CAN-SPAM Ruling: Domain Ownership Masking Deceptive

Over on his blog, John Levine shares his thoughts on the default judgment in Zoobuh v. Better Broadcasting. Though it's a default judgment, the judge actually seems to have spent some time researching the law and didn't just blindly affirm everything the plaintiff presented.

Venkat Balasubramani covers this over on Eric Goldman's Technology & Marketing Law Blog, as well.

TL;DR? If you're a marketer, what this tells you is: 1. You should not hide domain ownership info behind "Domains-by-Proxy" or similar; and 2. It is not acceptable to make the unsubscribe link an image.

(Smart marketers already avoided WHOIS ownership masking services, because they know that their use makes ISPs and anti-spammers hate you.)

DMARC: Please Be Careful!

Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It's great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What's really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers -- I've stopped digging those messages out of the spam folder. I'm figuring that if they can't figure out how to implement a DMARC record, or they don't understand that it's not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they've got some things they've got to figure out before they're ready to join the discussion.

To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.
  1. Testing and monitoring are very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings; my experience is that when this happens, you've probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you're making it harder for people to read your posts and respond to them. Not everybody's going to go to the trouble of whitelisting you or clicking "not spam" every time you post.
  2. Remember that DMARC doesn't play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It's very easy for mailing list posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place for usage on a domain with real, live users. That's open to debate, but certainly, operational complexity increases.
  3. Remember that DMARC wasn't really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren't a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)
It amazes me how many people have never thought of signing up for a Gmail or other account to see how their own messages are being handled by a large ISP. Please, please, please consider doing that.
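
To make the mailing list problem from item 2 concrete, here is a simplified DMARC evaluation run on the same post before and after it passes through a list. This is an added example, not code from the original post; the function names, domains and authentication results are constructed, and the organizational-domain lookup and the single alignment flag are labelled simplifications.

```python
# Added example: simplified DMARC check (identifier alignment, RFC 7489).
# All domains and authentication results below are constructed sample data.

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    # Real records set this separately for SPF (aspf) and DKIM (adkim).
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(msg, policy="reject", strict=False):
    """Return (result, disposition) for one message as a receiver sees it."""
    frm = msg["header_from"]
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], frm, strict)
    dkim_ok = any(res == "pass" and aligned(d, frm, strict)
                  for d, res in msg["dkim"])
    # DMARC passes if either mechanism passes AND aligns with the From: domain.
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)

# Constructed: a post sent straight from the author's own server.
DIRECT = {
    "header_from": "example.com",
    "mail_from": "bounce.example.com", "spf": "pass",
    "dkim": [("example.com", "pass")],
}
# Constructed: the same post after a list rewrote the return path and
# appended a footer, which invalidates the author's DKIM signature.
VIA_LIST = {
    "header_from": "example.com",
    "mail_from": "list.example.org", "spf": "pass",
    "dkim": [("example.com", "fail"), ("list.example.org", "pass")],
}

def demo():
    return {
        "direct": dmarc_eval(DIRECT),
        "via_list_reject": dmarc_eval(VIA_LIST, policy="reject"),
        "via_list_none": dmarc_eval(VIA_LIST, policy="none"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The list's own SPF and DKIM both pass, but neither aligns with the author's From: domain, so the post fails DMARC and the author's published policy decides what happens to it.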

Twitter Rolls Out Two-Factor Authentication

It's Twitter's turn to jump on the two-factor bandwagon. I'm sad that it didn't happen sooner, but still happy to see them joining the ranks of Apple, Yahoo, Google, Microsoft and Facebook.

Please, please, please consider turning on two-factor authentication on your accounts! Yet another industry colleague found their Twitter account hacked yesterday, used to send me some sort of weight loss spam link. If they had turned on two-factor authentication, I don't think that would have happened. Two-factor authentication really does improve your chances that you'll keep bad guys from accessing your accounts and data.

Apple Rolls out Two-Factor Authentication

I'm a big fan of two-factor authentication. I've been using it on my Google accounts forever. Yahoo has it. Microsoft has it. Now, Apple has it, too! I'm very glad to hear this. I'll be setting it up for my account this weekend.

A New DNSBL: DNSBL Chile

It's been a long time since I've noticed a new anti-spam blacklist (DNSBL) out in the wild. For more information, click on over to the DNSBL Chile article on DNSBL.com.

Dutchman Arrested in Spamhaus DDoS

Brian Krebs reports on the arrest made in response to the recent massive distributed denial-of-service attack against anti-spam group Spamhaus.

(Hat tip: Laura Atkins)

Groupon is Hiring

Groupon is looking for an email deliverability engineer to be based in Sydney, NSW, Australia. From the posting: "The role of Email Deliverability Engineer will ensure optimal inbox rates through daily monitoring of outbound mail and inbox placement, following best practices, and keeping up with changing industry laws and regulations. This person will report to the head of the deliverability department delivering regular reporting and analysis on deliverability performance." Click here to learn more.

Edit: I almost missed that Groupon is also looking for someone in Berlin.

COI: Another List Manager's View (or two)

Ken Magill posted today on "Why Fully Confirmed Opt-in Sucks." It's definitely worth reading, and I hear where Ken's coming from.

To "lose a subscriber" through their failure to confirm, that can really hurt when a list is pretty small. I should know -- I do know this myself -- because I managed the email list for my friend's wonderful jazz club in St. Paul, Minnesota, from late 1998 through mid-2006. (That would be the Artists' Quarter, by the way, and you should definitely go there next time you're up in the Twin Cities. Tell Kenny and Davis that Al sent you.)

For the AQ email list, I used COI from the start. It wasn't necessarily a political statement. It was born of using the tools I had handy. I had previously written a confirmed opt-in list management tool myself, so that's what I used.

Payday Loans in the News

It looks like email permission is not the only challenge for some payday loan marketers. Case in point: This weekend I ran across this story on Slashdot explaining how a WordPress plugin was hacked to include a link to a UK payday loan site.

Tons of Misdirected Mail

In Laura Atkins' blog post where she shares her thoughts on COI, she links to this amazing article from the New Yorker, where Matthew J.X. Malady shares a bit of insight about the vast amounts of misdirected mail received at his own vanity Gmail account.

Does COI make sense?

You've read one point of view somewhere else. Now go read this different, very well thought out take on the subject. It provides a very good overview of the considerations surrounding whether or not you would want to implement confirmed opt-in.

Two-step auth coming to Microsoft?

I'm very happy to hear that two-step (also called two-factor) authentication is coming to Microsoft, supposedly in the near future. Yahoo! and Google have had it for a while now, and I'm a big fan. Getting spam from a friend's hacked account is a common attack vector and anything that a platform and its users can do to better lock down accounts to prevent unauthorized access means less spam for you and me.

Sky.com Transitioning to Yahoo! Mail backend

One of the UK's largest ISPs, Sky.com, has hired Yahoo! Mail to run their email infrastructure. For more information, surf on over to this page with current status and details. Sounds like it's not going so well for subscribers.

What does this mean for senders? Smart UK deliverability consultant Richard Bewley brought two very important questions to my attention: Does this mean that the Yahoo! FBL now covers sky.com? And also, does this mean that a poor sending reputation with sky.com recipients will impede your overall ability to get mail to the inbox at any Yahoo-hosted mailboxes? I'm not sure of the answers to those questions today, but I rather suspect we'll eventually hear "yes" to both of those. Stay tuned!

(H/T: Richard Bewley)