Recent Posts

Hotmail fights greymail

I’ve heard a lot of marketers complaining about people like me who advocate actually purging addresses from marketing lists if those addresses are non-responsive over a long period of time. They have any number of reasons this advice is poor. Some of them can even demonstrate that they get significant revenue from mailing folks who haven’t opened an email in years.
They also point out that there isn’t a clear delivery hit to leaving those abandoned addresses on their list. It’s not like bounces or complaints. There isn’t a clear way to measure the dead addresses and even if you could there aren’t clear threshold guidelines published by the ISPs.
Nevertheless, I am seeing more and more data that convinces me the ISPs do care about companies sending mail that users never open or never read or never do anything with.
The most recent confirmation was the announcement that Hotmail was deploying more tools to help users manage “greymail.” I briefly mentioned the announcement last week. Hotmail has their own blog post up about the changes.
It seems my initial claim that these changes won’t affect delivery may have been premature. In fact, these changes are all about making it easier for Hotmail users to deal with the onslaught of legitimate but unwanted mail.

Read More

Government and botnets

The US government is looking at telling ISPs how to deal with compromised customers and botnets.
They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

Read More

Spot the CAN SPAM violations

I received this piece of unsolicited email today, to an address harvested off a website. How many CAN SPAM violations can you count?

Read More

Spammers and Google+

I have a Google+ account, but don’t check it very often. There seems to be a significant amount of noise on the feeds and trying to keep up with all the people who added me to circles was driving all the real mail out of my Gmail inbox.
This morning I realized the noise just got louder. It seems spammers are buying very, very old lists scraped from usenet and inviting everyone on those lists to join them on Google+. Yup, an address of mine that has not been used in 7 or 8 years and is not very publicly associated with me got a Google+ invite from someone I’ve never heard of before.
I know there have been a lot of complaints about spammers abusing Google+. I thought it was possible, but I didn’t realize they were actually purchasing email lists to load into Google and spam people.

Read More

Changes at Hotmail

Microsoft announced a number of changes to the Hotmail interface today. It doesn’t look like this will affect how mail is received, but will affect how users can interact with it.
As always, the best advice I can give you is send mail people want and like.

Read More

Links Sept 29, 2011

Al Iverson has a post up about his experiences with customers who try to acquire email addresses through appending.
J.D. Falk has a post up about the history of DKIM.

Read More

Six months or out

Mickey Chandler has a great post up about Triage vs. Planning, where he talks about how the decisions you make differ depending on the context.
It’s a good read, and I strongly encourage everyone to go give it a look.
But his post led me to a post by Andrew Kordek at Trendline where he claims that there is an industry rule of thumb that 6 months defines an inactive.
Wait, What?
I know there’s a huge amount of controversy in the email space about whether or not you should purge inactive addresses. I know there are some very vocal people who think that removing inactive addresses is tantamount to marketing suicide. But where did 6 months come from? Who made it an industry standard?
If we don’t know where the standard came from, if we don’t know why we’re doing it, then what kind of Mickey Mouse industry are we running here?
There is a lot about email marketing that is empirical. You poke the black box on one side and see what happens on the other. The problem with that is that we can “discover” a lot of effects that aren’t real, but somehow turn into “you must do this!”
I have no doubt there are times when a 6 month expiry is a good idea. A number of my clients over the last few years use a much, much shorter time because that’s what works for them. I also know there are times when longer expiry times are a good idea, too.
It’s really important that when you’re making decisions about your email marketing program that you don’t mindlessly apply “standards” to what you’re doing. Think about the practical effects of your decisions and put them in context with your overall business plan.
To do otherwise is to kneecap your email marketing program.

Read More

Are you ready for the next attack?

ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise.
Last week a number of email marketers became aware that attacks against ESPs and senders were ongoing. The shock and surprise many people exhibited prompted my Spear Phishing post on Friday.
The first round of phishing went out on Wednesday; by Friday they were coming from a different ESP. Whether this was a compromised ESP customer or employee doesn’t matter. ESPs should have reaction plans in place to deal with these threats.
It’s been months since the first attacks. This is more than enough time to have implemented some response to reports of attacks. Yet, many people I talked to last week had no idea what they should or could be doing to protect themselves and their customers.
Last time the attacks were publicly discussed I was frustrated with many of the “how to respond” posts because few of them seemed to address the real issue. People seemed to be pushing agendas that had nothing to do with actually fixing the security holes. There were lots of recommendations to sign all mail with DKIM, implement 2-factor authentication, deploy validation certificates on web properties, or adhere to sender’s best practices.
None of those recommendations actually addressed the gaping security hole: Humans.

Read More

DKIM is Done

This was posted to the IETF DKIM Working Group mailing list this morning:

Read More

Spear phishing

It’s been about a year since people started publicly talking about spear phishing attacks against ESPs and major emailers. There was a lot of energy put into talking about how to protect against future attacks. I have to wonder, though, how much of that talk translated into action?
What processes do you have in place to protect your company against attacks?
If you’re at an ESP, do you have the ability to scan your outgoing stream for keywords or domains?
If you’re a brand, have you implemented restrictions on which employees have access to your databases?
What have you done since the last set of attacks? Are you vulnerable if new attacks start?
More information on ESP attacks:
Be on the lookout
Time for a real security response
Email attacks

Read More