Getting it Half Right

I'm now utilizing “second stage” filtering, using the primary Spamhaus blacklist, the SBL. For me, it's an experiment. I just wanted to see how well it works and what kind of mail it catches. I know that a large number of email addresses are now behind this kind of filtering – at least one domain registrar (who hosts mail for a zillion different domains) has been using this type of filtering for at least the past few months. So I wanted to see what kind of senders are getting tripped up in this kind of filtering, and how well it works as a spam-blocking methodology.

Here's how it works. For each email message, the following process takes place automatically:
  1. Find all the URL links in the email message.
  2. For each, look up the IP address of the host name or domain used in the URL.
  3. Check the blacklist (usually the SBL) to see if that IP address is blacklisted.
  4. If that IP address is blacklisted, then that email message is rejected or filtered.
It's a bit like SURBL or URIBL “URI/URL” filtering. SURBL and URIBL are blacklists that help you block spam based on the “spammishness” of a URL link in an email message. They work on host names or domains. A domain is on SURBL as text, not as an IP address. Spamhaus still works off of IP addresses, so a spam filter that uses this new “second stage” filtering has to be smart enough to convert that host name or domain to an IP address to perform the lookup. This is new, and not everybody's using the SBL this way. But already, enough people are checking a blacklist or two in this manner that this type of issue is going to significantly impact a sender's ability to send email.
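The four steps above as a minimal Python sketch; this is an added example, not code from the original post or from any filter it mentions. The `.example` hosts, documentation-range IPs and DNS answers are constructed, and the hypothetical `fake_resolve` stands in for live DNS so the block runs offline.

```python
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)\[\]]+", re.IGNORECASE)

def url_hosts(body):
    """Step 1: unique host names from every http(s) URL in the body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_name(ipv4, zone="sbl.spamhaus.org"):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def resolve_a(name):  # IPv4 A records; empty list when nothing resolves
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def second_stage(body, resolve=resolve_a):
    """Steps 2-4: (host, ip) pairs whose IP is listed; non-empty = filter."""
    hits = []
    for host in url_hosts(body):
        for ip in resolve(host):
            answers = resolve(dnsbl_name(ip))
            # 127.255.255.x replies are Spamhaus error codes, not listings
            if any(not a.startswith("127.255.255.") for a in answers):
                hits.append((host, ip))
    return hits

# Constructed sample: .example hosts, documentation IPs, made-up DNS answers.
SAMPLE = 'https://offers.hotel.example/stay?id=1 <a href="http://www.hotel.example/prefs">'
FAKE_DNS = {
    "offers.hotel.example": ["203.0.113.5"],
    "www.hotel.example": ["198.51.100.7"],
    "5.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],         # listed
    "7.100.51.198.sbl.spamhaus.org": ["127.255.255.254"],  # error reply
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

print(second_stage(SAMPLE, fake_resolve))
```

The sending IP never appears in this check, which is why a message sent from a clean IP can still be filtered on the strength of its links alone.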

Anyway, after running this for a couple of weeks, I've been watching the data for anything interesting. So far, nothing has jumped out at me. I haven't seen any significant false positive issues. Until today.

It looks to me that a rather large hotel chain (and the rather large company they've outsourced their email sends to) doesn't know about this kind of filtering. Because, while they were careful to send from an IP address that wasn't on a Spamhaus blacklist, the message contains URLs that map to Spamhaus-blacklisted IP addresses. That means that any receiving site that uses second-stage filtering is blocking their mail.

The sad thing was, the email might have been a misguided attempt to “go straight” and clean up their sending reputation. The email explained what kind of emails I'd be getting from this company if I chose not to opt out. Oops, what? It's (kind of) like a Permission Pass, only backwards.

A permission pass, also called a re-opt-in email or a re-engagement campaign, is a process a sender uses when having deliverability issues. It helps them re-confirm the addresses on their list. Doing so weeds out spam complainers and spamtrap addresses that were likely causing the sender problems. If you do it right, your spam complaints and spamtrap hits nearly evaporate overnight, and you're left with a smaller (but solid) list of recipients who really want your mail.

There are a few different ways you can do it, but the successful ways all boil down to this: first, you send an opt-in request (“click here to stay on the list”) to the people on the list. Then you track people who click on the link, safely considering them interested recipients. People who don't click, you don't mail again. You do it that way because a spamtrap or an invalid address can't click on a link.

If you do it the opposite of that, telling people, “Hi, we're going to keep mailing you unless you opt out,” you don't lose those spamtrap addresses or invalid addresses. As I said, spamtrap addresses can't click a link. So you can't tell if one of those non-responders is a spamtrap or an actual, interested recipient, and your list will continue to have both. If you do it the “opt-out” way, you don't lose the spam complainers, either. A few might choose to opt out, but many won't. They might not have noticed your email – this time. But they will next time, and they will report it as spam.

In short, sending an “opt-out” email like this is just sending another email. It doesn't clean your list, and it doesn't clean up any problems you're having.

Sending me an opt-out email like this is probably well meant, but at best, it's only half right. But similarly, sending from a non-blacklisted IP, while using blacklisted URLs, means their understanding of blacklists is probably just about half right as well.

Does that make them half blacklisted?
