Email

Blogs

Marketo's Path to Being Acquired

Happy Early Memorial Day. Once an ESP or marketing automation company declares itself for sale, there seems to be a mass exodus by investors, which sends up a red flag (well, in this case, a red & white striped flag). This past week there were rumblings about the potential suitors for Marketo. While it is rumored that German company SAP is the front-runner, there are many other potential suitors circling the marketing automation software company. more»

Perfect Storm Brewing at ESPs Amidst Growing PowerMTA Admin Crisis

Sometimes, a software company is as much about people as it is about technology. Who says PowerMTA admins don't have influence? Not only are they the influencers of our brand [Port25], they are also the main influencers and decision-makers when it comes to purchasing decisions. more»

Macro Observations Facing Email Infrastructure

Last month I attended the 36th annual M3AAWG conference in San Francisco, where esteemed members of the online messaging and anti-abuse community come together to make the Internet a safer and more secure environment. The sending community is highly influential, especially among Email Service Providers (ESPs), and truly dominated the two macro conversations that I participated in. These conversations have the industry in somewhat of a transition. more»

Internet Governance Forum Publishes BPs on Regulation and Mitigation of Unsolicited Communications

The IGF this morning published a number of reports, including the aforementioned one, at the URL provided, titled 'IGF 2015 Best Practice Forum Regulation and mitigation of unsolicited communications.' The reports can be found in the included URLs on the IGF Website. more»

What's ARC?

DMARC is an anti-phishing technique that AOL and Yahoo repurposed last year to help them deal with the consequences of spam to (and apparently from) addresses in stolen address books. Since DMARC cannot tell mail sent through complex paths like mailing lists from phishes, this had the unfortunate side effect of screwing up nearly every discussion list on the planet. Last week the DMARC group published a proposal called ARC, for Authenticated Received Chain, that is intended to mitigate the damage. What is it, and how likely is it to work? more»

Logjam, Openssl and Email Deliverability

RHEL6/Centos6 (and presumably RHEL7/Centos7) machines with the latest openssl packages now refuse SSL connections with DH keys shorter than 768 bits. Consider RHEL6 sendmail operating as a client, sending mail out to a target server. If the target server advertises STARTTLS, sendmail will try to negotiate a secure connection. This negotiation uses openssl, which will now refuse to connect to mail servers that have 512 bit DH keys. The maillog will contain entries with "reject=403 4.7.0 TLS handshake failed". more»

The Cycle of E-Mail Security

Stepping back from the DMARC arguments, it occurs to me that there is a predictable cycle with every new e-mail security technology... Someone invents a new way to make e-mail more secure, call it SPF or DKIM or DMARC or (this month's mini-fiasco) PGP in DANE. Each scheme has a model of the way that mail works. For some subset of e-mail, the model works great, for other mail it works less great. more»

Rodney Joffe Wins a Well-Deserved Mary Litynski Award

Every year M3AAWG gives an award for lifetime work in fighting abuse and making the Internet a better place. Yesterday at its Dublin meeting they awarded it to Rodney Joffe, who has been quietly working for over 20 years. I can't imagine anyone who deserves it more. more»

Facebook and PGP

Facebook just announced support for PGP, an encrypted email standard, for email from them to you. It's an interesting move on many levels, albeit one that raises some interesting questions. The answers, and Facebook's possible follow-on moves, are even more interesting. The first question, of course, is why Facebook has done this. It will only appeal to a very small minority of users. Using encrypted email is not easy. more»

M3AAWG & i2Coalition Collaborate on Best Practices on Anti-Abuse in Hosting & Cloud Environments

I am excited to announce the recent release of the industry-first Best Common Practices document for Cloud and Hosting providers for addressing abuse issues that was created by M3AAWG and the i2Coalition. M3AAWG has been collaborating with the Best Practices Working Group of the i2Coalition over the past 2 years to discuss ways to solve malicious activity within hosting and cloud ecosystems. more»

End-to-End Email Encryption - This Time For Sure?

Phil Zimmermann's Pretty Good Privacy (PGP) and its offspring have been encrypting and decrypting email for almost 25 years -- but require enough knowledge and determination to use them that adoption has never taken off outside the technoscenti. Now initiatives from several quarters aim to fix that -- but will it all "just work," and will end users adopt it even if it does? more»

Who Is Sending Email As Your Company?

You might expect that the IT department or security team knows who's sending email using your company's domains. But for a variety of reasons these groups are often unaware of many legitimate senders -- not to mention all the bad actors. Fortunately you can get a more complete view by using DMARC's reporting features. How does it happen? Product teams managing a new product launch or customer survey hire marketing consultants and Email Service Providers (ESP)... more»

When DNSBLs Go Bad

I have often remarked that any fool can run a DNS-Based Blacklist (DNSBL) and many fools do so. Since approximately nobody uses the incompetently run black lists, they don't matter. Unfortunately, using a DNSBL requires equally little expertise, which becomes a problem when an operator wants to shut down a list. When someone sets up a mail server (which we'll call an MTA for Mail Transfer Agent), one of the tasks is to configure the anti-spam features, which invariably involves using DNSBLs. more»

Email Vendors: Time to Build in DMARC

DMARC is extremely useful, yet I've heard some vendors are putting their implementations on hold because of the IETF DMARC working group. You really shouldn't wait though -- it's been in wide use for nearly three years, enterprises are looking at DMARC for B2B traffic, and the working group charter is limited in its scope for changes. Let's compare this to a similar situation in the past. more»

The EFF and Hanlon's Razor

The EFF has just posted a shallower than usual deeplink alleging an "email encryption downgrade attack" by ISPs intent on eavesdropping on their customers. They, along with VPN provider Golden Frog, have additionally complained to the FCC reporting this. Here, they've just noticed something that's common across several hotel / airport wifi networks... more»

News Briefs

Security Firm Recovers Over 272 Million Stolen Credentials from a Collector

U.S. House of Representatives Passes H.R. 699, the Email Privacy Act

Internet Infrastructure Coalition (i2Coalition) Joins M3AAWG to Reduce Hosting Industry Abuse

In Memory of Ray Tomlinson, April 23, 1941 - March 5, 2016

Email More Secure Today Than Two Years Ago, Research Suggests

Group Working on Securing Email Using DNS

Dave Crocker and John Levine Discuss Current Dealings With Spam (Video)

FBI Pushing Plans to Force Surveillance Backdoors on Social Networks, VoIP, and Email Providers

Iran Blocks HTTPS, 30 Million Reported Losing Email Access

Happy Canada Day from the CRTC

Chinese Newspaper Warns Google Against Playing a Risky Political Game

New Anti-phishing Initiative Introduced by Yahoo!

Google: China Interfering with Gmail and Attempting to Conceal the Act

Microsoft, Federal Agencies Take Down Rustock Botnet

Conflict Over Efforts to Develop a Best-Practices Document for Blacklist Operators

Canadian "Fighting Internet and Wireless Spam Act" Introduced Into the House of Commons

Spamhaus Uncovers Fake DNSBL: nszones.com

German High Court Says No to Retaining Telecom, Email Data for Tracking Criminal Networks

A Word of Warning About Your Haiti Charity Donations

Addressing Search Engine, Website, and Provider Accountability for Illicit Online Drug Sales

Port25 Updates – Sponsor

An Update on Port25 and the Future of PowerMTA - One Year Later

The following is written by Juan Altmayer Pizzorno, the original author of PowerMTA. Pizzorno has been developing email server software for over 25 years and currently serves as Sr. VP of Research & Development at SparkPost. He co-founded and was CTO of Port25 Solutions. ›››

Encrypting Inbound and Outbound Email Connections with PowerMTA

Encryption is becoming increasingly necessary when transferring data across the internet, and email is no different. In PowerMTA 4.5 and later there are several methods to encrypt both inbound and outbound connections. Here we'll provide a quick overview of how they may be achieved. Keep in mind, this document only deals with encrypting the channel, not the content. ›››

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

With more than 8,000 platform users, 85 percent of which are brand-name retailers, reaching out to 110M US households, V12 needed an MTA (Messaging Transfer Agent) that would execute high delivery rates, offer more control, and easily enable the latest authentication protocols. ›››

PowerMTA Now Offers Scheduled Delivery Control

In PowerMTA v4.5 and later versions messages can now be scheduled for delivery. The feature allows for scheduling multiple delivery windows. ›››

DKIM for ESPs: The Struggle of Living Up to the Ideal

Given the increase in email fraud (phishing) and an increasingly complex email landscape, it is increasingly important for email service providers to implement email authentication properly. ›››

Reactivation Campaign: Shared vs. Dedicated IPs

Within the digital messaging industry, an opportunity will sometimes arise for an email marketing manager to send a re-activation campaign to dormant email addresses, in order to galvanize subscribers who don't respond to your messaging. ›››

To Where are Bounce Messages Sent?

This seems to be one of the greatest mysteries to new postmasters. It can be confusing as the messages go to the SMTP MAIL FROM address, which can be different from, or the same as the from header. The key to understanding bounces (sometimes referred to as DSNs, Delivery Status Notifications or NDRs, Non-Delivery Reports) is that they should always be sent to the SMTP MAIL FROM address. Some mail platforms may not adhere to this rule, but most do. ›››
