Bronto’s Chris Kolbenschlag frames the discussion well: He purchased from an online retailer, they assumed he wanted to receive followup emails, and thus, those emails did eventually commence.
This is something I’ve had a lot of experience with. Working for an e-commerce service provider from late 2000 through mid-2006, I was the guy setting permission policy, dealing with spam complaints and advising on deliverability issues, primarily regarding email lists built over time from online store purchasers. There was an opt-in checkbox on the platform’s checkout pages, and it was up to the client as to whether or not it was pre-checked (“opted-in”) by default. Most clients pre-checked it by default.
My experience was, from a deliverability perspective, this kind of auto opt-in didn’t really present issues. People didn’t tend to forge addresses when purchasing, and people tended not to report mail as spam when it’s coming from somebody they just did business with.
I’m not saying it’s the wisest way to do things, by any means. If you have any other deliverability challenges at all, this kind of thing could likely add to them. And is it the most consumer friendly way to run things? I don’t think so. In my humble opinion, it’s always better to wait for the consumer to sign up on their own. But I’m not one of those aggressive marketer types.
And of course, the laws governing email permission vary by locale.
It’s alarming to read that, depending on whom you believe, the FBI feels it has the legal right to access your email messages without having to obtain a search warrant. I know I don’t have anything particularly damning in my personal email account, but it’s the principle of the matter that’s the problem. (And consider errors and leaks. Nothing in my email inbox is going to send me to jail, but it could contain many other things of a sensitive nature. Financial information. Industry dialog. Customer communication. Et cetera. Keeping that out of anybody else’s possession is the best way to keep anything from leaking or being misused.)
The bummer is that there doesn’t seem to be any way for the average joe user like you or me to do anything about it. According to that Marketwatch article, you could download all your email messages to your hard drive (clunky), encrypt emails when sending them (even more clunky), or move to an “off shore” email service (which simply exchanges one privacy concern for another).
The only bit of good news is that at least in the four states of the Sixth Circuit (Kentucky, Michigan, Ohio, Tennessee), the Warshak ruling prohibits the FBI from obtaining email messages without a warrant. The bad news is, that seems to apply only to those four states.
I received my first phishing attempt via text message today. Apparently that’s called SMiShing, and it’s a thing. Sadly, I’m too busy to have the guy follow up with his promised phone call to try to get my Gmail password from me, but I did take a moment and report it to 7726, just in case that’ll do good to help protect somebody else in the future.
Also, apparently I have a G-Email account. Is that the kind of email account you get from the company who used to own NBC?
Fridays are a busy day in the land of deliverability, so I don’t have a lot of time to come up with a specific post for today. But, I thought this might interest folks here — the other day, a client asked me about using CDNs (content delivery networks) to host HTML email content, and I blogged up a quick reply over on my work blog.
(It’s true! Fridays are the new Mondays.)
Over on the Magill Report, Stephanie Colleton from Return Path shares her thoughts on how to tell whether or not an email message is legitimate.
Let’s add to that some more thoughts from Return Path’s Lauren Soares.
Then let’s add to that some of my own thoughts specifically for email senders.
Every company sending email today ought to:
- Use DKIM Authentication. It’s not the end-all, but authenticating your email makes it easier for the receiving ISP to denote good mail versus bad mail. (Sure, spammers authenticate their mail, too. But authentication doesn’t overcome a bad sending reputation.)
- Utilize DMARC, if you can. It doesn’t make sense for everyone, but for domains sending lots of bulk mail (marketing messages, transactional messages) and if you’re representing a brand that is, was, or could become a phishing target, you really ought to consider using DMARC.
- Think about your from address and link domains. If your main domain name is domain.com, don’t send mail as domain3.com or domainmail.com. If you need to use a specific domain or subdomain for an outsourced service provider, make it a subdomain under your main domain name (email.domain.com instead of domainemail.com).
- Think about what you’re actually putting in the body of those email messages. Be careful not to do the things that phishers do. If you’re a financial institution, is it safe to include links back to a login page? How much PII (personally identifiable information) are you putting in email messages?
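One way to check an outbound message against the DKIM and domain points above before it goes out, as an added example (not code from this blog or any vendor). The function names `under` and `audit` are hypothetical, the sample messages are constructed, and `domain.com`, `domain3.com` and `domainmail.com` are the placeholder names used in the list. It checks only that a DKIM `d=` domain is present and sits under the brand domain, not that the signature verifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def under(host, brand):
    """True if host is the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)

class LinkHosts(HTMLParser):
    """Collect hostnames from href/src attributes in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlsplit(value).hostname  # None for relative links
                if host:
                    self.hosts.add(host.lower())

def audit(raw, brand):
    """Return a list of (check, value) findings for one outbound message."""
    msg, findings = message_from_string(raw), []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not under(from_dom, brand):
        findings.append(("from", from_dom))
    sigs = msg.get_all("DKIM-Signature") or []
    d_tags = [m.group(1).lower() for s in sigs
              if (m := re.search(r"(?:^|;)\s*d=([^;\s]+)", s))]
    if not d_tags:
        findings.append(("dkim", "missing"))
    elif not any(under(d, brand) for d in d_tags):
        findings.append(("dkim", ",".join(d_tags)))
    links = LinkHosts()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    findings += [("link", h) for h in sorted(links.hosts) if not under(h, brand)]
    return findings

# Constructed sample messages (not real mail); signature values are dummies.
GOOD = ("From: Shop <news@email.domain.com>\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=email.domain.com; s=s1; bh=X; b=X\n"
        "Content-Type: text/html\n\n"
        '<a href="https://www.domain.com/sale">Sale</a>')
BAD = ("From: Shop <offers@domainmail.com>\n"
       "Content-Type: text/html\n\n"
       '<a href="http://domain3.com/login">Log in</a>')
```
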
I’m sure I’m barely scratching the surface here. What else should senders be doing to help reduce, mitigate or prevent phishing/domain misuse? What else should companies be doing to help educate their subscriber base on how to tell good emails from bad emails?
Commtouch’s latest “Internet Threats Trend Report” suggests that penny stock spam has returned:
Pump and dump spam, also known as penny stock spam, one of the most popular topics among spammers between 2006 and 2008, made a forceful comeback in Q1 after having all but disappeared in previous years. In March 2013, pump and dump spam dominated the list of spam topics. Eighteen percent of the top 25 spam emails (with a combined volume of 46% of all spam) were pump and dump mailings. The trick was the same as in previous years. The emails advertise cheap shares with very small trading volumes, indicating there was significant earning potential in them. If only a few recipients can be fooled into buying the stock, the value will rise significantly and the spammers who have bought shares at the lower price can cash in.
This certainly fits with what I’m seeing in my spamtraps for at least the past month. Yuck, so much stock spam.
Over on the AOL Postmaster blog, Lili Crowley announced yesterday that AOL has made changes to their spam filtering system. Specifically, more senders may be subject to blocking with CON:B1 errors. AOL’s website explains that CON:B1 errors indicate that an IP address is being blocked “due to a spike in unfavorable e-mail statistics.” This strongly suggests that a sender blocked with a CON:B1 error message has a negative sending reputation. This is yet another data point as to how ISPs have been tightening up spam filtering and reputation requirements over the past few years. What you might have been able to deliver five years ago, you might not be able to get delivered today.
Cloudmark says, yes, SMS gift card spam is down, thanks to recent action taken by the Federal Trade Commission. Read more over on PC World. I’m very glad to see this. I ended up on the list of one of those spammers and they were driving me nuts. Thank goodness for Google Voice’s report spam functionality.
What can you do to stop SMS spam? If you use Google Voice, and the SMS messages are coming to your Google Voice number, just report it as spam inside of the GV interface. If it’s coming directly to your cell number, not via GV, then you can forward the message to 7726 (SPAM). It’s a clunky, multi-step process, however. And does it actually result in anything happening? Hard to say. I don’t yet have any proof that SMS spam reports to a provider are quick to result in blocking, as is the case with email spam. I suspect it still can’t hurt to report SMS spam, though. The more reports, the more likely a provider will be driven to take action.
Over on his blog, John Levine offers up a review of the history of the .PW TLD (top-level domain). The context: Recently relaunched, .PW has perhaps immediately become a spam haven. John mentions that at least one receiver is already treating mail referencing .PW as “block on sight.” Incidentally, John’s not the only friend of mine complaining about a recent uptick of spam referencing the .PW TLD.
Based on what I’ve heard so far, my guess is that more widespread blocking of mail referencing .PW domains seems likely.
Deja vu? It feels like .biz all over again.
May 6, 2013 update: John Levine adds, “I don’t think I’ll be unblocking mail from .PW anytime soon.”
(Hi! Al Iverson here. I’ll be guest blogging a bit while Laura and Steve are off dealing with stuff.)
Over on the BRANDED3 blog, Search Strategist Stephen Kenwright shares how social network Path sent text messages to everybody in his address book, very early in the morning on Tuesday, telling everyone that he had shared pictures with them on Path. Except, according to him, he hadn’t.
This even resulted in a number of odd, robotic voice phone calls to Stephen’s friends and family. Why? Because nowadays, when you send a text message to a landline, most phone companies convert it into a voice call. The phone rings, you answer it, and a robotic voice reads the text message to you. The functionality is a bit creepy, and I can imagine that it would scare the heck out of somebody’s grandparents.
Path is saying that basically the whole thing is user error, but I’m not sure that I’m convinced of that. Even if Kenneth somehow missed this option at install time, Path likely needs to make this feature much more clearly opt-in and ensure that users know what they’re getting into. Right or wrong, if it keeps happening, it’s going to lead to more negative press and perhaps even new scrutiny from the FTC. You don’t mess around with SMS permission.