73 posts categorized "Joshua Baer"

At OtherInbox, we help hundreds of thousands of users to manage email overload by automatically identifying commercial email and organizing it into folders. We send out a daily digest to our users showing all of the email that we organized for them the day before. We get a great open rate on these emails and monitor it closely as an indication of user activity.

Recently, we introduced a bug that prevented us from tracking opens (it started on Thursday). The bug only affected new digests, but old digests that we had sent were still working. This chart shows how our open rate declined over time, providing a view that you don't get to see very often - how do the opens trickle in over time?

As you can see, 60% of the opens happen within the first 3 days. But 4-5 days later we're still getting a significant number of opens from old digests. Then on Tuesday we fixed the bug and the number jumped back up again.

There is probably going to be a slightly different distribution for different types of messages that are sent, but I bet the shape of the curve looks very similar for most email.

OIB Open Rates over time
 

February 11, 2010

By Joshua Baer


Respectful Spam from @LayeredTech

Today I received a spam message from a salesperson. It was like many others that I receive, except that I immediately noticed how respectful the tone was. Then at the end of it, he tells me that I should reply to his email so that he can show his boss that his respectful spam is more effective than the other spam I get.

I know for a fact that this guy purchased my name off a list. I never contacted him or asked to receive anything about his services.

I thought to myself, "This is clever. I'm not going to fall for it, but I bet a lot of people feel guilty and write back to this guy."

From: ***** ******
To: Joshua Baer
Subject: Please answer a quick question for me.

Dear Josh,

As promised it's been a while since I contacted you and a lot has happened here at Layered Technologies. But my own respectful approach has not changed. I certainly do not want to waste your time, or annoy you with lots of cold calls.

[more about their services]

Out of respect and a desire not to spam, you will be the only recipient at your company. Help me prove to my own management that this respectful approach is what people want by shooting me a quickie email letting me know if you do or do not have projects in these areas.

Thank you in advance and have a great year,

*****

***** ******
Enterprise Sales Executive
Layered Tech

I wrote back to him with a simple reply:

Take my name, phone, and email off your list.

He wrote back to me offended, and in not so few words called me an asshole:

Josh I looked up my records to be sure I haven't over contacted you. It looks like the last time was 7/09. Since it's a very respectful note and it's been 7 months since I last made a contact attempt I wonder are you always so friendly or do I just bring out the best in you?

You have been removed from my list.

This is the first time I've ever felt like I was being reprimanded for not being polite in how I unsubscribed!

January 30, 2010

By Joshua Baer


6 years since Sender-ID and DKIM started


I was digging through my closet today and found this hat. The hats were given out as chachka at a unique email industry meetup hosted by the Berkman Center at Harvard University on a very cold winter day in January, 2004. I think Trevor Hughes was responsible for the hats.

I believe this meeting was one of the first times that SPF, Sender-ID and Domain Keys were revealed publicly. I remember Hans Peter Brøndmo speaking about the vision of Project Lumos and a lot of passionate debate about the future of email and the need for Authentication, Accreditation and Reputation systems.

My how far we've come! 6 years later SPF is gone, Sender-ID is predominantly used by Microsoft, and DKIM has been adopted by Google, Yahoo! and many others. Authentication is real. Return Path is the de-facto reputation system and also provides accreditation services along with Goodmail and others.

Back then all reputation was IP based. Now we're finally seeing significant movement towards domain based reputation authenticated with DKIM.

Did it "solve" the spam problem? Certainly not. I do think it has helped the overall ecosystem and it surely has made it easier for legitimate senders to get reliable email deliverability.

Were you at that meeting on the cold January day in 2004? What do you remember? What do you think about how far we've come?

We're seeing reports at OtherInbox of spam emails sent to email lists that are hosted at iContact. Our users give each website a different email address so it's easy to see when they get abused. I received an email with the subject "Pharmacy Best Product Vicodin.Viagra!!!!!" to an email address that was only given to Shoeboxed.com (a great service that I love). 

Other users are reporting emails to other companies that have no affiliation to Shoeboxed - but the one common thread seems to be that they all use iContact. Another list that is hosted at iContact and seems to be stolen is eApps.com. We know of at least 8 different companies affected by this so far.

Marek Isalski did a great job documenting the breach here

There may be another explanation, so we've reached out to iContact on Twitter and are watching their blog for more info but so far they have not responded. Understandably, they are probably doing their own research before they make any announcements. (update: iContact has updated their blog acknowledging the issue but with few other details.)

Is your list hosted at iContact? Do you have any unique seeds on it? If so, leave a message in the comments and tell me if you received this same spam email.

I'm amazed that what is probably the largest data breach in email marketing history has gone largely unnoticed by the email marketing community. Suppression lists get stolen all the time, but I've never heard of an ESP getting hacked and compromising the subscriber lists of all of its customers. 

I haven't seen a single article about it in any of the trade magazines, not to mention that TechCrunch usually loves to cover this sort of thing. A few bloggers have talked about it (here and here) and Al Iverson wrote a short post, but I'm surprised how little it was covered by the mainstream press. Maybe it's due to the timing right before the holiday?

At the end of December, AWeber says their database was hacked by an "overseas organized group" and some, if not all of their subscribers started receiving Viagra spam and other unsolicited email messages. AWeber is an email service provider that claims 65,000 customers. Each of their customers uploads a list of email addresses, so AWeber probably holds tens of millions of unique email addresses.

According to the AWeber blog, they had vulnerabilities in their software that allowed a malicious hacker to gain access to the database containing the email addresses. It's unclear if they got the whole database or just part of it (and probably impossible to know for sure). AWeber assures us that it's all fixed now.

I'm not sure that a customer reading AWeber's description would get the right idea or understand the significance of what really happened. 

AWeber points out with little red flags all the things that were NOT stolen, and makes a laundry list of everything they can think of. Pointing out that no "from email addresses" or "website URLs" were stolen seems to be really grasping at straws - maybe they thought that by making the list of NOT bigger it would draw attention away from what was really stolen.


They also point out that the spam being sent to your customers isn't being sent from AWeber, so it won't hurt their deliverability. I'm sure that's comforting for AWeber, and I'm sure it's a common question their customers might have - but the way it's written downplays the primary issue that their email list was stolen.

They lost the subscriber lists. That's the most valuable thing they have! If I were a customer of theirs, I'd much rather that they lost my credit card number than lose my list of subscribers. I can cancel my credit card - but I can't ever get my email addresses back from the foreign criminals and everyone else they sell it to. Those users can never unsubscribe now - they will just get more and more spam until they switch to a new email address.

The criminals can now sell those email lists on the black market over and over. The problem is likely to get worse over time as each generation of the list gets resold. This is a Pandora's box that can't be closed after you open it.

I have a unique OtherInbox address that I gave to AWeber when I signed up to try out their service a few years ago. I haven't received any email at that address since it was first used. But in the past week it has received 5 messages with various subject lines and the same NSFW body showing the before and after images of a penis enlargement device. 

You know what I haven't received? An email from AWeber notifying me that my email address was compromised. I guess they think that posting it to their blog is enough. But considering that none of the owners of the email addresses that were stolen even know who AWeber is, it's pretty unlikely that they would be reading the AWeber blog. I don't think it is adequate notice.

Fortunately, because that email address was only given to AWeber, I can just Block that one email address and be done with it. But if they had your work email address, there is nothing you can do to fix it and it is just going to get worse over time.
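The per-company address technique used in this post and in the iContact report above can be automated. The following is an added example, not OtherInbox's code: every address, domain and message in it is constructed, and it assumes the sender domain of each message has already been authenticated (for example by DKIM).

```python
"""Seed-address leak attribution. All names and data below are constructed."""
from collections import defaultdict

# One unique address per company, with the company's own domain and the
# email service provider (ESP) that hosts its list. Hypothetical values.
SEEDS = {
    "js-shop@seeds.example":    {"owner": "shop.example",    "esp": "esp-a.example"},
    "js-hosting@seeds.example": {"owner": "hosting.example", "esp": "esp-a.example"},
    "js-news@seeds.example":    {"owner": "news.example",    "esp": "esp-a.example"},
    "js-travel@seeds.example":  {"owner": "travel.example",  "esp": "esp-b.example"},
    "js-bank@seeds.example":    {"owner": "bank.example",    "esp": "esp-b.example"},
}

# Constructed inbound mail: (recipient, authenticated sender domain).
INBOUND = [
    ("js-shop@seeds.example", "shop.example"),
    ("js-shop@seeds.example", "pills.invalid"),
    ("JS-Hosting@seeds.example", "pills.invalid"),
    ("js-news@seeds.example", "mail.news.example"),
    ("js-travel@seeds.example", "travel.example"),
    ("js-bank@seeds.example", "bank.example"),
    ("stranger@seeds.example", "pills.invalid"),   # not a registered seed
]


def is_expected_sender(sender_domain, owner, esp):
    """True if the sender is the company, its ESP, or a subdomain of either."""
    sender_domain = sender_domain.strip().lower().rstrip(".")
    return any(
        sender_domain == d or sender_domain.endswith("." + d)
        for d in (owner, esp)
    )


def find_leaked_seeds(messages, seeds=SEEDS):
    """Map each seed address to the unexpected domains that mailed it."""
    leaked = defaultdict(set)
    for rcpt, sender in messages:
        addr = rcpt.strip().lower()
        info = seeds.get(addr)
        if info is None:
            continue  # mail to an address we never handed out proves nothing
        if not is_expected_sender(sender, info["owner"], info["esp"]):
            leaked[addr].add(sender.strip().lower())
    return dict(leaked)


def leak_rate_by_esp(leaked, seeds=SEEDS):
    """Return {esp: (leaked seeds, total seeds)} to expose a common thread."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for addr, info in seeds.items():
        totals[info["esp"]] += 1
        if addr in leaked:
            hits[info["esp"]] += 1
    return {esp: (hits[esp], totals[esp]) for esp in totals}


if __name__ == "__main__":
    leaked = find_leaked_seeds(INBOUND)
    for addr, senders in sorted(leaked.items()):
        print(f"{addr} (given only to {SEEDS[addr]['owner']}) got mail from {sorted(senders)}")
    for esp, (bad, total) in sorted(leak_rate_by_esp(leaked).items()):
        print(f"{esp}: {bad}/{total} seeded lists leaked")
```

Unrelated companies whose seeds leak while sharing one provider is the pattern described for iContact; a single leaked seed points at the one company that held it.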

OtherInbox Screenshot of AWeber Mailbox


If AWeber was the secret service, this is like having the president get shot on their watch. Complete failure to protect their most important asset. I don't have anything against AWeber and have always respected them - but I don't see how we can let this one slip under the radar. Customers need to have higher expectations of their Email Service Provider and consumers have to have higher expectations of the companies they purchase from.

If I were AWeber, I would be groveling to my customers and begging forgiveness, not pretending that it wasn't a big deal. It seems like their attitude is all wrong - their original blog post didn't even have an apology to their customers, it was added afterwards. When I ran SKYLIST and UnsubCentral, if for any reason I felt that our service had not lived up to the expectations we set with our customers I compensated them in some way (a month of free service at a minimum).

If you are an AWeber customer, you should probably consider sending notice to your own customers who were affected by this, the way that ProBlogger did and Seesmic did.

If you are an Email Service Provider, you need to make it clear to your customers that this is NOT something that is acceptable or expected to happen. You need to make it clear to your customers that their subscriber lists are safe and are not going to get hacked.

If you are a salesperson at an Email Service Provider, you should be calling up AWeber customers. Email Data Source can probably show you a list of them.

October 03, 2009

By Joshua Baer


Favicons in Gmail - don't you wish you had one?



TechCrunch reports that Gmail is now showing Favicons (the small square icon you see in your web browser next to the URL) next to email messages from Netflix. 
I'm guessing that they have some sort of internal whitelist for deciding who to show the favicon for. Or maybe they could start charging for it! We've discussed this kind of functionality for OtherInbox for a while so I'm glad to see Gmail paving the way here.

I bet you wish you had a favicon. If you hear any rumors about how this will be handled please 

Is this a standard that should be developed and tied to email reputation? Should we be including an X-Favicon URL in email messages? Please add your comments and suggestions!



I'm very excited about Google Wave and have been playing with the developer preview for a few months. On the one hand, I see how this could someday replace much of current email conversations, IM, Twitter, and Campfire. I'm trying to figure out how this interacts with deliverability. Do you think Wave will be used for conversations and you'll still have an old school email address for getting receipts, shipping notices, newsletters, new friend notifications? Is it just the same game with a different name?

Please share your comments and suggestions! If you're on Wave, my account name is "joshuabaer". I will send one Google Wave invite to one of the people who comments on this blog post with a suggestion.

It's not the first time this has happened to me, but it still surprises me every time. I send an unsubscribe request by email as instructed in the email I received, and then it bounces back to me because of a spam filter. Here is the latest:

Delivery failed:
421 This server implements greylisting, please try again in 236 seconds

----- Original message -----
Message-Id: <1F669FC8-C55A-42C8-843E-E2548DF7CC61@xxxxxxxxxxx.com>
From: Joshua Baer
To: unsubscribe@walkersresearch.com
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Unsubscribe
Date: Sat, 18 Jul 2009 10:10:50 -0500
X-Mailer: Apple Mail (2.935.3)

Please unsubscribe me

----- End of message -----

It's an easy mistake to make, but one that email marketers should be aware of and prevent. You don't want to send your unsubscribe requests through a standard email system with a standard spam filter because they can catch legitimate unsubscribe requests and block them as spam.

Not only is this a bad customer experience, but it can get you busted by the FTC for violating CAN-SPAM. Your obligation is to honor unsubscribe requests. Getting caught in your spam filter is not a good enough excuse to avoid responsibility.

To make things worse, the very word "unsubscribe" is a common spam term in filters. SpamAssassin will increase the score of your email just for including it.

So what's a marketer supposed to do? This is one reason for sending unsubscribe requests to a web page or to an email address directly at your email server, rather than using the instinctive <unsubscribe@example.com>. Any address @example.com is likely to be going through the corporate spam filter. By using an address that goes directly to the mail server such as <listname-unsub@lists.example.com> you're probably going to bypass the default spam filters that would be applied.

How else do you handle this with your email?

Joshua Baer
Chief Evangelist, Datran Media
Founder & CEO, OtherInbox

You can follow @deliverability on Twitter here

June 27, 2009

By Joshua Baer


Check out our new look!

We have a custom blog design to make our site a bit easier on the eyes and would love your feedback on how we can continue to make it better in the future.

Please take a look and let us know what you think! I know the email signup form is broken right now, but if you find any other problems please add them in the comments below.

The Email Senders and Providers Coalition (I am the co-chair of its Technology committee) announced today that all members must support MD5 suppression lists by the end of the year. Most ESPs support this already, but there are still some laggards.

Download the full document at http://www.espcoalition.org/042309encryption.php

When the CAN-SPAM act was passed in 2004, it created a new requirement for email marketers to share suppression lists with other companies who do marketing on their behalf. Suppression lists are email addresses of consumers who have clicked on the unsubscribe link. Many companies just share these lists in plain text, which is very insecure and is frequently abused. Spammers steal these lists and send those consumers more email!

Hashing the email addresses with MD5 before they are shared protects against spammers abusing them. This was one of the main reasons why I created UnsubCentral - to create a safe, central repository for securely exchanging suppression lists and complying with the CAN-SPAM act.

What does this mean for you?

If you are an Email Marketer

Talk to your email service provider about it! Make sure that you are securing your suppression lists with MD5 and that you are not exposing your users to extra risk and yourself to unnecessary liability. Just because your ESP supports MD5 does not mean that they use it by default. In fact, most ESPs require that you ask them to turn it on.

Talk to your affiliates about it! Make sure that any affiliates who send email on your behalf know that this issue is important to you and that they need to be prepared to accept MD5 suppression lists from you.

If you are an Affiliate Marketer

Make sure you are ready to accept MD5 suppression lists. Make sure your email software or email service provider accepts MD5 suppression lists for your mailings. If your mailing software doesn't support it, you might find it helpful to use this free desktop application from UnsubCentral that lets you compare to MD5 files on your hard drive.

If you are an Email Service Provider

Make sure you support MD5 suppression lists for one-time upload, permanent upload, and for download. This means that a list owner should be able to upload an MD5 encoded file of email addresses into your system as permanent unsubscribes or just to suppress against one single mailing. It means that a list owner should be able to easily download an MD5 encoded suppression list of all the unsubscribes their list has received through your system.

Educate your customers about why they should use MD5 and how it can help protect their subscribers from spam and themselves from legal liability and deliverability challenges. By using MD5 instead of plain text, you make it less likely that a suppression list will get abused and your sending reputation gets tarnished.
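The upload, download and compare steps described above reduce to hashing both sides the same way and matching digests. This is an added example, not UnsubCentral's or the ESPC's code: the normalization rule (trim, lowercase, UTF-8) is an assumption both parties would have to agree on, and the addresses are constructed.

```python
"""MD5 suppression-list exchange. Sample addresses below are constructed."""
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample data.
UNSUBSCRIBED = ["Alice@Example.com ", "bob@example.net", "alice@example.com"]
MAILING_LIST = ["ALICE@example.com", "dave@example.org", " bob@example.net"]


def normalize(address):
    """Assumed shared convention: strip whitespace, lowercase the address."""
    return address.strip().lower()


def md5_hex(address):
    """Lowercase hex MD5 digest of the normalized address."""
    return hashlib.md5(normalize(address).encode("utf-8")).hexdigest()


def export_suppression(unsubscribed):
    """List owner side: one digest per unique address, no plaintext."""
    return sorted({md5_hex(a) for a in unsubscribed if a.strip()})


def load_suppression(lines):
    """Affiliate side: parse a received file.

    Accepts upper- or lowercase hex and skips blank lines. Anything that is
    not a 32-digit hex digest (for example a plaintext address that slipped
    into the file) is reported by line number instead of being used.
    """
    digests, rejected = set(), []
    for lineno, raw in enumerate(lines, start=1):
        token = raw.strip().lower()
        if not token:
            continue
        if HEX32.match(token):
            digests.add(token)
        else:
            rejected.append(lineno)
    return digests, rejected


def scrub(mailing_list, digests):
    """Split a plaintext mailing list into (keep, suppressed)."""
    keep, suppressed = [], []
    for address in mailing_list:
        (suppressed if md5_hex(address) in digests else keep).append(address)
    return keep, suppressed


if __name__ == "__main__":
    shared_file = export_suppression(UNSUBSCRIBED)
    digests, rejected = load_suppression(shared_file)
    keep, suppressed = scrub(MAILING_LIST, digests)
    print("send to:   ", keep)
    print("suppressed:", suppressed)
    print("bad lines: ", rejected)
```

Matching works because anyone holding a candidate address can test it against the file, so the digests hide only addresses the recipient does not already have or cannot guess.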

How does this affect deliverability?

Lashback tracks unsubscribe compliance by IP address, and if your customer's suppression files end up in the wrong hands it will reflect poorly on your IP address reputation. Lashback's UnsubScore is one component of Return Path's Sender Score - so getting a black mark from them could affect your deliverability at many ISPs.


April 23, 2009

By Dennis Dayman


ESPC to Adopt Suppression File Encryption

The Email Sender & Provider Coalition (ESPC), a cooperative of leading email marketing firms and email service providers, today announced a plan to require members to support suppression file encryption when those files are transferred to or from third parties or clients.

The ESPC is moving to require suppression file encryption both as a privacy protection and to contribute to the email industry's fight against spam.

Under CAN-SPAM, marketers are required to maintain lists of recipients that have unsubscribed from receiving messages from a particular sender. Marketers are further required to share those files anytime they use a third party to conduct a commercial email marketing campaign, to ensure that unsubscribe requests are honored.

If suppression lists are not secured in some way, they become vulnerable to malicious parties who could misuse them as spam lists. Suppression file abuse of this sort is a significant source of spam. Encrypting suppression files using a one-way hash, such as the standard being adopted by the ESPC, can help prevent such abuse...

--MORE--

http://www.espcoalition.org/042309encryption.php

This is good news in my opinion and something in the works here. With all the data breaches happening, we need to begin to start encrypting more personal identifiable data (PII).

-Dennis
Eloqua

Don't Just Send, Deliver!

April 03, 2009

By Joshua Baer


M-Spam law coming to target Mobile Spam?

AFP reports that two US senators declared war on spam on Thursday. Senator Olympia Snowe, a Republican from Maine, and Senator Bill Nelson, a Democrat from Florida, introduced legislation aimed at curbing unsolicited text messages on mobile devices.

The m-SPAM Act of 2009 is intended to crack down on what the senators described as a "growing nuisance for millions of wireless customers."

Apparently, they plan to link mobile phone numbers in the Do Not Call Registry to SMS spam as well. There isn't much more, but you can find it here.

Thanks to Josh Janicek from UnsubCentral for bringing this to my attention!

February 16, 2009

By Joshua Baer


Please email me a cheesesteak

I saw this at Texadelphia today and had to share it with the group.



Brian Krebs at the Washington Post reports that "Google's free services are being heavily exploited by spammers to redirect visitors to sites touting knockoff designer drugs and scams, according to the latest rankings from Spamhaus.org, a group that tracks unsolicited commercial e-mail.

"Last month, Security Fix called attention to Microsoft's persistent ranking on Spamhaus's running list of the "Top 10 Worst Spam Service ISPs". Now that Microsoft has cleaned up its act, it appears the bad guys are moving on to Google, which is now ranked #4 on the list (#1 being the worst)."

December 23, 2008

By Joshua Baer


No pot of gold at the end of this rainbow

The Silicon Republic writes: 

"Tough new Irish laws will see businesses face fines up to €250,000 if they are found guilty of sending unsolicited email.

Communications Minister Eamon Ryan has signed new legislation to tackle spamming and other unsolicited communications.

Under the new regulations, unsolicited mail for direct marketing purposes will be an indictable offence.

The Data Protection Commissioner can refer serious breaches of the legislation for prosecution through the Circuit Court where fines of up to €250,000 or 10pc of the company’s turnover, whichever is greater, can be imposed.

Fines for less serious offences will increase from €3,000 to €5,000."


Is this just another spam law? One comment by an Irish public official raised some concerns for me. Billy Hawkes, Data Protection Commissioner, said, "Increasingly, in this period of economic downturn, my Office is receiving complaints about businesses making unsolicited contact with their past customers for marketing purposes."

So apparently in Ireland, a previous business relationship is not adequate permission to send an email promotion? 

Joshua Baer
Datran Media

p.s. Hat tip to Chris Wheeler from Datran Media for pointing this out.

December 21, 2008

By Joshua Baer


Explain Phishing in 3 minutes

Common Craft produces short video tutorials on popular topics such as Blogging, Twitter and more. They are some of the best instructional videos I've ever seen. Here is the latest installment, covering Phishing scams in email. Send this to your mom!

December 17, 2008

By Joshua Baer


Spam is on the rise again

MailChannels points out that SpamCop is showing spam on the rise again, after it took a big drop when the McColo facility was shut down in November. Not surprisingly, it seems that the spammers just picked up and moved to new hosts. Plus it's that time of year again - when everyone is sending out just "one more email blast" to try and make their numbers for the year.


I wish that some company was tracking the amount of "perceived spam" or "spam in the inbox" in the same detail. The anti-spam guys always want to focus on how much more spam is being sent, as a way of inflating their own value proposition. My gut tells me that the amount of perceived spam is going down, even though the overall volume of spam being sent is going up. 

I found it pretty interesting to read that Apple's MobileMe service blocks outbound emails to addresses @spamcop.net. Apparently because they were having problems getting blacklisted on SpamCop and implemented this as a way of reducing their number of SpamCop spamtrap hits.

An automated dialer from Blockbuster called me today to tell me that I had an overdue movie. I received a similar call about a week ago for the same movie. The problem is, I don't rent movies from Blockbuster!

It seems like someone else registered with my phone number (maybe just a typo) and now they are calling me about someone else's movies. To make matters worse, this is my mobile phone.

The automated message was about 2 minutes long and included a phone number for the Blockbuster branch that the overdue movie was rented from.

I waited until the end of the recording, hoping to hear "If you've received this message in error, press 2 to be connected to an operator" or "If you don't want to receive calls like this in the future, please press 2" but there wasn't anything like that.

Shouldn't automated phone calls include an "unsubscribe" just like emails?

Technically, this would be a "transactional" email or phone call, since Blockbuster isn't trying to sell me anything. However, I think this shows a good example of why even transactional emails should have an unsubscribe on them.

November 25, 2008

By Joshua Baer


Facebook spammer fined almost one billion dollars


Spam doesn't just happen in email. Facebook just won a lawsuit against Adam Guerbuez for almost a billion dollars. It's unlikely that he can pay even a small portion of that, but we'll take every win against spammers that we can get.

November 13, 2008

By Joshua Baer


The Deliverability Basics

Chris Wheeler from Datran Media (formerly of Amazon) wrote a great summary of email deliverability basics in DM News. Chris focuses on the following five concepts:

  • Get Permission
  • Maintain Your Lists
  • Authentication Matters
  • Follow the Rules and Regulations
  • Develop the Right Creative

November 12, 2008

By Joshua Baer


Spam supporting ISP shut down

The Washington Post reports that one of the largest spam supporting ISPs was shut down.

Joe Stewart, director of malware research for Atlanta-based SecureWorks, said that these known criminal botnets: "Mega-D," "Srizbi," "Pushdo," "Rustock" and "Warezov," have their master servers hosted at McColo.

Collectively, these botnets are responsible for sending roughly 75 percent of all spam each day, according to the latest stats from Marshal, a security company in the United Kingdom that tracks botnet activity.

This is good news for senders everywhere!

November 09, 2008

By Joshua Baer


Follow deliverability on Twitter


If you use Twitter, you may want to follow @deliverability for a notification of each blog post as well as other breaking email news.

If you're looking for other email industry tweets to follow, check out some of these:

People

Companies

If you're on Twitter and not listed here, please add yourself to the comments below!

BlueTie is beta testing the Return Path feedback loop for the domains it hosts including excite.com, iwon.com, and myway.com. Right now it's only open to Return Path customers but it should open up to the public sometime soon.

October 26, 2008

By Joshua Baer


The ISP that marketers dream about


If email marketers could set the rules for ISPs, what would be different? What would be the characteristics of DreamMail, the ISP of our dreams? (note: there is no connection between this imaginary ISP and any of Epsilon Interactive's various products).

  • DreamMail would verify incoming messages with both Sender ID and DKIM. Email marketers would feel safe that no one is forging email and hurting their reputation or deliverability.
  • Images and links would always be enabled in DreamMail. No one would ever open an email message only to see broken HTML and links. Using images to track opens would be a reliable metric.
  • Flash and video would work in DreamMail. No longer limited to animated gifs, email would now contain rich media, streaming video, and interactive flash applications.
  • HTML and CSS would render just like web pages in DreamMail. There would be no more coding a different version with different rules for email. We could use the same modern editing tools and best practices for emails as we do for the web.
  • JavaScript would execute in DreamMail just like on web pages. This would allow for AJAX and dynamic content inside the email and enable traditional web analytics to integrate with email campaigns.
  • Forms would work within DreamMail. Rather than always linking to a landing page, we could have a call to action within the email itself and gather responses directly. Combine this with AJAX for email dashboards and control panels.
  • There would always be clear bounce messages from DreamMail. If a message did not get delivered, we would receive immediate and obvious feedback that followed RFC standards.
  • DreamMail would have a feedback loop that uses the standard Abuse Reporting Format (ARF). If any recipients clicked the Spam button, the sender would receive an immediate email notification.
  • DreamMail would provide an Unsubscribe button to users. If the message had a good reputation and contained a List-Unsubscribe header, DreamMail would display an Unsubscribe button to its users.
  • Registered senders could verify sends, bounces, opens, clicks, spam complaints similar to Microsoft SNDS. It would be easy to verify how much email was sent and what actually got delivered. This information would be available as an XML feed as well.
  • DreamMail would have a great website that explained how to get good delivery and how to contact them if there is a problem.
  • DreamMail would proactively notify us of problems and recommend solutions.
  • DreamMail would have a responsive staff that was available via email or phone.

What else would DreamMail, the ISP of your dreams do? Tell us about it in the comments below.
