Recent Posts

Blackboxes and unknown effects

In my previous career I studied the effect of alcohol on developing embryos. It’s a bit weird I ended up in that field because embryological development always seemed to complex to me. And it was and is complicated. In a lot of ways, though, it was good training for deliverability. We dealt with a lot of processes that seem, on the surface, straightforward.
Fertilization happens, then you get a flat group of cells, those cells fold up into the neural tube, cells migrate around, things happen, limbs form, organs form and 21 days later you have a fluffy little chick.
The details in all those steps, though. They’re a bit more complicated, looking something like this:
There are lots of different things going on inside the embryo to take it from a single cell up to a complex multicellular being. Genes turn on, genes turn off at different times in development, often driven by overlapping concentration gradients. Genes turn each other and themselves on and off. It’s complex, though, and there are things that happen that we don’t quite understand and have to black box. “If I add this protein, or take this gene and that gene away… what happens?”
A lot of that is like what email reputation is these days. There isn’t one factor in reputation, there are hundreds or thousands. They interact with each other, sometimes turning up reputation, sometimes turning down reputation. We figure this out by poking at the black box and seeing what happens. Unlike development, though, delivery rules are not fixed. They are changing along the way.
It’s not simple to explain delivery and how all the moving parts interact with each other. We don’t always know that doing A will lead to X. Because A -> X is not a straight line and there are other things that impact that line. Those other things also impact A, X and each other.
Delivery is a tangled web. On the surface it seems simple, but when you start peeling back the layers you discover the jumble of factors that all interact with each other. It’s what makes this a challenging field for all of us.

International Women's Day

Today is International Women’s Day. In recognition of this day, there has been a call for a general woman’s strike. I thought long and hard about how I would participate in this event. Even yesterday I had no clear view of whether or not I would be working today.
As a self-employed woman, me not working today only hurts me and my clients. There’s no one to leave work for, I either do it before or after. It’s got to get done and it’s my responsibility to do it. But at the same time, I recognize the unpaid and underpaid work most women do and fully support the strike.
After much thought, I decided that my contribution to the strike would be to do what I needed to do for work. But that I would remove myself from public conversations about email today. I spend quite a bit of my time doing unpaid work that supports the email industry: standards work, answering questions in various fora, supporting different initiatives, writing documents, blogging about industry events. I won’t be doing any of that work today.
Yes, there are questions I could answer, advice I could give, industry events that I have comments and insight on. But today, today I’m not going to do any of that.

Verizon changes but no time line

Yesterday there was a lot of talk about Verizon moving out of email and transitioning all their customers over to the AOL backend. The source was a page in the Verizon help center about transitioning an email address. There is no date on the page, so it’s unclear when this is going to happen or when it started.
I posted about Verizon beginning this transition back in May of 2016: Changes coming to Verizon email. The wording on the AOL page I link to is very similar to the wording on the page that was passed around yesterday.
Without a date it’s hard to really provide any advice, other than to maintain your list hygiene (you do have list hygiene programs, right?) and remove addresses that hard bounce. Quite honestly, I don’t think this will really have any effect on delivery. It doesn’t appear these changes are happening all at once, and Verizon customers have the option to keep their verizon.net address. They’re just going to have to access it differently.
For companies that use an email address as a primary key for logins or accounts, it’s probably a good time to contact customers with a verizon.net address and ask them to update their address. That’s a good idea most of the time, but when we know changes are happening at a domain level, it’s a requirement.

Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. (Update: 2019: both articles are gone, a cached version of the CSOnline link is at https://hackerfall.com/story/the-fall-of-an-empire-spammers-expose-their-entire) This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher, Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.
The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).

There are a couple interesting pieces of this story relevant to legitimate marketers.
The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:

February 2017: The Month In Email

Happy March!

As always, I blogged about best practices with subscriptions, and shared a great example of subscription transparency that I received from The Guardian. I also wrote about what happens to the small pool of people who fail to complete a confirmed opt-in (or double opt-in) subscription process. While there are many reasons that someone might not complete that process, ultimately that person has not given permission to receive email, and marketers need to respect that. I revisited an older post on permission which is still entirely relevant.
Speaking of relevance, I wrote about seed lists, which can be useful, but — like all monitoring tools — should not be treated as infallible, just as part of a larger set of information we use to assess deliverability. Spamtraps are also valuable in that larger set of tools, and I looked at some of the myths and truths about how ISPs use them. I also shared some thoughts from an industry veteran on Gmail filtering.
On the topic of industry veterans, myths and truths, I looked at the “little bit right, little bit wrong” set of opinions in the world of email. It’s interesting to see the kinds of proclamations people make and how those line up against what we see in the world.
We attended M³AAWG, which is always a wonderful opportunity for us to catch up with smart people and look at the larger email ecosystem and how important our work on messaging infrastructure and policy really is. I was glad to see the 2017 Mary Litynski Award go to Mick Moran of Interpol for his tireless work fighting abuse and the exploitation of children online. I also wrote about how people keep wanting to quote ISP representatives on policy issues, and the origin of “Barry” as ISP spokesperson (we should really add “Betty” too…)
Steve took a turn as our guest columnist for “Ask Laura” this month with a terrific post on why ESPs need so many IP addresses. As always, we’d love to get more questions on all things email — please get in touch!

End of an era

A few moments ago, I cancelled one of my email addresses. This is an address that has been mine since somewhere around 1993 or 4. It was old enough to vote. And now it’s no more.
I am not even sure why I kept it for so long. It was my dialup account back when I was in grad school in Delaware. When I moved to Madison to work at the university, I kept it as a shell account and email address. I gave it up as my primary email address about the time it was bought by a giant networking company. By then I had my own domain and a mail server living behind the futon in the living room. That was back when we started WttW, somewhere around 2002.
15 years the address has mostly laid dormant. I used it for a couple yahoo groups accounts, but just lists that I lurked on.
I did use it as research for some past clients, typically the ones using affiliate marketers. “Our affiliates only ever send opt in mail!” Yeah, no. See, look, your affiliate is spamming me. My favorite was when said customer put me on the phone with the affiliate.

Confirmed Opt-In: An Old Topic Resurrected

Looking back through my archives it’s been about 4 years or so since I wrote about confirmed opt in. The last post was how COI wasn’t important, but making sure you were reaching the right person was important. Of course, I’ve also written about confirmed opt-in in general and how it was a tool somewhat akin to a sledgehammer. I’m inspired to write about it today because it’s been a topic of discussion on multiple mailing lists today and I’ve already written a bunch about it (cut-n-paste-n-edit blog post! win!).
Confirmed opt-in is the process where you send an email to a recipient and ask them to click on a link to confirm they want the mail. It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology. It’s not, but that’s a story for another day. The question we were discussing was what to do with the addresses that don’t click. Can you email them? Should you email them? Is there still value in them?

We have to treat the addresses as a non-homogenous pool. There are a lot of reasons confirmation links don’t get clicked.

Policy is hard

We’re back at work after a trip to M³AAWG. This conference was a little different for me than previous ones. I spent a lot of time just talking with people – about email, about abuse, about the industry, about the ecosystem. Sometimes when you’re in a position like mine, you get focused way too much on the trees.

Of course, it’s the focusing on the trees that makes me good for my clients. I follow what’s going on closely, so they don’t have to. I pay attention so I can distill things into useable chunks for them to implement. Sometimes, though, I need to remember to look around and appreciate the forest. That’s what I got to do last week. I got to talk with so many great people. I got to hear what they think about email. The different perspectives are invaluable. They serve to deepen my understanding of delivery, email and where the industry is going.

One of the things that really came into focus for me is how critical protecting messaging infrastructure is. I haven’t spoken very much here about the election and the consequences and the changes and challenges we’re facing. That doesn’t mean I’m not worried about them or I don’t have some significant reservations about the new administration. It just means I don’t know how to articulate it or even if there is a solution.
The conference gave me hope. Because there are people at a lot of places who are in a place to protect users and protect privacy and protect individuals. Many of those folks were at the conference. The collaboration is still there. The concern for how we can stop or minimize bad behavior and what the implications are. Some of the most difficult conversations around policy involve the question who will this affect. In big systems, simple policies that seem like a no-brainer… aren’t. We’re seeing the effects of this with some of the realities the new administration and the Republican leaders of congress are realizing. Health care is hard, and complex. Banning an entire religion may not be a great idea. Governing is not like running a business.
Talking with smart people, especially with smart people who disagree with me, is one of the things that lets me see the forest. And I am so grateful for the time I spend with them.

Naming Names

One of the things that regularly happens at email conferences is a bunch of representatives from various ISPs and sometimes deliverability companies get up on stage and entertain questions from the audience about how to get email to the inbox. I’ve sat in many of these sessions – on both sides of the stage. The questions are completely predictable.
Almost invariably, someone asks if they can quote the ISP representative, because there is this belief that if you connect a statement with an employee name that will give the statement more weight. Except it doesn’t really. People who aren’t going to listen to the advice won’t listen to it even if there are names attached.
A lot of what I publish here is based on things the ISP reps have said. In some cases the reps actually review and comment on the post before I publish it. I don’t really believe attaching names to these posts will make them any more accurate. In fact, it will decrease the amount of information I can share and will increase the amount of time it takes to get posts out.
Last night I was joking with some folks that I should just make up names for attribution. Al did that many years ago, coining the pseudonym Barry for ISP reps. Even better, many of the ISP employees adopted Barry personas and used them to participate in different online spaces. Barry A. says X. Barry B. says Y. Barry C. says W. Barry D.
It doesn’t matter what names I attach.
I think I’m going to start adding this disclaimer to the appropriate blog posts:
Any resemblance to persons living or dead should be plainly apparent to them and those that know them. All events described herein actually happened, though on occasion the author has taken certain, very small, liberties with narrative.
Because, really.

Network Abuse

Many years ago, back when huge levels of spam involved hundreds of thousands of emails, there was a group of people who spent a lot of time talking about what to do about abuse. One of the distinctions we made was abuse of the net as opposed to abuse on the net. We were looking at abuse of the network, that is activity that made the internet less useable. At the time abuse of the network was primarily spam; sure, there were worms and some malicious traffic, but we were focused on email abuse.
In the last 20 years, multiple industries have arisen around network abuse. I’m sitting at a conference with hundreds of people discussing how to address and mitigate abuse online. In the context of the early discussions, we’re mostly focused on abuse of the network, not abuse on the network.
But abuse on the network is an issue. It’s a growing issue, IMO. The internet has contributed to the rise and normalization of the alt-right. Social media is a medium used for abuse on the net. Incidents range from bullying of school kids to harassment of celebrities to sharing of child abuse material. All of these things are abuse on the net. They are an issue. They need to be addressed.
Today M³AAWG gave the 2017 Mary Litynski Award to Mick Moran from Interpol for his work in fighting child exploitation and abuse on the net. As I tweeted during the session, I have a phenomenal amount of respect for Mick and people like him who work tirelessly to protect children online. I don’t talk much about child abuse materials*, but I know the problem is there and it’s bad.

One of the discussions I’ve had with some folks lately is how we can better fight abuse on the net. Many of the tools we’ve built over the years are focused on volume – more complaints mean a more serious incident. But in the case of abuse on the net, or who is wrong. volume isn’t really an issue. It’s a hard problem to solve. It’s easy to create a system that lets the good guys get information, but it’s hard to create a system that also keeps the bad guys out and prevents gaming and is effective and values single complaints of problems.
Folks like Mick, and the abuse teams at ISPs all over the world, are integral to finding and rescuing abused and exploited children. Their work is so important, and most people have no idea they exist. On top of that, the work is emotionally difficult. Some of my friends work in that space, dealing with child abuse materials, and all of them have the untold story of the one that haunts them. They don’t talk about it, but you can see it in their eyes and faces.
We can do better. We should do better. We must do better.

*Note: Throughout this post I use the term “child abuse materials” to describe what is commonly called child pornography. This is because porn isn’t necessarily bad nor abusive and the term child porn minimizes the issue. It’s important to make it clear that children are abused, sometimes for years, in order to make this material.