For the brands:  Understanding the anti-phishing ‘takedown’ process

A phishing ‘takedown’ is when a brand owner requests that a website hosting provider or ISP remove the website domain that is being used for phishing on their network. Akin to a good mixed martial artist’s takedown technique, the best phishing takedown advice is to do it as quickly and forcefully as possible because the main impact of a phishing campaign takes place within 24 hours of the email being sent. In most cases, a brand is better off using one of the professional service providers who specialize in these requests and have pre-existing relationships with global networks rather than trying to identify and reach out to the networks themselves. The Anti-Phishing Working Group (APWG) has authored an excellent white paper on this topic which can be found online here. Contact the APWG directly for more information on a list of their members who provide these takedown services or refer to their membership directory online here.

For the corporate employee (or consumer):  don’t get ‘spear phished’

According to IBM research, while overall phishing attempts are down from past years, ‘spear phishing’,  or phishing emails that are personalized to specific users or to domain name recipients, have dramatically increased in the past year. The goal of these types of campaigns is not to collect the recipients’ personal or financial information as with most consumer phishing attempts, but rather to get a user to click on a link so a software program can be downloaded to the users’ machine. Afterwards, the criminals will use this software program to install what’s called a ‘keylogger’ program to collect user names and passwords to various types of accounts, which often times includes web-based access to corporate databases where the criminals can easily steal intellectual property or otherwise make use of the corporate network. InformationWeek describes these types of these attacks in detail online here. In some cases, these emails will appear to be sent from current or former colleagues whose names were harvested off business directory websites. Examples such as ecards are regularly abused due to their innocuous nature.  If you ever receive an unexpected e-card or odd link from a current or former colleague, whether by email or IM, then it is immediate grounds for suspicion.

For everyone: some easy tips to avoid getting phished

Identify the real ‘sender’: Most of the time, an email recipient simply looks at the friendly ‘from’ address to see the name or domain name of the sender. This is what the phishers rely upon – that users don’t check what the actual sending domain name is behind what’s visible by default in the message. Every email program, including Microsoft Outlook, enables users to easily see the real ‘transmission’ domain name the message is being sent from, which often times is completely unrelated to the domain name in the visible ‘from’ address.  To do this in Microsoft Outlook, users can simply open an email and click the  icon in the middle of the top-header of email message. This will open up a ‘Message Options’ box which will show the true message transmission information and include the transmission domain name that reveals who really is the sender. As you can see from the below example, the friendly ‘from’ address from this corporate email includes a shortened corporate domain name ‘chtah.com’ while the transmission information includes the full transparent corporate domain name of ‘cheetahmail.com’. In this case, a user may not easily recognize the visible ‘from’ domain, but would easily recognize the “Received:from” sending transmission domain name. With a phishing campaign, it’s the “Received:from” sending transmission domain name that will either be from an ISP (usually associated with a foreign top level domain name like ‘example.ru’ for Russia) or another domain name that is unrecognizable to the recipient.   In either case, it will not reflect the same brand or domain name used by the phisher because they do not have the technical rights to use this domain for email transmission purposes.

To be sure, check the ‘whois’ record: If you are ever unclear about the domain name that is listed in the ‘from’ or the ‘Received:from’ address, then the easiest way to validate its legitimacy is to check the public record ‘whois’ database listing the respective owners of the domain name. The most comprehensive whois database is hosted by Network Solutions and can be found online here. Other than a reference to the official corporation name and address, the main thing to look for is whether the domain name was registered within the prior days or week. Almost all phishing domains are registered within  a week of the phishing email being sent. Even if the corporation is not listed or it’s hidden by a ‘proxy’ registration, the date when the domain name was registered is always publicly referenced and is the most important factor to raise suspicion.

• A subject line should be as short and descriptive as possible. The subject line should be informative and true. If your from name and address are not branded, the subject line should also provide assurance that the email comes from a trusted source. A general rule of thumb is to keep subject lines between 30-50 characters.
• A strong offer can be put right in the subject line. Evaluate your content to understand the likelihood of your message hitting spam filters, particularly if a high percentage of your list is at corporate domains. Corporate domains rely more on phrases or words that have been “tainted” by the spamming community. The major web-based email clients focus on your reputation more than your content.
• The from name and address can be as important as the subject line. A strong offer can be put right in the subject line, but it is important to use punctuation and grammar carefully to ensure that you are not perceived to be a spammer by the receiving ISP.
• The ‘from’ name and subject line should work in tandem. The ‘from’ line should communicate who you are as the sender. Do your best to not change this entry frequently and make it recognizable so that recipients understand that the email was sent by a reliable source.
• If you are cross promoting a sister brand, use the subject line to introduce the sister brand and do not change the ‘from’ address of the originally subscribed-to brand. Any other ‘from’ address is likely to increase complaints. For more information on cross promoting sister brands, please see our recent post on promoting sister brands.

That said, spammers use various tactics to fool people into opening their emails. Spammers often use words that announce a big incentive or urgency. We suggest testing certain keywords or alternative words to optimize your subject lines.

• Some key words and phrases such as “act now,” “trial,” “quote,” and “guarantee” can be tested against “complimentary,” “estimate,” “be our guest,” and “giveaway.”
• While “Free” performs well in subject lines (see Experian CheetahMail’s Free Shipping Report) you might try using “our treat” or “on the house” to see what works best for your brand.
• Avoid excessive punctuation — exclamation points, multiple periods (…), dollar signs ($$), etc.
• In the past putting full words in ALL CAPS was considered equivalent to shouting. Using all caps is a practice used by spammers. Test the use of all caps and monitor any drops in open rates potentially due to filtering.
• Using ‘Re:’ at the beginning of a subject line falsely leads the recipient to think the email is a reply to a previous email. This is a misleading tactic. This tactic is not CAN-SPAM compliant and creates a poor customer experience. If the recipient feels duped into opening an email, you might see an increase in abuse rates or unsubscribe requests.

Just a few little words/phrases in your subject line can make or break the success of your email marketing campaign, not just by impacting open rates but affecting deliverability too. To learn what works best, test. Following these subject line best practices can save your client from losing both excellent reputation and good subscribers.

• Now is the time to emphasize the “please add us to your address book” requests and instructions during the email registration process and in welcome emails. Not only will you get added to user whitelists which overrides ‘junk’ or ‘spam’ folder delivery, but also recipient response rates should be better, as well as brand perception, because images are displayed by default. A new trend for marketers is to consider sending a dedicated message solely to drive address book adoption in advance of the holidays. For example, “We are going to have some fantastic deals during the holidays. Add us to your address book to make sure you don’t miss them.” In light of the recent Facebook ‘Messages’ announcement, it is also now important to use such a dedicated email to request users become a ‘fan’ or ‘like’ your content.  [See example below]
• If you have a group of recipients who haven’t been mailed in a long time, before mailing them all at once, consider testing small segments to gauge complaint and bounce rates and make creative and segmentation adjustments with subsequent campaigns to ensure these metrics don’t become a risk to your overall messaging reputation.
• It is critical to maintain the same ‘from’ addresses and formulate subject lines that highlight the email’s ‘call-to-action’ and is not too ‘cheeky’ that it could be confusing or misleading to recipients where it may lead to user complaints.

In 2009, holiday email volume rose, increasing over  26% from the 2008 holiday season. We can predict this trend to continue for the 2010 holiday season meaning the ISPs will be working in overdrive to ensure all relevant and legitimate email is delivered into the Inbox while keeping out the large amount of true spam. Following these holiday best practices, and others such as maintaining ‘engaged’ users will help keep your clients’ IP reputation strong, your Inbox delivery rates high, your targeted customers happy and ultimately your revenue numbers up.

Even without seeing the new Messages user interface and only seeing ‘Zuck’ and ‘Boz’ demonstrate a portion of it yesterday, it seems apparent that the Facebook email application is not a ‘Gmail killer’ or intended to be competitive with any full-fledged email client webmail or software program. But what it does have that no one else has captured is the notion of a truly personalized messaging platform.

However, my wake-up moment on the webcast yesterday was when they disclosed that any user can change their privacy settings to restrict emails just to their friends, friends of friends, or everyone. More importantly, should the user tighten their settings to exclude everyone, Facebook will bounce all emails from that sender to that user. In other words, if a marketer does not have a ‘fan’ or ‘friend of friend’ relationship with that user, then they should assume the address will bounce.

It is important to note that there apparently will not be a ‘junk’ or ‘spam’ folder for these unrelated messages to be filtered into, just an ‘other’ folder that isn’t designed to be a ‘reputation’ or anti-spam filter since all emails from unrelated senders will just bounce away. There is no ISP ‘Batphone’ when trying to resolve deliverability to ‘friends’, so even the most experienced and skillful deliverability team in the world won’t be of much assistance with most Facebook deliverability problems.

The clear conclusion from this is that marketers should not attempt to collect an @facebook.com email address without making a strong effort to first ensure that the user is a ‘fan’ or logs in through Facebook Connect.   This should require Facebook-specific language on the email registration or transaction page, or most certainly on the post-registration or transaction page. Because if you don’t do something to befriend these users, then your ‘Messages’ may not get there at all.

Here’s a personal story about why it doesn’t make a lot of sense to bounce remove after the first attempt.

I purchased my personal domain name in 1998 and have used it for select personal email relationships ever since. I had a problem with my domain registrar a couple years ago that involved them accidentally expiring my domain without notifying me. It then took weeks to get it fixed. In the meantime, all personal email to me hard bounced. Some of my most important contacts reached out to me through other channels, a few even sending snail mail informing me of the bounced email.

While this situation is rare, it is just one of many reasons why emails hard bounce and yet will be valid once again in short order.

In the past, ISPs used to focus on hard bounces as a critical anti-spam metric. With today’s sophisticated filters focused primarily on complaints and other data, very few ISPs see a reasonable (<5%) hard bounce rate as an indicator of spam as long as the other performance metrics are also in line with legitimate email.

Some additional tips when considering bounce removal rules:

1. Every ISP is different, therefore a liberal bounce rule at less sophisticated ISPs (like those without real-time complaint data) could result in deliverability problems.
2. Re-mailing bounces again is not the same as ‘re-trying’ a message. If the address is invalid now, it likely won’t be valid again the same day or even a few days from now. Wait a week or more before re-mailing that user.
3. Never re-mail bounces more than a few months old. Some ISPs turn bad data into spamtraps, which are used as an anti-spam filter. In some cases, ISPs will share defunct addresses with 3^rd party blocklists like Spamhaus. In other cases, an ISP may recycle that address to another user.
4. If the relationship is really important (or if you have the resources), consider a personalized snail mail effort following a bounce. I was pleasantly surprised about the letters from my commercial relationships and valued those relationships even more as a result.