Dig a Little Deeper!

I recently re-watched The Princess and the Frog and realized it could be interpreted on yet another level, as an allegory for how to be more successful as a Sales Engineer. For those who haven’t seen the film (and I recommend you do), you can catch up on the plot at http://en.wikipedia.org/wiki/The_princess_and_the_frog.

The film has a great villain in Doctor Facilier, a witch doctor who is well-written and expertly performed by Keith David, with a certain charm and a great motivation. Doctor Facilier is also a great sales guy: he builds trust and gets right to giving the customer what he asked for.

Check out the following video for an example of how he works:

He really does a good job tailoring his message and taking control of the conversation. In four minutes he has their trust and buy-in, even though he’s selling to two different buyers at once.

At the end of the day Doctor Facilier gets what he wants, but he is lacking one thing that proper sales people need to be successful in the long term: repeat business.

When you give a customer what they “want” you risk selling something that doesn’t really fit their needs. They want feature X, thinking it will solve their problem, without realizing the true underlying issues at play. It’s important to give the customer what they want, but if you sell the sizzle when there’s no steak, they end up looking bad when everyone figures out just how much they spent on shelfware.

Now compare Doctor Facilier with Mama Odie, who quickly quashes the idea that “want” and “need” are the same thing:

Mama Odie looks deeper than the initial statements she hears and gets to the underlying issues, creating a proper, permanent solution. Like Doctor Facilier, she certainly takes charge and manages the conversation and talks to each member of her audience on their terms, but she also teaches them and, more importantly, she “digs a little deeper”.

It is so important when working with customers that you fight the urge to jump into selling mode. They will inevitably talk about something they are looking for that you provide, and at that point it is incredibly tempting to start talking and expound on how your product does what they are asking for.

When you’re tempted to start talking, STOP. The most you should be saying at that point is “tell me more”. Every issue has multiple layers, and there’s always a number you need to discover. That number needs to either go up or go down; don’t rest until you find out what it is and which direction it needs to move. The further information you gather not only helps you find out the true challenge, it helps you make your case later.

Not only does “digging a little deeper” help improve your chance of closing, it greatly improves your chances of delivering an effective solution that addresses the customer’s needs (which is what they really want), which in turn means you get a satisfied repeat customer who refers others.

Pictures from Life as a Sales Engineer

There’s not many memes that I jump on the bandwagon for, but I’ve seen enough people having fun with this that I have to join in.

When my demo hits a snag…

When my Sales Exec calls to say the deal is closed…

When my Sales Exec says he wants to move forward after I tell him there’s red flags all over an opportunity…

When the SE Manager is looking for volunteers to work on an RFP…


What the Sales Exec expects me to do when he forgets to invite me to a meeting until the last minute…

My expression when the Sales Exec claims our product has a non-existent feature…

When the guy at the prospect (whose app has been called junk by everyone else) tells me things are fine, they don’t need my solution…

When the client asks me to click on an un-configured section of the demo…

When the client doesn’t ask about the un-configured section of the demo…

When the presentation goes off perfectly…

When I spend two days building a demo, only to find out the prospect wasn’t qualified after all…

What I want to do to the person who didn’t qualify the prospect…

When the Proof of Concept comes together perfectly…

When the customer asks me if it’s true that <insert wild claim made by Sales Exec>…

And now a small plug: I’m not the SE anymore, I’m the Manager, and at Message Systems I’m hiring multiple Senior SE’s right now (we call them Solution Consultants) in multiple regions! Head on over to our jobs page and check it out! I poked a little fun at the Sales Exec stereotype but we’ve got a great group to work with, a solid product and a great team. Join us, won’t you?

Disclosure: Borrowed and modified extensively from http://martinvalasek.com/blog/pictures-from-a-developers-life

Does Multiplayer Need to be so Massive?

I was watching a documentary on Mojang that is well done and very inspiring; I highly recommend it. It got me thinking about Minecraft.

There is no shortage of information on the Internet regarding what Minecraft is, how it works, and why it is appealing. I’d also refer you to the documentary itself for more insight into those topics. What struck me about Minecraft as I watched the documentary is the Multiplayer aspect of the game, and how its particular brand of Multiplayer reminded me of when I used to play games on BBS systems, particularly TradeWars, a space trading game that I found quite addictive back in my day. Games such as TradeWars provided a multiplayer, persistent world where players could either collaborate or compete as they saw fit, just like what we now get with multiplayer Minecraft.

These days, most of the multiplayer offerings available to casual gamers through Zynga and other Facebook game developers offer multiplayer, but only in the superficial sense: everyone is really playing a single-player game where their friends occasionally visit their instance of the game, or act as NPCs to compete against. There’s no going into another’s space to mess around, no depletion of resources by another player before you can get to them, or careful navigation in case you come across a stronger player.

Contrasted with MMO games such as World of Warcraft, you still often find yourself in a different kind of Multiplayer. There’s always going to be plenty of things to kill, everyone can complete a given quest, even the big bad guys will respawn shortly. Outside of a PVP server, the other players often feel like complex NPCs, with most of them just passing you by on a road here and there, and in a guild or on raids, you’re interacting with a limited number of players regularly. Most MMO games can certainly feel massive, and they are multiplayer, but for a number of reasons they are not truly “massively multiplayer” in the sense that hundreds or thousands of players would be interacting simultaneously.

In fact, the need for the world to persist prevents people from seriously impacting each other or the dynamics of the world. Imagine a massively multiplayer Minecraft for a moment; if there were thousands of people playing at once, you could never have a long-term persistent world because someone would TNT significant chunks of it in short order. Instead, most people are content to play on a smaller, more intimate server that may occasionally get recycled (or at the very least they can walk several KM away and start fresh). It was the same with TradeWars, you would play with at most a couple of dozen people, and when it looked like things were entering a static state, you would start over again.

I think there’s a potential future middle-ground market here for game companies: building and maintaining an MMO is an expensive proposition, but for a good number of players it may actually be overkill anyway. Instead, look at building a moderately-sized world (most likely procedurally generated) where players can interact, build, explore, grow, etc. Either host the games or allow for self-hosting, and allow players to invite a relatively small circle of friends to play with (or against) each other. It is significantly easier to host a large number of small instances than a small number of large instances, and I think most players would enjoy both equally well.

Personally I believe this is a direction that Facebook itself could benefit from pursuing. Currently a game developer needs to not only develop a game, but also build and support infrastructure for hosting the game itself, as Facebook provides only the page wrapper around the game, but no infrastructure resources. As a result, a lot of what we see on Facebook are simple Flash-based games that involve repetitive clicking, and no real multiplayer. These kind of games require fewer server resources and are therefore easier to build and support. If Facebook built out scalable multiplayer server resources it would lower the barrier to entry for a new generation of more truly multiplayer game experiences among a circle of friends. It would be much more interesting to get a notification that someone had invaded your territory than to find out they had completed a quest to click on 20 cows. Facebook could in return collect a larger percentage of the monetization from a game, with such games likely generating greater revenue in the first place thanks to their advanced nature.

Personally I would love to see the return of the small-scale persistent world multiplayer concept, somewhere that gets you logging in regularly to keep ahead of your friends and to make sure they haven’t gotten the drop on you since you last logged in. A multiplayer game concept that falls between the traditional MMO and the deathmatch game that only lasts as long as you’re all logged in and playing. An approach where someone can eventually pull well ahead of the others and in doing so affects the balance of the game, requiring either a restart or a combined effort by the remaining players. It was compelling back in the BBS games, it’s compelling in Minecraft (though the game’s mechanics don’t really support the idea of game imbalance), and I think it could be compelling in a number of genres today.

Why Your Email Marketing Sucks

There’s a great article over at Hubspot that talks about “16 Things People Really Hate About Your Email Marketing” and it’s a good read. I especially liked:

The content of your email — whether the copy itself or the offer you’re promoting — should be something the email recipient actually wants to receive. And you would know what they want to receive if you’ve spent time collecting lead intelligence, segmenting your email lists based on that intelligence, and mapping the appropriate content to each segment of your list.

What some email marketers do, however, is email blast a 10% off coupon for dog food when half of their email list only owns a cat. If the content you’re sending out won’t be helpful to everyone on your current list, slowly back away from the ‘Send’ button, and refine the list to which you’re sending your email.

If you want me to stay subscribed, keep it relevant to my interests!

Via: http://blog.wordtothewise.com/2012/06/things-people-hate-about-your-email-marketing/

More Wisdom From Ed Catmull

Another great video of Ed Catmull speaking at the 2012 General Commencement of the University of Utah:

http://webapps5.utah.edu/digvid/?id=2012-05-04~88

Jump to 98:25 for the commencement address. What follows are my notes as I watch the video myself.

I love the importance he ascribes to creativity, even in industries that are not typically considered creative. He also had a good warning about the risk of creative people becoming un-creative: he warns that unseen corporate forces can be at work to send a successful company off the rails that management cannot even detect. He talks about finding the systemic and cultural forces that block creativity and how to eliminate them.

At 110:00 he speaks of the need for change and the fear of change, and provides great insight into one of the greatest risks to companies: a tendency to latch onto the familiar because of a fear of failure. He then relates a story that really struck me about the movie Bolt; the hamster character was so complicated that the movie could not be completed in the 8 months remaining. When asked about retooling the character, the management team was told it would take 6 months, something that obviously would not work given the fixed deadline. Instead, a pair of animators managed to retool the character in four days, deciding it was better to seek forgiveness than permission. How did they manage to do in four days what others said would take six months? It turned out there was so much fear of error and fear of failure in the animation department that the whole creative process was wrapped in excess process and procedures to try and prevent errors.

One of the best insights that Ed Catmull brings in this speech is what I’d describe as being aware of your blind spots: he emphasizes the importance of being aware of what he cannot see, either because he cannot see it coming or because his position means that others act differently around him. It’s clear that Dr. Catmull focuses as much or even more on unseen threats as he does on those facing him directly.

“We should plan for the unseen, not try to prevent it.”

“We face the problems, we face the hard questions. The answers are the mere byproducts of addressing interesting questions. The questions are the doorway into the unknown.”

At 131:30 Ed gives a unique insight into Steve Jobs, and how he learned from failure and improved and grew as an individual. He also gives a new perspective on the concept of Jobs’ Reality Distortion Field:

“If you believe, as I do, that your actions make a difference, then this means that you do modify your reality, you do change the future.”

The more I learn of how Dr. Catmull built and leads Pixar, the more I want to find effective ways to emulate him.

Management Lessons From Phineas & Ferb

One of the best things about having small kids is they can be used as a cover for watching cartoons, and one of our favorites is Phineas & Ferb. For those unfamiliar with the show, here’s a sample:

This is a great show because it can entertain both adults and children: it doesn’t dumb things down but instead respects kids and their ability to get things, while being entertaining for parents and not annoying them to the point of changing the channel like some shows for kids. And hey, it has some lessons for you managers out there:

You need a Phineas and a Ferb

A great team can get more done than a collection of individuals, and one of the key elements of a good team is individuals who bring different but complementary skills to the larger group. Look at Phineas and you see someone who brings ideas to the table, evangelizes them to others and has enough technical know-how to support their implementation. In Ferb we see someone who has the deep knowledge & skills to make Phineas’ ideas a reality. A strong team is made of T-Shaped people, those with depth in a few key areas and breadth to allow them to collaborate across the team.

Dream Big, Don’t Apologize

Too often we impose limitations when we brainstorm new ideas, imposing the lens of “what is possible” on our discussion of “what is best”, which prevents us from coming up with some really great ideas. When you watch Phineas & Ferb you’ll see occasions when they call this kind of thinking out directly. In many episodes you’ll see a typical interaction of a character asking Phineas “Aren’t you a little young to <INSERT IMPRESSIVE ACTIVITY HERE>?” to which he generally replies “Yes, yes we are.” Phineas never apologizes for dreaming big, and neither do successful organizations. This doesn’t mean that everything you dream up will be immediately possible; I’ve been reading some great books on the history of Pixar (see links at the bottom of this entry) and one aspect of Pixar’s history that I loved is they had a vision that served as their compass (of creating a movie in CGI), but which was not achieved for well over a decade.

Share Openly

There’s a real tendency in organizations to play things close to the chest, whether it’s companies staying in stealth mode as long as possible, or even individual departments keeping things to themselves in the interest of secrecy. When you watch an episode of Phineas and Ferb, you’ll see that the brothers are quick to share their work at all stages of development. The result of this is always positive, with others offering them assistance, ideas and materials. Another great example comes from my Pixar reading: at Pixar each production team is required to show its work in progress on a weekly basis to the entire organization, in sessions that are literally open to all employees in the company. This approach not only recognizes that good ideas can come from anywhere (even the janitor), but also builds a community feeling among all employees and helps with morale. I like to support the startup community in my city by attending demo days and other events, and it’s great to see small startups share what they are doing rather than worry about someone stealing their ideas, because it enables me to share ideas and experience to hopefully make them more successful.

Trust Your People, Don’t Worry About Being Surprised

If you’ve hired your team of Phineas and Ferb types, trained them well, and given them the resources they need to succeed, then the next thing to do is get out of their way! Here’s a quote I love from Ed Catmull, founder and CEO of Pixar and a man full of management wisdom:

…managers need to learn that they don’t always have to be the first to know about something going on in their realm, and it’s OK to walk into a meeting and be surprised.

For an example of this, just compare the responses of Ferb’s father, Lawrence Fletcher, with those of Phineas’ older sister, Candace. Candace is focused on having authority, doesn’t trust her brothers, and spends the majority of most episodes trying to get in their way and prevent them from achieving their goals, all because they think outside the box she has mentally created for them. Lawrence shows a certain nonchalance about the boys’ activities, presumably because he’s aware of Ferb’s abilities and trusts him not to get into (serious) trouble.

Now of course one could argue that Lawrence is more oblivious than trusting, but the fact remains that you need to respect & trust those who you work with, and avoid micromanagement. Too many managers spend too much time managing, and too little time leading.

On that note I’d like to leave you with one of my favorite definitions of leadership, again from a book on Pixar (the Pixar Way) that I have been re-reading lately:

The ability to establish and maintain a creative climate in which individuals and teams are self-motivated to the successful achievement of long-term goals in an environment of mutual respect and trust.

Recommended Reading

Bonus Sample Episode

Fixing Issues With Dodge / Chrysler Radios and iPhone 4

I recently moved to a 2011 Chrysler Town & Country and ran into an issue where my iPhone 4 simply would not get along with the 430n RHB radio built into the vehicle. This was frustrating as the radio in this (and the 2010 Dodge Grand Caravan I had previously) have pretty good iPhone/iPod integration for a stock radio. When I plugged the iPhone into the USB port of the RHB, I would get “Reading…” and then “Error Occured”, and when I would use the Bluetooth A2DP feature the sound would be garbled and stuttery any time the screen on the iPhone was active. The Bluetooth audio issue would present itself even though Uconnect was working fine for handsfree calling.

The good news is this is fixed via a software update that I found at http://www.challengertalk.com/forums/archive/index.php/t-61355.html; here’s the important part:

1) First check to see which version of software your Uconnect came with. On my Patriot the module is behind the glove box and is easy to get to. I am not sure how easy this is to access on other vehicles.

Look at the SW number on the module. If you have SW 43.01.10 or 43.1.30, this update should work for you. This is where you find the SW number:

2) Download the file:
For US mid-large vehicles (Wrangler, Durango, Grand Cherokee, Town & Country van, RAM), download this file (http://www.mediafire.com/?ym7cudem8c9lb96)
For US small vehicles (Compass, Challenger, Patriot, Caliber, 200) download this file (http://www.mediafire.com/?ygm74est6j6pj19)

For Euro large vehicles, download this file (http://www.mediafire.com/?qbjepsjq2g5jcjj)
For Euro small vehicles, download this file (http://www.mediafire.com/?mp2zbywzdmd2o87)

3) Put this file onto an empty USB drive

4) Plug the USB drive into the vehicle’s remote USB port (NOT on the radio). It should be either in the center console or glove box

5) Press and hold the Uconnect Phone button for approx. 15 seconds, until you hear Software Update started

6) Wait until the update is completely finished (about 10-15 minutes or so). During this update, the radio will beep over and over (you can turn this down with the volume knob). If after about 5 minutes you hear “This file archive not compatible with this vehicle,” then either you used the wrong download, OR your radio does not currently have an update available

On my Chrysler Town & Country (and likely on 2011 Dodge Grand Caravan models) the Uconnect module was located roughly behind the headlight switch on the lower-left of the dash and I was able to contort near the brake pedal to see it without having to disassemble the dash.

For those feeling less adventurous, you can take your vehicle into your dealer to have the fix applied, ask about TSB Number 08-036-11.

The Management Wisdom of Ed Catmull

I greatly admire Pixar and its people, and one of the people I admire greatly is Ed Catmull, the Pixar founder. His personal contributions to computer science and computer graphics are phenomenal, but he’s also an excellent leader and businessman. The following video from an Economist conference provides a good example of his wisdom:

And here’s another, older example:

It’s wisdom like this that puts books like this on my desk:

See You At The Message Systems User Conference!

I’m looking forward to the upcoming Message Systems User Conference next month in San Francisco, not only for what looks like an excellent venue, but for the great set of quality sessions on the agenda.

There’s a number of sessions I’m looking forward to attending, but I’d like to invite you to attend the sessions I’ll be delivering next month (read to the end to save on conference admission):

What the Convergence of Data Security & Privacy Concerns Will Mean to Companies

The barrage of news stories about data breaches and privacy violations is taking a toll on consumer confidence.

What You’ll Learn:

  • Why data security and privacy issues are converging and how an erosion of consumer confidence can jeopardize data availability for communication and commerce.
  • How security and privacy are connected to Message Convergence and why they should now be of concern to all ecosystem players and at all levels, Marketing as well as IT.
  • What principles companies should embrace to address security and privacy in their own environments.
  • How companies can safeguard their customer data and messaging streams.

New Directions in Email Deliverability

Our panel of industry experts will explore the ongoing evolution of deliverability management and new technology advances, such as adaptive delivery, that will make it easier.

What You’ll Learn:

  • How deliverability is a tactical companion to Message Convergence – getting messages delivered, read and acted on.
  • How new advances in technology can improve deliverability management effectiveness and remove the hassles for all stakeholders.

Building Multi-Channel Apps

This session will introduce participants to the whys and wherefores of multi-channel messaging applications: how they deliver business value, and how to construct them. You’ll gain both an understanding of the business strategy behind multi-channel apps, and a nuts-and-bolts working knowledge of the tools and techniques required to design, build and deploy them. Topics will include how to access multiple data sources on the fly and how to make routing determinations. For instance, once you’ve made a judgment on content, context and preference, how to go about actually getting a message routed to its ultimate destination. We’ll go in depth on the subject of multi-channel message type (MCMT), a proprietary content container format that makes it possible to inject messages into the delivery stream with content alternatives dependent on the preferred message channel.

Target Audience:

Product and program managers, developers, line of business owners.

What you’ll learn:

  • How multi-channel messaging delivers business value across any number of industry verticals.
  • The messaging and data systems/architectures needed to deploy multi-channel messaging.
  • Introduction to MCMT.
  • How to configure Momentum, Mobile Momentum and Message Central for multi-channel apps.
  • Understanding and acting on customer preference data.

Advanced Momentum & Message Scope

This session will extend the sessions on “Introduction to Lua” and “Momentum Essentials and Message Scope” by taking participants through advanced, Lua-based message parsing APIs. Advanced policy scripts for database-driven binding assignment and DKIM signing will be demonstrated. Participants will see practical, but advanced remediation list usage with Message Scope and learn how to create custom remediation actions.

Target Audience: System administrators, operations and support personnel and developers.

What You’ll Learn:

  • Various parsing techniques using Lua API functionality.
  • Write Lua policy scripts that implement database-driven binding assignment and DKIM signing.
  • How to integrate Momentum bounce information with an external database.
  • How to integrate Message Scope with 3rd-party data feeds.
  • How to create custom remediation actions with Message Scope.

It’s going to be a great conference and I look forward to meeting everyone. To make it even more appealing, register now and use discount code VIP2S2 to save $250!

See you there!

14 Email Security Do’s & Don’ts

Note: This article originally appeared at http://www.messagesystems.com/wordpress/?p=84

Introduction

Anyone who follows the email marketing industry news is no doubt aware of the increasing number of well-publicized data breaches that have been occurring at the various major ESPs. In addition to the major ESPs, there are no doubt a number of less-publicized or even non-publicized data breaches occurring all the time at both smaller ESPs and in-house enterprise senders. The days when most of us in the email industry could watch from the sidelines and shake our heads have surely passed. Henceforth we should all operate on the assumption that we’re either now under attack as well, or will be shortly.

Email marketers have two valuable resources that malicious parties want to capture and exploit: information and infrastructure. Attackers want to access the information you hold, including email addresses, personally identifiable information (PII) and affiliation information (which organizations send to which recipients). Using this information the attackers can send spam or phishing messages and (in an unlikely worst-case scenario) even perform identity theft.

In addition to getting to the information you hold, attackers will also try to gain access to your infrastructure. In a recently reported breach at CheetahMail (http://blog.wordtothewise.com/2011/04/another-security-problem/) an attacker gained control of a customer account and used it to send malware (UPDATE: The same thing just occurred at Bronto: http://blog.bronto.com/2011/05/02/shared-security-responsibility-and-a-compromised-password-incident/). While many reports focus on attacks that result in data leaks, it’s also very common for attackers to access infrastructure to send their own messages from trusted systems, ruining the reputation of the operator of the compromised infrastructure.

It’s time for all email marketers, whether sending themselves or through service providers, to make security a fundamental principle in their operations. The Online Trust Alliance (http://otalliance.org) recently published a set of guidelines (https://otalliance.org/resources/securitybydesign.html) that I highly recommend reviewing and following. I’d like to make a few additional recommendations of my own.

People

All the security technologies in the world can often be defeated by a simple phone call or a few dollars. There are multiple cases where attackers have been able to get into a system through social engineering: calling up someone in the target company and presenting themselves as a trusted co-worker and asking for the unsuspecting employee’s login credentials. In other cases a simple offer of cash in exchange for information or access can bypass any number of security measures.

Whether they are acting innocently or maliciously, your own employees (and customers) can easily be your downfall. There are a number of security measures that can help alleviate this:

  1. Educate your employees and users. Make sure they understand what social engineering attacks are and how to identify and prevent them. Teach them never to disclose their usernames and passwords, enforce a policy of never asking customers for their credentials, and make it clear to your customers that you will never do so.
  2. Do your homework. Employ best practices in your HR department. That includes performing background checks on your employees (at least the ones with access to sensitive customer information), including credit checks. Keep in mind that people in positions with access to sensitive data could be susceptible to enticement – this is particularly true if you’ve made it easy for them to act on that temptation.
  3. Apply the ‘need to know’ rule. Consider who really needs to be able to see customer information, and how much needs to be visible. Does someone who manages message templates really need access to your recipient list? Does someone who manages segmentation really need to be able to see both the user and domain portion of an email address? Perhaps they can do their job with access to the domain information only. Do customer service reps really need to be able to see lists of recipients or do they just need to be able to look up a specific recipient to do their job? There will always be people who need to access sensitive information, but not as many as you might initially think, and few need access to absolutely all the information rather than just a subset of it.

Data Storage

There are a number of best practices around securing the data you store, but I want to share a few ideas about what to store, to be used in combination with data security best practices.

  1. Store as little as possible. An attacker cannot steal information that you don’t possess. Do not ask for information you do not need or can’t use. Marketers tend to err on the side of over-collection because it ‘might’ come in handy. (Example: are you asking for a physical address when you do not send anything by regular mail?)
  2. Use encryption where possible. Consider a suppression list to prevent sending to people who have unsubscribed (hopefully you followed step one and purged everything but their address when they unsubscribed); you need to have their address in order to prevent sending to it, but you can store their address as a one-way hash and compare a one-way hash of each recipient address against it to determine whether that recipient should be suppressed. I’ve worked with senders who encrypt the user portion of every recipient address (mike@messagesystems.com would be stored as 18126e7bd3f84b3f3e4df094def5b7de@messagesystems.com, as an example) in the database, with a custom Lua script in the messaging server decrypting the user portion of the address on the fly just before sending. With this approach, they can still do domain reporting and segmentation, while making it much more difficult for attackers to extract useful information.
  3. Purge data as soon as possible. Again, you cannot lose what you do not have. Purge information as soon as feasible, both customer data and the various logs that can contain customer information. If you need a piece of information for a specific mailing, purge the data once the mailing is complete.
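The hashed suppression list from step 2, as an added example that is not from the original post or from Message Systems. It compares the naive unkeyed hash with a keyed one (HMAC-SHA256), and includes a small risk check showing why the unkeyed form is weak: anyone holding the table can hash a list of plausible addresses and match them. The key and all addresses are constructed placeholders.

```python
import hashlib
import hmac

# Secret held only by the sending system; constructed placeholder, not a real key.
SUPPRESSION_KEY = b"example-suppression-key-rotate-me"


def normalize(address: str) -> str:
    """Canonicalise so the same mailbox always produces the same hash."""
    return address.strip().lower()


def plain_hash(address: str) -> str:
    """Unkeyed one-way hash: the naive way to store a suppression entry."""
    return hashlib.sha256(normalize(address).encode()).hexdigest()


def keyed_hash(address: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256). Stored values are useless to anyone
    who obtains the table but not the key."""
    return hmac.new(key, normalize(address).encode(), hashlib.sha256).hexdigest()


def build_suppression_list(unsubscribed, hasher=keyed_hash):
    """Store only hashes; the clear-text addresses are never written down."""
    return {hasher(addr) for addr in unsubscribed}


def is_suppressed(address, suppression_set, hasher=keyed_hash):
    """Pre-send check: hash the candidate recipient the same way and look it up."""
    return hasher(address) in suppression_set


def reversible_entries(stored_hashes, candidate_addresses, hasher):
    """Risk check for a stored table: which entries could be matched by someone
    who holds the table plus a list of plausible addresses and hashes each one?
    With an unkeyed hash every real address in the list is recovered; with a
    keyed hash an outsider without the key recovers nothing."""
    return {a for a in candidate_addresses if hasher(a) in stored_hashes}
```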

Email Infrastructure

While I have no reports to date of email infrastructure being used as an attack vector, there are still some steps you can take to better secure it.

  1. Secure the server. Implement security at the operating system level as well as at the network level. Restrict access to the web UI to internal machines only (use a VPN for external access). Strongly consider using two-factor authentication, such as password-protected SSH key-based authentication.
  2. Secure your logs. Remember that your logs will often contain address information, so you need to secure your logs with the same vigilance that you secure your database. Ensure that your file system permissions are properly set and that you retain your logs for no longer than necessary.
  3. Customize your logs. If your system supports customizable logging, consider trimming your logs down to the bare minimum data required for your purposes. Instead of storing the recipient email address, store a customer identifier that you can use to look up the customer address (high-end solutions will let you store just the domain portion of the address so you can still do reporting on domain volumes and deliverability).
  4. Secure against being an open relay. Grant permission to inject mail on a per-IP basis if possible, and use TLS and authentication if you need to allow relaying to external hosts.
  5. Scan your outbound mail streams. An effective way to mitigate infrastructure attacks is to filter all traffic as it leaves the server to prevent sending mail that contains viruses, spam or malware. The incident at CheetahMail I mentioned at the start of this entry could have been prevented with outbound traffic filtering. Keep in mind I’m speaking about AV/AS filtering on a per-message basis. It’s not enough to send a test message to a preview tool if you’re trying to protect your infrastructure; you need a messaging server that can filter traffic on egress.
  6. Implement Feedback Loops. While this may not seem like a security tool, I’ve worked with senders who were able to use a spike in incoming FBL messages to identify an unusual sending pattern coming from their servers, leading them in turn to identify that their network had been compromised and a malicious attacker was using their system to send mail.
  7. Implement authentication tools such as DK/DKIM/SPF/SenderID. Again, this does not directly secure your data, but if a list is compromised it will be harder for a malicious party to deliver mail from their own servers and make it appear to come from you (especially when making phishing attempts with your data).
  8. Monitor Block Activity. As with spam complaints, a sudden burst in rolling blocks could be a red flag that an infrastructure breach has occurred. Set up an alerting system for blocks and automated suspension processes to catch and shut down malicious mail streams before serious damage is done. The good news, if you’re running Momentum, is that our Adaptive Delivery product does this for you automatically.
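The log customization in step 3, as an added example that is not from the original post or from Message Systems: addresses are rewritten before a line is written, either to a keyed token plus the real domain (so the sender can recompute the token from its own customer table while the logs alone reveal no mailbox) or to the domain only, and domain volume reporting still works on the redacted lines. The log format and the key are constructed for this example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Key known only to the sender; constructed placeholder, not a real key.
LOG_KEY = b"example-log-pseudonym-key"

# Matches an address and captures its domain part; DOMAIN_RE also finds
# the domain of already-redacted entries such as "<redacted>@example.com".
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample of the kind of delivery log a messaging server might write.
SAMPLE_LOG = [
    "2011-04-05T10:00:01 delivered rcpt=alice@example.com msgid=abc123",
    "2011-04-05T10:00:02 delivered rcpt=bob@example.org msgid=abc124",
    "2011-04-05T10:00:03 bounced rcpt=carol@example.com msgid=abc125 reason=550",
    "2011-04-05T10:00:04 delivered rcpt=Alice@Example.com msgid=abc126",
]


def _pseudonym(match, key=LOG_KEY):
    """Replace the user portion with a keyed token; keep the domain so domain
    reporting still works. Case is folded so one mailbox gets one token."""
    addr = match.group(0).lower()
    token = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{token}@{match.group(1).lower()}"


def _domain_only(match):
    """Strictest option: drop the user portion entirely."""
    return "<redacted>@" + match.group(1).lower()


def redact_line(line, mode="pseudonym"):
    """Rewrite every address in a log line before it reaches disk."""
    repl = _pseudonym if mode == "pseudonym" else _domain_only
    return ADDR_RE.sub(repl, line)


def redact_log(lines, mode="pseudonym"):
    return [redact_line(line, mode) for line in lines]


def domain_volume(lines):
    """Per-domain counts; identical for raw and redacted logs."""
    return Counter(m.group(1).lower() for line in lines for m in DOMAIN_RE.finditer(line))
```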

Conclusion

The latest security breaches in the email marketing industry have reinforced that an attack is a matter of when, not if, and senders need to plan accordingly. The recommendations of the OTA, combined with the recommendations above (and constant vigilance), should provide a good start at avoiding (and minimizing the impact of) a malicious attack.