Recent Posts

Gmail sending out warnings for 512 bit DKIM keys

As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so.


Is Google failing DKIM keys shorter than 512 bits?

Today’s Wednesday question comes from Andrew B. and got pushed to Thursday so I could check a few more facts.


Data Driven Email (and other) Marketing

The frequency of emails from the Obama campaign ended up being a talking point for pundits and late night talk show hosts. Jon Stewart of The Daily Show even asked President Obama about email directly during his October 18th interview. (Video, email question at the 5:56 mark)


How long is your DKIM key?

While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 bits are not secure, and the DKIM spec does not recommend using keys smaller than 1024 bits. When I asked the DKIM-people-who-would-know they did tell me that the news was that the keys had been cracked and used in the wild to spoof email.
Fair enough.
If you are signing with DKIM, use a key of 1024 bits or longer. Anything shorter and you risk having the key cracked and your mail fraudulently signed.
This morning M3AAWG published recommendations on keeping DKIM keys secure.
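
One way to check a published DKIM key against the 1024-bit minimum above, as an added example that is not part of the original post: it parses a DKIM TXT record, decodes the `p=` public key and reports the RSA modulus size. The function names are hypothetical, and the sample records are constructed around a dummy modulus rather than a real key.

```python
import base64

MIN_BITS = 1024  # minimum key length the post above recommends

def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def dkim_rsa_bits(txt_record):
    """RSA modulus size in bits for a DKIM TXT record, or None if p= is empty (revoked)."""
    tags = {}
    for part in txt_record.split(";"):
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key record")
    if not tags.get("p"):
        return None
    spki = _read_tlv(base64.b64decode(tags["p"]))[1]  # SubjectPublicKeyInfo body
    _, _, pos = _read_tlv(spki)                       # skip AlgorithmIdentifier
    tag, bit_string, _ = _read_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected a BIT STRING holding the RSA key")
    rsa_key = _read_tlv(bit_string[1:])[1]            # skip the unused-bits octet
    modulus = _read_tlv(rsa_key)[1]                   # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def is_weak(txt_record):
    bits = dkim_rsa_bits(txt_record)
    return bits is not None and bits < MIN_BITS

# Constructed sample input: valid DER around a dummy modulus, not a usable key.
def _der(tag, body):
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def constructed_record(bits):
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 sign octet
    rsa_key = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption + NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Feed `dkim_rsa_bits` the TXT value published at `<selector>._domainkey.<domain>`; `is_weak(constructed_record(512))` is true, while a 1024-bit or 2048-bit record passes.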


Marketing and storms

Never let it be said that marketers can’t take advantage of anything. In this case, there was a lot of commercial email mentioning Hurricane Sandy sent over the last few days. The emails themselves mapped into a number of broad categories.
Informational: Emails from hotels, airlines and east coast businesses keeping customers updated about their current status. Emails from many banks also fell into this category. Generally these emails offered information about reservations, flight statuses and cancellations. In the case of banks, customers were also told about loosening of overdraft and other policies.
Sales: Some retailers used the storm as an excuse for a sale. American Apparel sent out an email advertising a 36 hour sale for residents in states on the hurricane path. This prompted some recipients to complain about the tastelessness of the advertising.
Relief efforts: A number of companies sent out emails encouraging subscribers to donate to relief efforts. In many cases these companies are located in or have employees directly affected by the storm. Some of these companies offered discounts or bonuses to people who donated to relief efforts.
Spam: Finally, I would be remiss in not pointing out that spammers and scammers come out in force after most natural disasters. Spammers took full advantage of the storm, too, and were sending out lots of mail mentioning the storm. Mailchimp dedicated a full blog post to looking at the amount of spam mentioning the storm and its impact on email delivery.
Return Path has an analysis of some of the Sandy-related mailings and how they performed both between categories (although Return Path didn’t categorize them like I did) and within categories. It’s well worth a read to see how different approaches worked.
Email is a great way to communicate with people. The breadth of emails going out about or referencing the storm is a testament to that.


Storms, outages and email

There’s been quite a bit of discussion about how Hurricane (Superstorm?) Sandy has affected email delivery over the last week. There are a couple things that may affect delivery at a number of domains.
Receiving mailservers hosted in facilities that lost power or connectivity for one reason or another. Most of these issues seem to be resolved now, although a number of places are still on generator power. There are also a number of facilities where employees and customers went above and beyond the call of duty to keep those facilities running. Peer1 got a lot of press for their bucket brigade, but they’re not the only company that kept running despite power outages, flooding and horrible conditions.
Routing hardware went down in a number of places. Again, mostly because of the power outages. Router failures can mean that some mail can’t get from A to B, even if both A and B are up and functioning. As with the servers, these problems seem mostly under control.
Recipients don’t have power or internet at home. In fact, I think this is one of the bigger marketing challenges. Recipients can’t get their mail because they don’t have power or internet. This is probably going to have a bit of a longer term effect on email. Even when folks get their email back, the latest sale email from their favorite vendor isn’t necessarily going to be what they are looking for in their inbox. Even if they are looking for that sale email, they’re going to have a mailbox with days’ worth of email to sort through.
None of this is a long term problem. It’s mostly temporary. But marketers can expect lower open and click rates during the storm cleanup and restoration phase.


It's Thursday: AOL must be having problems

And, in fact, they are.
This time I’m seeing random reports of FBL failures. Some folks are seeing a significant (more than 50%) decrease in FBL emails. Other folks are reporting FBL reports that aren’t really FBL reports, but instead look like failed code output.
If you’re seeing this kind of problem it’s not just you.
As always, people at AOL are working to fix things and cooperating with people in the sending community who are having this problem. In other news, I found out last week that the one Really Smart Mail Guy I thought was still there is still at AOL but is no longer in their mail division. That means that the guys who built the AOL version of Skynet have left it to its own devices. Be afraid. Be Very Afraid.


Poisoning Spamtraps

Today’s question comes from Dave in yesterday’s comment section.

I wonder if spammers might submit harvested addresses to big-name companies known to not use confirmed opt-in just to poison what they believe might be spamtraps?


Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of Chinese-language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN-SPAM in some way, shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.
