I'm amazed that what is probably the largest data breach in email marketing history has gone largely unnoticed by the email marketing community. Suppression lists get stolen all the time, but I've never heard of an ESP getting hacked and compromising the subscriber lists of all of its customers. 

I haven't seen a single article about it in any of the trade magazines not to mention that TechCrunch usually loves to cover this sort of thing. A few bloggers have talked about it (here and here) and Al Iverson wrote a short post but I'm surprised how little it was covered by the mainstream press. Maybe its due to the timing right before the holiday?

At the end of December, AWeber says their database was hacked by an "overseas organized group" and some, if not all of their subscribers started receiving Viagra spam and other unsolicited email messages. AWeber is an email service provider that claims 65,000 customers. Each of their customers uploads a list of email addresses, so AWeber probably holds tens of millions of unique email addresses.

According to the AWeber blog, they had vulnerabilities in their software that allowed a malicious hacker to gain access to the database containing the email addresses. It's unclear if they got the whole database or just part of it (and probably impossible to know for sure). AWeber assures us that its all fixed now. 

I'm not sure that a customer reading AWeber's description would get the right idea or understand the significance of what really happened. 

AWeber points out with little red flags all the things that were NOT stolen, and make a laundry list of everything they can think of. Pointing out that no "from email addresses" or "website URLs" were stolen seems to be really grasping at straws - maybe they thought that by making the list of NOT bigger it would draw attention away from what was really stolen.

They also point out that the spam being sent to your customers isn't being sent from AWeber, so it won't hurt their deliverability. I'm sure that's comforting for AWeber, and I'm sure its a common question their customers might have - but the way its written downplays the primary issue that their email list was stolen.

They lost the subscriber lists. That's the most valuable thing they have! If I were a customer of theirs, I'd much rather that they lost my credit card number than lose my list of subscribers. I can cancel my credit card - but I can't ever get my email addresses back from the foreign criminals and everyone else they sell it to. Those users can never unsubscribe now - they will just get more and more spam until they switch to a new email address.

The criminals can now sell those email lists on the black market over and over. The problem is likely to get worse over time as each generation of the list gets resold. This is a Pandora's box that can't be closed after you open it.

I have a unique OtherInbox address that I gave to AWeber when I signed up to try out their service a few years ago. I haven't received any email at that address since it was first used. But in the past week it has received 5 messages with various subject lines and the same NSFW body showing the before and after images of a penis enlargement device. 

You know what I haven't received? An email from AWeber notifying me that my email address was compromised. I guess they think that posting it to their blog is enough. But considering that none of the owners of the email addresses that were stolen even know who AWeber is, its pretty unlikely that they would be reading the AWeber blog. I don't think it is adequate notice.

Fortunately, because that email address was only given to AWeber, I can just Block that one email address and be done with it. But if they had your work email address, there is nothing you can do to fix it and it is just going to get worse over time.

If AWeber was the secret service, this is like having the president get shot on their watch. Complete failure to protect their most important asset. I don't have anything against AWeber and have always respected them - but I don't see how we can let this one slip under the radar. Customers need to have higher expectations of their Email Service Provider and consumers have to higher expectations of the companies they purchase from. 

If I were AWeber, I would be groveling to my customers and begging forgiveness, not pretending that it wasn't a big deal. It seems like their attitude is all wrong - their original blog post didn't even have an apology to their customers, it was added afterwards. When I ran SKYLIST and UnsubCentral, if for any reason I felt that our service had not lived up to the expectations we set with our customers I compensated them in some way (a month of free service at a minimum).

If you are an AWeber customer, you should probably consider sending notice to your own customers who were affected by this, the way that ProBlogger did and Seesmic did.

If you are an Email Service Provider, you need to make it clear to your customers that this is NOT something that is acceptable or expected to happen. You need to make it clear to your customers that their subscriber lists are safe and are not going to get hacked.

If you are a salesperson at an Email Service Provider, you should be calling up AWeber customers. Email Data Source can probably show you a list of them.

Originally posted on Word to the Wise here following a discussion themed around ISP and ESP interactions and communication gaps.

My take...

After reading Laura’s and Steve’s posts on the gap between the “senders” and “receivers” (both excellent reads I recommend if you haven’t already done so), it really made me think about why I do what I do and why I think (hopefully not being too narcissistic here) that I’m reasonably good at it.

I was formally educated and then broken in after school with the technology world but have never considered myself a technology purist (I will never author a C# book or program my own killer app). However, I also enjoy people and working with (almost) all of them. Traditionally, these two skillsets have not meshed well in the technology industry to a nontrivial level. So, when I went into deliverability, I was intrigued by the fact that it is as much of a technology, business, marketing and people facing genre as any. And, one of the things I am highly grateful for was that I worked for a sender who really seemed to get it. Of course there were marketing jerks and revenue driven bullies there as well, but my management supported me in really trying to do the right thing by the end email recipient (and in this case, customer).

This helped me shape my view of my role in deliverability and decide which type I wanted to be. Mind you, I have never worked at an ISP. So, my bias is towards the senders. If you have a management team that understands that deliverability is not just a flashy word to throw around, push in prospects’ faces or otherwise excuse away as another service to potentially charge for when not necessarily needed, you’re in a good place. But, you also have to decide what you value as important and ethical for yourself. Unfortunately, there are a lot of folks who are in the deliverability space not because they like the work and are truly looking out for recipients, but rather (and as Steve’s post touches) out there to make money doing anything they can to drive revenue from their perspective without much respect or empathy for the person on the other end of the mailbox. ESPs have been given a bad name in the industry as the aggressors, those who are willing to use and abuse the email ecosystem to get money with no respect to the common rules of “best practices” or recipient perspective. Unfortunately, a lot of folks in the email receiving world have adopted this as their stereotype and dismiss anyone trying to triage a deliverability problem as one who is just wanting to get more emails in an inbox..to generate more opens…to garner more clicks…and ultimately put more cash in their pocket.

This is simply untrue. But, there are a lot of senders who do fit into this category, unfortunately.

The same can be said of ISPs, who seem to be on the defensive all the time and take every piece of incoming mail as having a negative relevancy score attached to the intended recipient and make the sender pay (literally in terms of some accreditation methods) to move towards what they perceive as a positive and user wanted email. The sloppy ISPs rely heavily on using highly automated systems to either do binary blocking outright on certain arbitrary indicators in mail or simply throw their hands up and call anyone not sending a one to one message from someone’s relative or friend spam. Again, though, this is an unfair stereotype that doesn’t apply across the board. I work with many ISPs that do take the time, effort and examination to help recipients get mail they want instead of just outright declaring jihad on mass senders altogether. If you pay close attention, these are also usually those who are very technically savvy (and thus breed a desire to keep the internet a free and open exchange for ideas to be messaged, including those that are marketing related and wanted). I enjoy reading the information they post. Our conversations. Listening to what they have to say. And in turn, I believe they do the same of me since they know I’m more about letting numbers and actions speak for themselves as opposed to trying to circumvent any process or “game” them. Numbers and actions, for me, are about spam complaints being driven down, email engagement being up, and benefit being gleaned from the messages sent via whatever method is most appropriate. CNN, for example, sends me transactional breaking news alerts. I may not read every one. And I certainly am not driven to purchase or pay into a service as a result. But, I do enjoy getting these and would be upset if that stream of information stopped. A lot of ISPs get this – the implied and real value I have as a result of knowing what’s going on in any facet of email communication when I don’t have a chance to proactively find out myself.

The rub is that ESPs are paid money to send email (with their hue changing based on types of email they send, the clients they onboard, adherence to their own rules, etc.). But, we are paid to send email (notice “quantity” is intentionally excluded from this sentence). It’s the core product of our systems…deliver communication via electronic mail. ISPs are not paid to receive email. Some ISPs are paid for the images or impressions they drop in which are driven by the mail a user gets being the catalyst for the times they check their mail. Or, some ISPs charge money for email (so in a sense, they are paid to deliver within their own confines of what is spam or not to the customer). Other ISPs just have email as an extension of their existing services (think cable providers or cellular companies) which ultimately can be ear marked for revenue.

So, not all senders are bad; neither are all ISPs good (and vice versa). But, at the end of the day, I can honestly say I don’t have that many problems when dealing with receivers since I tend to only really have a relationship with those I believe are trying to do the right thing, like me, in ensuring recipients get mail they want, need, or otherwise are just glad to have around. I don’t need to be yelled at as an abuser of the internet because I’ve found a living in sending email, as much as a mechanic does for contributing to global warming for putting gasoline burning cars back on the road. Nor, do the ISPs deserve to have fingers waved in their face either when, usually, they’re trying to keep their recipients happy and not melt under the deluge of true spam that technology has brought with it. I’m sure this will inspire some nasty comments, or at the least, a nonplussed double take, but ISPs are businesses as well. They are not run on cookies and rainbows. Same with ESPs. Finding a balance between the two with corporate management pushing down and reinforcing an intermediary relationship that doesn’t engage in an antagonistic or adversarial role is what will win every time.

It’s about the people, the personalities, and a new industry that’s evolved in the aftermath of the advent of spam and marketing mail. But, if your culture is one which doesn’t fit what makes you feel you’re successful or back your mores you’ve developed or adopted over the years, you must realize you’re empowered to make yourself respected and happy. No one else, though. And, at the end of the day, I think the issues between ISPs and ESPs not communicating effectively is more about what the company culture is and how well (or not) they respect and encourage their employees to drive for whatever measurement of success you both share (be it money, recipient satisfaction, client satisfaction, just putting in an honest day’s work, or the fact you get to work from Punxsutawney).

Chris Wheeler
Director of Deliverability at Bronto
@ChrisAWheeler

 

The preference center is a highly intriguing, untapped resource for Email Marketers and could be used in a variety of ways.  It has the potential to establish critical ground rules with both newfound and dormant subscribers.  When subscribers are awarded mission control to continuously manage their preferences, the amount of information that marketers can glean is truly unlimited.  During last week’s Email Insider Summit, Greg Cangialosi spoke about a “master preference center” which, in essence, puts the subscriber in complete control of different online messaging streams.  Additionally, subscribers would be able to divulge their social media and mobile credentials within the preference center.   By adding social media and mobile to the preference center, users garner an added benefit: they can proactively engage with your subscribers within the “online” marketing channel they prefer.  As Jeannie Mullen points out in her recent Web 3.0 column, subscribers now receive emails through a plethora of online channels. Optimizing the preference center will make for a more satisfying subscriber experience.

Balanced Online Messaging

When it comes to email, we understand the basics. How often do you, the user, wish to receive emails?  What email format do you prefer? However, to get to the next level of online messaging, we need to move beyond basic queries and product of interest questions.  The key to reaching the next level lies in adhering to your subscribers’ wishes and preserving a “balance of online messaging.”  To achieve the goal of balanced messaging, give subscribers social media and mobile preferences as well.  For example, subscribers may prefer to utilize Twitter for customer service inquiries, while other subscribers may choose to receive more “entertaining” messaging via Facebook.  I envision a preference center design, where subscribers can populate a matrix of radio buttons or checkboxes and choose the type of messaging and preferred online channel.  Tweetdeck's latest version is a good example, where the "notifications" tab allows clients to choose the level of detail on each type of message stream.  Perhaps in the future, we'll see more formal messaging dispatched through email instead, which underscores why the vision of a master preference center is so significant.    We’ve learned that subscribers engage with brands through various different online and mobile channels.  Engaging them through their preferred method will pique their interest and ultimately entice them to orbit your brand successfully.

Mini Surveys in the Preference Center

If we continue to explore the potential of a well-structured preference center, we will discover a way that marketers can induce a higher level of participation, intimacy and engagement.  To do this, marketers can devise a “mini survey” (just one or two questions) that updates regularly with relevant and timely questions.  The survey would be integrated into preference center itself.  By adding a mini survey to poll your subscribers, you’ll increase the attributes for a given record in a database, and thereby allow future messaging that is more detailed relevant to your subscribers’ needs and interests.  We learned last week that FedEx has 144 attributes associated with each subscriber.  FedEx utilizes this wealth of information to tailor their marketing to the needs of individual subscribers, which will increase intimacy and engagement.

When your subscribers develop their profiles via the "mini survey," they become "active" subscribers.  In doing so, they give you permission to ameliorate their experience with you even more.  By asking leading questions that will result in a more profound relationship, you will allow your subscribers to modify their behavior and attain a greater degree of engagement with your brand.  Leading questions can invoke a higher level of brand awareness, and the use of time sensitive questions will enable you to increase that level of engagement with your brand sooner rather than later.  For instance, pose questions such as, "How likely are you to purchase from us the holiday season?"  Or, something along the lines of "Do you anticipate making a purchase from use within the next 90 days?"  (Make sure to phrase questions in a sensitive manner, so that they will not alienate your subscribers!)  Questions like these effectively create a sense of urgency and may give you greater insight as to what types of promotions you can successfully "initiate" with each active subscriber.  

Detailed Information: A Prerequisite for Customized, Detailed Messaging

Now, if a newly active subscriber has been dormant since immediately after answering your leading questions, you should take steps to re-engage that subscriber.  When this situation arises, you have a valid excuse to send a re-engaging or “reminder” email with a single survey question that will lead the subscriber to a preference center landing page, without necessarily prompting a smattering of complaints.  A strategy you might consider is utilizing  the preference center as the landing page of choice when formulating re-engagement campaigns. In that case, installing follow up questions there can help you in your mission to engage subscribers.  Using these methods should significantly reduce your spam complaints in the event that the subscriber chooses to end your relationship.

Inevitably, preference centers will get more sophisticated over time, and as Morgan Stewart of ExactTarget quoted Amazon’s chief scientist, who opined, “The future of marketing is based on how we enhance the digital experience of a subscriber and provide more detailed messaging by asking the subscriber for more detailed information.”  You may wonder, “How can I ask my subscribers for more detailed information without seeming intrusive and drawing spam complaints?”  If that is your question, preference centers hold the key to a successful mission with your subscribers. 

 Fred Tabsharani

 Port25 Solutions, Inc.

@tabsharani

Fellow Deliverability.com blogger Andrew Kordek started a provocative conversation among a group of email marketers when he asked "If you had one wish in email marketing, what would it be?"

Andrew's wish (education for marketers, ESPs and clients alike), which echoed Martin Luther King's "I Have a Dream" speech, inspired me to take a page from John F. Kennedy's famous inaugural exhortation: "Ask not what email marketing can do for you. Ask what you can do for email marketing."

Many of the comments to Andrew's "Dream" post wished for things like getting Microsoft to dump Word as the HTML engine in Outlook 2007, or better video rendering, or standardized bounce codes and email metrics. Rather than throwing a penny into the proverbial wishing well, however, what are you going to do in 2010 to actually make a positive impact on the industry?

Here are three places to start:

1. What you can do to help yourself: Take your career seriously, and educate yourself on all the aspects of email marketing that make it different from other marketing channels. Learn the best practices that have worked for leaders in the industry, and try to do the right thing instead of the easiest or the quickest.

Attend conferences and Webinars, read blogs like this one and take advantage of all of the free resources on the Web that provide the knowledge and tools to guide you toward delivering a world-class email marketing program.

2. What you can do for your employer: Educate your managers and C-Suite on the role, value and ROI of email marketing. Show them what proportion of your budget email actually consumes and present facts and figures to back up your requests for more resources.

Also, show how email can be much more than a sales channel. It can build brand awareness and affinity, customer loyalty and retention, reduce costs and help other departments solve problems and achieve its business goals.

3. What you can do to benefit the industry: Email continues to suffer an image problem not just from spammers but also because legitimate marketers do stupid things, like buying mailing lists instead of building their own house lists and pounding them to death with indiscriminate volume and irrelevant messages.

Get involved in industry associations (the eec, ESPC, MAAWG for example) that strive to raise the bar for effective and ethical email practices.

Practice what you preach. Be willing to brainstorm solutions to problems instead of just complaining about ISPs blocking your emails and being overworked.
 
Join in the conversation about email on social networks like Twitter, Email Roundtable, Email Marketers Club or LinkedIn (where this discussion originated).

To revise yet another famous adage: "Be the change you want to see in email marketing" (Mahatma Gandhi).

What are you going to do for email marketing in 2010? Please share your thoughts.

I'm a bit of an email geek.

I evaluate nearly every email in my inbox and many in my spam folder. I read and contribute to many of the industry blogs and publications. I peek over my wife's shoulder as she's scanning her inbox to better understand how she "consumes" email marketing campaigns. Unfortunately, I'm often disappointed at the number of email communications that fail; those that miss the boat, forget to treat consumers like humans, and don't set proper expectations.

That's why when I see something like this from Chase (see landing page below), I get jazzed. I want to celebrate the good. They did it! Yay! Yay!

Brief Backstory

I recently made the switch to the Southwest Credit Card, mostly because I love Southwest Airlines. I signed up my Southwest/Chase credit card online and promptly forgot my username and password. Awesome, right? Thankfully, like most sites, they have a step-by step process to retrieve my information. You've likely stepped through this before. You answer a series of challenge questions. Then, your username and/or password is either displayed or some type of code/link are sent to you via email. Standard procedure.

Setting Proper Expectations

The Chase Online process was quite similar to the typical one described above, with a twist. When it came to the deliverability of the Identification Code, there was a nice alert informing me of what could happen with the recently sent email. Take a minute to read what's inside the red box. You may have to click the image to enlarge. (Note: I added the red box.)

They set clear expectations. Not only that, but they used language that was aligned with the average consumer - internet traffic, software settings, etc. They didn't barrage me with technical-speak. They told me what to expect and when.

Nice job Chase Online! You win today's gold star.

Are you setting proper expectations? Do people know what to expect, when, and how often?

DJ Waldow
Director of Community, Blue Sky Factory
@djwaldow

The Final Word on DKIM and Deliverability

By: J.D. Falk of Return Path

Seems like every week, I see another industry colleague asking for a detailed list of how each DKIM option affects deliverability. Everyone who's asked for this is a smart person, generally clueful, but this question stumps me. Perhaps it's that while I learned about email technology as a way to get a message from one autonomous system to another, he learned about it in the frustrating context of trying to figure out why his mail was being blocked -- so it has never before crossed his mind that new email technology might be invented that won't make delivery of his marketing messages more difficult.

See, DKIM isn't some wacky new anti-spam method intended to reduce your ability to get mail delivered (that's what that made-up word "deliverability" means, after all.) It's authentication, designed to make it easier to identify the good senders.

DKIM only answers two questions:

1. Does the message have a valid signature?
2. If it does, what domain signed it?

The signing domain, identified by the d= tag in the DKIM signature header, is the only part of the DKIM signature where the choices you make now will directly affect the continued deliverability of your messages. This is because d= is how you tell the receiving system who you are.

With a valid signature on the message, if the receiving system has a domain-based whitelist, and your d= is on it, the message gets in. If they have a domain-based blacklist, and your d= is on it, the message will be rejected. Few mailbox providers have either of those today -- but if they have a domain-based reputation system, which we know the big mailbox providers are working on, then delivery depends on reputation. It's exactly the same as with IP addresses today.

And just as with IP addresses, consistency is critical. If you want to separate different mailstreams, then instead of sending from different IPs like you were before, you can now sign with different domains: shipping.example.com, marketing.example.com, corporate.example.com. Within the context of authentication, each of those is an entirely separate entity. Reputation assessment systems will quickly figure out that there's a relationship between everything that's part of example.com, though, so you can't use this to escape the much-deserved bad reputation of a bad mail stream.

If you send through an ESP today, chances are they sign with their own domain. This means that if you switch to another ESP, you can't take your reputation with you. However, it also means you can borrow the ESP's reputation as long as you're their customer. Work with your ESP to choose the configuration most appropriate for your situation.

So you can stop worrying, sign your mail, and get back to the important work of making sure your recipients are happy to receive the messages you send.

If you're interested, here's a rundown of all the other options in the base spec -- RFC 4871 -- and what effect they're likely to have on delivery of signed messages. If you haven't read the introduction and the terminology and definitions section yet, please do so now.

There's currently only one acceptable value for the version (v=) tag. If yours isn't 1, then the DKIM signature isn't valid. Effect on deliverability: none if it's 1, otherwise the message will be treated as if it wasn't signed.

The algorithm (a=) is very important to cryptography geeks, but we're not talking about ICBM launch codes here. Unless you remember why DLG2209TVX was replaced with CPE1704TKS, accept whichever algorithm and key size your mail software vendor or ESP recommends and be done with it. (Just watch, someone will comment that rsa-sha1 is insecure because someone could decrypt it in a matter of months -- per message.) Effect on deliverability: none.

Canonicalization (c=) is a sneaky way to get around the fact that sometimes an intermediary mail server will make minor changes to a message, like capitalizing header field names or snipping empty lines at the end of a message. With the default "simple" algorithm, those changes would cause the signature verification to fail. With the "relaxed" algorithm, those changes may pass. Effect on deliverability: none unless the message fails.

You can choose to specify, in the h= tag, which header fields you're signing. There's a good description in the base spec of why you might or might not choose particular fields. If you use this, I'd go with the headers that users are likely to see in their mail client, plus anything you use for tracking. Effect on deliverability: none.

Similarly, you can copy all of the signed header fields into the signature with the z= tag. I'm not sure why you would, except for debugging. Effect on deliverability: none.

The selector (s=) is just a way to look up which key you're using, allowing you to use multiple keys with the same domain. You might have different keys for different offices, or systems, or create a key that you can give to your ESP to sign on your behalf. The selector is also useful for changing keys periodically, in case the private key is no longer private -- for example, you could change selectors every other month, removing old ones a few months after you've stopped using 'em. Effect on deliverability: none.

A somewhat controversial option is the body length limit, designated by the l= tag. This allows the signer to say "I signed this much of the message, but there might be more content after that -- and if so I'm not responsible for it." It's a reaction to discussion list software which may automatically add an informational footer to the end of a message. Thing is, these lists invariably make other changes also -- new headers, et cetera -- so the signature would be broken anyway. And, if your focus is on keeping the recipient safe (as it is for all mailbox providers), why would you deliver a message where the top part is from a trusted sender and the bottom part could be malware? Effect on deliverability: could be bad. Don't use this.

The q= value is easy: it can only be "dns/txt". Anything else is invalid. Effect on deliverability: none if it's dns/txt, otherwise the message will be treated as if it wasn't signed.

There are two optional tags referring to time: t= is the time the signature was created, while x= is when it expires. Both of these are designed to catch stupid criminals. If the signature was (allegedly) created after the message was received, it's not valid. Or if the message is received after the signature expires, it's not valid. While it's not entirely clear what will happen in the wild, I'd recommend skipping both of these. Effect on deliverability: none if the times match up or the tags aren't used; otherwise, the message will appear suspicious.

A formerly controversial feature is the i= tag, which looks like an email address -- but probably isn't. As I explained back in March, Cisco uses this to identify individual users: i=santaclaus@cisco.com, if Santa Claus worked for Cisco. And you know, he might. More common, I'd expect, senders will use i= to denote distinct mailstreams or internal divisions for their own tracking purposes: i=transactional@example.com, i=marketing@example.com, i=nyc-office@example.com. Thing is, there's simply no way for anyone on the receiving side to know whether marketing@example.com is a mailstream, a department, a individual email address, or simply a string of randomly generated characters. As such, reputation is more likely to accrue to the d= value. Effect on deliverability: probably none.

So unless you use l= or have unrealistic expectations about i= or s=, as we discussed above, d= is the only thing that matters. See? Nothing to worry about.

------------

-Dennis
Eloqua

Don't Just Send, Deliver!