500 million Yahoo users compromised in “worst hack in history”

On Thursday, Yahoo issued a statement confirming that at least 500 million users’ account data had been compromised in late 2014, supposedly by a “state sponsored actor,” or an individual hired by some governmental body to carry out the hack.

According to the statement, the data “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords …and, in some cases, encrypted or unencrypted security questions and answers.” Yahoo indicates no financial data was breached.

Users who had or used Yahoo services, including Mail, Flickr, Fantasy Sports, and others, during that timeframe are being advised to change their passwords for Yahoo and any other services that may use the same login credentials, as well as changing security questions for other services.

Lots of questions surround this breach, with one of the most notable being why Yahoo waited so long to announce the hack. Many speculate information was concealed to prevent souring the sale of Yahoo to Verizon. CNN reports that Verizon learned of the hack for the first time this week.

As email senders and recipients, most of us care much less about Yahoo and Verizon’s financials than about potential fallout from the breach, including identity theft, spam email, and even blackmail. Even if credit card data wasn’t stolen, the hackers now have personal information about millions of Yahoo users, including answers to some of the questions most commonly used to verify their identity.

Yahoo’s wait to announce the hack could mean the greatest damage has already been done: hackers often act quickly with stolen data, selling or sharing it before detection efforts catch up. However, if the breach truly was initiated by a foreign government, the motivation may not be so clear.

Yahoo has said they are cooperating with Federal authorities to investigate, and it’s a safe bet we’ll hear more details as the investigation continues.

– BG

Is my ESP lying to me?

If you use an email service provider, you most likely have tracking reports that tell you the disposition of each message you send. These reports usually indicate the message falls into the broad categories of “delivered” or “bounced.” While many ESPs use more detailed categories, you just want to see if your email made it to the recipient or not…right?

Of course. So what happens when you send out that nice shiny new email and you get a response rate far lower than what you were expecting? Naturally, you check in with some of your best recipients to make sure they got the message. Your tracking shows delivered, but when you reach out they say they didn’t see the message at all. Not in the inbox. Not in the spam folder. Not even in quarantine…now what?

Why is your ESP telling you the message was delivered when it clearly wasn’t?

To answer this common question, let’s dive a bit deeper into what that “delivered” status really means.

When you hit the Send button at your ESP, your mail server will attempt to hand off your message to the mail servers for each recipient. The initial contact between the sending mail server (your ESP) and the receiving mail server (your recipient’s email provider) is often referred to as the “handshake.”

At the time of this handshake, the ESP server will attempt to hand off the message to the receiving server. When this happens, there are a few potential outcomes:

  1. The receiving mail server rejects the message due to the address not existing, the sender being blocked, or other errors considered permanent. These are hard bounces, and usually the receiving server returns a code in the format 5xy, where x and y are additional digits that indicate the specific type of hard bounce. This error typically causes a bounced status in your ESP reporting.
  2. The receiving mail server returns a temporary bounce or deferral. These bounces indicate the mail cannot be delivered at this time, but the sending server should try again later. These are soft bounces, and are typically accompanied by a 4xy error code. These can generate a bounced status in your ESP reporting if the subsequent delivery attempts are not successful. If the later sends do make it through, these will show as delivered.
  3. The receiving mail server accepts the message for delivery. This is considered a successful delivery, and is accompanied by the code 250 OK. These are reported by your ESP as delivered.

Once this handoff takes place, the sending server (your ESP) has no further visibility into the delivery of the message. There could be additional spam filters in place after the message is accepted, or individual user settings could cause the message not to be delivered, with no further notification to the sender.
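The three handoff outcomes above, as an added example that is not part of the original post: a small Python classifier run over a constructed SMTP transcript (the server names, addresses and queue id are made up), which assigns exactly the ESP statuses the post describes and nothing more, because after the receiver’s final 250 the sender has no further information.

```python
from __future__ import annotations
import re

# Constructed SMTP transcript ("C:" = the ESP's sending server, "S:" = the receiving server).
TRANSCRIPT = """\
C: EHLO mail.esp-example.com
S: 250-mx.example.net
S: 250 SIZE 52428800
C: MAIL FROM:<news@esp-example.com>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.net>
S: 250 2.1.5 Ok
C: RCPT TO:<nobody@example.net>
S: 550 5.1.1 User unknown
C: RCPT TO:<bob@example.net>
S: 451 4.7.1 Greylisted, try again later
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: .
S: 250 2.0.0 Ok: queued as 4Xy7Zb
"""

REPLY_RE = re.compile(r"^S: (?P<code>\d{3})(?P<sep>[ -])")
RCPT_RE = re.compile(r"^C: RCPT TO:<(?P<addr>[^>]+)>$")

def status_for_code(code: int) -> str:
    """Map the reply-code class to the ESP reporting bucket the post describes:
    2xy accepted (visibility ends here), 4xy soft bounce / retry, 5xy hard bounce."""
    return {2: "delivered", 4: "deferred", 5: "bounced"}.get(code // 100, "unknown")

def classify_session(transcript: str) -> dict[str, str]:
    """Return {recipient: status}; recipients accepted at RCPT TO are only
    'delivered' once the reply to the end-of-DATA dot is also 2xy."""
    statuses: dict[str, str] = {}
    accepted: list[str] = []      # provisionally accepted at RCPT TO
    pending: str | None = None    # recipient whose RCPT TO reply is next
    awaiting_data_reply = False
    for line in transcript.splitlines():
        if rcpt := RCPT_RE.match(line):
            pending = rcpt.group("addr")
        elif line == "C: .":
            awaiting_data_reply = True
        elif (reply := REPLY_RE.match(line)) and reply.group("sep") == " ":
            # Only the final line of a (possibly multi-line) reply carries the verdict.
            code = int(reply.group("code"))
            if pending is not None:
                if code < 300:
                    accepted.append(pending)
                else:
                    statuses[pending] = status_for_code(code)
                pending = None
            elif awaiting_data_reply:
                statuses.update({a: status_for_code(code) for a in accepted})
                awaiting_data_reply = False
    return statuses
```

Running `classify_session(TRANSCRIPT)` reports alice as delivered, nobody as bounced and bob as deferred; whether alice’s message is later filtered or dropped on the floor is invisible to this code, exactly as it is to your ESP.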

While it’s not extremely common, even major ISPs have been known to have messages “dropped on the floor” if the sender’s reputation is not up to their standards. This is the (highly technical) term for a message that is accepted by the receiving server, but then essentially disappears. It’s not returned to the sender, but it’s also not delivered to the recipient’s inbox or spam folder. It’s simply deleted.

So how do you find out what really happened?

That can be the tricky part. Since the information is not shared with the sender or ESP, the only way to find out for sure what happened to one of these messages is to check the mail logs for the receiving server. In most cases, this will require working with IT staff on the recipient’s side who can search for the message(s) in question and provide a definitive answer on what happened to the message and why.

If the recipient’s IT team isn’t an option, you can also check the content of your message, as well as the reputation of your domain and the domains of any links within the message body. In many cases the initial handoff looks primarily at the reputation of the mail server (IP address), while the subsequent filters can include message content, link URLs, domain reputation, and other factors.

Check out the Resources page for links to some of the most popular reputation tools, and feel free to comment with any additional questions.

– BG

That old ESP magic

Eva Paris via Flickr

Recently I was involved in a mostly-serious conversation with some industry folks that centered around political mailings and how they get routed to the spam folder vs. the inbox. As the conversation went on, some of the points discussed got me thinking on the unrealistic expectations many senders (political or otherwise) can have when it comes to working with an email service provider or consultant.

These expectations usually revolve around what I like to call “ESP magic.” The term refers to the mystical ability to get mail routed to the inbox, regardless of the quality of the list or the engagement of the recipients. Many senders are convinced that every ESP deliverability expert wields this extraordinary power, and with that power comes a great responsibility – to get their mail to the inbox, period. I couldn’t count the number of times in my career I’ve heard a client say, “it’s your job to get my email delivered” – but that’s only half true. Every deliverability expert is tasked with getting the best possible delivery results for their clients, whether they work with an ESP or separately, but for many senders that’s where their view of the delivery team stops. It’s often “fix my spam folder placement or else.”

What these senders fail to realize is the other (and arguably more important) part of the delivery pro’s responsibility: education. No one can get you to the inbox consistently if you’re sending to outdated, purchased, or scraped lists with no engagement. That blacklist isn’t going to remove you if you keep sending to spam traps – no matter who reaches out to ask. As delivery folk, we can look for common symptoms and take necessary steps (blacklist delisting, ISP remediation, etc.), but often the root of these problems lies in the quality of the lists or the sending practices of the marketer.

The real “ESP magic” comes from years of experience, research, testing, and even failing that have taught us all what to do (and not to do) to reach the inbox. The hours of industry conversations at various events and in online discussions once served mainly to meet the “right person” who could resolve issues at a specific ISP. Now they help shine light on best vs. worst practices, ISP requirements, and advances on both the sender and receiver sides of the aisle. It’s our job to compile that knowledge and present it to senders in a way that helps get mail delivered while also improving the email ecosystem.

If you want to reach the inbox, you have to start by learning how to reach the inbox. And if you’re ready to learn, we’ll be happy to teach you.

– BG

Shield your sender reputation

UPDATE: The webinar is over, but don’t worry! You can download the recorded version here.

Do you know how a blacklist works? How about a blocklist? Did you know there’s a difference?

Or that complying with anti-spam laws doesn’t guarantee a good reputation?

If not, don’t worry – most senders have lots of questions when it comes to sender reputation.

Chances are, you’re probably doing something right now that could get your IP address or domain blacklisted, which could have a major impact on your email deliverability. And even if you’re not, there’s likely more you could be doing to safeguard your sender reputation.

Tomorrow afternoon, I’m hosting a webinar designed to break down how blacklists work, what happens when you’re listed, and some steps you can take to help ensure your reputation is in top form. It’s at 2pm EST, and you can sign up at the link below.

If you can’t make the webinar but still have questions about reputation or blacklists, feel free to post in the comments here or email me!

– BG

Why buy the cow when you can get the whitepaper for free?

Recently I’ve been helping a client who has been hitting spam trap addresses. Like most senders we see, they weren’t doing anything malicious but needed improvement in some of their practices. One of these practices involved their method for collecting data via whitepaper downloads, and it’s an error I’ve seen a lot of marketers repeating.

It’s not exactly a secret that one of the best list growth strategies is to offer useful resources – such as whitepapers, webinars, and other best practice guides – that require the recipient’s email address to receive the content. However, mishandling the sign-up process can lead to delivery headaches – most of which can be avoided by following some simple rules.

  1. Require an email open to download the resource. In the case of the client I mentioned earlier, users who entered their details were immediately taken to a download link for the whitepaper. There was no confirmation required, and no incentive for the recipient to open (or even look for) emails from the sender.

     Without this step, users can enter any information they please in that contact form. This can lead to hard bounces if the address doesn’t exist, complaints if the address exists but belongs to someone else, and possibly even spam trap hits. I’ve even heard anecdotally from anti-spam advocates who will intentionally use monitored or trap addresses for these types of forms (see #2 for more on that).

     You could include a direct link to the resource in the email or link to a specified landing page where the resource is located.
  2. Be transparent about your intentions. If you plan to send ongoing marketing messages to the recipient, say so. I’ve heard so many senders argue that anyone who submits the form knows to expect email from them, and that may be true in many cases. But I can assure you that appealing a block from a blacklist provider or ISP with the assertion that they “should have expected” your email isn’t going to get you very far.

     As with any opt-in form, you should set clear expectations of the type and frequency of mailings you intend to send. Whether it’s quarterly industry updates, daily news nuggets, or anything in between, the recipient should know exactly what to expect. Don’t limit yourself to bland legalese copy – let them know about all the great information they can get and how often they’ll see it in their inboxes.

     When these expectations are not set (most of the time in my experience), the likelihood of getting bogus information greatly increases. Even those users who provide accurate data will be more likely to report the message as spam later if proper expectations are not set at the time of sign-up.
  3. Provide value beyond the download. If you’ve gotten a reader to provide their (valid) information in exchange for a resource, they’ve already indicated they see value in your content. Your challenge now becomes giving them continued value. You can start this with those proper expectations mentioned above: promise the reader lots of engaging, relevant, and effective content in their regular email updates, then make sure you deliver it!

     Providing value to your subscribers helps your delivery by ensuring that recipients remain engaged with your content, which in turn helps improve delivery rates.

Much like contests or social media promotions, providing resources in exchange for email addresses can provide a boost to your email list growth efforts as long as you keep these principles in mind.

– BG

The persistent lie of “targeted” purchased lists

In recent days, I’ve noticed a few missed calls from an unfamiliar phone number based out in Southern California’s beautiful San Fernando Valley. Once or twice I’ve even answered but there was no one on the other end. Today, I finally got to speak with the man behind these mysterious phone calls.

“Hello Mr. Bradley, this is [mumbled] from [mumbled] and we have many databases of qualified leads. I’d love to go ahead and send over some samples. Do you do any email marketing?”

I understand Mr. Mumbles has a job to do, so I didn’t want to be too hard on him. I politely (but somewhat incredulously) informed him that I was in fact the person in charge of making sure purchased leads don’t get sent through our system, and that it was best for all parties if he kindly removed us from his database.

We could simply laugh this off as poor targeting, but think about it in a different perspective: what if you bought this list? What if you sent me an unsolicited email as a result? Not only did he have me in his database, but he didn’t know if I did email marketing – even though he called me on a phone number owned by an ESP! If he has my details in that list, it’d be a smart bet he also has the contact details of others in the anti-abuse and deliverability industry, and probably more than a few spam trap addresses.

But my list broker is different!

Unfortunately, they’re not.

Think about your in-house contact database – customers, paid members, newsletter subscribers, and others. How large is that list? And what did it cost you to acquire that list? Now, let’s ask the most pertinent question: would you sell it?

You likely answered “no” to that question, but if you didn’t, what price would be adequate to profit from selling your list? To compensate for the time and effort you put into building that list, you’d have to see a pretty high premium, right?

Why would any list broker be willing to sell a much larger list for a smaller fee? If the list is as qualified and targeted as they claim, surely they had to expend significant resources to acquire it – does the cost reflect that?

The sad truth is that even the most reputable list vendor is selling a list of indeterminate origin, and full of people who have never even heard of you. They didn’t ask for your emails and – if they’re even a real person – they will be far more likely to report you as spam than actually buy your product or service. Recent statistics put the response rate of emails sent to purchased lists at just over 1 percent. Is that worth the potential of trashing your sender reputation and seeing mail to your confirmed subscribers delivered to the spam folder or outright blocked?

– BG

Return Path will offer Certification for Domain Reputation

Return Path has long been a fixture in the email delivery community as a provider of tools for monitoring and improving inbox delivery rates, in addition to their newer data and intelligence products. One of Return Path’s most well-known offerings is their Return Path Certified program (formerly Sender Score Certification), which provides some additional metrics and benefits at certain ISPs for senders who meet the high standards of the program.

Certification has previously been available only to clients on a dedicated IP with an established sending history, but today the company announced their forthcoming Domain Certification – allowing senders on shared IPs and pools to use their domain reputation as the basis for certification.

With so much of the industry moving towards domain-based reputation and the advent of IPv6, this allows many good but small or inconsistent senders to reap the benefits of the program. Over the years I’ve personally worked with many clients who wanted to be certified but didn’t qualify, so I’m sure there’s a sizable market for this service. It will be interesting to see how the benefits at different ISPs play out – are they the same as the IP certification? Given that not all ISPs weigh domain reputation as heavily as IP, it seems there would have to be at least minor changes.

Domain Certification is currently in beta, but senders interested in beta testing can reach out to the Return Path team through the link posted above to get involved.

– BG