2011: The Year in Spam

"Spam is Lame" of the "I Kill Spammers" blog has posted a pretty comprehensive and delightful recap of legal action taken against spammers in 2011. I'm glad I stumbled across this as I hadn't known about the arrest of Alan Ralsky's stock broker back in February.

Ask Al: Help, I'm blocked at AT&T!

Jay writes: Al, I am getting the following message on several emails related to AT&T: flph260 DNSBL:ATTRBL 521< xxx.xxx.xxx.xxx>_is_blocked.__For_information_see_http://att.net/blocks After going to the ATT site, using Spamhaus to check the IP as well as using AT&T's submittal removal site, I am at a dead end as to how to get this resolved. Spamhaus came up showing no problem. Any help would be appreciated.

Jay, there are a few different reasons somebody can get blocked at AT&T, from what I can tell.
  1. A significant spike in sending volume or spam complaints.
  2. A significant spike in sending volume or spam complaints in the same network neighborhood as you (meaning other sending IP addresses in a /24 may have caused the blocking).
  3. Some really bad stuff is going on, sending some sort of affiliate spam or really, really unwanted stuff that they're able to identify and/or fingerprint through various means that they don't disclose.
Maybe there are other reasons or circumstances under which AT&T will block mail from an IP address, but those are the three that I'm most familiar with.

Assuming the issue is #1 or #2, the way to resolve it is to submit that unblock request via AT&T's website. Alternately, if you've had no response after many days, you could try sending mail to postmaster at att.net. However, if there's a reason they're not responding, because they're busy, behind, or not able to assist, pinging them again via another method isn't likely to get you a response.

It's the holiday season right now, which means lots of people are on vacation and away from work. Maybe there's a backlog of unblocking requests awaiting review and approval at AT&T. Also keep in mind that ISPs don't view their postmaster teams as the treasured and necessary resource that they once did; lots of ISPs used to have whole teams of people managing these things, and in most cases, that has been reduced to a web form and some tiny part of some single person's job. Responding to blocking requests is just not a priority for most ISPs.

And if the issue is #3, then forget about it. They'll probably just go radio silent on you, and not respond at all. Most ISPs simply don't respond to inquiries about really bad stuff. I could only theorize as to why, but if it were me, I'd figure there's no point in helping the bad guy understand how we caught him. I know that could feel unfair, because what if you're not a bad guy, and you're given no opportunity to make your case. That's just the way the world works, sometimes.

I don't see any evidence to suggest that Spamhaus is used by AT&T, nor would I make any sort of assumption that your mail would or would not be delivered to AT&T subscribers based on a Spamhaus lookup.

AT&T also publishes a postmaster site at http://www.att.com/esupport/postmaster/. I strongly recommend reading all the recommendations they provide there as far as best practices and how to ensure your mail is delivered successfully.

Netprospex Blacklisted By Spamhaus

I've written about Netprospex before. For example, talking about how I think their "opt-out" guidance on email marketing is misguided (and how so many others feel the same way). And then there was Peter Seebach's post questioning their touted "verified!" business lists for sale. And most recently, there was that commenter who asked me what I thought of using Netprospex as part of an email acquisition strategy. (My response: "It's like buying a lottery ticket as part of your retirement savings strategy.")

I feel like it's all been said before, so I won't bother going into any depth on my opinion of companies such as Netprospex. Instead, I'll just link you to their latest Spamhaus blacklisting. The entry is light on details, so I could but speculate as to what happened. But clearly, the blacklisted IP addresses 38.101.213.238 and 174.122.201.114 are now having significant issues attempting to deliver mail to Yahoo, Hotmail, Gmail, Comcast and many other ISPs. Ouch.

(Update: Two SBL entries, from the looks of it. Click on the IP addresses above to link to each.)

The Passing of J.D. Falk

I'm very sad to pass along the news that J.D. Falk has passed away after a year-long battle with cancer.

I feel like I've known J.D. forever, and I most definitely had come to greatly respect and admire him. Occasionally, when I loudly attempt to espouse a consumer-centric point of view, someone would ask me if I'm trying to sound like Seth Godin. I reply that no, I'm channeling J.D. Falk. Helping to stop spam and improve the email ecosystem has been his day job for so many years, across Yahoo, Hotmail, the Mail Abuse Prevention System, and most recently, Return Path. That job occasionally involved hitting marketers with a stick, reminding them that the email universe does not revolve around them.

The world is a slightly less better place today without J.D. Falk in it.

What does Spamhaus think of email append?

Today I stumbled across SBL listing SBL120550, which says the following:

"Several IPs in this /28 are sending spam to spamtraps advertising the services of ADT Home Security. The IPs belong to InfoCanada, a division of InfoUSA, via their Yesmail ESP.

InfoUSA also sells purchased and e-pended lists. We do not know whether the purchased list that the customer is using came from InfoUSA, but we consider the sales of purchased and e-pended lists to be spam support by definition. Use of such lists is a reliable path to an SBL listing."
(Emphasis added.)


There you have it, straight from Spamhaus themselves, explaining exactly what they think of purchased and e-pended (email append) lists.

Laura Atkins of Word to the Wise has compiled some very helpful ISP Summary Information, showing that, for starters, the SBL is used as a spam filter at AT&T, Comcast, Cox, RoadRunner, and Yahoo. Meaning, use of email append can lead to a blacklisting by Spamhaus, which leads to blocking at those ISPs. And they're not the only ones who use Spamhaus; I think Hotmail and Gmail do, too. Not to mention, many other smaller ISPs and corporate sites.

Visualizing Yahoo Spam Blocking

This cool website from Yahoo shows how many emails they're processing every second. Of most interest to me is the amount of spams they're blocking: Click on the "show blocked spam" button to see for yourself. Doing some rough math this morning, it appears that right this second, only 84% of inbound mail attempts into Yahoo are unwanted spam, meaning that "only" 84 out of every 100 servers in the Yahoo inbound mail server farm are wasting their entire existence on processing mail that nobody wants. Ouch, what a waste.

Dutch ISP Picks Fight with Spamhaus

eWeek reports that Dutch internet service provider A2B has filed two police complaints against anti-spam blacklist Spamhaus for refusing to terminate a provider Spamhaus alleges is known for "hosting malware, phishing and websites selling fraudulent goods advertised via spam."

I didn't know much about the story at first, other than noticing A2B principal Erik Bais on Twitter and thinking to myself, wow, that guy is really mad about this.

Today, we have Spamhaus's side of the story, as published on their own website. Seems pretty straightforward to me; I've dealt with Spamhaus enough times to know that if you don't terminate the bad guys after Spamhaus notifies you, there's a potential that they will escalate the listing in question. Like it or not, Spamhaus regularly lists ISPs and providers it feels to be "spam supporting" through their connection to a given spammer. It feels like Erik Bais is perhaps new to this particular kind of rodeo.

In their published statement, Spamhaus explains that the alleged bad guy in question is "CB3ROB A/K/A "CyberBunker" [and] has a long history of run-ins with the law. It was also a host of the infamous 'Russian Business Network' cyber-crime gang broken up by the FBI and other law enforcement agencies."

A2B alleges that the Spamhaus action amounts to a denial-of-service attack. I'm not sure how; there's a pretty commonly understood technical definition of what constitutes a DoS attack, and a Spamhaus listing doesn't seem to fit that definition.

Is A2B likely to see any action taken as a result of the complaint? My guess is, "probably not," especially considering the following bit at the end of the Spamhaus statement: "With no irony lost, this week senior staff from Spamhaus and the Dutch high-tech crime-unit tasked to investigate the very criminal activity CB3ROB hosts and A2B Internet routed, were meeting together at an anti-cybercrime conference. CB3ROB, A2B Internet and the phishing, malware and counterfeit goods outfits both were tacitly servicing were discussed and Spamhaus handed its files on CB3ROB and A2B Internet to the Dutch NHTCU's investigator."

Another Experience with Email Append

A couple of years ago I posted here how my wife and I started getting oddly addressed email from a supposedly legitimate company, addressed to an address we never use, addressed to a person we don't know. Why? How? Email append.

Email Append: Not a Great Practice

As widely reported, MAAWG, the Messaging Anti-Abuse Working Group put out a statement a couple of weeks ago basically condemning email append. Find a link to the statement here, or click here to read Laura Atkins' coverage of the announcement.

MAAWG is a broad ISP, email and network ecosystem-focused organization dedicated to stopping abuse. As email abuse (spam) is a big challenge, email spam continues to be one of the things that MAAWG members work together collaboratively to try to mitigate and otherwise address. There are lots of heavy hitters in the email space represented in MAAWG's public membership roster: Yahoo, Microsoft, AT&T, Cloudmark, Comcast, Time Warner, Spamhaus, and many others. These are the folks who decide whether or not your mail gets through to the inbox, is sidetracked to the bulk folder, or blocked outright. And they're standing up and saying, flat out, email append is a bad idea.

As a followup, industry agitator (and I mean that term with respect) Ken Magill shared his thoughts: That the message from MAAWG was painted with too broad a brush. That not all email append is bad news. A statement I agree with ... sort of. And MAAWG probably has no issue with it, either. If it's all truly opt-in. Confirmed opt-in before any sort of data transfer happens.

But, as I pointed out when Ken interviewed me for his second followup, the colorfully titled "That Sound You Hear is my Head Coming Out of my Ass," nobody ever does email append that way! I'm aware of exactly one single retailer bothering to go through the trouble of doing opt-in email append. Why so few? I think that it's because the email append vendors don't want to do it this way; an opt-in process means fewer matches and fewer new subscribers, thus, a smaller amount of revenue for the append provider.

I've actually seen these guys try to tell people that opt-in is overkill, but the truth of the matter is, when somebody goes off and does email append, against my advice, they end up with deliverability problems down the line. Use email append, spam complaints rise, and you get blocked at Yahoo. It's pretty much that simple. If you've done email append and not had that problem arise, it's probably because you did it on such a small scale that you were able to stay below the radar. Congratulations! You didn't get caught when you broke the rules! That's hardly a scalable or wise business practice, however.

But don't take my word for it. Microsoft's Terry Zink just posted a very easy-to-follow explanation of what actually goes wrong when you do an email append.

Push Clickers Across the Conversion Finish Line

Nothing really wrong with the guidance in this blog post over at the Bronto Blog, but I can't be the only person who read the headline and thought, hey, I'm a person, not a lost shopping cart. Don't "push" me. Invite me. Am I right? (No, I'm not channeling Seth Godin. I'm channeling J.D. Falk.)

No surprise: Holomaxx loss.

Well, maybe it wasn't quite a sure thing, because you never know how a judge is going to rule. You just don't. Even if the law seems clear as the blue sky (and this one does). But, good news -- as most folks expected, Holomaxx got spanked again in court today, the judge reminding everybody within earshot that Section 230(c)(2)(A) of the CDA holds ISPs immune from liability in their spam blocking efforts. Read more over at Laura Atkins' Word to the Wise blog.

MAPS/Trend Micro Spamtrap Issues?

Over on the Word to the Wise blog, Steve Atkins reports on something very alarming: That Trend Micro's MAPS blacklists seem to be playing silly buggers with spamtraps. Specifically, that while their stated requirements for list management best practices have always mandated double opt-in (aka confirmed opt-in), they may still blacklist an ESP or sender anyway, based on mail to supposed "spamtrap addresses" that have actually clicked to confirm the subscriptions in question. OUCH. This seems like really bad form for Trend Micro -- it is absolutely worst practice to click on links in mail sent to spamtrap addresses, then use that mail or subsequent messages as a basis for blacklisting.

What's your (telephone) reputation?

Well, I knew this was going to happen eventually: Google now has global spam filtering for Google Voice. It works in a way very similar to how ISPs track the sending reputation of email senders based on feedback from their users (i.e. spam reports). Now, if you opt-in to Google Voice's new "Global Spam Filtering," calls and text messages from phone numbers determined to be "spammy" won't make your phone ring. They'll land in your Google Voice "spam" folder, out of sight and out of mind, until and unless you go specifically looking for them.

I think this is a great idea -- collaborative reputation systems are cool. What do you think?

Is DKIM evil?

The email authentication protocol DomainKeys Identified Mail, aka DKIM, is winding its way through the standards track, and seems to be the future of email authentication. Recently, a lone voice, a security researcher with Trend Micro, seemingly upset at being sidelined during various industry association and standards track discussions, has taken a specific concern public. He's gone so far as to label DKIM an "evil protocol," because of a possible exploit he has identified.

Problem is, this hack supposedly exploits a "potential hole" that is not even open, by most measures. This involves taking a legitimate message and adding another from address to that message, fooling recipients into perhaps looking at, and believing, the wrong from header. Problem is, an email message with multiple from addresses is already prohibited under the current SMTP specification (which is currently RFC5322, a descendant of RFC822). Messages composed in this manner are already heavily filtered and not trusted. It really has little to do with DKIM or email authentication.

Not only is this much ado about nothing, but I believe that Trend Micro's unwarranted hyperbole on the topic is harmful. And I'm not the only one who thinks so. Software engineer Barry Leiba calls Trend Micro's warning "severely flawed," "laughable," and "ridiculous."

Dave Crocker, the author of RFC822, many other RFCs, and longtime participant in multiple anti-abuse and standards track forums and organizations, agrees. He says that "the blog's description of the facts, its premise about the requirements, and its apparent understanding of DKIM's functionality all suffer from basic flaws."

In short: Nothing to see here-- move along.
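
The kind of filtering check the post refers to, as an added example (not code from the original post or from any mail filter): a Python sketch that flags header fields RFC 5322 section 3.6 allows only once and counts how many From fields fall outside each DKIM-Signature's h= list. The sample messages, domains and function names are constructed for illustration, and no signature is cryptographically verified.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Header fields that RFC 5322 section 3.6 allows at most once per message.
SINGLE_INSTANCE = ("from", "sender", "reply-to", "to", "cc", "bcc",
                   "message-id", "in-reply-to", "references", "subject", "date")


def signed_header_counts(dkim_value):
    """Count how often each field name is listed in a DKIM-Signature h= tag."""
    tags = {}
    # Whitespace is not significant around tags or inside the h= list.
    for part in re.sub(r"\s+", "", dkim_value).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.lower()] = value
    return Counter(n.lower() for n in tags.get("h", "").split(":") if n)


def audit(raw_message):
    """Structural check only: no DNS lookup, no signature verification."""
    msg = HeaderParser().parsestr(raw_message)
    counts = Counter(name.lower() for name in msg.keys())
    duplicates = sorted(n for n in SINGLE_INSTANCE if counts[n] > 1)

    # DKIM matches each name in h= to header fields from the bottom of the
    # header block upward, so with k From fields and m "from" entries in h=,
    # the topmost k - m From fields are not covered by that signature.
    uncovered = [max(0, counts["from"] - signed_header_counts(sig)["from"])
                 for sig in msg.get_all("DKIM-Signature", [])]

    return {
        "from_fields": msg.get_all("From", []),
        "duplicates": duplicates,
        "uncovered_from_per_signature": uncovered,
        # Exactly one From field is required; anything else is malformed.
        "verdict": "ok" if counts["from"] == 1 and not duplicates else "reject",
    }


# Constructed sample messages (placeholder signature values, example domains).
LEGIT = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Newsletter <news@example.com>\n"
    "To: reader@example.net\n"
    "Subject: Weekly update\n"
    "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
    "\n"
    "Body text.\n"
)
# The same message with a second From field placed above the signed headers.
TAMPERED = "From: Someone Else <other@example.org>\n" + LEGIT

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("tampered", TAMPERED)):
        print(label, audit(raw))
```

The second sample is rejected on the duplicate From field alone, whatever a DKIM verifier later concludes about the signature.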

DNSBL Safety Report 5/14/2011

SpamTips.org, a website devoted to SpamAssassin Tips (SpamAssassin being the wildly popular open-source spam filter) recently posted a wonderful DNSBL Safety Report, showing hit rates against both spam and non-spam (false positives) for various blacklists commonly used in SpamAssassin.

Interestingly, they specifically warn AGAINST using UCEProtect and the Lashback UBL.

For Lashback's UBL, I'm not so surprised about the results. I don't mean that Lashback's list is broken -- it's just very specifically "IPs of somebody who mailed someone after they unsubscribed and should not have been mailed." There are probably a lot of ISP outbound mail servers that have had individual email messages or intermittent issues with spam emission that meet those criteria. It is probably more appropriate to use it for scoring/vetting reputation in certain scenarios only, more so than using it to block mail outright.

With UCEProtect, it's disappointing to hear that they have a 1.7% false positive rate as measured against this specific email stream.

I've written about blacklists (and even similarly tracked their effectiveness) over on DNSBL Resource for many years -- so it's very nice to see somebody else doing something similar. The more data, the better, as far as I'm concerned.

(H/T: Box of Meat)

AOL blocked? Don't try this at home.

Gee, ya think THIS will scale?

Over on the AOL Postmaster blog, a commenter tells a tale of his alternate method of finding a human at AOL to assist with his spam blocking issue:

"Since I felt that this was beginning to rise to the level of something that AOL execs should really be concerned about, I did the only remaining thing I could think of - I bought a share of AOL stock, and contacted AOL Investor Relations with an explanation of how, as a shareholder, I was very concerned with AOL's complete lack of inbound email delivery support and how I felt this would likely adversely impact shareholder value.

Yesterday, I got a response from a nice guy named Lothar in their IR department with an offer to provide assistance in resolving our issue. I've forwarded our mail server/IP address info to Lothar, and am awaiting response. As a share of AOL stock is on par with the cost of a month of AOL service at this point, it might represent a cheaper way to get access to some attention/help. I'll post here again when I know how this approach works out."

Uhhhh....really? I have to admit, this gave me a good laugh. But is it likely a winning strategy? I'm doubtful.

What would you present?

In a couple of weeks I'll be presenting to a class of paralegals-in-training, talking about the legal aspects of compliance in marketing online (CAN-SPAM, DMCA, CDA, etc.). I'm pulling together information about various cases that might be most interesting to share with the class and generate topics of discussion. Could I impose upon you, dear reader, to share with me what your thoughts are here? Got any links or info you'd like to share with me? What cases do you think merit looking at? Gordon v Virtumundo, for starters. What else? Thanks in advance for your thoughts!

Spamcop Blacklisting: Should you care?

I was asked today if Spamcop should be "trusted." After all, even the Spamcop Wikipedia page says that their blocking list is "controversial." Though, is it truly more controversial than any other blacklist out there? Let me tell you what I know.

The last time I looked at Spamcop from a receiver's perspective was back in 2007. Back then, I found it to be pretty accurate. A Spamcop listing truly seemed to be indicative of a sending IP address sending unwanted mail. That data is from a long time ago, but I haven't seen anything since then that would make me think they've changed for the worse by any significant measure.

Long, long ago, when Spamcop was a one-man show (created and run by a guy named Julian Haight), I did find the blocking list to be controversial. I regularly saw listings of IP addresses sending very clearly only opt-in email, with nothing funny or weird going on. Even confirmed opt-in email. But since that time, Spamcop has been sold to Ironport, who has since been sold to Cisco. So nowadays, Spamcop is a tiny little part of Cisco. With that transition to corporate ownership, came new hands and new policies, which (in my opinion) seemed to significantly improve the reliability of Spamcop.

From a sender's perspective, I regularly help clients monitor for and address Spamcop listings. Because my prior testing of Spamcop led me to trust that it was typically correct, I typically think that a Spamcop blacklisting of a client's sending IP address is probably "correct" -- I suspect it is properly indicative that there is a problem that needs to be addressed. I think if a sender is regularly finding themselves listed on Spamcop's blacklist, then their list is probably outdated, poorly permissioned, or otherwise flawed. In these cases, I do think it's appropriate to run a permission pass to clean up the list and resolve any list hygiene issues. At the same time, discard any list segments that contain anything other than opt-in subscribers. Bought list? It's time to throw it out.

That's my opinion, provided with my alternating "sender" and "receiver" hats. What's your opinion?

Is this permission?

I received an email the other day that went something like this: "Hello, A media site you recently visited would like you to participate in their user-survey. Your input will be combined with other users' across the country to improve their site. To encourage your participation, we are offering a chance to win one of two Apple iPads. Two participants will receive an Apple iPad 2 (valued at $499). To access the survey, simply click on the hyperlink below. We estimate that it will take approximately 15 minutes to complete."

Well, I know which media site it was, because I gave them a tagged (unique) address. When you send me an email to COMPANYNAME@example.com, it's not exactly a secret. Regardless, I'm peeved -- why is this media site giving my email address to a third party? Why is this third party emailing me? Where is the permission? Where is the informed consent?

Keep in mind, when emailing a subscriber, it is EXTREMELY bad form to try to be coy about where you got the recipient's email address from. Seriously-- only spammers do this. And this email is in fact spam. I didn't give permission to this survey company to email me. The mail was not transactional; this notification was not a necessary part of my subscription to the online media site. It was probably quite legal, due to some clause or other in the media site's privacy policy. But that doesn't make it right, and it doesn't change the fact that this is a very poor practice.

I would have mentioned this all to the survey company themselves, but the email address they emailed me from doesn't seem to work.

Survey companies, I challenge you to get with the modern age. I understand the desire to do surveying a certain way, but whatever this model is, it conflicts with email best practices and permission. It's time to modify the model.

Why are you in my inbox?

Who are you? Wait -- now I remember you. Long ago, I was visiting some far away city, biding my time in some mall or airport or something, some place where the only option for wi-fi was via your company, so I paid you for a day's worth of Internet access or whatever. Now, two years later, you're sending me an email telling me that you've updated your privacy policies and terms and conditions. And you say you're under some sort of legal obligation to send me this information. I can click on the unsubscribe link, you tell me, but you warn me that you'll continue to send me this kind of thing regardless of my stated preferences.

Sorry, what? Okay, that's your point of view. Let me give you my point of view.

I'm not a current customer. I don't have an ongoing relationship with you. Our transaction is long done. And I don't agree that this email was legally required. I'm not seeing how you have any legal mandate to send past customers new policy information that might impact future transactions. If it's necessary for a return customer to be apprised of a new policy before entering into a new transaction -- why not inform them at the point of sale, instead? During the signup or checkout process.

Instead, what you did was email a legal notice to your entire database of email addresses, even subscribers who have previously unsubscribed. Like many, I feel that my inbox is my personal space. You get in only when invited, and no matter what you think, you're not allowed to force your way into it.

You may have an opinion about what you think you have to send, what you have a right to send, but I have a spam filter, and ISPs have engagement and reputation metrics.

If you fill inboxes with something of low value (a legal notice that few care about) and if you fill the inboxes of a bunch of people who don't want it (who didn't opt-in to receive followup emails from you), you've got a recipe for lower than average engagement and higher than average spam complaints. And on top of it, you insult me by implying that I am not allowed to make these emails stop.

It may not be spam, just barely, but this kind of thing is exactly why some classes of "non-spam, completely legal" senders end up in the spam or bulk folder.

Which is exactly where I put this email.

Neil Schwartzman: CASL Compliance

It started innocently enough. I asked ex-Return Path'er Neil Schwartzman to tell me about his new gig, focusing on Canadian anti-spam law compliance. He offered up his reply in a mock interview format, which I offered to post here and share with the world. So, here it is, as he himself puts it, Neil Schwartzman interviewed by an invisible person who is far more enthusiastic than they should be about the topic at hand:

NS: Hi.

IP: HI!!! So what are you doing now that you are out from under the oppressive Return Path régime? It must have been hell! (ed: joking, obv.)

NS: You've been watching too much CNN, hombré. Return Path was great. Always will be. They have a strict no goatee policy, and I wanted to grow a beard, so we had to part ways. I worked for them for five years on policy issues, and it was time to help apply those policies with the force of law.

IP: Return Path makes law now? Wowee!

NS: Not exactly. Canada's Anti-spam Law, CASL, was passed into law in December. I helped get the law passed in a variety of ways, including encouraging enlightened companies like Return Path to support the law, which they did, by writing a letter to the Prime Minister.

Now that the law is about to come into force, I wanted to start a new project helping companies to become compliant with the strict new rules in play in North America.

IP: That sounds amazing! But, Canada isn't all the countries in North America, I think the U.S. is considered part of it too. Surely you can't mean the law applies in the States, too?

NS: Don't call me Surely. And yes, that is what I mean. Here's the skinny:

CASL has strict opt-in standards for all types of electronic messaging: SMS, Social Network stuff, and email. It applies to any message that crosses Canadian wires, or is sent to a Canadian. That covers a lot of ground, and a lot of companies, whether they know it or not. Canada and the U.S. do about $1.5 billion dollars of business …

IP: Per year? Wow!

NS: Don't interrupt! $1.5 billion per day, dummy. That is a lot of Simoleans. My point is, case law is well established to have laws applied in one another's countries. For example, Facebook spammer Adam Guerbuez was sued under CANSPAM in California, and Facebook had the law applied, to get their $1 billion dollar judgment, in a Québec court. It works the other way too.

The new law has specified damages, and can be applied by Canadian law enforcement, Canadian individuals, or Canadians as a class-action lawsuit. Damages can be as high as $10,000,000 per email, per day. It adds up fast.

IP: Um, I bought a list once. Actually, I 'rented' it, if you know what I mean. Can you help me?

NS: Well, maybe. You probably should stop buying email addresses, and get rid of that list. Or reconfirm every address on that list really wants to receive your mail. And by reconfirm, I mean Confirmed Opt-in. Anything less leaves you with your butt hanging out, and an angry Canadian will very politely sue you.

IP: Gulp. So what are you doing to help legitimate senders like me?

NS: Well, I have partnered with an Ottawa-area law firm who specialize in this type of law. Kris Klein is one of my partners, and he helped write and apply PIPEDA (Canada's privacy legislation) for the Office of the Privacy Commissioner, and the Justice Department.

IP: You guys have a Justice Department too? No way!

NS: Way. You don't get out much, do you? If you are done, I'll continue … Shaun Brown, one of my other partners, contributed to developing CASL when he worked at Industry Canada. I was on the Canadian Federal Task Force on Spam, so we figured among us, we have a solid understanding of law, email sending practices, and company policy.

IP: About that list I bought …

NS: I'm getting there. Our other partner, Adam, is the former CTO of IATA, the airline people. Together we have the knowledgebase to not only tell a company where their shortfalls are, why they will cost them huge sums of money, but also how to fix their business problems, and how to implement solutions, probably the trickiest part of all of this.

We call it an end-to-end practices and legal audit. Think of us as your CPA, but for email and electronic messaging. For example, when someone 'Likes' your company Facebook page, does that really give you the affirmative opt-in you need to send messages to them?

At the end of the day, if you follow our advice, we can even give you a clean bill of health, in the form of a legal opinion, saying you have taken serious steps to fix yourself up to be compliant with the law. That's important, because there are CASL clauses that talk about good faith efforts, which can buy you some time, and get you off the hook if you happen to mess up.

IP: Well that's fine. I'll just get an ESP to start mailing that list I bought, and they'll be on the hook, not me.

NS: Sleazy, but almost right. Anyone who has a hand in sending the email could potentially be liable under the law, even your unwitting ESP. They need to do a few things to avoid the likes of people like you.

IP: Me?

NS: Yes you. For example, headers and tracking technologies probably need to be set up to clearly indicate who the actual sender is (that would be you, my friend). As well, they will want to review all of their contracts to hand off liability to the client, make sure their clients are well-educated about the law, and so on.

IP: Tell me more! Pleeease?

NS: Well, no. Our time has come to an end, and since your enthusiasm has waned, I think it is time we went our separate ways. Remember what I said about rented lists though. See you in court!

IP: OK BYE!

What changed?

How come my list of third-party opt-ins from two years ago is now having problems, the question goes. What changed? I'm still doing everything right.

I'm getting that question a lot lately, and a colleague suggested that I post my answer here, to share it with readers.

So, what happened? Why are you getting blocked today, based on utilization of a practice that was considered perfectly acceptable a few years ago?

Keep in mind that ISPs never were really all that keen on allowing in third-party opt-in mail to begin with. Going back for years, if you ever ran into deliverability issues requiring ISP involvement to resolve the issue, they would regularly decline to assist when confronted with an obvious case of mail being sent to third-party lists. But, unless it was obvious, blatant, they didn't always notice. Ultimately, quite a few marketers were able to successfully send third-party advertising emails, keeping complaints low enough to stay under the radar.

But, things have changed since then. Recently, various ISPs have gotten much better at blocking that kind of mail. A whole bunch of squiffy senders who ride the line of permission so close suddenly found their ability to deliver mail take a sharp turn for the worse back in November or December.

Why? Because the ISPs just got smarter. Yahoo, in particular, became much better at figuring out who the co-reg/third-party guys are. Now that they are more easily identified, Yahoo is able to more easily apply policy decisions to this mail. The net is, Yahoo and other ISPs have clamped down.

Based on that alone, senders are learning that what was OK a few years ago is no longer OK.

Also, keep in mind that an email address isn't forever. The days of just mailing somebody forever until they unsubscribe are gone. Hate it or not, ISPs are looking at engagement rates to identify good vs bad list senders.

What does this mean? ISPs can tell which emails are rarely interacted with, which lists are mostly dormant. If you're sending to a lot of people who never open or click any emails, if you're sending emails that get very few opens or clicks, you're ending up on the low end of the reputation measuring stick, as measured by these engagement-related metrics. The solution is to implement a subscriber life-cycle management strategy -- figure out what to do with dormant addresses. (Short answer: stop sending to them.)

"This was a valid opt-in two years ago" is as useless a statement as "my email is CAN-SPAM compliant." They're both true statements, but they no longer have any relevance as it relates to your sending reputation or your ability to get your mail delivered to the inbox.

Permission and deliverability are moving targets. ISPs are constantly stack ranking senders and blocking the ones on the bottom. If your practices don't improve over time, and keep up with the times, you're going to eventually find yourself at the bottom of that stack ranking.

Score one for the Good Guys

The Composite Blocking List, a very popular anti-spam blacklist, reports that the Rustock botnet seems to have been disabled. Spam levels have plummeted as a result. Likely not forever, but it's still nice to see the bad guys struggling. Security journalist Brian Krebs covers it in more detail over on his site.

On the Legality of Spam Filtering

But my email fully complies with CAN-SPAM, the argument goes. How can ISPs be allowed to block my mail? I comply!

Here's how. Read section 8C of the CAN-SPAM law. It says:

NO EFFECT ON POLICIES OF PROVIDERS OF INTERNET ACCESS SERVICE-- Nothing in this Act shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages. 

Seems pretty straightforward, no?

No false-starts, do-overs, or mulligans for Email

Guest post by Neil Schwartzman. Reposted from the Word to the Wise blog with the permission of the author and publisher.

Josh Baer, former VP of Datran Media and current CEO of OtherInBox.com has been floating an idea at the DMA’s Email Experience Council and a few other places, and recently got some traction in Ken Magill’s Magill Report.

What Josh is proposing is to create the technical means by which a Sender can decide when email ‘expires’ and is automatically removed from a recipient’s inbox, either by deletion, or perhaps archiving (in the case of Gmail). This would supposedly help the end-user, by removing marketing offers that are no longer available.

Why this Idea Shouldn’t Happen

Email users’ rights trump everything. We get to decide what comes into our inbox, and what doesn’t. Just as fundamentally, we get to decide what is removed from the inbox, too. I no more want a marketer to decide for me to remove email they have sent, than I do deciding to add me to their list without permission.

Adding the ‘expires’ header, and having an email provider complicitly remove an email from my inbox borders on 1984-like creepy. I want to know what has been sent to me, and not have Big Brother, or Big Business, remove stuff they decide is no longer relevant. Perhaps my goal in life is to create a complete archive of every Groupon offer ever sent to me – this would put an end to my dreams.

Beyond users’ rights, this scheme will confound receiving systems’ and reputation systems’ ability to determine the complaint rate of a given email campaign, which will be quite dynamic under this plan.

Email providers use complaint rates (and bounces, and myriad other data-points) during a campaign to determine if they should continue accepting email (some campaigns can take hours to complete their run, depending upon the size). If I send 10,000,000 emails over the course of a couple of hours, and set half of them to expire in say, 3 hours, the receiving system sees leading-edge complaints are taken with a number eventually reaching 10MM as the denominator, and so the actual complaint percentage may be kept artificially small, at the end of the day.

Why This Idea (Probably) Won’t Happen

Some folks are dismissing this out-of-hand, saying it would “never” get traction at any of the big receivers, like Hotmail, Gmail, and Yahoo! But I’m not entirely sold on that argument. It seems to me that when marketing, sales and a receiver come into close contact, it would be natural to treat a source of revenue with kid gloves, and as receiver revenues ebb, there may be a temptation to consider an idea such as this one with more gravitas than it merits. One need only look at Goodmail’s long-term attempts at revenue sharing with Receivers like AOL, Yahoo! and Comcast (apparently the revenue was never more than a trickle, if anything) to realize not everything is always rosy in that regard. Marketers may hold disproportionate sway in an uncertain email provider economy.

That aside, this is asking a lot of the email providers in terms of infrastructure change on behalf of a small slice of the area of their concern. Marketing email accounts for a reported 10% of the legitimate email load (in other words, everything a typical user gets that isn’t spam, rejected at the router, or by other filtering means).

As an official of a very large American ISP said to a group of marketers at a conference some years ago, “On my list of 10 things to do today, you are number 11”.

There would have to be a compelling groundswell of user desire and need for this idea to be considered, and I don’t see that happening, particularly at this point in time. There is a very large technical need to implement domain-based reputation systems looming, and the deployment of DKIM on inbound and outbound email is a pressing concern for both Senders and email providers. Their technical docket is very full, and will be for the foreseeable future as IPv6 deployment, the replacement for depleted IPv4 IP addresses, pushes this agenda ever-higher.

Expiring email is a distraction that benefits only a few people in the community, and offers a tempting manner to game reputation systems and complaint rates. And, it ignores the right of end-users to determine what shows up, and stays, in our inboxes.

Spamhaus & URL Shortening Services

On March 5th, Spamhaus announced a change to its DBL (Domain Block List). They're now breaking out a separate category of listings specific to spamvertized URL redirectors that appear in spam. Meaning, if URL redirectors like bit.ly show up in a lot of spam, they're likely to be listed in this new zone and are likely to be blocked by users of the Spamhaus DBL.

Spamhaus provides a mechanism by which ISPs and filterers can choose whether or not to block based on these listings -- there's a separate result code specific to this type of listing. If your spam filter allows it, you can customize your settings to block or not block based on this type of listing.

This new functionality from Spamhaus is rather a big deal, in my estimation. What they're doing is putting redirect services on notice that the days of blacklists avoiding listings of these services to prevent false positives are over; if your redirect domain shows up in spam, you have a problem that you need to address, and your domain is likely to get blacklisted if that problem persists.

By offering that separate result code, Spamhaus is effectively allowing filterers and ISPs to decide whether or not to respect these listings (block based on these listings). The choice is left to the ISP or filterer, but I am pretty sure that ISPs *will* indeed block based on these listings -- causing new, significant pain for redirect services who have ongoing spam issues.

I wouldn't want to be in bit.ly's shoes right now, but as somebody who receives over 750,000 spam emails every month, I applaud these efforts by Spamhaus to help address the ever-growing problem of spammers utilizing these redirectors to try to get around blacklistings. Redirect services need to put measures in place to prevent malicious misuse of their services -- and not many do that today. A site like a bit.ly needs to check and ensure that a URL doesn't land on a bad, blacklisted domain -- or else it risks finding itself blacklisted as a result.
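The block-or-don't-block choice described above, as an added example (not code from Spamhaus or from this blog): a filter-side check that maps a DBL answer to a category and applies a per-category policy. The return-code values are assumptions taken from Spamhaus's public DBL documentation and should be confirmed against the current docs; the sample domains and answers are constructed.

```python
import ipaddress
import socket

DBL_ZONE = "dbl.spamhaus.org"

# Assumed return codes (from Spamhaus's public DBL documentation; confirm
# against the current documentation before relying on them).
SPAM_DOMAIN = "127.0.1.2"
ABUSED_REDIRECTOR = "127.0.1.103"   # the separate "spammed redirector" result
IP_QUERY_ERROR = "127.0.1.255"      # an IP was queried; the DBL is domain-only
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query problem, not a listing

CATEGORY_BY_CODE = {SPAM_DOMAIN: "spam", ABUSED_REDIRECTOR: "redirector"}
SEVERITY = ["spam", "other_listing", "redirector"]  # most severe first


def dbl_query_name(domain, zone=DBL_ZONE):
    """Build the DNS name to look up; raise ValueError for unusable input."""
    host = domain.strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty domain")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return f"{host}.{zone}"  # not an IP literal, so it can be queried
    raise ValueError("the DBL lists domains, not IP addresses")


def classify(answers):
    """Reduce the A records of one DBL answer to a single category."""
    if not answers:
        return "not_listed"  # NXDOMAIN
    categories = set()
    for record in answers:
        if record == IP_QUERY_ERROR or ipaddress.ip_address(record) in ERROR_NET:
            # Error answers (blocked resolver, rate limit, bad query) must
            # never be treated as a listing, or all mail gets rejected.
            return "error"
        categories.add(CATEGORY_BY_CODE.get(record, "other_listing"))
    return min(categories, key=SEVERITY.index)


def decide(domain, resolver, policy):
    """Return (action, category) for one domain found in a message."""
    try:
        name = dbl_query_name(domain)
    except ValueError:
        return "accept", "skipped"
    category = classify(resolver(name))
    if category in ("not_listed", "error"):
        return "accept", category  # fail open on errors
    return policy.get(category, "reject"), category


def system_resolver(name):
    """Live lookup through the system resolver; any failure reads as not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


# Constructed sample answers so the example runs offline.
SAMPLE_ZONE = {
    "short.example.dbl.spamhaus.org": ["127.0.1.103"],
    "pills.example.dbl.spamhaus.org": ["127.0.1.2"],
    "blocked-resolver.example.dbl.spamhaus.org": ["127.255.255.254"],
}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


# Two hypothetical filter policies: one respects redirector listings,
# the other only tags that mail and keeps delivering it.
BLOCK_REDIRECTORS = {"spam": "reject", "redirector": "reject"}
TAG_REDIRECTORS = {"spam": "reject", "redirector": "tag"}

if __name__ == "__main__":
    for d in ("short.example", "pills.example", "clean.example",
              "blocked-resolver.example", "192.0.2.10"):
        print(d, decide(d, sample_resolver, BLOCK_REDIRECTORS),
              decide(d, sample_resolver, TAG_REDIRECTORS))
```

Swap `sample_resolver` for `system_resolver` to query the live zone; answers in the error range usually mean the lookups are going through a resolver the list operator does not serve.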

Comcast’s Impressive System for Notifying Infected Users

Return Path's J.D. Falk reports on Comcast's efforts to let customers know when their home computers are infected: pushing infectees into a walled garden, redirecting them to a page warning them that their network connection is infected.

J.D. writes: "As one of the world’s largest access providers, our partner Comcast has put a ton of thought into developing a notification system for their users. Their motivation is clear, and close to the heart of anyone working in security for end user systems: 'to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.'"

J.D. also touches on the concern over network neutrality, and the potential concern over this type of monitoring being considered at odds with network neutrality. I'm an advocate for network neutrality, for sure. But I am also an advocate for locking down and securing computers that are spewing infections and spam. I, personally, think this is the right thing to do, and I don't think that this process is incompatible with the broader goals of network neutrality. What do you think?

China cleans up spam problem

Techworld reports: "Once the largest source of the world's spam, China has been gradually fading off the list of the world's top spam-producers. Right now Cisco Systems' IronPort group ranks it at number 18 in terms of spam-producing countries. That's a big drop from two years ago, when it consistently ranked in the top five.

"'This is the first time in recent memory that China has not been in the top 10,' said Cisco Research Fellow Patrick Peterson, in an e-mail interview."

(H/T: Slashdot)

Is there a war on small mail servers?

A few days ago, a Slashdot user asked, “Is there a war on small mail servers?” The admin went on to state that he or she works for a company hosting their own mail server. Their two ISPs (Comcast and Verizon) both block port 25 outbound, and they’re complaining of getting caught in blacklisting crossfire when trying to relay mail out through a third party service. In short, they’re telling us, the world is preventing them from hosting a small mail server.

As somebody who runs two separate small mail servers myself, hosted on two separate ISPs, I can tell you that it’s not really a problem to send mail from a small mail server. I think there’s a huge misconception in this admin’s mind about what constitutes a business-grade internet connection and how best to configure your connection and/or server to mitigate any potential issues.

Allow me to run through the stated issues.
  1. Help, both of my ISPs are blocking port 25 outbound. This strongly suggests that the company this admin is working for does NOT have business level connectivity. I host a tiny little server on the end of a slow and inexpensive, but business-grade, RCN cable connection here in Chicago, with a dedicated IP address and no port blocking. I investigated previously and found that the same thing is available from Comcast. I rather suspect that something similar is available from Verizon. In short, this company probably has a consumer-grade service, and is complaining that it’s not a business-grade service. ISPs regularly block port 25 connections for consumers, because consumers’ computers are easy to infect and zombify. To prevent them from becoming a useful part of the botnet army, ISPs block port 25 outbound, making the connection less useful for serving spam. Like it or not, this is a long standing practice.
  2. “A lot of ISPs just started blocking any mail coming from any IP in the address block of cable modems.” That’s true – sort of. ISPs often use blacklists like the Spamhaus Policy Block List (PBL) – to reject mail from machines that should not be serving mail, according to the ISP or owner of the network space. If your IP address is listed in one of these “dynamic” blacklists, again, you probably have a dynamic, consumer-grade connection, not a business-grade connection. Many ISPs subscribe to these “dynamic” blacklists for the same reason that ISPs block port 25 – to help mitigate the spam attack from infected zombie computers. If your ISP doesn’t block it on the way out, a dynamic blacklist will help me block it on the way in. Either way, a significant amount of spam gets blocked. Like it or not, this is a long standing practice.
  3. Help, I’m caught in the middle of a blacklisting situation. The admin mentions both MAPS and McAfee (who are not the same company – MAPS is part of Trend Micro), and I don’t entirely know what the issue there might be. It sounds like the provider this company chose to SMTP relay their mail through is blacklisted as a spammer. Your options there are limited. Either move away from this provider, or nudge the provider to resolve the issue to the blacklist’s satisfaction. Some blacklists are not widely used, and perhaps can be ignored. I don’t know if that’s the case here. Ultimately, if you fixed your connectivity issues as identified above, and went for that business-grade connection, you could stop routing your mail through a third party.
Note that I’m not even touching on the typical issues any email admin has, dealing with IP address reputation, blacklists and whitelists, rate limiting, and so forth. Everybody deals with these issues; they’re not specific to operators of small mail servers.

Running your own mail server can be challenging, that’s for sure. Maybe that explains why email service providers and similar services are so popular nowadays. But is this a war against small mail servers? Absolutely not.

Return Path hires Sam Masiello

Read all about it here. Sam is a very smart guy; this is probably a really good fit for both parties, and quite a loss for McAfee.

Now Hiring: Who?

Last week, a coworker suggested I pay closer attention to the ads on Facebook. He pointed out that somebody is trying to specifically target a few of us who work for a couple of different companies.

Looking right now, I see that there is this little ad along the right side of my Facebook screen that says: "Hiring Email Expert. We are Hiring an Email Deliverability Expert in Denver, CO. If you are working at a major ESP as a deliverability expert we want you."

When you click on the ad, you are taken to a website in the "yolasite.com" domain, which is a free website host. The landing page explains the following:

The entire purpose of this webpage is to provide you with information about our company so you can decide if you would like to apply for our open position for an email deliverability expert.

We are an online media company in Denver, CO with approximately 30 employees. We own many web properties, have a large survey research business, and a growing email platform business.

Our email platform currently delivers tens of millions of emails a month and is growing rapidly towards hundreds of millions of emails per month. We are in need of an email deliverability expert to analyze stats, recommend improvements, and resolve any deliverability issues.

The target candidate is currently working at a large email service provider such as X or Y.

If you are an email deliverability expert currently working for a large ESP, please contact us at: (a webmail address)

My thought is, I have dealt with a lot of spammers and/or "very aggressive marketers" who hide behind layer-upon-layer of company names, private mailboxes, and masked domain registrations. Obfuscation is a common trait found in the whole lower end of the email marketing industry. A company using obfuscation and redirection in the recruiting process might be also doing this in other facets of their operation. I'm not exactly inspired by their recruiting methodology here.

I wonder who this is. Anybody have any clues?

Cloudmark developing SMS spam filter

Hey, this is cool: According to Engadget, Cloudmark seems to be working on the next frontier of spam filtering: SMS spam. Give it a few years, and something like this will be baked into every provider's infrastructure or handsets. Can't wait.

On an unrelated note, I never got a drop of SMS spam in the years that I was a T-Mobile customer. Last week I switched to Verizon (iPhone 4!), and within a few days, I got my first SMS/billing scam, from somebody called SendMe Mobile, where they tried to sign me up to a $9.99/mo SMS trivia thing without my consent. I wonder if I'm going to see more of these kinds of things, now that I've moved to the US wireless provider with the largest customer base.

Making Permission Assumptions

Do you know Romer? He's just this guy, you know. As he points out over on his WordPress blog, he's been in the anti-spam field for the last decade, doing a little bit of everything. Most lately, he's an engineer for a major anti-spam product.

I just noticed a very insightful post from Romer, where he talks about a recent email he received from Kodak.

The email from Kodak was just a plain old opt-out message. It explained that Kodak wants you to receive exciting emails and as such, we've just assumed that you want those exciting emails, so you are now opted-in. If you don't like it -- click on the unsub link.

It's the opposite of a permission pass -- and it's a heck of an assumption. Romer's take on it: Now, I don’t mind companies with whom I’ve done business asking me for permission to share my personal data. In some instances, I’ve been more than happy to allow it. But to assume that I will allow it, to require me to actively tell them that I do not want this, and to “update” my “permission status” without getting my permission first, is presumptuous in the extreme.

So Kodak just grew that list, but they did it in a way where an engineer for a major anti-spam product just made a face when ending up on that list. That's ... not a position I would want to be in. Do you think that bodes well for your deliverability when your practices catch the eye of somebody who controls the keys to the inbox?

This is why I occasionally raise the red flag about the emails I receive...if I notice these things, I know the spam filterers notice them, too.

(Update: Another spam filterer blogged about this as well. Click here to read.)

Who/what is RESMAIL?

There's somebody sneaky in my Gmail spam folder. Some company I've never heard of, apparently called RESMAIL, keeps showing up there, once or twice a week. The footer always says "RESMAIL - 63 Madison Ave 9th Floor - New York, NY 10016 US." The source IP addresses have varied over the past months -- from 173.244.163.182, 66.151.5.167 and most recently 98.126.20.140. They seem to be trying to advertise some semi-legitimate stuff -- Columbia University's School of General Studies, a NY Real Estate Expo, hotels in the New York area, etc. Seems legitimate, except for the fact that I never signed up for it and it's pure unwanted third-party advertising. I'm not even sure how they came to be in possession of that Gmail address -- the only other unwanted mail this account gets is the typical Russian pill and gambling stuff.

Anybody else out there familiar with RESMAIL?

Goodmail to Shut Down

Laura Atkins reports on this over on the Word to the Wise blog, and Dennis Dayman covers this for Deliverability.com: Goodmail services are to be wound down on February 8th, 2011. I don't have much to add beyond what they've already said, but I do have a question: Know anybody who was using Goodmail? What does this mean to Goodmail users out there? Where do you go from here?

I also wonder if this is an opportunity for Return Path to buy the assets and if existing ISP agreements would be maintained. Is this an opportunity for RP to buy their way into certification at AOL? Contracts are complex beasts; I'd be surprised if it would be as simple as RP writing a check. But one assumes that Return Path people are discussing this internally.

February 8, 2011 update: As promised, Ken Magill covers the Goodmail shutdown today, and quotes ex-Goodmail customers as they ponder the answer to the question, "What now?"

Thought of the Day: Permission

What permission is:
Permission means your potential subscriber initiated the request to sign up for your emails.

What permission is not:
I got a list of email addresses and I sent everybody a double opt-in request.

Don't take my word for it -- ask Spamhaus. "You can not simply buy a list from a 3rd party and conduct a permission pass on it, you will simply be considered to be spamming and treated as a spammer."

Nice email, but...

I'm a big fan of Progressive Insurance. But I'm not so much a fan of email newsletters lacking easy unsubscribe links. When you click on the "update preferences" link below, you're led to a password-protected profile center. You have to login to unsubscribe. Yet, this email isn't transactional; it is not a necessary part of my car insurance coverage.

Let's talk about a practical consideration. By making it anything-but-simple to unsubscribe, Progressive is tempting subscribers to hit the "this is spam" button, instead of bothering to unsubscribe. I'll bet you a dollar that their FBL complaint rates are elevated as a result.

Guest Post: Reader Feedback Week

By: Huey Callison

[Transcription errors are my own. Listen to the voicemail here.]
This is Anderson from n.a.n-a.e. Oh man, what a piece of shit. Are you guys- ...are you the one that owns the uh- ...the uh- ...DNSBL blacklist thing you're running there, you piece of shit? The one that fucks with peoples' money? I just figured I'd give you a call every day and fuck with you since you wanna fuck with me. I'll see you on n.a.n-a.e, bitch.

Mister Anderson:

Regrettably, Mr. Iverson is travelling for an industry conference, and was unavailable to take your call. However, as your reader satisfaction is important to us, I appreciate the opportunity to address some of your concerns.

First, like many requests for assistance in the deliverability field, yours failed to include nearly enough information to identify the underlying problem, much less recommend a remediation strategy going forward. But, as a veteran of the US Army and a frequent bar-patron, I'm reasonably fluent in semi-coherent obscenities, so I'm going to make an educated guess as to what the problem is, and attempt to offer some suggestions that I hope you'll find useful.

To answer your initial question, probably not, no. DNSBL Resource and Spam Resource are websites focused on the discussion of various DNSBLs and issues relating to spam and deliverability in general, but do not actually operate any DNSBLs, so they don't actually do anything to anybody's money, other than the token amount it costs the owners to maintain a few domains and websites.

In re: your second point, we regret to inform you that we are uninterested in sexual intercourse with you at this time, and calling every day is unlikely to help, at least in the near term. We will be happy to keep your request on file, and let you know if any positions open up in the future.

As to your last point, I'm sorry to disappoint you again, but news.admin.net-abuse.email ceased to be a useful information source to email industry professionals somewhere around ten years ago. At this point, the nicest, most genuinely helpful person still reading and posting to n.a.n-a.e semi-regularly is a programmer named Vernon Schryver, and I'm confident that even he will admit that he is unlikely to win many Miss Congeniality awards.

But I can't help but notice that you sound very angry, and I strongly suspect that this is due to some interaction with a DNSBL (probably a listing, or a threatened listing) that has affected you financially in some way. Again, I'm operating on somewhat limited information here, so I can't definitively identify if that's even the case, much less which one. But again, I can guess: the only DNSBL with the reach and influence that I would suspect could provoke financial difficulties and this much ire would be the Spamhaus SBL.

A disclaimer: I am in no way connected to Spamhaus beyond being a fan and occasional user of services that they provide, so some of this information is conjecture on my part, based on observations of how they seem to work. It seems to me that an SBL listing is generally indicative of an emergent danger somewhere in your business process, and would most often indicate that you, or perhaps one of your affiliates, or possibly someone else on the same IP address as you, is sending a lot of spam. It could also indicate that your IP address also hosts a webserver serving a link that is mentioned in a lot of spam, or a nameserver that serves DNS records for a domain linked to a lot of spam. In general, an SBL listing is a pretty severe symptom of some kind of spam-related problem.

So, if you were listed by the SBL, and it's because of some link between your business and spam, getting angry at us will not help you. When our machines are listed by Spamhaus (it's rare, but it has happened) we have to go through the same delisting procedure as everyone else. Getting angry at Spamhaus will not help you either. The solution is relatively simple: cease any current involvement and avoid any future involvement with spam, and follow the published delisting procedures on the Spamhaus website.

I'll grant that it is possible that you are already avoiding any involvement with spam, and still find yourself SBL listed. Your SBL listing could be for a virtual server or shared webhosting arrangement on the same IP address as someone else who is involved with spam, in which case your solution is to move the affected services to a more reputable provider.

In summary: although I am unsure what exactly your DNSBL problems entail, I am certain that they are not being caused by DNSBL Resource or Spam Resource, and I can't really make any more specific recommendations without further information about your situation. I hope I've addressed your concerns to your satisfaction, but if I have not, please don't hesitate to contact us again. We always appreciate hearing from our loyal readers.

Have a blessed day,

Huey Callison

An Informal Definition of Spam

I was talking to a guy the other day about the whole LinkedIn harvesting incident (or non-incident, depending upon your point of view), and this guy offered up that he had previously been in a somewhat similar situation before -- but on the other side of it. I offered up the opportunity to guest post about that here, and that leads us to today's guest post authored by Robby Slaughter. Robby runs Slaughter Development, a productivity consulting firm in Indianapolis, IN. Take it away, Robby:

Last year, I wrote a book called Failure: The Secret to Success. As part of the marketing campaign for the book, and generally because I was really excited, I wanted to share the news with everybody I knew.

Spreading a message to your contact sphere is almost certainly going to involve email. Sending lots of emails is going to flirt with the official, legal definition of spam. Like anyone trying to self-promote, I didn't want to upset people, but at the same time I didn’t want to establish any undue limits on spreading the word about my new book. Spam puts all of us at a crossroads between the important role of marketing and the unacceptable behavior of abuse. I had to make a choice.

Email vs. Email


You don't have to be a technical wizard to recognize that there are two very different kinds of electronic messages landing in inboxes. On the one hand, there are personal emails sent by people through the act of typing, pointing and clicking. Billions of emails like this circle the planet every day, most of which represent a conversation between just one sender and one recipient.

Then, there's an entire universe of bulk email. The phrase "bulk" does not mean that every message is exactly the same or delivered at precisely the same time, of course. Each one goes to a different recipient and may have all kinds of complex personalization. Rather, "bulk" merely indicates that these emails are part of a larger campaign and are sent en-masse. Some bulk messages are entirely legitimate, opt-in newsletters or announcements, and others promote lucrative Nigerian business opportunities or pharmaceuticals hawked with peculiar spellings.

It is sometimes difficult to tell the difference between spam and not-spam, but it's almost always easy to tell the difference between personal emails and bulk emails. The content of personal messages absolutely oozes with the eccentricities of the sender. They were written in a text box in an email client, and were probably sent by a laptop computer, not a "deliverability network." We all might complain about that uncle who forwards chain emails that could be refuted in ten seconds on Snopes, but that doesn’t seem like bulk email. Therefore, messages written in Microsoft Outlook using BCC which have a personal touch do not seem like spam.

What I Did: Genius? Evil? Or Evil Genius?

Here’s what I did last summer: I took a lifetime of personal contacts—over 5,000 people—and sent them all the same, friendly email message. I did this 100 email addresses at a time and used blind carbon copy. It wasn’t really an automated process, and the message wasn’t all that commercial. Here’s what I wrote to a bazillion of my closest friends:

Hi!

First of all, this is one of those big BCC-everyone-you-know emails, so if I haven't talked to you in a while please REPLY to this message to let me know how you are doing.

Second: I wrote a book! It's called "Failure: The Secret to Success." You can learn all about it (and buy an advance copy even) at:

http://www.failurethebook.com/

Third: These things sometimes get duplicated. So if you get more than one copy of this email, accept my apologies. Or: forward it to a friend! Or: if you have no idea who I am and think this is spam, please let me know.

That's it! Hope you're having a fantastic day.

Regards,
Robby Slaughter

Spam vs. spam and is this spam?

To answer the question about whether or not what I did was spam I want to make a difference between the legal definition of Spam (according to CAN-SPAM and industry experts) and the practical definition of spam. CAN-SPAM doesn’t exactly define what Spam is but instead clarifies appropriate behaviors for "commercial email." But what does that mean? The law speaketh:

[commercial email is] any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.

From my point of view, the primary purpose of the message is laid out in my first point: "REPLY to this message and let me know how you are doing!" So I think I have an argument that the message is in fact, not covered under CAN-SPAM.

But at the same time, clearly I wanted people to buy the book! I also added language about replying to the email to effectively "opt out," which sort of implies intent to conform to CAN-SPAM if in fact this really is a commercial message.

What about the lowercase, practical definition of "spam?" To me, that would be "a solicitation message that was sent to lots of people including me, which I did not expect and would rather have not received." Well, for most of my thousands of recipients, this was not spam with a lowercase "s." Many of them did reply, and I engaged in a few weeks of email catch-up on people I had not seen in ages. But a few did reply harshly. They explained (or rather, cursed) that the message was spammy and wrong.

In Summary

I did not want to upload my entire contacts database to an email service provider (ESP) to send a commercial email message. Many specifically advise against doing exactly this, but then again they are likely to bear the brunt of any complaints. Furthermore, most ESPs probably assume that you will send many messages, whereas I only intend to send one. Or at least, one every time I write a book.

I feel pretty good that what I did was right, clever, and effective. I don’t think I broke the law. But I do believe I demonstrated that email is complicated. I won’t repeat the process in the future without talking to an email expert.

What do you think? Am I a spammer?

Dennis Dayman: Watch out for DeepWWW

Over on Deliverability.com, Dennis Dayman shares a tale of spam and information about an uncooperative seller of email list data. Anybody else heard of this DeepWWW? Never heard of them before, myself.

How to Generate Leads with LinkedIn

I guess I’ve still got LinkedIn on the brain. In response to my complaint about being spammed by somebody due to harvesting of my email address from LinkedIn, the individual in question decided to aim a scattershot blob of tweets consisting of a whole bunch of old "B2B social media strategy" articles at me. I’m not sure why -- they’re good articles -- many of them were written by a very smart colleague of mine -- but none of them advocate doing anything like "export your contact list from LinkedIn and start sending emails to those people."

LinkedIn: A list-building opportunity?

Wow! 500+ new subscribers! It seems an exciting and easy opportunity, doesn’t it? If you’re like me, you’ve got a big list of contacts that you’ve “linked up” with on social (business) networking site LinkedIn. So many email addresses!

Microsoft, Holomaxx, ISPs Reading Your Email

Way back on December 19th, John Levine posted Microsoft's response to the Holomaxx lawsuit. I haven't had a chance to read it in depth until now -- and let me tell you, it has been an interesting read. I'm not a lawyer (and I don't even play one on TV), but I think Microsoft is going to squash Holomaxx like a bug. John Levine calls this first response from Microsoft a "crushing brief" and I find that a suitable description.

Top 5 Spam Resource Posts in 2010

As we transition to the new year, I thought it would be fun to share with you the top five most popular posts on Spam Resource, based on number of page views in the past year. Enjoy!