Tag Archives: spam

Defusing Subscription Bombs

On Monday, August 15, people all over the world woke up to find their email inboxes stuffed with unwanted email, victims of an organized and relentless “subscription bombing” attack. This attack used a bot designed to find sign-up forms and enter thousands of email addresses on a site before moving on to the next one, where the process was repeated. Before the bot was through, each address ended up subscribed to hundreds of newsletters. The owners of the email addresses remained unaware of what had happened until they started receiving the emails. Faced with what appeared to be unsolicited emails, they did what many people would do in this situation: they flagged the mailings as spam, which sent the reputation scores for the attacked companies spiraling down.[1]

Most of the companies that were victims of this attack were respectable, legitimate companies whose only crime was that they made their newsletter sign-up processes too easy, also making it easy for attackers to enter false information. Many well-respected email senders suddenly were having trouble landing in the inbox and were getting relegated to junk status. Even the New York Times felt the effects of this attack.

The attacks started over the weekend, but because not everyone checks their mail services on Saturdays and Sundays, by Monday morning some accounts were packed with new, unwanted emails. In many cases, the volume of email was large enough to make it impossible to identify and separate the legitimate mailings from the junk. More diligent people took the time to try to unsubscribe from these emails, but as security expert Brian Krebs noted, “By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails.” For most people, the easiest solution was to select all the new email and either delete it or mark it as spam, which sent reputation scores spiraling. Suddenly, hundreds of a company’s mailings were being identified as spam, landing several legitimate companies on blacklists.

High-profile companies that use a single opt-in method without a verification test appeared to be the most at risk, but were by no means the only ones affected. Many of the sign-up email addresses ended in “.gov,” suggesting that the attack might have had a political motive behind it, a belief strengthened by the recent Russian hacker reports. Some people have speculated that it was simply the work of bored computer geeks out for kicks. Whatever the reason, it caused many legitimate companies to wind up being blacklisted.

No Easy Unsubscribe

The problem was exacerbated by the fact that, by its very structure, there’s no quick way to mass unsubscribe from several email subscriptions. It’s easy to select a dozen emails and either delete them or send them to the spam folder, because both of these actions occur within the mail reader. Unsubscribing is a little trickier. Each piece of email must be unsubscribed from separately. There’s no way to select a batch of emails and unsubscribe from them en masse because the unsubscribe information for each piece of email is going to a different place and is handled in a different fashion. Some require verification, others present a display of settings that need to be unchecked.

Some services, such as Gmail, Outlook.com, and the latest update to the iPhone’s Mail app, feature an unsubscribe button, but only when the unsubscribe link in the email leads to an automatic unsubscribe. Links with multiple choices, or multi-step unsubscribes, don’t show up. So when hundreds of emails arrive in the inbox at the same time, nobody (Brian Krebs notwithstanding) is going to go to the trouble of trying to unsubscribe separately from all those mailings. It is far easier to accomplish the same effect by selecting everything and deleting it, but since none of these emails were actually solicited, it is even more likely that people will use the spam button to show their dissatisfaction. When enough people do this, blacklisting services, such as SpamCop, Junk Email Filter, Barracuda, and especially Spamhaus, sit up and take notice.

Blacklists

How each of these blacklist services handles junk mail varies, with equally varied results in terms of effectiveness. The most well-known and commonly used blacklisting service is Spamhaus. When Spamhaus decides to put you on their “Spamhaus Block List” (SBL), you’ve got a serious problem. Everyone from Yahoo to McAfee, and Gmail (to some extent), uses the SBL data, so staying off this list is mandatory if you ever want your mailings to be read.

After this latest subscription attack, we saw several obviously legitimate news organizations end up on blacklists. Getting on this list is relatively easy. Getting off it often takes a concerted effort by your ESP or deliverability team. How difficult that process is will depend on several factors, such as past transgressions, as well as subjective considerations, such as the general impression of your site held by the people at the blacklist service (and not just Spamhaus either).

The Double Opt-In

Spamhaus has always maintained that the double opt-in (DOI—also known as the confirmed opt-in) will help prevent surreptitious sign-ups. Some services, such as MailChimp, now use double opt-ins exclusively (much to the dismay of their subscribers, if the questions on Quora and Reddit are any indication). But a DOI doesn’t solve the initial problem of bot sign-ups. Even Spamhaus acknowledges that a DOI does not automatically prevent your company from landing on their blacklist. The recipients will still receive that annoying first deluge of DOI verification mail, which, when thousands of addresses have been entered, is enough of a problem by itself. The double opt-in might keep the problem from compounding, though, which is certainly preferable to continuing to send emails to increasingly annoyed recipients.

For Canadian and European emails, where adequate verification of acknowledged sign-ups is required, the double opt-in is already the safest option. While most ESPs (Goolara included) let you decide what sort of opt-in procedure you want to implement, you should be aware that a single opt-in puts you in greater danger of malicious and erroneous sign-ups. If your site is popular enough to experience more than one or two sign-ups a day, you should consider switching to a double opt-in.

CAPTCHAs

Currently, Spamhaus recommends the use of a CAPTCHA as part of your sign-up process. A CAPTCHA requires an action by the user, such as solving an equation or identifying two words that are either distorted or partially obscured by a pattern. They are easy to implement and may be the only way to get your company off the SBL. The most common one is reCAPTCHA, which is provided by Google, but there are others on the market. We also recommend using a CAPTCHA, but this technology brings its own set of issues, which we’ll look at in more detail in our next blog post.

Worst Case Scenario

So what do you do if you’ve already fallen prey to an attack? Preventative maintenance is always the best course of action. Besides double opt-ins and the use of a CAPTCHA, a regular practice of looking at your report metrics and subscription sign-ups can alert you to potential problems before they get out of hand. Noticeable increases in the amount of email being greylisted or sent to the junk folders might be a warning sign of worse things to come. Sudden increases in sign-ups from “gov” sources can also indicate potential bot attacks, so you may want to segment out these mailings for closer examination. In most cases, though, these attacks are sudden and unexpected, and nothing you do once the attack starts will stop the problem from escalating.
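The monitoring described above, as an added example that is not Goolara’s own code: it reads a sign-up form log (constructed sample data) and flags an hour whose sign-up count is far above the recent per-hour average, reporting how concentrated the addresses are in one top-level domain and one client IP, which is the kind of signal a bot-driven subscription bomb leaves behind. The log format and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample, not real data: two quiet days, then 40 .gov
    addresses submitted within minutes from a single client IP."""
    lines = [
        "2016-08-13T09:12:00,alice@example.com,198.51.100.10",
        "2016-08-13T17:40:00,bob@example.net,198.51.100.11",
        "2016-08-14T08:05:00,carol@example.org,203.0.113.5",
        "2016-08-14T15:22:00,dave@example.com,203.0.113.6",
    ]
    start = datetime(2016, 8, 15, 3, 0, 0)
    for i in range(40):
        ts = (start + timedelta(seconds=7 * i)).isoformat()
        lines.append(f"{ts},user{i}@agency{i % 5}.example.gov,192.0.2.9")
    return "\n".join(lines)


def parse_log(text):
    """Each line is assumed to be: ISO timestamp,email,client_ip."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, email, ip = line.split(",")
            events.append((datetime.fromisoformat(ts), email.strip().lower(), ip))
    return events


def find_surges(events, lookback_hours=48, factor=10, min_count=20):
    """Flag hours with at least min_count sign-ups that are also at least
    `factor` times the per-hour average of the preceding lookback window."""
    by_hour = defaultdict(list)
    for ts, email, ip in events:
        by_hour[ts.replace(minute=0, second=0, microsecond=0)].append((email, ip))
    surges = []
    for hour in sorted(by_hour):
        window_start = hour - timedelta(hours=lookback_hours)
        prior = sum(len(v) for h, v in by_hour.items() if window_start <= h < hour)
        baseline = prior / lookback_hours  # average sign-ups per hour before this one
        count = len(by_hour[hour])
        if count >= min_count and count >= factor * baseline:
            tlds = Counter(e.rsplit(".", 1)[-1] for e, _ in by_hour[hour])
            ips = Counter(ip for _, ip in by_hour[hour])
            top_tld, tld_n = tlds.most_common(1)[0]
            top_ip, ip_n = ips.most_common(1)[0]
            surges.append({
                "hour": hour.isoformat(), "count": count,
                "baseline_per_hour": round(baseline, 3),
                "top_tld": top_tld, "top_tld_share": round(tld_n / count, 2),
                "top_ip": top_ip, "top_ip_share": round(ip_n / count, 2),
            })
    return surges


if __name__ == "__main__":
    for s in find_surges(parse_log(build_sample_log())):
        print(s)  # one surge: 40 sign-ups in the 03:00 hour, all .gov, one IP
```

A surge whose addresses are dominated by one top-level domain or one client is the batch to segment out and hold for confirmation rather than mail immediately.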

If you do end up on a blacklist, you should notify your ESP immediately and see what steps they can take to solve the problem. Some ESPs, such as Goolara, also offer deliverability services, and they can help you get your IP removed from the blacklist. Otherwise, you might want to seek the services of a professional deliverability expert. As long as you don’t have a history of sending to spam traps (which will normally only occur if you don’t keep your list up to date, or have a nasty habit of buying questionable lists), you should be okay.

Next time we’ll take a closer look at CAPTCHAs and other methods of sign-up verification.



1. The reputation score is how email services identify whether a mailing has any value. The higher your reputation score, the better your chances of ending up in the inbox. For more information on this, see our white paper Deliverability Enhanced.

Watch Out For Typos!

Here at Goolara we’ve been seeing a recent rise in a peculiar method of gathering and hijacking information. The basic mechanism isn’t new, but the fact that it’s being used with clickthroughs appears to be a new twist. It is based on exploiting mistyped email addresses by purchasing domain names that are either misspelled or have letters added or removed. You might, for instance, intend to send an email to someone at a Gmail address, but because you typed too quickly, it’s going to “gmial.com” instead; or maybe your finger hit two keys at once, and the mailing is sent to “gmailk.com.” In both cases, the domains are registered and your mail is actually being processed by these sites. To put it another way: That mail you accidentally sent to the wrong address is being received by someone who has intentionally chosen their domain name to take advantage of this mistake. Is that someone you really want to have any of your email data?

This technique, called typosquatting, has long been used to trick people into visiting sites (called domain doppelgangers) that look a lot like the sites they are imitating.[1] Most of it disappeared after laws were passed and some successful lawsuits were filed against these pretenders, but the legislation didn’t address the other part of the equation. The law can prevent them from mimicking an existing website, but anyone who has registered one of these domains still has the ability to receive any email sent to it. While a website could be construed as attempted fraud, simply receiving misaddressed email falls into a very gray area. Even this isn’t that new. These fake sites have always accepted email. The new twist is that they are now apparently clicking on the links in the email they receive.

The Man-in-the-MailBox

It’s hard to know the reasons for these clickthroughs. It’s possible that they are intended to keep the address active and deflect suspicion. Or it might be part of a more complex scheme, such as the “Man-in-the-MailBox” scam detailed in a report on domain doppelgangers put out in 2011 by Peter Kim and Garret Gee of the Godai Group. In that report, Kim and Gee explained how they set up 30 doppelganger accounts for various firms and received 120,000 e-mails in the six-month testing period. Acting as middlemen, they would pass on data to the correct address and then send the information back to the intended recipient. In this way, they accrued 20 GB of data that included everything from trade secrets to individual passwords.

It is also a method of verifying the links, which can be useful for ascertaining the value of each email address. This may seem like an inefficient way to collect addresses, but the evidence suggests that the processes here are handled primarily by bots, so minimal manpower is required. Like an army of ants, they achieve their goals methodically over time. If you intended, for instance, to send something to a specific address at Gmail, the typosquatter can now figure out the correct address without much difficulty and add it to their list. With the amount of email data passing through the Internet every hour, it is possible to build up a substantial list of names in no time.

Why It’s Important

You might be tempted to ask why this is important. After all, it’s only a few addresses here and there, but there are costs involved. Keep in mind that you’re paying for those addresses, and you’re paying for sending to those addresses. If you’re using an automated system to relay leads to your sales department, then clickthroughs from these sources can cause your sales staff to waste valuable time chasing down these imaginary leads and doing follow-ups that go nowhere.

It is also possible that some of these people are up to things far worse than merely collecting addresses. While many companies don’t accept email responses, some set up their mailings so that they send email replies to specific staff members. You don’t want to put your sales team in a situation where clicking on links from these sources—either accidentally or absentmindedly—leads to bigger problems. It is also worth remembering that these address mistakes simultaneously keep those subscribers from receiving your intended email while opening them up to receiving email from these questionable sources.

Protecting Yourself

As you might imagine, protecting yourself against this problem can be tricky. Checking for typos only goes so far, and when your mailing list includes thousands of names, it’s almost impossible to catch them all. In Symphonie, we’ve added logic to the process that identifies and blocks these domains when we encounter them, so you don’t have to worry about the most commonly mistyped addresses. This doesn’t mean you shouldn’t stay on your guard, though. Like rust, these scammers never sleep, and they are coming up with new naming variations all the time. Catching these people in the act is a responsibility we all share.
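One way to implement a near-miss check like the one described above (added example code, not Symphonie’s own logic): an address is held for review when its domain is one keystroke away from a domain you know to be legitimate (the transposition in “gmial.com”, the extra letter in “gmailk.com”) or has the same letters with the dots moved (the “yourcompanyc.om” doppelganger from the footnote). The known-domain list and the allow-list of legitimate look-alikes such as mail.com are assumptions the operator maintains.

```python
# Domains the operator has confirmed as legitimate destinations (assumption).
KNOWN_DOMAINS = ("gmail.com", "yahoo.com", "yourcompany.com")
# Real domains that happen to sit one edit away from a known one; without an
# allow-list like this the check would block them as typos (assumption).
ALLOWED_NEAR_MISSES = {"mail.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: the usual edit distance, except that
    swapping two adjacent characters (gmail -> gmial) costs one edit, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_address(email, known=KNOWN_DOMAINS, allowed=ALLOWED_NEAR_MISSES):
    """Return (verdict, domain): 'ok', or 'typo' / 'doppelganger' together with
    the legitimate domain the entered one appears to be a mistake for."""
    domain = email.strip().lower().rsplit("@", 1)[-1]
    if domain in known or domain in allowed:
        return ("ok", domain)
    for legit in known:
        # Same letters, dots added/removed/moved: yourcompanyc.om for yourcompany.com
        if domain.replace(".", "") == legit.replace(".", ""):
            return ("doppelganger", legit)
        # One keystroke away: gmial.com (swap), gmailk.com (extra key), gmai.com (missing)
        if osa_distance(domain, legit) <= 1:
            return ("typo", legit)
    return ("ok", domain)


if __name__ == "__main__":
    for addr in ("bob@gmial.com", "bob@gmailk.com", "sue@yourcompanyc.om",
                 "bob@mail.com", "bob@example.com"):
        print(addr, check_address(addr))
```

Addresses flagged as typo or doppelganger should be held back from the send list and routed for correction rather than mailed, since the mail would otherwise go to whoever registered the look-alike domain.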

Requiring a double opt-in will help somewhat. Since, in most cases, the email address is initially entered by the subscriber, getting them to verify it will eliminate a lot of the potential for typos. It won’t keep you from accidentally sending the verification email to an incorrect address, but it will help keep that address off your recipient list. The mistyped address still has the potential to end up on a scammer’s list, but at least you won’t be wasting your time and money sending mailings to it.



1. Technically, there is a difference between typosquatting and domain doppelgangers. Typosquatting means a domain that is similar to the intended domain but is misspelled, while a domain doppelganger will appear almost the same, but with periods either added, removed or misplaced (for instance yourcompanyc.om instead of yourcompany.com).

The Great Unsubscribe Myth


A few months back, computer maven David Pogue wrote an article about finally getting over the fear of clicking the “Unsubscribe” button. “[T]he rule, for 15 years, has been: Never respond. Don’t even try to unsubscribe,” he wrote. “…You’ll wind up getting put on even more spam lists as a result.”

Pogue is one of the smartest journalists in the technology field. The fact that he would think that responding to an unsubscribe link might cause you to get more email just goes to show how pervasive this myth is. And make no mistake about it: it is a myth.

Just to make it clear, I’m not talking about the obviously questionable messages that continue to fill our junk folders every day. There is no profit in sending any kind of message back to someone who is trying to sell you Viagra or nude pictures of Russian models. You shouldn’t respond to one of these any more than you should engage in conversation with the guy selling “Rolex” watches on the street. I’m talking about the email you receive as the result of some online action, be that purchasing a laptop or signing up to receive a whitepaper. Painting these emails with the same broad strokes does a disservice to them, and, in the era of the CAN-SPAM Act, is patently wrong.

The story started in the early days of email, when, every time you tried to unsubscribe from an email, twenty more unwanted emails showed up in your inbox. “Don’t ask to be removed from a junk-mail list,” wrote Amy Harmon in the New York Times back in 1998. “…Some of them may actually remove you. But many more appear to simply take the reply as confirmation that they can continue to reach you there.” Ms. Harmon doesn’t really explain what she means by “junk-mail list,” nor does she attempt to distinguish between legitimate business email (those ones that honored the request to be removed from a list, I suspect), and the spammers. Back then, unsubscribes were accomplished by replying with “unsubscribe” in the subject line. While there may be a few legitimate businesses that still handle unsubscribes in this fashion—although, frankly, I’d be suspicious of any that do—most email marketing today uses an unsubscribe link that takes you to a page where you can opt to stop receiving email from that source.

The different email marketing service providers handle unsubscribes in their own ways. Some require a double opt-out. As a rule, we don’t recommend this technique. A double opt-in is put in place to make sure the recipient really wants to receive that email from you and the recipient knows it. A double opt-out, on the other hand, is seen as a nuisance, and actually may qualify as a violation of the CAN-SPAM Act. Others require the recipient to re-enter their information, even though all of this information could easily be included in the link. Some go to the other extreme, automating the entire unsubscribe process so that clicking the link is all it takes. We don’t recommend this approach either. It is too easy to accidentally unsubscribe, and people might not bother resubscribing after that. The best approach is to take the recipient to a page where they can unsubscribe with one click. If they accidentally clicked the link (or the person to whom they forwarded the email clicked it in error), they have the opportunity to leave the page without changing anything. Some sites include short surveys to help them understand the cause of the unsubscribe. This is fine as long as it is optional. Force a recipient to wade through a survey and they will simply go back to their inbox and mark that email as spam.
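The two links discussed on this page, the double opt-in confirmation from the subscription-bombing post and the unsubscribe link above, can both be built from one signed token, as in this added example (not Goolara’s or any ESP’s code). The token carries the recipient’s address and list, so the unsubscribe page needs no re-entered information, and the confirmation variant expires so a stale confirmation cannot be replayed; the secret, host name and 48-hour window are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"replace-with-a-per-installation-secret"  # placeholder; keep server-side
BASE_URL = "https://mail.example.com"                 # hypothetical ESP host
CONFIRM_TTL = 48 * 3600                               # assumed confirmation window


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(action, email, list_id, now=None):
    """HMAC-SHA256 over {action, email, list, issued-at}; the link needs nothing else."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"a": action, "e": email.strip().lower(), "l": list_id,
                          "t": issued}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, expected_action, now=None):
    """Return the payload dict, or None if the signature, action or age is wrong."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SECRET, payload, hashlib.sha256).digest(), sig):
        return None
    data = json.loads(payload)
    if data.get("a") != expected_action:
        return None  # an unsubscribe token must not confirm a subscription
    current = time.time() if now is None else now
    if expected_action == "confirm" and current - data["t"] > CONFIRM_TTL:
        return None  # confirmation links expire; unsubscribe links stay valid
    return data


def confirmation_link(email, list_id, now=None):
    return f"{BASE_URL}/confirm?" + urlencode({"t": make_token("confirm", email, list_id, now)})


def unsubscribe_link(email, list_id, now=None):
    # The /unsubscribe page should show the address and act only on an explicit
    # click (a POST of the token), so an accidental or forwarded click changes nothing.
    return f"{BASE_URL}/unsubscribe?" + urlencode({"t": make_token("unsub", email, list_id, now)})


def token_from_link(url):
    return parse_qs(urlparse(url).query).get("t", [""])[0]
```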

In 2003, the CAN-SPAM Act made it a law that clicking on those unsubscribe links will actually do what they say, and yet the Unsubscribe Myth persists. Many people will tag email as spam—even though they agreed to receive it—simply to stop getting it. There is a misperception that tagging an email as junk is a better way to stop receiving unwanted email than clicking the unsubscribe link; that somehow this bypasses notifying the sender. If that were true, it would be very easy for anyone to scuttle another company’s email efforts with just a few clicks. If a recipient tags an email as spam, any ESP worth its salt will know about it immediately and will take steps to ensure that this doesn’t affect a company’s email deliverability. Nonetheless, clicking Unsubscribe is still the preferred way to eliminate email you no longer want. Flagging an email as spam is best done only if the sender doesn’t respect an unsubscribe request. It’s nice to see that David Pogue finally realizes this. Hopefully, others will follow.
