DomainKeys – spammer’s new BFF?

My pet peeve is Yahoo!’s ability (or lack thereof) to filter spam effectively because even legitimate emails using DomainKeys Identified Mail (DKIM) are being routed to the spam folder while spam’s going to my Inbox. As if this wasn’t bad enough, even spammers have started using DKIM, thereby rendering this authentication method useless.

The way DKIM works is that it allows verification of the domain that an email originated from, so a spammer can’t use a fake email address. However, this system is seriously flawed as I realized recently because now even spammers use it. Here’s an example:

Both Yahoo and Google use DKIM email authentication protocol to ensure legitimate emails are delivered but spam is blocked. But if this protocol is so easy to manipulate that even spammers have started using it,  then what’s the point of authentication?

What’s up with Facebook (virus)?

I walked into work (my real job) this morning and found a warning from the corporate information security team in my Inbox. They had verified reports of a worm virus spreading via Facebook related emails.  

As I’ve realized since, the problem isn’t just confined to ’related emails’, these are malicious emails within the Facebook system. The link takes to a website to look at a video clip. If you, the user tries to watch it, a message appears saying that they need to install the latest version of Flash Player in order to watch the clip. Unfortunately, by the time I received this warning, I had already received such an email in my Facebook  Inbox from a co-worker. I am so embarassed to even admit this, but yes, I did click on the link. So when I got this email from the security team, I did a virus scan, it detected and deleted the ‘Koobface’ virus.

I am extremely paranoid when it comes to online security and highly unlikely to click on anything if it’s even remotely suspicious, regardless of whom it came from. If I had received that email via Outlook or Gmail or Yahoo! mail, I would have deleted it right away. However, I was completely fooled by that, this email came from a trusted source and came to the one place that I thought was ’safe’ – the FaceBook Inbox.

What ticked me off most of all in this sordid saga on a monday morning is that I couldn’t find any mention of this email security threat, anywhere on Facebook. There’s no warning or any kind of information related to this. Would it really have been that difficult to put a note in everyone’s Inbox that there’s a virus threat and not to click any links even if the email is from someone you know?

What’s also extremely disturbing is that if the user accounts can be manipulated to send out malicious viruses to other other accounts, how secure is the Facebook platform?

But questions around Facebook platform vulnerability aside, first things first – make sure you update your virus definitions and run a complete virus system scan. And lastly, don’t trust anyone…I mean don’t trust any emails with links no matter where they originate.

UPDATE: Here’s more information from Mashable on the latest phishing scams on Facebook.

Why Yahoo! mail sucks

One of my pet peeves is why companies who have been around a long time are still unable to get the basics right. A great example is Yahoo! mail that,  even after 11 years of being in existence, can’t distinguish between legitimate emails and spam. It’s annoying enough when tons of junk mail gets routed to your inbox but the last straw is when legitimate emails get sent to your spam folder.

This interview with Mark Risher, anti-abuse product manager for Yahoo Mail in Network World on introduction of DomainKeys Internet Mail, as the standard for authentication, back in February makes it sound like the greatest invention since sliced bread. I found that there’s more truth in the comments than in the interview itself. 

This technology is something we felt would be very helpful for receivers so we can confer special privileges to a message. For this other message that lacks a signature, we can penalize it. We can treat it with more suspicion and run it through additional filters.

Yes, authentication of emails sound great in theory, the assumption being that Yahoo! system can identify the authentified piece of mail. But when their own mail system can’t distinguish between authentified mail and spam, what’s the point?

The incident that inspired my post today was an email I received from another Yahoo! mail user, a friend of mine who was responding to my previous email, and guess what?! His email was DomainKeys authentified and yet, it ended up in the spam folder. If I hadn’t checked my spam folder I would have missed the email with his flight details and would have left him stranded at the airport.

That’s why theory doesn’t always add up to reality and that’s where Gmail atleast has its basics right. Gmail system is smart enough to identify and compile emails in the same thread so subsequent emails in the same thread don’t get blocked. I mean, the fact that I’ve responded to a given email address multiple times should render it kosher.

That being said, how much can one expect from a free mail service but wait a minute…Gmail’s free and it’s not even out of Beta yet (which is curious, why is it still in Beta?). From what I’ve heard, the paid business mail hosted by Yahoo! has even worse spam filters, resulting in more spam than the free account, so much for paying for better service.

And as if it couldn’t get any worse, for the last few months, it’s been nearly impossible to log in to the mail account. You keep trying and trying, and you can see your emails in the tiny box on My Yahoo page but you can’t get to them. Yahoo! mail is supposed to be the third-most popular site according to Hitwise, a number which is no doubt helped by frustrated users who have to keep visiting the site multiple times because it’s so friggin darn impossible to get in.

Here’s how not to do email marketing

I started the week, raving about how TiE did a good job of leveraging WOM in email marketing. It’s ironic that I am ending the week with a stunning example of how NOT to do email marketing.

To say that I’ve never been a big fan of Sears is an understatement. In my haste to find the best bargain exercise equipment, I managed to get suckered into signing up for their credit card. They have a few good people in their stores, but their processes and (phone) customer service are terrible.  It takes hours to get anything resolved or even a basic question answered. If you sign up for their credit card, rest assured, you will be on a gazillion telemarketing and mailing lists. So when I got this email from them, needless to say, I was very ticked off.  

Who the heck is Donna Robinson? I knew that it couldn’t be spoof, because even scamsters would have atleast gotten my name right. A few minutes later, I got an apology email claiming that this was indeed a legitimate email.

We apologize for the confusion this may have caused and want to assure you that the email is a legitimate Sears card email.

If you have any questions, please call the Customer Service number on the back of your card.

I don’t get it. It’s bad enough that they spammed with someone else’s name, but why not provide a #800 number in the follow up email for me to call them? I am already irate, why make it worse by making me hunt for their phone number? The email also had the last 4 digits of my card number, so that raises even more concerns about privacy and identity theft. But there were no reassurances forthcoming from the (obviously) hastily crafted email.

This highlights yet another reason why I don’t give two hoots about what technology or super-duper tool companies use to do their online marketing, there’s no substitute for good old-fashioned doing-it-right-the-first-time. And if you get it wrong, own it and fix it. And ‘fix it doesn’t mean a shoddy email.

In the Silicon Valley bubblesphere, we’re always evangelizing the latest and greatest technologies and tools. All of which are useless, if companies are still struggling with the basics – you know, like getting their customer’s name right.

Update:

I just read Seth Godin’s post on how someone from Forbes spammed him and didn’t even pretend it was a personal note. Here are his thoughts on spam,

The end result of spam (email spam, blog spam, Twitter spam, Squidoo spam, comment spam, phone spam, politician spam) is that it eats away at your brand. If you don’t have a brand, you might make some short term cash but it gets tiresome creating annoyance everywhere you go. If you do have a brand, a brand like Forbes, say, you don’t notice the brand erosion… until it’s too late.