Security vendors and trust.

A big part of my predictions for 2016, that I’ll publish shortly, is that security is going to be a huge issue. I think we’re really going to see receivers expecting senders to have their houses in order when it comes to sending mail.
Of course, some filter companies need to get their houses in order too. Yesterday, a security researcher went public with problems in the TrendMicro anti-virus appliance. These vulnerabilities would let any email sender remotely execute code on the recipient's machine with no user interaction. They also exposed all the passwords on the machine to the outside world.
Even worse, Trend doesn’t seem to understand the urgency to fix this. They have started releasing patches for the exploits, but there are significant problems with the patched versions as well.
If you’re a Trend user, you may want to consider other vendors for desktop security. I know that no security is perfect and that other vendors have problems, too. But shipping a password manager that exposes all passwords is just incompetence. It seems like a corporate lack of understanding of what their business is and how to actually create security software.
Even worse is the lack of urgency from the Trend folks as the security researchers are explaining the problem. I don't care if the person receiving the report was the janitor; anything that says "security exploit" should be escalated to someone who can determine whether the report is valid.
Compare Trend's reaction to this with Juniper's reaction to discovering a backdoor in their code in December. First off, Juniper found the exploit during a routine code review. That alone tells you Juniper is continually monitoring its code security. Second, Juniper was reasonably open about the issue, with executives posting blogs and the security team posting advisories about it. More importantly, they shared how they were going to fix it and prevent it from happening again.
Security is such a large issue right now. We have to be able to trust our vendors to do what they’re selling us. Every vendor is going to make mistakes and have vulnerabilities. No code and no developer is perfect. I do expect, though, that vendors will take exploits seriously and act fast in order to correct the problem. I’m not seeing that sense of urgency with Trend.

Spamhaus reports Verizon routing hijacked IPs

Late last week Spamhaus published a blog post detailing their investigation into Verizon routing millions of IP addresses hijacked by spammers.
The Spamhaus blog post goes into some detail about what hijacked routing is.

Triggered and transactional emails

Earlier this week I was talking on IRC with some colleagues. There was some kvetching about senders that think transactional emails are the same as triggered emails. This led to discussion about whether transactional and triggered emails are the same. I don't think they are, but it took a while for me to come up with why I don't think they're the same. It took even longer to come up with definitions I liked.
Transactional Emails: Emails sent in response to a direct request by the recipient. Transactional emails are usually one-off emails. Transactional emails probably don't need an unsubscribe link, although it may be a good idea to include one just to make people feel comfortable receiving them. Examples: password reset emails, receipts, tickets.
Triggered Emails: Emails sent in response to an action by a recipient. Triggered emails can be one-off, but can also be a series of emails. Triggered emails should have an unsubscribe link, so people can stop the emails if needed. Examples: cart abandonment emails, after-purchase surveys, follow-ups to software installation.
The key difference is that in a transactional email, the recipient has asked for that particular email. In a triggered email, the recipient may very well want and respond to the email, but they didn’t ask for it.
There are, as always, some grey areas here. Is a welcome message transactional or triggered? Probably transactional, but it should always have an unsubscribe link.
What about software installation follow-ups? We've been looking at some alternatives to our current time tracking software, which involved me setting up accounts at multiple different SaaS providers. A couple of them had triggered welcome series. These emails let me know things I could do with the software, things I still needed to set up, and led me through the process of trying out their system.
This was mostly good, but not completely: one of the series didn't have an opt-out link. That was somewhat annoying because I'd already decided the tracker didn't do what we needed, and I couldn't make the mail stop. If there is one thing I'd say about mail, it's that senders should never force someone to receive their mail.
It's tempting for senders to define all triggered emails as transactional: since it's a user action that caused the mail to be sent, it must be a transactional email. But a lot of triggered emails are triggered by actions the user doesn't know will trigger an email. Cart abandonment emails are a good example of this: not every retailer has them, so users aren't yet expecting to get an email if they drop stuff in their carts and then leave the site.
Overall, both transactional and triggered emails have their place in a healthy email program. But they shouldn’t be confused for one another and should be treated as separate mail streams.

10 experts in 50 minutes: predictions for 2016

I’m thrilled to be one of the email experts speaking at the 2016 predictions webinar hosted by SparkPost.
Come join us!

Facebook scams move to LinkedIn

There’s a fairly common Facebook scam where someone clones an account, then sends out friend requests to friends of that person. This actually happened to a friend over the holiday break. The only problem was that most of the folks who got friend requests were actually security people. Security people who thought it was very, very funny to play along with said scammer.
The scam account didn't last long, partly because FB security is pretty good and partly because a few of the folks the scammer invited were FB employees. I'm sure, though, that for a brief moment the scammer thought he'd found the mother lode of scam victims.
Today I got a similar scam on LinkedIn. A very bare account with little in the way of information about who this was.
I don't like connecting with these kinds of profiles. But the name does sound vaguely familiar, so I do a little Googling. And I find another LinkedIn profile for the same person, but this profile has a lot more info: a picture, a statement, 500+ connections, all the things one expects from a real person on LinkedIn.
So yes, Facebook scams have rolled over to LinkedIn. Be careful out there, folks. Pay attention to who you’re friending on all social media, not just FB or LinkedIn. Discretion is the better part of valor and all.

Random thoughts on reporting abuse

On IRC today, someone mentioned an Ars Technica article discussing how a research team tried to contact Xfinity about a security flaw in their home security system.

December 2015: The month in email

Happy 2016! We enjoyed a bit of a break over the holidays and hope you did too. Here's our December wrap-up – look for a year-end post later this week, as well as our predictions for the year ahead. I got a bit of a head start on those predictions in my post at the beginning of December on email security and other important issues that I think will dominate the email landscape in 2016.
DMARC will continue to be a big story in 2016, and we’re starting to see more emphasis on DMARC alignment as a significant component of delivery decisions. I wrote a bit more on delivery decisions and delivery improvement here.
December in the world of email is all about the holidays, and this year was no exception. We saw the usual mix of retailers creating thoughtful experiences (a nice unsubscribe workflow) and demonstrating not-so-great practices (purchased list fails). We took a deeper look at the impacts and hidden costs of list purchasing – as much as companies want to expand their reach, purchased lists rarely offer real ROI. And on the unsubscribe front, if you missed our discussion and update on unroll.me unsubs, you may want to take a look.
Steve wrote a detailed post looking at what happens when you click on a link, and how you can investigate the path of a clickthrough in a message, which is useful when you’re trying to prevent phishing, fraud, and other spam. In other malicious email news, the CRTC served its first ever warrant as part of an international botnet takedown.
In other industry news, some new information for both ESPs and recipients interested in feedback loops and a somewhat humorous look at the hot-button issues that divide our ranks in the world of email marketing. Please share any we may have missed, or any other topics you’d like us to address.

Doing it right

It’s that time of the year – marketers send more email than usual, recipients unsubscribe from their lists.
Clicking on the unsubscription link in the email I just received took me to an unsubscription landing page. The box for my email address was prepopulated based on the cookie in the unsubscription link, the default setting is to unsubscribe me from all mail from the sender and just clicking the sole button on the page will unsubscribe me.
It offers me an alternative to unsubscribing from everything – letting me receive just the content I want. It does that immediately on the unsubscription landing page (rather than suggesting I go to a subscription center or, worse, requiring I click on a different link in the mail originally). And it tells me the important things about the newsletters I might want to subscribe to – what they’re about and how often they’re sent.
This isn’t anything particularly special, but sometimes it’s nice to highlight someone who is doing it right.

Happy Holidays

Blogging will be light (or non-existent) for the next week or so. I leave you with Valeria and her first Christmas tree from many years ago.
The kittens are older now, so we can have a tree complete with lights AND ornaments.
See y’all in the new year!

New FBL information

A couple new bits of information for folks interested in participating in feedback loops.
If you’re an ESP, you’ll want to sign up for the two new FBLs that were released this month. XS4ALL and Telenor are now offering complaint feeds to senders.
If you're a mail recipient and want the ability to report spam, try the new browser/MUA plugins for reporting spam released by the French anti-spam group Signal Spam.
These browser plugins allow recipients to report spam directly from a button in the browser. Signal Spam reports:
The button is working for the biggest webmails around, such as yahoo!, SFR, gmail, outlook, AOL, laposte, free, and is downloadable for Chrome, Safari and Firefox with these links:
Chrome
Safari
Firefox
These plugins are currently in beta, but should be released by the end of 2016.
For those folks who use our ISP information page, I haven't yet added Telenor and XS4ALL to the pages of available FBLs. Part of that is because we're looking at options to improve data presentation and ease of maintenance. The Perl script that magically generated the summary page from other pages was great, until it hid itself on some VM somewhere and can't be found. There are other things we want to maintain as public resources, so we're looking into options. (wikimedia was one of our early attempts… it didn't do what we needed). Anyone have a public KB or wiki package they particularly like?
