“Twitter malware and spam uses a pretty straightforward attack vector. You get a twitter message from an account (usually with an attractive female avatar) telling you that you’ll get something awesome if you click on the helpfully provided link. Most people don’t click, because they realize that if a hot chick sends you a link on twitter claiming you’ll win a free iPad, it’s probably not legit.”

The author goes on to predict that twitter spam will get a lot more sophisticated and targeted, and it will get harder and harder for people to determine who to trust and who’s a bot (speaking of bots) and who’s not a bot:

“Twitter link spam will get a lot more context aware in 2012 and it’s going to be difficult to make an eyeball determination whether someone you don’t know has sent you a link because they follow you and they think you will be interested in a topic, or they are just trying to spam you”

As a matter of fact, we get a lot of tweets from scantily clad fembots that try to make us click malicious links, so we built an app to deal with that. It’s called Unfurlr, and you’re free to use it too, whenever the fembots come knocking –>  http://unfurlr.com  (bookmark it now, because they will come knocking)

And here’s a little more background info about Unfurlr.

Even though these reports center around personal webmail services and personal social accounts, ESP customers should look into beefing up their security as well.

Over the last couple years, attacks on ESPs have been on the rise. Sometimes, the ESP has been breached, but more commonly it’s an end user (or the end-user’s marketing agency) that unwittingly gives their account credentials to spammers (usually via malware on their computers).

So here’s a not-so-gentle reminder to MailChimp users, and especially MailChimp users who manage multiple accounts: GO ACTIVATE OUR SECURITY FEATURES.

In case you missed the recent announcements:

• Alter Ego 2-factor Authentication
• Security TXT Alerts
• Location-change security question

New Feature: Generate Strong Passwords

The experiment only involved sending roughly 7,000 email campaigns over to be reviewed. But within the first 2 days, we started getting back some unexpected, yet fascinating results.

In particular, there were certain email templates that kept getting repeatedly flagged as spam by these human reviewers, even though they weren’t spam at all.

All these “false positives” had some common design traits, so we thought we should share our findings…

How Did The Experiment Work?

When Omnivore detected an email that had traits of potential abuse, we sent it to Mechanical Turk. A copy of the email (sans private data, like recipient information) was displayed inside of an interface that looked something like this:

In general, we listed some rules at the top, then presented the campaign below it, then asked the reviewer to tell us if the email violated any of the listed rules, back at the top of the page. User Interface snobs will notice that in general, this interface looks like it was QWERTY-fied (designed to slow users down a little). We could’ve used very simple “Is this spam? Yes/No” buttons, but you don’t want people judging too fast.

How Effective Was The Experiment?

The experiment went as well as you’d expect, using people who weren’t heavily trained on the intricacies of permission-based email marketing. Generally speaking, Turkers like to work fast, so they’re best for picking out the most egregious offenders (think along the lines of porno or pharma spam). To that end, they’re great at catching the really evil spammers who try to penetrate into our system and send extremely bad stuff that would jeopardize our deliverability.

But when it came to reviewing an email from, say, a reputable business that purchased a not-so-reputable list from a local chamber of commerce, the reviewers experienced some difficulty. So crowdsourcing is good, but not a silver bullet with respect to abuse prevention (we are still crowdsourcing, but the experiment has changed significantly).

Though we weren’t thrilled with the initial results, this exercise revealed a lot about how people look at email design.

21 Seconds To Decide

Mechanical Turk measures how much time people spend performing each review, so we can tell when people are just clicking random stuff and moving on to their next task. On average, the human reviewers spent only 21 seconds reviewing these “false positive” emails. Now, we can’t read their minds, so there’s no reliable way of telling if they bothered to check for “permission reminders” or “CAN-SPAM compliance” in the footers. But it’s safe to say they weren’t doing a very thorough analysis. I’d wager that most of that 21 seconds was spent reading the criteria at the top of the interface, and not the email itself. They definitely weren’t visiting the senders’ websites to see if there was a proper signup form, and testing to see if they used opt-in best practices. They were making relatively quick, gut-level decisions on whether or not an email “looked spammy.”

The False Positives

Below are some email designs that kept getting marked as spam by Mechanical Turk reviewers. Keep in mind that at the time of this experiment, none of the senders of these emails were determined to be abusive. Their email stats suggested they were sending permission-based emails. Their recipients probably knew the emails were legit — but our independent reviewers did not.

1. Want to learn Photoshop?

In general, I think the above email has got some layout issues that make it look a bit sloppy. Their images are breaking the template. At the top, where people are accustomed to seeing a logo, the sender only used text. In fact, the text isn’t even the company’s name, but a bright red “salesy” kind of question: “Want to learn Japanese or Chinese?” Doesn’t exactly inspire confidence that you know your recipient, or what he’s interested in. Unfortunately, the Chinese characters don’t help their reputation much either. We’ve all received a bit too much of this in our inbox:

2. The Red Flyer

I’m sure that loyal customers of this local pizzeria were happy to get an offer for a free t-shirt:

But I don’t think our human reviewers liked the “hyperlink blue” verdana font, then the giant red “FREE” text below that (then the green text below that, then the blue text below that, then the gray text below that). Something about this email made it look more like a stock template for a flyer, not an email newsletter to loyal customers. I couldn’t help but think that the scrunched up airplane logo looked like those images that spammers try to skew, in order to get around anti-spam filters who scan the content of images:

Aside from the image quality issues, some extra copy could’ve been added to demonstrate that this email was being sent to their customers. Don’t get me wrong. T-shirt giveaways can be  extremely effective (here are some stats to prove it), but you should probably do more than just yell “FREE T-SHIRT!”

At the very least, an image of the actual t-shirt seems in order.

Here’s a nice example from ScoutMob:

3. Not Plain Enough Text

This email repeatedly got marked as spam by our reviewers:

You’ll notice it has no images. No branding, no logos, no photos.

Yes, one could make the case that plain, old-fashioned, text-only emails can be more personal, and therefore more effective under some circumstances.

But if you’re gonna go all-text, you need to go all the way, baby. Centered text, colored backgrounds, and colored borders look like you’re going for an HTML email look. But when you fail to include any logos or images, it looks half-baked. Like a spammer, getting all “Rich Text:”

Even if you don’t have a logo, one way of showing your brand is to include your website’s domain. But this sender used the bit.ly URL shortener instead:

In their defense, that’s probably because the link to the event they’re promoting was really long or something (webinar links get that way sometimes). The problem is that spammers are known to hide malicious links behind reputable URL shorteners (see: URL Shorteners and Blacklists), so that helpful little link just ends up hurting them.

4. Read it and Weep

This one was actually surprising to me, because I thought it was well designed:

The title font even looks customized (it’s not arial, it’s not verdana, and it’s certainly not comic sans). It’s laid out pretty nicely. The pink is a custom color, too. The only possible problem that I can see is that it’s extremely text-heavy, with zero images. To the untrained eye, it almost falls into that “not plain-enough text” category above, but this doesn’t look half-baked or sloppy at all to me. This email shows signs of actual craftsmanship and skill with typography (web design is 95% typography, right?). This sender’s subscribers are probably fine with all this text (the sender is an author, after all). But to our independent reviewers, this email apparently looked pretty spammy. In this case, I personally wouldn’t change my design or behavior. If I had to make recommendations, I’d consider adding elements that made it look more “newslettery.” Perhaps a small avatar of the author could be worked into the template’s footer, or some “share this on social sites” icons. If this is all about the written word, and images are forbidden, text can be ornamental too.

5. Set it and Forgot it

Senders that used one of our stock RSS-to-email templates seemed to get flagged the most:

As I write this article, we’re actually working on tweaking this template so that the header is more customizable (forcing the title to be ALL CAPS, in retrospect, was not a great idea).

But many of the bloggers who used this template didn’t bother customizing the RSS merge tags any further to include images from their posts. They didn’t customize the fonts, link colors, or anything at all, it seems.

I also wonder if, in some cases, the Table of Contents was so large, our independent reviewers didn’t bother scrolling down to look for real content. All they saw was a bunch of nonsensical looking TOC links. This happens if you update your blog frequently, but you schedule your RSS-to-email campaign to go out in weekly or monthly batches. Not that I’d change my behavior just for random Mechanical Turk reviewers. What your subscribers want is more important.

But there’s a broader lesson here on image vs. text balance. A similar example plucked from my spam folder in Gmail:

Why this is important to email marketers

When you send a lot of email marketing, even to a totally permission-based double opt-in list, you’re going to get some spam complaints from your recipients. It’s inevitable. Sometimes, it’s because they’re too lazy to click your unsub link, they think the “spam” button is the unsub link, or sometimes it’s because they forgot signing up to your list (maybe because you send infrequently, like me).

And sometimes, when your email is marked as spam, a human from an ISP, or a human from an anti-spam organization, will actually do a manual review of your email (See: “Who’s secretly reading your emails?”). Some anti-spam organizations use volunteers, who are driven by passion more than pay (nothing wrong with that, but you have to wonder how detailed their training is). We’ve experienced enough “your client’s email has been reviewed by our team, and determined to be spam, so we’re blocking your IP range” situations to know that those reviewers don’t always do a thorough analysis of your list management practices (not part of their job description anyway). This is partly why our own terms of use seem so strict to some. ISPs get complaints, they look at your email, and they make a split-second decision to “blacklist or not.”

So even if you do your list management right, and you design everything perfectly around your subscribers’ expectations, we always recommend that you give some consideration to this “secret” audience that also reads your email (See: “What makes a good permission reminder?”). Don’t bend over backwards for them, or anything.

It’s kind of like how your mother always told you to wear clean underwear, “in case you’re in an accident.” Take a good look at your email templates, and ask yourself, “If my email got reported as spam, and some spamcop laid his eyes on it, what would they think? Would mom be proud?”

Related:

• How your email design can get you blacklisted
• Stupid Email Design Mistakes
• How to avoid spam filters (the non-human kind)
• Want 700,000 HTML email templates? (more fun w/Mechanical Turk)
• Is your email marketing human?

It would be all fine and dandy if people would follow delivery status notification best practices and guidelines. But they don’t. Sometimes this is a reaction to spam, and sometimes it’s just ignorance.

For example, some server admins insert snarky messages in their email headers, like “We don’t want your message. If you send email to us again, we’ll report you.” Well, that’s their prerogative and all, and we’re happy to never send to them again, but if they simply hard bounced the email, we’d be able to clean it from the list faster.

Then there are some ISPs who are downright deceptive with their bounceback codes…

They’ll send back a bounce that tells us that the intended recipient doesn’t exist. But look closely at their bounce headers, and you see little messages like, “but if you wait a few hours and try again, it’ll get through — wink wink.” An interesting way to tell if there are humans sending the email.

Then there’s the problem of “silent dropping:”

“As discussed in Section 7.8 and Section 7.9 below, dropping mail without notification of the sender is permitted in practice. However, it is extremely dangerous and violates a long tradition and community expectations that mail is either delivered or returned. If silent message-dropping is misused, it could easily undermine confidence in the reliability of the Internet’s mail systems. So silent dropping of messages should be considered only in those cases where there is very high confidence that the messages are seriously fraudulent or otherwise inappropriate.” Source: wikipedia

And there have been cases where an ISP will temporarily go down for hours (or days), and in the meantime, they send you back hard bounces or erroneous “you’ve been blocked” reports. Should you clean those hard bounces from your list? Technically, it’s a “best practice.” But clearly, the ISP was broken when you sent. Hardware just breaks sometimes (See: Not All Delivery Problems are Spam Related).

Some receiving servers have sent back hard bounced messages that were intended for recipients that we know exist, because we have double opt-in evidence, and open/click actiivtiy. We find out about these problems when recipients complain to the sender about not getting the email they requested, and the sender escalates it to us, and then we trace it back to the recipient’s IT guy setting up “custom” rules. To be clear, it’s their prerogative to setup their custom rules. We don’t hold it against them (spam’s ruining it for everyone). But this does create a problem that requires a custom solution of our own.

Good Deliverability Depends on Proper Bounce Management

See why bounce cleaning can be frustrating? No wonder people who try to manage their email marketing in-house see such dramatic improvements in deliverability when they switch to an ESP (case study). They’re usually unable to properly clean the bounces from their lists.

So they don’t.

And if you keep sending messages to non-existent accounts, ISPs will block you because you look like a spammer who purchased an old email list.

Improper bounce cleaning can seriously damage your domain reputation.

Also, we’re seeing new trends in the way our customers send emails. People are automating more with RSS-to-email, and via our API. More daily senders with extremely large lists (daily deals, mobile apps, location-based check-in services, etc) are depending on us to get their emails delivered, but also depend on us to intelligently manage those lists. Simplistic bounce cleaning rules, combined with deceptive bounce errors, can result in their lists shrinking faster than new members can opt-in. This, in turn, often results in irrational behavior by the sender (purchasing lists, using bad/old lists, un-bouncing everybody, ESP-hopping with old, uncleaned lists, and on and on).

So we’re tweaking the way we handle bounces.

Our strategy for a long time now has been to perform deep, ongoing analysis of bounce headers in order to create “the most insanely thorough bounce back interpreter holy-grail known to man” (and we usually end that statement with an evil, nerdy laugh). And we’ve come a long way with that approach.

Moving forward though, MailChimp will be factoring engagement activity into our bounce cleaning decisions (read about how MailChimp measures engagement).

For example, if we send an email and a receiving server tells us that a recipient “does not exist,” but we have open and click activity in the last 45 days to prove otherwise, we’re not going to blindly clean that recipient from the list. We know they exist, and we know their account works, so we’re going to give them a few more chances than we normally do. If, however, we see that there’s very little (or no) activity by that recipient, we clean them under the same rules we’ve used in the past.

We’re not going to get into specifics about how many stars justifies a “clean vs. a keep,” or exactly how many chances we give hard and soft bounces. The algorithm will surely be adjusted and tweaked over time. The point we’re trying to make is that email is evolving faster than ever (thanks to changing social and mobile behaviors of recipients and senders), and MailChimp is adapting and innovating along with it. Even in the very un-sexy area of bounce management.

For those of you who don’t know, we built Omnivore in order to prepare for our big Freemium plan that we launched back on September 1st, 2009. We didn’t want to offer a free email marketing service without having a scalable system in place to protect our deliverability (not to mention the sanity of our Compliance Team).  Good thing, too.

In just under a year, MailChimp grew from 85,000 users to over 430,000. We couldn’t have grown 5-fold like that without Omnivore.

Here’s an update on what we’ve learned so far…

Since September 1st 2009 Omnivore has:

• Issued 69,927 warnings to 24,119 users for exhibiting bad behavior. Warnings like, “Hey, we detected a lot of unsubscribes from that last campaign — if it continues, we’re going to have a deliverability problem.” Another warning example would be something like, “Whoah, that last campaign had a higher than normal bounce rate. Something’s going on with your list hygiene. Here are some tips for you to address that issue before it gets worse.” Warnings usually never need a reply. They’re simple observations that let you know something’s wrong, and if it’s not corrected, could lead to more issues, which could lead to suspension.
• Automatically suspended 8,770 users. This typically happens when Omnivore sees something really alarming, and just can’t allow an email to leave our system. When a user’s account gets suspended, it’s placed into a queue for human review. Our compliance team basically investigates to see if it was a false positive, sends tips to users if it was an innocent mistake, or in some cases, might decide to permanently shut down the sender.
• Of those suspended accounts, 1,879 ultimately had to be shut down. Shutdowns don’t always mean the sender was evil. Sometimes they just mean that a sender might be sending content that’s too risky, and receives more than the normal amount of delivery problems or abuse reports. Even if they’re totally innocent, they can still cause harm, and we have to shut them down.

When I first wrote about Omnivore, I was very careful to explain that it was new, and still had a lot to learn.

Over the last few months, it’s learned a lot.

New Shades of Gray

Our approach with Omnivore has been primarily to look for those things that spam filters don’t. For example, we could simply scan outgoing email with Spam Assassin’s criteria, and block offending messages. But that would only catch the “black and white” stuff. That’s fine for catching the horrible appendage-enlargement spam we’re all so familiar with. But ESPs deal with “ignorant spam” more than “evil spam.” Ignorant spam is harder to define. It’s a gray area.

Speaking of shades of gray:

And that’s the stuff Omnivore looks for.  Stuff that looks like perfectly legitimate business mail, and that would slip past most spam filters, but then generate a ton of spam complaints from recipients (traits that humans think are spammy, but that spam filters miss).

Since launching, we’ve discovered even more shades of gray in the abuse spectrum.

Lots more.

Investing in the ecosystem

And we’ve built new tools to detect those shades of gray. I won’t divulge our entire budget for the Omnivore program, but I can tell you that we’re investing $20,000 per month on monitoring just one of those new “shades of gray.” Not to mention our investment in new staff, and in training. We are committed to protecting the email ecosystem. That’s not to say that our colleagues, like ConstantContact, ExactTarget, and other major ESPs, are not. They all devote a tremendous  amount of time, energy, money and resources on this stuff, and we’d be remiss not to mention them. Especially since they’re so willing to share their research with each other. Without a properly functioning ecosystem, we’re all dead.

We just want our customers to know how much thought goes into abuse prevention. It’s important to convey that.

For example, if we catch a spammer trying to hack away at our system, we almost always trace them back to some small, free ISP that they’re using to host all their malware. What do those ISPs usually tell us? “Abuse is inevitable and a part of life, and we’re sorry, and the account’s been shut down. Goodbye.” Hmm. We can’t help but wonder if they’re doing much to prevent that abuse in the first place. We’re sure they are, and we’re sure they’re being terse for legal reasons. But we still wonder.

We don’t want our customers to wonder.

New “Three Strikes” Policy

We don’t think Omnivore is perfect. But we’re much more confident in its ability to detect and prevent abuse now. So we’ll soon be implementing a new policy. If any sender on MailChimp is suspended three times in 6 months (whether the suspensions are a result of bad behavior or innocent mistakes, and whether the suspension was initiated by Omnivore or staff), Omnivore will permanently shut down the account. As I explained above, suspension isn’t always because of evil. Often, the sender made a totally innocent mistake. And after each suspension, our team always sends helpful recommendations to get senders back on the right track. We’ll even point some of them to 3rd party deliverability specialists, who can train them on best practices. So there’s rarely a valid reason for having 3 suspensions inside a 6-month period.

Related:

• Project Omnivore Declassified
• Spam lawsuits – What’s the worst that can happen?
• Preventing False Abuse Complaints

Think you might need a refresher?

• Is My List Ok to Use in MailChimp?
• How To Grow Your Email List in 3 Easy Steps
• When Email Addresses Go Stale
• Warning Signs That Your Client is Spamming – Free Guide

There are two ways that SPAM can make its way into this feed– either by using the #tcdisrupt hashtag when you send your spammy tweet out into the world, or by logging into your Twitter account through the event’s Twitter Chat and posting it directly.

The fact that spammers would want to target the event is simply a numbers game. Trending topics, especially when there’s a hashtag associated, mean a lot of people are watching or paying attention. Eyeballs mean potential clicks, and that’s exactly what Twitter spammers are after.

So what can you do about it?

Use a curation platform that gives you (the event organizer) more control over what’s being displayed, and more importantly, what isn’t. One company that’s providing an innovative solution in the curation space is TweetRiver. Another option is to roll your own aggregator, like the elegantly executed A Feed Apart. My personal prediction? Annotation and curation will be one of the next explosive areas of growth within the Twitter ecosystem. Apps, plugins, you name it.

On a final note, Marketing Ninja Amy and Client Relations Rock Star Lance are actually in New York right now representing MailChimp at TechCrunch Disrupt. If you’re there, please say hello!

Mailman Steve Padgett, age 58, stood before a Federal Court judge recently to receive his sentence. The crime? Delaying and destroying the very mail he was supposed to be delivering– third class mail, or more commonly, the JUNK.

This spring, authorities were contacted by a utility worker who noticed what appeared to be an excessive amount of mail piled at Steve Padgett’s home in Raleigh. When postal authorities went to investigate, they discovered third-class mail stacked in Padgett’s garage and buried in his lawn.

According to Padgett’s attorney Andrew McCoppin, it wasn’t a conscious stand against waste or a junk mail protest that spurred the mailman to hold onto the mailers. Rather, it was the inability to meet the demands of a job in a growing part of the county while contending with heart problems and complications from his diabetes.

Padgett was given probation, fined and also sentenced to 500 hours of community service.  And as a way to express our support for Mailman Steve and his junk mail minimizing tactics, MailChimp has helped bail him out by contributing to a fund that will cover Padgett’s fines.

How does this relate to email marketing you ask? Mailman Steve was keeping the spam out of people’s physical mailboxes, in the same way that MailChimp works to keep it out of your inbox. By taking simple steps like creating a good permission reminder and adhering to proper emarketing etiquette, you can take steps to ensure your email’s relevance and deliverability.

Major Source of Online Scams and Spams Knocked Offline (Washington Post)
“We looked into it a bit, saw the size and scope of the problem you were reporting and said ‘Holy cow! Within the hour we had terminated all of our connections to them.”

And have you ever wonder how spammers make money anyway? And how much?

Study shows how spammers cash in (BBC News)

“After 26 days, and almost 350 million e-mail messages, only 28 sales resulted…the response rate for this campaign was less than 0.00001%…these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period,” said the researchers.”

So how do spammers send so many emails, anyway? If they can do it, there must be some legal loophole allowing anyone to do it, right? So that means we can all buy emal lists and blast out spam. Right?

Um, no. Spammers have to hijack computers to do their dirty work:
http://en.wikipedia.org/wiki/Botnet (scroll down to “Formation and Exploitation”)

If spammers can get away with this, then so can I, right?
They don’t. And no, you can’t:
Authorities Shut Down Spam Ring (NYtimes.com)

http://directmag.com/magill/0729-suicide-spammer/index1.html

Includes interesting back story about a vendor that once worked with that spammer.

Over the last week or so, I’ve heard from a few programmers and developers who’ve been forced in some way or another to help their employer send spam. I’m talking about the kind of spam where you buy lists from a 3rd world country, setup offshore servers, then repeat the process over and over again as you get blocked by ISPs (the developers eventually wound up finding new jobs out of disgust).

It’s easy to spot obvious spammers like that.

But what if you’re working with a client, and something about their email project just doesn’t sound right? But you can’t quite put your finger on it, and you don’t quite know how to tell the client that what they’re doing is wrong? This free guide might help you:

Warning Signs Your Client is Spamming