Data

Re-adding subscribers after reputation repair

A comment came in on Engagement and Deliverability and I thought it was a good question and deserved a discussion.

Read More

Recycled spamtraps

Spamtraps strike fear into the heart of senders. They’ve turned into this monster metric that can make or break a marketing program. They’ve become a measure and a goal and I think some senders put way too much emphasis on spamtraps instead of worrying about their overall data accuracy.

Read More

Security Truths

The data are what they are

I’ve had a lot less opportunity to blog at the recent M3AAWG conference than I expected. Some of it because of the great content and conversations. Another piece has to do with lack of time and focus to edit and refine a longer post prompted by the conference. The final issue is the confidential nature of what we talk about.
With that being said, I can talk about a discussion I had with different folks over the looking at A/B testing blog post from Mailchimp. The whole post is worth a quick read, but the short version is when you’re doing A/B testing, design the test so you’re testing the relevant outcomes. If you are looking for the best whatever to get engagement, then your outcome should be engagement. If you’re looking for the best thing to improve revenue, then test for revenue.
Of course, this makes perfect sense. If you do a test, the test should measure the outcome you want. Using a test that looks at engagement and hoping that translates to revenue is no better than just picking one option at random.
That particular blog post garnered a round of discussion in another forum where folks disagreed with the data. To listen to the posters, the data had to be wrong because it doesn’t conform to “common wisdom.” The fact that data doesn’t conform to common wisdom doesn’t make that data wrong. The data is the data. It may not answer the question the researcher thought they were asking. It may not conform to common wisdom. But barring fraud or massive collection error, the data are always that. I give Mailchimp the benefit of the doubt when it comes to how they collect data as I know they have a number of data scientists on staff. I’ve also talked with various employees about digging into their data.
At the same time the online discussion of the Mailchimp data was happening, there was a similar discussion happening at the conference. A group of researchers got together to ask a question. They did their literature review, they stated their hypothesis, they designed the tests, they ran the tests. Unfortunately, despite this all being done well, the data showed that their test condition had no effect. The data were negative. They asked the question a different way, still negative. They asked a third way and still saw no difference between the controls and the test.
They presented this data at the conference. Well, this data went against common wisdom, too, and many of the session participants challenged the data. Not because it was collected badly, it wasn’t, but because they wanted it to say something else. It was the conference session equivalent of data dredging or p-hacking.
Overall, the data collected in any test, from a simple marketing A/B test through to a phase III clinical trial, is the answer to the question you asked. But just having the data doesn’t always make the next step clear. Sometimes the question you asked isn’t what you tested. This doesn’t mean you can retroactively find signal in the noise.
Mailchimp’s research shows that A/B testing for open rates doesn’t have any effect on revenue. If your final goal is to know which copy or subject line makes more revenue, then you need to test for revenue. No amount of arguing is going to change that data.

Read More

Edison acquires part of Return Path

Today Matt Blumberg announced that Edison Software acquired Return Path’s Consumer Insight division, current customers and some Return Path staff.
Congrats to everyone involved.

Read More

Indictments in Yahoo data breach

Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo’s servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals.
Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.

Read More

Incentivizing incites fraud

There are few address acquisition processes that make me cringe as badly as incentivized point of sale collection. Companies have tried many different ways to incentivize address collection at the point of sale. Some offer the benefit to the shopper, like offering discounts if they supply an email address. Some offer the benefits to the employee. Some offer punishments to the employee if they don’t collect addresses from a certain percentage of customers.
All of these types of incentive programs are problematic for email collection.
On the shopper side, if they want mail from a retailer, they’ll give an address simply because they want that mail.  In fact, asking for an address without offering any incentive is way more likely to get their real address. If they don’t want mail but there is a financial incentive, they’re likely to give a made up address. Sometimes it will be deliverable, but belong to another person. Sometimes it will be undeliverable. And sometimes it will be a spamtrap. One of my delivery colleagues occasionally shares addresses she’s found in customer lists over on her FB page. It’s mostly fun stuff like “dont@wantyourmail.com” and “notonyour@life.com” and many addresses consisting of NSFW type words.
On the employee side there can also be abuses. Retailers have tried to tie employee evaluations, raises and promotions to the number of email addresses collected. Other retailers will actively demote or fire employees who don’t collect a certain number of addresses. In either case, the progression is the same. Employees know that most customers don’t want the mail, and they feel bad asking. But they’re expected to ask, so they do. But they don’t push, so they don’t get enough addresses. Eventually, to protect their jobs, they start putting in addresses they make up.
Either way, incentivizing point of sale collection of information leads to fraud. In a case I read about in the NY Times, it can lead to fraud much more serious than a little spam. In fact, Wells Fargo employees committed bank fraud because of the incentives related to selling additional banking products at the teller.

Read More

Do you know where your signups are?

Here at Word to the Wise we sign up for a lot of email from our customers. There are multiple reasons we do this.

Read More

US-EU Privacy Shield Approved

Since the Safe Harbor rules were struck down by EU courts, the US and EU have been in negotiations to replace it. This morning (pacific time) the EU approved the new rules called Privacy Shield. WSJ Article

Read More

The source of deliverability problems

Most deliverability problems don’t start where many people think they do. So very often people call looking for deliverability help and tell me all about the things they’re doing to reach the inbox. They’ll tell me about content, they’ll tell me about bounces, they’ll talk about complaints, engagement, opens and clicks. Rarely will they bring up their list source without some prompting on my part.
The reality is, though, that list source is the root of deliverability success and deliverability problems. Where did those addresses come from and what do the people who gave them think you’re going to do with them?
Outsourcing collection to a third party can cause significant issues with delivery. Letting other people collect addresses on your behalf means you lack control over the process. And if you’re paying per address, then there is a monetary incentive for that company to pad the list with bogus addresses.
Sometimes there are even issues with having your own employees collect addresses from customers. For instance, a retailer requires sales associates collect a minimum percentage of addresses from customers. The company even ties the associates’ evaluations to that percentage. Associates have an incentive to submit addresses from other customers. Or a retailer will offer a discount for an address and customers want the discount but not the mail, so they give a fake address.
All of these things can affect deliverability.
Address collection is the key to delivery, but too many companies just don’t put enough attention to how they’re collecting addresses and entering into the relationship with subscribers. This is OK for a while, and delivery of small lists collected like this can be great. But as lists grow in size, they come under greater scrutiny at the ISPs and what used to work doesn’t anymore.
The first step to diagnosing any delivery problem is to look at the list. All of the things ISPs use to measure reputation measure how well you’re collecting addresses. Changing IPs or domains or content doesn’t change the reason mail is being filtered. It just means the filters have to figure out something new to key on.
Want great deliverability? Start with how you’re collecting addresses.
Want to fix deliverability? Start with how you’ve collected addresses, how you’ve stored them and how you’ve maintained them.

Read More

My panels from #EEC16

I had the privilege to be a part of two panels at EEC16, with some of the best folks in the business.
The first panel was “Everything You Ever Wanted to Know About Deliverability, but Were Afraid to Ask.”
We had a lot of great audience questions.
The first question, which was awesome (and I don’t think planted) was: “What is the most important thing we can do to improve our deliverability?”
All of us had really similar answers: pay attention to your data and your acquisition. Deliverability starts with your data: good data = good deliverability, poor data = poor deliverability. How you acquire addresses is vital to any email program.
I’ve had dozens of sales calls with potential clients over the years. Most of them tell me lots of stuff about their marketing program. I hear details of engagement, data hygiene, response rates, CTRs, bounce handling. But very, very few people spontaneously tell me how they’re acquiring addresses. That’s so backwards. Start with acquiring addresses the right way. Deliverability is all in the acquisition step. Of course, you need to nurture and care for those subscribers, send the right message at the right time and all the good things we talk about. None of that matters if you don’t start with good data.
Another question was about spamtraps. The panel had me take this one. I’ve written extensively about spamtraps and what they do and what they mean. The important thing to remember, though, is that a spamtrap is a signal. If you have spamtraps on your list, then there is a problem with your data acquisition. Somehow, people are getting addresses that do not belong to them on the list.
Spamtraps are a problem, but not for the reasons many people think they are problems. Folks get upset when their mail is blocked because of spamtraps. Blocking isn’t the only damage, though. Every spamtrap on a list is one less responsive address. It’s one customer who you are not reaching. If there are spamtraps on a list, it’s likely there are deliverable addresses that don’t belong to your customers, too. These recipients are going to view that mail as spam. They didn’t sign up, they didn’t ask for it, they don’t want it. They’re going to complain, hurting your reputation. Too many of these recipients and delivery will suffer.
Spamtraps are a warning that something is wrong. That something is usually your data acquisition process.
Questions went on through the session and ranged from things like how to get mail to B2B inboxes and is there value in certification. We also had some insightful questions about authentication.
The second panel I was on was the closing keynote panel: “ISP Postmasters & Blacklist Operators: Defending Consumer Inboxes.” This was where I got to show my incoming mail chops, a bit. I was a last minute fill in for the panel and I am honored that Dennis and Len thought I could represent the incoming mail folks. It’s not like I’m out there writing filters, but I do pay attention to what the filter operators are saying and doing.
I think it is important for marketers to get a feel for what’s really going on at the ISPs. They aren’t trying to stop real mail, they’re trying to stop malicious mail. Matt from Comcast talked a lot about how marketers and ISPs share customers and the ISPs are trying to keep those customers safe and happy. Jaren discussed some of the decision making processes his company goes through deciding whether to err on the side of letting spam through or filtering good mail. Tom discussed how his blocklist works with some brands to help stop phishing attacks against those brands.
Overall, I think the session was a great success. The conference was great and I am looking forward to going back next year.
Were you at either panel? What did you think?

Read More

Dueling data

One of the things I miss about being in science is the regular discussions (sometimes heated) about data and experimental results. To be fair, I get some of that when talking about email stuff with Steve. We each have some strong view points and aren’t afraid to share them with each other and with other people. In fact, one of the things we hear most when meeting folks for the first time is, “I love it when you two disagree with each other on that mailing list!” Both of us have engineering and science backgrounds, so we can argue in that vein.
One of the challenges of seemingly contradictory data is figuring out why it seems to disagree. Of course, in science the first step is always to look at your experimental design and data collection. Did I do the experiment right? (Do it again. Always do it again.) Did I record the data correctly? Is the design right? So what did I do differently from what you did? For instance, at one of my labs we discovered that mixing a reagent in plastic tubes created a different outcome from mixing the reagent in glass vials. So many variables that you don’t even think of being variables that affect the outcome of an experiment.

Read More

February 2016: The Month in Email

Happy March! Here’s a look back at our last month of email adventures.
It was a busy few weeks for us with the M3AAWG meeting in San Francisco. We saw lots of old friends and met many new people — all in all, a success, despite the M3AAWG plague we both contracted. Hot topics at the conference included DMARC, of course, and I took the opportunity to write up a guide to help you determine if you should publish a DMARC policy.
On the subject of advice and guidance, Ask Laura continues to be a popular column — we’ve had lots of interesting questions, and are always looking for more general questions about email delivery. We can’t tackle specifics about your program in this column (get in touch if we can help you with that directly) but we can help with questions like “Will our ESP kick us off for mailing purchasers?” or “Help! I’m confused about authentication.”
Continuing on the authentication front, I noted that Gmail is starting to roll out some UI to indicate authentication status to users. It will be interesting to see if that starts to affect user (or sender) behavior in any way. In other interesting industry news, Microsoft has implemented an Office 365 IP Delisting page. I also wrote a followup post to my 2015 overview of the state of ESPs and purchased lists — it’s worth checking out if this is something your business considers.
I wrote a post about security and backdoors, prompted by both the FBI/Apple controversy and by Kim Zetter’s talk at M3AAWG about Stuxnet. These questions about control and access will only get more complicated as we produce, consume, store, and share more data across more devices.
Speaking of predictions, I also noted my contribution to a great whitepaper from Litmus that explores the state of Email Marketing in 2020.
As always, we looked at some best practices this month. I wrote up some of my thoughts about data hygiene following Mailchimp’s blog post about the value of inactive subscribers. As always, there isn’t one right answer, but there’s a lot of good food for thought. And more food for thought: how best practices are a lot like public health recommendations. As with everything, it comes down to knowing your audience(s) and looking at the relationship(s), which, as you know, is a favorite subject around here.

Read More

Security, backdoors and control.

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control. Apple letter to customers

Read More

Thoughts on Data Hygiene

One of the big deliverability vs. marketing arguments has to do with data hygiene and dropping inactive users. Marketers hate that deliverability people tell them to let subscribers go after a long time of no activity from the subscriber.
Data hygiene is good. Email is not permanent and not forever, and the requirements for data hygiene in the email space are very different than the requirements in the postal mail space. There is no such thing as “dear occupant” in email. I mean, you can send to occupant, but the occupant can then hit the “this is spam” button. Too many emails to “occupant” and mail goes to bulk instead of the inbox. These are real risks.
With that being said, there are a lot of things to consider when putting together a data hygiene program. You’re looking to remove people who are no longer interested in your brand as much as they are no longer interested in your mail. You’re trying to suss out who might have abandoned the email address you have for them. It’s complicated.
I’ve worked with a lot of clients over the years to implement data hygiene programs. Sometimes those programs were to deal with a bulk foldering issue. Other times clients have been trying to address an SBL listing. Still other clients were just looking for better control over their email and delivery. In all cases, my goal is to identify and classify their recipients into 3 groups: addresses we know are good, addresses we know are bad, and then addresses we don’t know about.
Good addresses get mailed. Bad addresses get dumped. The challenging bit is what do we do with the unknown addresses? That’s when we start looking at other data the client may have. Purchases? Website visits? What do we have to work with and what else do we know about the people behind the addresses. Once we’ve looked at the data we design a program to take the addresses we don’t know about and drop them into either the good or the bad bucket. How we do that really depends on the specifics of the company, their program and their data. But we’ve had good success overall.
There’s been a lot of discussion on hygiene this week, after Mailchimp published a blog post looking at the value of inactive subscribers. They found something that I don’t find very surprising, based on my observations across hundreds of clients over the years.

Read More

Peeple, Security and why hiding reviews doesn't matter

There’s been a lot of discussion about the Peeple app, which lets random individuals provide reviews of other people. The founders of the company seem to believe that no one is ever mean on the Internet and that all reviews are accurate. They’ve tried to assure us that no negative reviews will be published for unregistered users. They’re almost charming in their naivety, and it might be funny if this wasn’t so serious.
The app is an invitation to online abuse and harassment. And based on the public comments I’ve seen from the founders they have no idea what kind of pain their app is going to cause. They just don’t seem to have any idea of the amount of abuse that happens on the Internet. We work with and provide tools to abuse and security desks. The amount of stuff that happens as just background online is pretty bad. Even worse are the attacks that end up driving people, usually women, into hiding.
The Peeple solution to negative reviews is twofold.

Read More

Privacy and being online

I have an email address that’s old enough to drink. It came to me today when I was discussing data hygiene. I mean, I have an email address that is old enough to drink! And it wasn’t even my first email address, it’s just the one I still have access to.
This realization led me down a path of what things have changed since I got that address.
I remember …
… when things posted on the Internet weren’t around forever.
… when Google bought DejaNews and made USENET archives more available.

Read More

Organizational security and doxxing

The security risks of organizational doxxing. 
These are risks every email marketer needs to understand. As collectors of data they are a major target for hackers and other bad people. Even worse, many marketers don’t collect valid data and risk implicating the wrong people if their data is ever stolen. I have repeatedly talked about incidents where people get mail not intended for them. I’ve talked about this before, in a number of posts talking about misdirected email. Consumerist, as well, has documented many incidents of companies mailing the wrong person with PII. Many of these stories end with the company not allowing the recipient to remove the address on the account because the user can’t prove they own the account.
I generally focus on the benefits to the company to verify addresses. There are definite deliverability advantages to making sure the email address belongs to the account owner. But there’s also the PR benefits of not revealing PII attached to the wrong email address. With Ashley Madison nearly every article mentioned that the email address was never confirmed. But how many other companies don’t verify email addresses and risk losing personally damaging data belonging to non-customers?
Data verification is so important. So very, very important. We’ve gone beyond the point where any big sender should just believe that the addresses users give them are accurate. They need to do it for their own business reasons and they need to do it to prevent incorrect PII from being leaked and shared.

Read More

It's not about the spamtraps

I’ve talked about spamtraps in the past but they keep coming up in so many different discussions I have with people about delivery that I feel the need to write another blog post about them.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …

Read More

August 2015: The month in review

It’s been a busy blogging month and we’ve all written about challenges and best practices. I found myself advocating that any company that does email marketing really must have a well-defined delivery strategy. Email is such a vital part of how most companies communicate with customers and potential customers, and the delivery landscape continues to increase in complexity (see my post on pattern matching for a more abstract look at how people tend to think about filters and getting to the inbox). Successful email marketers are proactive about delivery strategy and are able to respond quickly as issues arise. Stay tuned for more from us on this topic.
I also wrote up some deliverability advice for the DNC, which I think is valuable for anyone looking at how to maintain engagement with a list over time.  It’s also worth thinking about in the context of how to re-engage a list that may have been stagnant for a while. A comment on that post inspired a followup discussion about how delivery decisions get made, and whether an individual person in the process could impact something like an election through these delivery decisions. What do you think?
As we frequently point out, “best practices” in delivery evolve over time, and all too often, companies set up mail programs and never go back to check that things continue to run properly. We talked about how to check your tech, as well as what to monitor during and after a send. Josh wrote about utilizing all of your data across multiple mail streams, which is critical for understanding how you’re engaging with your recipients, as well as the importance of continuous testing to see what content and presentation strategies work best for those recipients.
Speaking of recipients, we wrote a bit about online identity and the implications of unverified email addresses in regards to the Ashley Madison hack and cautioned about false data and what might result from the release of that data.
Steve’s in-depth technical series for August was a two-part look at TXT records — what they are and how to use them — and he explains that the ways people use these, properly and improperly, can have a real impact on your sends.
In spam news, the self-proclaimed Spam King Sanford Wallace is still spamming, despite numerous judgments against him and his most recent guilty plea this month. For anyone else still confused about spam, the FTC answered some questions on the topic. It’s a good intro or refresher to share with colleagues. We also wrote about the impact of botnets on the inbox (TL;DR version: not much. The bulk of the problem for end users continues to be people making poor marketing decisions.) In other fraud news, we wrote about a significant spearphishing case and how DMARC may or may not help companies protect themselves.

Read More

Data is the key to deliverability

Last week I had the pleasure of speaking to the Sendgrid Customer Advisory Board about email and deliverability. As usually happens when I give talks, I learned a bunch of new things that I’m now integrating into my mental model of email.
One thing that bubbled up to take over a lot of my thought processes is how important data collection and data maintenance are to deliverability. In fact, I’m reaching the conclusion that the vast majority of deliverability problems stem from data issues. How data is collected, how data is managed, how data is maintained all impact how well email is delivered.
Collecting Data
There are many pathways used to collect data for email: online purchases, in-store purchases, signups on websites, registration cards, trade shows, fishbowl drops, purchases, co-reg… the list goes on and on. In today’s world there is a big push to make data collection as frictionless as possible. Making collection processes frictionless (or low friction) often means limiting data checking and correction. In email this can result in mail going to people who never signed up. Filters are actually really good at identifying mail streams going to the wrong people.
The end result of poor data collection processes is poor delivery.
There are lots of ways to collect data that incorporate some level of data checking and verifying the customer’s identity. There are ways to do this without adding any friction, even. About 8 years ago I was working with a major retailer that was dealing with an SBL listing due to bad addresses in their store signup program. What they ended up implementing was tagged coupons emailed to the user. When the user went to the store to redeem the coupons, the email address was confirmed as associated with the account. We took what the customers were doing anyway, and turned it into a way to do closed loop confirmation of their email address.
Managing Data
Data management is a major challenge for lots of senders. Data gets pulled out of the database of record and then put into silos for different marketing efforts. If the data flow isn’t managed well, the different streams can have different bounce or activity data. In a worst case scenario, bad addresses, like spamtraps, can be reactivated and lead to blocking.
This isn’t theoretical. Last year I worked with a major political group that was dealing with an SBL issue directly related to poor data management. Multiple databases were used to store data and there was no central database. Because of this, unsubscribed and inactivated addresses were reactivated. This included a set of data that was inactivated to deal with a previous SBL listing. Eventually, spamtraps were mailed again and they were blocked. Working with the client data team, we clarified and improved the data flow so that inactive addresses could not get accidentally or unknowingly reactivated.
Maintaining Data
A dozen years ago few companies needed to think about any data maintenance processes other than “it bounces and we remove it.” Most mailbox accounts were tied into dialup or broadband accounts. Accounts lasted until the user stopped paying and then mail started bouncing. Additionally, mailbox accounts often had small limits on how much data they could hold. My first ISP account was limited to 10MB, and that included anything I published on my website. I would archive mail monthly to keep mail from bouncing due to a full mailbox.
But that’s not how email works today. Many people have migrated to free webmail providers for email. This means they can create (and abandon) addresses at any time. Free webmail providers have their own rules for bouncing mail, but generally accounts last for months or even years after the user has stopped logging into them. With the advent of multi gigabyte storage limits, accounts almost never fill up.
These days, companies need to address what they’re going to do with data if there’s no interaction with the recipient in a certain time period. Otherwise, bad data just keeps accumulating and lowering deliverability.
Deliverability is all about the data. Good data collection and good data management and good data maintenance result in good email delivery. Doing the wrong thing with data leads to delivery problems.

Read More

Marketers, we have a problem

And that problem is security.
Much of what marketing does is build profiles of customers by collecting huge amounts of data on every customer. That data collection is facilitated by compliant customers that provide all sorts of personal data just because they’re politely asked by a retail clerk.
There will always be people who comply with data requests, but I expect more customers to be wary of sharing information at the register.
I’m not the only one: there’s a recent NY Times blog post from one of their security researchers, “Stop asking me for my email address.” She discusses how much information companies ask for and how complacently consumers hand it over without asking about security.

Read More

Experian selling data to identity thieves

If you’re not following or reading Brian Krebs, you should be. He does some of the best investigative reporting in the email, security and internet space. Today’s blog post is a disturbing look into the data selling and identity theft industries. Brian details evidence that shows Experian (yes, that Experian) has been selling consumer data to identity thieves.

Read More

Uploading your address book to social media

I am one of the moderators of a discussion list working on a document about getting off blocklists. If anyone not on the list attempts to post to the list I get a moderation request. One came through while I was gone.
Now, I don’t really think Jim Mills wants to be friends with a mailing list. I think he probably gave LinkedIn his email password and LinkedIn went through and scraped addresses out of his address book and sent invitations to all those addresses.
I don’t have any problem with connecting to people on social media. I do even understand that some people have no problem giving their passwords over to let social media sites plunder their address books and find connections. What I do have a problem with is social media sites that don’t do any pruning or editing of the scraped addresses before sending invitations.
In this case, the email address, like many mailing list addresses, contains “mailman.” While it’s probably impossible to weed out every mailing list, support address and commercial sender, it doesn’t seem like it would be too difficult to run some minor word matching and filtering. It’s not even like those addresses have to be removed from invites. Instead they could be presented to the user for confirmation that these are real people and addresses.
Yes, it’s friction in the transaction and it costs money to do and do well. But those costs and friction are currently offloaded onto uninvolved third parties.

Read More

Fast and loose

Politicians often play fast and loose with permission and data. This can cause them all sorts of problems with email delivery at major ISPs. I really expect that politicians buy, sell, transfer, spindle, mutilate and fold data. If they can use it to further their goals, they will. And, many of the consumer protection and privacy laws don’t apply to political groups.
The news that Representative Bachmann may have known that some of her mailing list was taken and used by others is a surprise even to me. I talked with a few ESP reps, though, and they told me that this was mostly par for the course and that they often have a lot of delivery and compliance issues with their political clients. Many have had to suspend or terminate political clients, and a couple people mentioned SBL listings.
This isn’t a problem with just one side of the political spectrum; it seems endemic in how the game is played.

Read More

Address leak leads to phishing

A number of people in the industry are reporting getting phishing emails to addresses they used at DocuSign.
There were initial reports of a DocuSign data breach back in December. Now it appears DocuSign is being used as a phishing target.

Read More

Volume! Volume! Volume!

Saw a series of tweets this morning from random consumers about holiday marketing volume.

Read More

Data, data, elections and data

One of the interesting stories coming out of the recent US Presidential election is how much data the Obama Campaign collected about voters, volunteers and donors. Today Politico talks about how valuable that data is, and how many Democrats want to get their hands on it.

Read More

Data Driven Email (and other) Marketing

The frequency of emails from the Obama campaign ended up being a talking point for pundits and late night talk show hosts. Jon Stewart of The Daily show even asked President Obama about email directly during his October 18th interview. (Video, email question at the 5:56 mark)

Read More

Data Cleansing part 2

In an effort to get a blog post out yesterday before yet another doctor’s appointment I did not do nearly enough research on the company I mentioned selling list cleansing data. As Al correctly pointed out in the comments, they are currently listed on the SBL. And when I actually did the research I should have done, it was clear this company has a long term history of sending unsolicited email.
Poor research and a quickly written blog post led to me endorsing a company that I absolutely shouldn’t have. And I do apologize for that.
With all that being said, Justin had a great question in the comments of yesterday’s post about data cleansing.

Read More

Data Cleansing

According to Ken, Outward Media has productized a database of 300,000,000 email addresses that should never be mailed.

Read More

Six months or out

Mickey Chandler has a great post up about Triage vs. Planning, where he talks about how the decisions you make differ depending on the context.
It’s a good read, and I strongly encourage everyone to go give it a look.
But his post led me to a post by Andrew Kordek at Trendline where he claims that there is an industry rule of thumb that says 6 months is the threshold to define an inactive.
Wait, What?
I know there’s a huge amount of controversy in the email space about whether or not you should purge inactive addresses. I know there are some very vocal people who think that removing inactive addresses is tantamount to marketing suicide. But where did 6 months come from? Who made it an industry standard?
If we don’t know where the standard came from, if we don’t know why we’re doing it, then what kind of mickey mouse industry are we running here?
There is a lot about email marketing that is empirical. You poke the black box on one side and see what happens on the other. The problem with that is that we can “discover” a lot of effects that aren’t real, but somehow turn into “you must do this!”
I have no doubt there are times when a 6 month expiry is a good idea. A number of my clients over the last few years use a much, much shorter time because that’s what works for them. I also know there are times when longer expiry times are a good idea, too.
It’s really important that when you’re making decisions about your email marketing program that you don’t mindlessly apply “standards” to what you’re doing. Think about the practical effects of your decisions and put them in context with your overall business plan.
To do otherwise is to kneecap your email marketing program.

Read More

Mailing old addresses: 5 questions to ask first

James asked the question on twitter:

If you haven’t mailed an address in 5-10 yrs, would you include it in a re-engagement mail?

Read More

Would you buy a used car from that guy?

There are dozens of people and companies standing up and offering suggestions on best practices in email marketing. Unfortunately, many of those companies don’t actually practice what they preach in managing their own email accounts.
I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails. It’s clear that time and energy were put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.
My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.
I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you.”
They respond with an email that starts with:
“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”
Wait. What? Members of our database? How did this address get into your database?
“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago. It’s helpful that you let us know to unsubscribe you. Thank you again.”
There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?
How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?
Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone who has asked to be subscribed or is an active customer or prospect are one thing. Requests sent to addresses of unknown provenance are still spam.
Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found those cards and added them to the ‘member database.’
But wait! It gets even better. Strongmail was sending me this mail so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide myself with unending blog fodder for my new series entitled “Don’t do this!”

Read More

Zombie Apocalypse

I hope my series on zombie addresses has convinced you that there are zombie addresses on your list and that you should be concerned about the effect they have on delivery and metrics. Today I’d like to talk about what you can do to get rid of zombie addresses without affecting too many actual subscribers.
Anti-Zombie Weapons
One thing that many companies struggle with while dealing with zombie addresses is letting go of addresses. They are so tied up in the idea that a bigger list is better that they can’t let them go. Even if a particular address has not had any activity in 18 or 24 months, they insist that they can’t give it up, it might come back and the customer might make a giant purchase. No. It’s a zombie. It’s not coming back, except to eat your brains.
The first step to dealing with zombies is to acknowledge their existence. They are there, they are on your lists and they are dirtying up your lists. Pretending they’re not there does not make them go away. They are zombies. In no case is there a human inside. There is no potential sale lurking, waiting to jump out and act on that perfectly crafted offer.
The second thing to remember is that the humans that used to have the zombie addresses found you once, and if they are still interested in what you’re offering then they will find you again. They may even already be back on your list with their new email address.
While you can’t identify zombie addresses specifically, you can identify addresses that act like zombie addresses. These are addresses that have no activity over a long period of time, more than 12 months. For these addresses that haven’t had activity in 12 – 18 – 24 months, you want to confirm with the recipient that they are there and want to continue to receive mail from you.
The best way to notify them is to send an email asking if they want to remain on your list. If they fail to act, you will remove them from future mailings. Short, sweet and will let you drop off zombie addresses without much effort on your part.
I know, I know, you aren’t ready to let go so fast. After all, some people have come back after 24 months and made a purchase from the perfect offer. They’re not dead yet! OK. But you can’t get a response from them through email. They just don’t care enough about what you’re sending. That’s when you contact them through another channel.
For instance, if the email address is tied to a web account, say a social networking site or bank account or a web forum, you can also contact the user through your website. Next time they log in, send them a message that says their email address has been removed due to inactivity, but if they want to reactivate they can do so at the subscriber preference center or profile page. When they do, send them an email to confirm that this is the address where they want to receive mail. At this point you can give them a link or a magic cookie to paste into the website to verify the address.
Or if you’re a bigger retailer you can send alerts to your customer service staff, so when the account holder contacts you by phone with a question or an order you can get an updated email address. If you have a loyalty program, have an alert come up at the point of sale and the clerk can ask for an updated email address.
I even know one company that would send postcards to their zombie accounts in an effort to re-engage them and get an active email address from them.
If the person never comes back, if they don’t ever interact with your business again, if none of the channels work to contact them and update the address then it really is best to just let the relationship go. It may not be you, or anything you’ve done. People move on, their interests change and that’s part of life. They may have moved outside of your service area, or they may have joined your list for a specific product that they don’t need or you don’t sell. They may have died and turned into a real zombie. In any case, they are not a viable prospect for your mail.
Email addresses and business relationships are not forever. Letting zombie addresses go is important for the health of any email marketing program.

Read More

Zombie email: Part 3

Last week, in Zombie email: part 1 and part 2, I talked a little about the history of email addresses and how changes in the ISP industry in the early to mid 2000’s brought about the rise of zombie email addresses. Today we’ll look at the effect zombie addresses have on email stats and why ISPs are starting to monitor zombie addresses.
A zombie address, despite the fervent belief of some email marketers, doesn’t come back to life. The person who initially registered that address has decided to stop using that email address. The defining factor of a zombie address is that there isn’t now and won’t be anyone in the future reading email sent to that address. There is no human there to read or react to any email sent to that address.
Zombie addresses do not represent actual recipients; they’re just remnants of recipients that once were present.
Having a list containing any significant number of zombie addresses can throw off metrics enough to mislead a sender about the effectiveness of their email marketing program. Sometimes, the zombie addresses make the metrics look worse, sometimes they make metrics look better. In either case, the metrics don’t accurately represent the performance of a marketing program.
Zombie email addresses do bulk out a mailing list, making lists look bigger. They’re not real addresses, so they don’t reflect quality, but they do impress marketers that think bigger is always better. But, in reality, you may as well add thousands of addresses at non-existent domains for the real value these addresses bring to your list.
Zombie email addresses on a list depress any metric that uses “number of emails sent” or “number of emails accepted” as a denominator. If 10% of a list is zombie addresses, then an open rate reported as 15% will actually be an open rate of 16.7%. The more zombie addresses on a list, the more the statistics will be depressed.
In addition to having lower open rates, lists with more zombie addresses also have a lower complaint rate. In fact, in the recent past spammers have padded their lists with zombie addresses as a way to artificially lower their complaint rates.
Spammers using addresses created just to bulk up the denominator and lower complaint rates have led ISPs to start monitoring the types of addresses on a particular list. I first heard about ISPs looking at recipient profiles at a meeting in 2006, so it is not, in any way, a new technique for ISPs. What is new is the number of zombie addresses on legitimate, well maintained lists, and the fact that they are present in high enough volume to affect reputation and delivery.
ISPs use zombie addresses to monitor the reputation of a sender because it is a more accurate way to measure what the recipients think about an email and that sender. Senders ignore zombie addresses because they make some stats look bigger (total list size) and better (lower complaint rates). Many senders also believe that addresses come back to life, despite all evidence to the contrary, and will not purge an address for any reason other than it bounces. They’d rather live with inaccurate and misleading metrics than remove non-performing addresses.
Tomorrow, in the final post of this series, we’ll examine how senders can identify potential zombie addresses and what steps they can take to protect themselves from the negative reputation hit from zombie addresses. (Zombie Apocalypse)

Read More

Zombie email: Part 2

In zombie email: part 1 I talked about how email addresses were tightly tied to internet access in the very early years of the internet. We didn’t have to worry about zombie email addresses because when an account was shut down, or ignored for a long time, mail would start bouncing and a sender could stop sending to that account.
There were two major changes to email accounts in the early 2000’s that led to the rise of zombie emails.
People started decoupling their internet access from their email addresses. Free addresses were easy to get and could be checked from everywhere. No longer did they have to dial in to get email, they could access it from outside the office and outside the home. Mobile devices, including the first generation of smart phones and laptops, helped drive people to use email addresses that they could access from any network. The easy access to free mail accounts and the permanence led people to adopt those addresses as their primary address.
When people changed addresses, for whatever reason, they didn’t have to stop paying. There was no way to tell the free ISPs to stop accepting mail for that address. Free mail providers would let addresses linger for months or years after the user had stopped logging in. Sometimes those addresses would fill up and start bouncing email, but they were not often turned off by the ISPs.
The lack of purging of abandoned addresses was the start of dead addresses accumulating on mailing lists. But there weren’t that many addresses in this state, and eventually they would fill up with mail. When they were full the ISP would stop accepting new mail for that account, and the address would bounce off a mailing list.
Everything changed with the entrance of Gmail onto the scene. When Gmail launched in 2004 they were providing a whole GB of storage for email accounts, a totally unheard of storage capacity. Within a year they were providing multiple gigabytes of storage. Other freemail systems followed Gmail’s lead and now all free accounts have nearly unlimited storage. Plus, any mail in the spam folder was purged after a few weeks and bulk mail doesn’t count against the users’ storage quota. Now, an abandoned email account will almost never fill up, thus senders can’t use over quota bounces to identify abandoned accounts.
Now we’re stuck in a situation where SMTP replies can’t be used to identify that there is no one home inside a particular email account. Senders can’t distinguish between a quiet subscriber and an abandoned address. ISPs, however, can and are using zombie addresses as a measure of a sender’s reputation.
On Monday we’ll talk about why and how zombie addresses can affect delivery. (Zombie emails: part 3)
Tuesday, we’ll talk about strategies to protect your list from being taken over by zombies. (Zombie Apocalypse)

Read More

Zombie email: Part 1

Zombie email addresses: those email addresses that never really die, eat your brains and destroy your email delivery. To understand zombie addresses and why they’re just now becoming a problem, we really need to understand some of the history of email addresses.
In the early days of the net, people got an email address usually associated directly with their access to the Internet. Many of them ended with .edu or .gov. I even had one that ended in .BITNET for a while. The first ISPs followed this convention. Users signed up for an account at a local dialup and were assigned an email address, and that was their email address. It wasn’t until the late 1990’s that there was widespread access to multiple email addresses.
What this means is that when people left a job, or canceled their Internet access, their email address went away. Addresses that were abandoned would, after a short period of time, start bouncing back with user unknown, giving everyone the opportunity to stop mailing that account.
Even with the advent of multiple addresses for a single account and the easy availability of free addresses from places like Hotmail, addresses that had been abandoned would still bounce off a list. Why? Because accounts had limited storage. My first dialup account had, I think, 10MB of space. It may have been as much as 20MB, but it wasn’t very much. Accounts receiving a lot of mail that weren’t checked frequently would fill up and start bouncing mail. Senders would be able to remove abandoned accounts because they were full.
Tomorrow we’ll talk about two things that happened in the early 2000’s that changed email and led to the rise of zombie email.
Zombie Email: Part 2
Zombie Email: Part 3
Zombie Apocalypse

Read More

Is your data secure?

Not just secure from outside forces, but also secure from employees?
In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.
This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.
ESPs should take action to prevent employees from stealing customer data.

Read More

Don't always believe the statistics

Mark Brownlow has a great roundup of how statistics and data can mislead marketers if they’re not really paying attention.

Read More

The importance of data hygiene

Over the weekend, one of the major ISPs purged a lot of abandoned accounts from their system. This has resulted in a massive increase in 550 user unknown bounces at that ISP. This ISP is one of those that uses bounces to feed into their reputation system and the purge may cause otherwise good senders to be blocked temporarily.
Talking to clients and other industry folks, it looks like the addresses that have newly bounced off had zero activity for at least 6 months. Nothing. Nada. No clicks. No opens. No interaction.
This is why data hygiene is so critical. Just because the emails are being accepted at the ISP, and even showing inbox placement at the mailbox monitoring companies, does not mean that there is actually someone reading your email. Failure to look at overall data means that when an ISP bulk deletes abandoned accounts, bounces will increase. While I don’t expect this to have any real, long term effect on sender reputation, I do expect that some senders with a lot of cruft on their list will see some short term delivery problems.
Companies that run re-engagement campaigns saw a whole lot less bouncing and even less blocking as a result of the purge. They were removing addresses that were non-responsive all along and thus didn’t have major deadwood on their list.
Ongoing data hygiene shows you what your list really is, not your list plus abandoned accounts. The addresses that the ISP purged? They were not valuable anyway. No one was reading that mail for at least 6 months.
If you did see a spike in bounces this weekend at a major ISP, you should really look at engagement. If some percentage of recipients at one ISP are actually non-existent, then it’s likely that about that same number are non-existent at other major ISPs as well. What are you going to do to identify and remove those dead addresses from your lists?

Read More

iContact lists compromised

iContact has acknowledged that some of their customer lists were compromised and that they are investigating. As iContact has chosen not to allow comments on that post, feel free to share comments here.
HT: @aliverson

Read More

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

Read More

Best time to send email: analysis and discussion

Mark Brownlow (who I don’t think is here in Ams, much to my disappointment) wrote a long assessment of how to determine what is the best time to send email. He walks through the questions and the data that a sender should evaluate when making the decision when to best send email.
I have previously posted about my views on the best time to send email. There is no one best time to send email. In fact, my experience leads me to believe if someone said the best time to send email is at 4pm on Tuesday afternoon then 4pm on Tuesday afternoon would rapidly become the absolute worst time to send email.
It should come as no surprise, then, that I really like Mark’s #4 recommendation.

Read More

Best time to send email: redux

Last week I wrote about a study classifying different types of email users. My point is that senders should be very aware of how their users interact with email, in order to provide the best user experience and the most revenue for the sender. If, for instance, the bulk of recipients are daytime (9 – 5 M-F) users, then the best time to email is different than if the bulk of recipients are all the time users of email.
At least 2 different people commented on when the “best” time to send email was, completely missing the entire point of my post. When you send email should be related to when your users are active in their email client. Senders know this, because they can track times when people open and click on links in the email. The data is all there, it just needs to be mined.
Plus, if every sender sent mail at the exact same time, that being the best time to send mail, then it would immediately become the absolute worst time to send email.
Pay attention to your recipients, and not to the internet experts. Listen to what your customers and recipients are telling you. Do what’s best for them, not what’s best for Joe’s Bait and Tackle Shop.

Read More

Best time to send marketing email

Pages and pages have been written about the best time to send email. Marketers spend significant amounts of energy discussing and researching the best time of the day and the best day of the week to send email. I have long thought that these discussions do not put enough attention on individual end users and how the recipients interact with email.
Researchers recently developed a model for email user behaviour that splits email users into two classes: “e-mailaholics” that send, and presumably read, email all the time and “day labourers” that send, and presumably read, email during standard business hours. There is very little transition between groups; 75% of users stayed in the same usage group over the 2 years of the study.
What does this mean for senders? Senders need to know how their recipients use email and which user group recipients are in. By analyzing clicks and opens, senders can classify recipients and use that data to send mail that is more relevant and better targeted.
h/t arXiv blog at Technology Review

Read More

e360 sues a vendor

As if suing themselves out of business by going after Comcast and Spamhaus weren’t enough, e360 is now suing Choicepoint for breach of contract and CAN SPAM violations. As usual, Mickey has all the documents (complaint and answer) up at SpamSuite.
This may actually be an interesting case. On the surface it is a contractual dispute. Choicepoint sold e360 40,000,000 data records containing contact information including email addresses, snail mail addresses and phone numbers. Some of the records were marked “I” meaning they could be used for email. Some of the records were marked “O” meaning they could not be used for email.
Despite these terms being reasonably well defined in the contract, e360 sent email to addresses in records marked “O.” Some of those addresses resulted in e360 being sued by recipients. During the course of the suit, e360 contacted Choicepoint and asked for indemnification. Choicepoint refused for a number of reasons, including the fact that Choicepoint told e360 the addresses were not for mailing. In response, e360 filed suit.
The interesting and relevant part of this case is the CAN SPAM violation that e360 alleges.

Read More

Data Integrity, part 2

Yesterday I blogged about eROI’s contention that consumers should not be wasting the time of lead gen companies by filling in fake data. There were lots of good comments on the post, and I strongly encourage you to go read them if you are interested in different perspectives on the data issue.
One of the arguments I was making is that people are only going to give accurate information if they trust the website that is collecting information. I do, strongly, believe this. I also believe very strongly that websites collecting information need to do so defensively. It is the only way you can get good information.
This ties in with an earlier post about a website that collects email addresses from any visitor, then turns around and submits those addresses to webforms. Hundreds of mailing lists have already been corrupted by this group. They are a prime reason companies must design address collection processes defensively. There are people who do bad things, who will take an opportunity to harass senders and recipients. This company is not the first, nor will they be the last, to commit such abuses.
Taking a stand against abusive companies and people may be useful, but that will not stop the abuse. It is much easier to design a process that limits the amount of abuse. For lead gen, in particular, confirmed opt-in is one way to limit the amount of bad data collected. As a side effect, it also results in less blocked mail, fewer complaints and better delivery.

Read More

Who is responsible for data integrity

Yesterday, Ken Magill wrote about his experience with the Obama campaign’s open and unconfirmed marketing list. Ken, to see just how open the Obama subscription form was, subscribed using a valid email address but the name of Stupid Poopypants. As expected, mail to Ken from the Obama campaign was addressed to Stupid.
eROI uses this as an example of people who ruin their ROI by filling fake data into forms and ends their post by addressing Ken as follows:

Read More