EmailAppenders Has a Question

"Is there anything wrong with collecting business cards and selling the list?" -- Ian Cooper, president of new business development for EmailAppenders.

Yes, Ian, there's something wrong with everything you do. You enable people to send spam. Not exactly something to be proud off.

Michigan State to student: Political e-mail is spam

If you're mad about how something is run at your school, is it OK to spam 391 people complaining about it? If the school is Michigan State, the answer is no. (And it's an answer I agree with.)

Ken Magill, Laura Atkins on Zoominfo

Zoominfo -- a company that has created some sort of business contact database where you (you probably being "spammer") can buy lists of email addresses. Ken Magill talks about them here, quoting deliverability consultant Laura Atkins at length.

Here's my take on this.

Spam from Postini Servers

John Levine reports on yet another example of spam received from the servers of spam filtering service provider Postini.

Gmail Tempfailing

Word on the street is, if you're running an MTA that utilizes pipelining aggressively, you're probably having trouble sending email to Gmail right now.

Here's an example of the error message received when messages are being deferred: (host[] said: 451 4.5.0 SMTP protocol violation, see RFC 2821 (in reply to end of DATA command))

The issue is clearly affecting people running Postfix. I'm unclear on whether or not it is affecting others.

More on the issue, including a fix for Postfix users, can be found over on the Word to the Wise blog.

Backscatter Goes Mainstream

Quick Link: Looks like Backscatter, the annoyance of bounces you receive in response to something somebody else sent (usually spam), has finally made its way into the public eye. USA Today Reports: 'Backscatter spam' gums up many e-mail inboxes.

Tell me about this new opt-out list!

Over here, email marketer Dylan Boyd talks about the the DMA's "launch" of an email opt-out site.

What, you mean, eMPS? That thing that has been around since at least 2005? Actually, since 2000. This is just the same old thing in a shiny new wrapper.

Not only is this thing not brand new, it's not worth the pixels it's printed on.

Think about it. If you only send email to people who explicitly ask for it, then why do you need to work with an opt-out registry? Track who have opted-in to your own list, track (and remove) those who choose to unsubscribe, and that's pretty much all you need to do.

Also, you need to ask yourself, what does compliance with this opt-out registry get you? It's not mandated by law, nor could it have any observable impact on your ability to send email.

What does Spamhaus say about eMPS? "[We know] of no U.S. firm using the DMA's eMPS service that isn't automaticallly by definition a firm sending spam, since the sole reason for users to need to opt-out of bulk email advertising they did not opt-in to is because the sender is sending without consent, i.e: any DMA member that is using eMPS is using it because he is sending Unsolicited Bulk Email, i.e: Spam."

If you send spam, you're going to get blocked, filtered, and blacklisted, even if you use this kind of list. If you don't send spam, you don't need it, as opt-in permission overrides opt-out suppression.

Explain to me once again, what the merit of this thing is? I'm not getting it.

Tracking Spam From "Nett Solutions"

Do you get a lot of spam like this? I do:

Your current website is very strong although we believe your visibility could be greatly improved. We would love to give you a free site review and guide you in how to get more targeted web traffic to your site. Email us today at (gmail account) and we will give you a free analysis. Be sure to include your URL(s) and where you would like us to reach you with results.

The mail is invariably routed through open proxies or bots, and it's pretty darn near anonymous. The only point of contact is some random Gmail account.

It dawned on me after receiving many of these messages, that they are all written very similarly. That suggests to me that it's one person or group sending most of them (to me, anyway). I wasn't quite sure how to track these guys down, so I decided the direct approach was best.

I emailed one of these Gmail accounts, and told them I was interetested. I wanted to learn more. I asked them to contact me. I left no phone number; the only way to get back to me was my email address.

Shortly after, my work number started receiving calls from an unrecognized number. That particular work phone number just routes straight to my voice mail. It's set up to catch people who try to get ahold of me by working the automated phone directory at work. (Meaning, if you're calling me at this number, you probably don't know me.) The calls are logged, the voice mails come to me in email, and I have a record of who called me from where. In this case, the calls were coming from (949) 330-7464.

I didn't return the calls. I waited and figured that eventually, they'd email me. And, they did.

From: Travis Mailhiot []
Sent: Friday, September 12, 2008 10:43 AM
To: me
Subject: Getting back to you - Google & Yahoo!

Hello Al,

You requested a free website analysis to determine how we can improve your positioning on Google & Yahoo!.

We have been trying to get in contact with you to make sure we fulfill your request.

Give me a call here in the office ASAP so we can help you. We are in CA on PST and I can be reached until 7pm EST M-F.

I will continue to call, however you have my info and feel free to give me a call.

I look forward to it. Have a great day.


Travis Mailhiot
Account Executive
Direct - 949-330-7464
Fax - 949-330-7091
Email -
Website -

The mail came from []. And now, I know who is behind the spam, and I have full headers from them, a complete email message, tying it back to the pseudononymous spam that I've been receiving.

I don't know if Travis Mailhiot is just one of many people at this company trying to build leads through spam, or if this is the modus operandi of the entire company.

However, I do know who to submit to various blacklists, now.

If you're receiving spam like this, start responding. Ask them for more info. Wait and see who responds. There's a good chance the responsible party will be revealed.

(Also, if you're really looking for help with search engine placement and optimization? Look elsewhere. If these guys use spam and proxy abuse as their lead generation process, I can only guess what kind of worst practices their actual search optimization process likely include. I used to help clients with search engine optimization, and I've talked to multiple companies who have learned the hardway that hiring somebody who utilizes bad tactics can result in your website getting banned from Google or Yahoo's index. Not good.)

10/19/2008 Edit: Here's a bit more on Nett Solutions, information found and shared by a fellow spam fighter. Nett Solutions: SEO company pretends special deal with Google. Ripoff Report: Nett Solutions. SEP/SEO Spam: Nett Solutions discussion on Yahoo Answers.

Authorities Shut Down Spam Ring

From the NY Times:

The Federal Trade Commission won a preliminary legal victory against what it called one of the largest spam gangs on the Internet, getting an Illinois district court on Tuesday to freeze the group's assets and order the spam network to shut down.

The group, which used several names but was known among spam-fighting organizations as HerbalKings, sent billions of unsolicited messages to Internet users over the last 20 months, touting replica watches and a variety of pharmaceuticals, including weight-loss drugs and herbal pills that supposedly enhanced the male anatomy, according to the FTC.

This is wild. This a big deal; these guys were responsible for tons of spam.

Of course, nature abhors a vacuum, so I wonder if this will have any long term impact on the volume of spam out there. Maybe not. We shall see.

Message Timing FAIL

____ sent me an email today. ____ "would like feedback on my recent order."

My recent order. The one I February.

At first I thought it was spam. I didn't recall ordering anything from this company. I almost reported it as spam, until I decided to look through my archives, and I found information that reminded me of my order back then.

I suspect that I'm probably one of the few people who decided to bother to look closer before reporting this message as spam. That's why relevance and timeliness are so important if you want to get your email delivered. Send an email eight months late, and people are not going to remember who you are. They'll report it as spam, you'll get lots of complaints, and your ability to send mail will suffer.

Spam from Randolph Wine Cellars

A few weeks ago, I got spam from some wine store I had never heard of: Randolph Wine Cellars. Located in Chicago, it looks like a neat place, from their website. Except for one problem: They seem to be spammers.

There's a twist to this story, and in fact, it's what helped me catch them as spammers. See, Randolph Wine Cellars spammed me at an email address I gave only to Uncommon Ground, a local restaurant and bar. I know the date and time I gave it to Uncommon Ground, and I know exactly how it was an address I gave only to Uncommon Ground.

At first I thought Uncommon Ground was to blame. After all, a lot of people don't know that it's bad to sell email addresses. It turns out, from what I can tell, that this wasn't Uncommon Ground's fault. I've talked to a bunch of different people, including Michael Cameron, who owns Uncommon Ground, along with his wife. Michael's a nice guy, and the discussions we've had on this topic have gone well. He's not happy about email addresses on his list ending up on somebody else's list. My understanding is that this is not something that he engineered, advocated, or allowed. And I believe him.

I'm glad of that, because I don't do business with spammers. I am actively anti-spam, and I shun and shame spammers. I also report them to blacklists. My day job is educating list managers and companies on how not to be spammers, and throwing spammers off of my employer's network. Spamming me is not a smart idea.

When this first happened, when I thought it was Uncommon Ground's fault, I was really upset. Because the Uncommon Ground on Devon, near my home, is a really good restaurant and bar. My girlfriend and I love their food, love their commitment to local and organic foods, and we love the vibe. The location is great. We usually walk there when we go. But, I don't do business with spammers, so I thought we weren't able to be able to go back. Now that I know this wasn't Uncommon Ground's fault, we have been back there, and I heartily recommend that any of my Chicago readers visit Uncommon Ground as well. I've never had a bad meal there.

Of course, I didn't just take Michael's word for it - my own investigation, my own discussion with other parties involved, has led me to believe that Uncommon Ground wasn't behind this.

I'm going to have more on the Randolph Wine Cellars side of this story as my investigation progresses. Stay tuned for that.

In the mean time, let me ask you this: Who in their right mind thinks it's OK to buy or sell email addresses?

I signed up for emails from Uncommon Ground because I wanted to get emails from them. I did not sign up for emails from Randolph Wine Cellars, and I have no interest in receiving information about them. I don't know who they are, and in fact, the main thing I now know about them is that they sent me spam. That doesn't make me trust them, nor does it make me want to do business with them. Quite the opposite. It makes me distrust and dislike them. Spam is a sneaky, unethical, and underhanded way to advertise. Why would an ethical company send me spam?

Blocking list BCP and Dead DNSBLs

Over on DNSBL Resource, I posted a quick rant and link to the DNSBL best practice draft document. This BCP ought to be required reading for any current or future blacklist operator.

Spammers: SambaMail and The Data Supplier

Are you looking to buy a list? There’s no faster path to being identified as a spammer. If you’re looking to damage your ability to send mail, or if you’re looking to damage your online reputation, then this might be for you.
Check out The Data Supplier. One billion email addresses – only $795. Comes with:
  • 15 Million Companies Emails
  • 3 Million Fresh Bulk Emails
  • 8 Million Worldwide Emails
  • 9.4 Million Misc Emails
  • 250K Germany Emails
  • 1 Million Yahoo Emails
Gosh, what a value! If you want to send email to people who didn’t sign up to get emails from you, and if you want to get reported as a spammer.
So, where are you going to send your spam through? Legitimate email service providers would cancel your account within seconds of trying to send to lists like this.
Never fear! SambaMail to the rescue. Their FAQ helpfully explains: Can I rent or buy an email list to use with the service? service can be used with third party email lists, as long as they are opt-in. All lists purchased from our partner are considered opt-in lists.
Here’s a hint: Somebody calling something an opt-in list doesn’t make it an opt-in list. I could call a Honda Civic a Range Rover, but truth is, the Honda is still a four door sedan. These are spam lists, and if you use these lists, you’re spamming. It’s clear that SambaMail is okay with spamming. Yuck. If somehow you're a legitimate company, sending only to your customers, using SambaMail, my recommendation is to run away, and fast. Since they allow spam, ISPs and blacklists will go after them, and your legitimate non-spam mail will get caught in the crossfire.
So, who are these guys, anyway? Who knows. Looking up who owns their domains, I see that they’ve masked their contact info. Would you really do business with somebody who tries to hide who they are? Yet another sign that these people aren’t exactly ethical or trustworthy.
The Data Supplier tries to reassure visitors that it's OK to send spam: Is it legal to send email to the lists and what about the CAN-SPAM Act? Sending bulk email is legal as long as you comply with the CAN-SPAM Act. The CAN-SPAM Act basically states: 1) Your email's "From," "To," and routing information must be accurate and identify the person who initiated the email. 2) Your Subject line cannot mislead the recipient. 3) You must have an Opt-Out method. 4) You must identify your valid postal address.
That's bad advice, and completely wrong. They're misrepresenting what the law actually says, and they're leaving out important details, things like how every ISP will block you, no ISP wants this mail, and you'll probably end up getting threatened or sued if you buy and use these lists. The Data Supplier doesn't care. They'll be long gone by then, probably having changed names ten times and using new, different PO boxes in some other state.
This is yucky on every possible level.

Ask Al: Help! Am I blacklisted?

Celso writes, "Can you please help me verify that my IP addresses are not on any blacklist?"

No, I cannot, Celso. And here's why: You're going to be on somebody's blacklist somewhere. The IP address you use, the domain you use, they could be on anybody's blacklist anywhere. Even if you're not a spammer. Some blacklist maintainer could be mad at your ISP or their upstream provider, or they could be trying to list anybody who is associated with some company because they don't like that company.

Forget that. Whether or not you're blacklisted, that is the wrong question to ask.

What you need to ask yourself is: Where is your mail being blocked?

When you look at bounces, what are you seeing?

Are you seeing bounces that refer to a specific blacklist issue?

Are you seeing LOTS of bounces referring to some well-known blacklist?

If you're not answering "yes" to one of the questions above, then I wouldn't worry about it.

If the IP address you use to send mail is on Spamcop, Spamhaus, or UCEPROTECT, then you might have a problem. Being on any of those blacklists tends to indicate a real spam problem, and suggests you need to figure out what's going wrong, and you need to fix it.

But, there are a lot of blacklist lookup tools online that include tons of other blacklists-- including a number of blacklists that aren't widely used to filter mail. In short, they don't matter. Or the lookup site include blacklists that are long since dead. Or they do other things that don't exactly fill people with confidence. What really matters is what impact a blacklisting has on your ability to send mail. Being on "the blacklists" themselves is not the real problem.

As always, if you have a spam problem, you need to address it. Spam is bad. Stay away from spam, and you'll stay away from the blacklisting issues that can cause real trouble. And keep in mind, being listed on some tiny little blacklist you've never heard of does not mean you're ever going to see an email get bounced as a result. Look at APEWS -- well known ISP administrators openly refer to it as a joke, and nobody uses it to filter spam. Is an APEWS listing a problem? In short, no.

It all boils down to this: Not all blacklistings matter. Keep your nose clean (don't allow or send spam), watch your bounces for blacklist references (meaning you're on a blacklist that actually has an impact), watch for and deal with spam complaints properly, and you'll be just fine.

Uncommon Ground Post

I took down my post about Uncommon Ground while they look into the matter of the email address I gave them ended up in somebody else's hands. I'll repost, revice or replace it as more information becomes available.

Virginia Spam Law Overturned: Doesn’t Matter

Hey, there’s been a lot of news floating around out there about how we’re all doomed to suffer from more spam because the conviction of Jeremy Jaynes (aka Gaven Stubberfield) for sending illegal spam was recently overturned.

What it boils down to is this:

  • This applies to the Virginia State Anti-Spam Law, not CAN-SPAM.
  • This law predates CAN-SPAM anyway.
  • As John Levine says, “For everyone except Jeremy Jaynes, this decision has little or no effect.”

It’s not a license to spam, by any means. The US Federal Anti-Spam Law, CAN-SPAM, is still out there and still in force. Bad guys will continue to be prosecuted under the federal law. ISPs and the FTC will continue to chase down the most egregious offenders.

Though, for the record, the court did get some bits of it irritatingly wrong. An excerpt from the court’s ruling states: [The law] would prohibit all bulk e-mail containing anonymous political, religious, or other expressive speech. For example, were the Federalist Papers just being published today via e-mail, that transmission by Publius would violate the statute."

I couldn’t disagree more. There’s nothing stopping a future Publius from signing up for an anonymous Gmail account, or a blog, and explaining his viewpoints to the rest of the world, from his own anonymous soap box. Many thousands of anonymous inhabitants of the web do this every day, and it never was illegal, and isn’t now illegal.

That's nothing like what Jaynes did, however. His actions were far less noble. As an example, he was fond of doing things like forging the email addresses of unrelated parties into his spam runs. That’s more like writing your ex-girlfiend’s phone number inside the bathroom stall at your favorite watering hole-- you’re drawing complaints and harassment toward her. The same thing happens when you forge addresses into your email messages. Bounces go somewhere, but not back to the sender. They beat the snot out of whatever email system is being used by the unsuspecting owner of the falsely referenced email address. They draw spam complaints and threats to unrelated parties. It's an awful thing to be on the receiving end of, in any context. It's scummy, and it's (rightly) illegal.

But, as Quentin Jenkins of Spamhaus points out, “Considering that the vast majority of spam--over 90%--is already criminal due to its delivery via botnets, and that ISPs in the U.S. already are explicitly permitted to make spam-blocking decisions without recourse by the sender, Spamhaus expects that this decision will have no noticeable effect on most inboxes.”

I agree, and that’s why this adds up to a whole bunch of nothin'. Same as it ever was, as J.D. Falk says.

Friday Funny: Give Her Big Meat

My favorite email/spam-related blog, Box of Meat, points us toward SpamBLR, a site that takes spam subject lines and uses them for inspiration for funny and strange photo-montages and drawings. Give Her Big Meat, a fairly typical (and drab) spam subject line, is handled in a very funny, very atypical way.

Ken Magill Defends Blacklists

Read all about it:

Translation: Though Davidson's end was shocking, that a spammer would resort to violence was not. There are a lot of Eddie Davidsons out there, and Linford and other Spamhaus volunteers deal with them every day — and not without risk.

[...] Spammers [...] aren't just a nuisance. They're a cancer on society. And Linford has taken it upon himself to do something about them.

The overall tone of the article is a fair one, an accurate one. We need blacklists, and we should support blacklists, with reservations (as needed). Not a bad stance.

On Political Speech, DOI, and Mr. Poopyhead

Ken Magill (or shall I say, Mr. Poopyhead) makes a funny, yet very insightful point, in his recent article about an email he recently received from the Obama campaign. His article is fun, and silly, and it accurately highlights what can go wrong when you don’t confirm or verify information received from a web form.

Godaddy misusing the PBL?

According to Justin Mason, domain registrar (and email/web hoster) Godaddy is misusing the Spamhaus PBL: Using it as a URL filter. This is where you convert a URL hostname to its IP address, then look up that IP address (or its nameserver) on an IP-based blacklist. Great idea. I do it with the SBL. It's a horribly bad idea for the PBL, though, because the PBL is not meant to be a list of things that aren't allowed to have web servers. Using it this way is going to cause false positives like mad.

Ow, my Irony hurts!

Hey, what? Did I really just read that?

An email appender sending out a press release about how to combat spam?

Wait...the company name sounds familiar. Is it the company Ken Magill talks about here?

Ha. Methinks somebody is trying to spread some fluff around in an effort to modify what people find about them when searching online.

What is a Sender?

Somebody just asked me what I mean when I say "sender." I often refer to senders in contexts like this: A good sender should always do X. Somebody who does Y will always be labeled as a bad sender.

In my mind, a sender is simply somebody who sends email. Someone who causes email to be sent. If you are a list manager, a marketing manager, a list owner, or anything along those lines, you're a sender. If you have a list, people sign up for that list, and you send to that list, you are a sender. I'm a sender, through the list I set up and manage for my friend's jazz club.

On the other side of things, you have "receivers." A receiver is somebody who receives email. AOL and Hotmail and Yahoo are receivers. I tend to use the term "receiver" instead of saying internet service provider, because some sites that handle email only provide email access (webmail, for example), and don't actually provide internet connectivity.

I hope that gives a little more insight as to where I'm coming from when I use terms like sender and receiver.

More on Pizza Hut

Dylan at email service provider eROI points out that Pizza Hut's email sign up process is substandard: You have to opt-in to receive emails just to order a pizza online.

This is seemingly another sign of people who have ... interesting ... ideas about email best practices. Here's another FAQ question for my imaginary best practices FAQ.

Question: We want to grow our lists aggressively. Can we make people opt-in to receive emails from us when they register or make a purchase online?
Answer: You could, if you like pain. If you make people opt-in, you end up sending them emails they don't want. They report those emails as spam, and ISPs like Hotmail and Yahoo will come down on you like a ton of bricks.

Here's the deal. Recipients are looking to you to be a good list mom. Don't force people to get emails they don't want. Don't send emails people didn't explicitly sign up for. If you fail to be a good list mom, the ISP steps in and does it on your behalf. Look back to what I wrote in January: A sender started sending me extra emails. Made it hard to unsubscribe. What did I do? I marked the mail as spam, and appropriately so. If enough of us pebbles (recipients) vote that mail to be spam (and we often do), an ISP decides that the sender is not being a good list mom, and stops putting their email in the inbox.

This process is repeated thousands of times a day across hundreds of internet service providers.

Don't Spam to Apologize for Spam

The Consumerist headline says it all: Pizza Hut Sends Unsolicited Email To Apologize For Sending Unsolicited Email

Or does it? Let's talk it through.

Look, I can see something bad happening accidentally. For as many email platforms I've worked with, there are just as many ways to accidentally send the wrong thing to the wrong list. I've seen it happen more than once (far more than once). And since CAN-SPAM came into effect, sometimes a legitimate, non-spamming company has to do things like receive a suppression list (and keep it, and use it as such) from another company, if they're going to advertise that company's product. (Example If a pizza restaurant chain were going to send out an ad that advertised a specific cola, they'd probably be required, under CAN-SPAM, to take the cola company's suppression list and ensure they send no email to anybody on the list. The transfer of data involved irks me, but it can't always be avoided.)

So, sometimes somebody will send an email to the wrong list. Or to a list of people that was never intended to be mailed. People who didn't opt-in to receive emails from that company, or didn't opt-in to that list. What do you call that? Spamming. So, if everything I've read is correct, then Pizza Hut apparently spammed people.

That sucks. That's not good. But, they recognized that they made a mistake. They fixed whatever happened, and hopefully, it'll never recur. Great? Great. Almost....

Almost, except for the fact that they spammed again to apologize for their original act of sending spam.

I don't know who served the Pizza Hut email; if it was some internal system or some email service provider. But, if it was sent via an email service provider, and if they have an online help section, there apparently needs to be a FAQ question & answer like the following:

Question: We accidentally emailed people we don't have permission to send email to. Should we email them an apology?
Answer: No. You don't have permission to email them to begin with. Sending them email is sending spam. Don't send spam! The way to fix an accidental spam issue is not to send more spam intentionally. Vet your practices, fix your issues; stop retaining data you shouldn't be retaining. But, do not send more spam!

It seems me. Apparently not everyone sees it that way.

ReturnPath Buys Habeas

ReturnPath has purchased Habeas, according to all of the industry sources in the world, all of whom have sent me separate emails giving me a heads up about the acquisition.

Let the goofy haikus commence! My favorite:

It took Habeas
Millions to figure out that
Haikus don’t pay off

Also, don't miss Ken Magill's take on the sale.

Political Sending Reputation

Ever wondered what the sending reputation was for your favorite presidential candidate?

Here's the IP addresses and Sender Score ranking for the last three mailings I've received from each of them. The Sender Score number was noted at the time I originally received the message.

Candidate IP Score
Barack Obama 80
Barack Obama 70
Barack Obama 70
John McCain 65
John McCain 55
John McCain 65

A higher Sender Score number is usually considered better. Looks like very generally speaking, Obama's sending reputation may be a bit higher than McCain's. Of particular concern to me is both candidates seem to be mailing from multiple IP addresses. Why is that? I hope it's not to avoid blocking.

Beware the Fake News Spam

Terry Zink reports on the most recent ball of spam that he (and most of us) have been receiving: Fake news alerts that claim to be from CNN.

Yahoo Insights and Subcriber Engagement

Mark Brownlow talks about Yahoo's take on subscriber engagement here. After you read that, check out Mark's more generalized theory on what ISPs consider when determining whether or not email is unwanted. Comments from Yahoo's Mark Risher confirm what many of us already knew -- subscriber engagement matters.

Anti-spammers and deliverability people both get hung up on opt-in (alone) sometimes. A sender will say, this mail is opt-in, how dare an ISP choose not to deliver it. Various blacklists will harp on confirmed opt-in (alone) as the sole arbiter of whether or not mail should be delivered.

Truth is, they're both wrong.

Sure, opt-in matters. Your mail has to be opt-in, and confirmed opt-in is the best way to do it. If your mail isn't opt-in, all bets are off.

But, ISPs care about *more* than just that. They're figuring out whether or not recipients care about mail from any given sender. If the people on your list don't care about your mail, the ISP doesn't care about your mail, and that doesn't bode well for your ability to deliver that mail.

List Reconfirmation Example

Hey, fellow anti-spammers: "Re-Engagement Strategy" is what email service providers or deliverability people would call a reconfirmation email or a permission pass.

DJ Waldow has a good write up over on Bronto Blog of a recent re-engagement email he received from It's chock full of good tips you should share when you're working with some list manager having problems, and you want to convince them to reconfirm their list.

Ken Magill on the Eddie Davidson Coverage

Ken says what I'm thinking, as is often the case. Spam bad? Yup. Davidson a scumbag? Yup. Happy about a murder suicide? Nope. Happy about just the suicide? Nope, never.

All I can say is, if you can crack jokes about this guy killing himself and/or others, then you've never had to deal with the aftermath of a suicide. It's horrible, it's gross, it hurts you, it chews you up, and you never forget it. It's not something I would ever wish on anyone, worst enemy or not.

COI Can't Protect Against Stupid

Here's a tale from Matt Blumberg, CEO of ReturnPath, on how confirmed opt-in, aka double opt-in, isn't necessarily enough to 100% prevent spam complaints. Why? Because there's no fool proof guard against stupid. The stupid, in this case, comes from the recipient. The recipient who signed up, CONFIRMED, then went on a rampage of idiocy hassling Matt's wife and making threats. Over mail he signed up for, with confirmed opt-in.

Matt kindly decides against outing the waste of space responsible. Which is a shame, as they deserve to be outed.

Oddly enough, this reminds me of my days back at the Artists' Quarter in St. Paul, MN. Occasionally we'd have a patron who would go off the rails. Decide they don't like the music, or the guy next to them, or the phase of the moon. They'd start inappropriately shouting, yelling, poking at people around them, the bartnder, waitresses, door man. On the few occasions that I observed this, my solution was to physically eject that patron from the club, at whatever level of effort it took. In my estimation, this was the right solution. If you're an idiot, you forfeit your right to hang with us, and it's not inappropriate for me to push you out of the circle.

Sadly, it's probably not possible for ReturnPath to force this guy off of the internet. But if I were Matt, I'd probably be sure this guy never received a piece of ReturnPath-related email ever again, no matter how he signs up or verifies consent.

Backscatter in Detail

Backscatter has long annoyed me. But, I've been even more annoyed at the lack of comprehensive information online explaining exactly what backscatter is, and why it sucks. Without material to reference, it's hard to explain the problem to others. Thankfully, this is starting to change, as more savvier email administrators learn about the problem of backscatter, and share their expertise with the world.

Here's a great example of that. Terry Zink of Microsoft's Exchange Hosted Services has done a very detailed write up on backscatter. What it is, why it happens, what you can do to prevent it, and more.

Let's start at the end. Terry writes:

  • Don't make the problem worse by contributing to it:
  • Don't accept mail, and then bounce.
  • Don't use Challenge/Response, and don't allow your users to, either.
  • Configure your virus scanner to silently strip or discard viruses/worms instead of sending a notification back to the sender.
  • Don't run autoresponders, out-of-office notifications, etc. (Or maybe you only send auto-responses to senders who pass a DKIM or SPF check.)

After you've read and digested that, I recommend reading the rest of the series:

Terry's my hero for taking the time and spending the effort to document the backscatter problem in this much detail. Thanks, Terry!

Dear MediaPost (x4)

Dear MediaPost,

Was it really necessary to send me, "Oh noes! Your subscription expires today!!" four times, today?

Come to think of it -- was it really necessary to send it at all? Since it's a fake construct, attempting to push people to click through and provide profile information, and it actually has nothing to do with the ability to send me email messages?

I trust that since my subscription is "expiring," this'll be the last message I receive? Please?

When Terminology Attacks

I was reading a mailing list today, as I often do. Some random guy, nobody I know, he posted a request for help. He said, more or less: "Hey, blacklist XYZ has listed my double opt-in server. What should I do?"

Approximately 13 seconds after posting, he was verbally attacked in response. He was accused of being a spammer, and ridiculed, for daring to use such a term as "double opt-in."

That's what actually happened. What could have happened instead is that they could have congratulated him, or at least made mention of how good it was, that he is actually utilizing confirmed opt-in.

Instead, a discussion forum made up of supposed thought leaders, people who actively work to stop spam, accused the guy of being a spammer. They didn't accuse him of being a spammer because he sends spam -- but instead, they called him a spammer because he used a term that they do not like.

What's wrong with this picture?

E360 Failure Update

Ed Falk on E360 dropping lawsuits with prejudice (meaning E360 cannot refile).

Mickey points out that E360 reached a settlement agreement with Mark Ferguson but not with the others. I wonder what that means. Is Mark on the hook for something, and perhaps he should have just waited it out? Or does the settlement amount to both sides closing their mouths and getting on with their lives, as is often the case? I guess we won't know until and unless either party decides to clue us in.

Do you want to fund the lawsuit?

Mickey Chandler asks, "Do you want to fund the lawsuit?" Meaning, if you're splitting the hair very thin to make the case that what you're doing *must* be legally compliant, ask yourself: Do you really want to be that edge case that gets pulled into court? If not, do the right thing and back away from the edge. It's not about what you can get away with under the law. It's about following best practices, not sending spam, making it easy for people to unsubscribe, and doing what ISPs want.

If you're asking yourself, how close can we get to the line without stepping over, it may well be that you're asking the wrong question.

The "Report Moron" Button

Terry Zink blogs about the necessity of a "Report Moron" button. Ha.

Offers You Can't Refuse

Dylan from email service provider eROI talks about how he got an offer to sign up for services from a competing email service provider.

And, as Dylan puts it, "they are using my emailROI email address that I stopped using over 4 years ago. And this sender is something that I have never heard from before in my life nor have I got emails from them before."

Yikes. Spam, anyone? Read all about it here.

MAPS: Ancient History

Check out this very old presentation about the Mail Abuse Prevention System (MAPS) , from October, 2000.

I had already left MAPS at that point, but apparently, my personal brand was strong enough to leave my name in the presentation, as it indicates that RSS was created by me.

Also, I designed that presentation template, as well as the MAPS logo and logotype of the time. Oh, how horribly dated it all seems today.

MAPS created the first Realtime Blackhole List (RBL), the very first DNSBL, way back in 1997. It's hard to believe that anti-spam blacklists are over ten years old!

One of MAPS other blacklists, RSS, was a re-branded version of my original Radparker Relay Spam Stopper (RRSS) blacklist, which I first shared with the world back in May, 1999.

The EEC/Zinio Affair

Insight on the topic (and thoughts on industry leadership issues) from Ken Magill and Laura Atkins.

Postini Bug and False Positives

Ben at MailChimp takes us through it:
  • Postini causes wanted mail to not be delivered.
  • MailChimp tries to work with Postini.
  • Postini rather lamely says, "Yeah, they're known spammers."
  • MailChimp pushes hard enough and long enough that Postini actually looks into it.
  • And finds that it is an actual, honest-to-goodness bug where Postini is mangling mail headers. (Oooops.)
Remember what I was saying about how better spam filterers actually work with senders?

This is a perfect example of the type of situation where glazed over eyes and closed ears on the part of the spam filterer is unhelpful and useless. Postini was incorrectly labeling that mail as spam, and falsely calling somebody a spammer. But it took a lot of pushing to get to that point, before Postini actually investigated and admitted that they were at fault. It makes me wonder, "Does it make good business sense, does it make for a smarter and better spam filter, if you just assume everybody who asks you for help must be a spammer?" I don't see how it does.

(H/T: Word to the Wise)

Thanks, James Gordon

Remember James Gordon? The guy who sued Virtumundo, and lost? If you don't remember, here's some history: Ken Magill laughs at Gordon here. Mickey Chandler talks about it here. Ed Falk talks about how Gordon lost so badly that Virtumundo was awarded legal fees.

Behold the Box of Meat

Might I recommend you check out J.D. Falk's "Box of Meat" blog? It has rapidly become one of my favorites, the blog I check first when it's time to start reading my way around the blog-o-sphere. Quick links (and insightful one liners) take you straight to the articles you need to read. (And I'm not just saying that because he links to articles here every once in a while.)

Sender Complaints about Spam Filtering

Laura Atkins of Word to the Wise covers the topic capably, covering both sides of the ISP/blacklist filtering coin. Here’s my take on it, based on my experiences working both as a blacklist operator, and consultant working with senders on how to improve delivery by doing the right thing.

On one side, you have the Inbox Monsters – senders who care only about getting to the inbox. They don’t care about best practices, they don’t care about opt-in, and they think every filtering decision that impedes their inbox delivery must be a mistake, because, in their opinion, everybody wants their mail, even if stats suggest otherwise.

On the other side, you do you have spam filters that occasionally misfire. And you have some filtering companies that are notoriously unresponsive to requests for clarification or assistance with listings (companies like Postini and Barracuda). Do spam filterers owe it to senders to have a contact point, a web form where senders can reach out and request assistance to address a spam filtering issue?

Of course not. Filterers, ISPs, and blacklists are free to decline any sort of contact with the sending world. I don’t blame some of them for working this way; there are a lot of bad senders out there, and I am sure any sort of “sender help line” receives 90% lies all day long, every day. “Sure, that list is opt-in!” “No, we would never buy a list!”

But not all senders are Inbox Monsters. And sometimes spam filters do misfire. Sometimes, even if they didn’t misfire, a sender would benefit from a bit of clarity over what actually went wrong; what send practice or list hygiene failure actually caused the block. This is useful information that helps guide senders on how to clean things up and keep the problem from recurring.

And think about this: Who are the most successful, most respected spam filterers out there? The ones with the happiest customers, the ones with the best reputations? They’re the ones who actually talk to and work with senders to resolve problems. Entities like Spamhaus, AOL, Ironport. MXLogic, MessageLabs and Frontbridge. They’re all easy to talk to; easy to work with to resolve issues. They have staff and/or procedures for reaching out when there’s a filtering or blocking issue. They seem to want to help senders succeed, understanding that it results in less spam for them to have to filter, and it results in a lot fewer filtering misfires.

If you run a blacklist, make filtering decisions for an ISP, or sell a spam filtering service or appliance, ask yourself this: Do you work with senders? Do you help senders? Or are you rude to them, or do you ignore them?

I’ve observed that filterers that ignore senders, or are rude and short with them, tend to be less successful. Talking to senders doesn’t mean one has to bend to the will of every (or any) sender one talks to. But that dialog is valuable. Learning more about how senders work, what senders are actually doing provides valuable insight that helps making filtering efforts more successful.

On Blog Etiquette and Content Ownership

It's time for a friendly reminder:

It's not cool to steal content from somebody else's blog to put on your own.

If you're quoting 98% of somebody else's blog post on your own blog, you're pirating their content.

A quick excerpt and a link? Those are awesome. All bloggers, authors aspiring to share their message with the world, love and respect the shout out. Thanks for sending traffic our way. Thanks for telling us that you've enjoyed something we've written, enough to point it out to others.

But there are way too many people out there who take an entire blog post and quote it on their blog. When you do that, you're stealing our content, and you're stealing our traffic.

Tracking the traffic to my blog and to its specific posts, and tracking the comments I receive in response, these are how I measure the value of my blog. This is a strong component of how many bloggers measure the value of their blogs. If you duplicate my content elsewhere, you are impeding my ability to measure. People might visit your site and see only your copy of my words, and not see the copy on my site. That means that I don't see the traffic. People might comment on the copy on your site, and not mine. I won't see those comments. You confuse Google, and you risk search engines ranking both of our sites lower based on the perception of lesser value due to duplicative content.

Stealing content like that is not fair, nor is it right. It doesn't matter if you think we're over reacting; the law is very clear. I own those words, the contents of everything I post; you do not. I get to control what happens to my content, and you do not. Duplicating entire posts goes far beyond "fair use" and is potentially legally actionable.

Perhaps I'm a bit more familiar with copyright law and fair use guidelines, and the importance of ownership of one's writings, because I live with a writer (and I worked in print before I came to the online realm). I don't think I'm that out of the norm, though, and it does bum me out to people not pay attention to the rules.

My recommendation is that if you ever find your content substantively duplicated on another site, file a DMCA take down notice with the site owner. If the site owner ignores you, file a second one with the ISP. The ISP (or upstream) will usually not ignore it, and they will often take the entire site down, if the site owner doesn't comply.

My apologies if you feel that sending a DMCA notification is a draconian measure. I can understand -- I myself have been on the receiving end of baseless DMCA takedown requests -- but this is an actual, legitimate use of the law. These are real copyright violations. And a site owner or content publisher is given an opportunity to rebut the allegation and hold their ground, if they are doing something they feel is defensible.

(BTW, this problem is essentially why I set the RSS feeds for my sites to only show only the first bit of a post, and not every entire post. This is because there were a couple of lame, fake anti-spam blog sites out there that aggregate content from RSS feeds without asking, and were posting entire copies of my posts without my consent. Besides chasing after the sites to knock it off, I modified my RSS feeds to make it less easy to automate content theft.)

My apologies for the off-topic rant. We'll return shortly to our regularly scheduled topics.

Jam Productions

I figured I'd use this space to note for posterity that I've now unsubscribed from emails from Jam Productions for a second time now. If they continue to send me emails after this carefully logged unsubscribe request, whoa boy, sit back and watch the fireworks start to fly.

You Gotta Fight!

"You gotta fight!
For your right!
To connnnnnnnnnnnnnnnnnnnnntact!"
-- Beastie Boys (sort of)

Regarding the ongoing saga of E360 versus the Entire Universe, it looks like E360 has put out a press release explaining that they plan to soldier on.

The subheading ("E360 Continues To Fight For Its Rights To Communicate With Its Customers") and a lot of the subsequent exposition make mention of E360's customers and how the world is interfering with their ability to email their customers.

Wait a minute. All the people receiving this mail, they're customers? There has been paid consideration given, in either direction? These people all purchased something from E360 directly?

From what little I can tell, that doesn't seem to be the case. I don't know how E360 compiles their lists, but I can theorize, based on what I've read and what I know about the industry. I do know that people who are mailing direct customers tend not to have to issues sending to Comcast. I also know that others who seem to be in the same space as E360 tend to buy their lists from a co-registration broker or through co-registration partnerships.

Co-registration is basically another term for list selling. A user signs for some free magazine or online content, and the privacy policy or terms and conditions contains a clause that says it's OK for the data collector to sell your data to whomever they want. And that's exactly what happens. Sometimes it's a bit more restrictive, but the vast majority of the time, multiple companies can and do buy these lists and send to them.

Again, I don't know if this is how E360 does it. But everybody I've run into who runs a "big offer engine" seems to do it this way.

In that scenario, if you buy that list, and you mail to it, those people are not your customers. Those recipients don't even know who you are. They don't recognize your mail, they didn't sign up with you directly, and they hit the "this is spam" button every time they see your mail.

I have a theory as to why that is: Because it's spam. And not by my definition alone; every internet service provider I can think of would call this spam, as would most email service providers.


E360 (who is also fighting Spamhaus in court) just saw their lawsuit against Comcast laughed out of court.

The judge in this case really seems to be savvy on the issues involved.

Third sentence in: "Some, perhaps even a majority of people in this country, would call [E360] a spammer." He goes on to be clear that he gets it about spam filtering, and that the judiciary even uses spam filters. In a footnote, he question E360's claims of denial-of-service attacking, saying basically that if a receiving site blocking a sender makes their stuff fall over, then their stuff is might be poorly designed.

Ultimately, the court dismisses all claims brought by E360 on the basis that Comcast isn't doing anything that indicates they are acting outside of good faith.

Read it all here. (h/t to Mickey Chandler of SpamSuite)

The One Goes To Eleven

Over on her blog, Laura Atkins of Word to the Wise shares eleven timely tips on dealing with ISPs when you're blocked.

A lot of it is common sense, but then again ... I know that a lot of people need common sense training.

Promoting Transparency

I just received an email. It was sent an email list that I signed up for, in person, last week, at a wine tasting in my neighborhood here in Chicago. It was very much a desired email. I can't wait to go back to that wine store (once I'm over this cold) and stock up. I don't know much about wine, but I'm having fun learning, and this email got me excited.

Geek that I am, I took a look at the headers. I looked up the source IP address in WHOIS and found that it is registered to "ORCS Web, Inc.," a random web host. That's odd. It's not clearly registered to an ESP. Then I looked at the return path and click redirect domains. They both use a semi-generic "mail" domain. When I look that up in WHOIS, I find that it's registered to "Domains by Proxy, Inc." Meaning that the owner of the domain desires to hide their true business name.

Is this transparency? Is this ESP standing up and making it clear and obvious that they're the responsible party for this piece of mail?

The thing is, this isn't spam. I signed up for this. But the lack of transparency here is confusing, and I don't see a good reason for it. If you're a legitimate company, why isn't your domain actually registered to you? Why are you sitting in somebody else's IP space?

I know who the ESP in question is, cause it's obviously discernible for somebody like me, by looking at other bits of the data. But that's not the point; I'm a power user. Obfuscation isn't something I fall for easily. Even though I can see past it, you're still making me wonder why you would do it to begin with.

Is it meant to fool less savvy recipients, less savvy email administrators? Why would a legitimate list owner, or a legitimate email service provider, work that way?

Heck, let me ask a simpler question: What legitimate company doing business on the internet would want to hide behind Domains-by-Proxy? What kind of businesses do you think of, when you think of ones that might not want to be easily traceable? What domain owner, what proprietor of an online store, what professional business, would want to hide their business information?

I wonder.

Mourning the Loss of

Wow, how time flies. It's been more than a year since fell off the face of the internet.

Remember what that was? It was an astroturf site (i.e. a fake grass roots community movement) trying to strike fear in the hearts of us mere mortals about how the end of email was nigh. Goodmail would rule the land, they said. You wouldn't be able to deliver email to AOL without paying a fee, they said. Join with us to put pressure on AOL, else email breaks forever for everyone.

Complete balogna, those of us in the email industry said. Turns out, common sense prevailed. They were wrong. Goodmail is used by some, but in my reckoning, the vast majority of people, organizations, companies I know of sending to their mailing lists, are sending to AOL just fine, without having to pay a cent to AOL or Goodmail.

The few that struggle? It's because they have issues with list hygiene, engagement, or permission. I knew for a fact back then that MoveOn had significant list hygiene and permission issues. (I am not up to date on them currently; so I'm not speaking to current status. I just don't know.) But back then, they had problems with forged subscriptions and list sharing, the kind of problematic stuff that gets you blocked, no matter what year it is, and no matter what the email landscape looks like.

And they partnered with the EFF (Electronic Frontier Foundation). EFF does some good things, but they just do not get it about spam. Their desired solutions to the spam problem seem to involve giving spammers hugs and let end recipients sort it all out on their own. This scales horribly and means you'd be receiving with hundreds (or more) pieces of spam every day to deal with on your own. EFF co-founder John Gilmore, famously ran an open relaying mail server for many years, personally allowing his own resources to repeatedly be used as a public annoyance vector and spam delivery mechanism. He's not exactly known for exemplifying thought leadership on the abuse prevention front, or for being knowledgeable on the best practices required for managing a mailing list.

Enough about that. On a more interesting note, AOL's postmaster team has recently started up a blog. It's recommended reading if you work in email delivery or spam fighting; it offers up free insight into how one of the biggest receiving domains on earth works. I've bookmarked it, and you should, too.

More bites at the apple?

This is bizarre.

If you're a registered, opted-in user of Peachtree, and you unsubscribe from their emails, you could end up receiving this:

Our records indicate that [redacted] may have been inadvertantly [sic] opted out of e-mail communications.

If you did request to be removed, please click here to re-confirm your opt-out status.

Uh, yeah, what? CAN-SPAM doesn't allow for any sort of "mail them again, make them opt-out again, and if they don't, that's affirmative consent" exemption.

Failure to respond is not the same thing as an opt-in.

When asking people, hey, do you really want to get our emails, it is 110% wrong to do so passively. By passively, I mean, when you tell people "take no action and we'll consider you opted-in." That's not best practice. That keeps your list full of spamtraps and people who don't want your mail. It builds no proof that people on your list actually want to be there. It logs nothing about proof of affirmative consent to address a blacklist or blocking issue.

But, you run into senders who complain about that. Oh noes, they say. My list will get smaller unless I assume everybody wants in, instead of requiring them to respond.

Yes, your list will be smaller, and it will be comprised only of people who actually want your email.

That's called respecting permission.

Are you sure it's broken?

This press release suggests that the "report spam" button (found in common email interfaces like AOL, Gmail, Yahoo, etc.) is broken.

Good senders (send mail people want, don't send unwanted mail, set clear expectations in regard to all aspects of email sending) get few "report spam" complaints.

Bad senders (who don't have permission, send too much, don't care about what their subscribers want, hide mailing expectations in privacy policies) get many "report spam" complaints.

There's a reason why ISPs measure based on this data. Because it works. Draw a line between "high complaints" and "low complaints" and you're accurately drawing a line between "wanted mail" and "unwanted mail."

Is it any surprise that ISPs leverage this data to paint an accurate picture of good mail versus bad mail, and decide mail delivery or rejection policies accordingly?

Q Interactive calls this a bug. I call it a feature.

e360 v. Comcast: EPIC FAIL

Mickey Chandler says: "EPIC FAIL."

Another blogger (I'm not going to help his Google-fu by linking) states that he "hates to say it," but that Comcast's motion "looks like a winner." Hates to say it? You've got somebody suing over what seems to be a whole bunch of unwanted emails, an ISP apply their reasonable and common standards to reject such mail, and you hate to say that Comcast is likely to prevail?

I don't know why he'd say that, and the post isn't insightful. I don't know if he's had grumpy interactions with Comcast customer service over TV woes in the past, or if he is against private sector restrictions on commercial messaging, or who knows what. At any point, does not compute.

By the way, just for the record: I work with many clients who have had issues delivering mail to Comcast over the past year or two. I'm not going to go into details, as I'm not keen on giving e360 free legal advice, but let's just say that, in my opinion, much of what e360 alleges about their experiences with Comcast doesn't match up with what I've personally observed with many other senders.

Forced Opt-in

Forcing somebody to opt-in, by making them check a box that says, "I agree to X" before you'll let them buy from you (or even register) is a bad idea. It's just plain lame. I've run into this a lot over the years -- and I am well aware of what happens. When you force people to opt-in, you drive them away from your site, or you drive them to enter fake data and dirty up your list. If they do put in the right info, that still doesn't mean they want those follow up emails from you, and they're going to report that mail as spam.

So why is Pizza Hut forcing people to opt-in? A lot of those users, probably more than thirty percent of them, just want to order a pizza. They don't want to sign up for additional emails. (I pulled that thirty percent number out of a hat, but only slightly. It's potentially on the low end.)

Think about it, o savvy sender: Do you really want to end up with a list where 30% of the people don't want to be on it? Do you like spam complaints and a poor sending reputation?

Call me strange, but I'd prefer to have a smaller list of just people who want to be on it. Seems like more of the mail would get delivered, and you'd end up with more orders than if you had a bigger list that got your mail blocked all the time.

Ken Magill Gets It!

The keys to email delivery success?

"It all comes down to four words: List hygiene and relevance." -- Ken Magill

Couldn't have said it better myself! Thanks, Ken.

Las Vegas Spam via China

I get a new one of these every couple of weeks. The from addresses and names vary; usually it has a random Gmail address on the from address. The name associated is something like "Nathan Singer" or "Jeff Strum" and seems to vary with each mailing.

The CAN-SPAM info suggests that these folks are supposedly reputable, maybe even a real company: Receptionist Solutions, LLC, 10161 Park Run Drive, Las Vegas NV 89145.

But the email is coming from, an IP address in China. If these guys are so reputable, why are they sending from an IP address in China? With a Gmail from address? With an unsubscribe link and some other domain (also hosted in China)?

Seriously, can somebody explain to me who in their right mind would buy a product from somebody who has such a complete lack of branding and transparency, to the point where they're seemingly not even complying with CAN-SPAM?

I called the number from the spam footer, to find out that it is a company called "Intelligent Office" and they are indeed sending the emails in question. Yuck.

Liveblogging from MarketingSherpa

Just kidding; I didn't go. But I've seen that headline on about 18 different blogs today and decided to jump on the band wagon.

Help David Ritz

Please donate to David Ritz's legal defense fund.

Why? Read this. (My post also got picked up by CircleID and Slashdot.) Read this, too.

How? Go here. (It's managed by Ed Falk, whom I find trustworthy.)

It's good to help David, and that's a good reason to donate. But another good reason is if you're like me and you work in email or network security, you've done a lot of the things David was "accused" of -- "impersonating a mail server" by doing a telnet to port 25 to troubleshoot a mail server issue, performing DNS zone transfers, used the host command, etc. Uh, hi, these aren't illegal, regardless of what a judge may think. These are regular tools lawfully used thousands of times a day by thousands of internet professionals.

Don't let this bad decision stand!

More on the Obvious

Good advice from my industry colleague Mickey Chandler. A couple of highlights:
  • If people don’t ask for mail, they’ll report it as spam. It really is just that simple.
  • Are you sending mail to this list that people expect? If they don’t, then it will get marked as spam.
  • If enough people do that, you will get blocked.

Dear Direct Magazine

Today I got an email from Direct Magazine. Subject line: "Wake up! It's time to combat subscriber fatigue." It looks very similar to the email I got from Direct Magazine six days ago, with the exact same subject line.

Both of these emails went to my spam folder in Gmail. Why? Because Direct Magazine has yet to practice what they preach -- as I related previously, signing up for emails from Direct resulted in a bunch of extra emails that I didn't expect and had trouble figuring out how to unsubscribe from. Until Gmail took care of me, and started putting their messages in the spam folder.

Oh, the irony. Allow me to address it in an open letter to Direct:

Dear Direct Magazine,

I am a fatigued subscriber. I'm not opening these emails or loading images. I'm not clicking on links. I'm not moving your email messages out of the spam folder. It seems as though I am not alone in this regard.

Maybe it's time for you to combat subscriber fatigue to fix your sending reputation.

PS- Why did you send me the exact same email twice, six days apart?

What the heck is Notchup?

I seem to be getting random invites from people I "kind-of" know via some site called Notchup. No clue what this is, and the invites are all very boilerplate in nature. And there's some promise of getting paid for job interviews. And from talking to other folks, it sounds like somehow they get your contact info from LinkedIn. (Perhaps from a user giving up their username and password legitimately -- so likely not LinkedIn's fault -- but potentially this means Notchup is providing a tool for users to harvest their LinkedIn address book. Yuck.)

Then there's the WHOIS information for Notchup. See how it's owned by Domains by Proxy? That means the true owner of the domain doesn't want you to be able to tell who they are. No business name, no street address, no contact info.

That's who people are giving their contact info to? A site where the true owners of the site don't want you to know who they are?

Yeah, I don't think I'll be signing up, just yet.

(More good points to think about here.)

Domain Tasting to End?

John Levine reports that domain tasting is likely to come to an end, as ICANN plans to modify the domain registration process so that a $.20 fee paid by the registrar is non-refundable.

If you're not familiar with the practice, you can read how it works here. I am under the impression that there are a number of registrars exploiting this practice to let them dip their toes in the domain pool, see what's worth keeping, then dump the rest without paying anything. It seems to have opened the floodgates to domain speculation.

Domain tasting is a weird thing. I'm struggling to find what potential legitimate uses for this "feature" would be. John Levine's been schooling me on the topic since early 2006, and I have yet to hear of a good reason for it.

The only value I see in domain tasting is for questionable activities. For fast-flux spammers trying to hide long term evidence of their activities. (Send spam, then people trying to trace it more than five days later can't find any evidence of the domain. Rinse, lather, repeat, millions of times.) For strange things like grabbing up the domains you look up and trying to sell them back to you. For people putting up thousands of sites with nothing but pay-per-click ads on them. (Apparently Google doesn't like this practice, either.)

I'm hopeful that making the registrar fee non-refundable will effectively end this practice by making it cost-prohibitive.

Excellent comment(s) on the Ritz affair

First, swing over to Ed Falk's site to read a really good comment from a Slashdot reader.

Then, check out this most excellent response to trolling criticism on my CircleID post. Written by Brian McNett, it examines the blurred intersections and transitions between vigilantes and professionals. Excerpt:

During the period of David’s anti-spam activity, which ended around 2001 with a tragic accident which nearly took his life and has left him permanently disabled, I myself volunteered my time, resources and expertise to track down and identify spammers. It is only because I was more circumspect in my public postings to USENET, that I myself did not draw the attention of the plaintiff in this case. It is only because I was available for employment, and not in a medically induced coma, that I was able to become a professional, and now do my investigation in an official capacity.

Mr. Ritz performed the alleged criminal acts during a time when Mr. Iverson, Mr. Chandler, Mr. Schwartzman, and myself would also have been considered criminals had we fallen under the gaze of the plaintiff. Thus, Mr. Thorson, you are, knowingly or otherwise, continually impunging the defendant and acting as an apologist for the plaintiff among a group of professional who, were it not for a twist of fate, would also include David Ritz. Many of the “crimes” (isn’t this a civil case?) Mr. Ritz is accused of, are things all of us have done at one time or another as a routine part of both our efforts as volunteers, and our jobs as professionals. Mr. Iverson’s reputation as a professional was largely established based on his ability to, as the ruling puts it “disguise himself as a mailserver”. Mr. Schwarztman, has carried what the court calls “vigilantism” to the point of being Canada’s foremost expert on spam. Mr. Chandler has taken his legal, advocacy, and forensic skills (developed in the late 1990’s in what the court judges to be “criminal activity") to a position at one of Mr. Iverson’s employer’s direct competitors. Mr. Iverson and Mr. Chandler work for companies whose business is sending commercial email. Their needs and the needs of their customers are frequently at odds with the likes of Mr. Schwartzman, Mr. Smith and myself. Nonetheless, we are all here, firmly in opposition to the decision of your beloved North Dakotan legal system.

Very well written. Brian McNett is my hero.

David Ritz Story Gets Press

My recent post on Sierra vs David Ritz got picked up by CircleID (with my permission), and then by Slashdot!

Don’t forget to surf on over to the CircleID copy to see the ongoing discussion in comments. Lots of good stuff, plus a couple of trolls. Pretty typical, as these things go. My favorite quote: “I think there is something that people are missing. In the eyes of the court, Mr. Ritz is a menace to Sierra.” Uh, no, we actually get that that this is apparently the court's opinion. That’s the point here – the court got it wrong.

One guy took issue with me taking a swipe at North Dakota ("the one lone technology professional in ND") and (I assume, jokingly) invited me to visit the Microsoft campus there. Hey, if he's not kidding, and he makes a big donation to David's legal defense fund, I'm game.

Reminder: Donate! The handling of the money is being done by Ed Falk (who has had his own run-ins with this same plaintiff), and he assures me that every dime is going to the right place.

North Dakota Judge Gets it Wrong

....WAY wrong. This is just mind blowing.

Ever been prosecuted for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand?

No? Well, David Ritz has. And amazingly, he lost the case.

Here are just a few of the gems that the court has the audacity to call "conclusions of law." Read them while you go donate to David's legal defense fund. He got screwed here, folks, and needs your help.

"Ritz's behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law." You might not know what a zone transfer is, but I do. It's asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.

"The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down."
That's untrue. The judge is trying to hang David out to dry, even when provided evidence of what actually constitutes hacking or cracking. Accessing a server on the public internet that is set up to provide that public info is not a crime, and saying that it is not a crime doesn't suddenly damage computer crime law. The judge just amended the definition of "unauthorized" to include public internet servers that were expressly configured to provide info to anybody who asks for that info.

"Ritz has engaged in a variety of activities without authorization on the Internet. Those activities include port scanning, hijacking computers, and the compilation and publication of Whois lookups without authorization from Network Solutions." I'm not touching the "hijacking computers" statement -- who knows what the judge means, and I don't think it's wise to assume that the judge's definition matches the common one. But what really jumps out here is this: Publication of WHOIS information. You know, business records. Who owns a domain. Public information. The judge has arbitrarily decided that it is illegal to take information from WHOIS data -- necessary information when compiling a report on a company or activity, to make sure you're talking about the right person -- and put it in a spam report or on a website.

Mickey Chandler calls the court documents in this case "12 pages of bad law," and I couldn't agree more.

Gmail's Taking Care of Me

So, a long time ago, I signed up to receive Ken Magill's "Magilla Marketing" email updates from Direct Magazine. I really enjoy reading Ken's articles, and though I have occasionally disagreed with his take on things in the email industry, I do think he's smart and sharp. He gets it, and even on those occasions I disagree, I find his take on things to be interesting and insightful. I consider every one of his articles a "must read" and have for years, going back all the way to my time at MAPS back in 1999/2000.

Good to leave your Wifi open?

There's a lot of buzz lately about Bruce Schneier's new essay on how great it is to run an open wireless network at home.

My take on this is going to be short and sweet: You're crazy if you leave your wifi open. Here's what can or will happen if you don't secure your wifi:
  • Your own download speeds suffer as neighbors' infected laptops find a new vector to spew spam and malware.
  • You'll find your home IP address blacklisted and receiving spam complaints over bad stuff people send via your connection.
  • The buck stops with you. Your ISP can trace it as far as you and no further. This means that if somebody uses your wifi network to send spam, or traffic in kiddie porn, you're the one whose door the feds or the FTC are going to knock on.
  • Running a mail server? You'll get blacklisted due to all of the above.
When I lived in Minnesota, I inadvertently left my wifi access point unsecured for a period of time -- and I did find mail server blacklisted. A neighbor's infected laptop used my connection to send spam. I was pretty embarrassed about it at the time -- an anti-spam guy's IP address was being used to send spam! It just highlighted for me how it's not wise to tempt fate.

It might be really neat to leave your car unlocked, with the keys inside, so your neighbors can borrow it as needed. But, is it wise? C'mon, people!

Alan Ralsky indicted

Spamhaus writes: "The US Department of Justice went public today with the indictment of Alan Ralsky and 10 others who helped him. Alan Ralsky topped our Top 10 Worst Spammers list for quite some time and was involved in almost any sort spam activity that's being done. His gang frequently sent millions of spam messages per day. In recent years his focus has been on stock spam, and that's a key part of what the US DOJ indicted him for."

Others can cover this much more capably than I, so I'll skip the insight and just link to posts on the topic from various smart folks.

(I recall Ralsky being the guy who cried foul when, a few years ago, his home address was made public, and people signed him up for hundreds-to-thousands of junk mail postal lists.)

My Prediction For 2008

I've only got one prediction for 2008, and it's this: Spam is going to be even less tolerated by internet service providers than it is in 2007.

ISPs are continually tightening up their sending guidelines and acceptable use policies, and things you might have gotten away with in 2006 or 2007 will no longer be kosher.

Opt-out append? Purchased lists? Third-party lists? Mailing to the same, tired list forever? Forget about it. You're going to the bulk folder, if you get through at all.

ISPs are belt-tightening; automating sender-review and spam-prevention processes. Spam isn't a profit center for them; it sucks up their resources that they feel are better spent elsewhere. They're taking less and less time to individually review every whitelist request; they're relying more on automated, statistics-driven processes to keep more of the spam out, and they're catching more and more edge case senders in their new mechanisms. ISPs aren't making any money from the mail you're sending, they don't have a financial responsibility to accept that mail. And in a lot of cases, they firmly believe that their users are happier without the mail

It's up to you if you want to stay ahead of this problem, and stay in the inbox. The way to do it is avoid becoming that edge case. Maintain clear permission. Don't buy or sell lists. Avoid email append. Re-confirm your lists. Send people only what they expect.