Recent Posts

More information on arrests

Terry Zink has a more detailed post on some of the spammer arrests and takedowns that have happened recently.
In addition to the events I mentioned yesterday, authorities arrested an Armenian man suspected of running the Bredolab botnet. Unfortunately, the arrest has not stopped the spam with the malware payload.
These are issues that many ISP abuse and postmaster desks deal with on a daily basis. Their filtering schemes and policies are in place to protect customers from the mob, and criminals. I don’t think enough marketers and senders understand exactly how much the ISPs are dealing with and why many ISPs don’t really care that “mail is taking 12 hours to get to the inbox.” They are dealing with much more important things.

The dark side of email marketing

Everyone I talk to when dealing with issues inevitably has to tell me they are legitimate email marketers. They’re not spammers, they’re just business people. I often find it difficult to fathom why they need to tell me this. It’s not like email marketers are criminals or anything.
Two recent stories reminded me how evil some folks are. While I’ve not had any direct contact (that I know of) with any of the players on this end of things I have zero doubt that if they called me they would tell me that they were legitimate email marketers.
In one case, a members of a spam gang kidnapped the teenage daughter of someone investigating their activities. The gang held her for more than 5 years in horrific conditions. Yesterday Joseph Menn, author of “Fatal System Error” posted on Boing Boing that his friend got his daughter back. It is a heartbreaking story and incredibly sobering.
In another case, the Russian police arrested a man who ran spammit.com, a clearinghouse for viagra sellers to find spammers to send their mail. Reports say that mail volumes dropped by a fifth after the site was taken offline.
There is real evil in the email marketing industry. Sure, they’re spammers and we can all stand up and say they’re not legitimate. But, this is what the ISPs and Spamhaus and law enforcement are dealing with on a regular basis.

Content based filters

Content based filters are incredibly complex and entire books could be written about how they work and what they look at. Of course, by the time the book was written it would be entirely obsolete. Because of their complexity, though, I am always looking for new ways to explain them to folks.
Content based filters look at a whole range of things, from the actual text in the message, to the domains, to the IP addresses those domains and URLs point to. They look at the hidden structure of an email. They look at what’s in the body of the message and what’s in the headers. There isn’t a single bit of a message that content filters ignore.
Clients usually ask me what words they should change to avoid the filters. But this isn’t the right question to ask. Usually it’s not a word that causes the problem. Let me give you a few examples of what I mean.
James H. has an example over on the Cloudmark blog of how a single missing space in an email caused delivery problems for a large company. That missing space changed a domain name in the message sufficiently to be caught by a number of filters. This is one type of content filter, that focuses on what the message is advertising or who the beneficiary of the message is. Some of my better clients get caught by these types of filters occasionally. A website they’re linking to or a domain name they’re using in the text of the message has a bad reputation. The mail gets bulked or blocked because of that domain in the message.
One of my clients went from 100% inbox every day to random failures at different domains. Their overall inbox was still in the 96 – 98% range, but there was a definite change. The actual content of their mail hadn’t changed, but we kept looking for underlying causes. At one point we were on the phone and they mentioned their new content management system. Sure enough, the content management company had a poor reputation and the delivery problems started exactly when they started using the content management. The tricky part of this was that the actual domains and URLs in the messages never changed, they were still clickthrough.clientdomain.example.com. But those URLs now pointed to an IP address that a lot of spammers were abusing. So there were delivery problems. We made some changes to their setup and the delivery problems went away.
The third example is one from quite a long time ago, but illustrates a key point. A client was testing email sends through a new ESP. They were sending one-line mail through the ESPs platform to their own email account. Their corporate spamfilter was blocking the mail. After much investigation and a bit of string pulling, I finally got to talk to an engineer at the spamfiltering company. He told me that they were blocking the mail because it “looked like spam.” When pressed, he told me they blocked anything that had a single line of text and an unsubscribe link. Once the client added a second line of text, the filtering issue went away.
These are just some of the examples of how complex content based filters are. Content is almost a misnomer for them, as they look at so many other things including layout, URLs, domains and links.

Ah, Spammers.

The too many.
The stupid.
The spammers.
The blog spammers are still actively attempting to get their claws into my blog. Today the comments included:

Broken Policies

As an email policy wonk, I think a lot about how specific policy implementations can go wrong. Sure, every policy can go wrong, or not fit a common case. A lot of people only write polices that address common cases and don’t worry about the rarer cases. The problem is there are some rare cases that may cause significant harm and those cases should be addressed.
Consumerist has a case up about email policy gone wrong with a clear path to harm but no policy for handling the issue. There are a couple places I see where this policy hole can be fixed.
Chase Bank does no verification when they collect email addresses, which results in them sending email to a person who does not have an account with Chase. This is not an ideal situation for anyone. Chase is revealing private financial information to an outside party, the actual bank customer is not getting their information and someone is getting email about money that’s not theirs.
In terms of policy for institutions handling sensitive personal information, I would always recommend implementing a verification step. This is mail that people want so they should confirm it. It’s also mail that really should be not going to 3rd parties.
Chase does not implement any verification step for email. This isn’t a fatal problem, as long as there is some process in place to get feedback and then correct the issue.
Unfortunately, Chase’s policies failed here, too. Chase requires an account number to speak to a representative about any issues. In this case, the email recipient does not have an account number. All of Chase’s contact channels rely on an account number: no account number, no talking to a human.
In terms of overall policy Chase is hoping here is that, at some point, their actual customer will notice they’re not getting email and call in and attempt to troubleshoot the problem with Chase reps. I’m willing to bet, though, that their tier 1 people don’t have the training or information needed to troubleshoot this problem. I expect they’re going to read the script that says, “We sent you the mail, it must be a problem on your end. Have a nice day.”
Chase, and other bank analogues that require an account number, that do not verify email addresses should not require account numbers to talk to someone about the mail they are receiving. Why? Because although it’s reasonably rare that the mail is going to the wrong party, the potential harm to the bank’s customer is very high. This danger to customers means the bank should invest in a support pathway that allows non-customers to call, or write, to report misdirected email.
If Chase were my customer, I’d recommend adding a button to the email that says “receiving this mail in error, report here.” Make this a simple form that the recipient can fill out, two boxes one for email address and one optional one for “reason”. Once the bank has the report, they can stop the misdirected email and attempt to contact the customer through another channel. I’d also recommend that customers confirm any new address they add to the account in the future.
I know the bank thinks that by requiring an account number they are protecting their customers. Unfortunately, they’re failing to address a rare but potentially harmful case. Sadly, I expect even after this, they will still fail to implement any changes that will stop this from happening in the future.

Clicktracking 2: Electric Boogaloo

A week or so back I talked about clicktracking links, and how to put them together to avoid abuse and blocking issues.
Since then I’ve come across another issue with click tracking links that’s not terribly obvious, and that you’re not that likely to come across, but if you do get hit by it could be very painful – phishing and malware filters in web browsers.

First, some background about how a lot of malware is distributed, what’s known as “drive-by malware”. This is where the hostile code infects the victims machine without them taking any action to download and run it, rather they just visit a hostile website and that website silently infects their computer.
The malware authors get people to visit the hostile website in quite a few different ways – email spam, blog comment spam, web forum spam, banner ads purchased on legitimate websites and compromised legitimate websites, amongst others.
That last one, compromised legitimate websites, is the type we’re interested in. The sites compromised aren’t usually a single, high-profile website. Rather, they tend to be a whole bunch of websites that are running some vulnerable web application – if there’s a security flaw in, for example, WordPress blog software then a malware author can compromise thousands of little blog sites, and embed malware code in each of them. Anyone visiting any of those sites risks being infected, and becoming part of a botnet.
Because the vulnerable websites are all compromised mechanically in the same way, the URLs of the infected pages tend to look much the same, just with different hostnames – http://example.com/foo/bar/baz.html, http://www.somewhereelse.invalid/foo/bar/baz.html and http://a.net/foo/bar/baz.html – and they serve up just the same malware (or, just as often, redirect the user to a site in russia or china that serves up the malware that infects their machine).
A malware filter operator might receive a report about http://example.com/foo/bar/baz.html and decide that it was infected with malware, adding example.com to a blacklist. A smart filter operator might decide that this might be just one example of a widespread compromise, and go looking for the same malware elsewhere. If it goes to http//a.net/foo/bar/baz.html and finds the exact same content, it’ll know that that’s another instance of the infection, and add a.net to the blacklist.
What does this have to do with clickthrough links?
Well, an obvious way to implement clickthrough links is to use a custom hostname for each customer (“click.customer.com“), and have all those pointing at a single clickthrough webserver. It’s tedious to setup the webserver to respond to each hostname as you add a new customer, though, so you decide to have the webserver ignore the hostname. That’ll work fine – if you have customer1 using a clickthrough link like http://click.customer1.com/123/456/789.html you’d have the webserver ignore “click.customer1.com” and just read the information it needs from “123/456/789.html” and send the redirect.
But that means that if you also have customer2, using the hostname click.customer2.com, then the URL http://click.customer2.com/123/456/789.html it will redirect to customer1’s content.
If a malware filter decides that http://click.customer1.com/123/456/789.html redirects to a phishing site or a malware download – either due to a false report, or due to the customers page actually being infected – then they’ll add click.customer1.com to their blacklist, meaning no http://click.customer1.com/ URLs will work. So far, this isn’t a big problem.
But if they then go and check http://click.customer2.com/123/456/789.html and find the same redirect, they’ll blacklist click.customer2.com, and so on for all the clickthrough hostnames of yours they know about. That’ll cause any click on any URL in any email a lot of your customers send out to go to a “This site may harm your computer!” warning – which will end up a nightmare even if you spot the problem and get the filter operators to remove all those hostnames from the blacklist within a few hours or a day.
Don’t let this happen to you. Make sure your clickthrough webserver pays attention to the hostname as well as the path of the URL.
Use different hostnames for different customers clickthrough links. And if you pick a link from mail sent by Customer A, and change the hostname of that link to the clickthrough hostname of Customer B, then that link should fail with an error rather than displaying Customer A’s content.

Would you buy a used car from that guy?

There are dozens of people and companies standing up and offering suggestions on best practices in email marketing. Unfortunately, many of those companies don’t actually practice what they preach in managing their own email accounts.
I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails. It’s clear that time and energy was put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.
My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.
I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you. ”
They respond with an email that starts with:
“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”
Wait. What? Members of our database? How did this address get into your database?
“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago. It’s helpful that you let us know to unsubscribe you. Thank you again.”
There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?
How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?
Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone has asked to be subscribed or is an active customer or prospect is one thing. Requests sent to addresses of unknown provenance are still spam.
Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found those cards and added them to the ‘member database.’
But wait! It gets even better. Strongmail was sending me this mail, so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide me unending blog fodder for my new series entitled “Don’t do this!”

Spam is not a marketing strategy

Unfortunately, this fact doesn’t stop anyone from spamming as part of their marketing outreach. And it’s not just email spam. I get quite a bit of blog spam, most of which is caught by Akismet. Occasionally, though, there’s spam which isn’t caught by the filter and ends up coming to me for approval.
Many of these are explanations of why email marketing is so awesome. Some of them are out and out laugh inducing. One of my favorites, and the inspiration for this post.

Email as social media

Rachel Luxemburg, a good friend of mine who runs the Community team over at Adobe, tweeted a link to Successful Social Media is More Than A Campaign. I was reading that article and realized quite how much of it applies to email. In fact, a couple of Amber’s specific recommendations are directly relevant to email.

Just stop spamming!

Al posted a clip from the Jim Carrey movie Liar Liar on SpamResource (slightly NSFW) that resonated with me this week.
If you meet me on the street and ask me what my job is I’ll tell you that I work with companies who send bulk email to make sure that they’re not sending spam. I do this by educating clients into good practices and teaching them how to send mail people want to receive. What this statement doesn’t tell people is that usually clients find me because they have been suspended by their ISP for spamming or blocked by some receiver.
Clients who find me because they can’t send mail usually hire me to solve their immediate problem. And I do give the the best advice I can to resolve their problem. But fixing today’s problem isn’t enough, you also need to fix the processes that caused the problem. To me, a critical part of my job is to set clients up for long term success by creating procedures that will get them delisted and keep them from being relisted in the future.
Sometimes, though, I have those moments Al is talking about. When clients don’t actually want to fix their problems, they just want to argue. They want to argue about the definition of spam. They want to argue about permission. They want to argue about how awful their ISPs are for suspending their account. They want to argue about CAN SPAM. They want to argue about free speech. They are angry and they want to fight.
My role is to listen to them, then guide them down a constructive path. I do turn out to be the sounding board for a lot of customers, sometimes they just need to know someone is listening to them. Once they get it all out we can move on into solving the problem.
But, boy, are there the occasional conversations where I just want to scream, “JUST STOP SPAMMING!”