Wednesday, July 01, 2009

Usenet.com Gets Ass Handed To It By Court

Nate Anderson reports for Ars Technica: "A federal judge yesterday found Usenet.com liable for just about every copyright infringement claim on the books: direct infringement, inducement of infringement, contributory infringement, and (just for good measure) vicarious infringement. Not content to be loud and proud about its pro-pirate agenda, Usenet.com also resorted to stonewalling legal questionnaires, sending employees to Europe to avoid depositions, wiping hard drives, and failing to turn over e-mail after being sued in 2007 by the music labels."

Hey, wait a minute. Isn't Usenet.com Jerry Reynolds? The guy who went after anti-spam activist David Ritz for using common spam fighting tools like "host" and "whois"? (Note to self: Don't try to acquire or use free, legal and common unix utilities in North Dakota.)

Why yes, yes indeed.

I've been eagerly awaiting the outcome of this case ever since I first heard about it. All I've got to say now is: Karma can be a real bitch sometimes, huh?

Find the court documents here.

Monday, June 29, 2009

Ask Al: Help prevent a bad thing!

Terry writes, "My manager wants to take all of the email addresses in our 'pending' list (ones that haven't clicked the link for the double opt-in confirmation) and convert all 10,000+ of those addresses to active and start mailing them. My problem is no matter what I say he feels that he has the right to do it. Is there any way you can help convince him that this is bad for business, will get blacklisted which will then get us booted from our ESP and I believe that this could even affect our capabilities of sending emails through our company email accounts. What can I do to make him see the light?"

Since I'm on vacation for a few days, I turned to my good friend Mickey Chandler (of Spamtacular) for help with a response. Here's what Mickey has to say:

Okay, first take a deep breath. The world is not coming to a crashing halt because your boss insists on making a mistake. Second, remember that spamming is, in fact, legal in the United States. So, no one is going to jail no matter how this plays out.

Now that we've calmed down a little, let's consider the possible downsides to what is being proposed.

First of all, there is the potential for lawsuits. Your contract with your ESP may mandate that you use double opt-in exclusively (and yes, there are a few of those out there). What your boss is proposing to do would be to change the level of permission from double to single opt-in. That may put you in breach of contract with legal repercussions that need to be considered by your boss in conjunction with his attorneys.

If your company promised to only add addresses via a double opt-in practice and were obtaining emails while making that promise then there is also a possibility of a lawsuit to be considered if you break that promise. Someone, somewhere could decide to sue based on fraudulent misrepresentation. Would they win? Probably not. In fact, lawsuits based upon explicit promises in privacy policies have never won in court. But that hasn't kept people from trying. The question that I always ask clients when they start doing something that could get them sued is "Do you want to fund the lawsuit?" That's just a slick way of asking how much this practice is worth to them monetarily. In other words, does the money we hope to make from this strategy sufficiently offset the amount of money that we would have to pay an attorney to defend us against an angry user or two in court? While it's a bit off the wall, it should be a consideration.

You seem to already have a handle on the various normal ways that these things tend to go bad. Double opt-in is not the key to not spamming. It is one very good way to make certain that you have clean, responsive lists of people who really do want to receive your message. The people who are in that pending file should represent something to you. That something isn't "a list of potential prospects that we're missing out on" but rather "a list of people who now won't be complaining about our messages." That means lower complaint rates than you should otherwise see. If you add those people then some large percentage of them will complain about your messages because they didn't click the link in the confirmation message for a reason.

The biggest thing to be concerned with here, though, is that you're taking a list of potentially very bad addresses and adding them to your active file. The list of addresses in your pending file is likely going to include addresses that have bounced, that are spamtraps, or are people who were added for spite (like DNSBL operators) or who decided they didn't really want to receive your company's mail and will mark it as spam. These are all addresses that you really don't want on your list.

Of course, higher complaint rates, sending mail to spamtraps, or sending unsolicited mail to DNSBL operators will mean that blocks will increase. When discussing the possibilities of blocking, don't forget the magic of all three methods used to block spam. First and most obvious is the IP-based DNSBL, like Spamhaus. Depending on the aggressiveness of the list, they may list your ESP's IP, all of your ESP's IPs, or your business IPs, or some combination of all three. Then there is the Right Hand Side Blocking List (RHSBL) which looks at the part of the From: line to the right of the @. The RHSBL, of course, represents a bigger danger for catching corporate communication outside of the mail stream sent by your ESP, but it isn't as widely used as the DNSBL or the URIBL. The URIBL, of course, looks to block mail based upon the URIs or links in your email. This, again, represents a bigger danger of catching your corporate communications than the DNSBL.

Finally, there is your ESP to be concerned with. Your ESP may have set up some things which are dependent upon the type of mail flowing from that IP. A good example of this is ISIPP's IADB DNSBL-like information lists. They give certain responses for different levels of permission. When your IP is set up with them, you have to say if the mail from that IP is double opt-in, single opt-in, or opt-out. And they will be (understandably) upset if you change the level of permission being used, especially if that level of permission is moving the wrong direction. ESPs tend to guard their relationships with outside companies fairly zealously. You don't want to make changes to the permission levels being used without closely working with your ESP and giving them time to make any adjustments needed to their representations to other groups who are helping to get your mail delivered. This will also give your ESP some time and an opportunity to step in and encourage your boss to do the right thing.

What your boss is proposing to do is far more serious than just dropping permission levels from double opt-in to single opt-in. It is damaging to your company's reputation because if people can't trust your company to do the right thing with their email addresses, how can they trust your company to do the right thing with their money and business? It is damaging to your company's reputation with your ESP and all of the ISPs you are sending mail to. And that reputation damage comes at a steep price.

Monday, June 22, 2009

SORBS Information Roundup

SORBS, a blacklist run by Australian Michelle Sullivan, has announced that its hosting agreement is being revoked and that it will soon be homeless. Click here for the announcement and my thoughts on what this means for SORBS users, over on my companion site, DNSBL Resource. EmailKarma and Deliverability.com cover this story as well.

Ms. Sullivan characterizes this latest action by the current host in a way that suggests that the University of Queensland no longer wishes to have SORBS on its network. "[They] have decided not to honor their agreement with myself and SORBS," she writes.

I've written about and discussed SORBS on multiple occasions over the years (including this review over on DNSBL Resource), which has led to an acrimonious relationship between SORBS and Spam Resource. There have been various attempts at retaliation against my perceived attacks on SORBS; things like Ms. Sullivan putting one of my domains in her usage examples, a typo-laden web page containing rants against my testing methodology (quickly pulled down after I responded loudly and publicly), legal threats, and "personal" SORBS listings that reference individuals by name, not spam issues. Strangely, I was also accused of being a principal at my employer, based on confusion over the Australian usage of the term "director."

Here are a few sites with other criticism and commentary relating to SORBS:

  • The IADL SORBS.net Story. Appears to be written by Dean Anderson, relates to a public disagreement between SORBS and AV8.com. This isn't that uncommon; Dean has had multiple public fights with anti-spammers before, and loves to accuse blacklist operators of secretly being spammers. However, it takes two to tango, and if SORBS really is/was listing AV8.com over an issue other than spam, then it highlights a potential failing of a blacklist supposedly focused on fighting spam.
  • A commenter on this SORBS Sucks thread suggests that as of April 2009, SORBS was blocking Network Solutions.
  • Here's a story where an email administrator talks about issues run into when trying to get addresses removed from SORBS dynamic list.
  • Here's a similar issue reported by a frustrated individual in the UK.
  • MTA (mail transfer agent; mail server) publisher Kerio noted in 2006 that SORBS was blocking various well-known ISPs/webmail providers, and recommended Kerio users remove dnsbl.sorbs.net from their mail server configuration.
  • According to this request for assistance, SORBS is blocking at least some Hotmail outbound IP addresses as of 6/22/2009.

ETA 6/24/2009: Ken Magill covers "SORBS on the Ropes" over at Direct Magazine. Note that there's an incorrect statement made by Ms. Sullivan in that article; SORBS is not used by Microsoft or Google. The SORBS story was also covered by Slashdot. It is telling that the very first comment is not a kind one: "A blacklist that charges you to get your IP removed will inevitably block far more than real spammers."

Thursday, June 18, 2009

Ask Al: Getting my Controversial Email Delivered

Steve writes, "My email list has grown very large over time (it's about 80,000 now). I'm sending out a non-commercial email article of a religious nature. It covers a controversial issue which I believe may lead to some recipients flagging it as SPAM (even though I have an unsubscribe button with my dedicated hoster). I want to be able to link to articles at various websites but I don't want those websites to be in danger of getting blacklisted. How do I avoid this?"

Steve, thanks for that great question. Controversial email topics are ones that tend to attract higher-than-average spam complaints and deliverability issues, but not always for the reasons you might assume. Fact of the matter is, millions of people sign up for email lists talking about lots of controversial topics every day. People don't typically report those messages as spam, because those messages are desired. If your mailings are generating a high number of spam complaints, you've got a bigger problem that you've got to address. Because of the topic of your email, it wouldn't surprise me to find that people "forge subscribe" other people to your newsletter. Somebody who wants to upset someone who is anti-religious runs across your site, and decides it would be funny to subscribe a bunch of other people, to get them all mad at you. Maybe even hoping to shut you down, get you closed down by your ISP for sending spam.

My recommendation on the best way to avoid that is to utilize confirmed opt-in (also called double opt-in) for your email signups. Just about every ESP out there offers this as an option. And any time you have a special kind of list that tends to have problems with forged subscriptions or other shenanigans, it can make a lot of sense to secure the list (and keep bad guys from messing with you) by switching to confirmed opt-in.

In a confirmed opt-in scenario, signup becomes a two step process. First, a subscriber would submit their email address on your website. Next, they would receive an email from your ESP or list management tool, asking them to confirm their subscription. The recipient clicks on the opt-in confirmation link in their email, validating that they were really the one who wanted to be on your email list. It keeps bad addresses off your list (as the confirmation email bounces harmlessly), and it keeps spam complainers off your list (because people who don't want to be on your list don't complete the confirmation step). Confirmed opt-in lists tend to have much lower spam complaint rates than other lists.
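The two-step flow above, sketched as an added example (not code from this blog or from any ESP). The secret, the seven-day expiry and the in-memory `pending`/`active` stores are assumptions made for illustration; the point is that an address only becomes active when someone with access to that mailbox returns the signed token.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to users
TOKEN_TTL = 7 * 24 * 3600          # assumption: confirmation links expire after 7 days

pending, active = {}, set()        # stand-ins for the list manager's two states


def sign_token(email, issued):
    """HMAC over address and issue time, so a token cannot be reused for another address."""
    msg = f"{email}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def subscribe(email, now=None):
    """Step 1: record the address as pending; return the token for the confirmation email."""
    email = email.strip().lower()
    issued = int(now if now is not None else time.time())
    pending[email] = issued
    sig = base64.urlsafe_b64encode(sign_token(email, issued)).decode()
    return f"{issued}.{sig}"


def confirm(email, token, now=None):
    """Step 2: activate only if the token from the mailbox is valid and fresh."""
    email = email.strip().lower()
    now = int(now if now is not None else time.time())
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
        given = base64.urlsafe_b64decode(sig)
    except ValueError:             # malformed token: no dot, bad number, bad base64
        return False
    if pending.get(email) != issued or now - issued > TOKEN_TTL:
        return False
    if not hmac.compare_digest(given, sign_token(email, issued)):
        return False
    del pending[email]
    active.add(email)
    return True
```

A forged signup never gets past `subscribe()`: the forger does not see the confirmation email, so the address stays in `pending` and is never mailed again.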

As far as not getting other sites blacklisted, the best thing you can do here is be really careful not to send spam, and not to do anything that will generate spam complaints in any significant number. That's why I suggest confirmed opt-in above. Beyond that, there really isn't much you can do. Some domain blacklists do indeed look for domains referenced in spam and consider them for blacklisting. But, this doesn't typically happen over a single spam report. Keep your nose clean, and it's not something you're likely to experience.

(There's a huge caveat here: If you're going to be talking about something that is referenced in spam all the time (say, for example, erectile dysfunction medication), then all bets are off. Mail that mentions things like this is probably going to run afoul of spam filters in ways you'll have little opportunity to address.)

By the way, if you don't think forged subscriptions are a huge problem, please send me your email address. I'm kidding... mostly. I've been getting forge-subscribed to crap for years, and it's very frustrating for both recipients and senders.

Tuesday, June 16, 2009

Ask Al: Blacklisted IP Address?

Tayo writes, "Our Outlook client suddenly stopped relaying mails with the error 'Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties. The server responded: 550 5.7.1 This system is configured to reject mail from (IP ADDRESS) (Host blacklisted in uce3.dnsbl)'

The IP address (IP ADDRESS) was traced to our ISP source. I think somebody blacklisted their IP address. We called and they have been working on it for three days now with no solution yet.

Can you be of help? What can be done from our side to solve this problem?"

Tayo, thanks for writing. It sounds to me like your ISP is blocking your own legitimate emails due to incorrect configuration on their part. It sounds like they use the UCEPROTECT blacklists, but haven't configured them in a way that would exempt their own customers, so that those customers can still send their own mail.

You're on their network. You're connecting to their SMTP server. This isn't a connection to an outside server. This is, very simply, the proper way for you to send mail. Maybe another ISP might block your mail (if they so choose), but your own ISP's mail server is supposed to be configured not to reject mail originated from legitimate connections on their own network.

Unfortunately, this is something you have to have your ISP fix for you. It's probably not something you can resolve on your own.
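The ordering problem described above, as an added example (not the ISP's or any blacklist's actual configuration). It also shows how lookup names are built for IP-based lists and for the domain-based RHSBL/URIBL lists mentioned in the June 29 post. The zones, addresses and listings are constructed placeholders, and the resolver is stubbed so the code runs offline.

```python
import ipaddress

# Constructed sample data: placeholder zones and documentation addresses, not real listings.
IP_ZONE = "dnsbl.example"          # IP-based DNSBL
DOMAIN_ZONE = "rhsbl.example"      # domain-based list (RHSBL / URIBL style)
LISTED = {
    "9.100.51.198.dnsbl.example",  # a customer address inside the ISP's own range
    "7.113.0.203.dnsbl.example",   # an outside host
    "bad.example.rhsbl.example",
}
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed customer range


def ip_query_name(ip, zone=IP_ZONE):
    """IPv4 DNSBL lookup name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def domain_query_name(domain, zone=DOMAIN_ZONE):
    """RHSBL/URIBL lookup name: the domain itself, then the zone."""
    return domain.lower().rstrip(".") + "." + zone


def is_listed(name, resolver=None):
    """A listing is a DNS answer at the query name; stubbed here with LISTED."""
    resolver = resolver or (lambda n: n in LISTED)
    return resolver(name)


def accept_submission(client_ip, authenticated=False, exempt_own=True):
    """Decide whether the ISP's relay accepts mail from client_ip.

    With exempt_own=True, own-network and authenticated clients are accepted
    before any DNSBL lookup; exempt_own=False reproduces the misconfiguration.
    """
    addr = ipaddress.ip_address(client_ip)
    own = authenticated or any(addr in net for net in OWN_NETWORKS)
    if exempt_own and own:
        return True, "own customer: DNSBL check skipped"
    if is_listed(ip_query_name(client_ip)):
        return False, "550 5.7.1 rejected: host listed in " + IP_ZONE
    return True, "not listed"
```

With `exempt_own=False`, the listed customer address `198.51.100.9` gets the same kind of 550 rejection Tayo saw; with the exemption in place only outside hosts are checked against the list.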

Monday, June 01, 2009

Check Your CAN-SPAM Checklist

Over at Spamtacular, Mickey Chandler offers up a helpful checklist to make sure you're in compliance with CAN-SPAM. You'd think CAN-SPAM compliance would be a no-brainer, but sadly, that's not always the case.

And you do know that CAN-SPAM is a starting point, not a finish line, right? You need to comply with CAN-SPAM *and* adhere to permission best practices, if you want your email to get delivered.