Recent Posts

So you want to start a company? (part 2)

You’re setting up a company (or a new division or maybe even a new brand) and you’d like to use email to communicate with your customers. In this series of posts I’m going to touch on some of the things you can do today to make email life easier for you in the future. Today, choosing a domain name.

So you want to start a company? (part 1)

Only Influencers blog talk radio

I had the privilege to talk with a bunch of experts on the Only Influencers Blog Talk Radio show this morning. The discussion centered around the perceived conflict between Marketing and Delivery.
The conversation was a good one, with a lot of different perspectives aired. I strongly recommend people who are interested in hearing multiple industry experts talking about email marketing and delivery listen to the podcast.
Once I get back from MAAWG I plan to talk a little more about delivery managers as fire fighters and why that is such a good metaphor for delivery.

Delivery events next week

Next week is MAAWG and I’ll be there talking about delivery, blocking and all sorts of things. If you’re going, be sure to stop by the Choose Your Own Delivery Adventure. It should be lots of fun!
Also next week on Monday I’ll be a guest on the Only Influencers blog talk radio show discussing Delivery versus Marketing.

Before you build a list

I can’t add much more to Steve Denner’s article about building list size.

Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches. To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:

I know your customers' passwords

Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari).
Go on, I’ll wait.
Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. If it doesn’t, then you might have a serious security problem.
What’s going on here? You’ve probably noticed that when you’re filling in a web form your browser will often offer to fill in data for you once you start typing. This feature is supported by most modern browsers and it’s very convenient for users – but it works by recording the contents of the form in the browser, including the username and password.
As a bad guy that’s very interesting data. I can take some off-the-shelf malware and configure it with the URLs of a bunch of ESP login pages. Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to be ESP customers is probably more effective. Maybe I’ll use hostile email that infects the machine automatically, or – most likely – I’ll use a phishing attack, sending a plausible looking email with an attachment I’m hoping recipients will open.
Once the malware is installed it can rummage through the users browser files, looking for any data that matches the list of login pages I gave it. I just need to sit back and wait for the malware to phone home and give me a nicely packaged list of ESPs, usernames and passwords. Then I can steal that customer’s email lists and send my next phishing run through that ESP.
This isn’t a new issue – it’s been discussed since browsers started implementing autocompletion over a decade ago, and it’s been a best practice to include autocomplete=”off” for password fields or login forms for years.
How serious a risk is this for ESPs? Well, I looked at the customer login pages at several ESPs that have a history of being compromised and none of them are using autocomplete=”off”. I looked at several that haven’t been compromised that I know of, and they’re all using either autocomplete=”off” or a complex (and reasonably secure-looking) javascript approach to login. Correlation isn’t causation, but it’s fairly strong circumstantial evidence.
ESPs should fix this hole if they haven’t already. If any customers are upset about having to actually type in their password (really?) they can take a look at secure password management tools (e.g. 1Password, LastPass or KeePass).
Thanks to Tim at Silverpop for reminding me that this is a serious security hole that many ESPs haven’t plugged yet and pointing me at some of these resources.
More on passwords and application security tomorrow.

Browsers, security and paranoia

MAAWG is coming up and lots of us are working on documents, and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a windows machine to browse the web was over the top and paranoid. It may be, but drive by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.

Rancid Slime and Email Marketing

Despite what some email marketers may tell you there are times when it’s really not appropriate to try and add someones email address to your list.
I just opened a pot of yogurt and instead of a smooth, creamy dessert there was a sticky brown slurry dotted with firm white chunks – looking like hot-and-sour soup, and not in a good way. No, this isn’t an email marketing metaphor, it’s just background to the story.
Food is a fairly delicate product, and supply-chain problems happen – it doesn’t take leaving yogurt out in the sun all day to turn it into something unpleasant. I’m not too concerned, but I thought I’d drop them a line and tell them that they had a problem (not because I want the traditional coupon for a free yogurt but because I want them to fix their problem and reduce the odds of the yogurt I buy next month trying to kill me).
They have a web site. I dodge past the full-screen pop-up “subscribe to our newsletter!” and go to their contact us link. Comment, complaint or question? Complaint, I guess.
They ask for a lot of information, almost all of it “required”. UPC Code, Plant Number, Production Line, Use By Date, Time Stamp, Store where it was purchased, city, state, comments. And my title, first name, last name, email address. And my email address again (no, people, that is *not* what double opt-in means). Phonenumber, Street Address, Building/Suite/Unit, City/Town, State, Zip Code, Country.
And whether I “Would you like to receive news, information and other offers from Brennan’s” – with the tempting options of “Accept” or “Not Accept”.
Skipping over the question of whether 23 fields ever makes sense for a subscription capture form, someone who’s contacting you to complain that your product looks like last months chinese take-out isn’t someone you have a close relationship with, someone who wants to receive your email. Odds are pretty good that they’re either going to decline your tempting offers and be slightly annoyed, or (accidentally?) sign up for them and hit the this-is-spam button when you mail them.
Neither is a good result, for you or them. Maybe you should wait to offer the opportunity to sign up for your yogurt mailing list until after you’ve resolved the complaint to their satisfaction, rather than when they’re making the complaint?

Unsolicited feedback

Those of us in the email space often have opinions about volume and frequency and opt-in and everything involved in email marketing. What we don’t always have is the luxury of receiving unsolicited feedback from recipients.
Every once in a while I find a post online that is that unsolicited feedback from someone. Today a poster on reddit describes his experience with signing petitions and the resulting mail from political causes. After signing a number of petitions, he started getting huge amounts of email. The volume was so high, he started unsubscribing.
I’m not going to copy his whole article here, but there are some interesting points relevant to the email marketing end of things.