Recent Posts

DKIM and DomainKeys, Spam and Ham

I’ve been preaching “DKIM is great! DomainKeys is obsolete, get rid of it!” for several years now. I thought I’d take a look at my mailbox and see who was using authentication.
I’ve divided this into “Ham” and “Spam”. Spam is, well, all the spam I’ve received over the past couple of years. Ham is the non-spam mail in my inbox, whether personal, business, bulk or transactional. I’ve excluded most of the discussion mailing lists I’m on (not least because many of them consist of people in the email industry or are email standards development mailing lists, so have email authentication levels that are way outside the norm).

Read More

Uploading your address book to social media

I am one of the moderators of a discussion list working on a document about getting off blocklists. If anyone not on the list attempts to post to the list I get a moderation request. One came through while I was gone.
Now, I don’t really think Jim Mills wants to be friends with a mailing list. I think he probably gave LinkedIn his email password and LinkedIn went through and scraped addresses out of his address book and sent invitations to all those addresses.
I don’t have any problem with connecting to people on social media. I do even understand that some people have no problem giving their passwords over to let social media sites plunder their address books and find connections. What I do have a problem with is social media sites that don’t do any pruning or editing of the scraped addresses before sending invitations.
In this case, the email address, like many mailing lists, has in the email address “mailman.” While it’s probably impossible to weed out every mailing list, support address and commercial sender, it doesn’t seem like it would be too difficult to run some minor word matching and filtering. It’s not even like those addresses have to be removed from invites. Instead they could be presented to the user for confirmation that these are real people and addresses.
Yes, it’s friction in the transaction and it costs money to do and do well. But those costs and friction are currently offloaded onto uninvolved third parties.

Read More

Seedy underworld

ESPs have to deal with spammers, phishers and scammers getting onto their networks. Mailgun talks about some of the things they’ve found out about these problem customers.

Read More

Thanks, Al

A giant, very public thank you to Al for volunteering to mind the blog while Steve and I made an emergency trip to the UK. There was once or twice I noticed something that I thought “I should take a second and blog about this” only to discover Al was way ahead of me and had already posted it.
Both of us picked up some sort of ugly cold while we were there so it will be a couple days before blogging will be back to normal here.

Read More

Auto-opt-in?

Bronto’s Chris Kolbenschlag frames the discussion well: He purchased from an online retailer, they assumed he wanted to receive followup emails, and thus, those emails did eventually commence.
This is something I’ve had a lot of experience with. Working for an e-commerce service provider from late 2000 through mid 2006, I was the guy setting permission policy, dealing with spam complaints and advising on deliverability issues, primarily regarding email lists built over time from online store purchasers. There was an opt-in checkbox on the platform’s checkout pages, and it was up to the client as to whether or not it was pre-checked (“opted-in”) by default. Most clients pre-checked it by default.
My experience was, from a deliverability perspective, this kind of auto opt-in didn’t really present issues. People didn’t tend to forge addresses when purchasing, and people tended not to report mail as spam when it’s coming from somebody they just did business with.
I’m not saying it’s the wisest way to do things, by any means. If you have any other deliverability challenges at all, this kind of thing could likely add to them. And is it the most consumer friendly way to run things? I don’t think so. In my humble opinion, it’s always better to wait for the consumer to sign up on their own. But I’m not one of those aggressive marketer types.
And of course, the laws governing email permission vary by locale.

Read More

The FBI in my Inbox?

It’s alarming to read that, depending on whom you believe, the FBI feels it has the legal right to access your email messages without having to obtain a search warrant. I know I don’t have anything particularly damning in my personal email account, but it’s the principle of the matter that’s the problem. (And consider errors and leaks. Nothing in my email inbox is going to send me to jail, but it could contain many other things of a sensitive nature. Financial information. Industry dialog. Customer communication. Et cetera. Keeping that out of anybody else’s possession is the best way to keep anything from leaking or being misused.)
The bummer is that there doesn’t seem to be any way for the average joe user like you or me to do anything about it. According to that Marketwatch article, you could download all your email messages to your hard drive (clunky), encrypt emails when sending them (even more clunky), or move to an “off shore” email service (which simply exchanges one privacy concern for another).
The only bit of good news is that at least in the four states of the Sixth Circuit (Kentucky, Michigan, Ohio, Tennessee), the Warshak ruling prohibits the FBI from obtaining email messages without a warrant. The bad news is, that seems to apply only to those four states.

Read More

Get ready for SMiShing?

I received my first phishing attempt via text message today. Apparently that’s called SMiShing, and it’s a thing. Sadly, I’m too busy to have the guy follow up with his promised phone call to try to get my Gmail password from me, but I did take a moment and report it to 7726, just in case that’ll do good to help protect somebody else in the future.
Also, apparently I have a G-Email account. Is that the kind of email account you get from the company who used to own NBC?

Read More

Image Hosting on a Different Domain?

Fridays are a busy day in the land of deliverability, so I don’t have a lot of time to come up with a specific post for today. But, I thought this might interest folks here — the other day, a client asked me about using CDNs (content delivery networks) to host HTML email content, and I blogged up a quick reply over on my work blog.
(It’s true! Fridays are the new Mondays.)

Read More

Spams, Scams, and Senders

Over on the Magill Report, Stephanie Colleton from Return Path shares her thoughts on how to tell whether or not an email message is legitimate.
Let’s add to that some more thoughts from Return Path’s Lauren Soares.
Then let’s add to that some of my own thoughts specifically for email senders.
Every company sending email today ought to:

Read More

Pump-and-dump Spam is Back!

Commtouch’s latest “Internet Threats Trend Report” suggests that penny stock spam has returned:

Read More