Much analysis and guidance has been written about the new requirements (and significant penalties) imposed on senders of unsolicited e-mail by the Canadian Anti-Spam Law set to go into effect in the fall. What seems less thoroughly addressed to my non-lawyerly eyes is what specific liability is created by violations of CASL upon the ESP used by their clients to transmit the infringing commercial electronic message (CEM).
Author Archives: hey4ndr3w
Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.
The new tabbed Gmail interface and the new ads that come with it have ruffled the feathers of many marketers and senders for a variety of reasons. In the course of the discussion of those reasons arises an interesting question: are the new ads subject to CAN SPAM requirements?
Possibly: they are presented in the inbox in a manner that very much resembles all of the other e-mail messages you’d expect to find there. Recipients can interact with the ads using the same Gmail interface metaphors as any other e-mail message received in Gmail. Viewers can even forward, “Star” and dismiss the new ads.
Possibly not: they are not actually e-mail messages – they’re web-based advertisements formatted and presented in such a way as to closely resemble actual e-mail messages, but are otherwise very much like the ones Gmail users are accustomed to seeing to the right and above the inbox. There’s even some evidence to suggest that the new ads employ the same engine as the ordinary Gmail display ads to select and present those that Google deems a viewer is most likely to click.
In my time consulting for senders on deliverability issues, I’ve heard more than a few clients try to explain to me why inactive recipients are never really a problem – until there’s a problem.
Starting July 15th, there is going to be a problem.
In August, Google announced that it was testing a new feature that would include search results from a user’s own Gmail account on search results pages. (If you want to see it in action on your own mail box, Google is still accepting users in the field trial.) Participants will now see results from their Gmail account appear in a separate column on the right side of the results page, like this:
This is a remarkable opportunity for e-mail marketers for a pair of reasons. First, it can extend the shelf-life of their messaging indefinitely. Even if the recipient failed to interact with the message at the time it was received, the message can re-appear before their eyes when they perform Google searches on related content. Second, senders now may have valuable additional opportunities to re-engage with their subscribers without actually sending more mail.
Laura and Steve Atkins over at Word to the Wise have been providing invaluable education to senders and deliverability people alike — and all for free — on the WTTW blog for five years now. She recently posted an article that really hit home:
Delivery experts are about risk management. They are the parents requiring everyone in the car wear seat belts, even though the driver has never had an accident. They are the fire department enforcing fire codes, even though it’s the rainy season.
The rest of the article is even better.
If you’re having trouble getting mail to the inbox, or have customers who do, have a look and pass it along.
My long time friend and colleague Kelly Molloy of Return Path recently posted some observations on her Facebook timeline regarding some opt-in mail she recently received from a well-known brand. She’s given me permission to repost them here:
“Starwood Hotels and Resorts wants you to make the most of the Starwood experience. That’s why you’ll soon be receiving exclusive emails from us, featuring special offers and preferred rates at over 850 hotels and resorts worldwide.”
I don’t actually care about 850 hotels and resorts worldwide. I care about, like, three or four. But I can’t narrow my choices, and special offers for 850 hotels sounds like more mail than I want, so I’ll unsub. If you had given me a choice, I would have chosen the locations I want to know about.
I doubt Kelly believes she would have received mail from each of 850 Starwood properties, and I don’t think Starwood had actually intended to do that. But Kelly makes a good point in a humorous way. Starwood surely can get to the data about which properties its repeat customers usually stay at and how often. They should have used that information to finely target offers to the recipients that are most likely to engage with them.
Plastering an opt-in list with generic offers that aren’t tailored to anyone is not just a wasted opportunity, it actually causes recipients to revoke hard-won permission to send (or worse, to report permissioned e-mail as spam).
The first few words of the mail are quite telling: “Starwood wants.” Starwood would be better served by considering their recipients’ wants instead. And, of course, so would their customers.
Twitter lit up earlier today with news that The New York Times subscriber list must have been hacked. It seems a few million folks received messages purporting to be from the Grey Lady, advising that their subscription had been cancelled per the recipients’ instruction, and asking them to reconsider.
News that the message had originated from Epsilon Interactive, who earlier this year were themselves a target of a now-infamous ESP breach, seemed to confirm the assumption that hackers had sent the message.
I’m a current subscriber and received my own copy of the message, so I had an opportunity to inspect the headers. The message seems to authenticate correctly; SPF designates the sending IP (which belongs to Epsilon) as a permitted sender on behalf of email.newyorktimes.com. The DKIM signature seems to have some formatting issues, and Gmail renders a “neutral” opinion on its authenticity.
I think it’s safe to conclude that the mail did indeed come from Epsilon; the question is whether NYT’s account at Epsilon had been breached, or if the message was sent in error by an authorized user of the Epsilon account.
Word comes now from NYT that it’s the latter case – a NYT employee sent the message to over 8-million recipients in error; it was intended for only about 800 recipients. I’m guessing that the employee ticked the wrong box in Epsilon’s customer application, and selected one or more incorrect segments of their lists to receive the message.
The mistake is easy enough to understand and forgive, but it has to have been an awfully expensive one nonetheless. Recipients already on edge following the well publicized breaches were quick to assume the worst, and quicker to share those assumptions on Twitter. I am sure a significant number of recipients marked the message as spam, which will likely have a measurable impact on sender reputation, thereby hampering deliverability of future sends. Also, sending eight million messages is a lot more expensive than sending 800. The Times also sent a follow-up notification to recipients selected in error, essentially doubling the cost of the initial mistake. And it appears that the Times’ inbound call center was swamped with inquiries, which itself carries measurable cost.
There are probably a few lessons to be drawn from the incident. The one that springs quickest to my mind is, “Aim carefully.”
Edit: Headers included below, for the edification of various interested parties:
<pre>
Delivered-To: firstname.lastname@example.org
Received: by 10.204.68.75 with SMTP id u11cs308277bki;
        Wed, 28 Dec 2011 10:14:50 -0800 (PST)
Received: by 10.50.17.195 with SMTP id q3mr36902675igd.11.1325096088086;
        Wed, 28 Dec 2011 10:14:48 -0800 (PST)
Return-Path: <email@example.com>
Received: from dmx1.bfi0.com (dmailer0121.dmx1.bfi0.com. [22.214.171.124])
        by mx.google.com with ESMTP id en3si23815262igc.11.2011.12.28.10.14.47;
        Wed, 28 Dec 2011 10:14:48 -0800 (PST)
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 126.96.36.199 as permitted sender) client-ip=188.8.131.52;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of email@example.com designates 184.108.40.206 as permitted sender) firstname.lastname@example.org; dkim=neutral (bad format) email@example.com
Return-Path: <firstname.lastname@example.org>
DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei;
        c=simple/simple; q=dns/txt; email@example.com; t=1325096067;
        h=From:Subject:Date:To:MIME-Version:Content-Type;
        bh=eAJBhggz56bI1iAGtnD6v787ib8=;
        b=XtriQSLHzmhMsaITYZDGYIS3VRsGlWGjP/3aELRkLaOawj6tlMWioBwo5yok6ipT
        rK73yfllp2Mk/NjAw4VBEOJtaRSwwhmGQOQKRp7rhi4aVtqXq5N8OJAExKKiH7pd
        GOJHgOIlmc42UkaqzlyQwJ/Zdppkp+coxwtB+Rwyt0Q=;
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
        s=ei; d=email.newyorktimes.com;
        h=List-Unsubscribe:Received:Reply-To:Bounces_to:Message-ID:X-SS:X-BFI:Date:From:Subject:To:MIME-Version:Content-Type;
        b=aVU70NLC7DPVnsy+oTRKCWYM8JFro8ZQ4q1rx4bKKIISSiLhLuq4lMayMhnZrKJN
        DTBukp3y6+dCQIv7VZgu1tXJ5BkcwQXZAuhBV2QH1RjaHiucsKuPX470y8Ybc25E
        76S+SiSLDknfSKurAlEJcmAQZyrx6f1WUvfVNcy3gUc=
List-Unsubscribe: <mailto:firstname.lastname@example.org?subject=unsubscribe>
Received: from [10.150.20.107] ([10.150.20.107:56117] helo=dlspvhcimailer7)
        by dmx1.bfi0.com (envelope-from <email@example.com>)
        (ecelerity 220.127.116.11 r(34222M)) with ESMTP
        id DD/83-28890-38C5BFE4; Wed, 28 Dec 2011 13:14:27 -0500
Reply-To: =?iso-8859-1?B?Im5vLXJlcGx5Ig==?= <firstname.lastname@example.org>
Bounces_to: email@example.com
</pre>
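The header inspection described in this post can be scripted. The following is an added example, not part of the original post: it reads the receiver's `Authentication-Results` verdicts and the `DKIM-Signature` tags and lists what deserves a second look. The sample message is constructed from values quoted in the post (`d=email.newyorktimes.com`, `s=ei`, `a=rsa-sha1`, `dkim=neutral`), with placeholder addresses, IP and hashes; the function names are chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: tag values follow the headers quoted in the post;
# the addresses, the IP (192.0.2.10) and bh=/b= are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
 bounce@email.newyorktimes.com designates 192.0.2.10 as permitted sender)
 smtp.mail=bounce@email.newyorktimes.com; dkim=neutral (bad format)
 header.i=@email.newyorktimes.com
DKIM-Signature: v=1; a=rsa-sha1; d=email.newyorktimes.com; s=ei;
 c=simple/simple; q=dns/txt; h=From:Subject:Date:To:MIME-Version:Content-Type;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: "Constructed Sender" <sender@email.newyorktimes.com>

body
"""

def auth_results(msg):
    """Return {method: result} from the Authentication-Results header."""
    raw = " ".join((msg.get("Authentication-Results") or "").split())
    raw = re.sub(r"\([^()]*\)", "", raw)        # drop parenthesised comments
    verdicts = {}
    for part in raw.split(";")[1:]:             # element 0 is the authserv-id
        m = re.match(r"\s*([\w.-]+)\s*=\s*(\w+)", part)
        if m:
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts

def dkim_tags(msg):
    """Split the (unfolded) DKIM-Signature header into tag=value pairs."""
    raw = "".join((msg.get("DKIM-Signature") or "").split())
    return dict(t.split("=", 1) for t in raw.split(";") if "=" in t)

def triage(text):
    """Return (verdicts, notes) for one raw message."""
    msg = message_from_string(text)
    verdicts, tags = auth_results(msg), dkim_tags(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    checks = [
        (verdicts.get("spf") != "pass", "SPF did not pass"),
        (verdicts.get("dkim") != "pass", "DKIM result is " + verdicts.get("dkim", "absent")),
        (bool(d) and from_domain != d and not from_domain.endswith("." + d),
         f"DKIM d={d} is not aligned with From domain {from_domain}"),
        (tags.get("a", "").endswith("sha1"), "signature uses SHA-1 (deprecated by RFC 8301)"),
    ]
    return verdicts, [note for failed, note in checks if failed]
```

As in the post, a passing SPF result only shows that the sending IP is authorised for the envelope domain; it cannot distinguish a compromised account from an authorised user's mistake.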
You might have thought that a large, e-commerce-centric company like Pro Commerce, Inc. – owners of well-known brands like ProFlowers and Red Envelope – would know better than to send e-mail with deceptive subject lines, a clear and blatant violation of the CAN SPAM Act.
You’d have thought wrong.
I received the solicitation below with the subject line, “Flower Delivery Notice Failure.” I immediately assumed the message was a phish, possibly sent with data obtained in one of the recent ESP breaches. After all, I do have a Pro Flowers account, but I haven’t purchased from them in a few months.
But the message is signed with a valid DKIM signature and is authenticated with SPF, and both point at network assets under Pro Commerce’s control. They are not using an ESP; the mail came from their own servers, hosted in Cogent IP space.
Maybe they should consider using an ESP. They obviously could use a little help. I realize that businesses of every size are under enormous pressure to make their Q4 revenue numbers, but this is not the way to do it.
The Messaging Anti-Abuse Working Group today has published its Best Common Practices document for E-mail Service Providers to use in vetting prospective customers. MAAWG is the foremost professional association in my industry, bringing together some of the best minds and well-known companies in the space to develop and promulgate strategies and policies designed to combat abuse of messaging networks (including, of course, e-mail). The practices detailed in the document should provide a much-needed benchmark among senders of high volume e-mail who are serious about curtailing abuse of their own networks, as well as those of their recipients.
Careful vetting of prospective clients isn’t just good for fighting abuse; it also makes good business sense for ESPs. Whenever an ESP brings on a new client, the ESP assumes a significant amount of risk. As the document explains, ESPs “are at the mercy of their worst clients’ worst practices.” Bad clients create reputational problems for themselves and for their own mail, and can damage the reputation (and therefore the deliverability) of all of the ESP’s other clients, as well as for the ESP itself. More than one large ESP has made itself a pariah within the industry by paying scant attention to the types of customers to whom they’d sold their services.
The existence of the document underscores an important industry truth that has been long understood, but to my mind has been historically under-emphasized: it’s never enough for ESPs to kill the spammers that appear on their networks. We must expend at least as much effort to ensure that we’re not giving birth to new spammers in the first place. After all, it makes little sense to keep bailing water out of the boat without troubling to plug any of the leaks.
And the document has lots of practical advice for the plugging of leaks that can be implemented right away. It contains a questionnaire that ESPs can copy and paste as-is for vetting new, high touch clients during a pre-sales cycle, and includes important advice for the monitoring of existing clients once they’ve successfully completed the on-boarding process. I’m very pleased to be able to report that my own employer, North Carolina-based iContact Corporation, has implemented the questionnaire to vet large managed customers, and is developing sophisticated tools that can automate the on-going vetting of existing customers who make use of our popular self-service options. We’re proof that the policies and recommendations contained in the document can be implemented to useful effect in a high-volume production environment.
I think it’s a pretty good document. If you work for an ESP, or for an agency that partners with an ESP, you should check it out.
On a more personal note, the adoption of the document represents a notable professional accomplishment. I’ve been shepherding the BCP for the last eight months, over two major rewrites and any number of less invasive drafts, and I’m very proud to have played a useful role in what I think has been an important collaborative effort among my professional peers. I sincerely believe that all of the folks who contributed so much of their time and expertise to the effort have much to be proud of here.