Al Iverson's Spam Resource

O HAI TAG44 WTF?

2009-11-19T08:04:00.039-06:00

My friend Mickey Chandler mentioned to me that TAG44 emailed him yet again.

They're apparently still putting a stupid "this is not spam" disclaimer in their email. As with last time, they reference a law that doesn't exist.

"Note: We respect your Online Privacy. This is not an unsolicited mail. Under Bills 1618 Title III passed by the 105th U. S. Congress this mail cannot be considered Spam as long as we include Contact information and a method to be removed from our mailing list. If you are not interested in receiving our E-mails then please reply with a “remove” in the subject line and mention all the E-mail addresses to be removed with any E-mail addresses which might be diverting the E-mails to you. I am sorry for the inconvenience" -- the dumb, factually inaccurate footer from TAG44's email messages.

Free clues for TAG44:

A bill is not a law. Did you catch that? That was a bill from years ago. A proposed law. It never became law, because it never passed the House of Representatives. It has no legal standing. You might as well replace it with This email is not spam because my grandmother wears a fancy hat for all the legal standing it carries.
You're "murking" your own emails? On purpose? That is, uh, how do I put this? That is not a sign of intelligence. Don't take my word for it -- ask anybody who has ever written about the Murkowski disclaimer. What you're actually doing is making your email look like spam, and you're acting like a spammer.
That bill (the one that never became law) is from 1998. That's eleven years ago, friends. Your email marketing expertise is just a tiny bit out of date. Maybe you should hire Mickey, instead of spamming him.

I'm guessing that TAG44 never searches for their company name on Google, or else they would have run across Mickey's post about them, since it's the first hit you find after their own website. Let's see if this one ends up right behind Mickey's post in Google's search results.

Loren McDonald on FISUE Syndrome

2009-11-17T12:57:00.000-06:00

Yesterday, Loren McDonald blogged about "FISUE Syndrome." What is it? It's where a recipient "Forgot I Signed Up for Email." He writes: "Was That Email Spam? Or Just Spam-Like? Earlier this year, I received an email from a presentation company that I was sure I had never heard of nor done business with. [...] I didn't know who this company was or whether I knowingly opted in for email, and I still don't."

He makes good points on how senders can avoid FISUE Syndrome. I'm drawn to one in particular: "From/ Sender Names: Of the six emails I had received, the company used five different "From" names. Bad. Pick a simple, logical "From" name and stick with it."

I'd like to add to that one, because it's a pet peeve of mine. If I sign up for emails from a company, does that mean I'm going to recognize the name of the person who emails me? If you're sending to an email list, do recipients on that list know an individual at the company, or do they only know the company?

I run into this enough that I occasionally blog about it. In that case, Boxee was sending me an email that I had consented to receive, but I had no idea that the head guy's name is Avner Ronen. If I don't recognize you, I'm going to think it's spam, and I'm going to report it as spam. Lack of recognition is going to drive higher spam complaints and deliverability issues are likely to follow.

Ask Al: What are filters checking?

2009-11-11T14:58:00.001-06:00

Jerry writes, "Al, a recent email from 'Get to the Point' quoted you as below. My question is this: What, exactly, are spam [content] filters picking up from a generic template that could reduce delivery? Thanks in advance for your reply."

It looks like I was quoted by MarketingProfs: Here's how it happens. "If that partner works with a whole bunch of people sending email," explains Al Iverson in a post at the Spam Resource blog, "[and] if that template is out all over town, then there's a pretty good chance that somebody has sent emails using that template to poorly permissioned lists, causing spamtrap hits, spam complaints, and so forth."

"Spam filters that use content fingerprinting, meanwhile, see the same message coming from your company and lump you in with the abusive senders."

Jerry, thanks for your question. Though, I think a point is being missed here. There is NOT a list I can give you saying "avoid this tag, or avoid this image," or whatever. No such list exists; and it's impossible to compile one.

The thing that these filters catch is commonality. If your content has different variables in common with other messages tagged as bad (for whatever reason), then your messages get tagged as bad, too. What does commonality mean? It can mean a whole bunch of things, and nobody publishes a list of the exact variables that are checked. It probably is all of the following things, and more:

Your from domain.
What domains you link to.
The domain where images are hosted.
What images you use.
What HTML template you use.
What unsubscribe footer you use.

The HTML/text/source/etc overall -- some systems perform message hashing, converting a message to a short numeric or alphanumeric string string of characters, based on the various characteristics of the message. Similar messages will have hashes that are similar or the same, making them easy to identify.

Is email dead?

2009-11-09T22:44:00.001-06:00

No.

Breaking News: Spambag is Still Dead

2009-11-04T07:13:00.015-06:00

Mangesh writes, "Can you verify and help me out to remove my exchange server at IP address XXX.XXX.XXX.XXX from blacklist.spambag.org? You can email me on same email address or alternate email address i.e. address@example.com . My contact number is XXX-XXX-XXX."

You bet, my friend. I've got it covered. Here's what you need to do. It's a simple one-step process. It's so simple, I am not sure if I can patent it. I'll share it with you free-of-charge, as valuable as I suspect it is. Are you ready? Here goes:

Don't sweat it.

Seriously, that's all there is to it. Spambag has been DEAD since 2007. If somebody is blocking your mail due to a Spambag listing, they're probably blocking 100% of their inbound mail. Laugh at them for being stupid, or feel sad because they are so incompetent. Call them on the phone and try to educate them, if you like. But, don't expect that I can help you get just YOUR mail delivered through this block. Because there is no more Spambag, and there is nothing for you to be removed from.

The Legitimate Email Marketer Isn't

2009-11-03T17:01:00.000-06:00

As Laura Atkins points out, everybody who uses the phrase "legitimate email marketer" seems to have some huge horrible problem caused by their own bad practices. And she's right. Actual legitimate marketers don't need to brag. They're too busy making money and friends. Those in the know recognize that waving the phrase around is gauche; a badge of honor worn only by those who don't deserve it.

Karmasphere Reputation Services Shutting Down

2009-11-02T13:46:00.000-06:00

Karmasphere, founded in 2005 by Meng Weng Wong as a reputation service provider, provided some neat tools, allowing any Joe internet user to publish their own blacklist or whitelist. Neat! How does one make money doing that? Sounds like they weren't too sure, either, based on the email I received on Monday, November 2nd, 2009.

D.J. Stewart of Karmasphere posted the following message to the Karmasphere Users and Karmasphere Announce lists:

As a registered user of Karmasphere Reputation Services, we wanted to let you know that we are discontinuing the service, effective November 16, 2009. If you are using the services through DNS, BQuery or email plugins, please make plans to adjust your configurations ideally prior to November 9 and no later than November 16, 2009.

On that final date, we will disable the reputation servers so that you can no longer query them. Anybody who still has not removed Karmasphere's reputation service from their mail configuration when this happens may find that their mail servers appear to slow down while they wait for their queries to Karmasphere to time out.

You may be thinking "why are they doing this?". The answer is that we are moving the business in a different direction. We have applied the experience gained in manipulating and analysing large data sets in reputation services into developing software that makes it easier to use Hadoop.

This change in focus means that we no longer have the time nor resources to give the reputation service the attention it deserves. Rather than letting the service slowly decay, we are ending them.

This end of service will proceed in the following stages.

Stage 1: To November 9, 2009
Our services will continue as they have for the past 4 years.
This gives you a chance to remove karmasphere's feeds and feedsets from
your mail server configurations.

Stage 2: November 9 - November 16, 2009
Our servers will continue to respond but our feedsets will whitelist
everything.

Stage 3: November 16, 2009
The reputation servers will be turned off.

Thank you for using our services.

The Karmasphere Team.

Two New Zealand Spammers Fined

2009-11-02T11:01:00.001-06:00

Vincent Hannah of Spamhaus reports: "Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday.

"They were part of a business based in Christchurch that sent more than two million unsolicited emails promoting Indian-made herbal products to New Zealand addresses over four months in 2007, the DIA reported.

"Shane Atkinson was fined $100,000 New Zealand dollars (USD71,600) and Ronald Smits $50,000 in the Christchurch High Court last week, the DIA said in a statement."

Read the rest here.

Ask Al: Bad things happening?

2009-10-30T08:41:00.003-05:00

Perry writes, "I keep coming back to re-read your comments about AOL being the good guys. I must admit, that when our ISP is on their blacklist, bad things happen."

Well, unless AOL has suddenly implemented a new policy of picking up a bus full of day laborers from the parking lot in front of the Home Depot, driving them over to your home, and beating you with zucchini while you sleep fitfully on a carpet remnant in your unheated basement, I don't really believe that bad things are happening to you.

Truth be told, most responsible ISPs block mail based solely on a statistically-driven reputational computation. Meaning, your IP address sends unwanted or problematic mail, then its ability to transmit mail to that ISP is revoked. Usually not permanently, either. But keep in mind here, that this is driven by the mail being sent. It's reactive to the mail coming in. If AOL shut all of this off, stopped blocking mail from IP addresses that send bad mail, their entire mail system would probably collapse within twenty-four hours.

Also, keep in mind that when AOL blocks mail from your IP address, you're only blocked at AOL. They don't publish a blacklist. They don't make you get blocked at Yahoo or Hotmail. I wonder if perhaps your concern stems from noticing that when one ISP blocks you, other ISPs are likely to follow. If that's the case, there's no collusion; not even any coordination. Just multiple smart folks using their multiple sets of eyes to denote that you're emitting mail that their users don't want. AOL isn't causing other people to block your mail; AOL is the canary in the coal mine warning you that if you keep it up, you're likely to cause other ISPs to block you, just like AOL is doing.

Also, let's lose the hyperbole and misunderstanding about relationships and friendships. I get sick of reading about how "AOL must hate us" or "if only Yahoo knew we weren't bad guys." The ISPs don't think you're bad guys. It's not a question of making friends with them. Seriously, they don't hate you, they don't want to hate you, they don't have time to hate you. Keep in mind that you are one data point in a million. The solution isn't to buddy up to them. Ninety-nine percent of the time, the solution is to just stop emitting the unwanted mail.

Judge rejects TD Ameritrade breach settlement

2009-10-29T08:34:00.000-05:00

In early 2007, Ed Falk, John Levine, and other trusted anti-spam and network security folks started to note that email addresses given only to TD Ameritrade were beginning to receive spam from unrelated entities.

In September 2007, TD Ameritrade disclosed that this was due to intruders breaking into a database that contained sensitive customer information (including email addresses) and that more than six million customers may have been leaked to bad guys. Oops. Even worse, other sources suggest that the issue may have been ongoing back as far as 2005 or 2006.

Yesterday, Tech Target published an update on the story. "A federal judge has denied a proposed settlement of a class-action suit filed against TD Ameritrade Inc. for a 2007 data security breach that exposed its customers' personal information." The reason for the rejection? The judge seems to be saying that the proposed settlement terms, specifically that the company wasn't doing enough on the security and auditing front.

"[The proposed] measures are security procedures any reputable company would conduct and don't benefit those affected by the breach, Walker said in a court filing Friday." Try harder, he seems to be saying.

Read the rest of the article here.

Ask Al: The Strange Case Of The Help Request Gone Awry

2009-10-28T13:25:00.000-05:00

Jeremy asks, "Al, Help! I submitted a support ticket to [an ISP] for my IPs which were getting tempfailed, and 24 hours later they were completely blocked! Why?"

To answer this question, I thought it might be best to go to the source -- ask somebody who works for an ISP, somebody who deals with the other side of this very kind of issue. So, I turned to my friend Annalivia Ford at AOL. Here's what she had to say:

"Sometimes, asking an ISP for help regarding bulk- or list-mail sending IP addresses can backfire. If messages being sent from your IP address are being temp failed, do yourself a favor and check their reputation scores on the various sites first, and evaluate your mailing practices and content. Check your complaint rates. Ask yourself what you would think if the mail you send landed unexpectedly in your own inbox. If you bring your shoddy IPs to the attention of an ISP, be it Hotmail, AOL or Yahoo! or any other, you run the risk of handing them a perfect blocking opportunity. They have no obligation to deliver your mail, and have very good visibilty into the quality of your mail stream. If their stats say your mail stream is poor, they will do the opposite of what you were hoping for, and hard block the IPs instead.

"The take-away here is that an honest evaluation of your mailing lists can save you a lot of grief. A block is a lot harder to undo than getting them blocked in the first place, and fixing your mailing practices without involving the ISPs will result in better delivery and more revenue for you, the sender. If you don't know how to do this, consider hiring a consultant or an ESP to help you."

C-27 Canada's Electronic Commerce Protection Act passes Committee Review

2009-10-27T07:46:00.001-05:00

The Canadian anti-spam bill everyone is talking about, bill C-27, passed an important milestone on Monday October 26, at 17:30 when it passed clause-by-clause committee review and was referred back to the Canadian House of Commons materially intact and without controversial amendments that would have significantly altered the bill.

CAUCE board members followed the procedings intently, and are very pleased with the results thus far.

The bill faces a third and final reading in the house, before being sent to Senate, where it will face two more readings and votes, a committee review, and another final reading and vote.

It is expected to become law in Canada by the end of 2009.

--Neil Schwartzman

Top Five Tips for Dealing with Blacklists

2009-10-26T09:10:00.000-05:00

Some self-styled "email marketing insider" recently posted a "Three Tips for Dealing with Blacklist Issues" articl0065 and wow, it turned out to be simplistic, useless advice. Let's pretend it never happened, let's pretend we got that five minutes of our life back, and let's try again.

First, here's what you need to know about blacklists.

There are more than 200 blacklists out there in the world, and probably fewer than a dozen of them are actively used as spam filters at any large ISP or webmail provider. If you plug your IP address into a web form and go a reply that said "OH NOES! YOU'RE ON A BLACKLIST!" that does NOT mean you have a deliverability issue. Allow me to repeat: OMG YOU'RE LISTED ON A BLACKLIST DOES NOT MEAN YOU ARE GOING TO HAVE A PROBLEM DELIVERING MAIL.

Anybody can create a blacklist! You, me, some guy with his cat in his basement, a Linux user in Belgium, Huey Callison, anyone. Just because a blacklist exists does not mean it is widely used. You can hang a disco ball in your basement, but that doesn't make it Studio 54.

The only way a blacklist can cause your mail to get blocked at an ISP is if that ISP purposely chooses to subscribe to that blacklist. That means that a listing on Joe's blacklist, the one where he lists everybody who sends emails with the letter J in them, is not going to get your mail blocked at Yahoo.

Here are some real world examples. The various Spamhaus (SBL, XBL, PBL, etc.) blacklists are probably the most widely used blacklists in the world. If you're blacklisted on Spamhaus, you're going to have trouble delivering mail to Yahoo, Comcast, RoadRunner and a bunch of other ISPs. If you're listed on Spamcop or UCEPROTECT, the number of big sites that block your mail may be few, but lots of smaller sites use these lists to decide which mail to accept and which mail to reject. Getting listed on Spamcop or UCEPROTECT is something of an automated process; it is typically an accurate indicator that somebody sending mail from that IP address is sending mail to spamtrap addresses.

On the other end of the spectrum, a blacklist like Spam Cannibal or FIVETEN is likely to broadly list anything they don't like. Meaning, if somebody else on your network did something bad, they could and probably are listing the entire network. FIVETEN has a criteria wherein they blacklist entire ESPs who don't require confirmed opt-in/double opt-in. Sounds like a neat idea for a spam filter….unless you want to receive your shipping notification or flight status notification. All of that mail comes from ESPs and none of it is confirmed opt-in. Which is one of the reasons why you will never find the FIVETEN blacklist used by a major ISP. (Not that FIVETEN is inherently evil; to each their own, and email administrators have the right to use whatever spam filters they want. I mean only that in a typical production email receiving environment at a top tier ISP, users would scream bloody murder if this type of blacklist were used as a spam filter.)

If you think you have a blacklist issue, here's what you should (and shouldn't) do.

Don't panic. Calm and rational wins the race.
Check your bounces for reference to the blacklist. If you can't find any references to that blacklist in your bounces, forget about it and get on with your life. Read what I wrote above about how just because a blacklist exists, doesn't mean it's able to block your mail. Even if your IP address is listed.
Don't call the blacklist on the phone. Don't call your ISP or ESP and tell them to get the blacklist on the phone. Seriously, it doesn't work that way, and nobody that works for a blacklist cares about your business model. There is no, "if they could just understand how this impacts my business." Blacklist operators do what they're doing to stop spam, not make friends. And they're jaded from ignorant and/or bellicose listees driving them nuts. Be better than that. I can't say this enough times. Nobody cares, nobody cares, nobody cares.
Figure out what you did to upset them and fix it. If it's UCEPROTECT or Spamcop, you're hitting spamtrap addresses. What list did you mail on the day the listing started? That list may be dirty. It might be time to dump it, or reconfirm it. If it's a Spamhaus SBL listing, and it's because of a spamtrap hit, get ready to reconfirm your entire database. And too bad if you don't like it, that's the way it goes.
Request removal from the blacklist AFTER you've fixed your problem. After you've shelved the bad list, after you've reconfirmed the questionable database. Be mindful that many blacklists work in a way where listings expire automatically after a given amount of time.

Keep in mind that whitelisting does not prevent blacklisting. You could get Sender Score Certified, you could pay to be able to send Goodmail Certified Email, but you later send spam, buy a list, or send mail to a bunch of spamtraps, you are likely to end up blacklisted. No blacklist checks some magic list of whitelisted IP addresses and says "oh, we see all this spam from this IP address, but it's on a whitelist, so we won't blacklist it." (A very small number of blacklists occasionally make exemptions for technical issues, but that's not going to be something you qualify for.) And if you do bad things, you're similarly likely to get kicked off of the whitelist or certification program you're enrolled in.

And finally, if you're going to sue a blacklist, just go do it already and don't even tell us about it. Don't waste time commenting on the blogs, and don't bother sending angry hate mail to the maintainer of the blacklist. People that are going to sue, sue. People that aren't really going to sue, they just uselessly and lamely send hate mail and complain. It's useless noise. The quickest way to lose friends and alienate people who run blacklists is to threaten and bluster. It's all crap, and the blacklist operator knows it. You're not going to get delisted on the basis of your sheer force of personality. Or lack thereof, as the case may be.

(That Neko Case album? Really good, by the way.)

FRIDAY LOLZ: BALLOON BOY SPAM!

2009-10-23T07:38:00.021-05:00

The spam subject lines? Little boy trapped in balloon; Boy-balloon-madness; balloon kid’s full story; Balloon boy died; Little boy trapped in balloon; Balloon boy died; balloon kid’s full story; Boy-balloon-madness; Drama with balloon(exclusive).

I missed the balloon boy drama, because I was on the road the day it was all going down. Also, I don't own a TV. Thankfully, through the magic of spam, I am able to make my own mystical, magical connection to the balloon boy saga, if not to to little Falcon Heene himself. Thank you so much for giving me this opportunity, Canadian Pharmacy! It's true; spam can bring us together.

And thank you, McAfee TrustedSource, for giving me something to blog about today. My work here is done.

Barry Don't Play That

2009-10-22T12:02:00.004-05:00

Riffing on two recent themes here at Spam Resource, on the topic of ISP abuse desk/ email staff (now universally called Barry), and how some people mistakenly expect unblock magic to happen even though their mail streams suck, an employee of an ISP's abuse desk wrote in, offering up the following points of wisdom, thoughts on what annoys an ISP representative. Take it away, Another Barry!

As a Barry, there are things I really don't like to see come across my desk. A partial list, in no particular order:

Marketers who contact me directly for help, but fail to include even the most basic of data for me to look at, like IPs and error messages. This is especially annoying when accompanied by a rant about my system's incompetence.
Marketers that lie about the kind of mail they will be sending in order to game the system, or that abuse the trusted status of a transactional-only IP by sending marketing mail over it after some time has passed...thinking we won't notice.
Marketers that fluff their lists with a jillion "test" accounts...thinking we won't notice...and then ask me why their delivery and IP reputation are bad.
Marketers that use obfuscation services on their whois, have false-front websites or just an unsubscribe link for a site, have IPs scattered all over creation, and claim their mail stream is pure as the driven snow.
Marketers that send spam to my work email and then tell me their lists are legitimate.
Marketers that get my name from someone else who got it from someone else and contact me directly about netblocks that have a horrible IP reputation, whose mail is a voluminous stream of stuff that our stats clearly indicate that the recipients don't care about...and on the basis of this tenuous relationship demand that I whitelist them so they don't get blocked anymore.
Marketers that get blocked repeatedly and never change their mailing practices...and contact me directly asking me to intervene for them because they're special and our data are clearly wrong.
Marketers that don't understand what a deliverability emergency actually is, and escalate to me during non-business hours by way of media I cannot ignore. A hint: very few situations meet the criteria for "deliverability emergency."
Marketers who believe they have a deliverability emergency, and contact 6 different people at my company, without telling those 6 people that they have also contacted others. The resulting fire-drill does not generate warm fuzzy feelings.
Marketers new to the game who jump in feet first without doing any research, have no idea what they're doing or how to send marketing mail correctly, how to manage their mailing lists, etc...who then get legitimately blocked as a result and escalate to senior management. They get told the same thing by everyone from the bottom of the chain to the top, but continue to threaten legal action or to hold their breath until they turn blue...but don't actually take any of the advice they're given on how to solve their problems.

These are only some of my pet peeves.

I do this job for many reasons. One of them is that I actually really like helping people. I suspect this holds true for most Barrys. If you do any of these things I just listed, either you have created your own problem and we have no way to fix it for you, or you have annoyed us to the point where we have no desire to help you. Please, help us help you by not not doing these things.

Laura Atkins wrote an excellent post about the care and feeding of relationships of ISP reps, which should be required reading for anyone that thinks contacting an ISP is the necessary next step in solving their problems. Sometimes contact is the correct next step...but there are ways to go about it that will get better results than others.

Why do we need an opt-in spam law?

2009-10-21T07:02:00.001-05:00

As you saw in my previous blog post, I've come out in support of opt-in being the legally mandated permission standard in Canada. I don't think it's all that big of a deal; as I said before, opt-in is already a best practice. In response to that, one of my Twitter followers asked, what's the point? "Why, if opt-in is best practice in Canada does the government have to get involved?"

Since the 50,000 member-strong Coalition Against Unsolicited Commercial Email (CAUCE) has come out strongly in support of the proposed legislation (if done in an opt-in form), I decided to turn to CAUCE's Executive Director, Neil Schawrtzman, to give him a chance to respond. Take it away, Neil!

Al Iverson mentioned to me that someone took him to task on Twitter for his support of Opt-in, as it relates to the Canadian Electronic Commerce Protection Bill C-27 currently making its way through the legislative process here in my home and native land.

The task-master asked "If it's already best practice, why does the government get involved?"

Fair enough question.

I assume you mean why are we trying to codify (again) opt-in in law, and aren't questioning why we need a spam law. If the latter, I suggest you check your inbox, or your junk folder. The founder of the Canadian Pharmacy spam gang is a Montrealer.

So, onto the question I presume you are asking.

First off, opt-in already is the law here in Canada that you must have permission from a recipient to send them email. PIPEDA, our privacy law, has been in place for many years now. I have won judgments under it.

Laws strive to define what is under their jurisdiction and what isn't. The current best practice for email, indeed, the only logical one if a sender cares about complaints rates and IP & domain reputation, is opt-in. No 'ifs ands nor buts' about it, obtaining permission from the recipient in advance is fundamental if you want your email sends to get delivered to the inbox.

(I have written elsewhere that I'm not all that sold on Confirmed Opt-in, but opt-in still gets my vote, every time as an professional arbitrar of senders, and as a recipient of email. )

Bill C-27, indeed any anti-spam law has to take a stance on an integral part of email, the relationship between sender and recipient.

CAN-SPAM, for example, in the United States has taken the opposite of Opt-in, namely, Opt-out, wherein the recipient has to tell senders to stop sending them mail, and the results have been disastrous. Spammers register hundreds of domains, and cycle through them. Recipients must unsubscribe from each new false front mailed to them by abusive senders

Bill C-27 is reflecting not only best common practices, but an effective framing of the sender-recipient relationship as has been done in Australia and New Zealand, to great positive effect. It will become incumbent upon senders to maintain proper records of sign-ups for those instances when they are challenged with allegations of spam being sent. But that too is a best common practice anyway.

Bottom line: Bill C-27 must define the relationship, choose between opt-in or opt-out. and is happily reflecting the best possible version of reality by opting for opt-in, thus making it much more likely to be effective legislation towards its stated ends.

If you hate garbage ending up in your inbox, please consider signing our petition in support of bill C-27 and if you are Canadian, pick up the phone and call your member of Parliament. They can be found by entering your Postal Code here.

Neil Schwartzman
Executive Director
CAUCE: The Coalition Against Unsolicited Commercial Email
(P.S.: Al has graciously allowed me to add a little bit of a plug CAUCE. Check out our website at cauce.org where you can sign up for our newsletter and we have presence on Facebook, Linkedin and Twitter.)

I Support Opt-In Legislation for Canada

2009-10-19T13:40:00.000-05:00

There's an effort underway to undermine support for the Canadian anti-spam legislation currently in development. Why do people want to kill or gut Bill C-27? I'm having a hard time seeing a problem with an opt-in requirement; it's already best practice. People who don't follow opt-in as a best practice are already doing things wrong. We want less spam in the world, not more. Even marketers should agree, shouldn't they? Spam undermines legitimate marketing efforts. It "dirties the channel." So what's the big deal?

I'd recommend you take a moment and read what CAUCE has to say on the topic today.

Another Day, Another 419 Scam

2009-10-16T07:54:00.000-05:00

I must have landed in some scammer's address book, because I'm receiving some variant of this thing every day or two. Who is dumb enough to fall for this stuff? Besides the occasional Canadian, I mean.

A scamming idiot writes: "My name is Steven Morgan and I work with a finance house here in the Netherlands. I found your address through my countries international Web directory.

During our last meeting and examination of the bank accounts here in the Netherlands, my department found a dormant account with an enormous sum of US$ 6,500,000.00 (Six million five hundred thousand US dollar) which was deposited by late Mr. Williams from England.

Before his death he transferred the sum of US$6,500,000.00 (Six million five hundred thousand US dollar) to a bank here in Netherlands. From our investigation he had no beneficiary or next of kin to claim these funds. Because of our financial house regulations only one foreigner can stand as a relative or next of kin.

The request of a foreigner as a next of kin is base on the fact that the depositor was a foreigner and some body in the Netherlands can not stand as the next of kin.

On behalf of my colleagues, I need your permission as either a relative or next of kin of our deceased customer, so that the funds can be released and transferred to your account.

We need a foreign account, which could not be noticeable at the time of the transfer. I still work at the financial house and that’s the actual reason that I need a second party or person, to stand and work with me and apply to the bank here in the Netherlands as the next of kin.

At the end of this transaction, I want you to put aside 60% for me and my colleagues and the rest 40% for yourself for standing as the next of kin and also providing a reliable account.

I have in my possession all the necessary documents to have this transaction carried out successfully.

Further information will be provided upon the receipt of your prompt response."

Spamfighting Spam?

2009-10-15T07:07:00.002-05:00

Why is Spamfighter.com sending spam? Isn't it ironic? Like rain, on your wedding day?

No.

Zombie Blacklists: Life Goes On

2009-10-14T08:25:00.001-05:00

J.D. Falk expresses some legitimate concern about zombie blacklists over on the ReturnPath blog. Blackholes.us resurrected from the dead, and looking for delicious brains to snack on. Or something.

The guy that ran blackholes.us seems to be long gone and the new owners of the IP space and domain seem none too pleased with the residual traffic stinkin' up their network.And I can't fault them for that frustration.

"Listing the world" was their solution to the problem. Listing the world means hacking one's nameserver to return positive responses for every query. The net result is that for a domain being used as a DNSBL, every inbound email generates a "positive" result, meaning the sending IP is (supposedly) blacklisted, and the mail is rejected. Meaning that if you are using a long-dead blacklist in your mail server configuration, and that blacklist "lists the world," then you suddenly stop receiving inbound mail. One hundred percent of your inbound mail is deemed to be spam, until you yank that dead blacklist from your mail server's settings.

Okay, it's bad. It's not the right way to do things. It's not the best practice. I've talked a bit about shutting down blacklists before, and I can understand the frustration felt by those who feel that blacklist operators need to handle things better.

But, it's time to get over it and get on with our lives. This is the new way things work. Blacklists die, and people who run them aren't usually pros. They're just regular joes, and they want that traffic away from them, fast, because it irritates them.

And if you think a blog post is going to suddenly stop ex-blacklist admins from dropping in wildcard DNS entries, you're mistaken. It's the best way, it's the fastest way, to stop that traffic dead. And that's just not my opinion, because just about every recent instance of a blacklist shutting down is accompanied with mention of wildcard DNS entries.

Yes, it makes mail bounce. Yes, it causes some short term pain. What it really does, though, and rightfully so, is it reminds us that mail server administrators need to be more on the ball. They need to actually review their DNSBL stats and denote that blacklist X has never had so much as a single hit in the past year and a half. They need to do a Google search for that blacklist periodically and make sure it's still known to be up and running.

You've been sucking up my bandwidth uselessly for the past two years, an ex-blacklist operator is thinking, and you want me to care about how you might lose some legitimate email for a day until you realize that your mail server configuration is out of date? That ex-blacklist operator could care less, and I don't blame them.

If you're going to use a blacklist, make sure you sign up for that blacklist's announcement list. (And if you run a blacklist, make sure you have an announcements email list.) Watch sites like my own DNSBL Resource (RSS) and the excellent SpamLinks DNSBL info page. Set yourself a schedule, with a Google calendar or Outlook calendar reminder, to review the lists of blacklists you're using every six months.

By the way, in the past week, I've reported on three different dead blacklists. It's nice that somebody else highlighted the closing of blackholes.us, but what about the other two? They both make mention of wild card DNS entries as a possibility or likelihood in the near future.

Cleaning NDRs out of a Spamtrap Feed?

2009-10-13T08:30:00.001-05:00

Friends, Romans, Countrymen......could I lean on you for some tips on how to clean NDRs out of my spamtrap feed? As I ramp it back up I want to make sure I'm tagging mail correctly. I may include NDRs and other types of backscatter in some of my calculations, but I definitely want to denote what it is, as accurately as I can.

Could you offer up some suggestions on things to look for? Null return path/sender header is the big thing, if every NDR was formatted properly, that would catch it all. But I'm seeing a significant amount of bounces that don't have a null sender, so I'm probably also going to resort to some sort of text string matching. So if you have a big ole list of strings or individual string suggestions, please feel free to leave them in comments.

All feedback is welcome, and thanks!

Auth Don't Fix That!

2009-10-12T08:32:00.001-05:00

Over on Spamtacular, Mickey Chandler answers the question, "Our last mailing had 30 complaints at AOL. Will signing with DKIM and SPF help with our reputation there?" As Mickey explains, it boils down to, no, not really, that's not what authentication does.

In short, auth don't fix that.

Authentication helps your delivery, sure. It helps ISPs better tell good mail from bad mail. Authenticated mail means there is a proven connection that the mail you're receiving really came from who it claims to be from. It's a stable identifier for ISPs to use to determine domain reputation. Meaning, authentication allows internet service providers to easily compile data on how well-loved your domain is (or isn't), and that helps to them to exclude phishing and spoofing from that equation.

It's a good thing, but it's not some magical thing. “If you authenticate your mail, it will suddenly stop getting complained about” is not a true statement.

And there are a couple of really important things at ISPs that help senders, things that are tied to authentication.

Authenticate with Sender ID when sending to Hotmail, and you'll receive a modest deliverability boost. Why? Because they chose to build it that way. I read a white paper from 2007 that suggested that perhaps authentication was perhaps 11% of the overall deliver/don't deliver equation at Hotmail. Meaning, if you generate tons of bounces and spam complaints, that'll still damage your deliverability. But, if you're mostly good about what you send and whom you send it to, that little bit of positive boost from authentication can really matter.

And then there's Yahoo's Complaint Feedback Loop. The thing that, when you hit the “Spam” button, results in a spam complaint report being sent back to the sender or the sender's service provider. This is very valuable to senders, and their service providers, because it allows you to build your own stats on reputation. It lets you know which mailings have the most complaints, so you can focus your remediation efforts appropriately.

You only get access to Yahoo's feedback loop if you authenticate your mail with DomainKeys or DKIM (DomainKeys Identified Mail). Does it have to be that way? Maybe not, but that's what Yahoo has chosen to do.

So, authentication itself doesn't magically improve your deliverability, but it is tied to some things that can and do have a positive impact on a sender's ability to deliver mail.

But it's not going to make the spam complaints stop. That's a whole other problem.

Staying Safe Online

2009-10-10T08:37:00.032-05:00

Box of Meat recently linked to a couple of bits of really good info from two different webmail providers, talking about how to stay safe and secure online.

First, Michael Santerre from Google talks about how to pick a good password. Don't use the same password on multiple sites and how to pick passwords that are uniquely weird enough to deter guessing. Seriously, never, ever use the name of your husband, wife, dog, cat, child, or grandpa in your password. Never use anything from your own personal information, either. Not your middle name or the brand of car you own. Me? I always pick two random dictionary words, then cut them up a bit and add some numbers and punctuation to the mix. You would never guess my password based on what you know about my life.

Next, Mark Risher from Yahoo talks about how to avoid falling for a phish. Make sure any web page that asks for your password is really a yahoo.com page, pay attention to what you're doing, and don't use the same password on multiple sites (so that if you do accidentally give up your password, the bad guy's ability to access anything of yours is restricted). All wise advice. I used to ask myself, how do people fall for phishing attempts? I never have and I just couldn't imagine others falling for it. But, I'm paranoid and always paying attention to what page I'm on and what information is being asked for. And I suppose I'm a bit more technical than a lot of other internet users. So, it happens, and it's good to share info with others about how they can become more savvy to reduce the risk of them getting tricked out of their password or other sensitive information.

(H/T: Box of Meat)

Let Us Count Up The Fail

2009-10-09T07:33:00.001-05:00

Let us pretend the situation is as follows. (I hope, for your sake, that the situation is not really as follows. If it is, your life probably sucks.)

Your domain name is nonsense, a couple of words strung together.
Your website has nothing on it, except bragging up how great you are about lead generation.
Your privacy policy and company overview pages are blank.
Your about us page lists no people by name.
Your domain name is registered to a postal address that is obviously a UPS Store.
Your sending reputation is poor, because you're shoveling a lot of garbage mail that people don't seem to want.
You're blocked at a big ISP or two. Or four.
You email your contact at an ISP, saying "sup", talking like a frat boy, and asking for them to "do you a solid" and let the mail through.

What do you expect will happen next?

If you were expecting to get unblocked at that ISP, you were wrong.

If you were expecting that the ISP might take a closer look at ALL the mail you're sending, looking to see if there are other related IP addresses and domains that deserve blocking, you were right! You proved, by every possible data point, that your mail streams aren't trustworthy, and your mail doesn't even merit being delivered, because nobody knows who you are or how recipients opt-in. The only thing they know about you is that your mail generates spam complaints, nobody seems to care about it, and you're trying really hard to make it non-obvious who is behind the mail.

A Twitter Conversation About List Rental

2009-10-08T08:23:00.031-05:00

Yesmail: "Need an email list to kick start your marketing program? See Yesmail Direct's awesome promo for 100 free in your zip"

mihaisecasiu: "doesn't this go against every permission based marketing rule out there? some might even consider this as spam ..."
Yesmail: "these are consumers or small businesses that have signed up to receive information via email--All permission-based email addys"
mihaisecasiu: "whoever gives permission to perfectly unknown strangers to send messages to them must not be in their right mind"
Yesmail: "our email address data conforms to all relevant laws including CAN-SPAM. Email list rental is similar to renting postal lists."
jordanayan: "Your lists may conform to law, but u still sent me SPAM-no optin,-you are giving the industry a black eye and not ESPC compliant"
Me: "ROFL @Yesmail for saying "Email list rental is similar to renting postal lists." and touting legal compliance. Uh, NO."
Yesmail: "thanks @jordanayan, @allwebemail, @aliversion (sic) for your feedback! Glad to see folks care deeply about successful email marketing"
jordanayan: "We care, but you continue to send unsolicited SPAM that goes counter to industry best practices. Why not just stop the practice"

Allow me again to ROFL at the touting of one's CAN-SPAM compliance. (CAN-SPAM allows unsolicited email advertisements, so it's hardly a selling point to convince somebody that you don't send spam.)