Today, we’re closing the book on that chapter by stating that Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use this practice to acquire customer email addresses. 

There are four main reasons for this change;

1. Even in 2001, most of us viewed email appending as a stop-gap measure until offline marketers achieved critical mass online and no longer needed this acquisition method to bolster their email programs.  Today’s offline marketers collect customer emails at every point of sale, and even through new mobile and social media channels.  There is no doubt that if a customer wants to subscribe to a marketers’ email list, they have ample opportunities to do so.
2. As one of the first email service providers to become a full member of the Messaging Anti-Abuse Working Group (MAAWG), Experian CheetahMail is committed to supporting their best practices and recent policy position against email appending, found online here.  We believe our position is in-line with that effort and is in the best interest of marketers who wish to maintain consistent Inbox deliverability. 
3. In a matter of months, the Canadian Anti-Spam Law (CASL) is going to come into force.    If you were not aware, the new law requires opt-in consent for email marketing, with limited exceptions where there is a prior business relationship.  Because the law does not require marketers to have knowledge of a recipient’s residency in Canada, it is probable that even some U.S. customers who are appended could now reside in Canada and fall under the jurisdictional requirements for Canadian compliance.  As a result, marketers who conduct opt-out email append would run afoul of CASL and be subject to a private right of action in a Canadian court. 
4. Email address turnover continues to increase, as well as the use of formerly active email addresses as ‘spamtraps’ by mailbox providers and filtering companies.  The increasing deliverability risk of mailing to potentially inaccurate or invalid recipients now exceeds the value they provided in the past. 

We believe eliminating this practice is in the marketers and consumers best interests.  I can appreciate that many marketers have had success with email appending efforts, however, the opt-out appending process should be discontinued for the betterment of the entire email marketing community.  I appreciate your consideration and support of this change, and welcome any comments, questions, concerns or suggestions on this topic by reaching me at privacyATcheetahmail.com.

On Wednesday, December 7, I’ll be participating on a session at the Email Insider Summit about integrating email campaigns with display advertising. For those of you who cannot attend, or for those that plan to attend but want a sneak preview, here are a few key points I’ll be making about the future of these integrated campaigns:

1. Emailers have always used pixels and cookies to better analyze open or click-through activity, or more recently with transaction reporting and remarketing efforts. In addition, most emailers have tested or implemented third party tools using pixels for analytics or creative optimization. So adding a new third party pixel to email campaigns for display advertising can be easily understood and implemented.
2. Many online marketers have integrated website re-targeting into their suite of display advertising efforts, and leveraging email pixels to enable re-targeting is similar to using a web based pixel. This is bolstered by the fact that most email recipients are now using web-based programs, which can render this type of pixel (and associated cookie) for use with display ads. However, as with any re-targeting effort, this type of display advertising is considered to be ‘behavioral’ and falls under the Digital Advertising Alliance (DAA) Self-Regulatory Principles for Online Behavioral Advertising . As a result, marketers must make sure their privacy policies reflect this practice, and provide advertising recipients with in-ad notice and choice through the ‘AdChoices’ icon.
3. The benefits of integrated campaigns are many, and include consistent messaging across channels, improved relevancy for online display ads, and increasing performance of re-targeting efforts by extending the reach to email recipients who may not be visiting your website. In addition, future integrated display ad campaigns will be able to leverage the same segmentation schema as with email, transactional data, and addressable demographic or psychographic data, all of which in a privacy-centric way.
4. The potential drawbacks of these campaigns includes making sure you are working with a large enough display ad partner to be able to reach these types of ad recipients , making the investment of time and resources to upgrade your privacy positioning, and avoiding over-personalization with display ad creative.

I look forward to sharing more with you in the future about this exciting topic, and welcome your comments or questions. Learn more about Experian Digital Advertising Services.

For the brands:  Understanding the anti-phishing ‘takedown’ process

A phishing ‘takedown’ is when a brand owner requests that a website hosting provider or ISP remove the website domain that is being used for phishing on their network. Akin to a good mixed martial artist’s takedown technique, the best phishing takedown advice is to do it as quickly and forcefully as possible because the main impact of a phishing campaign takes place within 24 hours of the email being sent. In most cases, a brand is better off using one of the professional service providers who specialize in these requests and have pre-existing relationships with global networks rather than trying to identify and reach out to the networks themselves. The Anti-Phishing Working Group (APWG) has authored an excellent white paper on this topic which can be found online here. Contact the APWG directly for more information on a list of their members who provide these takedown services or refer to their membership directory online here.

For the corporate employee (or consumer):  don’t get ‘spear phished’

According to IBM research, while overall phishing attempts are down from past years, ‘spear phishing’,  or phishing emails that are personalized to specific users or to domain name recipients, have dramatically increased in the past year. The goal of these types of campaigns is not to collect the recipients’ personal or financial information as with most consumer phishing attempts, but rather to get a user to click on a link so a software program can be downloaded to the users’ machine. Afterwards, the criminals will use this software program to install what’s called a ‘keylogger’ program to collect user names and passwords to various types of accounts, which often times includes web-based access to corporate databases where the criminals can easily steal intellectual property or otherwise make use of the corporate network. InformationWeek describes these types of these attacks in detail online here. In some cases, these emails will appear to be sent from current or former colleagues whose names were harvested off business directory websites. Examples such as ecards are regularly abused due to their innocuous nature.  If you ever receive an unexpected e-card or odd link from a current or former colleague, whether by email or IM, then it is immediate grounds for suspicion.

For everyone: some easy tips to avoid getting phished

Identify the real ‘sender’: Most of the time, an email recipient simply looks at the friendly ‘from’ address to see the name or domain name of the sender. This is what the phishers rely upon – that users don’t check what the actual sending domain name is behind what’s visible by default in the message. Every email program, including Microsoft Outlook, enables users to easily see the real ‘transmission’ domain name the message is being sent from, which often times is completely unrelated to the domain name in the visible ‘from’ address.  To do this in Microsoft Outlook, users can simply open an email and click the  icon in the middle of the top-header of email message. This will open up a ‘Message Options’ box which will show the true message transmission information and include the transmission domain name that reveals who really is the sender. As you can see from the below example, the friendly ‘from’ address from this corporate email includes a shortened corporate domain name ‘chtah.com’ while the transmission information includes the full transparent corporate domain name of ‘cheetahmail.com’. In this case, a user may not easily recognize the visible ‘from’ domain, but would easily recognize the “Received:from” sending transmission domain name. With a phishing campaign, it’s the “Received:from” sending transmission domain name that will either be from an ISP (usually associated with a foreign top level domain name like ‘example.ru’ for Russia) or another domain name that is unrecognizable to the recipient.   In either case, it will not reflect the same brand or domain name used by the phisher because they do not have the technical rights to use this domain for email transmission purposes.

To be sure, check the ‘whois’ record: If you are ever unclear about the domain name that is listed in the ‘from’ or the ‘Received:from’ address, then the easiest way to validate its legitimacy is to check the public record ‘whois’ database listing the respective owners of the domain name. The most comprehensive whois database is hosted by Network Solutions and can be found online here. Other than a reference to the official corporation name and address, the main thing to look for is whether the domain name was registered within the prior days or week. Almost all phishing domains are registered within  a week of the phishing email being sent. Even if the corporation is not listed or it’s hidden by a ‘proxy’ registration, the date when the domain name was registered is always publicly referenced and is the most important factor to raise suspicion.

Even without seeing the new Messages user interface and only seeing ‘Zuck’ and ‘Boz’ demonstrate a portion of it yesterday, it seems apparent that the Facebook email application is not a ‘Gmail killer’ or intended to be competitive with any full-fledged email client webmail or software program. But what it does have that no one else has captured is the notion of a truly personalized messaging platform.

However, my wake-up moment on the webcast yesterday was when they disclosed that any user can change their privacy settings to restrict emails just to their friends, friends of friends, or everyone. More importantly, should the user tighten their settings to exclude everyone, Facebook will bounce all emails from that sender to that user. In other words, if a marketer does not have a ‘fan’ or ‘friend of friend’ relationship with that user, then they should assume the address will bounce.

It is important to note that there apparently will not be a ‘junk’ or ‘spam’ folder for these unrelated messages to be filtered into, just an ‘other’ folder that isn’t designed to be a ‘reputation’ or anti-spam filter since all emails from unrelated senders will just bounce away. There is no ISP ‘Batphone’ when trying to resolve deliverability to ‘friends’, so even the most experienced and skillful deliverability team in the world won’t be of much assistance with most Facebook deliverability problems.

The clear conclusion from this is that marketers should not attempt to collect an @facebook.com email address without making a strong effort to first ensure that the user is a ‘fan’ or logs in through Facebook Connect.   This should require Facebook-specific language on the email registration or transaction page, or most certainly on the post-registration or transaction page. Because if you don’t do something to befriend these users, then your ‘Messages’ may not get there at all.

Here’s a personal story about why it doesn’t make a lot of sense to bounce remove after the first attempt.

I purchased my personal domain name in 1998 and have used it for select personal email relationships ever since. I had a problem with my domain registrar a couple years ago that involved them accidentally expiring my domain without notifying me. It then took weeks to get it fixed. In the meantime, all personal email to me hard bounced. Some of my most important contacts reached out to me through other channels, a few even sending snail mail informing me of the bounced email.

While this situation is rare, it is just one of many reasons why emails hard bounce and yet will be valid once again in short order.

In the past, ISPs used to focus on hard bounces as a critical anti-spam metric. With today’s sophisticated filters focused primarily on complaints and other data, very few ISPs see a reasonable (<5%) hard bounce rate as an indicator of spam as long as the other performance metrics are also in line with legitimate email.

Some additional tips when considering bounce removal rules:

1. Every ISP is different, therefore a liberal bounce rule at less sophisticated ISPs (like those without real-time complaint data) could result in deliverability problems.
2. Re-mailing bounces again is not the same as ‘re-trying’ a message. If the address is invalid now, it likely won’t be valid again the same day or even a few days from now. Wait a week or more before re-mailing that user.
3. Never re-mail bounces more than a few months old. Some ISPs turn bad data into spamtraps, which are used as an anti-spam filter. In some cases, ISPs will share defunct addresses with 3^rd party blocklists like Spamhaus. In other cases, an ISP may recycle that address to another user.
4. If the relationship is really important (or if you have the resources), consider a personalized snail mail effort following a bounce. I was pleasantly surprised about the letters from my commercial relationships and valued those relationships even more as a result.