The more things change

I was doing some research about the evolution of the this-is-spam button for a blog article. In the middle of it, I found an old NY Times report about spam from 2003.

At the same time, the argument is intensifying over what represents legitimate e-mail, particularly when it ends up being blocked by an antispam filter. Last November, AOL threatened to block e-mail from Gap. Even though Gap said it only sent e-mail to people who explicitly signed up for its mailing list, AOL said that many of its members reported Gap mailings as spam. When it investigated, AOL found that Gap had been offering people a 10 percent discount for providing their e-mail address. Nearly a third of the addresses collected were fake, but they often belonged to other people who did not want the Gap e-mail.
“You can’t underestimate the power of people to make up an e-mail address to get a 10 percent discount,” said Matt Korn, AOL’s executive vice president for network operations. NY Times April 22, 2003

And, yet, 9 years after that article was written the Gap was still collecting email addresses at the register and still getting fake addresses. While the Gap was not mentioned directly in my article confirming addresses for transactional mail they were one of the SBLed retailers.
Can mailers really not get past doing the same exact things that got them blocked in 2003? I’ve been writing here for almost 7 years now, over 1600 blog posts. It’s almost depressing that many of my early posts are still relevant. Mailers are still making the exact same address gathering, sending and delivery mistakes they have been. Ken Magill even mentioned the same thing this week in his newsletter article Umm, What Year is This?.
Don’t get me wrong, I do love the job security. But some days I wish we could move past advice I was giving to people 10 years ago and get on to new things and challenges.

Related Posts

Beware the TINS Army

When consulting with clients, I spend a lot of time trying to help them better understand the concept of sender reputation. Spam reports, feedback loops, and other data that comes from a collection of positive and negative reputational feedback about a company sending email.
Certainly, the “This is not spam” action – moving an email from the spam folder to the inbox, or clicking the “not spam” button in a web mail’s interface, is a strong positive reputational action. Some webmail providers use this data to decide which bulked senders deserve being let out of the penalty box – which should have their mail once again delivered to the inbox.
A client recently theorized that a great solution to their delivery problems would be to do this “en masse.” Sign up for hundreds or thousands of webmail accounts, send my mail to them, and click on the “not spam” button for each of my own emails. That’ll greatly improve my sending reputation, right?
NO! ISPs have already thought of this. They watch for this. They’re really good at picking up on things like this. I know for a fact that Yahoo and Hotmail and AOL notice stuff like this, and I strongly suspect other webmail providers notice it as well.
What happens when Yahoo or Hotmail pick up on this type of unwanted activity? Well, if it’s at Yahoo, they’re likely to block all mail from you, 100%, forever. I’ve seen it happen more than once. Yahoo might even identify all of your netblocks, ones beyond the ones sending today’s mail or originating today’s activity. And good luck trying to convince them that you’re not a spammer – you have a better chance of winning the lottery two weeks in a row.
As for Hotmail – what would Hotmail do? Ask Boris Mizhen. Microsoft is currently suing him, alleging that he and/or his agents or associates engaged in this very practice.

Read More

DMARC and organizations

Comcast recently published a statement on DMARC over on their postmaster page. The short version is that Comcast is publishing a DMARC record, but has no current intentions to publish a p=reject policy for Comcast user email. Comcast will be publishing a p=reject for some of their domains that they use exclusively to communicate with customers, like billing notices and security notices.
Comcast does point out that Yahoo! and AOL’s usage of p=reject is “not common usage.”
This is something a lot of people have been arguing loudly about on various mail operations lists and network lists. DMARC is about organizational identity. In fact, I was contacted about my DMARC primer and told that I didn’t mention that it’s not about domains, it’s about organizations.
The way I read the DMARC spec, it is all about organizational identity. The underlying theme being that the domain name is linked to a particular organization and everyone using email at that domain has some official relationship with that organization. I’ve always read the spec mentally replacing organization with corporate brand. This was for brands and organizations that strictly control how their domains are used, who can use those domains and how the mail is sent with those domains.
I never expected any mailbox provider or commercial ISP to publish a p=reject message as it would just break way too much of the way customers use email. And it did break a lot of legitimate and end user uses of email. Many organizations have had to scramble to update mailing list software to avoid bouncing users off the lists. Some of these upgrades have broken mailbox filters, forcing endusers to change how they manage their mailboxes.
Even organizations see challenges with a p=reject message and can have legitimate mail blocked. At M3AAWG 30 in San Francisco I was talking with some folks who have been actively deploying DMARC for organizations. From my point of view anyone who wants to publish a DMARC p=reject should spend at least 6 months monitoring DMARC failures to identify legitimate sources of email. The person I was talking to said he recommends a minimum of 12 months.
This is just an example of how difficult it is to capture all the legitimate sources of emails from a domain and effectively authenticate that mail. For a mailbox provider, I think it’s nearly impossible to capture all the legitimate uses of email and authenticate them.
It remains to be seen if the other mailbox providers imitate Yahoo! and AOL or if they push back against the use of DMARC reject policies at mailbox providers. Whatever the outcome, this is a significant shift in how email is used. And we’re all going to have to deal with the fallout of that.

Read More

Links for 1/15/10

A lot has happened this week.
Spammers and scammers are attempting to steal money from people attempting to donate money to those in earthquake devastated Haiti. A number of places, including CNN and CAUCE, are warning people who want to donate online to do so through trustworthy links. Don’t click on links in unsolicited emails nor on random websites.
AOL laid off most of their postmaster team. This is going to have a significant impact on sender support provided by AOL. The background chatter I’m hearing indicates that there is likely to be response delays of days to weeks for support tickets.
Pivotal Veracity was acquired by Unica, a marketing software company. Industry buzz says that PV will be run as a subsidiary and maintain their independent customer base.
Spamhaus launched a new website, which includes a link for a domain based URI blocklist. There’s not much information available about this new blocklist, but it’s likely to function similar to SURBL and URIBL.
The lethic botnet was penetrated and disabled. Dark Market, one of the large credit card number trading sites, was taken down and the proprietor arrested.

Read More