Verizon is buying AOL, Aurea is buying Lyris, Microsoft will converge Office365/EOP and Outlook.com/Hotmail, and Sprint will no longer support clear.net and clearwire.net addresses.
Josh posted about Yahoo’s updated deliverability FAQ, which is interesting reading if you’re keeping up on deliverability and ESP best practices. He also wrote about a new development in the land of DMARC: BestGuessPass. Josh also wrote a really useful post about the differences between the Mail From and the Display From addresses, which is a handy reference if you ever need to explain it to someone.
And finally, I contributed a few “meta” posts this month that you might enjoy:

Read More

Friday fun stuff

Between the rampaging llamas and a photo optical illusion the internet has been a silly, silly place the last 24 hours.
I have a little present for folks. I hinted there may be pictures from Kilt Day at M3AAWG in an earlier post.
There are, and all of the subjects have granted permission for me to share the photos here. Follow me below the cut.

Read More

Aetna, phishing and security

We’ve just gotten home from M3AAWG and I’m catching up with a lot of the administrative stuff that’s gotten ignored while we were soaking up the tons of information from some of the smartest Internet security folks around. One of the tasks I’m working on is checking on our recent bills from our health insurance provider. Their website seems to be down, so I called them up and asked them if it was down or if something was broken on my end.
They did confirm there was a problem with the site “earlier today” but then started asking me for my account information. They’ve promised to email me a new password because of reasons.
One of the things about M3AAWG is that concentrated discussions about spam and online criminals and security can make everything feel so fragile and security so inadequate to protect us against criminals. I start thinking that everything is compromised. It doesn’t help that websites fail just at the time when I start trying to figure out if my personal information leaked out.
In the course of trying to figure out if there is something wrong at Aetna and if my personal information is safe, I find an article about how poor security is for health companies. “Health companies flunked an email security survey—except Aetna.” Apparently, out of all the health companies out there, Aetna are the only ones fully implementing DMARC on all their mail streams.
The problem is that for the mail I received from Aetna, the visible From: address is AetnaeBilling@aetnagroupbilling.com. This is one of the major vulnerabilities of DMARC. How can I, as a recipient, tell that this is officially mail from Aetna? Any phisher could register “aetnabilling.com” or “aetnagoupbilling.com” or “aetnaebilling.com” and publish DMARC records and use those records to phish customers. Even worse, aetnagroupbilling.com isn’t a SSL registered website.
This is exactly the type of setup a phisher would use to gain access to people’s health insurance accounts. And Aetna offers the ability to draft payments directly from a business checking account, so breaking into the billing account also offers some level of access to the business money.
Do I think this is a phish? No.
Do I think the average person would be able to tell that? No.
There’s got to be a better way to secure folks online.

Read More

Back from M3AAWG

Last week was the another M3AAWG meeting in San Francisco. The conference was packed full of really interesting sessions and things to learn. Jayne’s keynote on Tuesday was great, and brought up a lot of memories of just what it was like to be fighting spam and online abuse in the mid to late 90s. It’s somewhat amazing to me that many of the people I first met, or even just heard about are still actively working to fight abuse and make the Internet safer.
Wednesday was another great keynote from Facebook, discussing security. Facebook is committed to sharing threat information and has started the ThreatExchange website as a hub for sharing data among large companies.
One thing that was amusing was during one talk someone mentioned YubiKey for managing logins. They said many people were sharing long strings of random keys that sometimes happen because someone has accidentally triggered the one time passcode. YubiKey is awesome, if sometimes ccccccdkhjnbitklrrtnhjrdfgdlhektfnfeutgtdcib inscrutable.
As has become a bit of a M3AAWG tradition lately, Wednesday was also kilt day. There may be pictures. For those of you planning to go to Dublin, Wednesday will be kilt day as well.
The conference was great, but ended on a bit of a down note. We received word that Wednesday night a long time friend, Ellen R., passed away due to complications from a stroke. The conference held a moment of silence for her at the end. Ellen was a friend as well as a colleague. She was around on IRC when we started this crazy experiment called Word to the Wise and was always helpful and insightful. She volunteered with, and then worked for, Spamcop and then volunteered with Spamhaus. Ellen will be very missed.
I started off the conference remembering all the friends I made back in the late 90s and ended it remembering and missing those who are no longer around. Email has been one amazing journey, and doesn’t look like it’s going away anytime soon.

Read More

Mary Litynski Award winner Jayne Hitchcock

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

Read More

M3AAWG Recommends TLS

SSL or Secure Sockets Layer is protocol designed to provide a secure way of transmitting information between computer systems. Originally created by Netscape and released publicly as SSLv2 in 1995 and updated to SSLv3 in 1996. TLS or Transport Layer Security was created in 1999 as a replacement for SSLv3. TLS and SSL are most commonly used to create a secure (encrypted) connection between your web browser and websites so that you can transmit sensitive information like login credentials, passwords, and credit card numbers.
M3AAWG published a initial recommendation that urges the disabling of all versions of SSL. It has been a rough year for encryption security, first with Heartbleed vulnerability with the OpenSSL library, and again with POODLE which stands for “Padding Oracle on Downgraded Legacy Encryption” that was discovered by Google security researchers in October of 2014. On December 8, 2014 it was reported that TLS implementations are also vulnerable to POODLE attack, however unlike SSLv3, TLS can be patched where as SSL 3.0 has a fundamental issue with the protocol.

Read More

M3AAWG Boston

The tri-annual procession of Facebook friends and colleagues to a disclosed location to talk about messaging, abuse and prevention started over the weekend.  For me, this M³AAWG conference marks the beginning of a new chapter. We’re hiring, and even before the conference officially started I’ve had some productive conversations with people about what we’re looking for and how we see the company growing. M³AAWG is always a little like a reunion. I’ve been working with some of the people present for more than a dozen years, and some I’ve known for even longer. The conference is work, they mean the “working group” part of their name, but it’s also a time to create and maintain the community that keeps our online messaging from being overwhelmed. If you’re here, drop by and say hi (and don’t forget to visit my session on Thursday afternoon)! Otherwise, watch this space as I share what insights I can about the information presented.

Read More

Dealing with compromised user accounts

M3AAWG is on a roll lately with published documents. They recently released the Compromised User ID Best Practices (pdf link).

Read More

Nominations for the J.D. Falk Award

J.D. Falk was one of the first names I encountered when learning how to read headers and report spam back in the mid-90s. He was one of the folks leading the fight against spam and actively trying to improve the Internet. When I was hired by MAPS I got to work with J.D. and a number of other big-names. One of the things that really surprised me was that this “internet elder” I had imagined was younger than me and with much bluer hair.
After MAPS imploded, J.D. and I carved out separate careers. He went to work at a number of major mailbox providers and I started delivery consulting. Our paths crossed occasionally, usually at conferences, but we also were on a number of mailing lists together. I kept an eye on J.D and his impact on email delivery. In fact, J.D. was responsible for a lot of the modern anti-spam techniques implemented at ISPs.
Eventually, he moved to Return Path where he worked on their Receiver Support group; even as he continually argued against the false sender / receiver dichotomy that so many people endorse.
M3AAWG, with financial support from Return Path, created the J.D. Falk award to recognize people who work to create a better online world. Nominations for the 3rd annual J.D. Falk award are now open. The M3AAWG website has more details.

Read More

Some email related news

A couple links to relevant things that are happening in email.
M3AAWG released the Help! I’m on a Blocklist! (PDF link) doc this week. This is the result of 4 years worth of work by a whole lot of people at M3AAWG. I was a part of the working group (“doc champion” in M3AAWG parlance) and want to thank everyone who was involved and contributed to the process. I am very excited this was approved and published so people can take advantage of the collective wisdom of M3AAWG participants.
In other announcements, Gmail announced today on their Google+ page that that they were putting a new “unsubscribe” link next to the sender name when mail is delivered to the Promotions, Social or Forums tab. This appears to be the official announcement of the functionality they announced at the SF M3AAWG last February. It likely means that all users are currently getting the “unsubscribe” link. What Gmail doesn’t mention in that blog post is that this functionality uses the “List-Unsubscribe” header, not the link in the email, but I don’t think anyone except bulk mailers really care about how it’s being done, just that it is.
Also today Gmail announced they were going to recognize usernames with non-Latin or accented characters in the name. Eventually, they claim, they’ll also allow people to get Gmail addresses with accented characters.

Read More

May 2014: The month in email

It’s been a busy and exciting month for us here.
Laura finished a multi-year project with M3AAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group (look for the results to be published later this year) and continued working with clients on interesting delivery challenges and program opportunities. Steve focused on development on the next version release of Abacus, our flagship abuse desk tool, which will also be available later this year.
And as always, we had things to say about email.
The World of Spam and Email Best Practices
We started the month with a bit of a meta-discussion on senders’ fears of being labeled spammers, and reiterated what we always say: sending mail that some people don’t want doesn’t make you evil, but it is an opportunity to revisit your email programs and see if there are opportunities to better align your goals with the needs of people on your email lists. We outlined how we’ve seen people come around to this position after hitting spamtraps. That said, sometimes it is just evil. And it’s still much the same evil it’s been for over a decade.
We also wrote a post about reputation, which is something we get asked about quite frequently. We have more resources on the topic over at the WiseWords section of our site.
Gmail, Gmail, Gmail
Our friends over at Litmus estimate Gmail market share at 12%, which seems pretty consistent with the percentage of blog posts we devote to the topic, yes? We had a discussion of Campaign Monitor’s great Gmail interview, and offered some thoughts on why we continue to encourage clients to focus on engagement and relevance in developing their email programs. We also wrote a post about how Gmail uses filters, which is important for senders to understand as they create campaigns.
SMTP and TLS
Steve wrote extensively this month about the technical aspects of delivery and message security. This “cheat sheet” on SMTP rejections is extremely useful for troubleshooting – bookmark it for the next time you’re scratching your head trying to figure out what went wrong.
He also wrote a detailed explanation of how TLS encryption works with SMTP to protect email in transit, and followed that with additional information on message security throughout the life of the message. This is a great set of posts to explore if you’re thinking about security and want to understand potential vulnerabilities.
DKIM
Steve also wrote a series of posts about working with DKIM (DomainKeys Identified Mail), the specification for signing messages to identify and claim responsibility for messages. He started with a detailed explanation of DKIM Replay Attacks, which happens when valid email is forwarded or otherwise compromised by spammers, phishers or attackers. Though the DKIM signature persists (by design) through a forward, the DKIM specification restricts an attacker’s ability to modify the message itself. Steve’s post describes how senders can optimize their systems to further restrict these attacks. Another way that attackers attempt to get around DKIM restrictions is by injecting additional headers into the message, which can hijack a legitimately signed message. If you’re concerned about these sort of attacks (and we believe you should be), it’s worth learning more about DKIM Key Rotation to help manage this. (Also of note: we have some free DKIM management tools available in the WiseTools section of our site.)
As always, we’re eager to hear from you if there are topics you’d like us to cover in June.

Read More

Still catching up

I had planned to get some more information out from M3AAWG sessions last week, including the Gmail session and the ISP session. But, I am still catching up with other work.
I will say this, though, implementing a preference center will not solve delivery problems when you are sending from an IP with no reverseDNS.
Tomorrow. Tomorrow I will have content. (Stop laughing. Really. Just stop)

Read More

Gmail pilots new FBL

Yes, it’s true. Gmail announced last Thursday at M3AAWG that they were piloting a new Feedback loop.
The Gmail FBL is currently for ESPs only. The announcement during MAAWG was that only MAAWG ESP members were eligible. They are requiring a DKIM signature for the FBL, but ESPs using individual customer d= values can get a FBL based on IPs. They are also not providing ANY information that reveals the complainer. Gmail’s intention is only to give ESPs feedback so that ESPs can prevent abuse. They are not giving feedback so complainers can be removed.
The email has a .csv attachment that has 3 columns: date, identifier and complaint rate.
The identifier is an ESP provided customer identifier. One of the ESPs I talked to said they were adding an X-header into their emails.
I’ve heard from beta testers that there is a minimum of 100 complaints before you’ll get any report.
Reports are sent daily if there is sufficient traffic to trigger them.
If you’re a MAAWG member, check the senders list for the signup URL.

Read More

So much to write about

This was a great MAAWG conference and there are a couple sessions I can write about. There were multiple sessions where representatives from various blocking groups and ISPs talked about what they block on. I have extensive notes and will be writing things up in the next few days.
The awesome folks at Mailchimp brought t-shirts for us.

Read More

Lavabit and darkmail

The M3AAWG keynote address today was a talk from Ladar Levinson about the shut down of Lavabit mail service after receiving demands from the NSA to hand over their SSL keys.
@maawg tweeted different quotes from the session. There is a conflict between privacy and security, and these are questions we need to resolve.
Ladar talked about his potential new service called darkmail, which pushes encryption back to the user level. I think there is relevance to this, as many online services are used for political and other organizing. As someone said to me last night, some of the people using our service could be killed if we don’t protect their privacy. He wasn’t speaking of the US residents, but people in places like Ukraine or Arab countries or other places undergoing violent revolutions.
Privacy is important, how we treat privacy is important. Handing over SSL keys to governments strikes me as a big problem.

Read More

M3AAWG conference next week

Next week is M3AAWG 30 in San Francisco. We’ll be there and are very excited to see the familiar faces and meet new people.
I recently had someone ask me what would I recommend to someone going to their first M3AAWG conference. My recommendation to anyone in the sender or marketer space is to go to some of the talks that are not about email delivery. Go to the sessions that talk about malware or SMS or anything other than just email delivery. For anyone in the ISP space go to a session focused on mobile or email sending. Use this time to learn about something totally different than what you do every day.
Another question I get frequently from senders is if the people from the ISPs are open to sitting down and talking with senders about the senders’ email problems. Generally, the answer is no. Most of the time, the ISP has no knowledge of who you are and what mail you’re sending, so all they can say is “send me an email with the IPs and I’ll take a look at it.” That’s it.
We’ll be in the city starting Monday afternoon, and I always enjoy meeting readers. Stop by and introduce yourself.

Read More

The J.D. Falk award 2013

M3AAWG awarded the second J.D. Falk award today in Montreal. The winner was Gary Warner from the University of Alabama.
Gary has been involved in fighting abuse and online crime since the 1990s. He developed the Center for Information Assurance and Joint Forensics Research at the University. This is an education program that not only teaches students about online threats and how to fight them, but collaborates with both industry experts and law enforcement.
You can check out Gary at his blog or on twitter.
 

Read More

Questioning standards

M3AAWG publishes documents summarizing and discussing current practices for stopping and preventing abuse. Some of these documents are focused on ISPs while others are focused on marketers. While M3AAWG is not directly nor officially a standards body, most of the documents have been written by members and reflect the best current practices for that document.
Members have been asked to leave the organization and some companies are denied membership because they are not in line with the organizational values. Some of these companies are ESPs or marketers, but some of these companies have been ISPs as well.
The standards written by M3AAWG are challenging for a lot of marketers to follow. These standards are written with the input of senders, but they all comply with the M3AAWG mission of stopping messaging abuse. Many ISPs believe that unsolicited email is abuse, thus M3AAWG standards say that all mail needs to be sent to recipients who request that mail. Purchasing lists, selling lists, and appending email addresses are all unacceptable activities for M3AAWG members.
I never really had much concern about the effectiveness of the M3AAWG process. Most of the big industry players are there and many of the ISPs have an aggressive anti-abuse attitude.
But last week I saw a blog post on a fairly major industry blog that listed a bunch of (made up, tasteless and sexist) things “overheard” at the recent M3AAWG conference (it’s been removed and I wouldn’t link to it anyway). The blog post made it look like no real work gets done at M3AAWG and that the attendees don’t work at the conference. I won’t claim that it’s a staid and quiet conference, but most attendees work very hard during the day.
The next day, the author tweeted:

Read More

Phones part of SMS botnet

Spammers have been moving into the phone market for a long time. Just recently security firms have discovered an Android  botnet. This botnet sends viruses over SMS, and when a link in the SMS is clicked, the phone is infected with the virus which then sends more SMS.
The technology for blocking and reporting SMS spam is comparable to email blocking technology 10 or 12 years ago. There just aren’t many tools for people to use to control this spam. M3AAWG is addressing mobile spam, but it still seems that the volumes are increasing without much recourse. Even the 7726 reporting number doesn’t seem to stop the spam (nor remove per-text charges).
At least in the beginning of the email spam problem, we didn’t have botnets. Now, at the beginning of the curve for SMS spam, we already have self replicating botnets. I’m afraid the good guys might be behind on this issue.
Then again I might just be cranky because SMS spammers woke us up at 4:30 am.
Infoworld article
TNW article
PCWorld article

Read More

Collaboration key to fighting crime on the internet

The Pittsburg Post Gazette has a good article on the DNS Changer Working group and how it can serve as a model for future collaboration against cyber crime.

Read More

MAAWG presents the first J.D. Falk award

Last week at MAAWG went much like all MAAWG conferences go: too much to do, too many interesting panels to attend, too many people to connect and work with, a plethora of very interesting keynote speakers and a total lack of sleep. Most of what happens at MAAWG is not public, but some of the events are.
One of the things that I can talk about is the J.D. Falk award. This award was established by MAAWG, Return Path and J.D.’s family to recognize people who work, usually behind the scenes and without fanfare, to enhance the Internet and protect end users. I sat on the award committee and we had a number of nominations for very worthy work. But the nomination that stood out was the one for Tom Grasso. Tom was the driving force behind the creation of the DNS Changer Working group. He was responsible for connecting experts from throughout the Internet industry, including ISPs, anti-virus vendors, and the broader security community to prevent the Internet for going dark for  hundreds of thousands of infected individuals.
I am very proud of the decision the committee made. The bar has been set high for future recipients. Tom did an amazing job convincing lots of players to work together. His involvement definitely made the internet better for everyone, not just those infected by Rove Digital’s malware. What he did is a model for private / public partnerships in the future.
I don’t think I could say it better than the MAAWG press release, so I’ll just end with that.

Read More

J.D. Falk Award

This morning M³AAWG announced the creation of the J.D. Falk award to recognize and honor people like J.D. who work to make the Internet safer for all users.

Read More

Anti-Botnet Code of Conduct Published

The Communications Security, Reliability and Interoperability Council (CSRIC) published a Anti-botnet code of conduct for ISPs. This is a purely voluntary code for U.S. ISPs that want to mitigate the botnet threat to follow. You can download a full copy of the final report from the MAAWG website. The FCC has published a fact sheet about the report on their own website.

Read More

Back, still catching up

We’re back from MAAWG, but somehow I’ve not managed to catch up with everything from last week enough to have time to get back into the swing of blogging. I do have lots and lots of things to say, just not quite enough hours in the day to get them down on paper.
It was great to meet so many blog readers. I really appreciate each and every one of you that introduced yourselves and told me you read the blog. Not many people comment, so I don’t have a good feel for the number of readers. Hearing from readers was great!
MAAWG itself seemed lower key than it has been in the past, but I really think the organization is getting good work done. I strongly recommend people who haven’t been before to visit. There’s lots of great information about messaging, filtering and abuse prevention. They even have a new name! M3AAWG. (Messaging, Malware and Mobile are the 3 Ms)
 
 
 

Read More

Only Influencers blog talk radio

I had the privilege to talk with a bunch of experts on the Only Influencers Blog Talk Radio show this morning. The discussion centered around the perceived conflict between Marketing and Delivery.
The conversation was a good one, with a lot of different perspectives aired. I strongly recommend people who are interested in hearing multiple industry experts talking about email marketing and delivery listen to the podcast.
Once I get back from MAAWG I plan to talk a little more about delivery managers as fire fighters and why that is such a good metaphor for delivery.

Read More

Delivery events next week

Next week is MAAWG and I’ll be there talking about delivery, blocking and all sorts of things. If you’re going, be sure to stop by the Choose Your Own Delivery Adventure. It should be lots of fun!
Also next week on Monday I’ll be a guest on the Only Influencers blog talk radio show discussing Delivery versus Marketing.
 

Read More

MAAWG travel alert

For those of you coming to the Bay Area for MAAWG and considering flying into Oakland, be aware the Bay Bridge will be closed in the Oakand -> San Francisco direction for all of President’s day weekend. BART is unaffected, but if you’re planning on driving from Oakland into the city, you’ll have to do it by going south over the San Mateo bridge and then back north to the city.

Read More

SOPA / PIPA

I’ve not mentioned anything about the Stop Online Piracy Act (SOPA) and it’s companion bill the Protect Intellectual Property Act (PIPA) that are currently making their ways through Congress. Both bills put a lot of obligation on the ISPs to stop bad traffic on the Internet. Unfortunately, it seems no one writing the bill asked anyone with technical or operational experience for input. Many of the obligations are going to significantly impact ISP functioning and will probably degrade service for users.
The Messaging Anti-Abuse Working Group sent a letter to congress yesterday (PDF link), outlining the issues with SOPA and PIPA. I found it explained the bills and the flaws much better than many other summaries.

Read More

Vetting customers

MAAWG has published a BCP for vetting new customers. This is the culmination of much work by a lot of people.
One of the best things about the document is the discussion of how spammers attempt to hide their identity. All too often I’ve been called in by ESPs to help them identify how a spammer got on their network and where their process failed. As filtering gets better at blocking spam, spammers are spending more and more time trying to steal good reputations to get their unwanted mail through.
Providers who follow these rules may still find themselves with spammers as customers, but the spammers will have to work harder to get on clean networks.

Read More

Government and botnets

The US government is looking at telling ISPs how to deal with compromised customers and botnets.
They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

Read More

MAAWG and email appending

In today’s Magill Report Ken says:

The only surprise in the Messaging Anti-Abuse Working Group’s statement last week condemning email appending was that it didn’t publish one sooner.
However, MAAWG’s implication that email appending can’t be accomplished without spamming is nonsense.

Read More

MAAWG statement on email appending

MAAWG has published their position statement on email appending. It’s pretty explicit in it’s condemnation of the practice.

Read More

Holomaxx doubles down

Holomaxx has, as expected, filed a motion in opposition to the motion to dismiss filed by both Yahoo (opposition to Yahoo motion and Hotmail (opposition to Microsoft motion). To my mind they still don’t have much of an argument, but seem to believe that they can continue with this.
They are continuing to claim that Microsoft is scanning email before the email gets to Microsoft (or Yahoo) owned hardware.

Read More

MAAWG: Just keeps getting better

Last week was the 22nd meeting of the Messaging Anti-Abuse Working Group (MAAWG). While I am prohibited from talking about specifics because of the closed door nature of the group, I can say I came out of the conference exhausted (as usual) and energized (perhaps not as usual).
The folks at MAAWG work hard and play even harder.
I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.
Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.
I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.
There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.
If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunit to participate in an organization actively making email, and other types of messaging, better for everyone.
(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)
Plus, if you join before October, you can meet up with us in Paris.

Read More

Prepping for MAAWG

The June MAAWG meeting is next week. Both of us are working on various projects, documents and announcements for the meeting. This means light blogging, although we’ll post public announcements as they come out.
If you’re going to MAAWG be sure to stop by and say hi!

Read More

Holomaxx status

Just for completeness sake, Holomaxx did also file an  amended complaint against Microsoft. Same sloppy legal work, they left in all the stuff about Return Path even though Return Path has been dropped from the suit. They point to a MAAWG document as a objective industry standard when the MAAWG document was merely a record of a round table discussion, not actually a standards document. I didn’t read it as closely as I did the Yahoo complaint, as it’s just cut and paste with some (badly done) word replacement.
So what’s the status of both cases?
The Yahoo case is going to arbitration sometime in July. Yahoo also has until May 20 to respond to the 1st amended complaint.
The Microsoft case is not going to arbitration, but they also have a response deadline of May 20.
I’m not a legal expert, but I don’t think that what Holomaxx has written fixes the deficits that the judge pointed out in his dismissal. We’ll see what the Y! and MSFT responses say a month from today.

Read More

Amendment is futile, part 2

When Yahoo filed for dismissal of the Holomaxx complaint, they ended the motion with “Amendment would be futile in this case.” The judge granted Yahoo’s motion but did grant Holomaxx leave to amend. Holomaxx filed an amended complaint earlier this month.
The judge referenced a couple specific deficiencies of Holomaxx’s claims in his dismissal.

Read More

Back from MAAWG

Today is the first day back at work after a productive MAAWG conference.
The thing I get most out of MAAWG is a greater appreciation for what a large, global force messaging is. The recent protests and uprisings around the world have relied on messaging to organize, share information and communicate. Messaging is also somewhat fragile. Thing things that make it great for strangers to interact with one another also allows bad people and organizations to cause harm.
It is a struggle to minimize the harm while not hurting the good.
MAAWG is comprised of the people that make messaging work. These are folks that are on the front lines in the fight to stop online harm. It’s somewhat humbling to watch a conference full of really smart people, from all levels of responsibility, discuss ways to improve messaging for real users and real people while stopping the bad people. There are good ideas and bad ideas, but discussions are professional and informative. Plus it’s always good to see old friends and make new ones.
I inevitably come back from MAAWG with a load of things to do, new projects to take on and new ideas. This time I’m also looking forward to the publication of a document announced at the conference. The EastWest Institute’s Chief Technology Officer Karl Frederick Rauscher talked about a report they will be publishing next month talking about how China and the US are working together to fight spam.

Read More

Going to MAAWG

Following on from last weeks post about MAAWG, I thought I’d write a bit about actually going to MAAWG. You’re an ESP and you’ve been accepted into the organization. Now you have some decisions to make.

Read More

MAAWG: Not a Marketing Conference

There seems to be this great misunderstanding among a huge number of email marketers and delivery professionals that MAAWG is some sort of marketing or marketing related conference.
They’re wrong.
MAAWG is the Messaging Anti-Abuse Working Group. The intention of the group is to provide a setting where companies providing internet services can work together to stop abuse. Email is one of the major platforms talked about, but there are also discussions about other forms of messaging abuse.
This conference is unique both in its content and in the people who attend. For many ISP reps this is their sole opportunity to get together with peers, former co-workers and friends. Many of the ISP folks are actually low to mid-level employees who are working the front lines fighting abuse every day. MAAWG is a chance for them to work and socialize with people who understand their jobs and the challenges associated with handling abuse on a daily basis. It’s a place to look at the larger issues and blow off steam.
There are a number of folks who show up at the conference that don’t deal with abuse in any capacity, however. They don’t have to deal with rampant levels of spam heavy enough to take down a mailserver. They don’t have to deal with the horror that is child porn. They don’t have to deal with angry subscribers. They don’t have to deal with criminals.
In short, they’re not abuse desk folks. They are, at best, a delivery person but more often are some high level executive at a marketing firm. These folks treat MAAWG as a place to wheedle business cards and contacts from the ISP reps. Stop abuse? The only abuse they see is that their email isn’t instantly delivered to the inbox.  Spam? That’s what other people send. Phishing? Child porn? Not important.
All too many of them are not even subtle or coy about the fact that their only concern is finding contacts. One ISP rep tells the story of some marketer that followed him into the bathroom and attempted to trade business cards while the ISP person was at the urinal. Make no mistake, this is not an isolated incident. The badgering is so bad that some ISP reps refuse to state who their employer is.
The ISP folks are there to actually spend time with their peers and y’know, do actual work. ISP reps are not there to get hassled by dozens of marketers.
To be fair, a number of ESPs send delivery folks who are actually working to stop abuse. They do chase spammers through their systems. They do deal with criminals. Unfortunately, because they are from ESPs they are prohibited from actually working with the ISPs.
Why? Because so many of the ESP reps aren’t actually there to stop abuse that MAAWG has had to draw firm lines between ESPs and ISPs to make the ISP reps feel comfortable. I can’t fault MAAWG for that even as I can see there are ESP reps who perform the exact same job functions as the ISP reps.
The ESPs have created this situation. Instead of sending folks on their side who deal with messaging abuse, they send high level executives and marketers. They send people who think that the ISPs owe them something. That believe the ISPs will let mail through just because they shared a beer at the conference. That believe there is some inner circle and if they join they can find out the secret sauce so they can get their mail through filters. They send people who think that ISPs should be forced to sit at a table and listen to marketers yell about “the false positive problem.”
This isn’t to say ESPs and marketing companies shouldn’t join MAAWG and go to conferences. There’s a lot of abuse that both groups have to deal with. But MAAWG isn’t a marketing conference. Sending only marketers or executives to the conference not only misses the point of the organization, it actively sabotages it.

Read More

Domain Assurance by Return Path

As often happens during MAAWG, email companies are announcing new products. One of the interesting ones is the new Domain Assurance product from Return Path.

Read More

Delivery resources

I’m working on a few projects designed to help provide mentoring for other delivery people and to bridge the communication gap between the various groups active in email. One of those projects is collecting, linking to, and publishing more delivery resources. Some will be linked to directly from the blog, others will be linked to from the wiki. While I’m reasonably familiar with what’s out there, it is impossible for me to know about all the useful resources available. So I ask you readers:

Read More

State of the Industry

Over the last few weeks I’ve had a series of posts on the blog from various authors who are active in the email space.
I posted A very young industry commenting on the lack of experience among email marketers. I think that some of the conflict between ISPs and ESPs and receivers and marketers can be traced back to this lack of longevity and experience. Often there is only a single delivery expert at a company. These people often have delivery responsibilities dropped on them without any real training or warning. They have to rely on outside resources to figure out how to do their job and often that means leaning on ISPs for training.
JD Falk described how many at ISPs feel about this in his post With great wisdom…

Read More

You must be present to win

Guest post by Phil Schott
I often have the pleasure of putting my four year-old son to bed at night and I’m usually exhausted afterward. It’s a never-ending string of questions and admonishments that goes something like this,
“Daddy, is it a stay-at-home day tomorrow?
“No, Joe, tomorrow is a go-to-school day, it’s Tuesday. Joe, stop talking and go to sleep and please stop picking your nose.”
“Daddy, how long until the Easter bunny comes?”
“A few weeks. Now, go to sleep and stop picking your nose, Josef.”
“Dude, what did I say about picking your nose?”
“Sorry daddy, I can’t help it. It’s my job.”
“Daddy, When’s it going to be my birthday?”
“Joe, you’re not going to live to see your birthday if you don’t stop picking your nose and go to sleep.”
Lather, rinse, repeat for about 10-30 minutes every night. Same questions, same answers, always picking his nose.
In retrospect it seems funny and maybe sweet, but it never does at the time and the thought of doing it all over again tomorrow night makes me want to run out screaming.
However, I realize that if not me, who? Who’s going to tell Joe to stop picking his nose? Who’s going to answer his questions? I have to. It’s my job. If I want to be his dad, that’s what I’ve got to do. If not, then I don’t get to be his dad, I don’t get to be part of his life, and I don’t get to be part of my family.
There are folks in our industry just like Joe and me–those who never seem to get it, those who ask questions over and over, and those who tire of answering the same questions.
I’d like to thank those who answer those questions over and over. Folks like Al Iverson, JD Falk, Mickey Chandler, Greg Kraios, Ken Magill, Laura Atkins, Steve Atkins, Karen Balle, Annalivia Ford, and many others who deserve to be on this list.
I’ve only been in deliverability for a few years and I’d be nowhere if these folks hadn’t answered my dumb questions, posted their thoughts, shared their knowledge, and told me to stop picking my nose on occasion.
It pains me though to read from time to time the ranting of those in our industry who want to decry the dumb marketer, give up, and take their ball home. It’s a shame, but that’s their right and their decision. However, they then don’t get to be part of the community. They lose the effectiveness to tell a dumb marketer to stop picking his nose. They become a washed-up, has been, curmudgeon with no voice. Like with my four year-old son, if I want to be a part of the deliverability community I’ve got to stick it out and deal with it. You have to be present to win.
In her post, A very young industry, Laura Atkins of Word to the Wise quotes ExactTarget’s Joel Book as stating that less than 20% of those in email marketing have more than two years experience. Yes, it’s an industry full of four year-olds. If you’re one of those in the know are you going to bemoan this fact that’s beyond your control or are you going to work to make the community you’ve helped build a better place? You absolutely can choose to move on. We will miss you and I wish you the best of luck. But either keep helping out as you’ve expertly done or get out of the way. Don’t take cheap shots at those trying to do the right thing and trying to do some good work.
For those of you tired of answering the same inane questions you’re fooling yourself if you think the folks who really need to hear your message are reading. They’re not. And they’re going to keep on asking their inane questions until somebody helps them out. I choose to help them out. I choose to be part of the community. I choose to be present.
A big part of the issue is how daunting it can be to ask for help without the risk of appearing the fool. There are far too many folks in this business of deliverability who are more interested in proving how smart they are and selectively sharing knowledge than they are in helping raise the overall level of consciousness and enlightenment.
If you want the idiots and fools to go away then help them become something more. Help them like no one helped you when you started out. With much effort, time, and frustration, I could pick through five years of your blog posts to find the one bit of information I need, or you could give me the URL to the post that will reveal all. I’m not asking you to spoon feed me, I’m just asking for a little help. There’s no books on this stuff and you can’t go to school to get your BA in deliverability. All we’ve got is each other.
Phil Schott has been handling delivery and compliance for a major ESP for the last 3 and a half years.

Read More

With great wisdom…

Guest Post by JD Falk
There was certainly some surprise in the room when I pointed out (yep, it was me) that Laura has been around since before there were ESPs. Part of it, I’m sure, was because Laura’s not particularly ancient — and part was because it’s a shock to realize that people sent and received email and everything was just fine long before the segment of the industry that you work in had even been imagined.
Since this was at MAAWG, there were quite a few people in the room who were involved before there were ESPs (I asked for a show of hands) — and it was interesting to see how many of them work for ESPs now. Commenting on Laura’s article “A very young industry,” Kent McGovern mentioned three — including Anne Mitchell, who made up the word “deliverability” not long after stepping down as the head lawyer for the first shared blacklist of email-sending IP addresses.
Just think about that. She was the head lawyer for the MAPS RBL before there was such a thing as deliverability. (I worked with her there; so did Laura.)
There are a lot of us who’ve been around that long, and most don’t work in the deliverability/marketing side of the industry. Nearly all of us have become cynical over the years; some were cynical to begin with. A few, sadly, have burned out entirely from the frustration of having the same arguments, same discussions, over and over and over.
I think some of the recent refrain calling for ESPs to pressure each other into better practices comes in part from that same frustration. Yes, bad practices are bad, but we’re also tired with teaching the same thing to people with the same title, and feeling like the message never gets through. Part of what we’re saying is “It’s your industry, you’ve learned this stuff, now you teach ’em.”
And when you do, it does work — far more often than when we say it, because you speak the same language. There’s now a generation (for lack of a better term) of ESP & deliverability staff who weren’t around before there were ESPs, maybe not even before CAN-SPAM, but have learned many of the same things and undergone similar transformation. Who’d have thought that Jaren Angerbauer — quite possibly the nicest guy in the industry — would ever start sighing at those young whippersnappers like a cynical old anti-spammer? And Jaren’s not only teaching deliverabilitators; he’s also teaching college students, ensuring that they’ll know far more when they enter the work force than you or he did.
We old-timers once struggled with the idea that we must reach out — even to people we disagree with — and teach what we knew, learning along the way to put it into terms that marketers understand. It’s so much simpler to add to a blacklist and throw away they key, declaring “not my problem anymore.” But we did start teaching, and look how far we’ve come; we’re still doing it, and look how much further there is to go.
Now it’s time for the next generation to do the same. Stop looking to us, or to the ISPs, to solve the problems of your industry for you; we’re busy dealing with spam, as we should’ve been doing all along. Your colleagues’ cluelessness is exactly as impermanent as your own was, and can be overcome in the same ways. Whether you have fifteen or ten or five or merely two years of experience, you’ve found your way to this blog and read down to this line, and attained some measure of wisdom, and you can ease the passage for others.
When someone at a marketing conference says something that you know isn’t true, that you know will result in poor deliverability and industry ire, call them on it. Engage them in a dialogue. Teach, explain, cajole, push — because with great wisdom comes great responsibility.
It’s your turn.
J.D. Falk is Director of Product Strategy for Receiver Products at Return Path, which is not an ESP.

Read More

A very young industry

Last week I saw a tweet that quoted Joel Book, Director of eMarketing Education at Exacttarget as saying

Read More

MAAWG SF

Blogging will probably be light next week. Steve and I are both headed to MAAWG SF. Steve will be presenting training on Monday and at one of the later sessions, too. I managed to get out of having to work this conference, so no presenting for me.
We’re both looking forward to seeing everyone. Drop by and say hi.

Read More

12% of email recipients respond to spam

Twitter and some of the other delivery blogs are all abuzz today talking about the consumer survey released by MAAWG (pdf link, large file) looking at end user knowledge and awareness of email security practices.
The survey has a lot of good data and I strongly encourage people to look at the full report. There are a couple of results that are generating most of the buzz, including the fact that nearly half of the respondents have clicked on a link or replied to a spam email. Additionally, 17% of respondents said they made a mistake when they clicked on the link.
The magic statistic, though, is that 12% of the respondents said that they responded to spam because they were interested in the products or services offered in the spam. This, right there, is one of the major reasons why spam continues and is a growing problem. Out of 800 people surveyed, almost 100 of them were interested enough in the products sold by spam to respond positively. There are roughly 1.6 billion people on the Internet, which gives spammers a market of 200 million people for their spam.
Other studies have seen similar responses, that is consumers do respond to spam. Most surveys don’t define spam, however, and given a lot of consumers call “mail I don’t like” or “all commercial email” as spam it’s hard to know what the respondents are responding too. In some studies, some respondents even defined mail from companies that they had given their email address to, but had not explicitly asked for email from as spam.  In this study MAAWG did request how the respondent defined spam. Of the respondents, 60% say spam is mail they did not solicit, and 41% say spam is mail that ends up in the spam folder. Given that 60% of respondents define spam as “unsolicited email” it is possible that some people are responding to mail they never requested.
Sad news for those of us who were hoping that lack of consumer response would make spamming unprofitable enough that spammers would stop.
The crosstab between “how do you define spam” and “how do you react to spam” may be an interesting data set to see.

Read More

Live from MAAWG!

OK, so I’m not at MAAWG any longer and I can’t blog about what happens there even if I was. However, there is an article at PC World about the conference.
I’ve been going to MAAWG conferences for many years now. Not every one, being a small company means that I can’t just take off for a week, particularly overseas where phones don’t work (something solved by an iPhone 3G). But I’ve been to quite a few of them.
I have to say the last few conferences have really impressed me. The quality of discussions and the training sessions have been full of useful information. Even for someone who has been around as long as I have, there is always something new to learn. I strongly encourage people who want to stop abuse in the messaging sphere to consider joining. Everyone is hurt by messaging abuse: end-users, senders and receivers. We all have a role to play in stopping abuse, and MAAWG is one way to learn about what you can do.
On a more personal note it was great to meet new folks and to see familiar faces. And a big thanks to all of you who took the time to tell me you liked this blog. Thank you for reading!
EDIT: Another press article about the conference.

Read More

Introducing the "No email 'till Monday"

Ever have that day? That day full of delivery problems, ISP problems, headaches and turmoil? That week where you want to just forget email ever existed? Ever have that day extend for a week?
So have we all. In honor of that kind of day, we introduce the “No email ’till Monday”.
Fill a shaker with ice. Then add:
6 fl ounces light rum
4 fl ounces pineapple juice
2 fl ounces cointreau
heavy dash blood orange bitters.
Shake. Pour into 2 cocktail glasses and garnish with a pineapple slice.
Serves 2 (or one if it’s been a really *really* bad week)
The "No email 'till Monday"
We have made this with both light rum and pineapple flavored rum. The pineapple lends a sweeter taste to the drink, but there is a nice burnt sugar edge to the drink with the straight light rum.
I’m headed out on Monday to Amsterdam for a family wedding and MAAWG so blogging will be light for the next 2 weeks. I have some posts stacked up and the people I meet and talk with at MAAWG always trigger new thoughts about email, delivery and spam so do check back while I’m gone.
Those of you who are going to be at MAAWG be sure to stop by my session on Wednesday afternoon and add your perspective to the discussion.

Read More

MAAWG Senders

Last week at MAAWG a number of members asked me about signing up for the MAAWG senders’ list. I have instructions for how to do so. If you would like a copy, email me at laura-maawg at wordtothewise dotcom.
Note: ONLY MAAWG members are eligible for any of the discussion lists or working groups.

Read More

Gearing up for MAAWG

One of the nice bits of SF MAAWG is that I don’t actually have to get on a plane in order to get to the conference. Still there seems to be a very long list of “things to do” before heading up to the city.
If you’re going to be there, stop by and say Hi

Read More

Catching up

I am still catching up from being away at MAAWG last week, and have not had much time to blog or even follow other blogs enough to link to what people are saying.
I would encourage those of you who are not MAAWG members to consider joining the organization. MAAWG has been working hard on putting together sender training courses. I gave part of one of them. I also attended all the other training sessions and learned quite a bit from those sessions as well.
MAAWG, as its name suggests, is a working group. There are opportunities for everyone to teach, participate and learn. The next meeting, is in San Francisco next February.

Read More

MAAWG

Chris Nixon has a post talking about the background of MAAWG and why he is here in Ft. Lauderdale.

Read More

Links to check out

Things are going well, if busy, here at the conference. I am attending lots of sessions and continuing to edit my talk for tomorrow. I thought I would list some random links that have come up here recently.
Lashback is advertising a joint webinar with Habeas, Publishers Clearinghouse and Lashback on how to protect brands and increase revenues with reputation management.
Terry Zink explains the new Microsoft advertising campaign. There are actually quite a few Microsoft people here at the conference, including the brain behind SNDS. We ran into each other yesterday evening, his room is right next to mine.
Ken Magill has an ongoing series of articles investigating Email Appenders, and all their various incarnations. This is an example of the confused jumble of connections that some companies use in order to hide.
Speaking of companies with bad reputations, the NY Times reports on Intercage’s loss of hosting. Atrivo/Intercage are notorious amongst the folks who fight malware and bots and have been called the American version of the Russian Business Network.

Read More

Upcoming Conferences

EmailKarma lists a number of upcoming events for email marketers and delivery folks.

Read More