Recent Posts

Temporary Hiatus

Had a family emergency so the blog will be on hiatus for a couple weeks.

For years now, Microsoft has maintained Smart Network Data Services (SNDS) for anyone sending mail to Hotmail/Outlook/Live.com. This is a great way for anyone responsible for an IP sending mail to hotmail to monitor what traffic Hotmail is seeing from that IP address.
This morning I got up to a number of people complaining that logins were failing on the website and the API was down. I contacted the person behind SNDS and they confirmed there was a problem and they were fixing it.
Sometime this afternoon it was possible to login to the SNDS interface again, so it looks like they did fix it.
A bit of a warning, though, don’t expect to see any of the data from the last few days. There seems to be something with SNDS that means that when the service is down data isn’t collected or available. In the past when there have been problems, older data was not populated when the service came back.

Arrest made in Spamhaus dDOS

According to a press release by the Openbaar Ministerie (the Public Prosecution Office), a dutch man with the initials SK has been arrested in Spain (English translation) for the dDOS attacks on Spamhaus. Authorities in Spain have searched the house where SK was staying and seized electronic devices including computers and mobile phones.
Brian Krebs has more, including multiple sources that identify SK as Sven Olaf Kamphuis. Sven Olaf Kamphuis was quoted in many articles about the dDOS, including the NY Times and various reports by Ken Magill.
ETA: Spamhaus thanks the LEOs involved in the arrest.

If you want to spam, don't be stupid

Some random UK email marketing company that I’ve never heard of harvested my address off of LinkedIn (yes, it’s my LinkedIn specific address) and is now spamming me advertising their cheap email marketing services. There were a lot of things about this particular mail that really annoyed me. The annoyance wasn’t just spam in a folder that shouldn’t have spam, it’s that the spam itself was badly done.
The thing is, they could have done this in a way that didn’t annoy me enough to blog about them being spammers. A teeny, tiny amount of effort and an ounce of empathy for their recipients and I wouldn’t have anything to blog about today.
If you want to spam, don’t be stupid. How can you avoid being stupid?
1) Send only one email and make it clear in the message this is a one time (or limited time) email. Don’t just randomly harvest addresses off a website, like Submission Technology did today, and add all those addresses to your marketing list. Spam is an interruption and an annoyance. And if spammers had any sense they’d limit the amount of time they spent annoying and interrupting recipients.
2) Target your email correctly and don’t be lazy. This morning’s mail from Submission Technology was advertising their UK specific marketing programs. They have my LinkedIn profile, they know I’m on the other side of the US from the UK.
3) Don’t lie about where you got my name. In this case, I know Submission Technology harvested it off LinkedIn because that’s the address they are sending it to. And, in fact, in the email they sent they mention they are sending this to me because we’re connected on LinkedIn. The problem is, I can find no trace of a connection between us on LinkedIn. And, yes, I did look because I generally drop connections that add me to their mailing lists.
One part of my anger at this particular spam is that they’ve appropriated a tagged email address of mine and added it to their marketing lists. That’s breaking my filtering.
After doing a little research into their company and their practices, though, I have to wonder if they’re going to sell my address. It seems that Submission Technology sells addresses to their customers, among other product offerings. Is this address that I’ve dedicated to handling LinkedIn specific emails really now going to end up getting spam from UK companies?
Based on multiple online reports (Andy Merrett and Ben Park) it doesn’t even look like unsubscribing will be sufficient to get this mail to stop.
One of the most amusing bits links that showed up was a comment on a post here from 2008. It seems that they spammed Steve Linford and were SBLed for it. I’m only guessing that since they’re not still listed they’ve figured out how to suppress Steve’s address at least.
Sending unsolicited email can be a problem for bulk senders; you risk alienating your potential customers, getting blocked and developing a poor reputation. Some of those problems can be mitigated by not being stupid.

Password security

Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security?
If you haven’t heard, someone managed to compromise the Associated Press’ twitter account today. Not only was the account compromised, but they put out a fake tweet claiming that there were explosions at the White House and President Obama was injured.
A funny prank? Maybe. But tweets like this have a real world effect. For instance, the stock market plunged 140 points after the initial reports, rebounding when people realized it wasn’t true.
It’s not clear how the AP twitter password was compromised. There are many possibilities including classic social engineering through to compromised machines inside AP with password sniffers on them.
The lesson here is that we’re all targets, even ‘soft’ seeming targets like social media accounts. Practice safe computing.

Evaluating usability at an ESP

Clients and random people often ask me to recommend an ESP based on “the best delivery.” I usually point out that most of the reputable ESPs are similar in terms of their delivery. There aren’t many widely used reputation services that block based on ESPs unless there is long term and ongoing problem from the ESP.
This is even more true when the ESP uses dedicated IPs for customers. ESPs that use shared IPs can have poor delivery if they don’t effectively police customers and lower the reputation of all their IP addresses.
My normal comment about ESPs is to find a price point and feature set that meets the client’s needs. Clickmail has a good post about how to evaluate an ESP for usability.

Boston police using email to warn residents

Jaclyn Reiss tweets:
Town of Watertown email blast sent just now says stay in home, follow police instructions, local businesses should NOT open
Email is not dead, not even close.
Stay safe, Boston.

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Social media the Home Depot way

I’ve been following Richard the Cat on Twitter for a while. It’s the story of a family and their trials and tribulations with their yard as told by their cat.
The twitter feed (and Richard’s tumblr) are a product of the Home Depot marketing department. And it’s great. Richard has awesome comments on his humans and their struggle to create a happy yard. The tweets are low key and not overly home depot branded, but every Richard tweet I see, I think about the yard and things we might need from Home Depot.
And, of course, who on the internet doesn’t love a cat meme?
To my mind this is one of the better examples of brand social media. There is a theme. The tweets and tumblr does remind followers of the brand – Richard is an orange cat after all. The process is participatory, followers can upload cat photos on the Tumblr and tweet with Richard on Twitter.
Social media is social; a two way street. A lot of brands fail with the social part in that they treat it as a one way street. Home Depot doesn’t do that with Richard.

Confirmation is too hard…

One of the biggest arguments against confirmation is that it’s too hard and that there is too much drop off from subscribers. In other words, recipients don’t want to confirm because it’s too much work on their part.
I don’t actually think it’s too much work for recipients. In fact, when a sender has something the recipient wants then they will confirm.
A couple years ago I was troubleshooting a problem. One of my client’s customer was seeing a huge percentage of 550 errors and I was tasked with finding out what they were doing. The first step was identifying the source of the email addresses. Turns out the customer was a Facebook app developer and all the addresses (so he told me) were from users who had installed his apps on Facebook. I did my own tests and couldn’t install any applications without confirming my email address.
Every Facebook user that has installed an application has clicked on an email to confirm they can receive email at the address they supplied Facebook. There are over 1 billion users on Facebook.
Clicking a link isn’t too hard for people who want your content. I hear naysayers who talk about “too hard” and “too much drop off” but what they’re really saying is “what I’m doing isn’t compelling enough for users to go find the confirmation email.”
This isn’t to say everyone who has a high drop off of confirmations is sending poor content. There are some senders that have a lot of fake, poor or otherwise fraudulent addresses entered into their forms. In many cases this is the driving factor for them using COI: to stop people from using their email to harass third parties. Using COI in these cases is a matter of self protection. If they didn’t use COI, they’d have a lot of complaints, traps and delivery problems.
The next time you hear confirmation is too hard, remember that over 1 billion people, including grandparents and the technologically challenged, managed to click that link to confirm their Facebook account. Sure, they wanted what Facebook was offering, but that just tells us that if they want it bad enough they’ll figure out how to confirm.
HT: Spamresource