bad ideas
Lucas Ropek for Gizmodo explains: “Turns out it’s pretty damn easy to spam the entire Air Force using just one email address.” Oh, no. Really? Yep, as it turns out.
Rene Holt writing for We Live Security has shared a recent tale that gives me pause: What can go wrong if you get your SPF record wrong. Usually the risk here is that you make your SPF record too restrictive, resulting in the rejection of legitimate mail. But here’s an alternate case — what if your SPF record is so wide, so broad, that bad guys can easily send spam from certain IPs and pass authentication checks, successfully pretending to be you (or at least, successfully sending from your domain). I think the moral of the story is that you’ve got to get SPF right, both in how tight and how loose your SPF record should be. Don’t just blindly add a zillion IP addresses because somebody told you to; investigate and question and review. Rene Holt: How a spoofed email passed the SPF check and landed in my inbox
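One way to review how loose an SPF record is, as an added example (not code from this post or from Rene Holt's article): it counts the IPv4 addresses a record authorizes to pass and flags very wide ranges and a passing `all`. The /16 threshold and both sample records are constructed assumptions, and `include`, `a`, `mx` and `exists` terms are only listed because expanding them needs DNS lookups.

```python
import ipaddress

WIDE_V4_PREFIX = 16  # assumed review threshold, not taken from the SPF standard

def audit_spf(record):
    """Report how much IPv4 space an SPF record authorizes to pass."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, findings, needs_dns = [], [], []
    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in "+-~?":
            qualifier, term = raw[0], raw[1:]
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]
        if "=" in name:  # modifier such as redirect= or exp=
            if name.startswith("redirect="):
                needs_dns.append(raw)
            continue
        if qualifier != "+":
            continue  # only "+" (the default qualifier) yields an SPF pass
        if name == "all":
            findings.append("all: any sending IP passes")
        elif name == "ip4":
            net = ipaddress.ip_network(value, strict=False)
            nets.append(net)
            if net.prefixlen < WIDE_V4_PREFIX:
                findings.append(f"{net}: wider than /{WIDE_V4_PREFIX}")
        elif name in ("include", "a", "mx", "exists"):
            needs_dns.append(raw)  # must be expanded via DNS before judging
    # Collapse overlapping ranges so addresses are not counted twice.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return {"ipv4_addresses": total, "findings": findings, "needs_dns": needs_dns}

# Constructed sample records, not taken from any real domain.
TIGHT = "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.7 include:_spf.example.net -all"
BROAD = "v=spf1 ip4:198.18.0.0/15 ip4:198.18.5.0/24 ip4:203.0.113.0/24 all"

if __name__ == "__main__":
    for label, rec in (("tight", TIGHT), ("broad", BROAD)):
        print(label, audit_spf(rec))
```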
Deceptive Design is a website that highlights “tricks used in websites and apps that make you do things that you didn’t mean to, like buying or signing up for something.” Read through their Hall of Shame and you’ll see that a lot of them are email related. Hidden/unclear/assumptive opt-in practices, forced newsletter subscriptions, inverted opt-in checkboxes, and more. Don’t be on this list, and don’t do things that are on this list!
SocketLabs’ Brian Godiksen and Campaign Monitor’s Travis Hazlewood joined forces in this excellent blog post to explain what can go wrong when you use a subdomain (under a domain you don’t own) to send mail. Example? Some registrars offer up this goofy thing where you can buy a “domain” “under” uk.com, like spamresource.uk.com. Neat idea, except it’s really just a subdomain. And the domain uk.com has a poor reputation at Gmail, making it kind of hard to get email delivered to the inbox reliably, if I use a uk.com subdomain as my sending domain. So as to not totally steal their thunder, I’ll make you click on through to get their thoughts on what to do instead, and how to measure risk with regard to your choice of TLD (top level domain). This is one you need to read before you buy a new domain name to use for email!
Do you use any of the Spamhaus blocking lists (DNSBLs) to protect yourself from inbound spam and email threats? If so, you’re not alone. The Spamhaus data is quite popular and used by many ISPs as a front door gatekeeper for IP (and domain) reputation. If you do use any of Spamhaus’s DNSBLs, though, make sure you’re not doing it via a public DNS resolver or via any DNS server that is attempting a high volume of queries against Spamhaus without being registered with them. If you do, you risk the queries triggering blocks simply due to the sheer volume of DNS traffic Spamhaus is receiving. Meaning you’ll end up blocking mail that wasn’t spam and that you probably didn’t mean to block. Here’s how to catch that. Look in your server’s mail log for response codes or response text from Spamhaus queries. For text responses, look for things like “Error: open…
If you subscribe to Spam Resource via email, thank you! No matter how you choose to consume this content, I appreciate you. But the email subscribers are helping me keep my skills sharp, allowing me to build and run my own mailing list manager software, and write my own automation to send out the actual posts as email messages, from my own server. For you email subscribers, you’re going to see some changes here shortly. This will be the last “old style” of email that Spam Resource sends out. Instead of emailing you every post, my friendly helper robot will send you a summary, every Monday morning, of all the posts from the past week. There will still be the occasional “breaking news” email when I hear of an ISP or spam filtering system being down, or when a major email service provider acquisition occurs, but barring that, Spam Resource will disturb…