Surveys, Profile Information, and Hamtraps

As part of my massive spam/ham tracking project, I’ve been signing up for lists. Hundreds of lists. Somewhere north of four hundred and I keep adding more every day.

I’m practicing safe signup – each retailer, newsletter publisher, media outlet, or other list owner gets a unique address that isn’t easily found by way of dictionary attacking. I’ve got multiple domains and the ability to bounce/filter out certain addresses. Thankfully, too, as there’s already a few senders who have done things with the addresses that I don’t agree with. They’re no longer a part of the feed, as I don’t consider them “good” senders.

This isn’t exactly “shout it from the rooftops” fun to do. I’d much rather be over on Navy Pier, relaxing at a table in the beer garden, with some sort of tasty beverage. But, it’s been providing me with good, useful data, and for the most part, I’m able to stand the monotony of signing up for list after list after list after list.

What really is dragging it down for me, though, is excessive profiling. I’m not new to marketing. I know profiling is good. I love self selection and self segmentation. Let people tell you what lists they want to be on. It’s wise. It puts the consumer in charge of the messaging. Let them hear what they want to hear about, and it’ll make them happy. Don’t offer that capability, or don’t utilize the data you’re collecting, and you end up looking silly. Heck, get it wrong enough, and people are even going to blog about it. Heh.

But some of these sites go overboard with five and six page surveys. Screen after screen of required fields and “tell me more about yourself.” Dude, I just want to receive your newsletter. I’m not applying for a car loan. Sure, I'm subscribing for a unique purpose when compared to most other newsletter subscribers, but is it really that different? When I sign up for something for myself (XM Radio, technology newsletters, etc.), my eyes start to glaze over if they want to ask more than ten questions (and I’m counting “enter your email address twice” as two of those).

How can people stand these? If my office had a window I would’ve jumped out of it rather than finish the most recent of these long, slow forms that I just came across. And I can't be the only person who feels this way.

I just can’t help but wonder about the drop off rate is for these long, multi-page survey-based signup forms. I bet it’s fairly significant. If your prospective registrant gets bored and wanders away mid-process, you’ve lost a chance to sell to him.

Flixster Wants Your Passwords

Anne Mitchell pointed me toward a post on her Internet Patrol blog about how Flixster’s “invite a friend” functionality either asks you for or allows you to give Flixster your AOL, Hotmail, Yahoo and Gmail passwords.

Then Flixster logs in to your email account, finds your address book, and sends out invites to your friends in your name from your own email account.

Flixster founder Joe G (Joe Greenstein?) posted a comment in response to Anne, confirming that this was indeed the case. He goes on to state that users are “then ALWAYS given the list of contacts and asked to select whom to invite.”

Well, that’s good. But still, yikes.

Are there still people out there ignorant enough to give out their email passwords to strangers? Joe may be trustworthy, but Joe’s still a stranger, and so is Flixster.

In my opinion, there should never be a reason to give an account password to some site other than that site itself. If that other site ever gets hacked, or if their data security is lax enough to allow employees to steal data, it’ll end up being a privacy (and spam) disaster.

This reminds me of something. Recently, SpamHuntress talked about how Myspace accounts get hacked, and it sounds similar to this. Give us your username and password so we can do something cool with your account….and then we’ll do a bunch of other bad stuff too, without your knowledge.

I am not suggesting that Flixster are a bunch of privacy thieves. I am not implying that they’re going to do something bad with your email accounts. I am, instead, suggesting that you shouldn’t give your passwords out, to prevent something like that from ever happening to you, regardless of how trustworthy the site/service actually is or claims to be.

Do you know how much it would suck if somebody hacked into your AOL or Gmail account and were able to send emails as you? It could be used to send spam to your friends and others, matched up with your saved emails to find your passwords to financial or other accounts, be used as part of a phishing scam to get bank info from other unsuspecting people.

Which blacklists work well?

Just for kicks, I've embarked upon a large spam and blacklist tracking project. Wondering how well Spamhaus works? Preliminary results are showing me that it's actually very accurate and has a much better (lower) false positive rate than every other blacklist I've tested. At the other side of the spectrum, Fiveten blocks nearly a third of desired mail, and isn't as good at tagging spam. Read more about it, and link to the actual data I'm publishing every day, over here on


From Mickey Chandler over on the SPAM-L mailing list:

I've set up a new site at using Drupal. The site's express purpose is keeping track of the public record papers involved in spam-centric lawsuits. The site is public in nature and any links to documents found on the site should be assumed to be public in nature as well.

Please do note that I'm not intending this site to be one full of commentary. It's for tracking public records associated with these cases. However, if there are any _attorneys_ out there who would like to start up a blog with commentary on the cases we're tracking I'd be open to that idea.

I've decided to start with two of the current cases out there: e360insight LLC, et al. v. Spamhaus LLC, et al. (Spamhaus) and e360insight LLC, et al. v. Ferguson, et al. (Ferguson). I'm pretty sure that I have all documents from both cases up, even though many of the ones from Spamhaus have not been OCR'd yet. If there are others, please let me know and I'll see about getting access to the files.

If someone sees a document that hasn't been put into text format and you have the time and inclination to OCR that document, then please do. You just need to register.

Gmail, End User Privacy, and Harassment

Gmail gets a lot of things right, but gets one really important thing very wrong.

I'm going to tear into Google momentarily, but before I do that, let's start with the good things. Praise before criticism, and all that. And rightly so -- I don't want to skim over the fact that Gmail has some cool features that really do take email to the next level. Here's just a few of the things that I really like about their email platform:
  • Tons of storage,
  • Easy-to-use interface,
  • Strong search capabilities,
  • Support for automatic filtering and forwarding rules,
  • Support for sending mail using your vanity email address, and
  • Free POP3 support.
I'm on a few different high-traffic mailing lists, and I wouldn't be able to manage the traffic without Gmail. Their automatic rolling up of discussion by topic ("threading") makes it very easy to skim updated discussions at a glance and decide which ones I want to participate in. Since search is Google's forte, I'm able to easily look back and see if a discussion point was already raised by somebody else in the past few months before bringing it up myself. Managing email on multiple computers with Gmail is a breeze. I use Mozilla Thunderbird on my desktop computer at home, retrieving mail with Google's free POP3 support. On the road, I have easy access to Gmail's web interface from my laptop, and from my PDA phone.

Google has done a great job with search integration into Gmail, as well as adding cool geek-friendly features like POP3, custom from address support, and the ability to set up mail filtering and forwarding. That makes sense. They've hired some of the smartest people in the world to help them imagine, design and deploy new things that people will want, even if they might not have realized they wanted them before. Often, their new features are things you don't usually see in a free webmail service.

But, Google's not perfect. Some of their views on email handling, spam, and end user privacy are out of date and extremely myopic. I think that also makes sense; a side effect of hiring a bunch of very smart people, who all think they can change how the world thinks of email, like they did (successfully) for search. In the search realm, they really did create something new and amazing. Unfortunately, email is different. There are a base set of issues that all mailbox providers (ISPs and webmail services) have to deal with, and have been dealing with for many years. It's not just about search and threading and a neat interface. It's also about: Blocking spam into their systems. Preventing bad guys from using their services. Providing guidance and feedback (both positive and negative) to people who want to send mail to Google users. These are all areas where it seems to me that Google's views are about ten years out of date.

I could go on for days here, but instead, I'll focus on the most important thing I think they're getting wrong: preventing bad guys from using their services. Google enables use of Gmail for bad things by hiding the source IP address on mail sent by their users; and it's lame. It's scary. It's outdated. It lets bad guys use their services as long as they stay under the radar. If you want to start a low-level harassment campaign against somebody, Gmail's the way to do it.

To give you a bit more understanding, let's take a walk down memory lane together. I've been in this industry a long time, and I've angered a lot of morons over the years. Getting spammer accounts shut down often draws harassment and threats. Lots of idiots think that a Yahoo or Hotmail account is anonymous. It's not. They clearly stamp all outgoing mail with the IP address showing from where the user logged into Yahoo or Hotmail. This is important, because it tells you the real ISP that somebody is harassing you from. You are then able to contact that ISP, and provide them more proof, showing what the guy's doing wrong, which helps nudge the ISP to get it stopped.

In the case of one idiot spammer, he thought it would be cool to harass me from Hotmail, not realizing that the email headers clearly told me that this "new person" was really connecting from, the same ISP that I was working to get the guy thrown off of. It turned out to be another nail in his coffin; feigning ignorance (and putting up web pages about how I'm a big meanie, and that I made it all up) while sending me harassing email from an IP address traceable back to him was ultimately what ended up getting him banned from that ISP.

(If you want to read this guy's rant about me, perform a Google search on my name, and it'll be somewhere down the list. Look for a small man crying in a loud voice about dictators and nerds. Pretty funny. That dude in particular was quite clearly a spammer, and quite clearly unhappy that I busted him for it. I'm not linking directly to him here though, as there's no point in helping his search ranking.)

Anyway, that's how it works with Hotmail. And Yahoo, and AOL, and just about any other ISP or webmail provider. But not Gmail. Google hides that source IP address, preventing you from determining which ISP the harasser connected to Gmail from. Why do they do that? I don't know for sure, but I theorize that it's done in the name of end user privacy. I take issue with that, because an IP address isn't a private piece of data. It's a license plate, not a social security number. Any website you connect to for any reason knows your IP address. An IP address doesn't trace you, it just traces your ISP. That means somebody can tell you emailed them from a computer at the Chicago Library. It doesn't tell them who you are or what books you checked out of the library. That means that somebody can tell I'm one of 25 million AOL users. It doesn't tell them which one of those 25 million users I am.

Sure, Google has record of the connecting IP address. (That goes without saying, because as I said, every connection you make to every website you visit tells that website your IP address.) And they have the cell phone number (or friend's invite) that was involved in creation of the Gmail account. If they get a subpoena from law enforcement, they'll provide this info. So, if somebody stalks you via Gmail and then actually kills you, then Gmail can do something about it. Yikes.

Problem is, that's not how most harassment works. Most of it is low level F-bombs and racist taunts sent by morons who think that the internet is untraceable, though it's not. I've been able to get people fired before for sending harassing emails from work. I can't identify them personally; I don't have to. I just contact the company and provide them the info showing the date and time and IP address of the source of the harassment. They check their internal logs, figure out who did it, and deal with it. Reprimand, training, termination, whatever their company policy dictates.

This works well, except if the harassment originates with Gmail. Because if somebody harasses you via Gmail, and it's not serious enough to get law enforcement interested in pursuing it, the best you can do is complain to Google. And hope something happens. And maybe the harasser loses their Gmail account. Which was free to begin with, and probably set up just for this purpose.

Strangely, if you post to Usenet newsgroups via Google Groups, your source IP address is included in the headers. Smarter people than me tell me that this is because Usenet is a smaller, more directly cooperative environment of server operators. Google previously found that when they didn't include the source IP address, lots of sites got fed up with spammers and harasses attacking Usenet through Google Groups, and started "aliasing out" (filtering out) all posts from all Google Groups users. This is fairly common in the world of usenet; run your site poorly and you're pretty quickly shunned by way of being aliased out, or by way of applying the Usenet Death Penalty.

How long until somebody proposes a similar "email death penalty" for Gmail? Eventually, other ISPs (and frustrated end users) get tired of not being able to track the source IP of harassment (and other bad things) from Gmail users. I'm not sure how long it'll take, but my bet is that it will happen eventually. I know I'm not the only one frustrated by their ill-conceived IP address-hiding policy, and the buck stops right at Gmail's SMTP servers.

Well-Known E-mailers Back Spamhaus in Amicus Brief

From Ken Magill, published on Direct Magazine's website:

Twenty-nine individuals and organizations have signed onto an amicus brief filed last week in support of anti-spam blacklisting service Spamhaus in its court battle against e-mail marketer e360 Insight.

Some well known, smart guys weighed in here. John Levine, as an example: “In think the court made a mistake in that they really should have figured out that Spamhaus is in London and not in Chicago,” said Levine. “Beyond that, Spamhaus is by far the facility that gets rid of the most spam with the fewest bad side effects. It would be really bad for the community if they couldn't keep doing that. … Spamhaus does try reasonably hard to make sure they don’t block good mail.”

Read more here...

You'll find the brief itself here.

e360 vs Spamhaus: Sparring in the Newsgroups

Oh boy, the things you find on the newsgroups sometimes.

Here's a link to a thread on the newsgroup where Spamhaus and E360 decided to battle it out in the court of public opinion on Friday. What's the goal here? This works to the advantage of whom, exactly? Didn't the old adage used to say that the best case to try a lawsuit was in a courtroom?

I wonder how many of these newsgroup posts are going to end up as evidence in the ongoing appeals in the whole E360 versus Spamhaus lawsuit.

Riddle me this, if you please: If Spamhaus loses their appeal, then what's the actual impact to them? That the Spamhaus folks won't be able to travel to the US? That US ISPs will be afraid to use a foreign blacklist with judgements against it? It seems like a long shot that E360 will actually silence Spamhaus, regardless of the outcome here. But, as they say, "IANAL" (I am not a lawyer), so I'll just have to keep an eye out to see what happens next.

On another note, is E360 apparently telling anti-spam activist Mark Ferguson that he did indeed sign up for email from E360. True? False? Forgery? Harvested address? I wonder if E360 will be able to produce information that ties a signup request back to the person in question.

In a possibly-unrelated item, E360 has also posted the following information on their website:
Eant et fugiant a te inquieti iniqui. et tu vides eos et et ecce pulchra imperium tuum dehonestaverunt,distinguis umbras, et ecce pulchra imperium tuum dehonestaverunt, a caelis usque.aut in quo imperium tuum.