Recent Posts

Clicktracking 2: Electric Boogaloo

A week or so back I talked about clicktracking links, and how to put them together to avoid abuse and blocking issues.
Since then I’ve come across another issue with click tracking links that’s not terribly obvious, and that you’re not that likely to come across, but if you do get hit by it, it could be very painful – phishing and malware filters in web browsers.
Visiting this site may harm your computer
First, some background about how a lot of malware is distributed, what’s known as “drive-by malware”. This is where the hostile code infects the victim’s machine without them taking any action to download and run it; they just visit a hostile website and that website silently infects their computer.
The malware authors get people to visit the hostile website in quite a few different ways – email spam, blog comment spam, web forum spam, banner ads purchased on legitimate websites and compromised legitimate websites, amongst others.
That last one, compromised legitimate websites, is the type we’re interested in. The sites compromised aren’t usually a single, high-profile website. Rather, they tend to be a whole bunch of websites that are running some vulnerable web application – if there’s a security flaw in, for example, WordPress blog software then a malware author can compromise thousands of little blog sites, and embed malware code in each of them. Anyone visiting any of those sites risks being infected, and becoming part of a botnet.
Because the vulnerable websites are all compromised mechanically in the same way, the URLs of the infected pages tend to look much the same, just with different hostnames – http://example.com/foo/bar/baz.html, http://www.somewhereelse.invalid/foo/bar/baz.html and http://a.net/foo/bar/baz.html – and they serve up just the same malware (or, just as often, redirect the user to a site in Russia or China that serves up the malware that infects their machine).
A malware filter operator might receive a report about http://example.com/foo/bar/baz.html and decide that it was infected with malware, adding example.com to a blacklist. A smart filter operator might decide that this might be just one example of a widespread compromise, and go looking for the same malware elsewhere. If it goes to http://a.net/foo/bar/baz.html and finds the exact same content, it’ll know that that’s another instance of the infection, and add a.net to the blacklist.
What does this have to do with clickthrough links?
Well, an obvious way to implement clickthrough links is to use a custom hostname for each customer (“click.customer.com”), and have all those pointing at a single clickthrough webserver. It’s tedious to set up the webserver to respond to each hostname as you add a new customer, though, so you decide to have the webserver ignore the hostname. That’ll work fine – if you have customer1 using a clickthrough link like http://click.customer1.com/123/456/789.html you’d have the webserver ignore “click.customer1.com” and just read the information it needs from “123/456/789.html” and send the redirect.
But that means that if you also have customer2, using the hostname click.customer2.com, then the URL http://click.customer2.com/123/456/789.html will redirect to customer1’s content.
If a malware filter decides that http://click.customer1.com/123/456/789.html redirects to a phishing site or a malware download – either due to a false report, or due to the customer’s page actually being infected – then they’ll add click.customer1.com to their blacklist, meaning no http://click.customer1.com/ URLs will work. So far, this isn’t a big problem.
But if they then go and check http://click.customer2.com/123/456/789.html and find the same redirect, they’ll blacklist click.customer2.com, and so on for all the clickthrough hostnames of yours they know about. That’ll cause any click on any URL in any email a lot of your customers send out to go to a “This site may harm your computer!” warning – which will end up a nightmare even if you spot the problem and get the filter operators to remove all those hostnames from the blacklist within a few hours or a day.
Don’t let this happen to you. Make sure your clickthrough webserver pays attention to the hostname as well as the path of the URL.
Use different hostnames for different customers’ clickthrough links. And if you pick a link from mail sent by Customer A, and change the hostname of that link to the clickthrough hostname of Customer B, then that link should fail with an error rather than displaying Customer A’s content.
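
The check described above, as an added example that is not code from the original post: a host-blind lookup beside a host-aware one, plus a helper that shows which hostnames a filter would find serving the same redirect. The customers, hostnames, link table and function names are all constructed for illustration.

```python
# Added example: constructed customers, hostnames and link table.

# Each customer's clickthrough hostname (constructed sample data).
HOST_TO_CUSTOMER = {
    "click.customer1.com": "customer1",
    "click.customer2.com": "customer2",
}

# Link path -> (owning customer, real destination); constructed sample data.
LINKS = {
    "/123/456/789.html": ("customer1", "https://www.customer1.com/offer"),
    "/987/654/321.html": ("customer2", "https://www.customer2.com/news"),
}


def normalise_host(host_header):
    """Lower-case the Host header and drop any port and trailing dot."""
    return host_header.strip().lower().split(":")[0].rstrip(".")


def resolve_host_blind(host_header, path):
    """The shortcut from the post: ignore the hostname, look up the path only."""
    link = LINKS.get(path)
    return (302, link[1]) if link else (404, None)


def resolve(host_header, path):
    """Redirect only when the link belongs to the customer that owns the hostname."""
    customer = HOST_TO_CUSTOMER.get(normalise_host(host_header))
    link = LINKS.get(path)
    if customer is None or link is None or link[0] != customer:
        return (404, None)  # same error for every mismatch, no redirect
    return (302, link[1])


def hosts_sharing_redirect(resolver, path):
    """Hostnames that serve a redirect for this path, i.e. what a filter
    probing each hostname with the same path would find."""
    return sorted(h for h in HOST_TO_CUSTOMER if resolver(h, path)[0] == 302)


if __name__ == "__main__":
    p = "/123/456/789.html"
    print("host-blind:", hosts_sharing_redirect(resolve_host_blind, p))
    print("host-aware:", hosts_sharing_redirect(resolve, p))
```

With the host-blind resolver every clickthrough hostname answers for customer1’s link; with the host-aware one only click.customer1.com does.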


Would you buy a used car from that guy?

There are dozens of people and companies standing up and offering suggestions on best practices in email marketing. Unfortunately, many of those companies don’t actually practice what they preach in managing their own email accounts.
I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails. It’s clear that time and energy were put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.
My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.
I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you. ”
They respond with an email that starts with:
“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”
Wait. What? Members of our database? How did this address get into your database?
“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago.  It’s helpful that you let us know to unsubscribe you.  Thank you again.”
There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?
How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?
Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone who has asked to be subscribed or is an active customer or prospect are one thing. Requests sent to addresses of unknown provenance are still spam.
Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found  those cards and added them to the ‘member database.’
But wait! It gets even better. Strongmail was sending me this mail, so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide me unending blog fodder for my new series entitled “Don’t do this!”


Spam is not a marketing strategy

Unfortunately, this fact doesn’t stop anyone from spamming as part of their marketing outreach. And it’s not just email spam. I get quite a bit of blog spam, most of which is caught by Akismet. Occasionally, though, there’s spam which isn’t caught by the filter and ends up coming to me for approval.
Many of these are explanations of why email marketing is so awesome. Some of them are out and out laugh inducing. One of my favorites, and the inspiration for this post.


Email as social media

Rachel Luxemburg, a good friend of mine who runs the Community team over at Adobe, tweeted a link to Successful Social Media is More Than A Campaign. I was reading that article and realized quite how much of it applies to email. In fact, a couple of Amber’s specific recommendations are directly relevant to email.


Just stop spamming!

Al posted a clip from the Jim Carrey movie Liar Liar on SpamResource (slightly NSFW) that resonated with me this week.
If you meet me on the street and ask me what my job is I’ll tell you that I work with companies who send bulk email to make sure that they’re not sending spam. I do this by educating clients into good practices and teaching them how to send mail people want to receive. What this statement doesn’t tell people is that usually clients find me because they have been suspended by their ISP for spamming or blocked by some receiver.
Clients who find me because they can’t send mail usually hire me to solve their immediate problem. And I do give them the best advice I can to resolve their problem. But fixing today’s problem isn’t enough, you also need to fix the processes that caused the problem. To me, a critical part of my job is to set clients up for long term success by creating procedures that will get them delisted and keep them from being relisted in the future.
Sometimes, though, I have those moments Al is talking about. When clients don’t actually want to fix their problems, they just want to argue. They want to argue about the definition of spam. They want to argue about permission. They want to argue about how awful their ISPs are for suspending their account. They want to argue about CAN SPAM. They want to argue about free speech. They are angry and they want to fight.
My role is to listen to them, then guide them down a constructive path. I do turn out to be the sounding board for a lot of customers, sometimes they just need to know someone is listening to them. Once they get it all out we can move on into solving the problem.
But, boy, are there the occasional conversations where I just want to scream, “JUST STOP SPAMMING!”


Mail that looks like spam

One thing I repeat over and over again is to not send mail that looks like spam. Over at the Mailchimp Blog they report some hard data on what looks like spam. The design is simple, they took examples of mail sent by their customers and forwarded them over to Amazon’s Mechanical Turk project to be reviewed by humans.
In a number of cases they discovered that certain kinds of templates kept getting flagged as spam, even when Mailchimp was sure that the sender had permission and the recipients wanted the mail. They analyzed some of these false positives and identified some of the reasons that naive users may identify those particular emails as spam.
Ben concludes:


One beeelion dollars

Facebook won another round in their court case against a Canadian spammer last week. Their $873,000,000 judgment was upheld by the Quebec Superior court. At today’s exchange rates, the judgment translates to over CDN$1,000,000,000.
In fine spammer style the defendant, Adam Guerbuez, is flouting the judgment and claiming he won’t pay a dime. In fact, he’s already filed bankruptcy and is reported to have transferred a number of assets to family members. From what I’m hearing from some of my Canadian colleagues the courts up there take a very dim view of his behaviour. Like many things that go through the court system, though, it is unlikely that the process will be rapid.
This is one of the largest, if not the largest, fines levied for violations of the CAN SPAM act. I don’t think Facebook will see much, if anything, of the money. But, hey, maybe the Canadian courts will throw this spammer in jail for flouting their ruling.


The hard sell works

Ken Magill, dad extraordinaire, describes how he went above and beyond the call to get his son a DVD while battling hard sell marketing techniques.


Clicktracking link abuse

If you use redirection links in the emails you send out, where a click on the link goes to your server – so you can record that someone clicked – before redirecting to the real destination, then you’ve probably already thought about how they can be abused.
Redirection links are simple in concept – you include a link that points to your webserver in email that you send out, then when recipients click on it they end up at your webserver. Instead of displaying a page, though, your webserver sends what’s called a “302 redirect” to send the recipient’s web browser on to the real destination. How does your webserver know where to redirect to? There are several different ways, with different tradeoffs:


Return Path Certification: Is there value?

Recently, a client asked me, what is the value to ISPs in utilizing Return Path Certification (formerly known as Sender Score Certified)? Meaning, why do ISPs use it? A number of ISPs both big and small have spam filtering systems that treat certified IP addresses differently than non-certified IP addresses. Sometimes spam filtering is bypassed, effectively guaranteeing inbox delivery. Sometimes rate limits are greatly loosened, allowing mail to flow in much faster. Sometimes it is used as just one of the many variables used by the ISP to determine inbox placement versus bulk folder placement versus rejecting the mail outright.
The question is a little different than usual. It’s not a question of, why should a sender become certified? It’s a question of, why would an ISP choose to use the certification data on the inbound side? It’s a neat question, one that I’ve never really heard answered by an ISP before.
Curious, I asked a number of ISP folks for their opinions on this topic. Assuming few would want to discuss this on the record, I made it clear that I wouldn’t mention any names. What I found was that nobody had anything bad to say about Return Path Certification. One person I talked to said that they don’t really give it that much thought–it just works. Many thousands of inbound messages come in from certified IPs, and they never get any spam complaints about those messages, so it’s all good. That’s hardly a scientific review process, but hey, if it works for them…
Another told me that Return Path Certification “helps us by helping senders improve the overall quality and desirability of email that comes into our network.  This is great for our customers who rely on email communications in their daily life and expect of us predictable delivery of their key emails.”
The overwhelming message I received from ISPs was that they like Return Path Certification because there’s a strong implication that those mail streams are already clean and that the sender’s practices have already been vetted. They feel that Return Path is doing the hard work of insisting on the right best practice requirements and monitoring appropriate metrics to ensure that good guys get certified and bad guys don’t get certified. If a sender can get certified, it is as though they are announcing to the world (and ISPs) that they have already been reviewed and seem to be doing things correctly.
10/14/2010 Update: Return Path just notified certified senders that their mail will now proceed directly to the inbox at Comcast, presumably bypassing some or all of Comcast’s usual spam filtering.
Guest post by Al Iverson.
