Recent Posts

I know your customers' passwords

Go to your ESP customer login page and use “View Source” to look at the HTML (under “Page” on Internet Explorer, “Tools->Web Developer” on Firefox, and “View” on Safari).
Go on, I’ll wait.
Search for the word autocomplete. If it says something like autocomplete=”off” then your web developers have already thought about this security issue. If it doesn’t, then you might have a serious security problem.
What’s going on here? You’ve probably noticed that when you’re filling in a web form your browser will often offer to fill in data for you once you start typing. This feature is supported by most modern browsers and it’s very convenient for users – but it works by recording the contents of the form in the browser, including the username and password.
As a bad guy that’s very interesting data. I can take some off-the-shelf malware and configure it with the URLs of a bunch of ESP login pages. Then I just need to get that malware installed on your customers desktops somehow. A targeted web drive-by malware attack, maybe based on targeted hostile banner ads is one approach, but sending email to people likely to be ESP customers is probably more effective. Maybe I’ll use hostile email that infects the machine automatically, or – most likely – I’ll use a phishing attack, sending a plausible looking email with an attachment I’m hoping recipients will open.
Once the malware is installed it can rummage through the users browser files, looking for any data that matches the list of login pages I gave it. I just need to sit back and wait for the malware to phone home and give me a nicely packaged list of ESPs, usernames and passwords. Then I can steal that customer’s email lists and send my next phishing run through that ESP.
This isn’t a new issue – it’s been discussed since browsers started implementing autocompletion over a decade ago, and it’s been a best practice to include autocomplete=”off” for password fields or login forms for years.
How serious a risk is this for ESPs? Well, I looked at the customer login pages at several ESPs that have a history of being compromised and none of them are using autocomplete=”off”. I looked at several that haven’t been compromised that I know of, and they’re all using either autocomplete=”off” or a complex (and reasonably secure-looking) javascript approach to login. Correlation isn’t causation, but it’s fairly strong circumstantial evidence.
ESPs should fix this hole if they haven’t already. If any customers are upset about having to actually type in their password (really?) they can take a look at secure password management tools (e.g. 1Password, LastPass or KeePass).
Thanks to Tim at Silverpop for reminding me that this is a serious security hole that many ESPs haven’t plugged yet and pointing me at some of these resources.
More on passwords and application security tomorrow.

Browsers, security and paranoia

MAAWG is coming up and lots of us are working on documents, and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a windows machine to browse the web was over the top and paranoid. It may be, but drive by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.

Rancid Slime and Email Marketing

Despite what some email marketers may tell you there are times when it’s really not appropriate to try and add someones email address to your list.
I just opened a pot of yogurt and instead of a smooth, creamy dessert there was a sticky brown slurry dotted with firm white chunks – looking like hot-and-sour soup, and not in a good way. No, this isn’t an email marketing metaphor, it’s just background to the story.
Food is a fairly delicate product, and supply-chain problems happen – it doesn’t take leaving yogurt out in the sun all day to turn it into something unpleasant. I’m not too concerned, but I thought I’d drop them a line and tell them that they had a problem (not because I want the traditional coupon for a free yogurt but because I want them to fix their problem and reduce the odds of the yogurt I buy next month trying to kill me).
They have a web site. I dodge past the full-screen pop-up “subscribe to our newsletter!” and go to their contact us link. Comment, complaint or question? Complaint, I guess.
They ask for a lot of information, almost all of it “required”. UPC Code, Plant Number, Production Line, Use By Date, Time Stamp, Store where it was purchased, city, state, comments. And my title, first name, last name, email address. And my email address again (no, people, that is *not* what double opt-in means). Phonenumber, Street Address, Building/Suite/Unit, City/Town, State, Zip Code, Country.
And whether I “Would you like to receive news, information and other offers from Brennan’s” – with the tempting options of “Accept” or “Not Accept”.
Skipping over the question of whether 23 fields ever makes sense for a subscription capture form, someone who’s contacting you to complain that your product looks like last months chinese take-out isn’t someone you have a close relationship with, someone who wants to receive your email. Odds are pretty good that they’re either going to decline your tempting offers and be slightly annoyed, or (accidentally?) sign up for them and hit the this-is-spam button when you mail them.
Neither is a good result, for you or them. Maybe you should wait to offer the opportunity to sign up for your yogurt mailing list until after you’ve resolved the complaint to their satisfaction, rather than when they’re making the complaint?

Unsolicited feedback

Those of us in the email space often have opinions about volume and frequency and opt-in and everything involved in email marketing. What we don’t always have is the luxury of receiving unsolicited feedback from recipients.
Every once in a while I find a post online that is that unsolicited feedback from someone. Today a poster on reddit describes his experience with signing petitions and the resulting mail from political causes. After signing a number of petitions, he started getting huge amounts of email. The volume was so high, he started unsubscribing.
I’m not going to copy his whole article here, but there are some interesting points relevant to the email marketing end of things.

Spamhaus rising?

Ken has a good article talking about how many ESPs have tightened their standards recently and are really hounding their customers to stop sending mail recipients don’t want and don’t like. Ken credits much of this change to Spamhaus and their new tools.

MAAWG travel alert

For those of you coming to the Bay Area for MAAWG and considering flying into Oakland, be aware the Bay Bridge will be closed in the Oakand -> San Francisco direction for all of President’s day weekend. BART is unaffected, but if you’re planning on driving from Oakland into the city, you’ll have to do it by going south over the San Mateo bridge and then back north to the city.

What blogs are you reading besides mine?

It’s been a week. A very, very long week. Which means that at 4 on a Friday I’m grasping at straws for something interesting to write about. So I do what I do when I’m out of ideas, I look through the email related blogs I’m subscribed to.
A bunch of them are still active, but there’s a good dozen or so that haven’t been updated in months. I realize I’m getting most of my current news from Twitter (or, Facebook) not from my actual RSS feeds.
So what email / marketing / delivery / internet security related blogs are people reading these days? What should I add to my list to keep up to date on the pulse of the email industry?
EDIT: apparently the Akismet filter I use went berserk with the multiple links in comments. I think I’ve pulled everything they caught incorrectly. If you tried to post and it’s not showing, drop me an email at the obvious place.

Dear Email Address Occupant

There’s a great post over on CircleID from John Levine and his experience with a marketer sending mail to a spam trap.
Apparently, some time back in 2002 someone opted in an address that didn’t belong to them to a marketing database. It may have been a hard to read scribble that was misread when the data was scanned (or typed) into the database. It could be that the person didn’t actually know their email address. There are a lot of ways spamtraps can end up on lists that don’t involve malice on the part of the sender.
But I can’t help thinking that mailing an address for 10 years, where the person has never ever responded might be a sign that the address isn’t valid. Or that the recipient might not want what you’re selling or, is not actually a potential customer.
I wrote a few weeks back about the difference between delivery and marketing. That has sparked conversations, including one where I discovered there are a lot of marketers out there that loathe and despise delivery people. But it’s delivery people who understand that not every email address is a potential purchaser. Our job is to make sure that mail to non-existent “customers” doesn’t stop mail from actually getting to actual potential customers.
Email doesn’t have an equivalent of “occupant” or “resident.” Email marketers need to pay attention to their data quality and hygiene. In the snail mail world, that isn’t true. My parents still get marketing mail addressed to me, and I’ve not lived in that house for 20+ years. Sure, it’s possible an 18 year old interested in virginia slims might move into that house at some point, and maybe that 20 years of marketing will pay off. It only costs a few cents to keep that address on their list and the potential return is there.
In email, though, sending mail to addresses that don’t have a real recipient there has the potential to hurt delivery to all other recipients on your list. Is one or two bad addresses going to be the difference between blocked and inbox? No, but the more abandoned addresses and non-existent recipients on a list there are on a list, the more likely filters will decide the mail isn’t really important or wanted.
The cost of keeping that address, one that will never, ever convert on a list may mean losing access to the inbox of actual, real, converting customers.

What not to do

There’s a London concert promoter that’s been spamming our old sales address for 5 or 6 years now. I’ve sent in complaints, I’ve tried to unsubscribe, and the mail still keeps coming. They managed to get through my filters, again, this morning. In a fit of frustration I tweeted about how frustrated I was that they would not stop spamming me.
Well, that got someone’s attention. The person managing their twitter account tweeted at me with an email address and a suggestion to send him my address so he could take care of it. I sent the mail as asked and even got a reply.
Unfortunately, the reply was “I clicked the unsubscribe link at the bottom of the message for you.”
I dunno, maybe his mouse is a magic mouse and, somehow, the click from that magic mouse will be more effective than a click from my not-magic mouse. I’m not holding out much hope, though. I have no doubt that my sales address will keep getting invited to raves in London long after I retire.

DKIM deployment challenges

Cloudmark has an interesting blog post pointing out some of the challenges of signing mail with DKIM in a large company with a diverse mail system.