March 31, 2005

The Testimony of a Customer

I’ve been reading a lot over the last few weeks about “customer evangelists”, “citizen marketers”, and the like. The basic thrust of the reading has been about turning happy customers into folks who will go out and shout to the world about how great your company is.

Partly I think this is great because by definition you have to be making a lot of customers happy before you’ll reach the few who will really make some waves on your behalf. And while I believe that there is good intent behind the discussions, part of it seems disingenuous. Forced, almost. Maybe I'm just jaded.

Webmail.us Testimonials

There were a lot of things that I liked about Webmail.us before I started here. Not least of which was a great page full of testimonials. I remember reading the one from MacGurus.com where they talked about actually being kicked off of other email providers because their domain was the victim of so much spam. Between that and the demo, I knew that the basic product was excellent.

We have an unofficial policy about testimonials here: if someone sends us an email to support thanking us profusely for our help, we ask if they would be willing to contribute a testimonial. If they send one in, I proofread it. I make minor spelling and wording changes and have a web developer post it. Fairly simple & we try not to force someone to feel something if they haven’t already expressed a lot of happiness.

Think we ought to do it differently or have a suggestion? Email me!

What Makes A Really Happy Customer

I spent more hours than I care to admit surfing blogs one week not too long ago. I had made a PubSub feed on the words “customer service”. I read through everything it hit—hundreds of items. My goal was to find patterns of root causes of customers’ reactions to customer service experiences. Here is what I can share, in order of importance:

#1 Successfully resolving the problem

#2 Meeting explicit or implied commitments

#3 Responding in a context-appropriate amount of time

Other things like politeness, for example, only seemed to be mentioned if one of these core things stood out as really good or really bad.

So the extremely happy customers come from going beyond the scope of the problem, from exceeding commitments, and from responding more quickly than a customer expected.

We’re working now to make sure we have extremely happy customers!

-Kirk

March 22, 2005

Email Chain Letters & Urban Legends

Today I received a copy of an email that said I would be paid hundreds of dollars if I forwarded the message to a bunch of people. It claimed to be real, to have been on the nightly news, and to have been on a 2-page spread in USA Today.

If only.

My favorite website to visit to check out various myths as fact or fiction is http://www.snopes.com. And I’m sorry: they now have a few ads. Of course, the banner ad they had was for Mythbusters on the Discovery Channel—an awesome show.

Anyway, I’ve used Snopes for years and have found it to be very thorough and accurate. Every now and then, I check something out that I think is a myth and find it to be partly true. Maybe this site will be useful to you, too. It’s fun just to poke around and see what myths are out there!

-Kirk

March 21, 2005

More Phishing In The News

Here's a good article about the impact of phishing on small businesses: http://www.messagingpipeline.com/159903381.

It includes lots of interesting pie charts with survey results from small businesses.

-Kirk

March 18, 2005

Webmail 3.1 - Improvements & Bug Fixes

On Monday of next week there will be a complete press release about this (subscribe to that RSS feed here). But I thought I’d give a little preview to blog readers.

Product Improvement Requests

We love getting product improvement requests! It’s a sign that our customers like our product well enough to give feedback and believe (correctly) that we’re the sort of company who will do what it can to make things better. That being said, some improvement requests people send to us are really bugs that have to be addressed immediately, and they are.

But a lot of other fixes and improvements are more optional. We’ve lumped a bunch of these together and are releasing them together as Webmail 3.1.

Fixes and Improvements

One of our biggest requests was to have an easy way to flag a message as spam or as non-spam (good). Now you just view the email and click “Trust Sender” or “Report Spam” and you’re done!

Some other changes are:
· Full support for the Safari web browser on Macs
· Small tweaks to improve support on the Firefox and Netscape web browsers
· Speed enhancements
· View plain text attachments inside Webmail
· Shift-click to select multiple emails
· Auto-complete now optional
· More message sorting options
· Better signature customization support

There are more than 30 total fixes and improvements.

When

Well, the 1-click demo will soon be version 3.1 if you just want to give it a quick peek later tonight. On Monday all new mailboxes that are created will default to 3.1 since the changes aren’t all that noticeable for most people. We’ll be moving everyone else to 3.1 over the next month or so.

Testing

We’ve been testing 3.1 internally for quite a while and haven’t had any issues. Our support email account has been using it—high volume with lots of attachments—and things have been good. The speed enhancements really help for users with a lot of email.

Enjoy!

-Kirk

March 14, 2005

Follow-up To Domain Name Fraud

So almost a month ago I sent an email to ILSCorp in response to a domain name scam letter they sent to me. Despite their website's promise of a 2-day turnaround on email, I just received a reply yesterday. Go to my old entry's comment section if you want to read what they sent to me.

[2:24pm] Rather than make you skim past the old post down to the comments, here is what they said:

"ILS is a search engine ranking and submission services firm. We do not provide domain name, web hosting or email services. We apologize for any confusion."

You would think that after waiting 4 weeks for my question to be answered, they could give me more than three sentences. Oh well.

-Kirk

Pharming: Worse Than Phishing

I wrote about phishing a few days back. It’s all about redirecting a user to a real-looking website and asking for personal information.

There is a worse form of the same trick called pharming. Pharming works by playing a nasty trick with a core Internet protocol called Domain Name Service or DNS.

DNS

Generally speaking, computers on the Internet have what’s known as an IP address. This is a set of 4 numbers separated by dots/periods (like 192.168.100.47). When computers communicate on the Internet, they rely on IP addresses that are unique worldwide to get a message from one computer to another.

Most people would have a hard time remembering the IP addresses of their favorite 10 places on the Internet. Enter DNS. DNS translates a name like “www.webmail.us” into an IP address that will work on the Internet. So we can all use these names instead of IP addresses. But our email programs and our web browsers and every other Internet-aware program we have really rely on IP addresses to do their work for us.

Poisoned DNS

What if someone reprogrammed DNS so that when a whole bunch of computer users typed in www.bigfacelessbankwithallmymoney.com they were given the IP address of a real-looking but fake website? The users might never know because we hardly ever look at IP addresses directly. The scammer running the website could collect personal information from hundreds or thousands of unwitting victims.

How DNS Can Get Poisoned

DNS, like any complicated thing, has a lot of steps required to make it work. There are hosts files on every computer that can be reprogrammed, so a computer virus or trojan that affected hosts files could do a lot of harm. These same malicious programs could change the listing of DNS servers that a computer uses to look up names and IP addresses; the computer would then be asking the wrong servers to translate the names.

If a cracker broke into the DNS servers of a major ISP, hundreds of thousands of computers would be asking for the IP addresses of banks and online retailers from compromised servers. Worse yet, there is a group of DNS servers that are the backbone of the DNS system: the root DNS servers. If these were to ever be compromised, users all over the world would soon find that they were giving personal information to complete strangers.

Unfortunately there are a dozen other ways for DNS to get poisoned.

What You Can Do

Keep your anti-virus program up to date and scan your computer for viruses regularly. Use anti-spyware software, too. Microsoft has a program out there for free or use Spybot Search & Destroy or Ad-aware or any of a dozen other decent programs. These will all help keep your computer free from the malicious programs that might poison the DNS on your computer.
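A local check for the hosts-file tampering described above, as an added example that is not part of the original post: it parses hosts-file text and reports every public-looking name that has been pinned to an address, since those entries silently override DNS. The sample file contents and the list of local suffixes are constructed assumptions.

```python
import ipaddress

# Constructed hosts-file content; the bank name is the post's own made-up example.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan        # local device
203.0.113.66    www.bigfacelessbankwithallmymoney.com bigfacelessbankwithallmymoney.com
0.0.0.0         ads.tracker.example
not-an-ip       www.example.org
"""

LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".internal")  # assumed local naming

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for entries that override public DNS."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(entry) < 2:
            continue  # blank, comment-only, or address without names
        addr, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, names[0], "malformed address"))
            continue
        for name in (n.lower().rstrip(".") for n in names):
            if "." not in name or name.endswith(LOCAL_SUFFIXES):
                continue  # single-label and local names are expected here
            if ip.is_loopback or ip.is_unspecified:
                reason = "public name sinkholed (ad blocker or tampering)"
            else:
                reason = "public name pinned to fixed address"
            findings.append((line_no, addr, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine the text would come from `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`; any finding for a bank or retailer name deserves a closer look.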

As for DNS poisoning at our ISPs and the root servers…well, we just have to hope that the network professionals who manage those servers stay ahead of the bad guys. So far, this has mostly held true. And with pharming making more and more news, network managers will be more vigilant than ever.

-Kirk

March 03, 2005

Sender Policy Framework (SPF) Helps Stop Spam & Phishing

Spammers, like everyone else who sends email, have to send their email out using a computer that knows how to act as an email server. You and I use the outgoing (SMTP) mail server of our email provider or our local Internet Service Provider (ISP). But ISPs and email providers block bulk mailings, so spammers have to find vulnerable computers on the Internet to hijack and use to forward their spam while using fake “From” addresses inside the email message to hide their real identities.

How it works

SPF can help with this in a big way because it helps to filter out the fake “From” addresses. SPF just means that an ISP has taken the time to add a few (easy) lines to their DNS servers that clearly state: “This is a list of Internet addresses on my system that are allowed to send email for this group of email addresses”.

So…if I get a message claiming to be from joebob4billion@aol.com, my anti-spam service can ask AOL if the computer that sent that message really is authorized to send email for AOL. If AOL says yes, then I continue on with my anti-spam checks.

But if AOL says no, then this email message is very likely to be a spam email or a phishing email.

Raising the bar

As with all forms of security, when SPF gains major acceptance, spammers will find a way to respond. They will work harder and be creative to find another way to accomplish their ends.

But for a little while the SPF bar will make a dent in their ability to send unsolicited email. The hope is that someday the bar will be high enough and cost enough that spammers can't make a profit selling the things they do now.

-Kirk

March 01, 2005

Phishing

I’m reading a lot about phishing lately. Phishing is when a Bad Person sends an email pretending to be from a company that we know and trust. The email usually encourages us to go to a familiar looking but fake website that asks for personal information. Credit card numbers, addresses, phone numbers, and Social Security numbers are the usual targets because these things help the Bad Person steal our identities and spend lots of money on our credit.

What To Do

There are several approaches that ought to be used together to prevent and identify phishing scams:

1. Filter out the phishing email before we have a chance to click on anything bad. Webmail.us does this for our customers (how could we do otherwise?). No such technology is foolproof, however. This is why we should use multiple techniques.

2. Education. My bank, eBay, Microsoft, and pretty much every respectable business out there will not ask for our passwords, credit card numbers, etc. unless we tell them we need something from them. It does not happen the other way around. If you know a business that really does send people such requests inside email messages: tell them to stop! They will confuse their own customers.

3. Get your computer up to date. Use windowsupdate.microsoft.com to get the latest updates for Internet Explorer. Windows XP users can also download Service Pack 2 which, among many other things, has some anti-phishing patches.

4. Get protection into your web browser. I use Firefox with a nifty little extension called Spoofstick. Spoofstick is also available for IE. It adds a new toolbar that does nothing except tell you which website you’re really on. A phishing email that takes you to a fake version of eBay can’t fool Spoofstick: it will report your real location as something other than eBay in large print at the top of your web browser. Look out for clever misspellings!

Another free tool is Phishguard. If someone sees a phishing email, they can forward it to the folks at phishguard.com. And when someone later tries to open a website that is known to be fake, a big warning window pops up letting the computer user know not to proceed.

What’s Around The Bend?

Smarter browsers and email programs. IE 7 is supposed to have some serious anti-phishing technologies when it’s released for Windows XP users, as will the Thunderbird 2.0 email client.

Smarter email servers. Email servers will soon be doing more to make sure that a message from my Cayman Islands bank (I wish) really is from my Cayman Islands bank. This is similar to what is already being done to catch spammers sending email from computers that are not authorized to send any email. Read up about SPF on spf.pobox.com - we recently integrated this into the Webmail.us filtering system. More on that in my next post.

Learn more at: www.antiphishing.org and at an FTC web page dedicated to phishing: www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.

-Kirk
