Recent Posts

Comodo, TLS certificates and business ethics

We run a lot of our own infrastructure at Word to the Wise. Our email and web presence runs on our own hardware, in our own cabinet in our own network space. Partly that’s because we’re all from very technical backgrounds, and can run them in a way that’s better suited to our needs than an off-the-shelf web service. Partly it’s so we can do things like add instrumentation to our inbound mail stream so we have easy access to information when diagnosing a customer’s delivery issues. But it’s also partly so we can keep up to date on protocols and software, and leaven our advice to clients with some first hand, real world experience.
One of those things is TLS certificates, for webservers and email servers.
We already used Comodo for code-signing certificates, so when their sales rep called me and offered some decent pricing on extended validation (EV or “green bar”) certificates in exchange for a three-year commitment, that seemed like a good opportunity to experience the extended validation process.
I’ve written previously about how painful the process of getting a TLS certificate from a legacy certification authority such as Comodo is, but this post isn’t about that.
I mentioned a few months ago that our green bar TLS certificate would be going away. That was because Comodo didn’t honor their agreement with us. While we ordered three years of EV certificate from Comodo, paid them for three years of EV certificate and confirmed in writing with the sales rep that they would provide three years of EV certificate, after one year Comodo decided that they wouldn’t honor that agreement.
The sales rep was mysteriously “no longer with the company” and his sales manager decided that they’d keep the money, but not provide the agreed-to certificates. After a dozen or so promised calls back or email replies from a “sales manager” to discuss “what they could do for us” didn’t happen, we gave up on Comodo and switched to using Let’s Encrypt for our TLS certificates.
We’re very, very happy with Let’s Encrypt. The price of “free” is nice, but it’s the simplicity, reliability and general lack of having to deal with horrible sales reps that’s the best thing.
Apparently a lot of other Comodo customers thought the same thing, as Comodo seems to want to recapture those customers by pretending to be Let’s Encrypt. They filed trademark registrations for “Let’s Encrypt”, “Comodo Let’s Encrypt” and “Let’s Encrypt with Comodo”. Comodo is in the business of “trust” and “identity” and I can’t think of any behaviour of theirs more antithetical to that.
And, on an email note, Comodo also seemed to decide that they didn’t want their employees to know about this, nor to answer questions about it, and reportedly configured their email filters to reject email mentioning letsencrypt.org with “mail contains a virus”.
[Screenshot of a tweet from Peter Steinberger (@steipete), 2016-Jun-23, showing the “mail contains a virus” rejection]
(Given Comodo are a major email filter vendor I hope that that’s just a local configuration used by Comodo themselves, not part of their public filtering products.)
We will no longer be using or recommending Comodo as a vendor.
(This post brought to you as an exercise in avoiding the question “What effect will brexit have on the email industry?”, as the answer “Global economic collapse would probably be bad for the email industry, yes.” seems a little simplistic.)


Domain transparency

An email I received this morning got me thinking about how your domain name is one of the main ways you identify yourself if you’re sending email.
We talk about domain reputation quite a lot – DKIM and SPF let a sender volunteer a domain name as a unique identifier for recipients to use to track reputation, DMARC allows them to tie that domain to the domain visible to the user in the From: field. And most ISPs use the domains in links in the body of the message to track reputation, either internally or through third-party reputation providers.
But there’s also a human side. We expect people and companies to be honest in how they identify themselves – and we’re suspicious when they aren’t. We’ve been trained to be wary of messages that claim to be from a company we know but which, for whatever reason, don’t look quite right. Rightly so – a lot of phishing and credential theft is based on bad people using branding and domains that look like legitimate ones.
Here are some header snippets from this morning’s (legitimate) email:


iOS mail supporting list-unsub header

Al over at SpamResource reports that the next generation of Apple’s iOS has support for the list unsubscribe header.
To the best of my knowledge, this is the first time an independent email client has built in support for the List-Unsubscribe header. Microsoft and Google support it, but only in their webmail systems. Hopefully other mail clients will follow suit.


Role accounts

A question came up on a recent deliverability panel about role accounts.


Sanford Wallace goes to Jail

Sanford Wallace has been sentenced to 2 years in jail by the US District Court in San Jose for contempt of court and electronic mail fraud. Sanford has been around for more than 2 decades. He is one of the spammers that drove me to learn how to read headers and report spam back in the late nineties.
Sanford has been in and out of courts and the news almost as long as he’s been spamming. When I dug into Pacer this morning to grab a copy of the sentencing report I see multiple cases, some going back as far as 1996. There aren’t electronic records for Concentric Network v. Wallace, et al. (case: 5:96-cv-20829-RMW) but the final disposition of the case says “Permanent Injunction.”


About that permission thing

I wrote a few days ago about permission and how it was the key to getting into the inbox. It’s another one of those “necessary but not sufficient” parts of delivery. There are, however, a lot of companies who are using email without the recipient’s permission. These companies often contact me to help them solve their delivery problems. Often these are new companies who are trying to jumpstart their business on the cheap by using email.
The calls have a consistent pattern.


M3AAWG in Philly This Week

Today marks the training day for M3AAWG 37 in Philly. With all the traveling and speaking I’ve been doing lately we’re not going to be there. So no tweeting from me about the conference.
We’ve been attending various M3AAWG meetings since way early on – 2004? 2005? in San Diego. The organization has grown and matured and really come a long way since the early days. One of the challenges of M3AAWG is that it is a true working group. This isn’t like the various conferences I’ve been attending recently. I think there are two things that make M3AAWG different from other conferences.
One of the most obvious things is the lack of a vendor floor. Sure, there are vendors and sponsors but vendors don’t bring in displays and have sales people stand around them to talk to folks. The conference does have demos and negotiations and meetings, but done differently than other events.
The other difference I’ve noticed is that M3AAWG is much more about participation. As the name says, this is a working group. Everyone is encouraged to get involved in things they’re interested in or that they think they can contribute to. Other conferences are a lot more about information being shared by speakers and panels. But during M3AAWG conferences, there are 2 mornings devoted to round tables.
The round tables are a true community effort, and probably deserve some discussion for people who’ve never been to the conference. Before the conference, members of the community submit ideas for things they think M3AAWG should discuss. These suggestions are reviewed by the board and leadership and ones that fall within M3AAWG’s purview are taken to the conference.
On the first day of roundtables, each topic is discussed in small groups. Volunteers facilitate a 20 – 30 minute discussion on the topic at hand with attendees. After time is called, attendees go to another topic and discuss that one. Part of what is discussed is not just the issue (say, how to get off a blacklist) but also what the final work product looks like. Is this a document for M3AAWG members? A panel at a future conference? A public document?
The second day is refinement of the roundtable topics and commitment from people to move the project forward. The champion is the person who is project managing this. Other roles depend on the work product. For presentations or panels, there is one set of roles. For documents there are roles as writers, editors and contributors.
M3AAWG has written and produced some useful resources and information over the years. Many of those resources are public, like best practice documents and metric reports. Other docs and reports are specifically for members.
The working group part of M3AAWG is one of its real strengths. Experts on all sides of the business of email get together to keep email useable and workable. Early on there were a few barriers and some suspicion about various participant groups. But, as the industry has grown, things have changed. Many folks have moved from ISPs to ESPs and back. There’s also a bigger place for companies that provide services to ESPs and ISPs, like us here at Word to the Wise. We’ve built bridges and technology and have been a positive force on the world.


GOP candidate not doing email well

According to Adage and Return Path, Donald Trump’s mail campaign is not one to write home about. He’s not asking for donations and has a high rate of spam complaints.


Gmail / Apps authentication issues

I’ve seen several reports of unexpected rejections for unauthenticated email to Google over IPv6 today. Unauthenticated mail over IPv6 is a bad idea, but Google usually spam folders it rather than rejecting it.
The Gmail status dashboard is reporting an issue “Some messages sent to consumer Gmail accounts are being rejected due to authentication enforcement” so something isn’t working as intended.
