Gmail, End User Privacy, and Harassment

Gmail gets a lot of things right, but gets one really important thing very wrong.

I'm going to tear into Google momentarily, but before I do that, let's start with the good things. Praise before criticism, and all that. And rightly so -- I don't want to skim over the fact that Gmail has some cool features that really do take email to the next level. Here's just a few of the things that I really like about their email platform:
  • Tons of storage,
  • Easy-to-use interface,
  • Strong search capabilities,
  • Support for automatic filtering and forwarding rules,
  • Support for sending mail using your vanity email address, and
  • Free POP3 support.
I'm on a few different high-traffic mailing lists, and I wouldn't be able to manage the traffic without Gmail. Their automatic rolling up of discussion by topic ("threading") makes it very easy to skim updated discussions at a glance and decide which ones I want to participate in. Since search is Google's forte, I'm able to easily look back and see if a discussion point was already raised by somebody else in the past few months before bringing it up myself. Managing email on multiple computers with Gmail is a breeze. I use Mozilla Thunderbird on my desktop computer at home, retrieving mail with Google's free POP3 support. On the road, I have easy access to Gmail's web interface from my laptop, and from my PDA phone.

Google has done a great job with search integration into Gmail, as well as adding cool geek-friendly features like POP3, custom from address support, and the ability to set up mail filtering and forwarding. That makes sense. They've hired some of the smartest people in the world to help them imagine, design and deploy new things that people will want, even if they might not have realized they wanted them before. Often, their new features are things you don't usually see in a free webmail service.

But, Google's not perfect. Some of their views on email handling, spam, and end user privacy are out of date and extremely myopic. I think that also makes sense; a side effect of hiring a bunch of very smart people, who all think they can change how the world thinks of email, like they did (successfully) for search. In the search realm, they really did create something new and amazing. Unfortunately, email is different. There are a base set of issues that all mailbox providers (ISPs and webmail services) have to deal with, and have been dealing with for many years. It's not just about search and threading and a neat interface. It's also about: Blocking spam into their systems. Preventing bad guys from using their services. Providing guidance and feedback (both positive and negative) to people who want to send mail to Google users. These are all areas where it seems to me that Google's views are about ten years out of date.

I could go on for days here, but instead, I'll focus on the most important thing I think they're getting wrong: preventing bad guys from using their services. Google enables use of Gmail for bad things by hiding the source IP address on mail sent by their users; and it's lame. It's scary. It's outdated. It lets bad guys use their services as long as they stay under the radar. If you want to start a low-level harassment campaign against somebody, Gmail's the way to do it.

To give you a bit more understanding, let's take a walk down memory lane together. I've been in this industry a long time, and I've angered a lot of morons over the years. Getting spammer accounts shut down often draws harassment and threats. Lots of idiots think that a Yahoo or Hotmail account is anonymous. It's not. They clearly stamp all outgoing mail with the IP address showing from where the user logged into Yahoo or Hotmail. This is important, because it tells you the real ISP that somebody is harassing you from. You are then able to contact that ISP, and provide them more proof, showing what the guy's doing wrong, which helps nudge the ISP to get it stopped.

In the case of one idiot spammer, he thought it would be cool to harass me from Hotmail, not realizing that the email headers clearly told me that this "new person" was really connecting from rea-alp.com, the same ISP that I was working to get the guy thrown off of. It turned out to be another nail in his coffin; feigning ignorance (and putting up web pages about how I'm a big meanie, and that I made it all up) while sending me harassing email from an IP address traceable back to him was ultimately what ended up getting him banned from that ISP.

(If you want to read this guy's rant about me, perform a Google search on my name, and it'll be somewhere down the list. Look for a small man crying in a loud voice about dictators and nerds. Pretty funny. That dude in particular was quite clearly a spammer, and quite clearly unhappy that I busted him for it. I'm not linking directly to him here though, as there's no point in helping his search ranking.)

Anyway, that's how it works with Hotmail. And Yahoo, and AOL, and just about any other ISP or webmail provider. But not Gmail. Google hides that source IP address, preventing you from determining which ISP the harasser connected to Gmail from. Why do they do that? I don't know for sure, but I theorize that it's done in the name of end user privacy. I take issue with that, because an IP address isn't a private piece of data. It's a license plate, not a social security number. Any website you connect to for any reason knows your IP address. An IP address doesn't trace you, it just traces your ISP. That means somebody can tell you emailed them from a computer at the Chicago Library. It doesn't tell them who you are or what books you checked out of the library. That means that somebody can tell I'm one of 25 million AOL users. It doesn't tell them which one of those 25 million users I am.

Sure, Google has a record of the connecting IP address. (That goes without saying, because as I said, every connection you make to every website you visit tells that website your IP address.) And they have the cell phone number (or friend's invite) that was involved in creation of the Gmail account. If they get a subpoena from law enforcement, they'll provide this info. So, if somebody stalks you via Gmail and then actually kills you, then Gmail can do something about it. Yikes.

Problem is, that's not how most harassment works. Most of it is low level F-bombs and racist taunts sent by morons who think that the internet is untraceable, though it's not. I've been able to get people fired before for sending harassing emails from work. I can't identify them personally; I don't have to. I just contact the company and provide them the info showing the date and time and IP address of the source of the harassment. They check their internal logs, figure out who did it, and deal with it. Reprimand, training, termination, whatever their company policy dictates.

This works well, except if the harassment originates with Gmail. Because if somebody harasses you via Gmail, and it's not serious enough to get law enforcement interested in pursuing it, the best you can do is complain to Google. And hope something happens. And maybe the harasser loses their Gmail account. Which was free to begin with, and probably set up just for this purpose.

Strangely, if you post to Usenet newsgroups via Google Groups, your source IP address is included in the headers. Smarter people than me tell me that this is because Usenet is a smaller, more directly cooperative environment of server operators. Google previously found that when they didn't include the source IP address, lots of sites got fed up with spammers and harassers attacking Usenet through Google Groups, and started "aliasing out" (filtering out) all posts from all Google Groups users. This is fairly common in the world of Usenet; run your site poorly and you're pretty quickly shunned by way of being aliased out, or by way of applying the Usenet Death Penalty.

How long until somebody proposes a similar "email death penalty" for Gmail? Eventually, other ISPs (and frustrated end users) get tired of not being able to track the source IP of harassment (and other bad things) from Gmail users. I'm not sure how long it'll take, but my bet is that it will happen eventually. I know I'm not the only one frustrated by their ill-conceived IP address-hiding policy, and the buck stops right at Gmail's SMTP servers.

Well-Known E-mailers Back Spamhaus in Amicus Brief

From Ken Magill, published on Direct Magazine's website:

Twenty-nine individuals and organizations have signed onto an amicus brief filed last week in support of anti-spam blacklisting service Spamhaus in its court battle against e-mail marketer e360 Insight.

Some well known, smart guys weighed in here. John Levine, as an example: “I think the court made a mistake in that they really should have figured out that Spamhaus is in London and not in Chicago,” said Levine. “Beyond that, Spamhaus is by far the facility that gets rid of the most spam with the fewest bad side effects. It would be really bad for the community if they couldn't keep doing that. … Spamhaus does try reasonably hard to make sure they don’t block good mail.”

Read more here...


You'll find the brief itself here.

e360 vs Spamhaus: Sparring in the Newsgroups

Oh boy, the things you find on the newsgroups sometimes.

Here's a link to a thread on the news.admin.net-abuse.email newsgroup where Spamhaus and E360 decided to battle it out in the court of public opinion on Friday. What's the goal here? This works to the advantage of whom, exactly? Didn't the old adage used to say that the best place to try a lawsuit was in a courtroom?

I wonder how many of these newsgroup posts are going to end up as evidence in the ongoing appeals in the whole E360 versus Spamhaus lawsuit.

Riddle me this, if you please: If Spamhaus loses their appeal, then what's the actual impact to them? That the Spamhaus folks won't be able to travel to the US? That US ISPs will be afraid to use a foreign blacklist with judgements against it? It seems like a long shot that E360 will actually silence Spamhaus, regardless of the outcome here. But, as they say, "IANAL" (I am not a lawyer), so I'll just have to keep an eye out to see what happens next.

On another note, E360 is apparently telling anti-spam activist Mark Ferguson that he did indeed sign up for email from E360. True? False? Forgery? Harvested address? I wonder if E360 will be able to produce information that ties a signup request back to the person in question.

In a possibly-unrelated item, E360 has also posted the following information on their website:
Eant et fugiant a te inquieti iniqui. et tu vides eos et et ecce pulchra imperium tuum dehonestaverunt,distinguis umbras, et ecce pulchra imperium tuum dehonestaverunt, a caelis usque.aut in quo imperium tuum.

What are spamtraps?

In short, spamtraps are bad addresses that you don’t want on your list. They’re old email addresses that haven’t been used for real people for a long time, or addresses that are put out to ensnare bad guys who are obtaining addresses in ways other than opt-in.

If you have spamtraps on your list, you’re going to be labeled a bad sender and blocked as a spammer. That’s why it’s important that you have a good signup process to prevent fraudulent signups, and good bounce processing so that you expire out invalid addresses before an ISP would ever turn them into spamtraps.

For more about spamtraps, check out my recent blog posts on the topic (part one here and part two here), where I talk in detail about what they are, how they end up on your list, how you prevent them from getting there, and how to clean your list and get rid of spamtraps in the process.

Spamtraps are addresses that drive you directly into ISP spam filters and anti-spam blacklists. Consider them the express route to having your email blocked. Stefan Pollard recently wrote an excellent article on the topic of blacklists for ClickZ (find that here). Since many blacklisting issues are spamtrap-driven, there's great overlap between best practices on how to keep your list clean and what you should be doing to prevent and remove spamtraps.

On the Glossary page of anti-spam blacklist group Spamhaus, you'll find their definition of "spamtrap," one that I find generally to be accurate.

Dealing with spam to your abuse desk?

Among other things, I run the abuse desk for a large service provider with lots of clients. We get a handful of complaints a day. For example, over the past three days, we’ve received about sixteen complaints. And about two hundred spams.

The “fun” part of our job (for various values of “fun”) is going through the abuse mailbox and separating the wheat from the chaff every day. More than 90% of that inbound mail stream is spam. Just random, stupid spam emails from people dumb enough to send spam to an abuse desk. We take turns taking out the trash, moving this mail out of the way so that we can focus on the actual, actionable reports that need to be reviewed and investigated.

How can I reduce the amount of spam our abuse desk receives? I’ve used a lot of different blacklists over the years to reduce the amount of spam received. Problem is, most of them have some level of false positives associated with them. I don’t ever want to knowingly reject a complaint from somebody trying to report abuse from one of our users.

Time to do a bit of testing. On February 2nd, I wrote a script that tags all inbound mail sent to our abuse desk. The sending IP is checked against the Spamhaus ZEN combined list. If the sending host is on the ZEN list, our script adds [SPAM] to the subject line. This helps us sort the mail faster. We spend less time looking at the mail with [SPAM] in the subject line, and more time reviewing the mail that isn’t tagged.

Reviewing the over 2,200 spams I’ve received to our abuse desk from February 2nd through today, Spamhaus has successfully tagged 79.3% of them as spam. I’m very happy with that rate – this correct classification significantly reduces the amount of spam I have to deal with in the long term.

But what about false positives? Since I’m tagging mail, and not rejecting it, it’s very easy for me to find and note false positives. (A false positive in this instance would be a spam report that I wanted to receive, but might have missed because it was tagged as spam.) To date, I haven’t had a single false positive! I’ve saved all the mail in question, and reviewed it multiple times, looking for mail that I might want, but could have missed previously. There doesn’t seem to be any. Score another point for Spamhaus!

If you run an abuse desk that gets a lot of spam, how do you deal with it? I’d love to hear your thoughts. And if you’re in the same boat as me, and wondering what to do? It might be worth your while to tag the mail with Spamhaus ZEN. I think you’ll find that it’ll correctly identify most of the spam, and that false positives, if any, will be few and far between.
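A tag-only ZEN check of the kind described in this post can be sketched as follows. This is an added example, not the script the post refers to. It assumes the sending IP is read from the topmost Received header (the one written by the abuse desk's own MX); the host names, sample message and function names are constructed for illustration.

```python
import email
import ipaddress
import re
import socket

ZEN = "zen.spamhaus.org"
# Constructed sample; the topmost Received header is the one our own MX wrote.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.45])\r\n"
    "\tby mx.abuse-desk.example with ESMTP; Mon, 5 Feb 2007 10:00:00 -0600\r\n"
    "From: someone@example.net\r\n"
    "To: abuse@abuse-desk.example\r\n"
    "Subject: Cheap watches\r\n"
    "\r\n"
    "Buy now.\r\n"
)

def sending_ip(msg):
    """IPv4 address of the host that connected to our MX, or None."""
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    try:
        return str(ipaddress.IPv4Address(m.group(1))) if m else None
    except ValueError:
        return None

def dns_lookup(name):
    """A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def zen_listed(ip, lookup=dns_lookup):
    """True when ip is listed; lookup is injectable so the check can run offline."""
    query = ".".join(reversed(ip.split("."))) + "." + ZEN
    # Listings answer 127.0.0.x; 127.255.255.x is a Spamhaus error code
    # (for example a query sent through a public resolver), not a listing.
    return any(a.startswith("127.0.0.") for a in lookup(query))

def tag_message(raw, lookup=dns_lookup):
    """Prefix the subject with [SPAM] for listed senders; never reject."""
    msg = email.message_from_string(raw)
    ip = sending_ip(msg)
    subject = msg.get("Subject", "")
    if ip and zen_listed(ip, lookup) and not subject.startswith("[SPAM]"):
        del msg["Subject"]
        msg["Subject"] = "[SPAM] " + subject
    return msg
```

Because a failed or refused lookup is treated as "not listed", a DNS outage leaves mail untagged rather than marking every report as spam.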

The Changing Definition of Spam

Over on CIO Magazine's website, capable journalist Esther Schindler posted an interesting article on the topic of spam defined, and how that definition has been changing over the years. The spark that led to her writing this came from a discussion on an anti-spam mailing list we're both members of, and it was a topical discussion that I myself delved into.

I perhaps don't agree with her conclusions 100%, but I credit her for tackling a tough topic, and stirring up discussion and debate. It is true that the definition of spam is changing. It's also true that there's a hard-core group of anti-spam advocates who are resisting this change. Anti-spam mailing lists are sliding from the center out to the edge of the anti-spam universe; they once were the core and forefront of development and discussion relating to the latest anti-spam technology, blocking tools, best practice methodology, etc. Nowadays, that's all shifted away, to discussions internal to ISPs and industry groups, spam filtering device manufacturers, and other areas, far from the view of the folks who used to call for "heads on pikes" as the only reasonable response to a single piece of (perceived) spam received.

To me, it highlights that the world is changing, and the Linux users with their access control lists don't hold the keys to the inbox like they once did.