Recent Posts

December 2016: The Month in Email

Happy New Year! We’re looking forward to some interesting new projects this year, both for our clients and for Word to the Wise. Stay tuned!
December was a slow month for blogging, with everything going on. But we’re back on the horse now and ready to blog for 2017.
WalesCaernarfonCastle
List and subscription management continue to be hot topics, especially in the wake of the listbombing attacks earlier this year. Earlier this month, I presented a webinar on listbombing for the EEC and DMA to review the attacks and discuss best practices for companies to manage subscriptions. For Ask Laura, I wrote about the unsubscribe process and how senders can best manage those requests to keep their lists current and compliant.
With all the holiday mail flying around, Steve wrote up a good post about the challenges of DNS hosting and issues customers may have reaching your site. He also wrote about canonicalization, a process for comparing things to see if they are the same, which is useful for understanding how messages change during the delivery process. It’s important to understand how this works with DKIM, as that process specifically looks at changes to messages in delivery to validate them.
I wrote a post about how delivery at Gmail is a bit different from other mail providers, which can lead to intermittent delivery problems, and got some useful information in the comments about some upcoming process changes. And as always, unwanted email is SPAM. It doesn’t matter if you call it outreach or prospecting, or “here’s something you might find interesting!” Still SPAM.

Read More

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.
DataSecurity_Illustration
That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks.  We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

Read More

It's that time of year

I’m winding down blogging through the next week or so. I have a lot to say and blog about in the coming year, but I don’t think I’m alone in saying good bye and good riddance to 2016.
Happy Holidays to everyone, whatever events you may celebrate. I have to admit, it doesn’t feel very holiday around here. Part of that is we cut the cord a few months ago and we’ve not been subjected to the unending stream of Nutcracker music during commercials.  We’ve also not been volunteering as stage crew for the local ballet school’s Nutcracker performance. There’s a definite dearth of Nutcracker music, which makes it seem less like the holiday season.
We did get our tree up this past weekend. I’ve got to admit, I’m really impressed the camera in my iPhone 7. It makes our tree look very festive (with a little help from Luminar)
IMG_6784
Happy Holidays and a bright, shiny new year.

Read More

Poor delivery at Gmail but no where else

I’ve mentioned before that I can often tell what ISP is making filter changes by what my calls are about. The last few weeks it’s been Gmail where folks are struggling to get to the inbox. One of the things most clients and potential clients have mentioned is that they’re not having any problems at the other major ISPs.

Read More

Listbombing Webinar

Earlier this week I gave a webinar hosted by the EEC and the DMA discussing the listbombing problem. They will be making the recording available later this week and I will link to it then.
I wish I could say the issue was done and over with and that it was something we don’t have to worry about any longer. Unfortunately, that’s just not the case. Attacks are ongoing. Many of them are being caught and mitigated, but they’re still occurring.
We can’t let up our guard, though. Attackers will adapt to the mitigations and negate them.
And remember, listbombing is a sign that your subscription process is not collecting accurate data. If Evil Bob or Dumb Bob can give you Real Bob’s address then your data is all suspect. The problem is somewhat in the form, but it’s also in the whole process. What steps can you take to verify data without creating too much friction in the process?
This is an opportunity for forward thinking companies to reconsider their subscription and address acquisition processes. How do we get Bob’s address and information without Evil Bob or Dumb Bob giving us bad data and without contributing to the overall abuse online.
 

Read More

Is your website up? Are you sure?

“What would you do for 25% more sales?”
It’s panicked gift-buying season, and I got mail this morning from Boutique Academia, part of their final push before Christmas.
Inbox__18_975_messages__26_unread_
They’re hoping for some Christmas sales in the next three days. They do make some lovely jewelry – ask Laura about her necklace some time – so I clicked on their mail.
Failed_to_open_page
That’s not good. I like Boutique Academia, and fixing email and dns problems is What We Do, so I took a look.
Safari isn’t quite as bad with not-exactly-truthful error messages as Internet Explorer, but I still don’t really trust it. Perhaps the problem is with the click-tracking domain in the email, rather than with boutiqueacademia.com? So I open the base page at http://boutiqueacademia.com, get redirected immediately to https://www.boutiqueacademia.com – which fails to load.
15542402_1501169219896451_6901276936993410491_n
OK, start with the basics. DNS.

Read More

DKIM Canonicalization – or – why Microsoft breaks your mail

thx1138
One of these things is just like the other

Canonicalization is about comparing things to see if they’re the same. Sometimes you want to do a “fuzzy” comparison, to see if two things are interchangeable for your purposes, even if they’re not exactly identical.
As a concrete example, these two email addresses:

Read More

Ask Laura: Should we confirm unsubscribes?

Tower_thumbnail

Dear Laura,
We have some questions about best practices for unsubscribes. Our ESP uses the List-Unsubscribe header by default on every email. I’m not familiar with this, and I have some questions for you.
First, do you think this is a good idea? Should we always use it, or just for certain emails? Should we use the mailto:link or link to a web site to unsubscribe?
We were also asked about double opt-out and if we should do it. We’re thinking that if someone clicks on the unsubscribe link they would be directed to a site displaying a message such as “Sorry to see you go. We have sent an email out for you to fully unsubscribe from the mailing list”. They then have to open the email and click on the link. Do you recommend doing this? Are there anti-spam regulations that this might violate?
And then, once someone unsubscribes (either with double opt-out or not), should we send out some sort of email confirmation? We currently do not, but we’re thinking of sending something like “Sorry to see you go.  If you unsubscribed accidentally please click here to re-subscribe.” What do you think?
Thanks,
Breaking Up Is Hard to Do

Read More

Industry news

Just some stuff going on around email that probably merit a mention but not a whole blog post.
talkingforblog
Next Tuesday at 1 eastern I’ll be giving a webinar on the subscription bombing and discussing what companies can do to mitigate the problem.
Google is working on new “invisible” captchas, that separate out humans from bots without humans having to do anything.
EmailonAcid created an interactive puzzle email.
Return Path acquired Email Copilot. Then laid off approximately 60 employees citing restructuring (no links for this one, but emails were sent to customers and someone forwarded me a copy).
Mailchimp sent 1.5 billion emails on Black Friday, and published stats and information about how well they delivered and performed.
 

Read More

Outreach or spam?

This showed up in my mailbox earlier today:
Pluckyou
The tweet in question
pluckyou2
From Crunchbase: “Pluck is an email prospecting tool that gives you the email addresses of the people tweeting about subjects related to your business.”
Prospecting: another name for spamming. Look, I know that you want to sell you’re newest, greatest product to the world. But just because I tweet something with a # that you think is relevant to your product doesn’t mean that I want to get your spam. I also know it’s hard to get attention and find prospects; I’m a small business owner, too and I need to market my own services. But spamming isn’t a good idea. Ever.
There’s been a significant increase in this kind of spam “to help your business” lately. It’s a rare day I don’t get something from some company I’ve never heard of trying to sell me their newest product. It might be something if they tried a contact or two and then went away. But they’ll send mail for weeks or months without getting an answer. Look, silence IS an answer and it means you need to go away and leave your prospects alone.
Unfortunately, there are services out there that sell a product that let you “automatically follow up” with your prospects. Pluck up there uses one of them, as that’s who’s handling all the links in the message. In fact, if you go to the bare domain (qcml.io) they talk a good anti-spam game. “Die, spammers, die.” I reported the message to them. I’m not expecting them to actually do anything, and I’m not expecting a response.
It’s just spam under another name. There’s no pretense that it’s anything else. Even if it’s sent in a way that makes it look like a real person typed the message, like QuickMail offers. “All emails will come straight out of your personal inbox as though you typed them yourself.” As if you typed them yourself.
The worst part is there’s no real way to stop the mail. I can’t unsubscribe. The companies selling the software don’t provide any guidance to their customers about what the law requires. Take the message from Pluck that started the post. It violates CAN SPAM in multiple ways. Moreover, the address they used is not publicly associated with my twitter handle, which means they’re doing some harvesting somewhere. That means treble penalties under CAN SPAM.
I could reply and ask them to stop mailing me. I’ve done that a couple times with a message that says, “Please don’t email me any more.” I’ve got to tell you, some people get really mad when you ask them not to email you. Some just say yes, but others are really offended that you asked them to stop and get abusive. It’s gotten to the point where I don’t ask any more because of that one person who decides to harass, threaten and scream at me. Sure, it’s maybe 1 in 5, but I don’t have the time or energy to figure out who is going to be receptive and who isn’t. I don’t have time for that. No one has time for that.
I’m expecting that filters are going to catch up eventually and these types of mail will be easier to filter out. Until then, though, small business owners like myself are stuck in a place where we have to deal with spam distracting us from our business. At least I get blog content out of it.
 
 
 

Read More
Categories
Tags