AOL bounces and false positives

A number of people have been seeing an increase in AOL bounces over the last few days. Some of these are the new rejection 554/421 CON:B1 message. This is, basically, you’ve topped our thresholds, back off.
The other one is a bit more interesting. The error message a lot of people are seeing is 554/421 RLY:SN. Senders should only be getting this error message when they are sending email from a banned address.

This error indicates you are sending email using a disallowed AOL.COM screenname as your FROM or REPLY-TO address, or as one of AOL’s affiliates from an unauthorized IP address. Example: Billing@aol.com

Clearly this is AOL attempting to minimize phishing and spoofing of the AOL brand. This is a great thing.
Unfortunately, there seems to be some problems with the current implementation. This rule is catching perfectly legitimate email. One report I have seen is that mail with @aol.com in the from address is getting rejected with this message. That means all those small businesses sending mail from their @aol.com addresses through an ESP are seeing problems. Another report I’ve seen is that email addresses with “a” “o” “l” in order (like, for instance, kaolin@somewhere.example.com) are also getting rejections.
It’s very possible that this filter is catching other mail, too.
Folks I’ve talked to are in touch with AOL and AOL is working on fixing the issue.
Note these do seem to be intermittent errors and not every email with an @aol.com address in the from line or some rendition of “aol” in the email address is getting bounced. But if you do start seeing increases in the number of AOL bounces and they are RLY:SN, this may be why. A short term work around will probably be to modify From: addresses where possible. Longer term, we’re just going to have to wait for AOL to fix things.

Related Posts

Bounces, complaints and metrics

In the email delivery space there are a lot of numbers we talk about including bounce rates, complaint rates, acceptance rates and inbox delivery rates. These are all good numbers to tell us about a particular campaign or mailing list. Usually these metrics all track together. Low bounce rates and low complaint rates correlate with high delivery rates and high inbox placement.

Read More

Data hygiene and bouncing zombies

There are a number of folks who tell me there can be no zombie addresses on their lists, they aggressively remove any address that bounces. The problem is that zombie addresses don’t bounce, at least not always. And even when ISPs say they have a policy to bounce email after a certain period of time with no access, that’s not always put into practice.
How do I know that ISPs don’t always deactivate addresses on the schedules they publish? Because I have seen addresses not be deactivated.
I have addresses in a lot of places that I go for long periods of time not checking. It’s rare that they’re taken from me or reject mail – most of the time they’re special test addresses I use when diagnosing issues. This post is based on my experiences with those addresses and how abandoned addresses are treated at some ISPs.
For Gmail I have two examples of addresses not being deactivated.
In July 2011, we set up a test address to look at how Gmail was handling authentication. We sent a matrix of different test emails to it, with valid and invalid SPF and DKIM signatures. We pulled the data from the account. I don’t know for certain when the last time I logged in, but it was August or September of last year. So we have an address that has been dormant since September 2011.
I just sent mail to the account and google happily accepted it.
Mar  2 07:03:22 misc postfix/smtp[11770]: 11CA12DED3: to=<wttwtestacct@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.27]:25, delay=1.8, delays=0.25/0.02/0.56/0.93, dsn=2.0.0, status=sent (250 2.0.0 OK 1330700602 x8si8608852pbi.66)
I have another google account (apparently) that my records show I set up sometime in 2010. The login info was saved October 2010. I don’t know when the last time I logged in was, but given I’d forgotten the existence of the account it’s a good bet that it has been more than a year. That account is also accepting mail as of today.
Mar  2 07:06:25 misc postfix/smtp[11836]: 8D90C2DED3: to=<phphendrie@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.127.27]:25, delay=1.6, delays=0.26/0.02/0.68/0.66, dsn=2.0.0, status=sent (250 2.0.0 OK 1330700785 a8si4075740icw.96)
For Hotmail I also have quite a bit of history and information. I signed up for my first Hotmail account in 1997. That was an account I used the address to post to usenet, but I didn’t actually use it for mail. I’d check it occasionally (usually when someone said in the newsgroup that they were going to email me) but it wasn’t an address I used regularly. As I moved from posting regularly in usenet, I started checking that account even less.
For a while, if I went more than 6 months checking my Hotmail account they would make me “re-claim” it. What would happen when I’d log in is I’d get a message along the lines of “well, we disabled this account due to inactivity, do you want it back?” I’d say yes, have to go through the setup process again and it would be my account. Mail was deleted during the disabling, and I am guessing they rejected anything new going to that account. I went through this dance for 4 or 5 years. I even had my calendar set to remind me to login every 6 months or so. There was some sentimental value to the address that kept me logging in. I have that same username at every major free ISP: Gmail, Hotmail, Yahoo and AOL, so it’s “my” address.
About 6 or 7 years ago, that behavior changed. I stopped getting the request to reclaim my account. Instead I could just log in. I’d still have mail (mostly spam as the address is on *lots* of lists and millions CDs). I still check it irregularly. I don’t have any idea when the last time I checked it was, but I think it’s been since at least November and probably longer back than that. Hotmail is still accepting mail for that address as well.
It’s anecdotal evidence, at best, but it ‘s the type of evidence that is acceptable even when it’s anecdotal. There are some addresses that are abandoned for long periods of time at the free mailbox providers and they’re are not all automatically pulled from the ranks of active addresses.
What does this mean for senders? It means that data hygiene has to go beyond just removing addresses that bounce. ISPs are not disabling addresses consistently enough for marketers to be able to trust that all addresses on their list are active just because they are accepting email.
This is the root of the recommendation to put in a hygiene program, this is why senders need to look at who is actually engaged with their brand and make some hard decisions about shooting zombies in the head.

Read More

I know your customers' passwords

Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari).
Go on, I’ll wait.
Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. If it doesn’t, then you might have a serious security problem.
What’s going on here? You’ve probably noticed that when you’re filling in a web form your browser will often offer to fill in data for you once you start typing. This feature is supported by most modern browsers and it’s very convenient for users – but it works by recording the contents of the form in the browser, including the username and password.
As a bad guy that’s very interesting data. I can take some off-the-shelf malware and configure it with the URLs of a bunch of ESP login pages. Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to be ESP customers is probably more effective. Maybe I’ll use hostile email that infects the machine automatically, or – most likely – I’ll use a phishing attack, sending a plausible looking email with an attachment I’m hoping recipients will open.
Once the malware is installed it can rummage through the users browser files, looking for any data that matches the list of login pages I gave it. I just need to sit back and wait for the malware to phone home and give me a nicely packaged list of ESPs, usernames and passwords. Then I can steal that customer’s email lists and send my next phishing run through that ESP.
This isn’t a new issue – it’s been discussed since browsers started implementing autocompletion over a decade ago, and it’s been a best practice to include autocomplete=”off” for password fields or login forms for years.
How serious a risk is this for ESPs? Well, I looked at the customer login pages at several ESPs that have a history of being compromised and none of them are using autocomplete=”off”. I looked at several that haven’t been compromised that I know of, and they’re all using either autocomplete=”off” or a complex (and reasonably secure-looking) javascript approach to login. Correlation isn’t causation, but it’s fairly strong circumstantial evidence.
ESPs should fix this hole if they haven’t already. If any customers are upset about having to actually type in their password (really?) they can take a look at secure password management tools (e.g. 1Password, LastPass or KeePass).
Thanks to Tim at Silverpop for reminding me that this is a serious security hole that many ESPs haven’t plugged yet and pointing me at some of these resources.
More on passwords and application security tomorrow.

Read More