Yahoo using Spamhaus lists

In case you needed more fuel for the fire regarding why staying off of Spamhaus's blacklist matters, check this out: Yahoo is now indicating that they will refuse email messages from IP addresses on the Spamhaus SBL, XBL, or PBL blacklists.

This is just another in a long line of ISPs using the Spamhaus lists. The difference here is that Yahoo is A. very large, and B. very open about it.

I've heard of entities listed on ROKSO or the SBL threaten to sue ISPs for using the Spamhaus lists; I'd love to see somebody try to sue Yahoo over this. My prediction there is that Yahoo will gleefully allow the listed entity waste as much lawyer money as possible before failing. Tangling with a top tier ISP's legal department is NOT something anybody smart would ever want to do.

01/05/08 update: Here is Yahoo's official notice of their new spam blocking moves, utilizing the Spamhaus lists.

Best Practices & ISP Rules

Over on Email Insider, Loren McDonald talks about the convergence of best practice recommendations and ISP guidelines for senders.

Loren correctly highlights that CAN-SPAM isn't enough. You need real permission and real adherence to best practices. A must read!

Here is why people get blocked

Today I got spam from something called "Bloglines" from IP address

Purchased Lists Are Still Lame

Check out this blog post from Wired editor Chris Anderson. Chris talks about lazy PR flacks sending him misdirected and unwanted press releases and other junk. He names names, too, posting a long list of folks he's never going to accept mail from ever again.

One of those on the list, a guy named Dan Bannister, responded in comments:

I spent $10,000 this year on lists, email software, promotional cards etc. to promote my business and my work. You're on a list of people who buy creative work that is sold to photographers every day. If you don't really buy photography, why not just hit the unsubscribe button? Why give out your email?

Congratulations, Dan, for standing up and telling the whole world that you're a spammer.

Dan clearly doesn't get it, but let's answer his question anyway: Why doesn't Chris just unsubscribe?

Because Chris gets 300 emails like this a day, that's why. What's he supposed to do, spend all day hitting delete or clicking unsubscribe? That'll become a full time job.

But enough about Chris; let's talk about Dan. He spends $10k/year on lists. Lists that apparently many other people buy, because Chris gets enough of this email to suggest that the list(s) he's on have been distributed far and wide. Was that a good list purchase for Dan? To set himself apart, as one of the 300 jerks who sends Chris spam every day?

Sadly, this is typical with purchased lists. It'll contain a bunch of spamtrap addresses, or it contains an admin address for somebody who runs a blacklist, or it contains addresses of people who are fed up with spam and are going to report your mail as spam and embarrass you publicly.

Dan, this list is apparently not quite the gateway to an exclusive club like you might have thought it would be. You might want to ask for your money back, because your list purchasing strategy just backfired. Oops.

David Ritz lawsuit

It'd take too long to get into the whole story, so here's the short version: Anti-spam activist David Ritz is being sued by a guy named Jerry Reynolds, apparently for, uh, performing DNS and WHOIS lookups. You know, asking public servers for public information that they publish, necessary to keep the internet running? If that seems crazy to you, maybe you could spare a few bucks to donate to David's legal defense fund. Of course, don't just take my word for it. Read around on your own, maybe starting here.

Definitely form your own opinion. In the mean time, here's mine:

Tools like WHOIS and DNS lookups are things that I use every day, in both my day job, and hobby projects. Vetting a potential client, looking up to see the business name of a domain owner, tracing who owns an IP address, these are all public tools, standard tools, that anybody tracking spam, investigating email, or even looking up who owns a business, would use and does use.

Ever been sued for paging through the phone book? Yikes.

Address portability? Already got it!

I'm not even sure why this is garnering press coverage. But, that's not going to stop me from jumping on the bandwagon.

The short version is: Gail Mortenson, a freelance writer from Washington DC, lost her AOL account, which she had been using for business. So, her response is to complain to the FCC that the rules need to be changed. As Declan McCullagh says, Mortenson's proposal is silly.
  • First, this highlights that it's not wise to use somebody else's domain for your important email. If you're a business person, or if you're a business, why don't you have your own domain? At their most expensive, back in the day, they were $70/year. Domain registration was cheap then, and it's even cheaper now -- it currently costs on average $8-$15/year to own a domain name.
  • Second, email address “portability,” which would essentially be free email forwarding for life, blows up spam filtering. Most spam filtering is based on the reputation of the sending IP address. Email forwarding makes email appear as though it comes from the first ISP's mail server, instead of the actual source of the message. Yeah, you can build complex technical things to try to work around this, but it's a huge hurdle and there is no easy solution. It's not like porting a phone number, folks.
  • Third, email address portability already exists! I've been doing it for years, and it only costs me $12/year. Here's how I do it. I register my domains (example: with domain registrar That costs me $12/year. They provide me with a control panel (at no extra charge) where you can set up email addresses and set the destination for those addresses. That means that today, mail sent to my address can automatically land in my Hotmail account. Tomorrow, I could change it so mail lands in my Gmail or Yahoo account. If I want to get more fancy, I can have Google Apps host the domain more directly, with excellent spam filtering and a branded webmail interface that's easy to use. Still for free. (This is in fact what I do with currently.)
So, hopefully the FCC won't mandate changes to fix a problem that doesn't exist. I assume the top tier ISPs are busy drafting memos to various government types telling them exactly why this is a bad idea. Do you think the FCC will listen?

McAfee vs Barracuda

I ran across this interesting press release the other day. It's from McAfee, talking about how their Secure Internet Gateway appliance compares to a similarly-positioned device from Barracuda.

When comparing the two devices for spam filtering over a two week period, the Barracuda Spam Firewall failed to correctly tag six times as many spam messages as the McAfee device did.

Find the full report from McAfee here.

(One interesting thing it doesn't touch on is backscatter. See, Barracuda devices send backscatter by default, due to their "accept all mail, then process it" methodology. The big ISPs have been working for years to move away from this methodology. It's not a best practice and hasn't been, for quite a while.)

DNSBL Resource Updates

Last week, at the MAAWG (Messaging Anti-Abuse Working Group) 11th General Meeting held in Arlington, VA, I presented my updated Blacklist Statistics Center. I also gave everyone within earshot a lot of data and a healthy dose of opinion regarding various blacklists, and shared my take on what senders and receivers should consider when measuring the value and reputation of a blacklist.

And, I'm finally fleshing out the blacklist review section of the site. To that end, I've just published reviews of PSBL, FIVETEN, and Spamhaus ZEN. This is to add to the list of ones I've already written (APEWS, SORBS, Spamcop, CBL, Korea and UBL).

I also invented a new blacklist. LUCKYSEVEN isn't suitable for spam filtering, but it helped to put a graphical face on arbitrary spam blocking methodology. Did you know that if you block mail from any IP address containing a 7, you'll block about 50% of spam? Of course, you'll block about 43% of non-spam at the same time, making it just about completely useless. But....still! 50%? Isn't there some value to that? No, not really, but it makes for a neat graph.

Psst...wanna buy a list?

Back in March, Mark Brownlow posted some good info on his Email Marketing Reports site about list rentals, list purchasing, and co-registration.

Is list purchasing a good idea? "With very, very few exceptions, purchasing a bulk list like this is a shortcut to email marketing hell." "No self-respecting list owner is ever going to sell copies of their address list. Not if they want to preserve its value."

Great advice! Click here to read the entire article.

Update: I had missed this new bit of commentary from Mark Brownlow on the same topic, posted just the other day: "
Any list building method not based on gaining an explicit opt-in strikes me as like eating fugu, the Japanese pufferfish dish. It's expensive, not a particularly rewarding experience, and runs the risk of killing you."

Spot on!

Tracking Blacklists

With the latest batch of additions today, I'm now tracking over 50 different blacklist zones for the newly revamped DNSBL Resource Blacklist Statistics Center. Thinking back to when I created the RRSS blacklist (the Radparker Relay Spam Stopper) in 1999, I am not sure there were even fifty anti-spam blacklist filters across the entire globe. Mine was definitely not the first, but I suspect that RRSS was probably one of the first ten.

Right now, I've got 13-week charts showing the effectiveness of 21 different blacklist zones. Look for public stats on additional lists soon, as I slowly compile effectiveness data on the lists I've just added. (And I've got even more tricks up my sleeve, so stay tuned!)

Opt-in Censorship?

As I said to Ken Magill for his recent article regarding Truthout: From what I know of how spam blocking works, and how ISPs make the determination regarding what mail to block, I don't think Truthout's issues (being blocked at Hotmail and AOL) relate to their politics. I think they relate to their opt-in procedures, bounce handling, feedback loops, and whitelisting. The issues are technical, not political.

Getting it Half Right

I'm now utilizing “second stage” filtering, using the primary Spamhaus blacklist, the SBL. For me, it's an experiment. I just wanted to see how well it works and what kind of mail it catches. I know that a large number of email addresses are now behind this kind of filtering – at least one domain registrar (who hosts mail for a zillion different domains) has been using this type of filtering for at least the past few months. So I wanted to see what kind of senders are getting tripped up in this kind of filtering, and how well it works as a spam-blocking methodology.


MailChimp is looking for a few good....monkeys. Ha.

Oh, please.

Another political group is complaining about the big meanies at AOL and Hotmail not accepting their mail.

This is nothing new, but I'll mention yet again what I mentioned then: Delivering mail to Hotmail and AOL is hard only when you don't know what you're doing. When you're driving spam complaints and garnering a poor sending reputation, then yeah, you get blocked. Politics have nothing to do with it.

Carl Hutzler agrees. In case you don't know who Carl is, he is the guy who used to be in charge of all that spam filtering stuff at AOL.

Sad to see Truthout wasting their time playing the blame game, instead of fixing their practices.

More on this topic from Mark Brownlow.

Spam, the Documentary

You can catch anti-spam professional (and Internet for Dummies author) John Levine on TV tomorrow. He writes:

Last year I helped some Canadian film makers do a TV show called "Spam, the Documentary". Now US viewers can see it on Court TV tomorrow Sept 18th at 11pm EDT or the 19th at 3am EDT. (Well, at least the insomniacs or the ones with TiVo can see it.)

It came out quite well; they start by interviewing Terry Jones about the original Monty Python spam skit, then you can see Dave buy a genuine fake Rolex, try a weight reduction wrap, and discuss the likely effects of enlargement products with an actual doctor (ewww). You also see quite a lot of me doing narration from a cybercafe in Toronto.

The CBC's web page at has more info and a promo clip.

I got to see this when it first came out last year. Good stuff!

The Real Spam Has Stood Up

In "Will the Real Spam Please Stand Up?," Kevin Stirtz disagrees with the statement, "until a user has opted-in to your email list, you are sending spam."

All fine and good. Nothing wrong with a bit of disagreement. I'll prove it: I disagree!

Do any of the following apply to what you're doing?
  • You add people to an email list and start mailing them without their prior knowledge.
  • Recipients on your list aren't expecting your mail.
  • You bought an email list.
  • You found one or more email addresses on the web and added them to your list.
If any of those apply to what you're doing: You're a spammer, dummy.

Forget about Web Marketing 101, let's talk about Email Marketing 101, and how to get your email delivered.

Target it all you want, avoid including a sales pitch, whatever. But if you build a list of people who didn't ask to hear from you, and are not expecting to hear from you, you're not going to have the ability to successfully deliver to that list. It's that simple.

Forget what Kevin thinks. Forget what I think. What do ISPs think? Let me clue you in: ISPs hate spam, because their users hate spam. When you send unwanted and unexpected email, recipients report it as spam in overwhelming numbers. Those spam reports significantly damage your sending reputation. Hotmail, Yahoo, and AOL will filter or reject your mail as a result. You're likely to get blacklisted by Barracuda, Spamcop, Brightmail, and Spamhaus, as a result.

In spite of a cheekily-written blog post containing a clever redefinition of what constitutes spam, permission remains key to getting your email delivered. Sure, you can get away with bypassing permission -- for a little while. Until your sending reputation catches up to you. Just because it hasn't caught up with Kevin (yet), doesn't mean it makes for a sustainable marketing model or best practice.

It seems that I'm not the only one with this viewpoint, either.

Zombie Pfizer Computers Spew Viagra Spam

Look, it happens to everyone. Run a large network some time. Put a Windows box, or two, or a thousand, on it. Eventually somebody will find a way to bypass the Anti-Virus, and there'll be an infection.

I've had to call a big company here or there, having traced a spam source back to an infected desktop on their network. Usually their response is, "Ugh, we know! Thanks for the report, you're one of thousands who let us know. We're in the midst of a security audit to clean it all up."

Unless you're Pfizer. Then what do you do? If this article is to be believed, you stick your head in the sand and hope it all goes away. Hopefully this wake up call from Support Intelligence can get them to clean up their network.

How much of your spam came from an IP address on Pfizer's network? I smell a project for the weekend.

More on the Spamhaus Ruling

From noted anti-spam professional and "Internet for Dummies" author John Levine:

By my reading this is as close to a complete victory as Spamhaus could have hoped for. There was no chance the appeals court would throw out the default, since that would have been an invitation to every losing defendant in the midwest to tell their lawyers to withdraw so they could start the case over again. Beyond that, E360 now has no damages and no injunction, and a steep hill to climb to get either of them back.

As I read the decision, the only injunction that E360 is entitled to at this point is one forbidding Spamhaus from saying that E360 was spamming in September 2006. (Well, OK.) If they have been spamming since then, which I happen to know they have since they've sent quite a lot of it to users on my network, Spamhaus is free to re-list them, and any plausible injunction forbidding that would fail as prior restraint. (emphasis added)

Read John's full commentary here.

7th Circuit Court Opinion on e360 v Spamhaus

Hot off the press, courtesy of the excellent legal document site Mickey Chandler breaks it down:
  • The default judgment stays (e360: 1, Spamhaus 0)
  • The money judgment is overturned (e360: 1, Spamhaus: 11,715,000)
  • The injunction is overturned (e360: 1, Spamhaus: 11,715,001)

Important bits:
Page 12: "We perceive no error in the district court’s conclusion that Spamhaus intentionally elected to abandon its available defenses when it withdrew those defenses from consideration by the court and indicated that it was prepared to accept a default. Spamhaus’ then-counsel confirmed that it wished to “participate in the defense no further” and “do absolutely nothing.” See R.56-1 at 3, 5. It was not erroneous to treat this kind of voluntary abandonment of defenses, raised but not pursued, as a waiver."

Pgs 18-19: "Mr. Linhardt’s affidavit is a conclusory statement of the lost value of his business, based largely on his calculations of lost future profits. It provides a list of businesses involved in “actual and pending contracts” and a total calculation of his calculation of loss, but says nothing about the status of his relationship with those businesses before e360 was listed on the ROKSO. That is, the affidavit claims profit loss in absolute numbers, but provides no information whatsoever to support a finding that such future profits were certain prior to Spamhaus’ act. Particularly given the difficulties that Illinois courts have acknowledged in proving non-speculative amounts of lost future profits, [citations omitted], this affidavit alone cannot provide the requisite “reasonable certainty” for a damages award without the necessity of a hearing. We therefore vacate the damages award and remand to the district court for a more extensive inquiry into the damages to which e360 is entitled."

Pg. 24: "According to the complaint, however, Spamhaus lists entities on the ROKSO for violating ISP terms of use, not “United States law.” The complaint does not allege that Spamhaus defamed e360 by claiming that e360 operated in violation of law. The facts supporting the default judgment, therefore, show only that e360 improperly was listed as a “spammer” by Spamhaus, applying Spamhaus’ own criteria. There is no basis in the judgment for an injunction that modifies Spamhaus’ generally applicable criteria for determining what entities qualify as spammers."

Now things will go back to the district court for redetermination of damages to be paid under the default.

Click on through to the page on this topic for more info and excellent analysis from Mr. Chandler.

SPEWS Memorial Day?

I see a very strange thing today (August 30th). APEWS, an "anonymous" anti-spam blacklist (whose listing policies are very broad and of questionable accuracy) has taken down their home page. When you go to, what you find today is a memorial message.

The message pays tribute to the administrator supposedly behind the previous SPEWS blacklist. It's true that SPEWS website and blacklist data stopped being updated approximately a year ago. However, here's no indication beyond this message that somebody actually passed away, or that a single person that somebody knew was actually previously maintaining the SPEWS data.

Here's a copy of the message found on the APEWS website, in case it's changed back by the time you look for yourself:

Today our website and our mailservers are not available, because it is 30. August - SPEWS MEMORY DAY

Our beloved SPEWS operator got hit by a truck and died 30. August 2006. One of his dreams was to make the world a spam free place. As long as spam exists we therefore recommend all of you to shutdown all mailservers at every 30. August for 24 hours.

Be creative to make today a black day for all spammers and spam supporters and a day without mail and spam.

It is just one day in the year so it will not hurt you nor your company, but it will set a wideley visible sign if enough people do so.

Our blacklists are online, but we will not display reasons for listings nor do any removals by today. We will be back by tomorrow. APEWS - Anonymous Postmasters Early Warning System.

An open letter to DNSStuff

Over on, you'll find my open letter to DNSStuff, where I take them to task for providing incorrect and out-of-date information in their blacklist lookup tool results, even after being warned (and not just by me). Click here to read more.

An open letter to DNSStuff

Dear DNSStuff,

You call your site “the center of the DNS universe” and position yourselves as experts on DNS, but it's time for me to question the DNSBL data and advice you hand out.

On multiple occasions, you've portrayed blacklisting issues as significant by returning blacklist results for certain DNSBLs, even though those lists don't drive any significant blocking issues (or don't block any spam) because they're dead or severely broken.

I've been around the block long enough to know that not every blacklist hit means there's an issue you need to worry about. Some lists have been dead for many months, and others list half the earth. In both of those instances, they're not really blacklists any more as much as historical artifacts waiting to be shut down and carted away.

If DNSStuff is going to continue to provide a widely used blacklist lookup tool, it's time to refine that tool so that it's actively maintained, and change the process so that DNSBL experts are actually involved in its upkeep. I'm not angling for a job here; I've already got one. But clearly, this section of your website needs more direct and active oversight, including involvement from people with significant DNSBL expertise.

Why? Well, let's start with a recap of how that whole APEWS restriction/ transition was handled by DNSStuff.

I contacted Kristina O'Connell, DNSStuff's VP of Marketing, on August 18, 2007. In that email I explained to her how because DNSStuff is incorrectly telling the whole entire world that it is listed on APEWS. UCEProtect had revoked its hosting of the APEWS zones five days previous and subsequently decided to replace the zone with a wildcard entry, to nudge sites to stop using the zone. As this is how DNSStuff was checking APEWS, it was returning data that was scaring email administrators unnecessarily.

She forwarded that email to Kevin Hutchins from DNSStuff support, who responded to me two days later, on August 20, 2007. Kevin explained that DNSStuff is already aware of the issue, and that they had to ask UCEProtect to put in a special text entry to “buy [DNSStuff] some time” to update their DNSBL tool and that they hoped to fix the problem sometime that week. He also went on at length about their responsibility to not judge a list and how they should continue to show all public DNSBLs, to provide a full picture of the space.

All fine and good – except that's not only what they're doing. They're also showing broken lists (APEWS) and dead lists (SPEWS). Leaving them in place produces a myriad of false positives, especially in the case of the UCEProtect APEWS zone.

Kevin also indicated that I was definitely not the only person to raise this issue to them recently.

This has been resolved – finally. I don't know exactly when, but they do seem to be querying APEWS directly now. It was only broken for days.

But wait – maybe it's not all fine and good. APEWS has blacklisted the IP address of DNSStuff's web server. Why? Does DNSStuff send spam? Or is APEWS an overly aggressive, broken list that shouldn't be relied upon?

And then there is SPEWS. Just the other day, I ran across this thread on the DNSStuff Discussion Boards, a paying DNSStuff user points out how the SPEWS blacklist has been dead for more than a year. He's right: It's dead and gone. The website still sits there, and who knows, maybe it could come back someday. But for now, it's frozen and not usable. The SPEWS data files are empty.

Kevin's answer in this thread is that they'll consider adding another asterisk of “not to be used.” As opposed to “doesn't exist,” or removing it because it no longer exists. In my opinion, that's not good enough. It doesn't stop the poor souls, who are not DNS experts, from thinking they have an issue, from running around asking for help, trying to solve an issue that doesn't actually exist.

As a long-time participant in various usenet newsgroups relating to spam fighting, I'm one of a multitude of first hand observers who've watched as system administrators come to these newsgroups begging for assistance. Why? Not because they saw a piece of mail being blocked; not because they've got a reject message in hand linking them to a specific DNSBL, but because they put their IP address into a webform on and were informed that they were blacklisted, because DNSStuff told them that they were.

For DNSStuff to continue to show SPEWS in lookup results is laughable. It's the exact opposite of expertise. Please, fix it. Please, bring actual DNSBL experts in to help you build a better tool.

I know you read my site – as you've reached out to me, looking for my help in the past. So I know you'll see this letter. I hope you'll heed this wakeup call.

Al Iverson and

Blowback sucks

I hate blowback. Or call it backscatter, or outscatter, if you prefer. Either way, it's no fun.

If your mail server sends it, you're contributing to a growing problem.

I don't know what's worse:
  1. All the blocked messages from the poorly designed Barracuda anti-spam filtering devices out there in the wild. (Accept-then-reject spam filtering is so 1998.)

  2. All the random "Confirm your YahooGroups signup request" emails. (Allowing email signup requests to be originated via email is so 1998.)

  3. All the rest of it I get (bounces from spams forging my domains, etc.).
Actually, I do know which is worse. Consider that list ranked in order of my personal annoyance.

MAPS Blacklisted? It's True!

If this isn't proof that it can happen to anyone, I don't know what is: Apparently MAPS has a compromised computer, found to be sending spam, and that IP address is now blacklisted.

A recent post to the SPAM-L discussion list tipped me off. Someone there noted hits in their maillog from August 15th, suggesting that connected to their mail server, forged an unrelated domain in the envelope sender, and tried to send a message with a subject of “Movie-quality e-card.” Reliable sources suggest that this is an indication of a “Storm” infected desktop.

Secure Computing's TrustedSource Research Portal indicates that traffic from this IP address was first seen back in March. According to that site, the current reputation of this IP address is “Malicious.”

The EmailStuff DNSBL lookup indicates that this IP address is listed on the following blacklists as of August 19th, 2007: CBL, Spamhaus XBL, and SORBS web.

The IP address maps to the FQDN (fully qualified domain name) SJC-Office-DHCP-155.Mail-Abuse.ORG, suggesting that this is a DHCP-assigned IP address in a San Jose office of MAPS (the Mail Abuse Protection System).

Way back about a hundred years ago (okay, about seven years ago), I worked for MAPS. Back then, they were the most feared anti-spam blacklist around. Find yourself on the wrong end of the listing, and 40% of your mail would likely be rejected, because so many internet mail servers around the world utilized the MAPS blacklists.

Since then, many things have changed. The MAPS lists went from free to for-pay usage. MAPS itself went through layoffs and multiple asset transfers. Nowadays, the MAPS data seems to be components of commercial products available from Trend Micro.

Division of Permission

Chad White breaks it down for Email Insider.

Question: When is it okay to start emailing people info about company Y, after they signed up for emails from company X?
Answer: It's not.

It doesn't matter that they both have the same parent company, or that it's perfectly legal. It dilutes your list. You lose relevancy and focus. And you create deliverability issues.

Chad highlights good and bad practices -- how to do it properly, and examples of companies you may not want to emulate if you're looking for email success.

On the APEWS Blacklist

Lots of talk about the "anonymous" APEWS blacklist lately. Over on DNSBL Resource, I summarize everything I've seen on the topic, and include some info regarding its effectiveness as an anti-spam filter against my own spamtrap and hamtrap.

Additionally, I've added a page with tips on what to do if you find yourself blacklisted by APEWS.

The Virtumundo/Jim Gordon Affair

Internet email and security guru John Levine sums it up a lot better than I ever could, so I'll simply point you in his general direction.

Update: John Levine pulled his post down, replacing it with this text: "This post has been withdrawn due to objections from Virtumundo's lawyers."

He links to a copy of the judge's order, which can be found here.

Also, has more information on the topic, which can be found here. In addition to commentary, SpamSuite highlights the following excerpts from the order:
"the Court begins by expressing serious doubts about the accuracy with which Defendants’ attorneys recorded and billed both costs and fees in this litigation."
"Furthermore, the prospect that ... well over 1,000 hours—was spent on the Linke Log is absurd."
"Having seen the results of this project, the Court finds that spending the equivalent of over thirteen 40-hour weeks on this process is far more than was reasonable."
"Moreover, the inaccurate documentation presented with the instant motion reinforces the Court’s separate conclusion that the hours requested exceed the reasonable time spent on this case. Given that in making the instant motion Defendants have inexplicably inflated the total hours for which they request compensation by almost 27% beyond what was even recorded in their own billing records, the Court finds it entirely appropriate to cut their requested senior attorney hours by at least that much to account for other inflation that likely occurred in daily billing and overcharges to their clients, which may or may not have been partially balanced out by bill cuts and discounts."
"it appears to the Court that Defendants have deliberately doubled the requested compensation"
"It is unclear how Defendants arrived at the total of $26,338.01 requested in their motion. Moreover, as discussed, the individual expense requests that total $28,839.36 here also are inexplicably inflated when compared with the actual billing records submitted to the Court."

Blah on Challenge Response

Richi Jennings breaks it down: Peter Brockman, and open questions on C/R success rate determination methodology. As Richi puts it,

"Statistics aside, asking C/R users if they're happy isn't the be-all and end-all of anti-spam research. C/R users may indeed be happy -- happily unaware that their spam filter is sending spam by replying to innocent third parties who's addresses have been forged by spammers."

Spot on.

Justin Mason's take on it is accurate and insightful, as well:

"Now, here’s the first problem. The “Spam Index” therefore considers a false negative as about as important as a false positive. However, in real terms, if a user’s legit mail is lost by a spam filter, that’s a much bigger failure than letting some more spam through. When measuring filters, you have to consider false positives as much more serious! (In fact, when we test SpamAssassin, we consider FPs to be 50 times more costly than a false negative.)"

Justin hits the nail on the head. Part of the problem a number of anti-spam "researchers" have in common is discounting the damage done (or even inaccurately counting FPs) by doing things like relating the number of "hits" a blacklist or spam filter gets and assuming that the more hits you get, the better.

Then add in the, um, awesomeness of C/R, in that you're bouncing unwanted spam back to unrelated parties who were forged in from lines. C/R is a good way to block spam, by bouncing it off your bad filter and in to somebody else's inbox. That's like keeping criminals away from you by helping them break into your neighbor's home. Yuck.

Happy Friday from...the Baron!

I've apparently been dubbed "the Baron of Blacklists" for "waxing lyrically" on the subject of DNSBLs. If you're wondering what that's all about, Melinda Krueger published some information about blacklists in a recent Email Diva column. A long time subscriber myself, I thought it would be helpful to provide some more detail and clarification. So, I dropped her an email, which landed in a follow-up Diva column with my blessing. Neat!

Of course, to see what the Baron of Blacklists will be waxing lyrically about next, head on over to my other site, DNSBL Resource.

Where was the consumer?

My friend Neil Schwartzman asked me a question during the FTC Spam Summit a couple of weeks ago. He asked me, “Where's the consumer?”

Neil, executive director of CAUCE (the Coalition for Unsolicited Commercial Email) in North America, had a point. The whole point of this exercise is figuring out how to answer the question, how do we protect the consumer? Problem is, there were a lot of consumer groups completely unrepresented at the event. It's great that they got Consumer Reports and Consumer Action to participate. In particular, Consumer Reports teased us with an upcoming review of spam filtering applications. Good stuff!

But, there was still a glaring omission: Where were the consumer groups actually focused on dealing with the spam problem? Where were the blacklists? How come CAUCE wasn't on a panel?

These are the groups actively fighting behind the scenes to preserve email. Working across countries, across boundaries, to solve the spam problem. The blacklists work hard to identify bad actors (often at significant personal legal liability), enabling receiving sites to more easily reject unwanted mail. Not everybody agrees with their methodology, and not everybody agrees with their goals. That's OK-- the same can be said of just about anybody else who was represented at the event. That doesn't mean they don't deserve a seat at the table.

That seat is important, for two simple reasons. One, so they can educate the rest of us of their point of view and all the valuable information they have. Two, so we can educate them. Put everybody in as room, get them to listen to each other, and something rubs off in both directions – usually for the better.

By not including CAUCE, or any of the blacklist groups like Spamhaus, SURBL, NJABL, PSBL, etc., in any of the panel discussions, we all lost out on that opportunity.

I'm very disappointed.

Blocklist notifications? Think again.

Infacta's "Messaging Times" posted a generally good article today on what you should be doing to minimize blocklistings. Except...

The article posits that "blacklist agents" should "contact senders that were reported prior to listing them with a plain-English explanation of what was reported and give them an opportunity to respond appropriately prior to being listed. This process should be clear with instructions that are easy to follow."

Whoa. This is untenable on every possible level. Why?
  • The vast majority of this spam is coming from forged addresses, overseas IPs, or infected machines (or all of the above). Notification to the listee is far from trivial and it will send bogus notifications to the wrong person 99% of the time. It is not worth it just to notify the 1% person who is actually reading his postmaster/abuse mailbox and speaks English.
  • It just doesn't scale. Consider: My tiny random site receives, on average, ten thousand spams each day. Of the (approximately) 807,998 spams I've received since March 10, they came to me from 532,958 unique IP addresses. You expect me to send out over five hundred thousand notifications? Now explode that out exponentially to the real levels that blocklists deal with (which reveal my volumes to be puny).
  • Smart senders check their bounces. The default configuration for blocklist usage includes a clear message with every bounce containing a link to a site or reference code with more information. This is notification. Do your due diligence and you'll notice a listing within minutes or hours of it taking place. In most cases it is then easily and simply resolved.
  • Smart senders periodically check blocklists to see if their IP addresses are listed. Any good email service provider (ESP) offer this service. Sites like DNS Stuff and Open RBL make it easy to check a bunch of lists at once.
  • Good email actually doesn't get blocklisted very often. Sure, there are badly run blacklists out there (and I catalog both good and bad ones over on, but most lists are not run by bad guys and are not out to attack people sending regular opt-in mail. If you are regularly ending up on lists like Spamhaus, NJABL, CBL, etc., then you're probably doing something wrong. If you're regularly getting blocked at Yahoo, Hotmail, or AOL, then you're probably doing something wrong. Fix your list. Stop trying to blur the lines of permission. Stop mailing to bounced email addresses repeatedly. Confirm new signups. Re opt-in your existing lists. Be proactive. It's not up to some external third party to tell you that you screwed up; if you let it go and got bitten by a listing, you've usually got nobody to blame but yourself. The real problem is whatever caused the listing, not the lack of a notification.
Notifying everybody listed on a blocking list is a noble goal. It was a goal of mine, back when I created the RRSS DNSBL in 1999 (that later went on to become the MAPS RSS). Back then, I found that notifications did nothing but annoy unrelated parties and generate more bounces back to my own mailbox. It's telling that today, no list I'm aware of notifies somebody before placing them on the list. For a lot of these lists, the point is to mitigate the potential damage of spam being received from listed hosts, while the host's owner or ISP is asleep at the wheel, not to prod the host owner to be friends with them.

Next, the article mentions "email authentication systems" referring to things like Goodmail and Sender Score Certified. These are actually email certification services, not authentication systems. You can choose to participate in a certification system, but it's not required on any level to get your mail delivered. Email authentication systems are actually things like SPF (Sender Policy Framework), Sender ID, DomainKeys, and DKIM. These all make it easier for receivers to identify senders and help their efforts to improve their ability to discern the good mail apart from the bad mail. They don't cost anything. SPF and Sender ID are things you set up in your DNS and can be done in about five minutes if you're technically inclined. DK/DKIM require support at the mail server sending side. Sometimes this is free, sometimes it might require an upgrade. This is like upgrading any piece of software, though, and it it's part of some conspiracy to make you pay to have to send email. (I think in the future you'll find just about every free or commercial mail server software will support DK or DKIM.)

And finally, the article asks the question, "Since when did the world "free" become a bad word?" The answer is: It didn't. It's not. The vast majority of spam content filters don't do anything so simplistic as to filter or block a message just because it contains the word "free." Don't be afraid to use the word "free." If you're not sending spam, it's not likely to get you blocked.

Ask Al: My email address is being used in spam!

Gerald writes, "Help! I need to call the spam police and I don't know where to turn. My email address has been used to SEND spam. I know this only because an email sent under my name was undeliverable, and so the 'undeliverable' email report was sent to me. The subject line or sender's name was 'Free online secrets.' What can I do?"

Gerald, thanks for writing. Unfortunately, there's really not a ton you can do about this. There's no central spam police to report things to, nobody you who'll jump in and chase down those who forge your domain. Well, there is the FTC, but good luck getting this issue onto their radar – their resources are limited to the point that they really are only going after the biggest, baddest couple of bad guys at any given time. (And who's to say that yours is even in the US.)

But, if I were in your shoes, here's what I would be doing.
  1. Make sure there's really something significant going on here. Lots of spam has variable from lines. Some of it purposely tries to look like it's coming "from" you "to" you. It could just be that your copy had you on the from line. That alone wouldn't mean millions of other random joes got mail from you. One bounce back alone wouldn't be a concern. Getting dozens, hundreds, thousands? Then it would be safe to say that this is taking place on a wider scale. If not, I wouldn't bother with the rest of this (except authentication).
  2. Contact your ISP and let them know what's happening. Give them one example of the spam, and explain that you are being “joe jobbed” and that you're not responsible for the mail in any way. You don't condone it, you don't want it. I would do this pro-actively to ensure some over-zealous ISP doesn't take down your site after receiving spam complaints and making the false assumption that you must be up to something nefarious.
  3. After things have calmed down, look up your domain in the SURBL and URIBL "URI" blacklists. If you find that your domain is listed, contact them and ask to be removed, via the process they list on their sites. Like you did with the ISP, explain that you were the victim of a joe job, and that you don't send spam. They will likely remove you. If they don't, any mail you send to any site using SpamAssassin or other filters that check these lists will likely junk your mail if your domain or URL is mentioned in the body of messages.
  4. If you have the money to spare, you can hire lawyers and consultants to track the source of the forgery, figure out who to sue, and sue the offender. I'm happy to recommend someone who can help, but I would warn you that it's going to be expensive, and unlikely to be rewarding. My recommendation would be not to bother.
  5. For the long term: authenticate your mail. We're not quite there yet, but we're moving in the right direction. The big ISPs are just starting to pay attention to email authentication. For example, if you published the right kind of SPF or Sender ID record in DNS, Hotmail would automatically have discarded all of the forged spam attempts aimed at its user base. SPF and Sender ID records are a simple bit of text added to your domain name service record, and don't usually require any sort of additional infrastructure on your part. For more on SPF look here and here.
Another important thing to keep in mind is that spammers are constantly cycling through domains to try get around spam filters and blocks. With many millions of domains out there in the world, spammers are probably only going to focus on yours for a short while. The data I've collected seems to support my point: For the 764,813 pieces of spam I've received from March 10th through July 14th, the spammers have used 223,393 different domains in their from addresses. That averages out to 3.4 spams per domain. That suggests that in the long term, the effect is very diffuse and the specific impact against any one email address or domain is generally going to be pretty limited.

I realize it's very annoying, and I wish I had better answers for you. Thankfully, your online reputation isn't likely to be tarnished over this issue, especially not in the longer term.

Blink: 32 new spams.

Hi from DC. I'm taking a break from the FTC Spam Summit 2007 to swap laptop batteries and check email.

Just as I got back to my hotel room, I got a page from a monitoring script I had set up. One of my spamtrap mailboxes was almost full and needed housecleaning. I logged in, and with the push of a few buttons, I emptied out the account (hey, there's always more spam) and turned the monitoring back on.

For the 30-60 seconds it took to empty out the mailbox's trash folder, I received 32 new spams. Click delete all, empty it, go back to the inbox and bulk folders, and I had 6+26 new messages. Man, I get a lot of spam.

A lot of discussion surrounding harvesting is taking place this time around. I am strongly anti-harvesting and it's clearly a bad practice. So, great. But harvesters are fairly easy to catch, and Project Honeypot seems to be spending significant effort going after them, so I wonder if this is something that really needs to be discussed in so much detail. Harvesting bad, check. What's next?

That's not to say that you shouldn't still protect your email addresses when putting them out on the web. On a whim, I had set up a special email account with a tagged address that I put only on one website back in May. After a couple days it started getting spam, and from May 26th through today, that address has received 189 spams. Man, what a pain.

But, as Suresh Ramasubramanian of Outblaze, and others have pointed out, keeping your address off the web doesn't prevent you from getting spam. You mail a friend, that friend's computer gets infected with malware, and that malware scoops all the email addresses it can find out of your friend's address book, and suddenly you're getting pharma spam served via botnets.

Blogger listed on Spamhaus blacklist

It would seem that this SBL listing means that if you have a blog at http://(something), your mail is going to be blocked by any site that checks the IP addresses of URLs found in messages, to see if those IP addresses are blacklisted.

Read more about it here.

I don't necessarily have an opinion on this at the moment. The devil's in the details, and I'm short on details. Generally speaking, I do want Spamhaus (and other blacklists) to bring the smack down on the bad guys. And if Google is (even unintentionally) being one of the bad guys by not doing enough to prevent spammers from using Blogger blogs as landing pages for spam, then that's a bad thing.

TQMCUBE Blocking List Status

The TQMCUBE Blocklist seems to have been abandoned, and/or the creator and admins are missing in action. Over on, I've collected all the information I have on the topic.

Even More on Confirmed Opt-in Best Practices

Down in the trenches, as it were, I see a lot of miscommunication and misdirection on the subject of confirmed opt-in/double opt-in. Here's some quick notes, thoughts spurred by recent discussion on various forums I participate in.

Confirmed opt-in and double opt-in both mean the following and only the following: A potential recipient submits an email address at a web page. This triggers a confirmation request email. No further emails are sent to the end recipient until and unless they take positive action to confirm the subscription in response to this confirmation request email. That means the person who received the confirmation message has to click on a link (or respond to a token, but I prefer the link method) to confirm the subscription. If they didn't do that, then you don't consider them opt-in, and you don't email them further.

Sometimes you have people doing the right thing but in the worst possible waydon't be like Goofus and pound on unconfirmed recipients over and over and over, unless you like poor deliverability. A second confirmation request might be reasonable, but anything more and you're guaranteeing spam complaints against you. It defeats the whole purpose (improved deliverability) of doing the right thing.

If somebody uses the term confirmed opt-in to mean filling out a web form and receiving an email saying “Your subscription is confirmed. If this is incorrect, click here,” then they are mistaken. This isn't confirmed opt-in or double opt-in. It's a signup form with a welcome message. The welcome message lets the recipient opt-out if necessary, and that's great – but it's not confirming anything as far as the opt-in police (ISPs, blacklists, etc.) are concerned. I see a lot of confusion surrounding this and it's important to remember the following: It's not confirmed opt-in or double opt-in unless the recipient has to take that active step of clicking on a YES link or taking some other YES-affirming action.

Confirmed opt-in doesn't make it okay to buy/sell lists. If somebody offers to sell you a guaranteed double opt-in list that they've been compiling for years and it's super awesome and you'll get great response!!!, run for the hills. There's no way that people on this list know about you or expect to get your email. It might be totally legal, but it'll put you on the fast track to getting blocked by all the large ISPs. (And the list seller is probably lying about it being double opt-in, anyway.) (Looking for legit ways to build your list? Here's a previous article on the topic.) And if you're taking your confirmed opt-in list and selling it, everybody buying it is a sucker. All of those people are going to start sending to that list, diluting its value and driving high spam complaints. Regardless of how clear the opt-in was, people who send to a list like that are going to get blocked.

I spend lots of time working with clients undoing damage from co-reg lists, append list, etc., because somebody told the client (before I was involved) that this list is guaranteed opt-in and it'll have a great match rate, everybody wants to hear from you, and it'll drive great response. So the client signs on the dotted line, some append vendor does a poor “opt-out introduction” email, then passes over any addresses that don't opt-out, and you never hear from the vendor again.

What happens next? The client's ability to deliver email begins to suffer, shortly after beginning to mail this fabulous new list segment. That's when they end up pulling me into the loop (because, of course, I'm awesome!) to figure out what went wrong. Fixing the problem inevitably boils down to jettisoning these “not direct opt-in” list segments. Save your money and avoid this in the first place.

There are best practices you can and should apply to confirmation emails just like you would for any other email you send.
  • HTML tends to work better (drive a higher confirmation completion rate) than text. My tests have always confirmed this. If you're not sure, test it for yourself.
  • Branding is important. Make sure people know that the message is from you. The from line, subject line, and header in the email should all clearly refer to the sender. A logo is an excellent idea, but also make sure the email degrades gracefully if images are blocked by the recipient.
  • The opt-in process should be nothing more than a simple, easy-to-click hyperlink. Nothing fancy, no captchas, no enter a code, etc. (But make sure that link can't be spoofed to opt-in a different recipient.)
  • Include clear wording that says what the person is signing up for, how often you're going to send them emails, and how they can unsubscribe from the list if/when they change their mind.
  • Include information about the source of the opt-in request. The IP address from where the web form submit occurred, and the date/time (with time zone) are necessary bits of data to include. (You're tracking this already, right? If not, uh oh.) What this does is it allows people who get forged subscription requests to hunt down the source ISP on their own and leave you alone. Anti-spam groups really like this step.
  • Short and sweet is the key. If it takes a three page email to explain why people want to opt-in or how to confirm, then you're doing something wrong. Recipients' eyes will glaze over and your confirmation rate will suffer. You should be able to fit the key messages of why to opt-in, how to opt-in, and anything else you want to convey, in just a few inches of email space.

You will find that none of this is a 100% guarantee against blacklisting. Sadly, there are some people who will attack you , even though you're doing COI/DOI just because they don't like you, or they don't like that somebody forged their address, or that your email contains HTML. Ignore them and do the right thing regardless. Why? Because the smart anti-spam folks who control the keys to the inbox at the large ISPs have significantly fewer issues with folks who run confirmed opt-in/double opt-in. If you do it and stick to it, you'll get blocked much less often and have a strong message to convey to any anti-spam group or ISP who takes issue with you.

And finally, DON'T LIE! If I had a nickel for every time somebody lied to me about a list being confirmed opt-in, I'd be a rich man. How stupid do you think ISPs are? They can instantly tell when you're hitting spamtraps, when too much of your mail attempts bounce, and when your mail generates too many complaints. Just because some ISPs provide data on this back to you doesn't mean it'll help you evade their filters and processes. Trust me, I've met most of these ISP guys, and they're smarter than both me and you.

Know when to quit!

I sign up for hundreds upon hundreds of lists. I maintain multiple "hamtraps," collections of received mail that I actually asked for. So it's not spam, but sometimes the line gets a little blurred.

Take, for example, a random veterans affairs site. In April I signed up on their site, but never completed registration.

In the past thirty days, they've sent me five requests to complete my registration. They may have sent me more requests to complete; I don't know, because Gmail claims to empty out my spam folder every thirty days.

Yup, they're going to the spam folder at Gmail.

I have some idea why. It's for something they did. Or rather, something they won't do: They won't let go.

If you keep sending mail to unconfirmed signups every week, you're driving people nuts. People who don't want your mail, so they're reporting it as spam every single time. People who didn't complete because they don't want to complete. Maybe sending them a second nudge to complete was OK, but five is far beyond what I'd call an acceptable best practice.

Is it legal? Absolutely. Is it blockable? Absolutely. It wouldn't suprise me to find that they were having delivery issues at other ISPs, not just Gmail. ISPs, especially the big dogs (AOL, Yahoo, Hotmail) do not take kindly to senders who generate complaints, and it seems very likely that this practice does exactly that.

If you want to be a good sender, confirming your list is great. Asking people to complete their registration is fine. But stop and think: What is reasonable? Five requests (so far, I might add) is overkill. The whole point of confirming is to validate them as a user, counting them as engaged, knowing they want your mail. It's silly, and damaging, to keep nudging people over and over and over, if they're clearly choosing not to join this group.

As a sender, you greatly improve your deliverability by jettisoning non-responders. If you keep pinging them repeatedly, you're denying yourself the benefit of this process, and ensuring that ISPs are going to block your mail.

Not smart.

Vonage did WHAT?

This has been making the rounds in the blogosphere these past few days: Vonage is taking months/years old addresses, submitted ONLY for a forward-to-a-friend promotion, and sending advertising to those people years later.

If true, it violates all best practice guidelines for appropriate email marketing.

If true, it's questionably legal.

The worst/best part is that the emails Vonage sent claim to be new referrals, saying "Andy Sernowitz asked us to tell you..." even though Andy Sernowitz apparently hasn't asked Vonage to do this in many, many months.

Psst, Vonage? Ever heard of Jumpstart? If not, I suspect you will be learning more about that particular FTC action soon enough.

Opt-in vs. Relevancy

I spoke at both INBOX and Internet Retailer recently, and at both events heard smart marketers ask, "Why do readers unsubscribe, ignore or complain about my emails? They opted-in!"

-- Stephanie Miller from Return Path. Worth reading.

I'd like to extend Stephanie's argument from senders to receivers and question whether permission is as relevant as it once was in terms of how ISPs, filters, and blacklists determine whether or not to block mail.

-- Matt Blumberg from Return Path keeps the discussion going.

My two cents to add here is simply this (very brief, as I'm on an awful keyboard): Permission still matters. Opt-in still matters. ISPs define spam as mail their users don't want, and if you don't have permission, you're clearly sending mail users don't want. Spam complaint data shows a clear correlation: Mail that isn't opt-it gets you much higher spam complaints than mail that is opt-in.

The RP folks raise great, valid points though, in that opt-in isn't good enough. You can be all 100% opt-in, and still have very poor delivery, spam foldering, and blocking, because you're still not sending users mail they want. That's why even with opt-in permission, or even 100% confirmed opt-in/double opt-in, you don't get a "get out of jail free" card directing your mail straight to the inbox.

That's why relevancy matters, too.

Spamming That New Account

Q: How long does it take a new Gmail account to get spam?
A: In my case, one day.

May 26: Create account. Address has never been given out to anyone.
May 27: Receive weird spam in Chinese.

Q: How long does it take for an address, published on the web, to be harvested?
A: In my case, two days.

May 26: Create email address at (non-webmail) domain. Post address on one website.
May 28: Receive weight loss spam and fraudulent lottery notifications, to that address only. And fourteen spams since.

Greetings from San Jose

Greetings from the San Jose airport, where I am waiting to fly home after attending the INBOX Event. I was there to participate in a panel on deliverability and authentication, along with my good friend Morgan Witt from BlueHornet.

The highlight for me was Patrick Peterson from Ironport. He spent an hour detailing the nefarious things spam gangs are up to. He laid out the details of their investigation into a single spammer's operation over a two week period, covering about twenty billion pharma spams (wow), where they lead, and how they trace back to the same sender. Lots of what happens with credit cards, merchant accounts, do the spammers actually ship the promised pills, etc. Very insightful.

Robert Soloway Arrested

I'm at a conference, so I don't have much time to blog about it, but helpful folks keep forwarding me this over and over, convinced that I need to be told. So, for the record, I am aware that Soloway was arrested. More on the topic from Forbes, CNet, and Yahoo. I really don't have much to add to their excellent summaries of the situation.

AOL Image Blocking Link Roundup

Here's links to the most relevant takes on the recent webmail changes at AOL, in my own humble opinion.

Re-thinking Spamcop

It's time for me to go back to the drawing board for a new opinion on Spamcop's SCBL blacklist. In the past, I had consistently observed significant false positive issues, but no more -- any false positive issues seem to have been resolved.

For more on the topic, including metrics showing how well Spamcop is working in my test environment, click here.

ESPs, their clients, and ISP blocking

I loved this post, and here's what I loved about it:
[The prospect who got himself blacklisted] thought he could solve all his problems if he switched to MailChimp, because we apparently have a good reputation, and because he thought we had some kind of secret-handshake arrangement with ISPs (actually, that's not the case---they'll blacklist anybody that generates too many spam complaints).
Ben @ MailChimp is 100% correct. ISPs will block and blacklist you, regardless of who your email service provider (ESP) is, or what IP address you send from. And they're smart enough to figure it out when you change ESPs. If they blocked you at the other ESP, it will take anywhere from immediately to very soon before they find you and block you at your new home. Your reputation follows you. You'll hit the same spamtraps, have the same volume of complaints. Since these are what drive ISP blocks, switching ESPs isn't going to magically wash all that away.

Mark Mumma News Roundup

Mark Mumma, if you weren't aware, is the anti-spammer who sued Omega World Travel a/k/a over spam allegations, and lost. It seems to me that this may have been a situation where hubris and anger took control, getting in the way of facts and logic.

How big and how often?

Averaging out the last 149,623 spams I've received, the average size of each message is 7.8kbytes.

Over the past twenty-one days or so, I've received an average of 6,959 spams a day, or 4.8 spam emails every minute of every hour, twenty four hours a day.

I'll share information like this periodically, to help others who are looking for data. Feel free to share info like this with others.

Get your Sender ID on!

If there’s one thing I wish somebody would have warned me about a few months ago, it’s this: Get proactive with Sender ID, and do it NOW!

Sender ID suddenly just became a big deal at Hotmail. If you don’t have a Sender ID record, or you don’t have it exactly right, get a move on! If you don’t, you’re going to eventually run into issues trying to get mail into the Hotmail inbox.

Here’s what you need to do, in three easy steps:
  1. Create an SPF record. Go here. Put in every IP or netblock allowed to send mail on your behalf. Include a reference to your ESP or outsource providers. Take the record you create and drop it in as a DNS text record for your domain. Need examples? Look up the SPF record for other people’s domains to get an idea of how they do it.
  2. Make sure it covers your PRA (visible from domain), too. This is the important bit. An email sent to Gmail will pass an SPF check just fine with the record covering your MFROM (return path domain or bounce domain). That doesn’t mean it covers your visible from domain (PRA). If your visible from domain isn’t covered by an SPF or Sender ID record, Hotmail problems will follow.
  3. Test it. For work, I built an SPF/Sender ID/DomainKeys tester that we use for this. But, for the rest of y’all, I recommend using this tool from Return Path. It’ll break down PRA and MFROM results. Make sure they both pass. If the PRA test fails, you mail is likely to fail at Hotmail, too.
Not everybody failing Sender ID (or choosing not to sign) is having delivery issues to Hotmail. But, it is proving to be a reputational black mark. For some folks, that’s enough to start causing problems. For others, less so-- today, anyway. Tomorrow will likely be a different story.

Remember: authentication matters. Read more on the topic, including overviews of SPF and DomainKeys, over on my other blog post.

(I'm muddling Sender ID and SPF a little bit here, in the interest of making this a short article. SPF and Sender ID are very similar; Sender ID is essentially the newer version of SPF. I've focused on putting in SPF records in place, because Sender ID is backwards compatible, and I've found it easier and quicker to do SPF alone, which covers me for both Sender ID and SPF, when done correctly.)

Tracking lots of spam for fun and profit

It dawned on me today that I haven't been logging the recipient addresses identified in the spam messages I'm cataloging and reporting data on. I think it'd be a good idea to expand my data set sideways and start adding that info, as spot checking the data has been quite insightful. I've found, for example, that spammers are dumb enough to harvest from Google Groups, because I have a fair number of recipient addresses with “...” in them, indicating they were truncated versions of real addresses I used when posting to newsgroups years ago. Then there's lots of spam directly to those newsgroup-harvested addresses, spam to addresses obviously harvested from the web, spam hitting abused co-reg addresses, and god knows what else to actual once-valid but long-dead actual user addresses.

There's one alias that is getting just a metric ton of spam, and the construction of the username portion makes it clear to me that it was an alias I gave to somebody and they misused it, or somehow leaked it to some real bad dudes. I wish I could remember who I gave the address to – but that info is stored on a drive pulled from my old unix server when I moved to Chicago. I'm dying to know which random bad actor is responsible for that bit o' feed, because the mail it's getting is so far from CAN-SPAM compliant that it's not even funny.

Even though I'm getting more than six thousand spams a day, I've only been tracking an average of 2200 a day for the past forty-one days. At first I had to do a lot of manual review of the spam to ensure that it wasn't accidental ham, there was a fair amount of that to be weeded out. It was easily weeded out and rules were put in place to help keep it out, but doing so took time, and I couldn't run the whole spamtrap feed through the measuring stick until I reviewed it all.

Now that this is out of the way, the only things holding me back here and there are software bugs and/or server issues. Occasionally the drive on the server handling this mail fills up, so I had to do a lot of fancy coding around that, to make stuff sit and pause and wait for the disk usage to come back down. That's no fun. But now that I'm able to work around it, I should start consistently logging data about at least five thousand spams each day.

Here's some random statistics for you. I recently added Gmail bulk foldering to my spam results, and so far I'm seeing that Gmail is only 88.8% affective against my spam feed. Meaning, 11.2% of spam I receive is not going to the spam folder in Gmail. Of the 92,730 spam messages I've tracked so far, over the past forty-one days, they have come my way from 68,516 unique IP addresses, and 58,022 unique /24 blocks.

Just yesterday it dawned on me that I should start tracking domains used in spam. I decided to focus on from lines, and log unique from domains that actually exist. Just since I turned it on, I've tracked over 5,500 unique domains. I have a few ideas of neat things I can do with this data, after I compile enough of it, but I'm not sharing any of those secrets quite yet.

What I will share though, is information showing what IP addresses and netblocks actually send me the most spam. It'll be interesting to see how it compares to what other people are seeing on their own mail streams. Look for that soon!

Are you a good blogger?

OK, not spam related, but still topical. Hot on the heels of my own post on the top ten dos and don'ts of blogging comes this whiny article from Pete Blackshaw, published on ClickZ.

Pete probably should quit blogging; he sounds tired. As for the rest of us, there's a lot of info just waiting to be shared with the world, and blogging is a good way to get it out there. I'm not tired. I love it, and want to see more people doing it.

(I promise that the non-spam posts here will be very rare. There's nothing I hate more than off-topic posts on a specialist content blog...remember, kids, do as I say, not as I do!)

Sweepstakes and List Building

Jamie Schissler, Strategy Director at Avenue A | Razorfish, has this to say on the topic:

Having worked in the promotion marketing space, I love sweepstakes. They should be a staple in every brand and marketer's toolbox, and I've seen them executed with tremendous success. But just as you wouldn't use a tape measure to drive a nail, sweepstakes are not particularly effective for database growth and development. As a promotional strategy, they are great; as an acquisition strategy, less so. Let sweepstakes supplement your acquisition activities, not spearhead them.

Always good to see somebody agreeing with me on that subject. I've seen many senders run into many issues by using a sweepstakes as a list building approach. It's definitely not something I personally would recommend.

Switching hats for a case you're wondering which address(es) of mine started out legit but ended up geting the most spam? It was the address that I gave for a sweepstakes in 2003. Buried in the T&Cs was legalese that said they were allowed to sell my address, and wow, did they ever. This address now gets every kind of spam with every kind of falsity and deception. Bad subject lines. No postal address. No way to unsubscribe, etc. All traced back to this one address that I used in this one place.

As a consumer, this was a huge turnoff, that made me never want to give out an email address for a sweepstakes ever again. Yuck.

The very first spam?

Lots of people think that Canter and Siegel are the first internet spammers. Not exactly true. Long before their first excursions into bad taste in 1994, came another: Gary Thuerk of Digital Equipment Corporation. It all started in 1978, with his mass email to all the email addresses in the world (or at least as many of them as he could find and type in to his terminal by hand), advertising the latest and greatest in DEC Systems.

Read the whole story here.

I would love to say I was actively aware of this when it happened, but I can't. In 1978, I was beginning my computing career by writing BASIC programs on an HP mainframe computer to which I was connected over a 110 baud acoustic coupled modem link from a brown-paper teletype. An ASR-33, if I recall correctly. Keep in mind, that was over a hundred years ago, and I was very young.

As far as the first spams I recall personally receiving, or being involved in tracking down and blocking, that's a tough one. Frank Virga and Zvika Lichter were two well known (at the time) bad actors in the email space that I, in collaboration with many other folks, worked hard to push off the 'net. For a long time in the 90s, I had some weird/gross spam from Lichter printed out and taped to my wall at work, as an example of what spam was all about. Back then, not everybody knew what spam was, or why it was bad. I found that showing them one of Lichter's disgusting spam messages was an excellent educational tool. (I won't even described what the spam was offering, lest it haunt your next meal.)

Email Diva: Industry Standard For List-Cleaning

Over on Email Insider, Melinda "Email Diva" Krueger provides some wise advice on list cleaning best practices.

Two second summary:
  • Get non-responders off your list.
  • Test reconfirmation/renewal re-engagement methodology
I love it. If it's not yet considered industry standard practice, it's about time for that to change. Removing people who haven't clicked in years removes dead weight without killing your list. I regularly see it improve ROI, as you get the spamtraps and complainers out of the way, leaving only the people who actively want your mail and are most likely to respond. And you improve their ability to respond, by clearing out the bad addresses that cause spam filtering and blocks.

Read it, bookmark it, share it with your friends. This info should forever be ensconced in your personal "Email Marketing 101" handbook.

There's always more spam!

So, were you wondering how many average spams it takes to fill up a Gmail account?

I find today that the answer is: 280,570. Just over two hundered and eighty thousands spams is enough to make my Gmail account cry uncle. Ouch!

So, at this moment, my spamtrap is empty. I cleaned it out, making room for another 6200+ spams/day. This should get me another forty-five days or so.

It took me a bit of thinking to decide if I really wanted to delete all my spam. But, I have been logging it as of late, so I do have most of the sending IPs, subject lines, etc. logged. So, flushing away this sample doesn't really lose me all that much.

And, there is always more spam.

Ask Al: How do I publicize my new site?

Patrick Writes,

Hi. I like your blog! I run a doctor search engine, a new business looking to run a legit email campaign to get the word out to doctors. I don't know where to turn or who is legit, etc. Can you recommend anyone? Thanks for any help or referrals, etc.

Hi Patrick,

Thanks, glad you like the blog! I know it's tough starting a new site or business and trying to get the word out. I've helped others do this before, and there are actually quite a few things you can do.

As far as doing email campaigns, let's start with what you shouldn't do. Don't harvest email addresses. Harvesting addresses involves using software to find email addresses out on the internet and add them to your email list. Those people didn't opt-in to get mail from you, so if you send mail to lists like that, you're going to end up blocked fast and far and wide. It's spam, plain and simple, regardless of how well targeted it is. Don't buy lists either. There's no such thing as a guaranteed opt-in list for sale. The people on those lists don't know you, don't recognize you, and aren't keen to hear from you – they're already getting tons of unwanted spam from every other fool that bought that list. I can guarantee that such a list is going to garner more spam complaints than new visitors to your site.

If you want to get the word out via email, the way to do it is by partnering. Find sites that cater to doctors and find out what advertising opportunities they offer. I don't know a ton about this space, but a quick search says that WebMD, OneHealth, and Medscape might be places to start. Will they send an email to their list on your behalf? This type of third-party emailing is legal and common, though it can get spendy. Ask them if it's okay to send them press releases – maybe you can generate some buzz that will cause them to write articles about you, and get you free traffic and interest.

You could also partner with a list rental firm. I've guided clients toward Return Path's Postmaster Network in the past, with good results. I find them to be very reputable. Beware, though. For every good Postmaster Network, there a thousand fly-by-night firms whose lists aren't truly opt-in and who turn out to be run by people whose ethics are questionable. I'm technical enough that I've caught list rental brokers trying to deceive my clients with falsified proof of opt-in details (No, this Michigan RoadRunner user did not opt-in from an IP in London), or proof of delivery (no, an SMTP transaction handoff does not mean the recipient received it and therefore opted-in). Etc. The space is filled with bad guys changing company names every few months, selling opt-out access to lists compiled from questionable methodology. My recommendation would be to get references from anybody you're going to go with, and force the vendor to use an opt-in process, instead of opt-out, if the process involves the people being able to sign up to get emails from you later. With opt-out, the match rate is higher, and you will pay the list rental vendor more money. But, the complaints will be higher and you'll end up angering some important ISP like AOL and having to opt-in those names later. (Throwing away 90% of them in the process.)

Besides email campaigns, organic search is very important. If your field is unique enough, or you can find a unique enough angle, this actually can work pretty well. Start a blog or a content site. Write and post intelligent and relevant articles on the topic in question. Link to it legitimately by participating in blog and online forum discussions on the topic. Link back to appropriate content on your sites, but only in the context of the discussion. (Don't just post and say things like, “Hi! Great discussion. Visit my site at for more info! That's pretty close to blog spamming, and if it happens enough, Google will end up removing your site from their index. When that happens, the results are devastating and it can take months to clean up. )

Hope that helps! And thanks for your question.

Double opt-in: For and Against

Double opt-in, confirmed opt-in, email address verification, whatever you call it -- nobody ever universally agrees on whether or not you should do it. I see a lot of people in the anti-spam community try to recommend it based on their feelings. They relate specific experiences where a company annoyed them by not confirming subscriptions. Interesting, but it doesn’t always speak to senders in the language they need to hear. Unhappy anecdotes don’t provide the necessary info to convince marketers, who generally work by way of a data driven decision making process.

Surveys, Profile Information, and Hamtraps

As part of my massive spam/ham tracking project, I’ve been signing up for lists. Hundreds of lists. Somewhere north of four hundred and I keep adding more every day.

I’m practicing safe signup – each retailer, newsletter publisher, media outlet, or other list owner gets a unique address that isn’t easily found by way of dictionary attacking. I’ve got multiple domains and the ability to bounce/filter out certain addresses. Thankfully, too, as there’s already a few senders who have done things with the addresses that I don’t agree with. They’re no longer a part of the feed, as I don’t consider them “good” senders.

This isn’t exactly “shout it from the rooftops” fun to do. I’d much rather be over on Navy Pier, relaxing at a table in the beer garden, with some sort of tasty beverage. But, it’s been providing me with good, useful data, and for the most part, I’m able to stand the monotony of signing up for list after list after list after list.

What really is dragging it down for me, though, is excessive profiling. I’m not new to marketing. I know profiling is good. I love self selection and self segmentation. Let people tell you what lists they want to be on. It’s wise. It puts the consumer in charge of the messaging. Let them hear what they want to hear about, and it’ll make them happy. Don’t offer that capability, or don’t utilize the data you’re collecting, and you end up looking silly. Heck, get it wrong enough, and people are even going to blog about it. Heh.

But some of these sites go overboard with five and six page surveys. Screen after screen of required fields and “tell me more about yourself.” Dude, I just want to receive your newsletter. I’m not applying for a car loan. Sure, I'm subscribing for a unique purpose when compared to most other newsletter subscribers, but is it really that different? When I sign up for something for myself (XM Radio, technology newsletters, etc.), my eyes start to glaze over if they want to ask more than ten questions (and I’m counting “enter your email address twice” as two of those).

How can people stand these? If my office had a window I would’ve jumped out of it rather than finish the most recent of these long, slow forms that I just came across. And I can't be the only person who feels this way.

I just can’t help but wonder about the drop off rate is for these long, multi-page survey-based signup forms. I bet it’s fairly significant. If your prospective registrant gets bored and wanders away mid-process, you’ve lost a chance to sell to him.

Flixster Wants Your Passwords

Anne Mitchell pointed me toward a post on her Internet Patrol blog about how Flixster’s “invite a friend” functionality either asks you for or allows you to give Flixster your AOL, Hotmail, Yahoo and Gmail passwords.

Then Flixster logs in to your email account, finds your address book, and sends out invites to your friends in your name from your own email account.

Flixster founder Joe G (Joe Greenstein?) posted a comment in response to Anne, confirming that this was indeed the case. He goes on to state that users are “then ALWAYS given the list of contacts and asked to select whom to invite.”

Well, that’s good. But still, yikes.

Are there still people out there ignorant enough to give out their email passwords to strangers? Joe may be trustworthy, but Joe’s still a stranger, and so is Flixster.

In my opinion, there should never be a reason to give an account password to some site other than that site itself. If that other site ever gets hacked, or if their data security is lax enough to allow employees to steal data, it’ll end up being a privacy (and spam) disaster.

This reminds me of something. Recently, SpamHuntress talked about how Myspace accounts get hacked, and it sounds similar to this. Give us your username and password so we can do something cool with your account….and then we’ll do a bunch of other bad stuff too, without your knowledge.

I am not suggesting that Flixster are a bunch of privacy thieves. I am not implying that they’re going to do something bad with your email accounts. I am, instead, suggesting that you shouldn’t give your passwords out, to prevent something like that from ever happening to you, regardless of how trustworthy the site/service actually is or claims to be.

Do you know how much it would suck if somebody hacked into your AOL or Gmail account and were able to send emails as you? It could be used to send spam to your friends and others, matched up with your saved emails to find your passwords to financial or other accounts, be used as part of a phishing scam to get bank info from other unsuspecting people.

Which blacklists work well?

Just for kicks, I've embarked upon a large spam and blacklist tracking project. Wondering how well Spamhaus works? Preliminary results are showing me that it's actually very accurate and has a much better (lower) false positive rate than every other blacklist I've tested. At the other side of the spectrum, Fiveten blocks nearly a third of desired mail, and isn't as good at tagging spam. Read more about it, and link to the actual data I'm publishing every day, over here on