Cloudmark Blog

Intelligence Briefings from the War on Spam


Archive for December 2009

New Year’s Resolutions

As the holiday season comes to an end and the beginning of a new decade dawns upon us, thoughts turn to that age old tradition – the New Year’s Resolution. Here at Cloudmark, we’ll resolve to identify more spam in 2010. Nothing too ground-breaking there but it is what we do best. If you’re struggling to think of some resolutions for 2010, we’ve come up with a list of some possible suggestions, to suit senders of all shapes and sizes.

Authenticate

If you aren’t signing your mails with DKIM (DomainKeys Identified Mail) yet, make 2010 the year that you start! Whilst DKIM alone won’t help improve your deliverability, if you have other good sending practices, you should be able to take advantage of your good reputation.

If you aren’t too sure about what the various flags mean, J.D. Falk recently posted a quick guide which should get you up to speed.

Additionally, if you publish SPF (Sender Policy Framework) records for a sending domain or hostname, consider being more specific about where your mail might be sent from. Stating that mail will come from a handful of servers makes the record much more useful to receivers than blanket coverage of every IP address that your email or Internet service provider has.
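One way to see the difference between a blanket record and a specific one is to measure how much IPv4 space an SPF record actually authorizes. The parser below is an added example, not Cloudmark's code; the record strings and the 256-address threshold in is_specific are constructed assumptions, and include:/a/mx terms are only listed, not resolved, so it runs offline.

```python
import ipaddress
import re


def spf_ipv4_scope(record: str) -> dict:
    """Parse an SPF TXT record and tally the IPv4 space its ip4: terms
    authorize directly. Terms that need DNS (include:, a, mx, exists:,
    redirect=) are collected under 'unresolved' rather than expanded."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    scope = {"ip4_addresses": 0, "ip4_networks": [], "unresolved": [], "all": None}
    for term in record.split()[1:]:
        qualifier = ""
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)  # bare IP -> /32
            scope["ip4_networks"].append(str(net))
            scope["ip4_addresses"] += net.num_addresses
        elif term.lower() == "all":
            scope["all"] = qualifier or "+"
        elif re.match(r"(include:|a\b|mx\b|exists:|redirect=)", term, re.I):
            scope["unresolved"].append(term)
    return scope


def is_specific(record: str, max_addresses: int = 256) -> bool:
    """True when the record names a bounded set of senders and ends with
    -all or ~all. The 256-address ceiling is an assumed, tunable threshold."""
    scope = spf_ipv4_scope(record)
    return scope["ip4_addresses"] <= max_addresses and scope["all"] in ("-", "~")


# Constructed records: a handful of named servers versus a provider's whole /16
SPECIFIC_RECORD = "v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all"
BLANKET_RECORD = "v=spf1 ip4:198.51.0.0/16 include:_spf.isp.example ~all"

if __name__ == "__main__":
    for rec in (SPECIFIC_RECORD, BLANKET_RECORD):
        s = spf_ipv4_scope(rec)
        print(rec, "->", s["ip4_addresses"], "addresses, specific:", is_specific(rec))
```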

De-clutter the Inbox

Even when recipients are receiving newsletters that they want, sometimes the volumes they receive can overwhelm and lead to unsubscribes, or worse, the spam button. If you’re sending more than one newsletter to a recipient per week, consider if that really is the best policy; you should definitely be giving them the option to define how often they receive your mails in this case.

Go truly Opt-In

Are you still making new subscribers un-tick the checkbox on your signup forms? You really, really shouldn’t be. If your signup form has the checkbox pre-ticked and you make them un-tick it in order not to receive your newsletter, this makes your list an opt-out one, not an opt-in one. This is not best practice. Christine Borgia has a good example of this topic and goes on further to talk about engagement on the AOL postmaster blog.

While we’re at it, make sure that the accompanying text that explains what happens if the checkbox is ticked or not is written in simple and plain language. You don’t want to confuse them into signing up for, or out of, your list by accident, after all.

Reply and Exist

Please do not reply using this e-mail address. If you have any problems or questions regarding this survey, you can click here

Please do not reply directly to this email as no-one will respond. If you wish to contact [sender], please do so via the ‘contact us’ section of our website

We’ve all seen mails containing sentences such as these. The intent behind them has some validity; you don’t want your mailboxes to fill up with lots of queries and it is more efficient to channel recipients through your already established processes. Just think about this for a moment though, if you don’t want to get mails from your recipients, why are they going to want to get mails from you? Beware the perils of getting this really wrong!

Promote the Unsubscribe Link

Unsubscribes are not what you want but they are a lot better than getting the spam button treatment. If the recipient doesn’t want your mail anymore they probably won’t want to scroll all the way to the bottom of your mail. Make it easier for them to unsubscribe from your list than to hit that spam button, which could have knock on effects for your reputation. It isn’t a particularly new concept either.

Be Transparent

If you use shortened domains, either for the reverse DNS of your IP allocations or for links within your content, make it easier to spot and more obvious that those are yours. Consider directing HTTP requests to those domains to your own website, perhaps a specific set of pages that outlines exactly what these domains are used for.

Whilst we’re on a transparency trip, step out from behind that domain whois proxy service. If you are a legitimate business then there is no reason to be hiding your details behind one of these services, intended more for private individuals. Laura at Word to the Wise has commented on this same topic as part of her That's What Spammers Do series.

Hopefully there is at least one resolution for you in there to stick by. Above all, just resolve not to engage in practices that make it hard to distinguish you from a spammer; oh, and try not to break it before the end of January, OK?

Happy New Year!

2009 Spam Highlights

As the end of the year draws near, we wanted to highlight some of the spam methodology and attacks Cloudmark observed over the past year.

Snowshoe/hailstorm attacks:

Snowshoe spam is a campaign which is distributed across multiple IP addresses within a /24 netblock (256 IP addresses) and migrates through large portions of a /16 (65,536 IP addresses). These campaigns commonly feature hashbuster text within the body of the messages, rotating domains in the call to action, and/or random word combinations in rDNS.

A hailstorm attack is a snowshoe campaign across smaller netblocks (/25 and /27 observed, not always contiguous), mailing over a shorter duration (under one minute, usually within seconds) with simultaneous connections. Typically, spammers engage in snowshoe and hailstorm attacks to evade DNSbls and other IP address and volume based spam filters.

Over the past 30 days, over 60% of the IP addresses sending new snowshoe spam campaigns to the Cloudmark Global Threat Network were located in Romania. IP addresses in the United States were responsible for almost 27% of snowshoe campaigns.
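The two patterns above differ mainly in how many senders share a netblock and how quickly the burst finishes, which makes them detectable from connection logs alone. The classifier below is an added example, not Cloudmark's filter: it buckets events by campaign and /24, then labels a bucket snowshoe when many distinct IPs take part, and hailstorm when that same spread completes inside a minute. The sample events and the eight-IP threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SNOWSHOE_MIN_IPS = 8        # assumed: distinct senders in one /24 for one campaign
HAILSTORM_MAX_SECONDS = 60  # hailstorm bursts complete in under a minute


def classify_campaigns(events, min_ips=SNOWSHOE_MIN_IPS, burst=HAILSTORM_MAX_SECONDS):
    """events: iterable of (epoch_seconds, sender_ip, campaign_id).
    Returns {(campaign_id, '/24'): {'ips': n, 'span': seconds, 'label': str}}."""
    buckets = defaultdict(lambda: {"ips": set(), "first": None, "last": None})
    for ts, ip, campaign in events:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        b = buckets[(campaign, str(net))]
        b["ips"].add(ip)
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    result = {}
    for key, b in buckets.items():
        n, span = len(b["ips"]), b["last"] - b["first"]
        if n < min_ips:
            label = "normal"        # a single server or a small cluster
        elif span <= burst:
            label = "hailstorm"     # many IPs, all within seconds
        else:
            label = "snowshoe"      # many IPs, spread over a longer window
        result[key] = {"ips": n, "span": span, "label": label}
    return result


# Constructed sample log: campaign A drips across a /24 for an hour (snowshoe),
# campaign B fires from 10 hosts inside a /27 within 20 seconds (hailstorm),
# campaign C is one ordinary server sending a few messages.
BASE = 1_259_625_600  # 1 December 2009 00:00 UTC, chosen to match the period discussed
SAMPLE_EVENTS = (
    [(BASE + i * 300, f"198.51.100.{10 + i}", "A") for i in range(12)]
    + [(BASE + i * 2, f"203.0.113.{32 + i}", "B") for i in range(10)]
    + [(BASE + i * 60, "192.0.2.5", "C") for i in range(3)]
)

if __name__ == "__main__":
    for key, info in sorted(classify_campaigns(SAMPLE_EVENTS).items()):
        print(key, info)
```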


Botnet driven spam:

We have observed a significant amount of spam originating from the Cutwail botnet leading to installers for Zeus/Zbot. Recently, messages telling recipients to register in the CDC’s H1N1 program have been observed.

URL obfuscation:

Although URL obfuscation is nothing new, we continue to see it used by spammers to evade spam filters and trick the recipient. Some of the obfuscation methods we observed included the use of hex, octal, and HTML numeric and character entity encoding in URLs, the use of extra characters in href tags, and the use of style tags within the domain of the call to action.

Example of HTML numeric entity encoding:

<a href="http://ffq&#8211;bz.d107ptsn&#178;01.com/ ">Click here</a>

&#8211; is an en dash:  –

&#178; is a superscript two:  ²

HTML numeric and character entity encoding are decoded and successfully rendered by many mail clients and browsers. In the example above, the domain is ffq–bz.d107ptsn²01.com.

Example of the use of style tags within the domain:

  • http://<STYLE>Uqbysa for varykuto Qzufyce jzy</STYLE>fairsha<STYLE>Aziw for suilto Yhaxjnary lygavun</STYLE>pe.com

In a mail client (such as Outlook) or a webmail client, the recipient would only see http://fairshape.com. However, it would be a non-clickable link, so the recipient would need to copy and paste the URL into the web browser.
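A filter that compares links against a domain list needs to see the same URL the recipient's client renders. The normaliser below is an added example, not Cloudmark's code: it strips STYLE blocks and other tags, decodes HTML numeric and character entities and percent-encoding, and reports which tricks were present as features. The two samples are reconstructed from the examples above.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed samples mirroring the two obfuscation forms discussed above
ENTITY_SAMPLE = '<a href="http://ffq&#8211;bz.d107ptsn&#178;01.com/ ">Click here</a>'
STYLE_SAMPLE = ("http://<STYLE>Uqbysa for varykuto Qzufyce jzy</STYLE>fairsha"
                "<STYLE>Aziw for suilto Yhaxjnary lygavun</STYLE>pe.com")

_TAG_RE = re.compile(r"<style\b[^>]*>.*?</style\s*>|<[^>]+>", re.I | re.S)
_HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)


def hrefs(html_fragment):
    """Raw href values from anchor tags, before any decoding."""
    return _HREF_RE.findall(html_fragment)


def normalize_url(raw):
    """Undo what a mail client would silently render through: remove
    <STYLE>...</STYLE> blocks and other tags, decode entities and %XX."""
    url = _TAG_RE.sub("", raw)
    url = html.unescape(url)
    url = unquote(url)
    return url.strip()


def extract_host(raw):
    """The host the recipient actually lands on, lower-cased for list lookups."""
    url = normalize_url(raw)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def obfuscation_signals(raw):
    """Which tricks were present; useful as filter features in their own right."""
    signals = []
    if re.search(r"<[a-z]", raw, re.I):
        signals.append("embedded-tag")
    if re.search(r"&#?\w+;", raw):
        signals.append("html-entity")
    if re.search(r"%[0-9a-f]{2}", raw, re.I):
        signals.append("percent-encoding")
    return signals
```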

We have also observed spam containing Google properties (e.g., groups.google.com, docs.google.com, writely.google.com), spaces.live.com, and many other places hosting user-generated content as the call-to-action URL ultimately serving up landing pages advertising online pharmacies. These online pharmacy landing pages are hosted off of the same IP addresses as domains advertised in wavy image spam.


Perfectly innocent websites are being compromised as well and are being used to host spam content (usually redirectors leading to online pharmacy landing sites). These web pages are appearing as the call to action in spam, and unfortunately, due to the high number of insecure websites, the spammers have a dynamic set of hosting resources to burn through.

We also observed an increase in economy related spam. The content varied from debt consolidation services to work at home scams.


One of the most egregious work at home scams advertised through email, Facebook, and Twitter spam was the Google work at home scam. The messages promoted a free kit for recipients to make money through Google. Unfortunately, recipients were required to provide their credit card information to pay for a small shipping and handling fee. Subsequently, the recipients were charged a substantial recurring monthly fee, and most were unable to reverse or stop the charges. This scam has no legitimate ties to Google. In fact, Google recently filed suit in US District Court in Utah against Pacific Webworks, Inc. and John Does for violations of trademark, cyberpiracy, and consumer sales practices laws.

Jamie Tomasello discusses Deliverability

Jamie Tomasello, Abuse Operations Manager at Cloudmark, sits down with Chris Wheeler Director of Deliverability at Bronto, a leading email marketing service provider, to discuss tough questions on deliverability.

Will email become nonexistent in the face of new age media? Is seeking permission the most important act of email senders? What is an engaged recipient? These questions and more answered in the BrontoBlog.

http://blog.bronto.com/2009/12/18/deliverability-forum-cloudmark/

“NOT IT!”

Recently, Ken Magill posted an article entitled, Let’s Play the Email Blame Game. In this article, Robert Consoli, director of deliverability for ESP Silverpop was quoted as saying, “It’s very cyclical. Each [Christmas] shopping season, ISPs hunker down and tweak their filters to be more aggressive because they know they’re going to have a higher volume of e-mails coming in.”

I disagree with this statement. Speaking from a filtering point of view, we do not tweak our filters to be more aggressive merely because there is a higher volume of emails coming in during the holidays. Year round, we are constantly updating our filters and implementing new approaches to address mail which attempts to circumvent policies, filters, and blocklists. On the other hand, the holiday season is the time of year that ESPs and senders pull out mailing lists they haven’t touched since last year, blow the dust off of them, and try mailing to them in the hopes of garnering a few last-minute click-throughs. That behavior is likely to cause a lockdown on filters, as ISPs see an increase in bounces, attempts to deliver to old addresses, and complaints from users who, having not heard from you in a year, are no longer engaged.

Keeping your recipients engaged and your lists clean are year-round activities. If the only time you think of your recipients is the holiday season, don’t be surprised that they’re not thinking about you, either. Monitoring bounces and feedback loops, aging out unresponsive recipients, re-engaging jaded customers… these are basic list hygiene actions and should be performed year-round.

Lead, follow, or get out of the way.

Over the past decade, I have been hearing the same excuses, and I have not seen significant improvement in sender behavior. In fact, over the past 18 months, I have seen the clients of ESPs get away with murder. In the past, I have theorized that ESP clients are engaging in questionable/bad practices because of economic pressures, and ESPs allow these practices to continue due to the same pressures. Unfortunately, that is not acceptable. You cannot park in a No Parking Zone instead of paying for street parking without facing the consequences of a ticket or being towed. Other laws and regulations do not become more lax during hard economic times, the holidays, or at the end of the year, so why should there be an exception in email?

This past year, Cloudmark has been conducting ESP outreach to promote open and transparent communication between ESPs and anti-spam vendors/receivers. We understand the senders’ role in the email ecosystem. Although it is important to block and filter spam from being delivered to the inbox, it is just as important to allow permissioned, legitimate, wanted email to be delivered to the awaiting recipient.

However, if senders engage in practices which abuse the recipient (e.g., lack of explicit permission, lack of relevancy, excessive frequency) and/or abuse the receiver (e.g., circumventing filters, obfuscating identity, rotating IP space), it is the responsibility of the entire email ecosystem to take action to preserve email as a viable channel of communication. Historically, anti-spam vendors, receivers, and recipients have been bearing the load and addressing these issues. It is time for ESPs and senders to do the same. ESPs, if you are serious about reducing abusive messages being sent through you as well as preventing your company (reputation, account managers, deliverability folks, etc) and industry from being abused, then I am willing to help and provide as much input and insight as I can. However, if it is just lip-service, I cannot help you unless you are willing to help yourselves.

The CDC wants you… maybe.

The Zeus botnet is making another attempt at stealing your personal information this week. Starting early in the morning on 1 December 2009, email messages began going out telling recipients that they need to register themselves in the CDC’s H1N1 program. Messages with subject lines like “Create your personal Vaccination Profile” and “Governmental registration program on the H1N1 vaccination” are enticing recipients to visit a webpage proudly displaying the Center for Disease Control logo, from which they can download their “H1N1 Vaccine Profile Archive”. The ‘archive’ is, in reality, the installer program for the Zeus bot, which will place a keylogger on your machine and try to steal your personal data.

Most anti-virus vendors have signature updates that will mark this installer as malware, so one way to protect yourself is to make sure that your A/V software is up to date. All of the fake CDC URLs we visited were detected as forgeries by the newest versions of Firefox, as well.

Permission.

It seems like a simple and basic concept of email marketing. Get permission from the intended recipient before sending. Confirm permission. Maintain records of when, where, and how you got permission. Engage the recipient with your mailings to compel them to purchase your product/service. Nurture your relationship with your customers and grow them into a loyal evangelist.

Instead of following these basic tenets of email marketing, I am seeing marketers (clients of ESPs) engaging in practices which are questionable at best.

They rent or purchase lists of email addresses, obtain addresses through co-registration programs in which users did not expect their email addresses to be indiscriminately distributed, and acquire addresses from email appending vendors through fuzzy logic matching.

In any of the situations above, did the recipient give undeniable permission to you, the sender? Just because you acquire an email address does not mean you have the right to send to it.

ESPs, you are not off the hook. You need to require permission practices of your clients, or you need to reconsider your relationship with these clients. Is what the client is paying you enough to cover the cost of resolving deliverability issues and the damage to the reputation of your IP addresses and the reputation of your company?

- Having clients who do not know the provenance of the email addresses in their mailing lists should not be acceptable.
- “Inadvertently” mailing to a suppression list should not be acceptable.
- Having clients who also send through another ESP and do not remove invalids or respect unsubscribes should not be acceptable.
- Providing the excuse of “But, my client is a large and recognizable brand!” for a client’s bad practices should not be acceptable.

ESPs who require and enforce best permission practices should be applying peer and industry pressure within the ESP community to adopt these policies. Ultimately, ESPs need to take responsibility for their clients’ practices. If you are aware that your clients are engaging in questionable or bad practices, address those issues before contacting an ISP or anti-spam vendor to resolve the issue.