Address Validators: What are you Validating?

Laura Atkins wrote this really good post yesterday talking about email address validation, asking the question, "Can you verify email addresses in real time?" In it, she highlights her poking at a specific address verification service, immediately finding an example of how it identifies a specific handle of hers as a valid address when it isn't.

I've talked about email address validation for a long time now. Specifically, the pitfalls: why it doesn't really do what you think it does, and why it gets you blocked as a spammer by ISPs. Since 2007 (actually, longer), I've been warning people that the most common email validation methodology involves noisy SMTP transactions that land you on an ISP's "bad guy" radar. It started with SMTP VRFY, which just about every ISP now disables outright. To get around that, validation services (and spammers) moved to "faking it" via a series of SMTP commands. They walk through a sequence of MAIL FROM and RCPT TO commands (identifying who you might be trying to send a message to) without issuing a corresponding DATA command (meaning you never actually transmit a message to send). If the RCPT TO command fails, then it's a bad address. The recipient, the person you're trying to validate, never receives the message and is never the wiser. All good, right?

Wrong. When you do this, ISPs notice. It sets off a blazing red alarm that you might be a spammer, potentially up to no good. ISPs decided long ago that this is spammer behavior, and they'll block you. I know from experience that Hotmail, in particular, considers this akin to a dictionary attack -- which may or may not be an accurate term for it, but that is what Hotmail has decided, so it's something you've got to deal with.
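The receiving side of the probing described above, as an added example that is not part of the original post: it scans a constructed, simplified SMTP log and flags clients that issue many RCPT TO commands, mostly rejected, in sessions that never reach DATA. The log line format, the function name and the threshold values are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: "<session> <client-ip> <SMTP verb> <reply code>".
# This simplified line format is an assumption, not any real MTA's log format.
SAMPLE_LOG = """\
a1 203.0.113.7 MAIL 250
a1 203.0.113.7 RCPT 550
a1 203.0.113.7 RCPT 550
a1 203.0.113.7 RCPT 250
a1 203.0.113.7 QUIT 221
a2 203.0.113.7 MAIL 250
a2 203.0.113.7 RCPT 550
a2 203.0.113.7 RCPT 250
a2 203.0.113.7 RSET 250
a2 203.0.113.7 RCPT 550
b1 198.51.100.20 MAIL 250
b1 198.51.100.20 RCPT 250
b1 198.51.100.20 DATA 354
b1 198.51.100.20 QUIT 221
c1 192.0.2.44 MAIL 250
c1 192.0.2.44 RCPT 550
"""

def find_probers(log_text, min_probes=5, min_reject_ratio=0.5):
    """Return {client_ip: (probes, rejected)} for clients whose RCPT TO
    activity in DATA-less sessions crosses both (illustrative) thresholds."""
    sessions = defaultdict(lambda: {"ip": None, "rcpt": [], "data": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of aborting the scan
        sid, ip, verb, code = parts[0], parts[1], parts[2].upper(), int(parts[3])
        sess = sessions[sid]
        sess["ip"] = ip
        if verb == "RCPT":
            sess["rcpt"].append(code)
        elif verb == "DATA" and code == 354:
            sess["data"] = True  # the client went on to transmit a message
    probes, rejected = Counter(), Counter()
    for sess in sessions.values():
        if sess["data"]:
            continue  # ordinary delivery; its RCPTs are not counted as probes
        probes[sess["ip"]] += len(sess["rcpt"])
        rejected[sess["ip"]] += sum(500 <= c <= 599 for c in sess["rcpt"])
    return {ip: (n, rejected[ip]) for ip, n in probes.items()
            if n >= max(1, min_probes) and rejected[ip] / n >= min_reject_ratio}
```

A single mistyped recipient (client 192.0.2.44 in the sample) stays under the default threshold; only the repeated DATA-less pattern is flagged.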

But let's set aside the technical and policy limitations that prevent this from being a success. Let's pretend everybody allowed this. When you perform this address validation, when it doesn't get blocked, what are you actually validating?
  • A verification service isn't going to know if an address is a spamtrap. It'll say that a spamtrap is a valid address, in that it accepts mail.
  • A verification service isn't going to know if the recipient is the right recipient. It's not like a double opt-in (aka confirmed opt-in) process. It does no verification of consent.
  • And some verification services provide false positive responses (as Laura Atkins was able to demonstrate).
So when you subscribe to an email address verification service, what are you actually buying, exactly? It sounds like you're buying a best guess that the address won't bounce... which you could have figured out yourself if you sent the subscriber a welcome message after they signed up.

Where's the value here? I'm not seeing it.

If the email’s legal, it can’t be spam. Can it?

Answering an important, and often-raised question by senders finding themselves blocked, Mark Brownlow explains that no ISP is going to let your mail through just because it is CAN-SPAM compliant. Read all about it here.

CheetahMail "Gives Up" Email Append

Over on the Email Responsibly blog, Experian CheetahMail's Ben Isaacson explains "that Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use this practice to acquire customer email addresses."

For those of us banging the best practices drum every day, this is fantastic news. For an email service provider like Cheetah, who has seemingly engaged in and supported the practice for many years, to stand up and say yeah, it's played out, don't do it: this has to signal a major shift in the industry.

Some, but not all, email service providers have banned use of email append for some time now, and a rallying cry of disaffected clients, when told not to utilize it, was often "but company X would let us do it!" The list of company Xs that would allow that sort of thing has just shrunk significantly today.

ETA 1/25/2012: Ken Magill covered this in the Magill Report this week.

Still Delicious in 2012

Link-sharing site Delicious may have changed owners last year, but my account is still alive and chock full of deliverability-related links. Click here to check it out.

Append a keyword to a URL if you want to bookmark a certain section. For example, if you want to bookmark all of my links to Comcast or Gmail-related info, you would want to bookmark http://delicious.com/deliverability/comcast or http://delicious.com/deliverability/gmail.
 

A Heck of an Oops

On December 28th, the NY Times sent an email, intended to go to about 300 people, out to over eight million email subscribers. At first, Times employees said it didn't come from them; it's forged, it's spam, ignore it. Many of us started to review the message source, noting proper email headers, proper links, email authentication, etc., noting that the email sure-as-heck looked to us like it was legitimately sent by the Times. Right about the same time I reviewed those headers, and came to the conclusion that it had to be legit, the Times clarified that it was an oops, and they did really send it.

That was one heck of an oops. Enough of one to actually make the mainstream media, where I'm sure you've all read about this already.

Jim Romenesko gave me a good laugh today, which is why I'm posting this. Like him, I'm dying to know, what happened to the person who pulled the trigger on that email send? Is that person still employed? Sadly, the Times isn't telling.

Is this type of error career suicide? What do you think?

2011: The Year in Spam

"Spam is Lame" of the "I Kill Spammers" blog has posted a pretty comprehensive and delightful recap of legal action taken against spammers in 2011. I'm glad I stumbled across this as I hadn't known about the arrest of Alan Ralsky's stock broker back in February.

Ask Al: Help, I'm blocked at AT&T!

Jay writes: Al, I am getting the following message on several emails related to AT&T: flph260 DNSBL:ATTRBL 521< xxx.xxx.xxx.xxx>_is_blocked.__For_information_see_http://att.net/blocks After going to the ATT site, using Spamhaus to check the IP as well as using AT&T's submittal removal site, I am at a dead end as to how to get this resolved. Spamhaus came up showing no problem. Any help would be appreciated.

Jay, there are a few different reasons somebody can get blocked at AT&T, from what I can tell.
  1. A significant spike in sending volume or spam complaints.
  2. A significant spike in sending volume or spam complaints in the same network neighborhood as you (meaning other sending IP addresses in a /24 may have caused the blocking).
  3. Some really bad stuff is going on, sending some sort of affiliate spam or really, really unwanted stuff that they're able to identify and/or fingerprint through various means that they don't disclose.
Maybe there are other reasons or circumstances under which AT&T will block mail from an IP address, but those are the three that I'm most familiar with.

Assuming the issue is #1 or #2, the way to resolve it is to submit that unblock request via AT&T's website. Alternately, if you've had no response after many days, you could try sending mail to postmaster at att.net. However, if there's a reason they're not responding, because they're busy, behind, or not able to assist, pinging them again via another method isn't likely to get you a response.

It's the holiday season right now, which means lots of people are on vacation and away from work. Maybe there's a backlog of unblocking requests awaiting review and approval at AT&T. Also keep in mind that ISPs don't view their postmaster teams as the treasured and necessary resource that they once did; lots of ISPs used to have whole teams of people managing these things, and in most cases, that has been reduced to a web form and some tiny part of some single person's job. Responding to blocking requests is just not a priority for most ISPs.

And if the issue is #3, then forget about it. They'll probably just go radio silent on you, and not respond at all. Most ISPs simply don't respond to inquiries about really bad stuff. I could only theorize as to why, but if it were me, I'd figure there's no point in helping the bad guy understand how we caught him. I know that could feel unfair, because what if you're not a bad guy, and you're given no opportunity to make your case? That's just the way the world works, sometimes.

I don't see any evidence to suggest that Spamhaus is used by AT&T, nor would I make any sort of assumption that your mail would or would not be delivered to AT&T subscribers based on a Spamhaus lookup.

AT&T also publishes a postmaster site at http://www.att.com/esupport/postmaster/. I strongly recommend reading all the recommendations they provide there as far as best practices and how to ensure your mail is delivered successfully.

Netprospex Blacklisted By Spamhaus

I've written about Netprospex before. For example, talking about how I think their "opt-out" guidance on email marketing is misguided (and how so many others feel the same way). And then there was Peter Seebach's post questioning their touted "verified!" business lists for sale. And most recently, there was that commenter who asked me what I thought of using Netprospex as part of an email acquisition strategy. (My response: "It's like buying a lottery ticket as part of your retirement savings strategy.")

I feel like it's all been said before, so I won't bother going into any depth on my opinion of companies such as Netprospex. Instead, I'll just link you to their latest Spamhaus blacklisting. The entry is light on details, so I could but speculate as to what happened. But clearly, the blacklisted IP addresses 38.101.213.238 and 174.122.201.114 are now having significant issues attempting to deliver mail to Yahoo, Hotmail, Gmail, Comcast and many other ISPs. Ouch.

(Update: Two SBL entries, from the looks of it. Click on the IP addresses above to link to each.)

The Passing of J.D. Falk

I'm very sad to pass along the news that J.D. Falk has passed away after a year-long battle with cancer.

I feel like I've known J.D. forever, and I most definitely had come to greatly respect and admire him. Occasionally, when I loudly attempt to espouse a consumer-centric point of view, someone would ask me if I'm trying to sound like Seth Godin; I reply that no, I'm channeling J.D. Falk. Helping to stop spam and improve the email ecosystem has been his day job for so many years, across Yahoo, Hotmail, the Mail Abuse Prevention System, and most recently, Return Path. That job occasionally involved hitting marketers with a stick, reminding them that the email universe does not revolve around them.

The world is a slightly less better place today without J.D. Falk in it.

What does Spamhaus think of email append?

Today I stumbled across SBL listing SBL120550, which says the following:

"Several IPs in this /28 are sending spam to spamtraps advertising the services of ADT Home Security. The IPs belong to InfoCanada, a division of InfoUSA, via their Yesmail ESP.

InfoUSA also sells purchased and e-pended lists. We do not know whether the purchased list that the customer is using came from InfoUSA, but we consider the sales of purchased and e-pended lists to be spam support by definition. Use of such lists is a reliable path to an SBL listing."
(Emphasis added.)


There you have it, straight from Spamhaus themselves, explaining exactly what they think of purchased and e-pended (email append) lists.

Laura Atkins of Word to the Wise has compiled some very helpful ISP Summary Information, showing that, for starters, the SBL is used as a spam filter at AT&T, Comcast, Cox, RoadRunner, and Yahoo. Meaning, use of email append can lead to a blacklisting by Spamhaus, which leads to blocking at those ISPs. And they're not the only ones who use Spamhaus; I think Hotmail and Gmail do, too. Not to mention, many other smaller ISPs and corporate sites.

On Validating Email Addresses

Visualizing Yahoo Spam Blocking

This cool website from Yahoo shows how many emails they're processing every second. Of most interest to me is the amount of spam they're blocking: click on the "show blocked spam" button to see for yourself. Doing some rough math this morning, it appears that right this second, only 84% of inbound mail attempts into Yahoo are unwanted spam, meaning that "only" 84 out of every 100 servers in the Yahoo inbound mail server farm are wasting their entire existence on processing mail that nobody wants. Ouch, what a waste.

Dutch ISP Picks Fight with Spamhaus

eWeek reports that Dutch internet service provider A2B has filed two police complaints against anti-spam blacklist Spamhaus for refusing to terminate a provider Spamhaus alleges is known for "hosting malware, phishing and websites selling fraudulent goods advertised via spam."

I didn't know much about the story at first, other than noticing A2B principal Erik Bais on Twitter and thinking to myself, wow, that guy is really mad about this.

Today, we have Spamhaus's side of the story, as published on their own website. Seems pretty straightforward to me; I've dealt with Spamhaus enough times to know that if you don't terminate the bad guys after Spamhaus notifies you, there's a potential that they will escalate the listing in question. Like it or not, Spamhaus regularly lists ISPs and providers it feels to be "spam supporting" through their connection to a given spammer. It feels like Erik Bais is perhaps new to this particular kind of rodeo.

In their published statement, Spamhaus explains that the alleged bad guy in question is "CB3ROB A/K/A "CyberBunker" [and] has a long history of run-ins with the law. It was also a host of the infamous 'Russian Business Network' cyber-crime gang broken up by the FBI and other law enforcement agencies."

A2B alleges that the Spamhaus action amounts to a denial-of-service attack. I'm not sure how; there's a pretty commonly understood technical definition of what constitutes a DoS attack, and a Spamhaus listing doesn't seem to fit that definition.

Is A2B likely to see any action taken as a result of the complaint? My guess is, "probably not," especially considering the following bit at the end of the Spamhaus statement: "With no irony lost, this week senior staff from Spamhaus and the Dutch high-tech crime-unit tasked to investigate the very criminal activity CB3ROB hosts and A2B Internet routed, were meeting together at an anti-cybercrime conference. CB3ROB, A2B Internet and the phishing, malware and counterfeit goods outfits both were tacitly servicing were discussed and Spamhaus handed its files on CB3ROB and A2B Internet to the Dutch NHTCU's investigator."