What is Microsoft BCL?

Now that Microsoft has merged their Office365 and Hotmail/Outlook.com platforms, this should apply to anybody sending to either platform. Microsoft calculates a "BCL" (Bulk Complaint Level) for a sender's IP address or sending domain name. (Which? I'm actually not sure at the moment. Let's assume both for now.)

The BCL score is a 0-9 score, where higher basically means "sent by a bulk sender, and more spammy." See this Microsoft Technet article for more details.

How do I tell what my BCL score is? Select "View Message Source" on an email message received at Microsoft Hotmail/Outlook.com. Find the "X-Microsoft-Antispam" header. Here's an example:

X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;

That first entry, BCL:0, tells us that this message is from a sender that has a BCL score of zero. (This message is not from a bulk sender.)

What do those other entries mean? PCL means "Phishing Confidence Level" per this document. So it's good to see that is zero. The rest? I'm not sure. I'll share more as I learn more.

Please Hire Mike Teixeira!

My esteemed industry colleague Michael Teixeira is looking for an opportunity in the anti-abuse or email fields. Got something suitable that you’d like to interview him for? I hope you'll consider him. He and I have something in common – we’ve both worked spam issues for MAPS (Mail Abuse Prevention System, the first anti-spam blacklist group) – me, for a time before Trend Micro acquired MAPS, and Mike, after.

PSA: Time to update your ReCAPTCHA

Google's "ReCAPTCHA" API-based user validation process is very popular. So popular that internet users are running into warnings here and there on the web, suggesting that it's about to stop working on some websites.

The reason? The V1 version is deprecated and about to be retired. It's going to stop working at the end of March, in just a couple of weeks from now.

The problem? Lots of sites have yet to update from V1 to V2. What happens to those sites on March 31st? I'm not sure, but it probably won't be a good thing.

What's the connection to email? Why am I posting about this?

Because Cloudmark is running V1 of the ReCAPTCHA. The spamrl.com spam filtering service is running the old version, too. The SURBL blacklist's lookup page, too. (Though SURBL just fixed theirs.)

There's probably a lot of other sites out there running the old version of ReCAPTCHA, as well. Do you use ReCAPTCHA on any of your websites? Have you upgraded to the latest version? If not, the time to do so is NOW.

Fun fact: Gmail has two domains

Did you know? Gmail actually has two domains. They are gmail.com and googlemail.com. The latter was used primarily in Germany from the launch of Gmail up through some time in 2012. At first, the Gmail trademark was taken by somebody else in Germany. Looks like it may have also been an issue in the UK up until sometime in 2010.

Google does not otherwise use "localized" domains elsewhere. There are no Gmail users at the email domains gmail.ca, gmail.co.uk, or anything like that. Just gmail.com and googlemail.com.

DMARC: sp= policy not always needed

I've started to search for and catalog big brand DMARC records to look for ideas and suggestions, and also to develop some best practice recommendations.

One thing I'm seeing quite often is that a big company will put "p=reject" and "sp=reject" in the same DMARC record. In this scenario, the "sp=" setting is actually not needed; it is extraneous.

The "p" setting is the DMARC policy for the domain itself. The "sp" setting is the DMARC policy for any subdomains. If you don't set "sp", then the "p" policy is applied to any subdomains. So the only reason you would want to add "sp=" is if you want to specify a different policy for subdomains. If you want to give this domain and any subdomains the same policy, you don't need to include the "sp=" directive.

In short, there's no need to add "sp=" unless you want subdomains treated differently. Why would you add the "sp=" setting? If you don't have any legitimate subdomains, you could set your domain policy to "p=none" (safer for the main domain) but "sp=reject" (more restrictive for subdomains) to tell the world that any subdomains seen should be bounced (because they wouldn't authenticate properly, because you in theory don't have any subdomains).

Here's an easy guide to the variables present or optional in a DMARC record. This seems worth bookmarking.
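The "sp=" fallback rule described in this post, as an added Python example (not from the original post): it parses a DMARC record, works out the policy that applies to the domain and to its subdomains, and flags an "sp=" tag that merely repeats "p=". The sample records and the example.com addresses are constructed, and raising an error on an invalid tag is this example's choice.

```python
# Added example: DMARC "sp=" fallback. Sample records below are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lowercase tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skip empty segments, e.g. after a trailing ";"
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    return tags


def effective_policies(record):
    """Return (domain_policy, subdomain_policy, sp_is_redundant)."""
    tags = parse_dmarc(record)
    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    sp = tags.get("sp", "").lower()
    if sp and sp not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    # With no sp= tag, subdomains inherit the p= policy.
    subdomain_policy = sp or p
    # sp= only changes anything when it differs from p=.
    return p, subdomain_policy, bool(sp) and sp == p


if __name__ == "__main__":
    samples = [  # constructed records
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=none; sp=reject;",
    ]
    for rec in samples:
        domain, sub, redundant = effective_policies(rec)
        note = " (sp= is redundant)" if redundant else ""
        print(f"{rec}\n  domain={domain} subdomains={sub}{note}")
```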

250ok on DMARC adoption among top US colleges

Matt Vernhout of deliverability monitoring service provider 250ok reports that US colleges are slow to adopt DMARC. I'm not totally surprised; my personal observation is that the financial sector and top tier ISPs/webmail providers seem to be leading the DMARC charge. But I do agree with 250ok that it's time for higher ed to get schooled on DMARC.