Data Breaches and Email List Data Theft

In a comment on another blog, Neil Schwartzman reminded readers that the recent theft of email list data from Aweber wasn't the first time in history that spammers stole email addresses from a service provider. As he points out, something similar happened to Lyris' Sparklist service back in 2002. He also pointed out that convicted felon Jason Smathers stole 30,000,000 addresses from AOL in 2003. The Ameritrade data leak from a few years ago comes to mind, as well. In that case, it may have been an ongoing issue from 2005 through 2007. Yuck.

In 2006, email marketer Datran settled with the New York Attorney General over allegations of misuse of email list and/or subscriber profile data. On that issue, Fox News reported that "Spitzer accused Datran of knowing of the companies' pledges [never to share data with a third party], but [that Datran, as a third party, was] spamming those consumers with unsolicited e-mails anyway, advertising discount drugs, diet pills and other products. [...] Spitzer's staff said they believe it is the largest deliberate breach of Internet privacy discovered by U.S. authorities."

It strikes me that perhaps the Aweber breach wasn't quite the "largest data breach in email marketing history" as suggested elsewhere.

On a semi-related note, this Chronology of Data Breaches, published by the Privacy Rights Clearinghouse, is very interesting. Maybe somebody needs to start something similar for email-specific data breaches? Sadly, there may have been enough of them by this point to warrant a standalone time line.

Mickey Chandler, Deliverability Consultant

My friend Mickey Chandler has finally taken the plunge and hung out his shingle as a deliverability consultant.

Mickey's a sharp guy. We go way back, all the way back to working together at the Mail Abuse Prevention System (MAPS), before it imploded under the weight of many lawsuits. (Ah, to be young and stupid again.) Since then, we've both migrated to the deliverability and email realms. Most recently, Mickey was the director of ISP relations for an email service provider. He and I work together periodically on various industry-related stuff, and I find his expertise and insight to be very strong.

Mickey also runs the blogs Spamtacular and Spamsuite, sharing commentary highlighting his wealth of knowledge and building up a very useful repository of spam-related legal documents.

If you're looking for a consultant to guide you through the complicated world of email deliverability, I'd recommend Mickey without hesitation. To learn more, head on over to Mickey's website at www.whizardries.com.

Top Five Spam Resource Posts in 2009

As the last few days of the year come to pass, I thought it might be fun to revisit the top five most viewed articles this year right here on Spam Resource.

"Herbal King" Spanking Continues

"A New Zealand citizen living on the Sunshine Coast has been ordered by the Federal Court to pay a $210,000 fine for taking part in the world's largest spam operation. The fine comes after the 'spam king' has received fines from all over the world for his actions, including a massive $US16 million fine from the Federal Trade Commission in the United States.

"Lance Thomas Atkinson has been fined and banned from sending unsolicited commercial emails for the next seven years, after he took part in an operation advertising fake prescription drugs such as 'male enhancement' and weight-loss medication."

Read the rest of the story here.

Aweber Hacked; Email Addresses Stolen

As discussed here, here, and confirmed here, the email service provider Aweber was the victim of some sort of cyber-attack that resulted in bad guys getting access to email addresses stored in the Aweber system. This was tracked by way of spam starting to be received at unique addresses only given to various companies using Aweber for their email list management.

Not good news at all, for anyone involved. What can you do about it? I'm not sure, to be honest. There is no easy answer; no way to undo this. If anything comes to mind, I'll be happy to share it here. And to my readers, if you have any ideas on what an ESP's client should do if their ESP gets hacked, resulting in the loss of list data, please feel free to share in comments.

On List Growth and Buying Lists

Today, I'm following up on my last post about how one must be able to have a way to tell the world about their super product and service.

Jonathan writes, "I came across your web-site and I'd really appreciate some help regarding opt-in lists! I'm about to start a email marketing campaign and I want to use 6-7 different firms simultaneously. The issue I've run into is that each of the firms I've found has a plethora of complaints against them! I was wondering if you could kindly recommend some reputable opt-in/double opt-in firms which are cost effective. I look forward to hearing from you."

I can't. Anybody who wants to sell you a list is trying REALLY hard to do you a disservice.

Wahhh, "Just Hit Delete"

Anonymous writes, "If someone can't use e-mail lists for marketing to potential customers how does one then share the message about a super product or service. I enjoy receiving information. If I do not wish to view the e-mail, then I simply delete. Please advise."

I asked around for a bit of feedback on this one, and the universal response seemed to be that nobody cares what you think. My friend Doug Lim provided this reply, my favorite: “You seem like a total douchebag. Please advise.” This was typical of most of the responses.

The Case of the 500-mile Email

I present to you a random email-related geek funny from 2002:

"We're having a problem sending email out of the department."

"What's the problem?" I asked.

"We can't send mail more than 500 miles," the chairman explained.

I choked on my latte.  "Come again?"

"We can't send mail farther than 500 miles from here," he repeated.  "A little bit more, actually.  Call it 520 miles.  But no farther."

Click here to read the whole story.

More Anti-Spamhaus Fun

Yesterday, I pointed you at an anonymous blog, written by some angry random dude who happens to be really upset about Spamhaus. Anonymous ranty blogs are no fun; it's much more fun to mock the person behind them when you have a face go to along with the angry confusion.

Fire up the ROFLCopter!

This hilarious anti-Spamhaus blog has decided that the best way to get the word out is by pirating content from other sites about how people who have been blacklisted for spamming are angry. Yes, it's true. People who have been blacklisted are angry. Shocking.

Receiving Duplicate List Messages?

The other day, somebody asked me what causes a recipient to receive the same message more than once. I run into duplicate message issues perhaps once or twice a year; not too often, but often enough that a recipient gets really angry at the sending ESP, assuming it's they're fault, because it doesn't seem to be happening with other email.

Not How It Works

The context: Over on Laura Atkins' Word to the Wise blog, she talks about the coming changes. The coming storm, if you will. How ISPs are fed up with sender practices. She rightly points out, that the rope ISPs currently give ESPs, is going to be used to hang a bad guy sometime soon, if it's not happening already. In the comments on that post, this reply caught my eye:

SURBL Announces New Experimental Blacklist

Read about it over on DNSBL Resource.

Check Your Rep @ AOL

AOL has significantly updated their Postmaster site today. One thing of particular interest is their new IP reputation checker. You can use this tool to look up the AOL sending reputation of your IP address. Mighty handy, if you ask me. I got to see a preview of this a while back, and I've been eagerly awaiting its official launch.

Is an Unsubscribe Link Required?

A reader contacted me the other day, showing me an email message he had received from his bank.  They had sent him a transactional message, and he took umbrage at the fact that the message did not have a way to unsubscribe from future messages. He contacted the bank, and the bank brushed him off, saying an unsubscribe link was not required.

Did you catch that?

Good ISP info from Annalivia Ford, Christine Borgia, and Laura Atkins.

Permission, Co-Reg Sucks, and ESPs

Here's a good thing to read: Jamie Tomasello from Cloudmark reminding us of the basics. Permission matters. Co-reg is bad. Making assumptions in place of getting explicit permission.

IT'S A RACKET!

Over on her fancy new blog, Annalivia Ford talks about the supposed "spam/anti-spam racket," like somehow ISPs want spam and find spam fighting to be a fabulous revenue stream (ROFL).

"Herbal King" Ringleader Fined $15 Million

Spamhaus writes: "The Herbalking aftermath continues with a federal judge ordering ringleader Lance Atkinson to pay the FTC a hefty US$15 million. After already admitting his involvement to the New Zealand authorities last year now the US Federal Trade Commission steps in with its findings." Read more here.

John Levine points out that this fine really matters. Why? "Spammers are in it for the money, and to the extent they can keep what they get, they'll keep spamming. Fines that wipe out the profits, and in particular fines that can actually be collected are essential if we're going to make any progress against spam." You can find his take on it here.

Ken Magill reports on it here.

Ralsky Gets 51 Months in Prison

Alan Ralsky, a pump-and-dump spammer noted by Spamhaus as one of the world's top ten worst spammers for "quite some time," is off to camp fed for 51 months. Anti-spammers are torn between cheering for his downfall and annoyance that the sentence doesn't include longer prison time, or banishment to a desert island. For more on the story, head over to Brian Krebs' Security Fix website.

Ask Al: Delivering a Monthly Newsletter to 350 People?

Lynn asks, "Al, I'm hoping you can help me out. I belong to a group that has a mailing list of 350 people. Every month the group sends them a PDF, and there are always problems. Some people can't open the PDF attachment. Some people get the mail in their spam folder. Some people (usually Hotmail users) don't get the email at all. What's the right way to get this mail delivered to the inbox?"

Lynn, thanks! Great question. Here are some general suggestions, things I would do if I were in your shoes.

O HAI TAG44 WTF?

My friend Mickey Chandler mentioned to me that TAG44 emailed him yet again.

They're apparently still putting a stupid "this is not spam" disclaimer in their email. As with last time, they reference a law that doesn't exist.

Loren McDonald on FISUE Syndrome

Yesterday, Loren McDonald blogged about "FISUE Syndrome." What is it? It's where a recipient "Forgot I Signed Up for Email." He writes: "Was That Email Spam? Or Just Spam-Like? Earlier this year, I received an email from a presentation company that I was sure I had never heard of nor done business with. [...] I didn't know who this company was or whether I knowingly opted in for email, and I still don't."

Ask Al: What are filters checking?

Jerry writes, "Al, a recent email from 'Get to the Point' quoted you as below. My question is this: What, exactly, are spam [content] filters picking up from a generic template that could reduce delivery? Thanks in advance for your reply."

Breaking News: Spambag is Still Dead

Mangesh writes, "Can you verify and help me out to remove my exchange server at IP address XXX.XXX.XXX.XXX from blacklist.spambag.org? You can email me on same email address or alternate email address i.e. address@example.com . My contact number is XXX-XXX-XXX."

The Legitimate Email Marketer Isn't

As Laura Atkins points out, everybody who uses the phrase "legitimate email marketer" seems to have some huge horrible problem caused by their own bad practices. And she's right. Actual legitimate marketers don't need to brag. They're too busy making money and friends. Those in the know recognize that waving the phrase around is gauche; a badge of honor worn only by those who don't deserve it.

Karmasphere Reputation Services Shutting Down

Karmasphere, founded in 2005 by Meng Weng Wong as a reputation service provider, provided some neat tools, allowing any Joe internet user to publish their own blacklist or whitelist. Neat! How does one make money doing that? Sounds like they weren't too sure, either, based on the email I received on Monday, November 2nd, 2009.

Two New Zealand Spammers Fined

Vincent Hannah of Spamhaus reports: "Two New Zealanders well known to Spamhaus have been fined for their roles in the biggest pharmaceutical spamming operation in the history of the internet, officials of the nation's Department of Internal Affairs (DIA) said on Monday.

"They were part of a business based in Christchurch that sent more than two million unsolicited emails promoting Indian-made herbal products to New Zealand addresses over four months in 2007, the DIA reported.

"Shane Atkinson was fined $100,000 New Zealand dollars (USD71,600) and Ronald Smits $50,000 in the Christchurch High Court last week, the DIA said in a statement."

Read the rest here.

Ask Al: Bad things happening?

Perry writes, "I keep coming back to re-read your comments about AOL being the good guys. I must admit, that when our ISP is on their blacklist, bad things happen."

Well, unless AOL has suddenly implemented a new policy of picking up a bus full of day laborers from the parking lot in front of the Home Depot, driving them over to your home, and beating you with zucchini while you sleep fitfully on a carpet remnant in your unheated basement, I don't really believe that bad things are happening to you.

Judge rejects TD Ameritrade breach settlement

In early 2007, Ed Falk, John Levine, and other trusted anti-spam and network security folks started to note that email addresses given only to TD Ameritrade were beginning to receive spam from unrelated entities.

Ask Al: The Strange Case Of The Help Request Gone Awry

Jeremy asks, "Al, Help! I submitted a support ticket to [an ISP] for my IPs which were getting tempfailed, and 24 hours later they were completely blocked! Why?"

C-27 Canada's Electronic Commerce Protection Act passes Committee Review

The Canadian anti-spam bill everyone is talking about, bill C-27, passed an important milestone on Monday October 26, at 17:30 when it passed clause-by-clause committee review and was referred back to the Canadian House of Commons materially intact and without controversial amendments that would have significantly altered the bill.

Top Five Tips for Dealing with Blacklists

Some self-styled "email marketing insider" recently posted a "Three Tips for Dealing with Blacklist Issues" articl0065 and wow, it turned out to be simplistic, useless advice.  Let's pretend it never happened, let's pretend we got that five minutes of our life back, and let's try again.

FRIDAY LOLZ: BALLOON BOY SPAM!

The spam subject lines? Little boy trapped in balloon; Boy-balloon-madness; balloon kid’s full story; Balloon boy died; Little boy trapped in balloon; Balloon boy died; balloon kid’s full story; Boy-balloon-madness; Drama with balloon(exclusive).

I missed the balloon boy drama, because I was on the road the day it was all going down. Also, I don't own a TV. Thankfully, through the magic of spam, I am able to make my own mystical, magical connection to the balloon boy saga, if not to to little Falcon Heene himself. Thank you so much for giving me this opportunity, Canadian Pharmacy! It's true; spam can bring us together.

And thank you, McAfee TrustedSource, for giving me something to blog about today. My work here is done.

Barry Don't Play That

Riffing on two recent themes here at Spam Resource, on the topic of ISP abuse desk/ email staff (now universally called Barry), and how some people mistakenly expect unblock magic to happen even though their mail streams suck, an employee of an ISP's abuse desk wrote in, offering up the following points of wisdom, thoughts on what annoys an ISP representative. Take it away, Another Barry!   

Why do we need an opt-in spam law?

As you saw in my previous blog post, I've come out in support of opt-in being the legally mandated permission standard in Canada. I don't think it's all that big of a deal; as I said before, opt-in is already a best practice. In response to that, one of my Twitter followers asked, what's the point? "Why, if opt-in is best practice in Canada does the government have to get involved?"  

I Support Opt-In Legislation for Canada

There's an effort underway to undermine support for the Canadian anti-spam legislation currently in development. Why do people want to kill or gut Bill C-27? I'm having a hard time seeing a problem with an opt-in requirement; it's already best practice. People who don't follow opt-in as a best practice are already doing things wrong. We want less spam in the world, not more. Even marketers should agree, shouldn't they? Spam undermines legitimate marketing efforts. It "dirties the channel." So what's the big deal?

I'd recommend you take a moment and read what CAUCE has to say on the topic today.

Another Day, Another 419 Scam

I must have landed in some scammer's address book, because I'm receiving some variant of this thing every day or two. Who is dumb enough to fall for this stuff? Besides the occasional Canadian, I mean.

Spamfighting Spam?

Why is Spamfighter.com sending spam? Isn't it ironic? Like rain, on your wedding day?

No.

Zombie Blacklists: Life Goes On

J.D. Falk expresses some legitimate concern about zombie blacklists over on the ReturnPath blog. Blackholes.us resurrected from the dead, and looking for delicious brains to snack on. Or something.

Cleaning NDRs out of a Spamtrap Feed?

Friends, Romans, Countrymen......could I lean on you for some tips on how to clean NDRs out of my spamtrap feed? As I ramp it back up I want to make sure I'm tagging mail correctly. I may include NDRs and other types of backscatter in some of my calculations, but I definitely want to denote what it is, as accurately as I can.

Could you offer up some suggestions on things to look for? Null return path/sender header is the big thing, if every NDR was formatted properly, that would catch it all. But I'm seeing a significant amount of bounces that don't have a null sender, so I'm probably also going to resort to some sort of text string matching. So if you have a big ole list of strings or individual string suggestions, please feel free to leave them in comments.

All feedback is welcome, and thanks!

Auth Don't Fix That!

Over on Spamtacular, Mickey Chandler answers the question, "Our last mailing had 30 complaints at AOL. Will signing with DKIM and SPF help with our reputation there?" As Mickey explains, it boils down to, no, not really, that's not what authentication does.

In short, auth don't fix that.

Staying Safe Online

Box of Meat recently linked to a couple of bits of really good info from two different webmail providers, talking about how to stay safe and secure online.

Let Us Count Up The Fail

Let us pretend the situation is as follows. (I hope, for your sake, that the situation is not really as follows. If it is, your life probably sucks.)

A Twitter Conversation About List Rental

Yesmail: "Need an email list to kick start your marketing program? See Yesmail Direct's awesome promo for 100 free in your zip"

Too Much Contact

As my phone rings for the upteenth time this morning, I grumble to myself silently. It's good to be a popular guy, somebody whom a lot of folks want to call and ask questions of. But, it's a real time suck. Sometimes I feel like it keeps me from getting "real work" done. People will occasionally go outside of the established procedure and call me directly, looking to resolve an issue as quickly as possible. I like to help, and I do when I can. But, there's only one of me, and a lot of people have my phone number.

And then it dawns on me; I'm grumbling about something I myself am guilty of.

A message from me...but not!

Back when my wife Kate and I had our wedding reception in June, we hired a local photographer, the sister of one of our friends. She worked out very well, and we were very happy with the results.

The photographer partners with a site called Pictage, to allow online photo review and print selection. Many of our friends registered for the site so they could also purchase pictures from the event. All fine, all good. Until...

Spamhaus, Snoeshow spam, and You

From Slashdot: "Spamhaus [has] announced they are releasing a new list of IP addresses from which they've been receiving "snowshoe" spam — unsolicited email distributed across many IPs and domains in order to avoid triggering volume-based filters."

Don't Share Needles!

Ew, what a disgusting title. But, sharing needles is what it amounts to.

Google Voice and Phone "Spam"

I've become a heavy user of Google Voice these past few months, ever since I got my invite and was able to set it up. Finally! A local phone number. (I kept my old, out-of-state cell number when I moved to Chicago a few years ago.) I tried to get by with Skype and other solutions for a while, but none of them work as well as Google Voice does.

Symantec Says Illinois is #5

My current state of residence is in the top ten! Whoo! The top ten of what, you ask? Why, in the list of states ranked by how much spam people in those states, receive, of course. 

Rocky Mountain Bank WTF

So, if a bank accidentally sends you somebody else's information....they can now sue your webmail provider to have your account disabled? Uh, WTF?

Make it stop!

One of my friends is receiving unwanted email from a big motion picture studio, and can't make it stop.

Continuing to send email to a recipient after they have unsubscribed is lame, and illegal. It is a violation of US Federal Law, just as sending emails without an unsubscribe option would be. But, the fact of the matter is, that for the Average Joe Recipient of an email, there isn't a lot of recourse; no easy option to rain down a hell fire of pain on somebody who won't stop filling your inbox with their unwanted email. And no legal standing to sue -- only ISPs, the FTC or states attorneys general can take action under CAN-SPAM.

So, you don't really have a big stick to wield, Mr. Average Joe Recipient. But, that doesn't mean it's hopeless. Here's what I would do if I were in your shoes.

Funny T-Shirt

David Greiner of Campaign Monitor writes: "Way back in May this year, we asked you guys to come up with some new ideas for our popular range of email nerd t-shirts. I the end, we had nearly 150 hilarious (and some kinda scary) ideas that we then put up for vote. We announced the three winners in July, and have finally turned those winning ideas into something you can wear."

Spam Resource, New and Improved

Please allow me to break from our regular programming momentarily, so that I may brag to you about the most recent changes made to Spam Resource and DNSBL Resource. If you're one of those RSS reader kind of people, feel free to swing on over to www.spamresource.com and check out all the new, useful things that weren't there before.

Pivotal Veracity on Domain Reputation and ISP Insights


Pivotal Veracity's Deirdre Baird dropped me a line the other day, letting me know that PV has some very useful information available for sharing. In their ISP Insights for 2009 and 2010 whitepaper, they quiz top ISPs on their current and future plans with regard to spam filtering, domain reputation, authentication and more. They talked to AOL, Yahoo, Microsoft, Comcast, Road Runner, Verizon, Bell and Cloudmark and each shares their plans or thoughts for what's upcoming on the spam filtering and reputation horizon. Very insightful stuff. Thanks for sharing, Deirdre!

Click here to download the whitepaper.

Breaking: Goodmail Sued for Patent Infringement

Laura Atkins writes, "Late last week RPost sued Goodmail for infringing two patents. One patent authenticates content and delivery of documents. The second verifies the message was received by the recipient." Read all about it over at Word to the Wise.

Ask Al: Help! I'm Blacklisted!

Akhter writes, "Our company IP address X.X.X.X is on the dnsbl.sorbs.net blacklist. We have tried many ways of contacting the SORBS company but we have received no response from them. Is there a way to get delisted from their database?"   

DUDE: YR DOIN' IT WRONG!



Steven Champeon says, "If your PTR contains or ends with IN-ADDR.ARPA, you're Doing It Wrong. Go read a book. That is all."

Domain Reputation and Recipient Engagement

Today's guest post comes from Chris Wheeler, the Director of Deliverability at email service provider Bronto Software. No stranger to the email experience, Chris's past experiences have included building a deliverability program from the ground up at a major online retailer and manning the d-team at a enterprise level ESP. Chris contributes to several blogs online and is part of a handful of key industry committees and think-tanks for taking email to the next level, both for marketing and recipient effectiveness. When not neck deep in email related things, he's busy with his two dogs and enjoying his home town of Austin, TX. Take it away, Chris! 

Quick Hit: Blagojevich Spam

Patti Blagojevich, the wife of the embattled ex-governor of Illinois, Rod Blagojevich, seems to have done something she shouldn't have with an email list. The allegation is that she kept the email list from the non-profit she was previously working for and mailed to it, trying to promote Blago's awful book. Yeah, that's not good. Chicagoist has the story.

Online Privacy in the UK

Planning to handle consumer data in the UK? Then it's time to learn about the Data Protection Act 1998. Thankfully, Wikipedia has a very helpful overview. What are the key takeaways?

Ask Al: Trouble Sending From My Own Domain?


Adalbert writes: "Hi Al, I need to send emails from Outlook Express. I have a dynamic IP address. I have my own custom domain name. When I try to send, I receive this error: El mensaje no se pudo enviar, el servidor rechazó la dirección de correo electrónico del remitente: 'address@example.com.' Asunto 'prova2', Cuenta: '1.2.3.4', Servidor: 'smtp.mydomain.com', Protocolo: SMTP, Respuesta del servidor: '550 5.0.0 Rejected - zen.dnsbl', Puerto: 25, Seguridad (SSL): No, Error de servidor: 550, Número de error: 0x800CCC78

Help! Why can't I send?" 

Good Advice for Senders

Hey email senders, looking for some good advice? Here's a few things you should do or not do, if you want to walk on the right side of the line and enjoy email delivery success.

New FBL from Tucows/OpenSRS

There's a new feedback loop in town, according to Chris Wheeler over on Deliverability.com. It's being offered by Tucows, who is, among another things, a wholesaler of domain names and other Internet services to ISPs and web hosting companies worldwide. They do not sell domain names directly to consumers, but operate the OpenSRS reseller service that is widely and popularly used.

Jigsaw Blacklisted by Spamhaus

Last week Ken Magill interviewed Jigsaw CEO Jim Fowler, quizzing him on his company's stance on selling lists of email addresses. Jim makes it clear that it's perfectly legal to do so. Jigsaw doesn't deliver the mail, he says. They faciliate the unwanted mail, I say. If somebody does stupid things, they get what they deserve, Jim says.

New Maine Law Came...and Went

Chip House reported on the new Maine law over on his blog: "The law doesn’t specifically identify email marketing, [but] it does cover the collection and use of all personal information (also called PII) for minors under 18 without parental consent. An email address is PII by most accounts. The legislations also prohibits marketing based on this personal information. The act reads: '... A person may not use any health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.'"

How Google Looks at Spam Complaints

From WebProNews: "Google's Matt Cutts answered a user question about how the company handles spam complaints in the most recent video upload to the Google Webmaster Central YouTube Channel."

You Can't Buy an Existing Business Relationship

I ran across this on Box of Meat the other day. PogoWasRight.org: Pitney Bowes pays $2.9M to settle ‘Blast Fax’ lawsuit: "When you buy a client list as part of buyng a firm’s assets, do you have an established business relationship with the clients that allows you to fax them? The issue just cost Pitney Bowes $2.9M to settle...."

Wow, does that bring back memories. Not fax-specific memories, but email ones.

Happy Birthday, Internet!

J.D. Falk writes about the history of the internet and the relationship between the 'net and advertising. "Oh, Internet. You had such potential when you were born -- darling of the research community, supported by the wealthiest military the world has ever known. And you married well, into a powerful merchant family. Why are you so lost? Is it a midlife crisis?" Read it here.

(H/T: Box of Meat)

Internet Miracle Cures For Everything!

Quick Hit: Today, Consumerist talks about Slate's Big Money blog, where Chadwick Matlin asks and answers the question, "Who’s to blame for these hideous Internet ads that just won’t go away?" Read it here.

Don't Lie About Safe Harbor

The FTC recently announced what appears to be the first spotlight shined on somebody pretending to be Safe Harbor certified when they actually are not.

White House Spam, Signup Forgery, and GovDelivery

As guest blogger Jaren Angerbauer mentioned on Friday, after this whole White House spam email debacle, they promised to "implement measures" to verify and validate email addresses. So far, there's no externally visible proof that they've actually implemented any such measures, the most obvious one being a simple and clear double opt-in (aka confirmed opt-in) signup process.

Guest Post: Email and the White House

Today's guest post comes to us courtsey of Jaren Angerbauer, the founder and CEO of DeliveryVision, an email delivery consulting firm. Jaren has more than nine years of experience in the email deliverability space, and has established himself as an expert in the industry. Jaren also is an adjunct professor at Utah Valley University, where he teaches about email messaging technologies. Jaren lives in Salt Lake City, Utah, and is also an accomplished violist, and performs with professional ensembles on a regular basis. Take it away, Jaren!

Blocking specific domains?

Over on the Word to the Wise blog, Laura Atkins answers the question, is it wise for senders to block mail to various anti-spam companies? Read on for my take on the practice.

Ask Al: Not Receiving any emails!

Tami writes, "I've got a bit of a different problem than most. I own a small business and am afraid when people are emailing me to enter my 'Gift Box Drawing' that their emails aren't making it to me. I get absolutely nothing in my Norton anti-spam folder in Outlook Express. How do I get the messages so I can decide if I want to delete them or not?"

AOL to Stop Sending Report Cards

AOL says: "We are no longer sending report cards. If you have a complaint feedback loop, make sure you are monitoring your spam complaints and not relying on the report card to alert you to complaint issues."

More on Email Forwarding (and Fastmail.fm)

Following up to my recent post about email forwarding, Rob Mueller wrote in, talking up his particular email provider. It's called Fastmail.fm.

And the Most Popular Email Service Is...

Lifehacker reports that in their non-scientific reader poll, most of their users use Gmail as their email platform of choice. Is that surprising?

Permission Marketing: A Loaded Term?

I was talking to a group of friends the other day, and the topic of discussion turned to the term "Permission Marketing." How useless it is as a measure of best practices. Every ESP (email service provider) or direct sender uses the term, making it entirely neutral as a measure of whether or not a company is a spammer, or if they're a provider that would allow spammers on their network.

Wholesale e-mail data? Uh, no.

In Dissecting a Pitch that Smells, Ken Magill tears apart an email list offer that smells too good to be true. Ken runs down the myriad of reasons why you should never trust anybody wanting to sell you an email list, from the open question of who the vendor actually is, how they hide behind anonymizing WHOIS services and PO boxes, and how their sample data is obviously garbage.

Not to mention, if any of those email addresses are indeed valid, they didn't sign up to receive emails from anyone who buys that list. Making it spam.

Ask Al: Spam From Me To Me?

Dennis writes, "I don't send these various emails under my AOL address, but other people get them, and I get them myself. How can I notify AOL of this and hopefully get it stopped. I've changed my password, which was recommended, but such emails continue." 

Do you use SpamAssassin?

If you're a SpamAssassin user, I recommend you swing over to my DNSBL Resource site and read about the dead bl.open-whois.org blacklist -- it's used by default in up-to-date SpamAssassin installs, and it's probably slowing down final delivery of your inbound email messages due to DNS timeouts.

Yahoo handles email for Verizon?

No, not exactly. But, according to Mickey Chandler, it looks as though Verizon customers can have their account configured so that mail sent to their Verizon.net mailbox actually lands at AOL, Yahoo or MSN/Windows Live. Confused? So am I. Read all about it over at Mickey's great Spamtacular blog.

Neat Trick: Forwarding Webmail into Work Email

I've worked at a number of places over the years, with a ton of good folks, many of whom I consider friends. I keep in touch with just about all of them, via your typical social networking channels, but also directly via email. (After all, email is in my blood.)

Ask Al: Blacklisted by Spambag?

David Writes, "I was informed that (a company's domain) was being blacklisted by spambag.org which from my understanding is a dead listing. We are not able to receive emails from the company, and according to our email provider, 1&1, it is because of this dead blacklist. How can that be and how can it be fixed?"

Ask Al: Checking email addresses against URIBLs?

Scott writes, "I use URIBL lists in SpamAssassin, and these are configured according to their documented purpose (URI checks). I am getting a lot of spam now which spamvertise email addresses, rather than a URI. The bad domain might be in the From: field, or it might be in the message body. Example: 'Contact me at this address xyz@example.com'. These domains are already on RBLs such as URIBL_BLACK. The first question is, do you think this is a valid strategy, and how 'safe'? I can not see any negatives with the spam examples I have received. Second question is, how does one take advantage or URIBL etc to validate email address strings? Google for "spamassassin rhsbl" and you get no useful information."

Postini: Google's take on e-mail security

Multiple friends have forwarded a long this very detailed CNet News article on email filterer Postini (now owned by Google). Lots of good detail there, and it's definitely worth reading.

From my perspective of helping senders, Postini has always been a bit of a disappointment to me. Some of their filtering choices seemed pretty random and we often used to run into issues where somebody was filtered by Postini, but not by anybody else. And the mail being filtered would be order confirmations, details about your upcoming flight reservation, etc. When they were acquired by Google, I was hopeful that some of Google's good sense would trickle down on to Postini. Gmail has great spam filtering, and they do it while rejecting much less amounts of mail than other ISPs and webmail providers tend to. It's hard to say if my wish came true, standing here on the outside looking in.

Usenet.com Gets Ass Handed To It By Court

Nate Anderson reports for ARS Technica: "A federal judge yesterday found Usenet.com liable for just about every copyright infringement claim on the books: direct infringement, inducement of infringement, contributory infringement, and (just for good measure) vicarious infringement. Not content to be loud and proud about its pro-pirate agenda, Usenet.com also resorted to stonewalling legal questionnaires, sending employees to Europe to avoid depositions, wiping hard drives, and failing to turn over e-mail after being sued in 2007 by the music labels."

Hey, wait a minute. Isn't Usenet.com Jerry Reynolds? The guy who went after anti-spam activist David Ritz for using common spam fighting tools like "host" and "whois"? (Note to self: Don't try to acquire or use free, legal and common unix utilities in North Dakota.)

Why yes
, yes indeed.

I've been eagerly awaiting the outcome of this case ever since I first heard about it. All I've got to say now is: Karma can be a real bitch sometimes, huh?

Find the court documents here.

Ask Al: Help prevent a bad thing!

Terry writes, "My manager wants to take all of our emails addresses in our "pending" list (ones that haven't clicked the link for the double opt-in confirmation) and convert all 10,000+ of those addresses to active and start mailing them. My problem is no matter what I say he feels that he has the right to do it. Is there anyway you can help convince him that this is bad of business, will get blacklisted which will then get us booted from our ESP and I believe that this could even affect our capabilities of sending emails through our company email accounts. What can I do to make him see the light?"

SORBS Information Roundup

SORBS, a blacklist run by Australian Michelle Sullivan, has announced that its hosting agreement is being revoked at that it will soon be homeless. Click here for the announcement and my thoughts on what this means for SORBS users, over on my companion site, DNSBL Resource. EmailKarma and Deliverability.com cover this story as well.

Ms. Sullivan characterizes this latest action as the current host in a way that suggests that the University of Queensland no longer wishes to have SORBS on its network. "[They] have decided not to honor their agreement with myself and SORBS," she wrote.

Ask Al: Getting my Controversial Email Delivered

Steve writes, "My email list has grown very large over time (it's about 80,000 now). I'm sending out a non commercial email article of a religious nature. It covers a controversial issue which I believe may lead to some recipients flagging it as SPAM, (even though I have an unsubscribe button with my dedicated hoster). I want to be able to link to articles at various websites but I don't want those websites to be in danger of getting blacklisted. How do I avoid this?"

Ask Al: Blacklisted IP Address?

Tayo writes, "Our Outlook client suddenly stopped relaying mails with the error "Sending' reported error (0x800CCC78) : 'Cannot send the message. Verify the e-mail address in your account properties. The server responded: 550 5.7.1 This system is configured to reject mail from (IP ADDRESS) (Host blacklisted in uce3.dnsbl)' "

The IP address (IP ADDRESS) was traced to our ISP source. I think somebody blacklisted their IP Address. We called and they had been working on it since three days now with no solution yet.

Can you be of help? What can be done from ourside to solve this problem?"

Check Your CAN-SPAM Checklist

Over at Spamtacular, Mickey Chandler offers up a helpful checklist to make sure you're in compliance with CAN-SPAM. You'd think CAN-SPAM compliance would be a no-brainer, but sadly, that's not always the case.

And you do know that CAN-SPAM is a starting point, not a finish line, right? You need to comply with CAN-SPAM *and* adhere to permission best practices, if you want your email to get delivered.

Help! I'm spam blocked by DCC!

A friend of a friend mentioned that they're finding mail bounced back with a reference to the DCC. "Halp! How do we get unblocked? I'm not a spammer!"

Truth be told, you don't get unblocked. As I wrote back in 2007, DCC isn't a spam filter. It's a bulk filter. What does that mean? It means that it catches any mail that is being sent to a whole bunch of people. Newsletters, order receipts, notifications, whatever.

Speaking of Business Contact Databases

Check out Chad White's blog post today over on his Retail Email Blog. Kevin Akeroyd, COO of Jigsaw, is said to have presented at the EM9 Conference in San Francisco on Wednesday, April 22, 2009.

I'm on a List

Somebody is selling my work email address. I'm getting higher-than-previous amounts of B2B (business targeted) spam to my work email address lately, and it's driving me nuts.

If you run any of those "business contacts" sites, and you're looking for pain, let me tell you how to jump on the fast track: sell my email address.

Barnes and Noble Emails Opt-Outs

Hmm, I thought to myself. Why didn't I think of this? Barnes And Noble is sending emails to recipients who declined to opt-in, asking them to reconsider. Gosh, they must get a nonzero number of people who opt-in as a result of this email.And probably around a zillion spam complaints, and some ISP blocks. Because they're spamming. Oh yeah, that's why I didn't think of ever doing this. Because it's a really, really bad idea.

(Via Consumerist)

SCOTUS Declines Review of VA Anti-Spam Law Case

"The Supreme Court has passed up a chance to examine how far states can go to restrict unsolicited e-mails in efforts to block spammers from bombarding computer users." Read about it on CNN.com.

Many smart people have already pointed out to me that the net effect here is near nil. Jeremy Jaynes is still in jail, and the state of Virginia intends to try again by crafting a new anti-spam law in the near future.

John Levine points out: "Due to the peculiar facts and history of this case, the decision would be unlikely ever to affect anyone other than Jaynes, and he's still in jail on other charges, so in the big picture it's just a blip."

E360 Gets an Important Bit Wrong

I have a cold, which leaves me lacking energy and lacking the desire to do anything beyond sit on the couch and read. Read what, you might ask? Why, read the updates in the ongoing Amish rake fight between E360 and the entire world, of course.

JC Penney Does WHAT?

Consumerist reports: "Reader psionix bought some PJ's from JC Penney for his wife and, upon checkout, chose not to receive any emails from JC Penney. The retailer then emailed him to let him know that they won't be emailing him, and asked him to fill out a survey on why he didn't want to receive any emails from them."

What? WHAT!? LOL OMG FAIL.

Read all about it here.

No more, Direct Magazine

As of today, the tagged (unique) address I used to sign up for Ken Magill's newsletter now a spamtrap address. I just can't take it any more. I signed up specifically and only to receive newsletter updates - and Direct and its "partners" have been sending me a multitude of undesired offers and partner mailings every week. Over 15 mailings in January alone, and January isn't even over yet. Eight of these in the past week.

AT&T's 'American Idol' Text Message Stunt Backfires

Consumerist has the story. Some random (but large) number of AT&T subscribers got SMS-spammed by their cell provider. Lame.

The NY Times quotes Mark Siegel, a spokesman for AT&T Wireless, saying that the message went to subscribers who had voted for “Idol” singers in the past, and other “heavy texters.” He said the message could not be classified as spam because it was free and because it allowed people to decline future missives.

Neat Hack: Re-Assassinate

Over on his blog, Justin Mason shows us how you can re-run already received messages through SpamAssassin. This is a neat idea. He explains this in the context of coming back from vacation, and having a big pile o' messages to wade through. A lot of that is going to be spam that got by the spam filter, because various sending IPs and link URIs weren't yet blacklisted. On the theory that they may now be blacklisted, why not run it all through SpamAssassin one more time, and see if it finds more of the spam? It's a solid theory, and based on my various blacklist tests, I do know that a delay can help improve the hit rate of any DNSBL or URIBL.

Abuse Mailbox on Google Apps?

So, if you're like me, and you host email for your domain using Google Apps, you might be wondering how to read mail sent to abuse or postmaster. Every good domain administrator cares about this. It's also necessary to receive mail at abuse@ and/or postmaster@ if you're trying to validate ownership of a domain, for feedback loop and other types of registration.

But, Google Apps doesn't seem to allow this. It says "abuse" and "postmaster" are reserved addresses, or mailing lists that already exist. What do you do, if you need to work around this?

Steve Atkins of Word to the Wise has the solution. And it's a good one. Thanks, Steve!

Email Append and New Domain Spam

Spam to a new domain isn't uncommon. Lots of spammers comb whois, search the web, scrape forums, looking for any domain they can find, and then they try mailing to variations of made up addresses at that domain to see if they get through to a real live mailbox. So, setting up a new domain, and catching all email to the domain, this invariably means that very soon after creation, I'm likely to get 200 pieces of the same spam, addressed to different made-up address variations.

But this time around, it's happening a little bit differently.