Ask Al: Help! My email address is being used in spam! What do I do?

Evan writes, "Hi Al, My email address has just been compromised and now I am receiving hundreds of System Administrator and Mail delivery failure notices sent to my inbox from all those poor people who have received unwanted spam from my address. I noticed your name on the web when I went searching to find out how and if I can stop this happening and was hoping that you might have some ideas other than changing my email address?"

Rest in Peace, Nadine

Michael Rathbun recently commented on my old 2007 post linking to his "Story of Nadine" website. He notes, "A while back I located an obituary notice for "Nadine". She still gets between 50 and 200 messages per day, all of which now feed the Spamcop service."

Neat. (And sorry to hear about Nadine.) If it were me, I'd probably make it all bounce for about a year, then see if somebody at Spamhaus or other spam handling services wanted copies. By that point, it would be a pretty pristine spamtrap. And it would still receive tons of trash.

The Return of the Open Relay

Open relays are back! Spamhaus shares the sad story that history is repeating itself and spammers are once again finding and exploiting open relaying mail servers to shovel spam at you.

Fighting the open relay problem was a big part of my initial spam fighting efforts, back in the day.

A bunch of us sort of chuckled back in 2004 when the FTC finally came around to start talking about stopping the scourge of the open relay -- too little, too late, it seemed. But, maybe that's not so long forgotten as we had hoped.

Dynamic Dolphin Dies

Over at Word to the Wise, Laura Atkins reports on Scott Richter's domain registrar Dynamic Dolphin getting its accreditation yanked.

I'm not sure why this took so long. This was one of those open secret kind of things that everybody talked about in the hallways at just about every industry event I've ever attended. The perception and belief is that this entity was owned by Richter, who has a long history of lawsuits and settlements and related to unsolicited email and/or other alleged bad acts. My assumption is that you probably could have blocked all mail and links to/from any domain registered there without losing the tiniest bit of desirable mail.

I think we might owe Brian Krebs a beer for his work on this one, tipping off ICANN to a prior criminal conviction that ultimately led to the recent de-certification of Dynamic Dolphin.

I believe I've only met Scott Richter once-- I believe he bought me a beer at an industry event a very long time ago. Since then I think things have changed a lot. I suspect that buddying up to ISPs and anti-spammers didn't really give him long term inbox success that he had hoped for.

Ask Al: Remove me from APEWS?

Andrej writes, "Hello, I would like to ask you to remove my IP address from APEWS.org blacklist. Thank you very much."

Andrej, thanks for reaching out. I wish I could offer you my assistance. But I cannot help you. Every once in a while, somebody will email me thinking that I work for APEWS or some other blacklist. I think this is because my blog posts show up in search results when one searches for information on various blacklists. But the truth is, I don't run any blacklist at all. I do not have any way to add you to a blacklist nor am I able to remove you from a blacklist. Thus, there is nothing I can do for you.

I would add, if my IP address(es) were listed on APEWS, I don't think I would worry too much about it. Here's why.

Payday Loan Stories on NPR

(Hat tip to: Laura Atkins of WttW)

This is almost timely -- I was teed up to speak at a recent email/anti-abuse conference on the topic of Payday Loan marketers and what a challenge they can be, but had to bow out at the last moment. Thankfully, my colleague Mickey Chandler was able to step in and run with it and I'm told it went very well.

Signing up for a single payday loan site's signup form means you're going to get lots of mail, from lots of different senders, for a long time. I've pointed that out for years. Mickey Chandler just posted about it. And National Public Radio reported on it as well. Reporter Pam Fessler received numerous calls and many emails for months, in response to her single online application submission. It's a hell of a story; listen to the various callers as they try to claim that they're calling from legitimate financial institutions located in the US.

In another story, NPR's Pam Fessler reports on why you're suddenly seeing fewer payday loan advertisements on television. Regulators seem to be cracking down lately. In both of these stories, a couple of lenders/marketers tried to angle themselves to get the sympathetic response, but I'm not buying it. One person says, but where else will these people go? Well, you can still give them loans, you just can't charge them the usual 1300% interest. Darn.

Payday loans are illegal (or effectively illegal) in thirteen states, and payday lenders aren't able to do business with active military, since Federal law would cap their interest rates at 36%. It feels to me that perhaps the writing is on the wall. Ten years from now, will people even remember what a payday loan was?

Looking at a spam stream: The story of Jimmy Walker

Over at Spamtacular, Mickey Chandler explains how one single submission on one form resulted in his test account receiving hundreds of emails. This is a big part of why payday loan senders are such a deliverability nightmare; everybody seems to buy/sell/trade email addresses, branding is poor, targeting is poor, volume is high. If it's not spam, then it's so similar to spam as to be nearly indistinguishable.

Checking the SBL "Latest Listings" Page

Every once in a while, maybe every few days, I pull up my bookmark for the SBL Latest Additions and Removals over on spamhaus.org. It's usually pretty interesting to watch. It's basically the only public announcement that a new sender, ISP, ESP or ESP's client has gotten blacklisted. If you keep a close enough eye on it, after a while you'll start to get a feel for which ESPs and ISPs have the most ongoing issues or perhaps the most permission-challenged clients.

If you're really fancy, you'll figure out that you can bookmark links to various domain name groupings of SBL listings, allowing you to check for listings relating to the network of a particular ISP or ESP. Here's an example.

I'm not the only person who keeps an eye on these, am I?

LinkedIn Sued by Users

Ars Technica reports: "Four plaintiffs filed a class-action suit in US district court in San Jose on Friday claiming that LinkedIn used its member's identities without consent and broke into their third party e-mail accounts to send promotional e-mails to the members' contact lists."

It sounds like this is "upload your address book" functionality and that the plaintiffs allege that what happens next is poorly disclosed. I'm not quite sure what to make of this, but it would be fair to say that I'm not a big fan of "upload your address book" as a list building strategy. I believe that even got Twitter blacklisted by Spamhaus back in 2010.

SpamArrest Loses in Court

Here's my take on it, and here's John Levine's take. I really like John's breakdown of the clickwrap license issue and detail on how the parties included email addresses in filings, leaving it to the judge to point out that this was totally unnecessary.

Mail merge?

Do you know what a mail merge variable is? I used the term the other day in an email to a coworker and they were confused. An email list attribute? A personalization string? What do you call those? What does your email platform call those? You know, the bit where you put in DEAR $FIRST_NAME, and it gets swapped out with DEAR BOB, DEAR EDNA, DEAR KATY PERRY, etc.

I call them mail merge variables, I guess. Mail merge predates the common use of internet email; I was doing it on an Epson dot matrix printer attached to an Apple //e, a hundred and fifteen years ago.

But how does this relate to deliverability? Well, at one place I worked, we had to implement a profanity filter for mail merge, because by default, the recipient's "friendly from" was the first name field submitted in the signup web form. People got...colorful...there. And they'd occasionally flip out if they received a marketing email, from a company they actually do business with, just because it said DEAR SH*THEAD on it. Geez, are people fussy, or what? Apparently, fixing that falls to the deliverability manager. So, I got to help define this functionality, and the set of words to watch out for and remove. (Special thanks to George Carlin for his assistance.)

Ah, those were the days.

Gmail Tabs Roundup

Do you have any other links to articles about Gmail's new tabbed inbox user interface? Leave details in a comment and I'll update the post.

Let's start with two from Ken Magill: His August 20th article talking to Kirk Gray of APUS, and his August 27th article explaining list lack of agony.

Act-On Software's Kent McGovern provides this overview and later suggests that it's too soon to worry, but suggests that you do watch your stats.

StrongView's Sean Wirt provides this overview of the new Gmail inbox. StrongView's Justin Williams wrote up this article for ClickZ, offering his thoughts on how to prevent yourself from getting tabbed out of existence. He provides more guidance in this good blog post, Responding to Gmail Tabs.

Stephanie Miller of the DMA explains that this "definitely changes the game for how consumers will behave in their Gmail accounts." Her article also contains links to more info from Return Path, Silverpop and others.

HubSpot's Ginny Soskey explains how the new Gmail inbox works and why marketers should pay attention.

From Lyris: Matt Strzelecki helps the reader get familiar with the new look and feel of Gmail tabs. Eric Dezendorf explains that Engagement and value win out. And Andrew King provides real life examples of "how to tackle Gmail tabs."

Here's an overview from Sendgrid's Brian O'Neill.

Bronto's Chris Kolbenschlag asks "Will Gmail's New Inbox Tabs Affect Deliverablility?"

MailChimp's Matthew Grove dives deep into the data, explaining how Gmail's new inbox is affecting open rates. MC's Knowledge Base team followed up with, "How do I get my emails to the Primary tab in Gmail?"

Over on Inbox Marketer's Digital Dexterity blog, Matthew Vernhout helps to answer the question, "What do Gmail Tabs Mean for Email Marketers?"

Constant Contact's Ryan Pinkham explains that, "for Gmail subscribers, we saw small decreases in open rates between May and June," but goes on to add that there's no need to panic.

Here's an overview (with inbox strategy samples) from Anne Koskey-Wagoner over at Ebay Enterprise.

Laura Atkins of Word to the Wise with a series of posts: Overview, Inbox challenges and dull email, and Good for marketers?

And from ExactTarget (disclosure: my employer), Mickey Chandler explains that "Gmail Updates Reward Recognizable and Consistent Branding." I explain that "Marketing Messages Aren’t Dead Yet." And Jay Baer and Kyle Lacy share their "Adventures in the New Gmail Inbox."

Update: Here's a couple more. One from Aweber's Amanda Gagnon, and one from Jordan Loriaux at Mailjet. Thanks to readers for pointing these ones out!

Ken Magill on Gmail Tabs

From his August 20th article talking to Kirk Gray of APUS: "The more I read about Gmail tabs, the more I think a bunch of folks are getting worked up over a whole lot of nothing."

From his August 27th article quoting another author's extreme concerns: "You know what I don’t agonize over? Gmail tabs. Send stuff people want and whatever the various inbox providers do with their interfaces will have little effect on you."

He's right. So far, the people I'm talking to aren't really seeing any sort of significant dip in stats. Time will tell, maybe it's just too new. But right now, I'm not worried.

There's a good caveat in Ken's second quote. It's worth calling out: "Send stuff people want." If you're shoveling large amounts of low-value content at recipients, Gmail tabs makes it easier for those recipients to ignore you. If so, you're probably going to have some struggles.

CAN-SPAM Ruling: Domain Ownership Masking Deceptive

Over on his blog, John Levine shares his thoughts on the default judgment in Zoobuh v. Better Broadcasting. Though it's a default judgment, the judge actually seems to have spent some time researching the law and didn't just blindly affirm everything the plaintiff presented.

Venkat Balasubramani covers this over on Eric Goldman's Technology & Marketing Law Blog, as well.

TL;DR? If you're a marketer, what this tells you is. 1. You should not hide domain ownership info behind "Domains-by-Proxy" or similar; and 2. It is not acceptable to make the unsubscribe link an image.

(Smart marketers already avoided WHOIS ownership masking services, because they know that their use makes ISPs and anti-spammers hate you.)

DMARC: Please Be Careful!

Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It's great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What's really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list message goes to the spam folder in my Gmail account. It has become sort of an intelligence test I apply to new subscribers -- I've stopped digging those messages out of the spam folder. I'm figuring that if they can't figure out how to implement a DMARC record, or they don't understand that it's not really compatible with mailing lists nor is it meant for hobbyist domains, then I think perhaps they've got some things they've got to figure out before they're ready to join the discussion.

To that end, let me take a moment to jot down some recommendations for folks who are considering implementing DMARC.
  1. Testing and monitoring is very important. When you sign up to DMARC-Discuss, please also create a Gmail account, and subscribe that address to the list as well. If your list messages go to the spam folder, take a look at your DKIM or DMARC settings-- my experience is that when this happens, you've probably got something set wrong, or your policy/configuration choice is overreaching (and perhaps poorly considered). Keep in mind that you're making it harder for people to read your posts and respond to them. Not everybody's going to go to the trouble of whitelisting you or clicking "not spam" every time you post.
  2. Remember that DMARC doesn't play nice with mailing lists. DMARC is all about preventing misuse of your domain name, and it is very strict, by design. It's very easy for mailing lists posts from a DMARC-using domain name to fail a DMARC check, because most mailing lists rewrite the return path or make other changes to the message, potentially invalidating a DKIM signature. Some folks would say that DMARC really has no place for usage on a domain with real, live users. That's open to debate, but certainly, operational complexity increases.
  3. Remember that DMARC wasn't really intended for use on hobbyist domains. If your domain name only has three valid users, and this includes your wife and dog, then you probably aren't a valuable phishing target. I see a lot of people struggle to configure DMARC, spending effort on implementing it on domains that just do not need it. (Though I understand the desire to learn by testing it on your own domain name, or a small domain name, before implementing it on some large known-brand domain name you manage.)
It amazes me how many people have never thought of signing up for a Gmail or other account to see how their own messages are being handled by a large ISP. Please, please, please consider doing that.

Twitter Rolls Out Two-Factor Authentication

It's Twitter's turn to jump on the two factor bandwagon. I'm sad that it didn't happen sooner, but still happy to see them joining the ranks of Apple, Yahoo, Google, Microsoft and Facebook.

Please, please, please consider turning on two factor authentication on your accounts! Yet another industry colleague found their Twitter account hacked yesterday, used to send me some sort of weight loss spam link. If they had turned on two factor authentication, I don't think that would have happened. Two factor authentication really does improve your chances that you'll keep bad guys from accessing your accounts and data.

Apple Rolls out Two-Factor Authentication

I'm a big fan of two factor authentication. I've been using it on my Google accounts forever. Yahoo has it. Microsoft has it. Now, Apple has it, too! I'm very glad to hear this. I'll be setting it up for my account this weekend.

A New DNSBL: DNSBL Chile

It's been a long time since I've noticed a new anti-spam blacklist (DNSBL) out in the wild. For more information, click on over to the DNSBL Chile article on DNSBL.com.

Dutchman Arrested in Spamhaus DDoS

Brian Krebs reports on the arrest made in response to the recent massive distributed denial-of-service attack against anti-spam group Spamhaus.

(Hat tip: Laura Atkins)

COI: Another List Manager's View (or two)

Ken Magill posted today on "Why Fully Confirmed Opt-in Sucks." It's definitely worth reading, and I hear where Ken's coming from.

To "lose a subscriber" through their failure to confirm, that can really hurt when a list is pretty small. I should know -- I do know this myself -- because I managed the email list for my friend's wonderful jazz club in St. Paul, Minnesota, from late 1998 through mid-2006. (That would be the Artists' Quarter, by the way, and you should definitely go there next time you're up in the Twin Cities. Tell Kenny and Davis that Al sent you.)

For the AQ email list, I used COI from the start. It wasn't necessarily a political statement. It was born of using the tools I had handy. I had previously written a confirmed opt-in list management tool myself, so that's what I used.

Payday Loans in the News

It looks like email permission is not the only challenge for some payday loan marketers. Case in point: This weekend I ran across this story on Slashdot explaining how a Wordpress plugin was hacked to include a link to a UK payday loan site.

Tons of Misdirected Mail

In Laura Atkins' blog post where she shares her thoughts on COI, she links to this amazing article from the New Yorker, where Matthew J.X. Malady shares a bit of insight about the vast amounts of misdirected mail received at his own vanity Gmail account.

Does COI make sense?

You've read one point of view somewhere else. Now go read this different, very well thought out take on the subject. It provides a very good overview of the considerations surrounding whether or not you would want to implement confirmed opt-in.

Two-step auth coming to Microsoft?

I'm very happy to hear that two-step (also call two-factor) authentication is coming to Microsoft, supposedly in the near future. Yahoo! and Google have had it for a while now, and I'm a big fan. Getting spam from a friend's hacked account is a common attack vector and anything that a platform and its users can do to better lock down accounts to prevent unauthorized access means less spam for you and me.

Sky.com Transitioning to Yahoo! Mail backend

One of the UK's largest ISPs, Sky.com, has hired Yahoo! Mail to run their email infrastructure. For more information, surf on over to this page with current status and details. Sounds like it's not going so well for subscribers.

What does this mean for senders? Smart UK deliverability consultant Richard Bewley brought two very important questions to my attention: Does this mean that the Yahoo! FBL now covers sky.com? And also, does this mean that a poor sending reputation with sky.com recipients will impede your overall ability to get mail to the inbox at any Yahoo-hosted mailboxes? I'm not sure of the answers to those questions today, but I rather suspect we'll eventually hear "yes" to both of those. Stay tuned!

(H/T: Richard Bewley)

Worst Write-up?

Can't blame this on the date, as it was posted days ago. This publication would like you to know that "the attacks were focused on a company called Spamhaus, which maintains a "domain name system" to connect a typed-in URL to the correct server hosting the appropriate content."

Uh, what? You probably shouldn't be allowed to write any more stories covering tech until you learn what a spam filter is, what a DNSBL is, and even what DNS is.

Spamhaus DDoS in the News

Spamhaus sure seems to be in the news a lot lately. Or at least, I'm mentioning them on my blog an awful lot lately.

The latest coverage concerns a rather large DDoS (Distributed Denial of Service) attack against Spamhaus, which effectively pushed bits of their infrastructure offline for a time, as the internet connections linking to this infrastructure were flooded with garbage traffic.

That Wasn’t Funny

I’m married to a feminist. My wife, Kate Harding, knows a thing or two about rape culture, bad guys and misogyny. (In fact, she’s the author of “Asking For It” forthcoming from Da Capo Press in Fall 2013.)

Another Dead DNSBL

It seems as though my website over at DNSBL.com has turned into a graveyard for dead DNSBLs. Over the past few years, I've observed more than a dozen blacklists go missing, and I've written  about more than a dozen others who were shut down prior to that or weren't valid to begin with.

On Spamhaus and Anonymity

A number of months ago, Steve Linford of Spamhaus replied to columnist Ken Magill on the topic of why Spamhaus editors don't typically provide their names. I highly recommend reading it, then coming back to my post to get my thoughts on this.

A bit of spam history

Steve Atkins of Word to the Wise has posted a very interesting story, detailing a little bit of spam history from just over ten years ago. According to Steve, a gentleman who used to work for a spammer participated in a Reddit AMA (Ask Me Anything) question and answer session, talking about his participation in spam-related activities and what he remembers about the industry at that time.

On the Recent Yahoo! Mail Exploit

Over on the ExactTarget blog, Carlo Catajan explains the recently discovered (and since closed) Yahoo! Mail account security issue.