Recent Posts

How long is your DKIM key?

While we were at M³AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key 1024 or longer. Anything shorter and your risk having the key cracked and your mail fraudulently signed.
This morning M³AAWG published recommendations on keeping DKIM keys secure.

Marketing and storms

Never let it be said that marketers can’t take advantage of anything. In this case, there was a lot of commercial email mentioning Hurricane Sandy sent over the last few days. The emails themselves mapped into a number of broad categories.
Informational: Emails from hotels, airlines and east coast businesses keeping customers updated about their current status. Emails from many banks also fell into this category. Generally these emails offered information about reservations, flight statuses and cancellations. In the case of banks, customers were also told about loosening of overdraft and other policies.
Sales: Some retailers used the storm as an excuse for a storm. American Apparel sent out an email advertising a 36 hour sale for residents in states on the hurricane path. This prompted some recipients to complain about the tastelessness of the advertising.
Relief efforts: A number of companies sent out emails encouraging subscribers to donate to relief efforts. In many cases these companies are located in or have employees directly affected by the storm. Some of these companies offered discounts or bonuses to people who donated to relief efforts.
Spam: Finally, I would be remiss in not pointing out that spammers and scammers come out in force after most natural disasters. Spammers took full advantage of the storm, too and were sending out lots of mail mentioning the storm. Mailchimp dedicated a full blog post to looking at the amount of spam mentioning the storm and its impact on email delivery.
Return Path has an analysis of some of the Sandy related mailings and how they performed both between categories (although Return Path didn’t categorize them like I did) and within categories. It’s well worth a read to see how different approaches worked.
Email is a great way to communicate with people. The breadth of emails going out about or referencing the storm are a testament to that.

Storms, outages and email

There’s been quite a bit of discussion about how Hurricane (Superstorm?) Sandy has affected email delivery over the last week. There are a couple things that may affect delivery at a number of domains.
Receiving mailservers hosted in facilities that lost power or connectivity for one reason or another. Most of these issues seem to be resolved now, although a number of places are still on generator power. There are also a number of facilities where employees and customers went above and beyond the call of duty to keep those facilities running. Peer1 got a lot of press for their bucket brigade, but they’re not the only company that kept running despite power outages, flooding and horrible conditions.
Routing hardware went down in a number of places. Again, mostly because of the power outages. Router failures can mean that some mail can’t get from A to B, even if both A and B are up and functioning. As with the servers, these problems seem mostly under control.
Recipients don’t have power or internet at home. In fact, I think this is one of the bigger marketing challenges. Recipients can’t get their mail because they don’t have power or internet. This is probably going to have a bit of a longer term affect on email. Even when folks get their email back, the latest sale email from their favorite vendor isn’t necessarily going to be what they are looking for in their inbox. Even if they are looking for that sale email, they’re going to have a mailbox with days worth of email to sort through.
None of this is a long term problem. It’s mostly temporary. But marketers can expect lower open and click rates during the storm cleanup and restoration phase.

It's Thursday: AOL must be having problems

And, in fact, they are.
This time I’m seeing random reports of FBL failures. Some folks are seeing a significant (more than 50%) decrease in FBL emails. Other folks are reporting FBL reports that aren’t really FBL reports, but instead look like failed code output.
If you’re seeing this kind of problems it’s not just you.
As always, people at AOL are working to fix things and cooperating with people in the sending community who are having this problem. In other news, I found out last week that the one Really Smart Mail Guys I thought was still there is still at AOL but is no longer in their mail division. That means that the guys who built the AOL version of Skynet have left it to its own devices. Be afraid. Be Very Afraid.

Poisoning Spamtraps

Today’s question comes from Dave in yesterday’s comment section.

I wonder if spammers might submit harvested addresses to big-name companies known to not use confirmed opt-in just to poison what they believe might be spamtraps?
Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of chinese language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

MAAWG presents the first J.D. Falk award

Last week at MAAWG went much like all MAAWG conferences go: too much to do, too many interesting panels to attend, too many people to connect and work with, a plethora of very interesting keynote speakers and a total lack of sleep. Most of what happens at MAAWG is not public, but some of the events are.
One of the things that I can talk about is the J.D. Falk award. This award was established by MAAWG, Return Path and J.D.’s family to recognize people who work, usually behind the scenes and without fanfare, to enhance the Internet and protect end users. I sat on the award committee and we had a number of nominations for very worthy work. But the nomination that stood out was the one for Tom Grasso. Tom was the driving force behind the creation of the DNS Changer Working group. He was responsible for connecting experts from throughout the Internet industry, including ISPs, anti-virus vendors, and the broader security community to prevent the Internet for going dark for hundreds of thousands of infected individuals.
I am very proud of the decision the committee made. The bar has been set high for future recipients. Tom did an amazing job convincing lots of players to work together. His involvement definitely made the internet better for everyone, not just those infected by Rove Digital’s malware. What he did is a model for private / public partnerships in the future.
I don’t think I could say it better than the MAAWG press release, so I’ll just end with that.

Setting up DNS for sending email

Email – and email filtering – makes a lot of use of DNS, and it’s fairly easy to miss something. Here are a few checklists to help:

Retrying mail to AOL

I’m working on stuff for MAAWG so I’m really not all that up on what’s happening in the world of email recently. A lot of folks are commenting on my AOL post, and I’m hearing that queues are backing up and emptying as AOL makes changes.
One thing people have been asking me is if they should retry mail to the addresses that are bouncing. I say yes, absolutely. Some of the error messages are related to real filters, but there seems to be quite a bit of slop in the filters these days. I think, though, that the recipients do exist and removing the addresses from future mailings is premature.

Mail problems at AOL

We cannot help endusers troubleshoot AOL connection problems. Please do not call. Please do not write. You need to talk to AOL. We are not AOL. We cannot help you.