Spam Resource
Brian Krebs posted his usual “Patch Tuesday” update for Fat Tuesday (yesterday, February 13th) and listed in there was a doozy, an email-client-specific bug that I almost missed: “CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.” Brian points out today: “Microsoft has updated its security advisory for [this] critical Outlook bug they patched on Tuesday: They’re now saying it’s under active attack.” Not good. Be safe, and make sure you’re up to date with the latest versions and all security patches!
Mickey Chandler and I go way back. He’s been working in the realms of email deliverability, policy, abuse prevention, and more for the entire time I’ve known him. Way back in the day, we both spent a brief stint working for the Mail Abuse Prevention System, one of the first big blocklist spam filterers out there. Later, he worked for and then with me at ExactTarget, later to become Salesforce Marketing Cloud, working very hard to keep clients on the right side of legal and best practice requirements. His most recent experience even overlaps with the world of mobile messaging abuse prevention. And he’s looking for a job. Are you hiring? You can find his LinkedIn profile here: https://www.linkedin.com/in/mickeychandler/ Mickey, thank you for taking the time to talk to me today! Can you tell me how you came to get started in the email industry? Like many others, I fell
CheckMyLink (at https://www.checkmylink.gr/) is a cool tool I stumbled across the other day that lets you check domain names and URLs that might be malicious. I wasn’t quite sure of the scope or exactly what they’re checking, so I reached out to my friend, Sarah Papadopoulou, who happens to be the person who runs this useful checker, which has been created along with Scamadviser.com. Here’s what she had to say about CheckMyLink: “Along with members of the anti-scam community we built and support an anti-scam online checking system for domain names / urls, to protect consumers! “CheckMyLink lets consumers quickly check a suspicious link they received via WhatsApp, WeChat, Facebook, email, or other social media. In combination with an annual marketing campaign CheckMyLink can “train” consumers to always first check a link before they click on it. “CheckMyLink is already live in several countries: United Kingdom: with GetSafeOnline and CIFAS
Email infrastructure vendor Halon is hiring! “The leader in email infrastructure for service providers” is looking to fill the role of Integrated Solutions Engineer II. That person should be coding savvy, a pro at all things Linux, and would assist in onboarding customers, in addition to providing support during installations and evaluations, building integrations and services, answering customer support questions, and more. Interested? Find more details and/or apply here.
I thought it would be fun to take a moment and look back at a prior webinar. This presentation that Tonya Gordon and I put together for Klaviyo users in early 2023 was one of the most popular webinars I put together for my then-employer. Klaviyo users seem to hunger to learn more about deliverability and best practices, and I think the guidance here is still accurate and will help put folks on a solid deliverability footing. In the webinar, Tonya and I break down the difference between delivery and deliverability, how to put your best deliverability foot forward (it starts with your authenticated domain name), how to measure and monitor for deliverability issues, and much, much more! Google and Yahoo’s new sender requirements had yet to be announced when we presented this webinar; thus we did not touch on them. Klaviyo has put together a Yahoo/Google compliance guide here; and
Just recently discovered in my own inbox: a notice from Google indicating that they’re going to require OAuth access for third party applications connecting to “Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.” Most modern apps support OAuth already, but there are a number of legacy tools out there that do not: anything where you might have configured an app password to link that third party functionality to your Google (Workspace) account. Starting June 15, 2024, Google will remove the “allow less secure access” and app password settings from the Google Workspace admin console. Currently configured apps and passwords should continue to work until September 30, 2024, at which time support for that functionality will be disabled for Google Workspace users. Read more details here. Does this affect you? Impact here likely isn’t broad, and certainly I’m a fan of better security. But I also do
It’s time to decode another deliverability acronym. Today, we’re going to tackle DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” It’s a bit of a mouthful, but it’s actually a relatively simple and good thing. This domain-level setting allows a domain owner to: tell receiving internet service providers (ISPs) and mailbox providers (MBPs) (think Gmail, Yahoo, Outlook.com and others) what to do with email messages sent to email users on their platforms that purport to be from your domain but fail authentication checks; protect your domain name by locking it down, setting a policy that says mailbox providers should not trust mail from your domain unless it authenticates properly; and instruct mailbox providers where to send reports that help summarize and monitor email authentication compliance. DMARC is implemented via a DNS text record. Learn more about that here. DMARC effectively requires correctly configured SPF (Sender Policy Framework) and/or
As part of their continuing efforts to lock down unrestricted public access to their reputation data, Spamhaus has announced that as of February 14, 2024, they’ll be blocking DNSBL queries made via Digital Ocean’s Cloud Server infrastructure. Read more about it here. This isn’t really a bad thing; those who want can still sign up for the free tier of “DQS” access from Spamhaus for small volume or hobbyist usage. Requiring registration for this (and using their unique subdomain-based process) reminds me a bit of email authentication: the goal is for Spamhaus to see you as you, not as just some random bits of data in the blob of all the requests coming from public servers. I’ve blogged about this before. So if you’re wondering how to safely query Spamhaus reputation data, read this and be informed. Email admins asleep at the wheel tend to wake up weeks
It all starts with a list of top domains. Top ten million, in this case. Of those, around 12% have published a DMARC record. Of those, which ones have a BIMI record in place? That’s what this data shows. That means it’s a percentage of a percentage of an arbitrary measure of “top domains.” But hey, we can still have fun with this sort-of-questionable data set, so let’s do that! BIMI logo adoption is growing in this data set. Perhaps not exploding like gangbusters, but it is still good to see it growing, from 1.26% of top domains up to 1.38%. Today, that’s nearly 17,000 domains (of that top 10 million) that have published a BIMI record. From June through December 2023, the rate at which BIMI-publishing domain owners also implemented a Verified Mark Certificate (VMC) rose from around 10% to around 14%.
Google’s Gmail might be the preeminent mailbox provider. Launched in 2004, Gmail has grown from the “new kid on the block” into one of the biggest hosts of individual email mailboxes in the world. Depending on what data you look at, you might even see Gmail as the #1 mailbox provider, at least here in the US. Gmail’s spam filtering systems incorporate user feedback and engagement. And they know what they’re doing. If you are not sending wanted mail to people who requested that mail and who read that mail at high enough percentages, you’re going to struggle. You won’t reliably get your mail to the inbox. Their systems are too good (their magic spam fighting robots look at metrics very closely), and their view of certain metrics can even change over time! What got you to the inbox in 2019 might not be good enough to get