Recent Posts

No room for cowards

Brian Krebs was the keynote speaker at a MAAWG meeting a few years ago. He is a tech journalist that knows and understands the dark underworld of online crime. Yesterday, his website was taken down by a dDOS attack and the Fairfax County SWAT team was called to his house by someone.
Brian does work that is risky. His contributions to what we know about online crime are extremely valuable.
His post talking about what happened yesterday is well worth reading.
ETA: The ArsTechnica article on the event.

Bad Neighborhoods on the Internet

Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the internet addresses that send spam.

Network World on Spamhaus

Spamhaus warns marketers to keep email databases tidy

Hear me talk about improving delivery

Tom Sather (ReturnPath) and I will be speaking on Thursday at a webinar hosted by the Association of Business and Media Companies.
How to Boost Email Marketing Response Rates

Logging in to unsubscribe

I have been talking with a company about their unsubscribe process and their placement of all email preferences behind an account login. In the process, I found a number of extremely useful links about the requirements.
The short version is: under the 2008 FTC rulemaking senders cannot require any information other than an email address and an email preference to opt-out of mail. That means senders can’t charge a fee, they can’t ask for personal information and they can’t require a password or a login to unsubscribe.
I’ve talked about requiring a login to unsubscribe in the past here on the Word to the Wise blog.
Let them go
Questions about CAN SPAM
One click, two click, red click, blue click
How not to handle unsubscribes
I’m not the only person, though, that’s written about this.
The FTC has written about it in the FTC CAN SPAM Compliance Guide for business

Social invading everything

I discovered, inadvertently, that there is a business networking site modeled after dating site. If you’re selling something you go on the site and register as a seller. If you’re buying something you go on the site and register as a buyer. Buyers can post RFIs and sellers can respond.
Decent enough business model, they’ve even fleshed it out so the site itself acts as an invoicing and billing mechanism.
That’s how I discovered it, one of our very large international telco customers decided they wanted to use this site for billing. Many large telcos expect vendors to use their proprietary site, so I wasn’t that surprised when they asked. And, given they’re international being able to bill them electronically just means I don’t have to remember to use the international stamps.
At the behest of our customer, I signed up at the website. It’s like most social networking sites, create a profile, categorize yourself, make everything public. The thing is, I don’t want to use this site to find new customers. I am just using it because one of my current customers is expecting it. Don’t get me wrong, Abacus is a great product and our customers are extremely happy with it, but it’s pretty niche. It’s not something that’s going to be searched for on a generic website.
I thought that when I set my profile to private that would be some sort of signal to keep me out of the main directory of the site. This morning I realized that wasn’t true when I got a bunch of emails telling me about all these companies looking for “business software” (the closest category I could find).
Getting a bunch of irrelevant mail was annoying enough. Even worse, there was no unsub link in the email. Eventually, I discovered an entire page of email options that were not made clear to me up front. I also sent mail to support and suggested that they talk to their lawyers to clarify whether their opt-out option was consistent with CAN SPAM. I’m pretty sure it doesn’t, but I am not a lawyer.
To the company’s credit, they did have good support and my questions through support were answered in a timely fashion. One of their support reps even called me on the phone to clarify what it was that I wanted to happen and walk me through their email options. She was very upfront about yes, they opted everyone in to all the mail at the very beginning of the process. “We’re like match.com for businesses!”
I’m sure there are some businesses that will find this service to be great. But it’s not what I want or need. Despite the fact that their support was so helpful, I don’t have a great feeling about this company. It seems a bit dishonest that I thought I was signing up for a billing portal, but was actually joining “match.com for businesses. Why couldn’t they make that clear in the 7 emails in 2 days “inviting” me to sign up?
I know I’m a little more sensitive to bad mailing processes than most people, but this was quite an unpleasant experience from the multiple identical emails and reminders before I signed up to the irrelevant stuff I got afterwards.

The 5 stages of a Spamhaus listing

Courtesy of Spencer over at Experian.
The 5 Stages of Recovery

Questions about Spamhaus

I have gotten a lot of questions about Spamhaus since I’ve been talking about them on the blog and on various mailing lists. Those questions can be condensed and summed up into a single thought.

Spamhaus Speaks

There’s been a lot of discussion about Spamhaus, spam traps, and blocking. Today, Spamhaus rep Denny Watson posted on the Spamhaus blog about some of the recent large retailer listings. He provides us with some very useful information about how Spamhaus works, and gives 3 case studies of recent listings specifically for transactional messages to traps.
The whole thing is well worth a read, and I strongly encourage you to check out the whole thing.
There are a couple things mentioned in the blog that I think deserve some special attention, though.
Not all spam traps actually accept mail. In fact, in all of the 3 case studies, mail was rejected during the SMTP transaction. This did not stop the senders from continuing to attempt to mail to that address, though. I’ve heard over and over again from senders that the “problem” is that spamtrap addresses actually accept mail. If they would just bounce the messages then there would be no problem. This is clearly untrue when we actually look at the data. All of the companies mentioned are large brick and mortar retailers in the Fortune 200. These are not small or dumb outfits. Still, they have massive problems in their mail programs that mean they continue to send to addresses that bounce and have always bounced.
Listings require multiple hits and ongoing evidence of problems. None of the retailers mentioned in the case studies had a single trap hit. No, they had ongoing and repeated trap hits even after mail was rejected. Another thing senders tell me is that it’s unfair that they’re listed because of “one mistake” or “one trap hit.” The reality is a little different, though. These retailers are listed because they have horrible data hygiene and continually mail to addresses that simply don’t exist. If these retailers were to do one-and-out or even three-and-out then they wouldn’t be listed on the SBL. Denny even says that in the blog post.

Filtering is not just about spam

A lot of filters started out just as filters against spam. But over the years they’ve morphed into more general blocks against dangerous or problematic email. There’s a lot of crime and bad behavior on the internet, much of it using email as a conduit or vector. Filtering is so much more than stopping spam now. It’s as much, or more, about stopping crime.
Email filters are essential to protect us from scammers. Sometimes I forget this, and then I read about a grandmother getting swindled by a Nigerian scammer and ending up dead.
There are real consequences to poor filtering and there is real crime facilitated by email. It’s easy to forget this as we deal with the email that gets caught in filters when they shouldn’t.
Filters are one of the first lines of defense against online crime.
Not only does filtering stop crime, but they also keep email working. An unfiltered mail stream is an ugly, unreadable, unworkable mess.