John's a famous guy. A self-described "entrepreneur and civil libertarian," he's probably most recently famous for being the guy who challenged the government over requirements that you produce ID before you are allowed on an airplane: "In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules. [He sued, and] the case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search."
There's something else about John that you might not know, however. One of his systems is an open relaying mail server.
What is an open relay, you ask? Wikipedia has a detailed overview, if you're curious. The short version is: internet mail servers used to be available for anyone's use. This was common and expected, until the rise of spam in the 1990s. It came to be that these unlocked open relaying servers were widely abused to send spam. Spammer used open relays to bypass spam blocks and attempt to disguise the actual source of their messages. It was a huge problem for those of us who dislike spam. Many server operators rushed to reconfigure their servers to prevent this type of abuse, and multiple spam blacklists were created to facilitate the blocking of open relaying mail servers that weren't yet reconfigured. Usually because the server's admin was asleep at the wheel; very rarely because they purposely wanted their server to be used to relay spam.
I've created more than one blacklist myself, and I've helped out with a few other ones over the years. The most widely-used one I created was called the Radparker Relay Spam Stopper (RRSS), which became the MAPS (Mail Abuse Prevention System) Relay Spam Stopper in 1999. We were tracking, and helping people block mail from, open relaying mail servers that had been utilized to relay spam. The thought behind this process was that where one spam was seen, more was likely to follow, and the statistics showed that to be correct. So, I know quite a bit about open relays.
Even way back then, John Gilmore was running one of these servers. On purpose. Spammers have used his open relay server to vector their mail to unhappy end recipients multiple times. Yet, he persisted in running the open relay, because he felt it was his right. It probably is his right, but I am of the opinion that it's also the right of everybody else to block mail from this server because it has on occasion relayed spam, and is being purposely left configured in a state that allows more spam to be relayed through it. I think that's true now -- I'm not personally going to poke at his server and see for myself. But the IP address 209.237.225.244 seems to be assigned to him, and it's currently on the Spamhaus SBL blacklist. Spamhaus's website indicates that this IP address has been identified "mailbombing the full disclosure mailing list amongst others." That's from March 2006, as is this information indicating that "there's another spam run underway" from 209.237.225.244.
I believe that this server could be configured to disallow abuse by spammers, and that John chooses not to go that route. His website rant against Verio (a previous provider who declined to continue to provide him internet access over this issue) says that's missing the point. "The point is that contract terms created by negotiation are fair, but contract terms imposed by blacklisting anyone who won't accept them ("refusal to deal") are a violation of antitrust law, if those who are doing the blacklisting have market power."
So, John indicates that it's a legal issue. John's standing up for his rights, which he's absolutely certain he has, even though he's been blacklisted on and off since at least 1999 and is still blacklisted as of December, 2006. Even though his server is STILL periodically being as a conduit for unwanted email traffic. I'm not an anti-trust lawyer, but I still think John's in the wrong. He's not being a good net neighbor, and I believe that he's putting his "dammit, I'm right and you can't stop me" attitude ahead of doing the right thing to help reduce spam on the internet.
John's website has a section containing more commentary from him relating to this issue: "If you're a friend and you've tried emailing twice, it's probably one of our mail handling systems. I suggest phoning me. It seems that in the last few years, large numbers of ISPs have started using "blacklists", even the ones that never did before. The blacklisters hate me, so they put me on their lists, even though I have never sent a single spam message. They don't like the way I administer my machine. (I don't like the way they administer their machines either.)"
I take issue with this. I think "the blacklisters" actually hate spam, not him. Most likely learned about him only due to the receipt of junk (spam, virus or worm) email transmitted to them via his server. Even if they've knowingly facilitated the blocking of mail from his server, I suspect they only start to hate him after a frustrating debate (or Google search) reveals that he runs his server this way on purpose.
I, myself, received reports of spam from the server, back in 1999 or 2000. A quick Google search finds a ton of online discussion about John and his open relay. It also confirms that the server has been utilized to vector more spam in the days since my involvement in open relay blocking, in at least 2002 and 2006.
After years of this, you'd think the point was made. John, delcare your victory and configure your server to disallow unauthenticated relay.
Under the US Federal "CAN-SPAM" anti-spam law, it looks to me like ISPs are free to block mail from whomever they choose in their best efforts to stop spam. ISPs use a variety of methodologies, including blacklists, to measure your "sending reputation" and determine whether or not they should accept your mail. I deal a lot with reputation issues in my current job, helping clients clean up and do mail right, so they're not labeled as spammers and blocked. I respect how ISPs handle this -- most do so in a very fair-handed and easily understandable way. Egos are set aside and decisions are primarily data-driven. There's very little hate involved. Maybe what John says was true seven years ago, but since then, there's been a very interesting power shift. In 1999, MAPS held the keys to the inbox. Get listed on their Realtime Blackhole List (RBL) and find 30%-40% of your mail bouncing. Today, the ISP is the greater gatekeeper. AOL, Hotmail, Yahoo, combine to house around 50% of end user mailboxes. They and other major receivers all have different reputation mechanisms, blocks, and filters in place, and they're whom you have to deal with if you're trying to clean up an IP address's reputation. Spamhaus still has a fair number of users, but I suspect John's blacklisting stance amounts to tilting at (mostly crumbled) windmills nowadays.
If mail from John's IP address is still getting blocked by the top tier ISPs, the resolution is so amazingly simple. Modify the server's configuration so it's no longer perceived by receivers as an attractive nuisance. Prevent unauthorized relaying and proxying. Maybe he'll have to reach out to those ISPs and ask for them to check the reputation of his server anew. ISPs would most likely lift the block and that'd be the end of it.
Others have posited that an open relay is a necessary thing to support the roaming internet user. Maybe that was true in the earlier days (note that the date on that defense is from 2001), but nowadays, it's simply not necessary. I'm living proof -- I travel constantly for work and for pleasure. I connect from four different ISPs. I have email addresses at multiple personal domains that I host with various means. Yet, I am easily able to securely relay mail through the authenticated SMTP relays of both my wireless broadband ISP (Verizon Wireless) and my webmail provider (Gmail). Even if SMTP is totally blocked I can use Gmail's web interface to send and receive mail just fine. The geek set has access to free tools and methods like SSH tunneling, the ability to set up their own authenticating SMTP servers, or even installing an open source webmail platform like IMP.
Blast from the past: RFC Ignorant
RFC Ignorant (RFCI) is a blacklist. It lists sites that don't have working postmaster or abuse addresses, among a few other reasons. The name "RFC Ignorant" comes from the belief that not having these addresses working on your system means that you're out of step with Internet RFCs (Requests for Comments), the guiding documents regarding Internet interoperability.
It's on my mind lately, as I found a site I assist listed on it. It's easy enough (in this case) to fix the perceived issue and get the site delisted (removed). I'm more interested in resolving issues than starting a fight with a blacklist operator. So, I'll just deal. Still, it's surprising to me that the list is even still around, as I recall that the disagreements over its value (or lack thereof) started shortly after the list was created, way back in 2000 or 2001.
Not a lot of people use this blacklist, because it really has very little to do with spam blocking. Lots of sites send no mail, or have some reason that they wouldn't have a postmaster or abuse address. But, even if a site's reason for not having such an address is a bad reason, it still doesn't mean they're a spammer.
So, if you use the RFCI blacklist to block mail, you will potentially block mail from some sites that violate RFC guidelines, as interpreted by the blacklist operators. But, that doesn't mean it'll block any spam. Lots and lots of spam-spewing sites comply perfectly with the RFCs, and wouldn't be eligible for listing.
Here's one example of the kind of disagreement the RFCI blacklist engenders.
Here's another, slightly more calm take on why a site wasn't able to continue using the RFCI blacklist.
It's on my mind lately, as I found a site I assist listed on it. It's easy enough (in this case) to fix the perceived issue and get the site delisted (removed). I'm more interested in resolving issues than starting a fight with a blacklist operator. So, I'll just deal. Still, it's surprising to me that the list is even still around, as I recall that the disagreements over its value (or lack thereof) started shortly after the list was created, way back in 2000 or 2001.
Not a lot of people use this blacklist, because it really has very little to do with spam blocking. Lots of sites send no mail, or have some reason that they wouldn't have a postmaster or abuse address. But, even if a site's reason for not having such an address is a bad reason, it still doesn't mean they're a spammer.
So, if you use the RFCI blacklist to block mail, you will potentially block mail from some sites that violate RFC guidelines, as interpreted by the blacklist operators. But, that doesn't mean it'll block any spam. Lots and lots of spam-spewing sites comply perfectly with the RFCs, and wouldn't be eligible for listing.
Here's one example of the kind of disagreement the RFCI blacklist engenders.
Here's another, slightly more calm take on why a site wasn't able to continue using the RFCI blacklist.
Topics:
bad ideas,
blacklists,
rfci
Ask Al: How do I track abusive spam?
Cindy from NY writes: "Hello -- I am receiving abusive e-mails and am trying to track them through Sam Spade et.al. I think I know who is sending them and am trying to match IP addresses with old legitimate e-mails from the sender. Is this possible? I've spent many hours tracing -- it is exhausting."
After reviewing the spam samples you provided, it looks to me like the mails are just spams. Spammers do a lot of weird stuff in the code to try to sneak through spam filters. That's why they have all those words and sentences all over the emails. Spam filters read them and can occasionally become confused. At least, this is what the spammers hope will happen. I wouldn't worry specifically about those emails. Spam sucks, but there is not a ton you can do on your own to stop it. It's really up to your email provider (Gmail) to take care of it for you. Unfortunately, Gmail is not the best in this regard. Others, like AOL and Hotmail, are far better at it.
I say that because Gmail doesn't report spam back to the source network or ISP. This means that when you hit the “this is spam” button in Gmail, less happens compared to hitting that button at AOL or Hotmail. Gmail will put the spam in your spam folder, and based on metrics relating to your “vote” and others, they decide which mail goes to the spam folder by default, and which does not. Other ISPs and mail providers do the same. But, many do much more than that.
AOL and Hotmail both have very aggressive reporting programs where they work with other ISPs and email senders directly, doing things like providing feedback regarding complaints and notifying sending ISPs and companies that things need to change else mail will get blocked. Gmail, on the other hand, is more of a "black box" where nobody outside of Gmail receives feedback about which mail is causing problems or what needs to change. I wouldn’t be surprised if Gmail reconsidered this stance in the future, but for now, your best bet may be to switch to AOL or Hotmail for your email needs.
After reviewing the spam samples you provided, it looks to me like the mails are just spams. Spammers do a lot of weird stuff in the code to try to sneak through spam filters. That's why they have all those words and sentences all over the emails. Spam filters read them and can occasionally become confused. At least, this is what the spammers hope will happen. I wouldn't worry specifically about those emails. Spam sucks, but there is not a ton you can do on your own to stop it. It's really up to your email provider (Gmail) to take care of it for you. Unfortunately, Gmail is not the best in this regard. Others, like AOL and Hotmail, are far better at it.
I say that because Gmail doesn't report spam back to the source network or ISP. This means that when you hit the “this is spam” button in Gmail, less happens compared to hitting that button at AOL or Hotmail. Gmail will put the spam in your spam folder, and based on metrics relating to your “vote” and others, they decide which mail goes to the spam folder by default, and which does not. Other ISPs and mail providers do the same. But, many do much more than that.
AOL and Hotmail both have very aggressive reporting programs where they work with other ISPs and email senders directly, doing things like providing feedback regarding complaints and notifying sending ISPs and companies that things need to change else mail will get blocked. Gmail, on the other hand, is more of a "black box" where nobody outside of Gmail receives feedback about which mail is causing problems or what needs to change. I wouldn’t be surprised if Gmail reconsidered this stance in the future, but for now, your best bet may be to switch to AOL or Hotmail for your email needs.
Ask Al: Help, I'm being blocked as a spammer!
Bill from the UK writes: "I'm 66 and not a tech guy. I've just been kicked back as a "KNOWN SOURCE OF SPAM (NJABL)" although I don't generate spam. I do occasionally send large files to business associates, and some get kicked back because of size, but that's all. How can I become 'unlisted' or at least get in touch with the generators of this incorrect information. Thank you very much."
NJABL ("Not Just Another Bogus List") is a DNSBL ("DNS-based blacklist"). If you don't know what that is, don't worry -- it's basically just a kind of spam filter. It's used by mail server administrators to try to block incoming spam. According to NJABL's website, their listing critiera includes "known and potential spam sources (open relays, open proxies, open form to mail HTTP gateways, dynamic IP pools, and direct spammers) for the purpose of being able to tag or refuse email and prevent at least some spam."
Bill, here's the deal. You're trapped in a situation where NJABL has chosen to list your ISP (Tiscali). If they're mad at anybody, they're mad at Tiscali, and not at you. Ultimately, what you need to do is contact Tiscali, tell them that because of this, you are being incorrectly labeled as a spammer, and you need them to address this issue with NJABL.
If you contact NJABL directly, they are going to likely just tell you the same thing. It's all about who owns the mail servers, not individual users on the mail server. So, there is a spam issue (or perceived issue) with Tiscali -- not with you. You're finding out that end users often get stuck in the middle when these types of issues occur. One point of view here is that it's Tiscali's fault, for perhaps allowing enough spam to come from their network that their users' mail is getting blocked. An alternate viewpoint holds that it's NJABL's fault, for being too agressive in their blocking policies, allowing non-spamming end users like yourself to be negatively affected.
Regardless of who is to blame, it's not an issue that you're going to have success fixing on your own. Contact Tiscali, detail the issue for them, and request that they contact NJABL to resolve this problem. When you reach out to your ISP, be sure to include the entire error message. There is information about the issue contained in this error message that both Tiscali and NJABL will need to figure it out.
NJABL ("Not Just Another Bogus List") is a DNSBL ("DNS-based blacklist"). If you don't know what that is, don't worry -- it's basically just a kind of spam filter. It's used by mail server administrators to try to block incoming spam. According to NJABL's website, their listing critiera includes "known and potential spam sources (open relays, open proxies, open form to mail HTTP gateways, dynamic IP pools, and direct spammers) for the purpose of being able to tag or refuse email and prevent at least some spam."
Bill, here's the deal. You're trapped in a situation where NJABL has chosen to list your ISP (Tiscali). If they're mad at anybody, they're mad at Tiscali, and not at you. Ultimately, what you need to do is contact Tiscali, tell them that because of this, you are being incorrectly labeled as a spammer, and you need them to address this issue with NJABL.
If you contact NJABL directly, they are going to likely just tell you the same thing. It's all about who owns the mail servers, not individual users on the mail server. So, there is a spam issue (or perceived issue) with Tiscali -- not with you. You're finding out that end users often get stuck in the middle when these types of issues occur. One point of view here is that it's Tiscali's fault, for perhaps allowing enough spam to come from their network that their users' mail is getting blocked. An alternate viewpoint holds that it's NJABL's fault, for being too agressive in their blocking policies, allowing non-spamming end users like yourself to be negatively affected.
Regardless of who is to blame, it's not an issue that you're going to have success fixing on your own. Contact Tiscali, detail the issue for them, and request that they contact NJABL to resolve this problem. When you reach out to your ISP, be sure to include the entire error message. There is information about the issue contained in this error message that both Tiscali and NJABL will need to figure it out.
Topics:
ask al,
blacklists,
njabl,
tiscali
How to deal with Challenge/Response?
Over here, I help answer a question about Challenge/Response filters, in MediaPost's EmailInsider newsletter.
I was already a reader before the "E-mail Diva" reached out to me. It's worth signing up for.
I was already a reader before the "E-mail Diva" reached out to me. It's worth signing up for.
Topics:
bad ideas,
challenge-response,
mediapost
Groklaw on the Spamhaus case
Here's an update from Groklaw on the lawsuit brought against Spamhaus by e360. Good reading, good insight. As always, the comments from the peanut gallery contain a lot of armchair lawyering, much of it suspect.
Who's been sued under CAN-SPAM?
I received the question yet again today: Who's been sued under CAN-SPAM? Let's take a look and see what our good friend, the Internet, has to say on the subject:
Topics:
can-spam,
lawsuit,
scott richter,
yesmail
Ask Al: Help, my domain is being forged!
John from the UK writes: We have recently -- the last 2 weeks -- become victims of a spamming outfit. They have borrowed our domain name and are sending out emails from random fictitious addresses within the domain. We know about it because of the bounce back messages from corporate and ISP email servers. The emails are not being sent via our hardware and software. They are being sent from a large number of IP addresses, most probably falsified. Is there anything we can do to address this problem?
I asked around on John's behalf. What I heard back wasn't overly encouraging. The answers I got ranged from colorful variations on "too bad, welcome to the Internets" (I'd never heard the acronym "BOHICA" before) to "implement complicated technical solutions that kind of help, but not really."
The short answer here is that you don't have a ton of options other than just putting up with it. If the level rises to the point where it'd be appropriate for you to bring lawyers into the fray, I'd recommend finding a savvy internet consultant or anti-spam group to help you track down the offenders. I'm sure the spam is coming from hosts all around the Internet and I doubt that they correctly indicate who the sender is (both are clear violations of the US CAN-SPAM law). Spamhaus, the anti-spam group most well known, is especially adept at this type of thing. I don't know if they consult for folks in your situation, but it's worth investigating. Their website is at www.spamhaus.org.
In the realm of a technical solution, BATV (Bounce Address Tag Validation -- see http://mipassoc.org/batv/) is a process that a mail server can employ to help determine good bounces from bad.
Matt Sergeant of email security and management service provider MessageLabs was kind enough to explain to me how it works. Here's what he had to say:
Instead of sending MAIL FROM: your MTA (mail transfer agent) munges that into MAIL FROM: (the "cookie" part is usually based on the date, but it can get more complex than that). If you get a bounce back (MAIL FROM:<>) your MTA checks the RCPT TO -- If it's not RCPT TO: but instead to plain old then you know it was a forged mail, because all your outbound mail has the cookie attached.
It's very effective, but breaks any remote end system that keys off the MAIL FROM address (and there are lots of such systems, making a roll out on a large and diverse system problematic). Very effective on systems you have lots of control over though.
If that sounds a bit technical, that's because it is. It also doesn't stop the bad guys from doing what they're doing, it just helps you filter out the bounces more easily.
SpamAssassin offers a "Virus Bounce Toolset" which is supposed to help in a similar fashion.
Eventually, email authentication technologies like SPF (Sender Policy Framework) and DK (DomainKeys) could help with stuff like this. If you publish an SPF record, you're telling the world that your mail only comes from a certain set of IP addresses. The spammer's mail would not be coming from those specified IP addresses, and receiving ISPs could filter or reject the mail based on this fact. Look for this in the future, but it's not widely deployed or enforced currently.
I asked around on John's behalf. What I heard back wasn't overly encouraging. The answers I got ranged from colorful variations on "too bad, welcome to the Internets" (I'd never heard the acronym "BOHICA" before) to "implement complicated technical solutions that kind of help, but not really."
The short answer here is that you don't have a ton of options other than just putting up with it. If the level rises to the point where it'd be appropriate for you to bring lawyers into the fray, I'd recommend finding a savvy internet consultant or anti-spam group to help you track down the offenders. I'm sure the spam is coming from hosts all around the Internet and I doubt that they correctly indicate who the sender is (both are clear violations of the US CAN-SPAM law). Spamhaus, the anti-spam group most well known, is especially adept at this type of thing. I don't know if they consult for folks in your situation, but it's worth investigating. Their website is at www.spamhaus.org.
In the realm of a technical solution, BATV (Bounce Address Tag Validation -- see http://mipassoc.org/batv/) is a process that a mail server can employ to help determine good bounces from bad.
Matt Sergeant of email security and management service provider MessageLabs was kind enough to explain to me how it works. Here's what he had to say:
Instead of sending MAIL FROM:
It's very effective, but breaks any remote end system that keys off the MAIL FROM address (and there are lots of such systems, making a roll out on a large and diverse system problematic). Very effective on systems you have lots of control over though.
If that sounds a bit technical, that's because it is. It also doesn't stop the bad guys from doing what they're doing, it just helps you filter out the bounces more easily.
SpamAssassin offers a "Virus Bounce Toolset" which is supposed to help in a similar fashion.
Eventually, email authentication technologies like SPF (Sender Policy Framework) and DK (DomainKeys) could help with stuff like this. If you publish an SPF record, you're telling the world that your mail only comes from a certain set of IP addresses. The spammer's mail would not be coming from those specified IP addresses, and receiving ISPs could filter or reject the mail based on this fact. Look for this in the future, but it's not widely deployed or enforced currently.
Topics:
ask al,
backscatter,
batv,
forgery
Co-Registration Woes
In March 2005, I was helping a top-tier ISP with an issue related to a sender utilizing co-registration. The sender wasn't a client of my (then) employer, but the ISP had asked me to assist them with an issue. When you signed up on this sender's site, if you opted-in, your data was passed to a co-reg vendor for various other purposes. This process was supposed to be all double opt-in. It clearly wasn't. At various stages in testing the processes, I had given them unique addresses, so I could test the system without appearing to be a repeat visitor. I shared info with the ISP (who passed it on to the sender) on what process flaws I found. After some go arounds with everybody involved, address and consent verification was properly enabled. I called it a win and moved on to my next fire of the day.
Moving on to today, October, 2006. I'm looking through one of my big "spam" folders. I note that from August 31 to October 6, I've received 549 email solicitations to one of the addresses that was passed along to the co-reg vendor. That single email address has received 14 advertisements every day, for as far back as I have data handy. It suspect it goes back further, but I don't have any data to determine this.
I'm not looking very deeply at the messages themselves to see if they're CAN-SPAM compliant. They probably are. That's not really the issue. My focus here is more on the volume of messages being received: More than 500 in just about five and a half weeks. That's very excessive.
Think about it. If you're a savvy email marketer, you know about the concept of email frequency. How often you should mail your list. Smart strategists spend a lot of effort testing to determine what mailing frequency will get you the best click through and conversion response rate. But if you buy a co-reg list, you don't know who else is mailing it and how often. You can control your frequency, but you can't control everybody else's frequency. So you have no idea if the list is being burnt out through excessive mailing (as it clearly is in this case), or even if the other senders messages are appropriate and non-objectionable. Your mail becomes just one of the potentially many messages the people on the list are receiving. Are you sure these people are going to respond well? I'm not.
Just another data point on why buying co-reg lists from a list broker isn't that great of a practice.
Moving on to today, October, 2006. I'm looking through one of my big "spam" folders. I note that from August 31 to October 6, I've received 549 email solicitations to one of the addresses that was passed along to the co-reg vendor. That single email address has received 14 advertisements every day, for as far back as I have data handy. It suspect it goes back further, but I don't have any data to determine this.
I'm not looking very deeply at the messages themselves to see if they're CAN-SPAM compliant. They probably are. That's not really the issue. My focus here is more on the volume of messages being received: More than 500 in just about five and a half weeks. That's very excessive.
Think about it. If you're a savvy email marketer, you know about the concept of email frequency. How often you should mail your list. Smart strategists spend a lot of effort testing to determine what mailing frequency will get you the best click through and conversion response rate. But if you buy a co-reg list, you don't know who else is mailing it and how often. You can control your frequency, but you can't control everybody else's frequency. So you have no idea if the list is being burnt out through excessive mailing (as it clearly is in this case), or even if the other senders messages are appropriate and non-objectionable. Your mail becomes just one of the potentially many messages the people on the list are receiving. Are you sure these people are going to respond well? I'm not.
Just another data point on why buying co-reg lists from a list broker isn't that great of a practice.
Topics:
bad ideas,
co-reg,
co-registration
Google Code Search
On Friday, NetworkWorld talked about Google's new "Code Search" tool:
"The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."
The best (or worst) part of this is that Google Code Search can also be used to harvest email addresses.
Uh oh.
"The company's new source-code search engine, unveiled Thursday as a tool to help simplify life for developers, can also be misused to search for software bugs, password information and even proprietary code that shouldn't have been posted to the Internet, security experts said Friday."
The best (or worst) part of this is that Google Code Search can also be used to harvest email addresses.
Uh oh.
Who has your personal information?
Be careful about giving your information out for sweepstakes.
I signed up for some sweepstakes hosted by Peel.com on May 6, 2003. Like I always do, I gave them a tagged (unique) address, so I could tell how my address was used (or misused) later. Flash forward a few years. I've since moved, and am not running my own mail server at the moment. I'm still getting tons of spam every day, and occasionally I want to search through it for various things, so I forward the spam into one of a couple different Gmail accounts. I check them periodically, weed out any non-spam with forwarding rules and so forth, and keep an eye out for anything that looks interesting.
Which brings us back to Peel.com. From September 20th thru October 8th, I've received 22 spams to the address I gave only to Peel.com. Personally identifiable information in the mails reinforces my belief that whoever is sending me this mail has access to all the information I gave out when signing up for this sweepstakes.
The messages do not identify themselves as a commercial advertisement, do not contain the postal address of the sender, and do not include a mechanism to opt-out. These are all clear violations of the US CAN-SPAM law. None of the company or companies behind the mail haven chosen to identify themselves. Each of the 22 messages has a different sender, a name of an individual, which I suspect is false.
Links in the messages seem to drive to various sites hosted on Geocities. I haven't clicked on the links to find the actual destinations.
The subject lines are a combination of the nonsensical and deceptive. Examples: "Bad info on your Experian Credit Score", "Shipment Info", "Superintendent was just suspended from work", "Credit score resolution submitted", et cetera. The source IPs are from the UK, Australia, China, and other places. I assume they're infected computers on broadband connections.
This is a perfect example of how NOT to handle customer or recipient data. I don't know if Peel.com is behind the sending of this mail, or if they are just list brokers that sell the captured data to whoever can afford to pay, or what. If this is a situation where Peel.com is feeding this data to a co-reg list broker, then we've got the perfect example of why you shouldn't ever buy a co-registration list, because the recipients on these lists are already probably receiving deceptive messages, and your messages are not likely to be any more warmly received.
Let's be clear. I don't even know who is sending these messages. All I know from the data I have in my inbox is that I'm getting spams to an address that I gave only to Peel.com, and it contains information that I reasonably believe that I gave only to Peel.com. I have no idea what happened to it from there, but whatever happened, there seems to be a connection between me submitting my personal information to a web form on Peel.com and me now receiving deceptive mail routed through computers overseas.
I signed up for some sweepstakes hosted by Peel.com on May 6, 2003. Like I always do, I gave them a tagged (unique) address, so I could tell how my address was used (or misused) later. Flash forward a few years. I've since moved, and am not running my own mail server at the moment. I'm still getting tons of spam every day, and occasionally I want to search through it for various things, so I forward the spam into one of a couple different Gmail accounts. I check them periodically, weed out any non-spam with forwarding rules and so forth, and keep an eye out for anything that looks interesting.
Which brings us back to Peel.com. From September 20th thru October 8th, I've received 22 spams to the address I gave only to Peel.com. Personally identifiable information in the mails reinforces my belief that whoever is sending me this mail has access to all the information I gave out when signing up for this sweepstakes.
The messages do not identify themselves as a commercial advertisement, do not contain the postal address of the sender, and do not include a mechanism to opt-out. These are all clear violations of the US CAN-SPAM law. None of the company or companies behind the mail haven chosen to identify themselves. Each of the 22 messages has a different sender, a name of an individual, which I suspect is false.
Links in the messages seem to drive to various sites hosted on Geocities. I haven't clicked on the links to find the actual destinations.
The subject lines are a combination of the nonsensical and deceptive. Examples: "Bad info on your Experian Credit Score", "Shipment Info", "Superintendent was just suspended from work", "Credit score resolution submitted", et cetera. The source IPs are from the UK, Australia, China, and other places. I assume they're infected computers on broadband connections.
This is a perfect example of how NOT to handle customer or recipient data. I don't know if Peel.com is behind the sending of this mail, or if they are just list brokers that sell the captured data to whoever can afford to pay, or what. If this is a situation where Peel.com is feeding this data to a co-reg list broker, then we've got the perfect example of why you shouldn't ever buy a co-registration list, because the recipients on these lists are already probably receiving deceptive messages, and your messages are not likely to be any more warmly received.
Let's be clear. I don't even know who is sending these messages. All I know from the data I have in my inbox is that I'm getting spams to an address that I gave only to Peel.com, and it contains information that I reasonably believe that I gave only to Peel.com. I have no idea what happened to it from there, but whatever happened, there seems to be a connection between me submitting my personal information to a web form on Peel.com and me now receiving deceptive mail routed through computers overseas.
Topics:
can-spam,
peel.com,
personal information,
pii,
sweepstakes
Spamhaus in the News
Here's a lawyer's take on the $11.7 million lawsuit and summary judgement against the UK anti-spam group Spamhaus.
If it's good enough for the cops...?
I was pleased to discover today that even the Chicago Police Department utilizes double opt-in for their newsletters signup. I wonder what led them to implement their signup form in this fashion? I've dropped them a line asking for more info, we'll see if they respond. If they do, I'll mention it here.
Sending an attachment with your email campaign?
It seems pretty basic, but I often get asked how to attach a file to an email campaign. Maybe it's just going to a handful of folks, but you don't always want the hassle of sending it to each person individually from Outlook. The problem is, you'll find that most email service providers decline to provide functionality that would allow you to embed or attach a file to your email message.
Security is the primary reason why. Thank the creators of viruses for screwing everything up for the rest of us. If you sent out any sort of big email attachment, nearly any corporate anti-virus/anti-spam filter is going to reject it, or remove the attachment. That's because there are so many different kinds of viruses and worms out there that try to propagate themselves via email. Those emails started out with simple attachments, trying to entice the gullible to click-to-open an attached application. As filtering evolved and that became harder, they eventually evolved to locking the virus payload up in a password-protected ZIP file, with instructions and password email written out in the body of the email message. You might think that people wouldn't be dumb enough to open something like that, but you'd be wrong. Actually, some of the deceptions are quite complicated. They look like emails from somebody you know, and you might even think that your friend is sending you something you want.
Even if the attachment doesn't get blocked, smarter recipients are wary of big attachments. Some will suspect the email is a virus delivery attempt. They'll question the email, ignore it, or report it as spam.
Also, email size is a concern. Big email messages can choke the recipient. That big attachment would take up a lot more space on the email servers between the sender and recipient. If the recipient was on a slow connection, it will take a lot longer for them to download the email message. They could be stuck downloading the attachment, even if they didn't want to. Not everybody has broadband yet, so you would not assume that your recipients can handle a giant-sized email.
Think of how HTML email messages work: When a legitimate email service provider serves a rich graphical email with HTML and images, they're not really sending all those images directly inside of the email. None of the images are actually embedded in the email. The HTML source code just links to them, usually back to the email service provider's website. If all the images were embedded, the email would be pretty large - but this way, the email itself is only a few kilobytes in size.
Do the same thing when you need to share a file with recipients on your list. Instead of attaching the file, link to it in your email. You do that by hosting it on a website, then pasting the link into your email message.
Don't have a website to host it on? Try Google Pages. This probably isn't the best way to share a file with hundreds of recipients, but if you're sharing it with just a few folks, it's very easy to set up. Creating a Google Pages account gives you a website at (your handle).googlepages.com, and you can upload and host files, and create webpages, up to a hundred megabytes worth. After you create a Google Pages account, just click on the "browse" button on the right hand side of the Google Pages screen. Locate your file and hit the "OK" button. It'll upload, and show up in your list of files along the right edge of the screen. You can copy and paste the shortcut to the link from that list, and drop it into your email message. Include that shortcut link in your email message, and recipients will be able to click on, or cut-and-paste, the URL, and they'll be able to download your file. It's pretty easy to do, and it works with just about any kind of file.
Security is the primary reason why. Thank the creators of viruses for screwing everything up for the rest of us. If you sent out any sort of big email attachment, nearly any corporate anti-virus/anti-spam filter is going to reject it, or remove the attachment. That's because there are so many different kinds of viruses and worms out there that try to propagate themselves via email. Those emails started out with simple attachments, trying to entice the gullible to click-to-open an attached application. As filtering evolved and that became harder, they eventually evolved to locking the virus payload up in a password-protected ZIP file, with instructions and password email written out in the body of the email message. You might think that people wouldn't be dumb enough to open something like that, but you'd be wrong. Actually, some of the deceptions are quite complicated. They look like emails from somebody you know, and you might even think that your friend is sending you something you want.
Even if the attachment doesn't get blocked, smarter recipients are wary of big attachments. Some will suspect the email is a virus delivery attempt. They'll question the email, ignore it, or report it as spam.
Also, email size is a concern. Big email messages can choke the recipient. That big attachment would take up a lot more space on the email servers between the sender and recipient. If the recipient was on a slow connection, it will take a lot longer for them to download the email message. They could be stuck downloading the attachment, even if they didn't want to. Not everybody has broadband yet, so you would not assume that your recipients can handle a giant-sized email.
Think of how HTML email messages work: When a legitimate email service provider serves a rich graphical email with HTML and images, they're not really sending all those images directly inside of the email. None of the images are actually embedded in the email. The HTML source code just links to them, usually back to the email service provider's website. If all the images were embedded, the email would be pretty large - but this way, the email itself is only a few kilobytes in size.
Do the same thing when you need to share a file with recipients on your list. Instead of attaching the file, link to it in your email. You do that by hosting it on a website, then pasting the link into your email message.
Don't have a website to host it on? Try Google Pages. This probably isn't the best way to share a file with hundreds of recipients, but if you're sharing it with just a few folks, it's very easy to set up. Creating a Google Pages account gives you a website at (your handle)
A question about your practices.
Today I got mail from "Angela Brobst," with a subject line of "question about your site." She apparently works for "The Search Doctors," located in Aliso Viejo, CA.
"I can put your site at the top of a search engines listing. This is no joke and I can show proven results from all our past clients. If this is something you might be interested in, send me a reply with the web addresses you want to promote and the best way to contact you with some options."
Well, she's right. This truly is no joke, and I'm definitely not laughing. Why not? Because the mail is spam, and here's why. It was sent to a role account that has never signed up for anything. The website URL linked to has a different domain (seo-placement-services.com) than the from address domain (thesearchdoctors.com) in the mail. The mail came from a RoadRunner cable modem, and it has fake additional headers added in to try to fool spam tracking applications. (It claims the mail came from glenayre.com; it did not.)
I've done a lot of work in paid and organic search over the years. Search is important. You need to utilize it if you have a website and a business. It brings traffic. It brings leads. No question. It's just as important not to do it wrong. If you do things like set up link farms, add questionable tags, or hide behind rotating domains, eventually Google figures it out and blocks your site from showing up in their index. I've seen it happens to clients who tried to do it on their own. Watch your organic traffic dwindle down to nothing overnight! No joke!
Because it's so important to do correctly, would you really trust search to somebody who already obviously doesn't comply with email best practices? I wouldn't.
"I can put your site at the top of a search engines listing. This is no joke and I can show proven results from all our past clients. If this is something you might be interested in, send me a reply with the web addresses you want to promote and the best way to contact you with some options."
Well, she's right. This truly is no joke, and I'm definitely not laughing. Why not? Because the mail is spam, and here's why. It was sent to a role account that has never signed up for anything. The website URL linked to has a different domain (seo-placement-services.com) than the from address domain (thesearchdoctors.com) in the mail. The mail came from a RoadRunner cable modem, and it has fake additional headers added in to try to fool spam tracking applications. (It claims the mail came from glenayre.com; it did not.)
I've done a lot of work in paid and organic search over the years. Search is important. You need to utilize it if you have a website and a business. It brings traffic. It brings leads. No question. It's just as important not to do it wrong. If you do things like set up link farms, add questionable tags, or hide behind rotating domains, eventually Google figures it out and blocks your site from showing up in their index. I've seen it happens to clients who tried to do it on their own. Watch your organic traffic dwindle down to nothing overnight! No joke!
Because it's so important to do correctly, would you really trust search to somebody who already obviously doesn't comply with email best practices? I wouldn't.
Europe hasn't caught up yet
Over on MediaPost's EmailInsider, Paul Beck talks about his experiences at an email marketing conference in Holland.
One thing that hit home for me was Paul's comment that lots of e-mail related issues are new to the Dutch. My experience isn't with Holland, but it does seem to me that Europe isn't yet to the same level as the US when it comes to spam/list management/deliverability issues. I'm not seeing a lot of process and policy in place on the ISP front with regard to blocking issues. In the US, the top ten ISPs pretty much govern your email practices. In the EU, policy is set (at a very general level) by privacy directives, and the laws they instruct member states to create. But there's quite a big gap when it comes to ISPs enforcing best practices, working with senders to reward the good ones and incent the bad ones to reform.
It's a model that I think is successful in the US. My gut instinct is that the EU will get there, but I wonder how long it will take.
One thing that hit home for me was Paul's comment that lots of e-mail related issues are new to the Dutch. My experience isn't with Holland, but it does seem to me that Europe isn't yet to the same level as the US when it comes to spam/list management/deliverability issues. I'm not seeing a lot of process and policy in place on the ISP front with regard to blocking issues. In the US, the top ten ISPs pretty much govern your email practices. In the EU, policy is set (at a very general level) by privacy directives, and the laws they instruct member states to create. But there's quite a big gap when it comes to ISPs enforcing best practices, working with senders to reward the good ones and incent the bad ones to reform.
It's a model that I think is successful in the US. My gut instinct is that the EU will get there, but I wonder how long it will take.
Topics:
europe,
international,
isps,
news
Double Opt-in How To
Here's a link to a document I wrote back in February, 2006. It gives an overview of how to implement double opt-in. How does it work? What do you need to be careful about? How do you track opt-ins? How do you handle replies? Etc.
Multiple anti-spam groups and ISPs have contacted me over the years, asking for this type of overview. If you find it useful, please let me know!
My eventual goal is to build a free software library of double opt-in libraries and scripts, that would allow an individual or small company quickly and easily set up their own double opt-in name capture process.
Anybody want to write some perl code for me?
Multiple anti-spam groups and ISPs have contacted me over the years, asking for this type of overview. If you find it useful, please let me know!
My eventual goal is to build a free software library of double opt-in libraries and scripts, that would allow an individual or small company quickly and easily set up their own double opt-in name capture process.
Anybody want to write some perl code for me?
Topics:
best practices,
coi,
doi,
double opt-in,
howto
Sender Policy Framework (SPF) trick of the day
Since SPF records are DNS TXT records, they can only contain up to 255 characters of information. In some situations, you might not be able to fit all your sending networks in a small, 255-character text string.
So, what do you do?
Easy! Just use SPF's "include" functionality to link multiple SPF records together. Click on the string below to see the dnsstuff.com SPF lookup for a example domain:
Processing SPF string: v=spf1 include:spf-dc1.digitalriver.com include:spf-dc2.digitalriver.com include:spf-dc3.digitalriver.com include:spf-dc7.digitalriver.com include:spf-dc5.digitalriver.com include:spf-dc6.digitalriver.com ~all.
Notice where it says "include:xxxx1.domain.com"? That's instructing the SPF resolver to also look up the SPF record for xxxx1.domain.com and include it as part of the results for domain.com.
Not only does this help you when your networks won't fit, but it can help you make changes and updates easier.
So, what do you do?
Easy! Just use SPF's "include" functionality to link multiple SPF records together. Click on the string below to see the dnsstuff.com SPF lookup for a example domain:
Processing SPF string: v=spf1 include:spf-dc1.digitalriver.com include:spf-dc2.digitalriver.com include:spf-dc3.digitalriver.com include:spf-dc7.digitalriver.com include:spf-dc5.digitalriver.com include:spf-dc6.digitalriver.com ~all.
Notice where it says "include:xxxx1.domain.com"? That's instructing the SPF resolver to also look up the SPF record for xxxx1.domain.com and include it as part of the results for domain.com.
Not only does this help you when your networks won't fit, but it can help you make changes and updates easier.
- Adding a second domain? The second domain's record would only have to contain an "include" statement that references your primary domain. When the primary domain's SPF record is updated, the one for the new domain is also updated, automatically.
- Have multiple facilities on different networks? Utilize the "include" functionality to link to additional facility-specific SPF entries. Then when a single facility's network changes, you only have that one SPF record to update.
Topics:
authentication,
howto,
sender id,
spf
I'm back!
I've finally transitioned spamresource.com from its old home on my DSL connection in Minneapolis. It's now hosted on Blogger, which seems like a quick and easy platform for me to post various articles and links as I run across them.
For most of the time during the long gap between articles, spamresource was an online software store. That was fun, but I now feel that it was more important to focus the site on it's original purpose, which is to share information and news on spam-related topics.
It's easy to add this site's content to your RSS reader. Just copy the XML/RSS link from the navigation links on the right, and paste it into your RSS reader wherever you add the XML link for a new feed.
Any questions or feedback? Please contact me using the link on the right.
For most of the time during the long gap between articles, spamresource was an online software store. That was fun, but I now feel that it was more important to focus the site on it's original purpose, which is to share information and news on spam-related topics.
It's easy to add this site's content to your RSS reader. Just copy the XML/RSS link from the navigation links on the right, and paste it into your RSS reader wherever you add the XML link for a new feed.
Any questions or feedback? Please contact me using the link on the right.
Subscribe to:
Posts (Atom)