Spam

Archived Posts from this Category

Forgery and spamware

Posted by laura on 23 Apr 2008 | Tagged as: Blocking, Spam

Recently there has been a massive uptick in forgeries. I have been seeing hundreds of bounce back messages, peaking at more than 1000 in an hour. I have been talking about this with people who monitor large spamtrap feeds, large MTAs and spamfilters, and it seems this is not an isolated experience. The consensus seems to be that there is new spamware out there which is using email addresses on the spam list as a From: address.

The volume itself is annoying. Thousands of messages a day from “mailer-daemon” telling me that the mail I sent with the subject line “Get a longer tool” cannot be delivered to some random address somewhere. These are coming to at least 3 separate email addresses. One of them was given to Intuit back in 2001/2002 when I registered a copy of Quicken, and ended up leaked to loan spammers and is all over spam lists. The other two are addresses scraped from websites. The same spammer has them, and the same spammer is using them as part of his spam run.

Even more annoying than the volume, though, is the challenge/response emails. “Your email to jobobjimbo@example.com cannot be delivered until you click this link.” I have been adding every domain I can find that is using c/r to my filters, and just discarding the c/r emails so I do not have to deal with them. That is not my ideal solution; it does mean that if someone using c/r ever tries to contact me I will not see the challenge and our communications cannot happen.

Some people have recommended that the right way to deal with challenges from forged spam is actually to answer the challenges. As the reasoning goes, if someone using c/r is going to outsource their spam filtering to a victim of spam forgery, then they should expect that the “spam filter” may have a different opinion than they do. While I always sympathized with this viewpoint, I was not sure I would ever confirm spam forgeries. The sheer volume of c/r stuff I have received in the last few weeks has almost convinced me that people who use c/r deserve every bit of spam they get. If a c/r filter lets in spam, then perhaps they will reconsider their choice to spew challenges out to forged email addresses.

The amount of c/r spam I am getting as part of the forgery runs is decreasing; I think I have finally managed to block the primary sources. It does mean I will not be able to communicate with people who use c/r in the future, but I find this a small price to pay for not having to be an outsourced spam filter. I get enough of my own spam, I really do not want to have to deal with yours.

That’s spammer speak

Posted by laura on 21 Apr 2008 | Tagged as: Definitions, Deliverability, Permission, Relevancy, Spam

I’ve been hearing stories from other deliverability consultants and some ISP reps about what people are telling them. Some of them are jaw dropping examples of senders who are indistinguishable from spammers. Some of them are just examples of sender ignorance.

“We’re blocked at ISP-A, so we’re just going to stop mailing all our recipients at ISP-A.” Pure spammer speak. The speaker sees no value in any individual recipient, so instead of actually figuring out what about their mail is causing problems, they are going to drop 30% of their list. We talk a lot on this blog about relevancy and user experience. If a sender does not care about their email enough to invest a small amount of time into fixing a problem, then why should recipients care about the mail they are sending?

A better solution than just throwing away 30% of a list is to determine the underlying reasons for delivery issues, and actually make adjustments to address collection processes and user experience. Build a sustainable, long term email marketing program that builds a loyal customer base.

“We have a new system to unsubscribe people immediately, but are concerned about implementing it due to database shrink.” First off, the law says that senders must stop mailing people that ask. Secondly, if people do not want email, they are not going to be an overall asset. They are likely to never purchase from the email, and they are very likely to hit the ‘this is spam’ button and lower the overall delivery rate of a list.

Let people unsubscribe. Users who do not want email from a sender are cruft. They lower the ROI for a list, they lower aggregate performance. Senders should not want unwilling or unhappy recipients on their list.

“We found out a lot of our addresses are at non-existent domains, so we want to correct the typos.” “Correcting” email addresses is an exercise in trying to read recipients’ minds. It seems intuitive that someone who typed yahooooo.com meant yahoo.com, or that hotmial.com meant hotmail.com, but there is no way to know for sure. There is also the possibility that the user is deliberately mistyping addresses to avoid getting mail from the sender. It could be that the user who mistyped their domain also mistyped their username. In any case, “fixing” the domain could result in a sender sending spam.

Data hygiene is critical, and any sender should be monitoring and checking the information input into their subscription forms. There are even services which offer real time monitoring of the data that is being entered into webforms. Once the data is in the database, though, senders should not arbitrarily change it.

Social network sends spam

Posted by laura on 15 Apr 2008 | Tagged as: Deliverability, Permission, Spam

Yesterday we talked about social networks that harvest the address books of registered users and send mail to all those addresses on behalf of their registered user. In the specific case, the registered user did not know that the network was going to send that mail and subsequently apologized to everyone.

That is not the only way social networks collect addresses. After I posted that, Steve mentioned to me that he had been receiving invitations from a different social network. In that case, the sender was unknown to Steve. It was random mail from a random person claiming that they knew each other and should network on this new website. After some investigation, Steve discovered that the person making the invitation was the founder of the website in question and there was no previous connection between them.

The founder of the social networking site was harvesting email addresses and sending out spam inviting people he did not know to join his site.

Social networking is making huge use of email. Many of my new clients are social networking sites having problems delivering mail. Like with most things, there are some good guys who really do respect their users and their privacy and personal information. There are also bad guys who will do anything they can to grow a site, including appropriating their users’ information and the information of all their users’ correspondents.

It is relatively early in the social networking product cycle. It remains to be seen how much of an impact the spammers and sloppier end will have. If too much spam gets through, the spam filters and ISPs will adapt and social networks will have to focus more on respecting users and potential users in order for their mail to get delivered.

How to be a spammer

Posted by laura on 19 Feb 2008 | Tagged as: Spam, Standards

JD had a comment on my Valentine’s Day semi-fluff post that really summed up the reality for senders. He said

Make sure your mail doesn’t look anything like spam — not just in the text and formatting, but in all of your mailing practices.

Good advice: your mail will not be blocked if it does not look like spam. What kinds of things do I mean? Here are things that spammers do, and that non-spammers often do as well.

Ignore bounces. One of the absolute quickest ways to get blocked is to keep sending mail to non-existent addresses. Purge your lists, make sure you are removing those addresses that will never deliver.

Hide contact information. Do not use a domain privacy service; put your real business address in your whois records.

Fake contact information. Do not use blatantly fake information in your domain registration. Register your actual business address. Do not use 555-xxxx phone numbers.

Use free or very low cost vendors. Do not use free or advertising supported vendors for your webhosting, mail hosting, or DNS. Geocities hosted webpages, mydyndns.org hosted name servers, freemail addresses (aim, gmail, hotmail, yahoo addresses): these are all ways spammers get around blocks.

Shift IP addresses. If you get an IP address blocked, for any reason, do not just start mailing from another IP. Figure out what the problem is and fix it. Skipping around blocks is what spammers do.

Mail from many different places. Do not send emails from a diverse set of IP addresses located all over the world. Spammers spread their sending out in order to dilute their spam metrics to avoid threshold based blocks. They have done this so often there is even a term for it: snowshoeing.

Use bad HELO values. Many botnets and spam infected Windows machines use badly formatted or incorrect HELO values. Use a fully qualified domain name, in your domain, for a HELO value.

Use generic rDNS. Set a reverse DNS value for your IPs that does not contain the IP address or otherwise look programmatically assigned.

Use incorrect HTML. Spammers hide text and use fake HTML tags in order to avoid content filters. Consequently, filters check HTML against the HTML specification.

Send different HTML and text in multipart/alternative email. In addition to using badly formatted and fake HTML, spammers put drastically different text in the text portion of HTML emails. Filters check for this, and too many differences between the parts make mail look like spam.

Send no text part in HTML email. Spammers do this to avoid the above two filters. Do this and you look no different than they do.

Use multiple corporate identities. If you have separate divisions or brands that is one thing, but often spammers set up completely separate companies and conceal the relationship between those companies.

All of these things are spammer tactics meant to confuse, fool, deflect and avoid filtering mechanisms.

How many of them does your company do?
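As an added example (not code from the original post), here is a small Python audit a sender can run against three of the practices above: the HELO must be a fully qualified name inside the sending domain, the reverse DNS name must not embed the IP or look pool-assigned, and the text and HTML parts of a multipart/alternative message must actually say the same thing (and the text part must exist). The domain names, IPs and message bodies are constructed, and the similarity threshold and token list are assumptions, not any real filter's rules.

```python
import difflib
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html import unescape

# One hostname label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_is_acceptable(helo, sending_domain):
    """True when HELO is a fully qualified hostname inside the sending domain."""
    helo = helo.strip().lower().rstrip(".")
    domain = sending_domain.lower().rstrip(".")
    if helo.startswith("["):                      # address literal such as [192.0.2.10]
        return False
    labels = helo.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(x) for x in labels):
        return False                              # bare hostname or junk characters
    if labels[-1].isdigit():                      # a dotted IP masquerading as a name
        return False
    return helo == domain or helo.endswith("." + domain)


def rdns_looks_generic(ip, ptr):
    """Heuristic: the PTR embeds the IP's octets or a pool/dynamic-style token."""
    ptr = ptr.strip().lower().rstrip(".")
    if not ptr:
        return True                               # no reverse DNS at all
    octets = [re.escape(o) for o in ip.split(".")]
    forward, reverse = r"[-.]".join(octets), r"[-.]".join(reversed(octets))
    if re.search(forward, ptr) or re.search(reverse, ptr):
        return True
    tokens = set(re.split(r"[-.]", ptr))          # assumed token list, not any filter's rules
    return bool(tokens & {"static", "dynamic", "dyn", "pool", "dhcp", "ppp"})


def _normalize(text):
    """Lower-case and collapse whitespace so layout differences do not count."""
    return " ".join(text.lower().split())


def alternative_parts_agree(raw, threshold=0.8):
    """Return (ok, ratio, reason) comparing the text/plain and text/html parts."""
    msg = message_from_string(raw, policy=default)
    plain = html = None
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and plain is None:
            plain = part.get_content()
        elif part.get_content_type() == "text/html" and html is None:
            html = part.get_content()
    if html is None:
        return True, 1.0, "no HTML part"
    if plain is None:
        return False, 0.0, "HTML message with no text/plain part"
    visible = unescape(re.sub(r"<[^>]+>", " ", html))   # tags stripped, entities decoded
    ratio = difflib.SequenceMatcher(None, _normalize(plain), _normalize(visible)).ratio()
    return ratio >= threshold, ratio, "ok" if ratio >= threshold else "text and HTML parts differ"


def build_alternative(plain, html):
    """Constructed sample: a multipart/alternative message from the two bodies."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "news@example.com", "user@example.net"
    msg["Subject"] = "Sample"
    msg.set_content(plain)
    msg.add_alternative(html, subtype="html")
    return msg.as_string()


# Constructed inputs: one honest message, one whose HTML says something else entirely.
GOOD_MSG = build_alternative("Our April issue is out. Read it on our site.",
                             "<p>Our April issue is out.</p><p>Read it on our site.</p>")
BAD_MSG = build_alternative("Thanks for reading.",
                            "<p>Special offer!</p><p>Click now for 80% off everything.</p>")
```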

ESP unwittingly used to send spam

Posted by laura on 11 Feb 2008 | Tagged as: ISP, Industry, Spam, Technical

Late last week I heard from someone at AOL that they were seeing strange traffic from a major ESP, traffic that looked like the ESP was an open relay. This morning I received an email from AOL detailing what happened as relayed by the ESP.

IronPort Open Relay Vulnerability

Systems Affected
IronPort A60 running software version 2.5.4-005. According to IronPort, later devices and software versions using the same filtering mechanisms are vulnerable.

Overview
In recent weeks, one or more rogue spammers have been using misconfigured IronPort A60s as open relays to send unsolicited emails for AOL users via open relay. It is important for IronPort device administrators to review their configuration to shore up any vulnerability to this web server exploit.

Diagnosis
A seemingly minor configuration mistake made years ago internally has been exploited over the last several weeks to send out massive amounts of unsolicited email to AOL users. The spam mail originated from an outside zombie server, apparently infected with remote mailing viruses (such as BackDoor.Servu.76) according to the IT contact at IP 66.139.77.16. <ESP> has a filter specifically designed to deliver email over IP ranges set for AOL only. However, it was listed before a filter designed to log and discard bounced emails coming in through the Internet-facing side of the IronPort appliance.

Impact
We have received 6,500 customer complaints so far through the AOL feedback loop. As the IronPort devices are black boxes, we are unable to determine how many unsolicited emails were delivered across them. It is difficult to ascertain whether or not the rogue spammer(s) knew only AOL addresses were delivered using this exploit. It is important to note that only AOL addresses were delivered in our specific case due to the order of the filters.

Solution
The solution was simple: move the filter designed to log and drop bounce messages coming in from the Internet to the top of the filter list so it will run first, as other filters may direct the IronPort device to deliver the emails through this vulnerability.

Authors: Jake Lanza, Baigh Auvigne, Daniel Fox

Congrats to the ESP for noticing this so quickly and being on the ball to stop the leak.

The compromise was first noticed when email coming back through the AOL FBL did not match any mail sent by the ESP. Initially, the ESP contacted AOL to report a problem with the FBL, but in working with AOL employees determined the email was coming from the ESP’s IP addresses.

This highlights the need to not just process FBL emails, but also to monitor them and react when there are emails in an FBL that you do not recognize.
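One way to do that reconciliation, as an added example that is neither the ESP's nor AOL's code: parse ARF-style feedback reports (the multipart/report layout later standardized in RFC 5965, assumed here to be what the loop delivers) and flag any whose original Message-ID is absent from the sender's own outbound log, which is exactly the signal that caught the open relay above. All addresses, IPs, message IDs and report contents are constructed.

```python
from email import message_from_string
from email.policy import default


def constructed_arf_report(source_ip, original_headers):
    """Constructed ARF-style feedback report (RFC 5965 layout) wrapping the original's headers."""
    return f"""\
From: fbl@isp.example
To: fbl@esp.example
Subject: Email Feedback Report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="part"

--part
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from IP {source_ip}.
--part
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Source-IP: {source_ip}

--part
Content-Type: message/rfc822

{original_headers}

--part--
"""


# Constructed headers of the complained-about messages, as the ISP would return them.
KNOWN_ORIGINAL = """\
From: Retailer News <news@retailer.example>
To: alice@aol.example
Subject: February savings
Message-ID: <20080210.1001@esp.example>"""
UNKNOWN_ORIGINAL = """\
From: Deals <deals@example.invalid>
To: carol@aol.example
Subject: Special offer
Message-ID: <abc123@zombie.example>"""

# Constructed outbound log: every Message-ID the ESP itself generated and sent.
SENT_LOG = [
    {"message_id": "<20080210.1001@esp.example>", "rcpt": "alice@aol.example"},
    {"message_id": "<20080210.1002@esp.example>", "rcpt": "bob@aol.example"},
]

# Both reports name the ESP's own (constructed) outbound IP, as in the incident above.
REPORTS = [constructed_arf_report("192.0.2.25", KNOWN_ORIGINAL),
           constructed_arf_report("192.0.2.25", UNKNOWN_ORIGINAL)]


def parse_fbl_report(raw):
    """Pull feedback type, source IP and the original's key headers out of one report."""
    msg = message_from_string(raw, policy=default)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "feedback-report":
        raise ValueError("not a feedback report")
    feedback = original = None
    for part in msg.iter_parts():
        if part.get_content_type() == "message/feedback-report":
            feedback = part.get_payload(0)        # nested header block
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)        # the complained-about message
    if feedback is None or original is None:
        raise ValueError("report is missing a required part")
    return {"type": str(feedback["Feedback-Type"]), "source_ip": str(feedback["Source-IP"]),
            "message_id": str(original["Message-ID"]).strip(), "subject": str(original["Subject"])}


def unrecognized_reports(reports, sent_log):
    """Reports whose Message-ID never appears in our own sent log: mail we did not send."""
    known = {entry["message_id"] for entry in sent_log}
    return [r for r in (parse_fbl_report(raw) for raw in reports) if r["message_id"] not in known]
```

A report that matches the log is an ordinary complaint to act on; one that does not means mail left your IPs that you never generated, which is the case to escalate.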

Ironport has responded here.

CAN SPAM compliance.

Posted by laura on 07 Feb 2008 | Tagged as: Definitions, Spam

Over on the ET blog, Al posted about how CAN SPAM compliance is not sufficient for you to not be spamming.

It’s a bit different perspective, but very complementary to my post yesterday about what is and is not spam. He and I have both heard from ISP people about how many requests for whitelisting or unblocking are prefaced with, “We comply with CAN SPAM,” and how meaningless that statement really is. Al has a longer discussion of why.

What really is “spam” anyway?

Posted by laura on 06 Feb 2008 | Tagged as: Blocking, Definitions, Spam

A few days ago I was reading the attempt by e360 and Dave Linhardt to force Comcast to accept his mail and to stop people posting in the newsgroup news.admin.net-abuse.email from claiming he is a spammer. The bit that pops out at me in this complaint of his, is the fact that he believes that by complying with the minimal standards of the CAN-SPAM act, he is not spamming.

The problem with this claim is that CAN SPAM lists the minimal standards an email must meet in order to avoid prosecution. CAN SPAM does not define what is spam, it only defines the things senders must do in order to not be violating the act. There is no legal definition of spam or of what is not spam.

To add to the confusion, there are a number of inconsistent and contradictory definitions of spam. Definitions people have used over the years include:

  • unsolicited bulk email
  • unsolicited commercial email
  • mail I don’t want
  • mail I don’t think my customers want
  • mail that is identical/similar to mail that hit my spamtrap
  • mail that was sent to a non-existent address at my domain
  • mail that contains HTML
  • unsolicited email
  • mail that advertises Viagra or porn sites or similar
  • mail that other people send

I rarely use the word spam. There are so many different definitions of spam, I have no way to know if my clients understand what I am saying, so I avoid the term completely. I do think it is important for senders to understand the definitions of spam as used by entities responsible for filtering large amounts of incoming email.

Spamhaus and some other blocking lists use “unsolicited bulk email” as their definition. Generally, they have addresses that have never been used to sign up for email, and if a mailer sends mail to them, the mailer is sending unsolicited bulk email and is eligible for listing on the blocklist. The lists believe that if a mailer is sending one piece of email to a user who did not request it, then they are likely mailing many other users who did not request any mail. This definition centers around permission, and only sending email when you have the permission of the recipient.

Many of the large ISPs use “mail our users complain about” as their definition. With this definition, they do not have to argue permission status with a sender. The data shows that their customers complain about mail from that sender or with that URL. The ISPs are going to block, or deliver to the bulk folder, email that their users do not want.

Filters and some blocking lists use “mail that has characteristics of mail we know is unsolicited bulk mail” as their definition. These characteristics can be things like an invalid HELO string, or lack of reverse DNS on the connecting IP address, or badly formatted HTML. Mail that looks like spam, in the technical sense, is often treated like spam.

Resolving a block or listing requires first understanding the definition that entity is using. For blocklists, senders usually must make changes to eliminate any possibility an address will get on the list without permission of the owner of that address. For ISPs, senders must decrease the complaints from users, usually accomplished by improving the signup process, getting an FBL from the ISP and sending more relevant email. For filters, fixing the technical issues, cleaning up HTML and sending mail that does not look like spam will resolve many of the issues.

Complying with the law is not sufficient to meet the standards of recipients. If e360 is sending mail users are complaining about, then the recipient ISPs are going to treat the mail as spam and filter or block it. If e360 is sending mail to people who have not requested it, then posters in NANAE are going to claim e360 is spamming. Is e360 sending mail that complies with CAN SPAM? I expect that they are. Does this mean they are not spamming as defined by some people? Of course not.

Wired editor has enough spam!

Posted by laura on 31 Oct 2007 | Tagged as: Industry, Spam

Seth Godin links to a post up over on The Long Tail about spammers who send PR mail to Chris Anderson, an editor at Wired. Apparently lots of people send automated email to the editor of Wired hawking their latest and greatest product, service or photos.

In response to this overwhelming amount of mail, Chris has instituted a new email acceptance policy. He says

So fair warning: I only want two kinds of email: those from people I know, and those from people who have taken the time to find out what I’m interested in and composed a note meant to appeal to that (I love those emails; indeed, that’s why my email address is public).

He then publishes a (fairly long) list of email addresses that have violated this policy in the last 30 days. Many of those addresses are ones I recognize; others appear to be the result of blowback.

Even more interesting is the discussion in the comments. It seems that some people recognized their email addresses on the list that Chris published and were unhappy. Dan says

So, I’m on this list. dan at onewordphotography.com. I’m a freelance photographer in Canada and I shoot a lot of travel stock. I have your email address and 7000 others by buying a list of what they call “image buyers” from a company called Agency Access. They tell me they get these lists by compiling them from questionnaires etc at trade shows and industry events.

Now, over the years, I have tried calling many of my intended targets but, when your market is magazine and book publishers all over the world and you have 7 to 10000 potential targets this can get expensive and impossibly time consuming. As well, the vast majority of creative buyers don’t even bother returning your phone call. I’ve tried individual emails which gets an even lower response. So, I started sending out stock list updates via a mass emailing and the response has been nothing short of phenomenal. […] The bottom line is, as a single entity operating a creative business, marketing to potential buyers is necessary, time consuming, expensive and difficult to do on an individual basis. As well, when the “broad brush” (okay, I’ll call it spam) approach works as well as it does for me, it makes sense to keep doing it.

I spent $10,000 this year on lists, email software, promotional cards etc. to promote my business and my work. You’re on a list of people who buy creative work that is sold to photographers every day. If you don’t really buy photography, why not just hit the unsubscribe button? Why give out your email? I get about 150 emails a day and travel 200+ days a year which makes it very difficult to get back to everyone after sorting through the spam I get but, it’s an unfortunate part of the business and I unsubscribe to stuff that does not appeal to me. […]

Chris follows up to that comment explaining that no, he never did sign up. As you read through the comments there is discussion about convenience and costs and who should not have to pay, or work, to advertise effectively.

To my mind it is a much more interesting discussion than happens on many of the anti-spam mailing lists, because a) the senders are getting a voice and b) there is not as much dogma about what is and is not acceptable.

Is what Chris is doing acceptable? There are a lot of different opinions on this, but here’s mine. Any individual has the right to block or not block email coming into their email address. Even if I have signed up for your email, I can still block you and that is just how it is. If I have not signed up to receive email from you, then you have no expectation that I will grant you the courtesy of unsubscribing. In this specific case, the address is a business address, and in these cases I expect that the employer has a say in the filters that are run against mail coming into business addresses.

Publishing a list of email addresses on a webpage, knowing those addresses will be harvested by spammers is beyond what I would ever do. But I do know that spam is annoying, frustrating and infuriating; doing something so small to get back at them can be hugely satisfying.

Al has a post on the same article, talking about how this demonstrates that purchased lists are not a good thing.

Experience as a recipient

Posted by laura on 26 Oct 2007 | Tagged as: Spam

One of the challenges of my job is to separate my personal feelings and experiences related to email marketing and spam from my advice to clients. I am here to make your delivery better, not to make everyone use email marketing the way that makes me the most comfortable.

That being said, I get a lot of spam across my various email addresses. If I have an extra few minutes I’ll sometimes send complaints, but more and more it is too hard, too complicated and / or the ISPs do not care anyway. In the last 2 weeks I’ve had 3 experiences with unexpected / unwanted email (aka: spam) where I did take action.

  1. Bank of America.
  2. Neolane.
  3. Xign Corporation.

Bank of America
I would never have chosen to be a BoA customer, but they bought out MBNA a while ago and I ended up as a customer of theirs. I’m not happy with them, but there is inertia and a very high (unused!) credit limit involved. Bank of America decided that all their customers needed to receive emails when a new bill is prepared. Fair enough, a lot of people probably like this. I do not, and am slightly annoyed that I am receiving sensitive financial information by email when I did not request it, but it should be a simple issue to unsubscribe, right? Not so much, no.

The email I received says:

If you want to stop receiving e-Bill summaries via email, follow these steps:

  1. Sign in to Online Banking.
  2. Click the Bill Pay & e-Bills tab.
  3. Select Automatic Payments.
  4. Locate the payee for which you would like to cancel e-Bill summaries through email.
  5. Select Add/Edit/View.
  6. Remove the check mark from the box that reads I would like to receive e-Bill summaries via email. You will continue to receive e-Bills in your Online Banking Service.

I log in to follow the instructions but get stopped at step 5. BoA requires that I provide them with a checking account number and routing information in order to proceed. When I call the bank the phone folks are very helpful, but still, I should not have to call my bank in order to stop receiving email I never signed up for in the first place.

Moral of the story: Do not sign up customers for email and then prevent them from easily unsubscribing.

Neolane.com
They have managed to find an email address belonging to me. I’m not sure how, as it is not published anywhere and I do not think I have had any contact with Neolane. They keep sending me notifications for webinars. I noticed that at the bottom of the email there was a copyright belonging to a company I have interacted with in the past. I contacted someone I know over at that company and asked him if he knew how I signed up for this list. A flurry of emails later, he told me that Neolane is a partner and is mailing to their own list and they will probably contact me. My contact also commented that his clicks and opens have been decreasing recently and he has not been able to figure out why, but this may help explain it.

Moral of the story: Affiliates and partners mailing your content or even links to your site may cause you delivery problems.

Xign Corporation
Xign is an online billing and payment processor. They handle billing for one of our Abacus customers. I did sign up at the Xign website, but only because that was the only way to invoice the customer. I have received the occasional email from Xign about web outages and maintenance windows. I did not really want them, but could see how they were relevant to my registration on the website.

Last week, however, JPMorgan Xign decided to send me a blatant advertisement for their services, touting how much more efficient I will be if I just use their online invoicing system. I contacted their ESP and pointed out that while I had registered at the Xign website I was not a customer and really did not want this kind of email. I also suggested that the ESP might want to check the permission status of this list. The ESP responded quickly, saying that no, really, this was not permission and they would have a chat with their customer before any other emails went out.

Moral of the story: Just because someone registers at your website does not mean they are your customer.

For the most part, these are exceptional examples. They are certainly not examples of companies blatantly and unrepentantly spamming. They are, however, examples of poorly implemented marketing or bad decisions made by the sender.

How well do you know your email marketing program? Could you be tripped up by similar issues?