It’s alarming to read that, depending on whom you believe, the FBI feels it has the legal right to access your email messages without having to obtain a search warrant. I know I don’t have anything particularly damning in my personal email account, but it’s the principle of the matter that’s the problem. (And consider errors and leaks. Nothing in my email inbox is going to send me to jail, but it could contain many other things of a sensitive nature. Financial information. Industry dialog. Customer communication. Et cetera. Keeping that out of anybody else’s possession is the best way from anything leaking or being misused.

The bummer is that there doesn’t seem to be any way for the average joe user like you or me to do anything about it. According to that Marketwatch article, you could download all your email messages to your hard drive (clunky), encrypt emails when sending them (even more clunky), or move to an “off shore” email service (which simply exchanges one privacy concern for another).

The only bit of good news is that at least in the four states of the Sixth Circuit (Kentucky, Michigan, Ohio, Tennessee), the Warhsak ruling prohibits the FBI from obtaining email messages without a warrant. The bad news is, that seems to apply only to those four states.

I received my first phishing attempt via text message today. Apparently that’s called SMiShing, and it’s a thing. Sadly, I’m too busy to have the guy follow up with his promised phone call to try to get my Gmail password from me, but I did take a moment and report it to 7726, just in case that’ll do good to help protect somebody else in the future.

Also, apparently I have a G-Email account. Is that the kind of email account you get from the company who used to own NBC?

Fridays are a busy day in the land of deliverability, so I don’t have a lot of time to come up with a specific post for today. But, I thought this might interest folks here — the other day, a client asked me about using CDNs (content delivery networks) to host HTML email content, and I blogged up a quick reply over on my work blog.

(It’s true! Fridays are the new Mondays.)

Over on the Magill Report, Stephanie Colleton from Return Path shares her thoughts on how to tell whether or not an email message is legitimate.

Let’s add to that some more thoughts from Return Path’s Lauren Soares.

Then let’s add to that some of my own thoughts specifically for email senders.

Every company sending email today ought to:

• Use DKIM Authentication. It’s not the end-all, but authenticating your email makes it easier for the receiving ISP to denote good mail versus bad mail. (Sure, spammers authenticate their mail, too. But authentication doesn’t overcome a bad sending reputation.)
• Utilize DMARC, if you can. It doesn’t make sense for everyone, but for domains sending lots of bulk mail (marketing messages, transactional messages) and if you’re representing a brand that is, was, or could become a phishing target, you really ought to consider using DMARC.
• Think about your from address and link domains. If your main domain name is domain.com, don’t send mail as domain3.com or domainmail.com. If you need to use a specific domain or subdomain for an outsourced service provider, make it a subdomain under your main domain name (email.domain.com instead of domainemail.com).
• Think about what you’re actually putting in the body of those email messages. Be careful not to do the things that phishers do. If you’re a financial institution, is it safe to include links back to a login page? How much PII (personally identifiable information) are you putting in email messages?

I’m sure I’m barely scratching the surface here. What else should senders be doing to help reduce, mitigate or prevent phishing/domain misuse? What else should companies be doing to help educate their subscriber base on how to tell good emails from bad emails?

Commtouch’s latest “Internet Threats Trend Report” suggests that penny stock spam has returned:

Pump and dump spam, also known as penny stock spam, one of the most popular topics among spammers between 2006 and 2008, made a forceful comeback in Q1 after having all but disappeared in previous years. In March 2013, pump and dump spam dominated the list of spam topics. Eighteen percent of the top 25 spam emails (with a combined volume of 46% of all spam) were pump and dump mailings. The trick was the same as in previous years. The emails advertise cheap shares with very small trading volumes, indicating there was significant earning potential in them. If only a few recipients can be fooled into buying the stock, the value will rise significantly and the spammers who have bought shares at the lower price can cash in.

This certainly fits with what I’m seeing in my spamtraps for at least the past month. Yuck, so much stock spam.

Over on his blog, John Levine offers up a review of the history of the .PW TLD (top-level domain). The context: Recently relaunched, .PW has perhaps immediately become a spam haven. John mentions that at least one receiver is already treating mail referencing .PW as “block on sight.” Incidentally, John’s not the only friend of mine complaining about a recent uptick of spam referencing the .PW TLD.

Based on what I’ve heard so far, my guess is that more, widespread blocking of mail referencing .PW domains seems likely.

Deja vu? It feels like .biz all over again.

May 6, 2013 update: John Levine adds, “I don’t think I’ll be unblocking mail from .PW anytime soon.”