Recent Posts

Lavabit and darkmail

The M3AAWG keynote address today was a talk from Ladar Levison about the shutdown of the Lavabit mail service after receiving demands from the NSA to hand over their SSL keys.
@maawg tweeted different quotes from the session. There is a conflict between privacy and security, and these are questions we need to resolve.
Ladar talked about his potential new service called darkmail, which pushes encryption back to the user level. I think there is relevance to this, as many online services are used for political and other organizing. As someone said to me last night, some of the people using our service could be killed if we don’t protect their privacy. He wasn’t speaking of the US residents, but people in places like Ukraine or Arab countries or other places undergoing violent revolutions.
Privacy is important, how we treat privacy is important. Handing over SSL keys to governments strikes me as a big problem.

Brian Krebs wins the Mary Litynski award

A little late, but I’ve been in sessions most of today. M3AAWG announced this morning that Brian Krebs won the 2014 Mary Litynski award. This award is given to people who work tirelessly to make the internet a better place.
I first had the pleasure of listening to Brian give the keynote address at a MAAWG conference many years ago. His ability to infiltrate some major spam operations and online forums for criminals is amazing. He’s also had retaliation attempts, including being SWATed and having heroin delivered to his house.
If you get a chance to hear Brian speak, I strongly encourage you to do so. His knowledge is outstanding and his speaking style is entertaining. I’ve learned a lot from Brian over the years and I’m pleased he won this award and that M3AAWG recognized his contribution to stopping abuse online.
M3AAWG press release

Using confirmation to get good email addresses

For 25 hours the group De La Soul is releasing their entire catalog for free online. What none of the articles are mentioning is that they’re using this to build their database of email addresses in a way that’s going to result in a clean database of high value email addresses.
How are they doing that? By making sure the addresses belong to their fans before they actually give fans access to the catalog. Yes, they are using confirmation as part of their signup process.
If you go to their website, wearedelasoul.com, you’re asked for an email address so they can send the downloads to you.
The fine print is the interesting bit:

M3AAWG conference next week

Next week is M3AAWG 30 in San Francisco. We’ll be there and are very excited to see the familiar faces and meet new people.
I recently had someone ask me what would I recommend to someone going to their first M3AAWG conference. My recommendation to anyone in the sender or marketer space is to go to some of the talks that are not about email delivery. Go to the sessions that talk about malware or SMS or anything other than just email delivery. For anyone in the ISP space go to a session focused on mobile or email sending. Use this time to learn about something totally different than what you do every day.
Another question I get frequently from senders is if the people from the ISPs are open to sitting down and talking with senders about the senders’ email problems. Generally, the answer is no. Most of the time, the ISP has no knowledge of who you are and what mail you’re sending, so all they can say is “send me an email with the IPs and I’ll take a look at it.” That’s it.
We’ll be in the city starting Monday afternoon, and I always enjoy meeting readers. Stop by and introduce yourself.

Target breach started from email

According to Brian Krebs the compromise of Target’s POS system probably originated with a phishing attack against one of Target’s vendors. This attack compromised credentials of the HVAC vendor and possibly allowed the hackers entrance into Target’s systems.
Interestingly, Brian mentions Ariba, a company I’ve been forced to deal with by a large customer of ours. I’m not sure if there really is an attack vector where a vendor can get access through Ariba to the internal systems of the customers. However, my experience with Ariba has been frustrating and problematic, so I’ll be happy to believe their security is as broken as their email.
Email is a great way to interact with people and companies. It’s great for growing communities and businesses. But it is also a way for attackers to get access to your computer and the websites you interact with. Protect yourself, and your company, by running security software. And, please, don’t open attachments or click on links in emails and provide usernames and passwords.

LinkedIn shuts down Intro product

Intro was the LinkedIn product that created an email proxy where all email users sent went through LinkedIn servers. This week LinkedIn announced it is discontinuing the product. They promise to find new ways to worm their way into the inbox, but intercepting and modifying user mail doesn’t seem to have been a successful business model.

Engagement, it's not what you might think

Most delivery experts will tell you that ISPs measure recipient engagement as a part of their delivery. That’s absolutely true, but I think there’s a language difference that makes it hard for senders to understand what we mean by engagement.
ISPs, and other filtering companies, profile their user base. They know, for instance, who logs in and checks mail every day. They know who checks mail every 20 seconds. They know who gets a lot of spam. They know who hasn’t logged in for months. They know who accurately marks mail as spam and who is sloppy with the this-is-spam button. They know if certain recipients get the same mail, it’s likely to be spam.
Engagement at the ISPs is more about the recipient engaging with their email address and the mail in their mailbox than it is about the recipient engaging with specific emails.
 

More on Newsmax and spam to political lists

Things are getting stranger and stranger with Newsmax and the politicians they’re managing lists for. Earlier this week, recipients on Scott Brown’s list received emails with the subject line “5 Signs You’ll Get Alzheimer’s Disease.” The advertisement was for products and information from Dr. Blaylock, a contributor to Newsmax Health. Scott Brown told the political reporter at WMUR in New Hampshire that he did not authorize this email and was cutting ties with Newsmax.
Newsmax contacted me after I posted about unexpected email to the Herman Cain mailing list. They wanted to make it clear to me that their mailings were all double opt-in and that they adhered to all best practices. They also said that select advertisers were allowed to put ads in the body of messages from the politician to their supporters.
It seems, though, that may not be the whole truth. After I received the message from Newsmax, I signed up on caintv.com to see if they really were using double opt-in. While it is very possible that Mr. Cain was using double opt-in during the campaign, he isn’t any longer. I started receiving emails immediately, with neither a welcome message nor a confirmation message.
In the case of Scott Brown’s list, the advertisement wasn’t from an outside advertiser, the advertisement was for a Newsmax columnist. And the ad wasn’t in the body of a message to supporters, it was the message to supporters. Mr. Brown has this to say about his likeness and mailing list being used by Newsmax.

Contacting an ISP that doesn't have a postmaster page

How do you contact an ISP that doesn’t have a postmaster page about a block? While there’s no one answer, I do have some suggestions.
Start by contacting the postmaster@ or abuse@ addresses. For smaller ISPs, the same people handling outbound abuse are the people handling inbound filtering.
When you contact them have the following:

Problems with Yahoo FBL

There are a couple problems I’ve been alerted to with the Yahoo FBL today.
The first comes from Michael Ellis and is about broken FBL reporting at Yahoo.
