Do you need COI/DOI? Probably.

In case you've been living under a rock, or you've been lucky enough to not be affected, here's the deal: Some bad guys, probably Russian or Eastern European, have decided to mail-bomb unsuspecting folks by signing them up for many hundreds or thousands of mailing lists. The bad guys built a tool that either searches for or has a list of signup forms at many hundreds or thousands of websites. The bad guys then submit many email addresses to those forms.

The net result is, if you're on the wrong end of this attack, your mailbox gets filled up with a bajillion newsletters. Some from big brands. Some from small brands. Some from companies you've heard of. Some from non-profits you've never heard of.

In a recent post, Brian Krebs of Krebs on Security shared his own experience with being mail-bombed in this way. Brian said that it's targeting .gov addresses, but I know from what I'm seeing that it's broader than that. It's definitely not targeting just .gov addresses. It also seems to be targeting various anti-spam groups, security researchers, email administrators, and so forth.

For senders, this is bad news, because you end up with a bunch of subscribers that don't want your mail, and they're drowning under mail. They're mad that you're part of the flood. They're going to report that mail as spam, if they can. It's not going to help your sender reputation.

And on top of that, Spamhaus has gotten involved. As Laura Atkins of Word to the Wise reports, the problem has grown large enough for anti-spam blacklist group Spamhaus to take notice. Their position is that the senders operating open mailing list signup forms are running attractive nuisances, and that the best way to stop this problem is for list managers and email marketing managers to update their signup forms to implement functionality that prevents or deters the bad guys from mass submissions of non-opt-in email addresses.

How? What I'm hearing is that the best things you can do are implement a double opt-in process and/or implement a CAPTCHA process on your signup page, to prevent bots from signing up.

Double opt-in, aka confirmed opt-in, isn't new, and isn't very hard to set up. (Heck, here's a link to me talking about it on this very blog, thirteen years ago.)

And if you're already using double opt-in? Now would be a bad time to turn it off. Spamhaus has taken to blacklisting senders whose lists were fed by these bad guy bots. Spamhaus has listed more than FIFTY different ESP/ISP senders in the past two weeks over this issue. It's clearly an issue Spamhaus is taking seriously, and is watching out for.

Whether or not you like or respect Spamhaus, getting blacklisted by them just kills your deliverability. Their blacklists are broadly used and they as an organization are widely respected by internet service providers. My recommendation is, if you run a mailing list or an email marketing program, implement double opt-in and CAPTCHA today, to avoid the huge deliverability woes that come with a Spamhaus blacklisting.

Want to learn more about this email subscription bombing problem? You can read more about it over at the Return Path blog.

Yahoo: Deferring Inbound Connections Today

Since about 6:00 am eastern this morning, Thursday, August 25, Yahoo has been deferring delivery attempts from almost every ESP or mail platform I'm hearing from. My guess is that there's a spam filter update issue or system capacity issue over at Yahoo. As far as we can see, almost all inbound mail is affected. Inbound connections are timing out, or giving unexpected TS01 errors, or giving "temporarily deferred" errors.

Stay tuned, I'm sure the good folks at Yahoo are on it and will address the issue as soon as possible.

Where do I get a new IP address?

Someone asked me the other day, where can they get a new IP address? Their current IP address is "blacklisted" at Yahoo and Hotmail, I was told. It's easy enough to get a new domain name, but what about the IP address?

They let me know that their deliverability was suffering and that getting this fixed was very important to them.

I had to ask, though, why do they think the new IP address wouldn't have deliverability issues? Deliverability issues are reactive. Something has to have happened to make the ISP take a dim view of your mail, of your IP address. You don't just get blacklisted because your IP address contains a "7" in it. Something has to change in your sending or list hygiene practices. Are you engaging in email append? Are you buying lists? Are you sending to very old data?

Until you figure out what's causing the "blacklisting" and actually fix that, don't expect a new IP address to just magically fix everything. What will happen is, you'll try to warm that IP address up, it'll seem to go okay for perhaps a few weeks, but then you'll start to see the same issues on the new IP address that you saw on the old IP address.

It's kind of like changing your shirt because it's got blood on it. If you've got a bloody wound, changing your shirt doesn't actually close the wound.

Gmail now requiring SPF or DKIM

Google just announced that if a message received at Gmail cannot be authenticated by way of either DKIM or SPF, the user interface is going to show a question mark in place of the sender's avatar or logo. Click here to learn more.

Yahoo, AOL to both be owned by Verizon

Verizon announced today that they are buying (most of) Yahoo for 4.8 billion dollars in cash. Back in 2015, they purchased AOL for 4.4 billion dollars. This means that three different email receiving platforms are now owned by one entity: Verizon. It's hard to say what becomes of the Verizon, AOL and Yahoo! Mail platforms in the future. Since purchasing AOL, Verizon seemed to continue to invest in the AOL mail platform, and some Verizon email users were transitioned to AOL infrastructure. But now that Verizon will own both the AOL and Yahoo! Mail email platforms, both of which I suspect are pretty robust, there could be some internal competition regarding which email platform ends up being the primary one used across all users. Or would they keep both the AOL and Yahoo! Mail platforms running separately? We will see.

TL;DR? Verizon now owns both Yahoo and AOL. Future impact to senders unknown, sit back and stay tuned.

Edited to add: Here's another take on how the consolidation of the two platforms could go, courtesy of Litmus's Chad White.

Spamcop: Declines to send reports to ESPs

If you work the abuse desk for an email service provider, you've undoubtedly gotten spam reports from angry Spamcop users who think that your ESP, your employer, is "refusing" Spamcop reports.

Truth be told, Spamcop disallows reports to be sent to email service providers (ESPs) if that email service provider doesn't require 100% confirmed opt-in of all clients. This effectively means no ESPs receive Spamcop reports, as just about any ESP is going to allow a client to upload a list. There are legitimate reasons for this; if people opted in during a purchase on a different commerce platform, or if a company switches ESPs, for example. They already have a list ready for use, and the people on the list did truly sign up to receive email messages from that company, so a confirmed opt-in (or double opt-in) confirmation isn't necessary.

Some people may disagree with my take on when COI/DOI is required. That's fine, but that's not the point.

The point is, Spamcop explains this policy poorly. Their system has historically provided a misleading error message to their users saying that any given ESP is "refusing" reports from Spamcop -- making it sound like Spamcop wants to send the report, but the ESP will not allow them to do so. That is simply not the case.

Spamcop has long had this policy, though it's not well documented. (And to be clear; I think it's a perfectly fine policy. It's not what I would do if it were up to me, but it's not up to me and reasonable people can and often do disagree. I just wish it was better documented.)

Here's the best source of proof for this policy I can find online. This 2011 Spamcop forum discussion thread starts with a post from Spamcop (Cisco) employee Kelly Molloy explaining that "we decline to send [Spamcop reports to various ESPs] because our policy is to only send reports to ESPs that send only confirmed opt-in (COI) email."

She adds, "There are basically only a few reasons we don't send reports:

  1) We know the entity listwashes.
  2) Reports are bouncing.
  3) The responsible party told us they didn't want reports.
  4) It's a non-COI ESP."

And now you know. I'm documenting this information here, purely as a public service, to make it easier for the next interested party to find.

Steve's Co-Reg Inbox Saga

Periodically I create a virgin Gmail account and sign it up for something, to see what other kind of stuff might end up in the inbox. On February 22, 2010, I clicked on a single "free ipad" co-reg marketing ad, and left the checkboxes checked. I watched the mail coming in for a while, but then forgot about it.

Flash forward to July, 2016. The Gmail account is still receiving marketing mail. Mostly from "Steve" of "" who apparently doesn't care about mailing addresses that haven't shown any sign of life for six plus years. "Steve" is mailing that virgin Gmail address two to four times per day, and has been since April, 2013. Actually, no, it looks like "Steve" was called "Big Daily Sale" before that and has been mailing that address for even longer.

Steve seems to have a dedicated IP address running Lyris software, which has a sender score of 82.

Is it spam? I'm not sure. It might have been one of the original co-reg things I allowed the address to be signed up for, but the brand name changed at some point, and I certainly didn't sign the address up for email from "Steve" directly. And if they're ignoring subscriber engagement, I don't doubt that they're having inbox delivery issues. ("Steve's" mail seems to be going back and forth between the inbox and spam folder in this Gmail account.)

What I can tell you is that I don't think being like "Steve" is the path to inbox success.

Wired on Email Reputation

Word to the Wise's Laura Atkins is quoted in this article from Wired, "Mailchimp Sends a Billion Email a Day. That's the Easy Part." It's not a bad primer on Email Reputation 101, and why you can't just shovel spam at ISPs and expect them to take it.

Author Klint Finley explains: "What many people don’t realize is that today’s spam filters don’t just scan an email for questionable keywords, like references to pharmaceutical products or porn. Nor do they look merely at the email address of the sender. Crucially, they also look at the servers sending the email. Most of today’s biggest email services, such as Gmail, Yahoo Mail and, use reputation scoring to rank the likely spamminess of a server that’s sending an email. Think of it as a sort of credit rating for email senders."

What is SPF Lockdown?

I've been asked this question pretty regularly: How do I tell the world that a certain domain of mine isn't valid for sending email? What about typo domains, bad domains? How do you configure things to tell the world that no legitimate mail should have this domain in a from address?

Easy! You do it with what I call an "SPF Lockdown." SPF (Sender Policy Framework) is a simple way of telling the world what IP addresses are allowed to send mail for your domain. In this example, we're going to tell the world that NO servers are allowed to send mail for a given domain. To do that, create a TXT record in DNS, at the top level of your domain, and put this value in that TXT record: v=spf1 -all

The "v=spf1" is what you preface an SPF record with, when creating it as a TXT record in DNS. The "-all" means "hard fail" any mail that doesn't match the list of "mechanisms." In between, you would usually put a list of IP addresses or other information that says which servers are allowed to send that mail. Since you've included none, any mail using this domain will always fail an SPF check. No servers are allowed to send mail for that domain.

There you go, that's all there is to it. Now, any email server, email software, or anti-spam software that checks SPF records will know that any mail using that domain name in its from address is invalid. Here's an example you can look up showing an obviously bogus domain name and how its SPF record is configured.
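As an added illustration (not code from the original post), here is a small Python evaluator for the SPF "ip4", "ip6" and "all" mechanisms, run against constructed TXT records rather than live DNS. It shows that the lockdown record "v=spf1 -all" fails every sending address, while an ordinary record passes only its listed hosts; the domain names and addresses are made up (documentation ranges), and the "include:", "a:" and "mx:" mechanisms are deliberately left out.

```python
import ipaddress

# Constructed sample records (no DNS lookups): a lockdown record for a domain
# that should never send mail, beside an ordinary record that authorizes one
# IPv4 range plus one single host and soft-fails everything else.
RECORDS = {
    "parked-example.test": "v=spf1 -all",
    "mail-example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~all",
}

# SPF qualifier characters mapped to the result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Evaluate a minimal SPF subset: ip4/ip6 mechanisms and the 'all' term.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' when the
    record is missing or does not start with the v=spf1 version tag.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                    # 'all' matches every sender
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    # No mechanism matched and no 'all' term: the default result is neutral.
    return "neutral"


def check_domain(domain, sender_ip):
    """Look the domain up in the constructed table and evaluate its record."""
    return check_spf(RECORDS.get(domain, ""), sender_ip)


def is_lockdown(record):
    """True when the record authorizes nothing at all: exactly 'v=spf1 -all'."""
    return record.lower().split() == ["v=spf1", "-all"]


if __name__ == "__main__":
    for domain in RECORDS:
        for ip in ("192.0.2.10", "203.0.113.5", "2001:db8::1"):
            print(domain, ip, check_domain(domain, ip))
```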

LinkedIn for list building: Still bad news

It's been just over five years since a particular goober harvested his LinkedIn contact list and spammed me and a bunch of other folks. Considering that the next time it happened, with somebody else doing it, was just now, I guess it's safe to say that not EVERYBODY plans to use LinkedIn to haphazardly build their list. I think it's good that perhaps most folks wouldn't think of doing that. A five year interval is better than a five week interval. But the couple of times it has happened to me -- and when I've observed it happening to others -- it always seems to be a "digital strategist" or "email strategy expert" behind it.

Real email marketing experts don't send spam! I'm sure you're all very nice people and the person in this latest incident seems like a nice enough guy. Maybe we'll get to work together on a project with a mutual customer. I'd like that.

But I do have a problem with you taking your LinkedIn contact list and importing it into an ESP and sending to it. That's spam. It wasn't cool in 2011, and it still isn't cool now.

(I'm not even calling this latest guy a goober. He just needs a bit of education. That previous guy who did it, he wanted to argue about it for days, then resorted to name calling when the discussion didn't go his way.)

Apple iOS 10 to support List Unsubscribe

Various online sites are reporting that Apple's iOS operating system version 10 is going to add support for the list unsubscribe header found in many email messages. In case you're wondering, it does sound like this unsubscribe feature supports the "mailto" version of the list unsubscribe functionality. A reddit user posted an example of a generated unsubscribe request here. I'm unclear as to whether or not it will support the "http" version of the list unsubscribe functionality.

The beta version of iOS 10 was released just yesterday, and the full public release is expected to happen sometime this fall.

FBI Raids Spammer Outed by KrebsOnSecurity

Another spammer put under the microscope! Brian Krebs reports on the FBI arrest of Michael A. Persaud, reported to be one of the world's top ten spammers.

Sanford Wallace gets jail time for FB scam

Ah, Sanford Wallace. 1990s spammer, widely blocked and blacklisted, one of a few big bad spammers who made the rest of us realize that spam was a real problem and that we had to do something about it.

Way back in 1999, in a Usenet discussion thread about Sanford, one of my fellow spam fighters asked this question: "My question would be when Wallace is going to find another loophole that allows him to cost-shift his advertising? If he could find a way to print flyers and get them glued onto everyone's car, then sue them for removing them, I'd bet that he'd do it. He's just that kind of scumbag."

Uh, well, here's something. "Last August, Wallace admitted to compromising around 500,000 Facebook accounts, using them to send over 27 million spam messages through Facebook's servers, between November 2008 and March 2009."

When is a phish not a phish?

How about, when the email is actually legitimate? But, how do you know, if the company isn't using their brand or company name in the from address? John Levine shares a scary example of what turns out to be a legitimate email, just with really, really poor branding. It makes me seethe, because it goes against everything we're supposed to be teaching end users to know about how to tell a good email from a bad one. (For more on what phishing is, click here.)

Can't send to Dad, sorry.

"Send to Dad by Sunday midnight!" the email's subject line exclaims. My father is currently in hospice care. He isn't reading a lot of emails. He probably doesn't need this valuable offer.

This reminds me a lot of the multiple "Don't miss out on Mother's Day reservations" emails from last month. My mother was cremated at the end of 2014, so she probably doesn't need a reservation.

But please keep reminding me of the past and pending deaths of people dear to me, marketers! It's thoroughly endearing -- kind of like an un-ending emotional colonoscopy.

My mother passed away right around Thanksgiving in 2014. When Thanksgiving rolls around, that doesn't itself get me down. It's the explicit reminders that marketers blast via email and Facebook on those couple of holidays that actually suck.

It only took about a year after our last dog died to get the vet to stop sending us "it's time for Solly's checkup!" reminders.

You'd think marketers would do better at making it easy to stop this kind of thing.

They don't, though.

Internet, Web Enjoy One Final Day As Proper Nouns

I have never liked capitalizing internet or web, previous versions of the AP Stylebook be damned. I guess I'm some sort of trailblazer or something, because now my way is the right way, because the latest version of the AP Stylebook says it is no longer appropriate to capitalize the words internet or web.

Putting the "free" myth to bed

Word to the Wise's Laura Atkins, like me, often gets asked about words to avoid in subject lines. Is it OK to use the word "free" in a subject line? I read that causes spam filtering! Not true, Laura patiently explains. Like Laura, I've been trying to explain that to people for years, myself. Back in 2007, I wrote:

"Since when did the word "free" become a bad word?" The answer is: It didn't. It's not. The vast majority of spam content filters don't do anything so simplistic as to filter or block a message just because it contains the word "free." Don't be afraid to use the word "free." If you're not sending spam, it's not likely to get you blocked.

Still true today.

Scott Walker's got a list for you

Why does it seem like all politicians are spammers?

Want to spam everybody who signed up for emails from Wisconsin governor Scott Walker during his failed presidential bid? That'll cost you $10,500. Makes me wish I had signed up for his email list, so I could see what kind of junk he's allowing people to send through today.

Boy, that'd make me mad if I signed up for his email list and started getting random ads for unrelated things. I don't know about you, but I try not to give my email address out to people who plan to share, sell, or repurpose it after the fact.