Spam Resource

Twitter Rolls Out Two-Factor Authentication

2013-05-24T10:42:00.001-05:00

It's Twitter's turn to jump on the two factor bandwagon. I'm sad that it didn't happen sooner, but still happy to see them joining the ranks of Apple, Yahoo, Google, Microsoft and Facebook.

Please, please, please consider turning on two factor authentication on your accounts! Yet another industry colleague found their Twitter account hacked yesterday, used to send me some sort of weight loss spam link. If they had turned on two factor authentication, I don't think that would have happened. Two factor authentication really does improve your chances that you'll keep bad guys from accessing your accounts and data.

Apple Rolls out Two-Factor Authentication

2013-05-10T10:31:00.001-05:00

I'm a big fan of two factor authentication. I've been using it on my Google accounts forever. Yahoo has it. Microsoft has it. Now, Apple has it, too! I'm very glad to hear this. I'll be setting it up for my account this weekend.

A New DNSBL: DNSBL Chile

2013-05-01T15:55:00.000-05:00

It's been a long time since I've noticed a new anti-spam blacklist (DNSBL) out in the wild. For more information, click on over to the DNSBL Chile article on DNSBL.com.

Dutchman Arrested in Spamhaus DDoS

2013-04-29T09:30:00.001-05:00

Brian Krebs reports on the arrest made in response to the recent massive distributed denial-of-service attack against anti-spam group Spamhaus.

(Hat tip: Laura Atkins)

Groupon is Hiring

2013-04-17T10:24:00.000-05:00

Groupon is looking for an email deliverability engineer to be based in Sidney, NSW, Australia. From the posting: "The role of Email Deliverability Engineer will ensure optimal inbox rates through daily monitoring of outbound mail and inbox placement, following best practices, and keeping up with changing industry laws and regulations. This person will report to the head of the deliverability department delivering regular reporting and analysis on deliverability performance." Click here to learn more.

Edit: I almost missed that Groupon is also looking for someone in Berlin as well.

COI: Another List Manager's View (or two)

2013-04-16T15:18:00.000-05:00

Ken Magill posted today on "Why Fully Confirmed Opt-in Sucks." It's definitely worth reading, and I hear where Ken's coming from.

To "lose a subscriber" through their failure to confirm, that can really hurt when a list is pretty small. I should know -- I do know this myself -- because I managed the email list for my friend's wonderful jazz club in St. Paul, Minnesota, from late 1998 through mid-2006. (That would be the Artists' Quarter, by the way, and you should definitely go there next time you're up in the Twin Cities. Tell Kenny and Davis that Al sent you.)

For the AQ email list, I used COI from the start. It wasn't necessarily a political statement. It was born of using the tools I had handy. I had previously written a confirmed opt-in list management tool myself, so that's what I used.

After about five years in, I think we had about five thousand confirmed subscribers. It grew pretty slowly but regularly throughout that time. A local jazz club's marketing efforts aren't necessarily like big business. Even so, eventually we hit a critical mass where the email messages became more important than monthly postal mailings of the club's calendar. The emails clearly drew patrons into the club and back to the club. The way we knew that is because whenever I would accidentally typo a cover charge in an email message, it was usually me publishing it as lower than the actual cover price, and a group of folks would always complain upon reaching the club's front door only to find that the door man wanted more for entry than it said in the email message. (Side note: Typos -- I never realized what a quick and easy measure of success they can be.)

Yes, occasionally somebody couldn't figure out to click a link. That's something you'd see less of today, I suspect, but back then it was no more than a handful of people per year who would reply to the confirm email or otherwise contact me, complaining that they weren't receiving the emails or didn't know what to do.

Somewhere, I've got the final signup logs, showing all the people who didn't confirm. Sadly, I couldn't find the data to share it with you (and it would be pretty old by now, wouldn't it?). But, my recollection is that what unconfirmed addresses were submitted were mostly garbage, primarily typos. And the occasional fraudulent subscription attempt. Being a loud and well known anti-spammer meant that people would occasionally try to indirectly cause problems for me by causing problems for my friends -- that's where that kind of thing came into play.

Anyway. Long story short, COI made sense in my specific use case, and wasn't problematic.

You've got random marketers here and there yelling about how you should never use COI (or even respect engagement), and you've got Ken's well considered article on his specific use case, so I thought I would share mine as well.

In closing, let me tell you what I told Ken over in the comments on his article: There's a certain class or certain type of marketer basically running around flailing their arms and yelling about how best practices are stupid, advice suggesting caution is stupid, we see other people do it wrong, why can't we do the same? Well, my response to that is this: Not every poor mailer gets blacklisted -- just like not all poorly built buildings fall down. That doesn't mean the caution recommended and expertise provided by your local neighborhood deliverability expert was wrong. It means you got lucky. Not everybody gets lucky every time, and some of us think it might be wise to build in some safeguards, since some of us think they're better than luck in the long run. Back to the building analogy -- I can't stop you from building it faster and higher, unsafely, but you also can't act surprised if and when it comes crashing down. Because I've seen it happen a couple times a month for the past ten years. Some months more than that, some months fewer, but it all averages out.

Payday Loans in the News

2013-04-15T10:19:00.002-05:00

It looks like email permission is not the only challenge for some payday loan marketers. Case in point: This weekend I ran across this story on Slashdot explaining how a Wordpress plugin was hacked to include a link to a UK payday loan site.

Tons of Misdirected Mail

2013-04-12T09:59:00.001-05:00

In Laura Atkins' blog post where she shares her thoughts on COI, she links to this amazing article from the New Yorker, where Matthew J.X. Malady shares a bit of insight about the vast amounts of misdirected mail received at his own vanity Gmail account.

Does COI make sense?

2013-04-11T13:47:00.002-05:00

You've read one point of view somewhere else. Now go read this different, very well thought out take on the subject. It provides a very good overview of the considerations surrounding whether or not you would want to implement confirmed opt-in.

Two-step auth coming to Microsoft?

2013-04-09T11:59:00.001-05:00

I'm very happy to hear that two-step (also call two-factor) authentication is coming to Microsoft, supposedly in the near future. Yahoo! and Google have had it for a while now, and I'm a big fan. Getting spam from a friend's hacked account is a common attack vector and anything that a platform and its users can do to better lock down accounts to prevent unauthorized access means less spam for you and me.

On a related note, my iPhone broke recently. I backed it up, then brought it in to an Apple store near my office, where it was cheerfully replaced with a new phone under warranty. I'm all set, I thought. I've got everything backed up. Except -- the backup did not include my account settings for Google Authenticator, the two factor authentication token provider app for iOS. Oops. And I had changed a cell phone number somewhere around 12-18 months ago, and thus, some of my accounts didn't have a working backup phone number associated with them. I was able to work it all out, but it took some fiddling, and I did end up locking myself out of one lesser used account. Don't be like me -- make sure you go in and check your two-factor settings and make sure everything there is still correct. (And for lesser used accounts, consider using SMS rather than an authenticator app. If you're like me and likely to keep the same phone number for the foreseeable future, you'll be able to receive that text message on whatever new phone you might purchase down the road.)

And finally, a clever hack: My friend Mickey Chandler pointed out to me that you can sync Google Authenticator in a way that allows more than one device to be the token provider for a given account. Is this less secure? I'm not sure, but I love the idea of perhaps having my wife's phone be configured to provide codes for my accounts in a pinch, and vice versa.

Sky.com Transitioning to Yahoo! Mail backend

2013-04-08T13:44:00.001-05:00

One of the UK's largest ISPs, Sky.com, has hired Yahoo! Mail to run their email infrastructure. For more information, surf on over to this page with current status and details. Sounds like it's not going so well for subscribers.

What does this mean for senders? Smart UK deliverability consultant Richard Bewley brought two very important questions to my attention: Does this mean that the Yahoo! FBL now covers sky.com? And also, does this mean that a poor sending reputation with sky.com recipients will impede your overall ability to get mail to the inbox at any Yahoo-hosted mailboxes? I'm not sure of the answers to those questions today, but I rather suspect we'll eventually hear "yes" to both of those. Stay tuned!

(H/T: Richard Bewley)

Worst Write-up?

2013-04-01T11:42:00.004-05:00

Can't blame this on the date, as it was posted days ago. This publication would like you to know that "the attacks were focused on a company called Spamhaus, which maintains a "domain name system" to connect a typed-in URL to the correct server hosting the appropriate content."

Uh, what? You probably shouldn't be allowed to write any more stories covering tech until you learn what a spam filter is, what a DNSBL is, and even what DNS is.

Spamhaus DDoS in the News

2013-03-29T11:35:00.000-05:00

Spamhaus sure seems to be in the news a lot lately. Or at least, I'm mentioning them on my blog an awful lot lately.

The latest coverage concerns a rather large DDoS (Distributed Denial of Service) attack against Spamhaus, which effectively pushed bits of their infrastructure offline for a time, as the internet connections linking to this infrastructure were flooded with garbage traffic.

Gizmodo claims that it didn't happen. Spamhaus and Cloudflare both disagree. It even got coverage in the New York Times and on CNet. Laura Atkins' linked to a more reasonable (less sensational) bit of explanation published by the Internet Storm Center. (If you only click through to one of these links, that's the one to read.)

The internet didn't die, and I wasn't kept from streaming Netflix. But, clearly, there was some time when Spamhaus' website was offline, and according to commenters on Laura Atkins' Word to the Wise blog, they were slow in responding to queries and delisting requests.

Incidentally, I'm a big fan of Gawker and Gizmodo, so I was bummed to see the Gizmodo article got some important facts wrong. I'll leave which facts as an exercise for the reader. And if you like a good (crazy) conspiracy theory, John C. Dvorak pulls a good one right out of his nose and flicks it onto the page for all to read. His fantastic scientific testing methodology apparently includes measuring a DDoS through comparison of load times of two single internet web pages, and a picture of Julian Assange confuses him into thinking that he's found the secret, true cyber-home of Wikileaks (he hasn't).

That Wasn’t Funny

2013-03-21T11:55:00.001-05:00

I’m married to a feminist. My wife, Kate Harding, knows a thing or two about rape culture, bad guys and misogyny. (In fact, she’s the author of “Asking For It” forthcoming from Da Capo Press in Fall 2013.)

She has long shared with me stories about women being treated shabbily both in real life and online. (You wouldn’t believe the vast amount of “I hope you die you f-ing b-" and much worse that female bloggers, in particular, have to put up with. **) And hey, I work in technology, so I’ve observed misogynistic behavior myself, and in particular, at a few different conferences over the years. (Don’t take my word for it -- read about the crappy attacks aimed at one attendee who loudly complained about sexism at a recent technology conference. I know that some folks I respect will disagree with me, but upon reflection, I think it is good that she spoke out, reminiscent of the Hollaback! movement.)

Anyway. Because of all of that, I guess I would never have thought it was a good idea to write something up for a deliverability tips/news blog in the guise of asking women at a particular conference to “come up to my room and throttle my IP address” or whatever the heck that was supposed to be. But, it feels that perhaps I come at this from a different perspective, because of the people I know and what I’ve learned from them. (And for the record, MAAWG has an excellent conduct policy.)

I’m sharing this all with not to shame anyone, but to educate. Please, listen and learn, and try to make the world a better place. Don't make these problems worse, not even a little bit.

( ** There is much worse I could link to. My wife has blogged about online harassment at length. I couldn't even share the link to my favorite post on a PG-rated blog. Email me for the URL.)

Crazy on Display

2013-03-20T10:12:00.001-05:00

Ken Magill tweeted this today:

If anyone still wonders why Spamhaus keeps at arm's length, check out the comments on this bit.ly/10e7i3y
— Ken Magill (@Kmagill) March 20, 2013

Meaning, if you're wondering why some of the Spamhaus people tend to use pseudonyms, why they tend to keep everything in email, et cetera, read Ken's article. The article is a bunch of Q&A with Spamhaus representatives, answering questions submitted by readers, mostly marketers. The comment thread was hijacked by somebody very mad about Spamhaus and who seems to be screaming "terrorism!" and trying to make a lot of other points that I'm not totally understanding.

So, yeah. There's that. Which pretty well aligns with what I said on the subject recently.

I did a bit of Googling the other day to look for more info on who hates Spamhaus and the people involved with Spamhaus. There's a whole Facebook group filled with stuff about "killing them all" and "stopping the US Government Zionist Conspiracy." So, yeah. They're dealing with that kind of thing, too.

Yuck.

(Edit: Uh, there USED to be a bunch of wacky comments at the bottom of that Magill post. They all seem to have disappeared.)

Another Dead DNSBL

2013-02-11T16:31:00.001-06:00

It seems as though my website over at DNSBL.com has turned into a graveyard for dead DNSBLs. Over the past few years, I've observed more than a dozen blacklists go missing, and I've written about more than a dozen others who were shut down prior to that or weren't valid to begin with.

Here's a new tombstone for you to review: DNSBL bl.csma.biz no longer exists.

Remember when there used to be hundreds of live and useful DNSBLs out there? Well, maybe not hundreds. There did, however, used to be more than three, once upon a time.

On Spamhaus and Anonymity

2013-02-06T11:56:00.001-06:00

A number of months ago, Steve Linford of Spamhaus replied to columnist Ken Magill on the topic of why Spamhaus editors don't typically provide their names. I highly recommend reading it, then coming back to my post to get my thoughts on this.

This occasionally comes up at the day job, clients can get (understandably) frustrated that they don't necessarily know who they're dealing with, why all communication must be via email, and that the Spamhaus people don't seem have a hotline you can call and get answered by a live person.

I've talked to a few of the Spamhaus folks, in email and at various conferences, and they've mentioned to me multiple times that there are real threats out there, real criminal gangs, who would probably take physical action against Spamhaus people, given half a chance. They tell me they get various threats periodically, and I don't doubt it. I've even observed it once myself. Way back in 2003, I saw an alleged spammer come to an FTC event on spam law in Washington, DC and start screaming at people who worked for Spamhaus.

Sometimes people are just crazy. Just "all mouth." Maybe they wouldn't follow through on their crazy threats. I hope so, because I've got my own "hate pages" out there, too. One where an angry spammer made up this stuff about how I "make a woman do my fighting for me" because he couldn't get me on the phone, 12 years ago when I worked for a spam filterer. Or the guy who thinks that it's appropriate to call me a pedophile because he doesn't like that I talked about some specific spam issue on my blog. And I don't really do anything but blog. Can you imagine how much more and how many more crazy people would hate me if I was actually blocking their spam?

A representative from a known brand sending mail through a known, respected email service provider is a far cry from a crazy person. They're generally good folks all around, for sure. They invariably ask if Spamhaus is painting them with the same "crazy brush" by declining to provide names and contact information. They sometimes assume so, and this makes them upset. But, I always explain that I don't think that is the case. My guess is that it's not that Spamhaus is painting them all with the same brush. My guess is that Spamhaus is just being smart. The fewer people that know the backend details, the greater chance there is that some of it could leak to somebody, then to somebody else, then to somebody else, and then on to a really bad guy who might try to attack somebody.

Heck, I wish I knew more about the internal workings of Spamhaus myself, but I don't really fault them for playing it close to the vest.

A bit of spam history

2013-01-28T11:37:00.003-06:00

Steve Atkins of Word to the Wise has posted a very interesting story, detailing a little bit of spam history from just over ten years ago. According to Steve, a gentleman who used to work for a spammer participated in a Reddit AMA (Ask Me Anything) question and answer session, talking about his participation in spam-related activities and what he remembers about the industry at that time.

On the Recent Yahoo! Mail Exploit

2013-01-09T11:36:00.002-06:00

Over on the ExactTarget blog, Carlo Catajan explains the recently discovered (and since closed) Yahoo! Mail account security issue.

Friends in high places?

2012-12-13T14:38:00.002-06:00

If you're looking for something ranty to read today, head over to Slashdot, where Bennett Haselton goes off at length about how his messages got spamblocked by Yahoo and Hotmail due to something related to bad/blacklisted domains in the body of his email messages.

I can understand his frustration. I know it's not always easy or fun to deal with a blacklisting issue. But I did want to call out one piece of pure balogna: That ESPs somehow have backchannel agreements with ISPs or have "friends" at those ISPs who help to get the mail delivered.

In response to "what are you paying for when using an ESP," he writes, "What you're paying for is the fact that [ESPs] have friends in the right places at Hotmail, Yahoo, and Gmail, so if your mails are getting blocked, they know the people to call to fix the problem."

Sorry, but that's just flat out not true. When you're sending through an ESP and you get blocked at an ISP and you're working with your ESP, the ESP doesn't have a hotline to call, an individual to reach out to, to get you personalized service. That just doesn't scale at all for the ISP or webmail provider. Most of the ISPs have web forms you submit, then eventually, somebody will get back to you. And sometimes that reply comes from a tier 1 support rep who didn't understand your issue. It's a slow and frustrating process. What ESP people really do is try to train their clients to not get blocked in the first time, because prevention has a much greater chance of success versus cure.

So, whatever you do, don't utilize an ESP based on the strength of Bennett's statement, because it's just plain wrong.

Email is Not Anonymous

2012-11-13T12:44:00.002-06:00

Just ask former CIA Director Gen. Davis Petraeus. And truth be told, 99.9% of the time it doesn't even require the FBI's help to figure out where that email message actually came from.

Ask Al: What of the MAPS RBL?

2012-11-06T10:18:00.001-06:00

Jerry writes, "I have a question about spam of all things. I'm on the client side now at company X and I am talking with their email group about opt-in permission. I'm learning they're not exactly worried about the opt in status of the customers getting their promotional emails.

I remember from back in the day that the MAPS RBL was the main group going after people who didn't respect opt-in permission. Has the RBL relaxed its stance since the last time I did promo emails so many years ago? Do spam complaints no longer carry the threats they once did?

I know our company is purchasing lists for prospecting. How do we avoid getting blacklisted? We just need to more closely verify that these people have opted-in, right?"

Jerry, thanks very much for your question.

The MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List) was the first anti-spam blacklist (or blackhole list), created by Paul Vixie. Back when I had my turn as a volunteer (1999), and then an employee (2000), for MAPS, a MAPS RBL blacklisting was like deliverability death. A typical sender's bounce rates would skyrocket to more than 60%. A lot of time has passed since then. MAPS still exists as a brand or subdivision of anti-spam/security vendor Trend Micro, and certainly, their security/reputation services are widely used. It's not like it was in the old days, though.

The blacklisting risk is still there, though. Today the risk is from Spamhaus and their SBL (Spamhaus Block List). Spamhaus representatives watch their spamtrap feeds to look for evidence of senders (companies, organizations) not complying with best practices, and will then list a sender's mailing IP addresses on the SBL. The SBL is very broadly subscribed to. Bounce rates will jump to over 60%. More than half of the top ten US consumer ISPs subscribe to the SBL, meaning you're very widely blocked when they blacklist you. Also, Spamhaus is very widely respected in the security and anti-abuse community.

As far as how to make purchased lists work, I really don't think they're going to work for your company. You might not get instantly blacklisted -- for the same reason you're not going to get caught speeding every time you do it. The cops aren't always watching the same corner every day. But eventually, it'll catch up to you. You'll end up blocked at a Yahoo or a Hotmail. Or you'll end up blacklisted by Spamhaus. And cleaning up from that issue is really, really painful. You'll have to throw away all the purchased records and probably run a reconfirmation run against the rest of your subscriber database. It'll decimate your database. Response rates will be poor. In my experience, it's much less painful to try to keep your data clean and clear of bad stuff on the front end, then have to try to clean it up after the fact.

I do think that Spamhaus has made an active effort to sort of "step up their game" when it comes to big brands sending unsolicited email. I check the Spamhaus "latest entries" page a few times a week and I'm starting to see bigger brands more often. Occasionally a Fortune 500 company and/or Hot 100 retailer. And I overhear people talking at conferences about how Spamhaus seems much more aggressive than in years past. So I would theorize that the risk of a blacklisting is higher today than it was in the past.

CRTC Issues Updated Canadian Spam Law Guidelines

2012-10-12T16:37:00.001-05:00

Canadian privacy lawyer Shaun Brown shares the latest info over on EmailKarma.net.

Confirmed Opt-in in the Wild

2012-09-17T08:00:00.000-05:00

Every once in a while I have to inform somebody that it is necessary to move their signup process to confirmed opt-in (aka double opt-in) to fix a delivery or blacklisting issue. Not everybody wants to do it. Some folks will tell me that they shouldn't have to do it because nobody else in the whole world does it.

Turns out, that's just not true.

I run across lots of sites utilizing COI/DOI as part of their email list signup process. Here's one I ran across today: Cook Brothers, a large discount retail store located here in Chicago. They claim to "Stack em Deep and Sell em Cheap." Not sure if that's true, as I haven't checked the store just yet. But having just signed up for their email list, I can tell you that it does indeed utilize confirmed opt-in. Check it out for yourself.

RFC Ignorant Blacklist Shutting Down

2012-09-15T12:14:00.003-05:00

Find more details over at DNSBL Resource.