Blocked for phishing

A couple clients recently have had bounces from different places indicating that their mails were caught by the recipients’ anti-virus filter. These are some of my better clients sending out daily newsletters. They’ve been mailing for years and I know that they are not phishing. They asked me to investigate the bounce messages.
The information I had to work with was minimal. One bounce said:

The AntiVirus server has detected the Phishing.Heuristics.Email.SpoofedDomain virus in an email sent to you, allegedly sent by bounces*@customer.example.com. This email address may, or may not, be the originating source, as some viruses can hijack address books and in turn, send email with any of those addresses. Please take note that this virus has been destroyed and this email is a notification of virus activity and is itself virus free.

The other bounce said:

The message senders were
bounce*@bounce.example.com
Today@example.com.com

and they have been notified that they have sent a potential virus.
The message title was Customer: Subject line from email. The message date was Tue, 23 Jun 2009 12:16:13 – The virus or unauthorized code identified in the email is >>> Possible MalWare ‘Exploit/Phishing-amazon-04ee’ found in ‘5832897_2X_PM2_EMQ_MH__message.htm’. Heuristics score: 202
The real clue came when I looked at the emails that triggered the bounce. In both cases, my clients were linking to Amazon.com with a re-director link. There are many filters out there that look at the visible text of a link and compare it with the link target. If the link points to one domain like a re-director but the visible text points to another, this may trigger some spam or virus filters to intercept the email.
My experience suggests this happens more often when the domain used in the visible text is one of those domains that are heavily phished: amazon.com, ebay.com, bank websites, etc. The solution is to not include a domain name in the visible text portion of a link. Instead of “Go buy the DVDs at <a href=”http://www.example.com/linkdomain/”>Amazon.com</a>,” change the link to “Go <a href=”http://www.example.com/linkdomain/”>buy the DVDs</a> at Amazon.com.”  Same content, same call to action, but no chance of the email getting caught in a phish filter.

12% of email recipients respond to spam
Yahoo fixed XBL problem

Related Posts

Marketing reports

Two marketing reports were reviewed today in other blogs.
Stefan Pollard writes at the Merkle report showing that recipients really will add a sender’s address to their address book, but that they are picky about which senders they do this for. His article also provides a number of suggestions for how to be a sender that is added to the address book.
Meanwhile, Matt Vernhout discusses the Retail Welcome Email Benchmark Study published by Smith Harmon. Unsurprisingly, the study found that welcome emails were very important to future deliverability.
Happy Friday!

Read More

Link Roundup

Why email marketers are hated. A group of Ontario spammers finds Ken Magill’s email address and spams him. Repeatedly.
New docs in e360 v. Spamhaus. The judge threw out the after-the-fact affidavit from e360, but did not grant Spamhaus’ motion for summary judgment. Looks like this might end up at trial after all.
Oral arguments in Zango v. Kaspersky. I have been following this a little because SamSpade for Windows was classified as malware by one vendor a long time ago.
New books on email marketing.
Anything interesting people have seen that I missed?

Read More

Links to check out

Things are going well, if busy, here at the conference. I am attending lots of sessions and continuing to edit my talk for tomorrow. I thought I would list some random links that have come up here recently.
Lashback is advertising a joint webinar with Habeas, Publishers Clearinghouse and Lashback on how to protect brands and increase revenues with reputation management.
Terry Zink explains the new Microsoft advertising campaign. There are actually quite a few Microsoft people here at the conference, including the brain behind SNDS. We ran into each other yesterday evening, his room is right next to mine.
Ken Magill has an ongoing series of articles investigating Email Appenders, and all their various incarnations. This is an example of the confused jumble of connections that some companies use in order to hide.
Speaking of companies with bad reputations, the NY Times reports on Intercage’s loss of hosting. Atrivo/Intercage are notorious amongst the folks who fight malware and bots and have been called the American version of the Russian Business Network.

Read More