Is there a war on small mail servers?

A few days ago, a Slashdot user asked, “Is there a war on small mail servers?” The admin went on to state that he or she works for a company hosting their own mail server. Their two ISPs (Comcast and Verizon) both block port 25 outbound, and they’re complaining of getting caught in blacklisting crossfire when trying to relay mail out through a third party service. In short, they’re telling us, the world is preventing them from hosting a small mail server.

As somebody who runs two separate small mail servers myself, hosted on two separate ISPs, I can tell you that it’s not really a problem to send mail from a small mail server. I think there’s a huge misconception in this admin’s mind about what constitutes a business-grade internet connection and how best to configure your connection and/or server to mitigate any potential issues.

Allow me to run through the stated issues.
  1. Help, both of my ISPs are blocking port 25 outbound. This strongly suggests that the company this admin is working for does NOT have business level connectivity. I host a tiny little server on the end of a slow and inexpensive, but business-grade, RCN cable connection here in Chicago, with a dedicated IP address and no port blocking. I investigated previously and found that the same thing is available is available from Comcast. I rather suspect that something similar is available from Verizon. In short, this company probably has a consumer-grade service, and is complaining that it’s not a business-grade service. ISPs regularly block port 25 connections for consumers, because consumers’ computers are easy to infect and zombify. To prevent them from becoming a useful part of the botnet army, ISPs block port 25 outbound, making the connection less useful for serving spam. Like it or not, this is a long standing practice.
  2. “A lot of ISPs just started blocking any mail coming from any IP in the address block of cable modems.” That’s true – sort of. ISPs often use blacklists like the Spamhaus Policy Block List (PBL) – to reject mail from machines that should not be serving mail, according to the ISP or owner of the network space. If your IP address is listed in one of these “dynamic” blacklists, again, you probably have a dynamic, consumer-grade connection, not a business-grade connection. Many ISPs subscribe to these “dynamic” blacklists for the same reason that ISPs block port 25 – to help mitigate the spam attack from infected zombie computers. If your ISP doesn’t block it on the way out, a dynamic blacklist will help me block it on the way in. Either way, a significant amount of spam gets blocked. Like it or not, this is a long standing practice.
  3. Help, I’m caught in the middle of a blacklisting situation. The admin mentions both MAPS and McAfee (who are not the same company – MAPS is part of Trend Micro), and I don’t entirely know what the issue there might be. It sounds like the provider this company chose to SMTP relay their mail through is blacklisted as a spammer. Your options there are limited. Either move away from this provider, or nudge the provider to resolve the issue to the blacklist’s satisfaction. Some blacklists are not widely used, and perhaps can be ignored. I don’t know if that’s the case here. Ultimately, if you fixed your connectivity issues as identified above, and went for that business-grade connection, you could stop routing your mail through a third party.
Note that I’m not even touching on the typical issues any email admin has, dealing with IP address reputation, blacklists and whitelists, rate limiting, and so forth. Everybody deals with these issues; they’re not specific to operators of small mail servers.

Running your own mail server can be challenging, that’s for sure. Maybe that explains why email service providers and similar services are so popular nowadays. But is this a war against small mail servers? Absolutely not.

Return Path hires Sam Masiello

Read all about it here. Sam is a very smart guy; this is probably a really good fit for both parties, and quite a loss for McAfee.

Now Hiring: Who?

Last week, a coworker suggested I pay closer attention to the ads on Facebook. He pointed out that somebody is trying to specifically target a few of us who work for a couple of different companies.

Looking right now, I see that there is this little ad along the right side of my Facebook screen that says: "Hiring Email Expert. We are Hiring an Email Deliverability Expert in Denver, CO. If you are working at a major ESP as a deliverability expert we want you."

When you click on the ad, you are taken to a website in the "yolasite.com" domain, which is a free website host. The landing page explains the following:

The entire purpose of this webpage is to provide you with information about our company so you can decide if you would like to apply for our open position for an email deliverability expert.

We are an online media company in Denver, CO with approximately 30 employees. We own many web properties, have a large survey research business, and a growing email platform business.

Our email platform currently delivers tens of millions of emails a month and is growing rapidly towards hundreds of millions of emails per month. We are in need of an email deliverability expert to anaylze stats, recommend improvements, and resolve any deliverability issues.

The target candidate is currently working at a large email service provider such as X or Y.

If you are an email deliverability expert currently working for a large ESP, please contact us at: (a webmail address)

My thought is, I have dealt with a lot of spammers and/or "very aggressive marketers" who hide behind layer-upon-layer of company names, private mailboxes, and masked domain registrations. Obfuscation is a common trait found in the whole lower end of the email marketing industry. A company using obfuscation and redirection in the recruiting process might be also doing this in other facets of their operation. I'm not exactly inspired by their recruiting methodology here.

I wonder who this is. Anybody have any clues?

Cloudmark developing SMS spam filter

Hey, this is cool: According to Engadget, Cloudmark seems to be working on the next frontier of spam filtering: SMS spam. Give it a few years, and something like this will be baked into every provider's infrastructure or handsets. Can't wait.

On an unrelated note, I never got a drop of SMS spam in the years that I was a T-Mobile customer. Last week I switched to Verizon (iPhone 4!), and within a few days, I got my first SMS/billing scam, from somebody called SendMe Mobile, where they tried to sign me up to a $9.99/mo SMS trivia thing without my consent. I wonder if I'm going to see more of these kinds of things, now that I've moved to the US wireless provider with the largest customer base.

Making Permission Assumptions

Do you know Romer? He's just this guy, you know. As he points out over on his WordPress blog, he's been in the anti-spam field for the last decade, doing a little bit of everything. Most lately, he's an engineer for a major anti-spam product.

I just noticed a very insightful post from Romer, where he talks about a recent email he received from Kodak.

The email from Kodak was just a plain old opt-out message. It explained that Kodak wants you to receive exciting emails and as such, we've just assumed that you want those exciting emails, so you are now opted-in. If you don't like it -- click on the unsub link.

It's the opposite of a permission pass -- and it's a heck of an assumption. Romer's take on it: Now, I don’t mind companies with whom I’ve done business asking me for permission to share my personal data. In some instances, I’ve been more than happy to allow it. But to assume that I will allow it, to require me to actively tell them that I do not want this, and to “update” my “permission status” without getting my permission first, is presumptuous in the extreme.

So Kodak just grew that list, but they did it in a way where an engineer for a major anti-spam product just made a face when ending up on that list. That's ... not a position I would want to be in. Do you think that bodes well for your deliverability when your practices catch the eye of somebody who controls the keys to the inbox?

This is why I occasionally raise the red flag about the emails I receive...if I notice these things, I know the spam filterers notice them, too.

(Update: Another spam filterer blogged about this as well. Click here to read.)

Who/what is RESMAIL?

There's somebody sneaky in my Gmail spam folder. Some company I've never heard of, apparently called RESMAIL, keeps showing up there, once or twice a week. The footer always says "RESMAIL - 63 Madison Ave 9th Floor - New York, NY 10016 US." The source IP addresses have varied over the past months -- from 173.244.163.182, 66.151.5.167 and most recently 98.126.20.140. They seem to be trying to advertise some semi-legitimate stuff -- Columbia University's School of General Studies, a NY Real Estate Expo, hotels in the New York area, etc. Seems legitimate, except for the fact that I never signed up for it and it's pure unwanted third-party advertising. I'm not even sure how they came to be in possession of that Gmail address -- the only other unwanted mail this account gets is the typical Russian pill and gambling stuff.

Anybody else out there familiar with RESMAIL?

Goodmail to Shut Down

Laura Atkins reports on this over on the Word to the Wise blog, and Dennis Dayman covers this for Deliverability.com: Goodmail services are to be wound down on February 8th, 2011. I don't have much to add beyond what they've already said, but I do have a question: Know anybody who was using Goodmail? What does this mean to Goodmail users out there? Where do you go from here?

I also wonder if this is an opportunity for Return Path to buy the assets and if existing ISP agreements would be maintained. Is this an opportunity for RP to buy their way into certification at AOL? Contracts are complex beasts; I'd be surprised if it would be as simple as RP writing a check. But one assumes that Return Path people are discussing this internally.

February 8, 2011 update: As promised, Ken Magill covers the Goodmail shutdown today, and quotes ex-Goodmail customers as they ponder the answer to the question, "What now?"

Thought of the Day: Permission

What permission is:
Permission means your potential subscriber initiated the request to sign up for your emails.

What permission is not:
I got a list of email addresses and I sent everybody a double opt-in request.

Don't take my word for it -- ask Spamhaus. "You can not simply buy a list from a 3rd party and conduct a permission pass on it, you will simply be considered to be spamming and treated as a spammer."