16 Years And Counting

LinkedIn just reminded me: Spam Resource is just about sixteen years old, give or take a week or two. After sixteen years (and over 1.6 million page views), I don't always get the chance to post as often as I used to; life is busy and fast moving. I really can't complain, though, and I'm glad to be able to share what I can, when I can. I hope you all still find it valuable.

People still seem to be visiting, looking for information on topics like backscatter, how list-unsub works in iOS, how to use Microsoft SNDS, or what domains are hosted by Yahoo. I'll keep trying to add to this knowledge base as time permits.

Thanks to everyone who was kind enough to drop me a note and thanks to everyone who has visited the site, left a comment, or been kind enough to author a guest post at some point over these past years.

-- Al Iverson

DMARC will (not fully) fix it!

Over on the Word to the Wise blog, Laura Atkins raises the concern that in response to the recent "prank" email scandal, email technologists are likely to say that this couldn't have happened if the White House had implemented DMARC. She's correct in that DMARC wouldn't have helped in this case, but that doesn't mean we should write off DMARC just yet. It's actually part of the solution to this very issue. Just not the whole solution.

The use for DMARC here is to close a door before this or some other prankster or hacker decides to open it. The White House and other government agencies should be using DMARC, because keeping bad mail from using the legit entity's exact domain name is part of a best practice anti-spoofing strategy.

Internet privacy and security guru Jim Fenton tackles the user interface issue at play here, that only the "friendly from" text was displayed, and not the actual email address. He suggests that mail clients and webmails should change their user interface to show some level of trust-like information, when it's available. Is the email address of this sender in your address book? That's a good start. I'd add to it: Is this email address one you have emailed previously? If you initiated conversation to them previously, that's a potential starting point for trust. (And of course, did each message received authenticate properly, and does it comply with DMARC policy for the domain?)
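The trust signals listed above (address book, prior correspondence, DMARC result), sketched as an added example that is not from the original post or from any mail client. The function names, the `mx.recipient.example` authserv-id and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def dmarc_result(msg, trusted_authserv):
    """dmarc= verdict from Authentication-Results headers stamped by our own
    receiver; headers carrying any other authserv-id may be sender-forged."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        for part in results.split(";"):
            part = part.strip().lower()
            if part.startswith("dmarc="):
                return (part[len("dmarc="):].split() or ["none"])[0]
    return "none"

def trust_signals(raw_message, address_book, previously_emailed, trusted_authserv):
    """Collect the signals a mail client could show beside the friendly from."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    signals = {
        "display_name": display_name,
        "address": address,
        "in_address_book": address in address_book,
        "previously_emailed": address in previously_emailed,
        "dmarc": dmarc_result(msg, trusted_authserv),
    }
    known = signals["in_address_book"] or signals["previously_emailed"]
    # Hide the real address behind the friendly from only for known, DMARC-passing senders.
    signals["show_full_address"] = not (known and signals["dmarc"] == "pass")
    return signals

# Constructed sample data (not taken from any real message).
ADDRESS_BOOK = {"alice@partner.example"}
SENT_TO = {"alice@partner.example"}
SPOOFED = """\
Authentication-Results: mail.prankster.example; dmarc=pass
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=prankster.example; dmarc=none header.from=prankster.example
From: "Senior Official" <someone@prankster.example>
Subject: [SUSPECTED SPAM] Soiree
"""
KNOWN = """\
Authentication-Results: mx.recipient.example; dkim=pass header.d=partner.example; dmarc=pass (p=reject) header.from=partner.example
From: "Alice Partner" <alice@partner.example>
Subject: Meeting notes
"""
```

The first sample carries a sender-supplied `Authentication-Results` header claiming `dmarc=pass`; it is ignored because only the receiver's own authserv-id is trusted.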

So that's two considerations so far: preventing misuse of a specific domain name, and deciding when you can or should trust the friendly from of a sender.

There's a third: The end user, or how much do you trust the end user to do the right thing? In the screen shot shown on CNN, the email message has a big [SUSPECTED SPAM] tag right on it. I wonder why -- because it didn't authenticate properly? If I were a super elite hax0r trying to twiddle the friendly from field, I'd probably be doing this from a Linux box with a script, or via some open source email application, and I'd probably be trying to hide tracing messages back to me, maybe by using "open relay" insecure mail servers or something along those lines. Something in the process made the receiving server suspicious of that message. But the server delivered the message to the recipient anyway. Should it have? And after it did, shouldn't the end recipient have been suspicious and shouldn't they have looked into it further?

I imagine the ISP's point is that they're loath to block a message that could be legitimate, even though it appears not to be. But I think we just found a gap in that process, trusting that the end user knew what this meant or that they knew what they should do about it. Maybe this message shouldn't have been delivered to begin with? There's a third consideration right there.

And there's a fourth consideration as well, the cousin domain problem. Agari's Bob Boucneau touches on that here. That problem is a real one and can be tricky. But ultimately, email authentication still helps here, too. That other "White House" can authenticate, but that authentication gives them a steady identifier to attach reputation to. If somebody registers whitehouseemail2.com, they can easily apply SPF, DKIM and even DMARC, but if they do something bad with that domain, that domain's reputation is going to suffer, and it'll be easier for smart ISPs to block mail using that domain. (And at the same time, don't confuse users by using cousin domains for legitimate reasons if you can prevent it. The more variables you legitimize for end users, the more you diminish their ability to understand how to know whether or not that message is legitimate.)

There's probably even some other fifth aspect of this that I haven't considered. But off the top of my head, it sure looks to me like email authentication and anti-spoofing measures would be part of any comprehensive solution to try to prevent or mitigate this type of thing, and it looks to me like that ought to include DMARC.

So, yeah, I'm going to keep pushing people to implement DMARC. I still think it's the right thing to do.

Most federal departments aren’t using DMARC: Wyden

Found on the Sophos Naked Security blog: Senator Ron Wyden (D-Oregon) contacted the US Department of Homeland Security in a July 18 letter where he 'asked the agency to “take immediate steps” to mandate that all federal agencies implement DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol launched in 2012 that helps prevent email domain spoofing.' He noted that DMARC has been implemented by very few government agencies to date.

This is good to see, and one hopes it helps drive DMARC adoption. It's not a phishing cure-all, but I still think it's an important step in the fight to reduce the risks around email forgery.

AOL: Reputation corrected and request denied

Check out the reply I received in response to a recent AOL Whitelist Request submission:

Subject: Reputation corrected and request denied

Your Whitelist request, with the confirmation code X, has been denied.

The requested IP address(es) is receiving temporary failures due to poor reputation. We have corrected the reputation and this should help in better delivery of mails. Please monitor the spam complaints via the feedback loop and re-apply for Whitelist after you have built a good 20-day history on your IPs. Also, check the reputation of the IP before opening the ticket at: https://postmaster.aol.com/ip-reputation.

Feedback Loop Request form can be found at: https://postmaster.aol.com/fbl-request

Have you seen this one before? I haven't. I think it's really cool, though. It explains what they've done and what you need to do, if you want to get whitelisted at AOL.

Here's what they're saying:
  1. Your sending IP address doesn't have a great sending reputation today.
  2. But, AOL has reset the sending reputation of your IP address, giving you another chance to build a good reputation.
  3. They're telling you to keep your nose clean (build a good reputation) for at least 20 days before applying for whitelisting.
  4. They're reminding you to sign up for AOL's ISP Feedback Loop.

Seems pretty straightforward to me. I wish all ISP responses were this clear and easy to understand. Good job, AOL!

Text to Image ratios in email

Laura Atkins of Word to the Wise explains: "The text to image ratio is not going to make or break delivery." I've certainly had people try to tell me that they think the secret to inbox placement is based on a certain specific text-to-image ratio. Like Laura, I know that this is not true, and I am happy to link to her excellent explanation of how this all works.

Verizon Email Transition Update

From Network World, here is an update on the winding down of Verizon's email service, which I previously reported on here. When is the transition happening?

"Once customers are notified, they are presented with a personal take-action date that is 30 days from the original notification. If you happen to miss the deadline and still want to retain your address, you can choose Option 1 and switch over to AOL.

"Based on the current rate of migration it looks like Verizon will probably get through all of the customer notification waves by mid-summer. At that point, the company will assess when the platform might be entirely wound down."

Note: Like I mentioned before, keep in mind that subscribers can indeed keep their verizon.net email if they like. It'll just be handled by AOL's systems and user interface going forward.

Network World says that "Verizon controls 4.5 [million] Verizon.net email accounts, and [Verizon] figures about 2.3 million of them are active." Active meaning that they have been accessed in the last 30 days.

June 26, 2017 Update: As related to me and others by AOL, the Verizon mailboxes that remain have now been transitioned to AOL's mail servers.