DNSBL Safety Report 5/14/2011

SpamTips.org, a website devoted to SpamAssassin Tips (SpamAssassin being the wildly popular open-source spam filter), recently posted a wonderful DNSBL Safety Report, showing hit rates against both spam and non-spam (false positives) for various blacklists commonly used in SpamAssassin.

Interestingly, they specifically warn AGAINST using UCEProtect and the Lashback UBL.

For Lashback's UBL, I'm not so surprised about the results. I don't mean that Lashback's list is broken -- it's just very specifically "IPs of somebody who mailed someone after they unsubscribed and should not have been mailed." There are probably a lot of ISP outbound mail servers that have had individual email messages or intermittent issues with spam emission that meet those criteria. It is probably more appropriate to use it for scoring/vetting reputation in certain scenarios only, more so than using it to block mail outright.
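The scoring-versus-blocking distinction above, as an added example that is not from the original post or from any list operator: a narrow-purpose list only contributes to a score, while a list trusted to block can reject on its own. The zone names, weights, threshold and resolver data are all hypothetical, constructed so the code runs offline.

```python
import ipaddress

# Hypothetical zones and weights (assumptions, not from the post or any real list).
# A narrow-purpose list only adds to the score; a broadly accurate one may reject alone.
POLICY = {
    "broad.dnsbl.example": 5.0,   # stands in for a list trusted to block outright
    "unsub.dnsbl.example": 1.0,   # stands in for a narrow list used for scoring only
}
REJECT_AT = 5.0

def query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(answers):
    """By convention (RFC 5782) a listing is an A record inside 127.0.0.0/8.
    Anything else (wildcarded zone, NXDOMAIN-rewriting resolver) is ignored."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)

def evaluate(ip, resolve, policy=POLICY, reject_at=REJECT_AT):
    """resolve(name) -> list of A-record strings ([] for NXDOMAIN).
    Returns (score, hits, action)."""
    hits = [z for z in policy if is_listed(resolve(query_name(ip, z)))]
    score = sum(policy[z] for z in hits)
    action = "reject" if score >= reject_at else ("tag" if hits else "accept")
    return score, hits, action

# Constructed resolver data (192.0.2.0/24 is documentation address space).
FAKE_DNS = {
    "10.2.0.192.unsub.dnsbl.example": ["127.0.0.2"],
    "20.2.0.192.broad.dnsbl.example": ["127.0.0.2"],
    "30.2.0.192.broad.dnsbl.example": ["203.0.113.7"],  # bogus non-127/8 answer
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, evaluate(ip, fake_resolve))
```

In production, `fake_resolve` would be replaced by a real DNS lookup; the check that answers fall inside 127.0.0.0/8 keeps a hijacked or wildcarded response from being counted as a listing.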

With UCEProtect, it's disappointing to hear that they have a 1.7% false positive rate as measured against this specific email stream.

I've written about blacklists (and even similarly tracked their effectiveness) over on DNSBL Resource for many years -- so it's very nice to see somebody else doing something similar. The more data, the better, as far as I'm concerned.

(H/T: Box of Meat)

AOL blocked? Don't try this at home.

Gee, ya think THIS will scale?

Over on the AOL Postmaster blog, a commenter tells a tale of his alternate method of finding a human at AOL to assist with his spam blocking issue:

"Since I felt that this was beginning to rise to the level of something that AOL execs should really be concerned about, I did the only remaining thing I could think of - I bought a share of AOL stock, and contacted AOL Investor Relations with an explanation of how, as a shareholder, I was very concerned with AOL's complete lack of inbound email delivery support and how I felt this would likely adversely impact shareholder value.

Yesterday, I got a response from a nice guy named Lothar in their IR department with an offer to provide assistance in resolving our issue. I've forwarded our mail server/IP address info to Lothar, and am awaiting response. As a share of AOL stock is on par with the cost of a month of AOL service at this point, it might represent a cheaper way to get access to some attention/help. I'll post here again when I know how this approach works out."

Uhhhh....really? I have to admit, this gave me a good laugh. But is it likely a winning strategy? I'm doubtful.

What would you present?

In a couple of weeks I'll be presenting to a class of paralegals-in-training, talking about the legal aspects of compliance in marketing online (CAN-SPAM, DMCA, CDA, etc.). I'm pulling together information about various cases that might be most interesting to share with the class and generate topics of discussion. Could I impose upon you, dear reader, to share with me what your thoughts are here? Got any links or info you'd like to share with me? What cases do you think merit looking at? Gordon v Virtumundo, for starters. What else? Thanks in advance for your thoughts!

Spamcop Blacklisting: Should you care?

I was asked today if Spamcop should be "trusted." After all, even the Spamcop Wikipedia page says that their blocking list is "controversial." Though, is it truly more controversial than any other blacklist out there? Let me tell you what I know.

The last time I looked at Spamcop from a receiver's perspective was back in 2007. Back then, I found it to be pretty accurate. A Spamcop listing truly seemed to be indicative of a sending IP address sending unwanted mail. That data is from a long time ago, but I haven't seen anything since then that would make me think they've changed for the worse by any significant measure.

Long, long ago, when Spamcop was a one-man show (created and run by a guy named Julian Haight), I did find the blocking list to be controversial. I regularly saw listings of IP addresses sending very clearly only opt-in email, with nothing funny or weird going on. Even confirmed opt-in email. But since that time, Spamcop has been sold to Ironport, who has since been sold to Cisco. So nowadays, Spamcop is a tiny little part of Cisco. With that transition to corporate ownership came new hands and new policies, which (in my opinion) seemed to significantly improve the reliability of Spamcop.

From a sender's perspective, I regularly help clients monitor for and address Spamcop listings. Because my prior testing of Spamcop led me to trust that it was typically correct, I typically think that a Spamcop blacklisting of a client's sending IP address is probably "correct" -- I suspect it is properly indicative that there is a problem that needs to be addressed. I think if a sender is regularly finding themselves listed on Spamcop's blacklist, then their list is probably outdated, poorly permissioned, or otherwise flawed. In these cases, I do think it's appropriate to run a permission pass to clean up the list and resolve any list hygiene issues. At the same time, discard any list segments that contain anything other than opt-in subscribers. Bought list? It's time to throw it out.

That's my opinion, provided with my alternating "sender" and "receiver" hats. What's your opinion?

Is this permission?

I received an email the other day that went something like this: "Hello, A media site you recently visited would like you to participate in their user-survey. Your input will be combined with other users' across the country to improve their site. To encourage your participation, we are offering a chance to win one of two Apple iPads. Two participants will receive an Apple iPad 2 (valued at $499). To access the survey, simply click on the hyperlink below. We estimate that it will take approximately 15 minutes to complete."

Well, I know which media site it was, because I gave them a tagged (unique) address. When you send me an email to COMPANYNAME@example.com, it's not exactly a secret. Regardless, I'm peeved -- why is this media site giving my email address to a third party? Why is this third party emailing me? Where is the permission? Where is the informed consent?

Keep in mind, when emailing a subscriber, it is EXTREMELY bad form to try to be coy about where you got the recipient's email address from. Seriously -- only spammers do this. And this email is in fact spam. I didn't give permission to this survey company to email me. The mail was not transactional; this notification was not a necessary part of my subscription to the online media site. It was probably quite legal, due to some clause or other in the media site's privacy policy. But that doesn't make it right, and it doesn't change the fact that this is a very poor practice.

I would have mentioned this all to the survey company themselves, but the email address they emailed me from doesn't seem to work.

Survey companies, I challenge you to get with the modern age. I understand the desire to do surveying a certain way, but whatever this model is, it conflicts with email best practices and permission. It's time to modify the model.

Why are you in my inbox?

Who are you? Wait -- now I remember you. Long ago, I was visiting some far away city, biding my time in some mall or airport or something, some place where the only option for wi-fi was via your company, so I paid you for a day's worth of Internet access or whatever. Now, two years later, you're sending me an email telling me that you've updated your privacy policies and terms and conditions. And you say you're under some sort of legal obligation to send me this information. I can click on the unsubscribe link, you tell me, but you warn me that you'll continue to send me this kind of thing regardless of my stated preferences.

Sorry, what? Okay, that's your point of view. Let me give you my point of view.

I'm not a current customer. I don't have an ongoing relationship with you. Our transaction is long done. And I don't agree that this email was legally required. I'm not seeing how you have any legal mandate to send past customers new policy information that might impact future transactions. If it's necessary for a return customer to be apprised of a new policy before entering into a new transaction -- why not inform them at the point of sale, instead? During the signup or checkout process.

Instead, what you did was email a legal notice to your entire database of email addresses, even subscribers who have previously unsubscribed. Like many, I feel that my inbox is my personal space. You get in only when invited, and no matter what you think, you're not allowed to force your way into it.

You may have an opinion about what you think you have to send, what you have a right to send, but I have a spam filter, and ISPs have engagement and reputation metrics.

If you fill inboxes with something of low value (a legal notice that few care about) and if you fill the inboxes of a bunch of people who don't want it (who didn't opt-in to receive followup emails from you), you've got a recipe for lower than average engagement and higher than average spam complaints. And on top of it, you insult me by implying that I am not allowed to make these emails stop.

It may not be spam, just barely, but this kind of thing is exactly why some classes of "non-spam, completely legal" senders end up in the spam or bulk folder.

Which is exactly where I put this email.