Recent Posts

Analysing a data breach – CheetahMail

I often find myself having to analyze volumes of email, looking for common factors, source addresses, URLs and so on as part of some “forensics” work, analyzing leaked emails or received spam for use as evidence in a case.
For large volumes of mail where I might want to dig down in a lot of detail or generate graphical or statistical reports I tend to use Abacus to slurp in and analyze all the emails, store them in a SQL database in an easy-to-handle format and then do the ad-hoc work from a SQL command line. For smaller work, though, you can get a long way with Unix command-line tools and some basic Perl scripting.
This morning I received Ukrainian bride spam to a tagged address that I’d only given to one vendor, RedEnvelope, so that address has leaked to criminal spammers from somewhere. Looking at a couple of RedEnvelope’s emails I see they’re sending from a number of sources, so I decided to dig a little deeper.
I started by searching for all emails to that tagged address in my mail client, then copied all the matching emails to a newly created folder. Then I took a copy of that folder and split it into one file per email using a shell one-liner:

Read More

I hate spam

But sometimes it makes me laugh. Yesterday I got a 419 that said, “[…]have been diagonalized with HIV/AIDS which has defiled all forms of medical treatment[…]” Diagonalized? Defiled all forms of treatment?
At least it was entertaining, right?

Read More

Customized for your profile?

With all the discussion about how daily deal emails are the silver bullet to making a profit on the Internet, I signed up for a couple of lists. Not only did I sign up for different lists, I also signed up for the same lists from different addresses.
One of those programs touts that they send me offers tailored to me. Except that the offers I get at Hotmail are different from the ones I get at Gmail, which are different again from the ones I get elsewhere.
So how tailored is this really? In general there is no difference with how I interact with the mail in those various accounts, so that profile is the same. And, well, the person behind the addresses is all the same. If the ads were specially chosen for me, why am I getting different ones at different accounts? Is this particular marketer simply randomly assigning offers and claiming they’re targeted? How many other mailers claim to send ads tailored to my profile, and then just throw the profile out the window and send whatever they want to send today?
This isn’t to say that there aren’t some marketers that do pay attention to recipient profiles. But I’m starting to wonder if the majority of “targeting” is more lip service than reality.
What do other people think?

Read More

Character encoding

This morning, someone asked an interesting question.

Last time I worked with the actual HTML design of emails (a long time ago), <head> was not really needed. Is this still true for the most part? Any reason why you still want to include <head> + meta, title tags in emails nowadays?

Read More

What matters for reputation?

There is a contingent of senders and companies that seems to believe that receiver ISPs and filtering companies aren’t measuring reputation correctly. Over and over again the discussion comes up where senders think they can improve on how reputation is measured.
One factor that is continually repeated is the size of the company. I’ve even seen a couple people suggest that corporate net worth should be included in the reputation calculation.
The problem with this suggestion is that just because a company is big or has a high net worth or is on the Fortune 500 doesn’t mean that the mail they send isn’t spam. I’ve certainly received spam from large, name-brand companies (and organizations). I’ve also consulted with a number of those companies who bought or appended a list and then had to deal with the fallout from a Spamhaus listing or upstream disconnection.
Sure, there is a certain logic to company size and prominence being a part of a reputation calculation. For instance, my experience suggests consumers who recognize a brand are less likely to treat mail as “spam” even if they didn’t sign up for the mail in the first place. Certainly there are large brands (Kraft, FTDDirect, 1-800Flowers, OfficeDepot) that have been caught sending mail to people who never opted in to their lists.
Many people don’t realize that company size and prominence are already factored into the reputation scores. No, ISPs don’t look at a mail and, if it’s authenticated, add in a little positive because it’s part of a giant, name-brand company. Rather, the recipients change how they interact with the mail. Even recipients who didn’t sign up for mail from Office Depot may click through and purchase from an offer. Some recipients, recognizing the brand, will hit delete instead of “this is spam.”
All of these things mean that big brands already get the benefit of their recognition through recipient behaviour. Elaborate processes and extra reputation points given to big brands don’t need to happen; they’re already an innate part of the system.

Read More

Defending against the hackers of 1995

Passwords are convenient for the end user, but it’s too easy to lose control of them. People share them with other people. People write them down, where they can be read. People send them in email, and that email is easily intercepted. People’s web browsers store the passwords, so they can log in automatically. Worst of all, perhaps, people tend to use the same username and password at many different websites. If just one of those websites is compromised (or even run as a password collecting scam) then those passwords can be used to attack accounts at all of the others.
Two factor authentication that uses an uncopyable physical device (such as a cellphone or a security token) as a second factor mitigates most of these threats very effectively. Weaker two factor authentication using digital certificates is a little easier to misuse (as the user can share the certificate with others, or have it copied without them noticing) but still a lot better than a password.
Security problems solved, then?

Read More

What is Two Factor Authentication?

Two factor authentication, or the snappy acronym 2FA, is something that you’re going to be hearing a lot about over the next year or so, both for use by ESP employees (in an attempt to reduce the risks of data theft) and by ESP customers (attempting to reduce the chance of an account being misused to send spam).
What is Authentication?
In computer security terms authentication is proving who you are – when you enter a username and a password to access your email account you’re authenticating yourself to the system using a password that only you know.
Authentication (“who you are”) is the most visible part of computer access control, but it’s usually combined with two other A’s – authorization (“what you are allowed to do”) and accounting (“who did what”) to form an access control system.
And what are the two factors?
Two factor authentication means using two independent sources of evidence to demonstrate who you are. The idea behind it is that an attacker needs to steal two quite different bits of information, with different weaknesses and attack vectors, in order to gain access. This makes the attack scenario much more complex and difficult for an attacker to carry out.
It’s important that the different factors are independent – requiring two passwords doesn’t count as 2FA, as an attack that can get the first password can just as easily get the second password. Generally 2FA requires the user to demonstrate their identity via two out of three broad ways:

Read More

Auto-acks don't create a contract

From Eric Goldman’s blog Acknowledging Receipt of an Email Doesn’t Form a Contract–Stebbins v. Wal-Mart. I know a number of people who have tried the “if you do X, we will have a contract” trick and it’s nice to see the courts pointing out how silly this is.

Read More

Security framework document published

The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security, while others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.

Read More

Setting expectations at the point of sale

In my consulting, I emphasize that senders must set recipient expectations correctly. Receiver sites spend a lot of time listening to their users and design filters to let wanted and expected mail through. Senders that treat recipients as partners in their success usually have much better email delivery than those senders that treat recipients as targets or marks.
Over the years I’ve heard just about every excuse as to why a particular client can’t set expectations well. One of the most common is that no one does it. My experience this weekend at a PetSmart indicates otherwise.
As I was checking out I showed my loyalty card to the cashier. He ran it through the machine and then started talking about the program.
Cashier: Did you give us your email address when you signed up for the program?
Me: I’m not sure, probably not. I get a lot of email already.
Cashier: Well, if you do give us an email address associated with the card every purchase will trigger coupons sent to your email address. These aren’t random, they’re based on your purchase. So if you purchase cat stuff we won’t send you coupons for horse supplies.
I have to admit, I was impressed. PetSmart has email address processes that I recommend to clients on a regular basis. No, they’re not a client so I can’t directly take credit. But whoever runs their email program knows recipients are an important part of email delivery. They’re investing time and training into making sure their floor staff communicate what the email address will be used for, what the emails will offer and how often they’ll arrive.
It’s certainly possible PetSmart has the occasional email delivery problem despite this, but I expect they’re as close to 100% inbox delivery as anyone else out there.

Read More