All I can say is that it’s all been tried before. Cyberpromotions v. AOL started the ball rolling when they tried to use the First Amendment to force AOL to accept their unsolicited email. The courts said No.

Time goes on and things change. No one argues Sanford wasn’t spamming, he even admitted as much in his court documents. He was attempting to force AOL to accept his unsolicited commercial email for their users. Dela’s arguments center around solicited mail, though.

Do I really think that minor difference in terminology going to change things?

No.

First off “solicited” has a very squishy meaning when looking at any company, particularly large national brands. “We bought a list” and “This person made a purchase from us” are more common than any email marketer wants to admit to. Buying, selling and assuming permission are par for the course in the “legitimate” email marketing world. Just because the marketer tells me that I solicited their email does not actually mean I solicited their email.

Secondly, email marketers don’t get to dictate what recipients do and do not want. Do ISPs occasionally make boneheaded filtering decisions? I’d be a fool to say no. But more often than not when an ISP blocks your mail or filters it into the bulk folder they are doing it because the recipients don’t want that mail and don’t care that it’s in the bulk folder. Sorry, much of the incredibly important marketing mail isn’t actually that important to the recipient.

Dela mentions things like bank statements and bills. Does he really think that recipients are too stupid to add the from address to their address books? Or create specific filters so they can get the mail they want? People do this regularly and if they really want mail they have the tools, provided by the ISP, to make the mail they want get to where they want it.

Finally, there is this little law that protects ISPs. 47 USC 230 states:

(2) CIVIL LIABILITY- No provider or user of an interactive computer service shall be held liable on account of–

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

There is existing case law that states that spam blocking falls is protected under the CDA, including e360Insight, LLC v. Comcast.

I’m sure if the ISPs start blocking mail users actually want, that the users will actually point this out and the ISPs will be forced to change what they’re doing. A class action lawsuit by a bunch of marketers who are annoyed their “VITAL MARKETING MESSAGES” aren’t being forced into the inboxes of unwilling recipients doesn’t seem to meet that standard, though.

Really, Marketers, is there any part of my mailbox you don’t want to control?

Isn’t technology wonderful?

I am somewhat sad to announce that the cult of SPF still lives. The most recent example is the number of people that have taken me to task for a recent post I wrote pointing out that SPF records aren’t actually that important for email delivery. My example was that a client of mine had incorrect SPF records (with a -all even) but was still getting inbox delivery at Hotmail. We repaired the records, re-registered them with Hotmail and Hotmail not only isn’t checking them but also sent mail to me admitting they don’t check SPF for incoming email.

My statement was that SPF wasn’t really important to getting email delivered. This seems to have upset a number of people. Someone on twitter pointed out that a valid SPF record gave you a positive score with SpamAssassin. What they didn’t mention was that a valid SPF record gives you an entire -0.001 with SpamAssassin.

Today I get a comment from Tom (which seems more like an ad for his company than an actual comment) that says

When the received timestamp on a message can make the difference as to whether or not you get a multi-million dollar contract or not, do you want to take the risk of having to explain to management that you didn’t take the 5 minutes to register a single DNS entry that may have made a difference?

Tom, I don’t think you understand what SPF is. SPF has nothing to do with timestamps. Having a record or not having a record doesn’t change anything about the time of a message. If a sender doesn’t have a SPF record the time of lookup for that SPF record is going to be the same as if they did.

In fact, in the quick and dirty test I just did here looking at two major ISPs: Yahoo, which doesn’t publish SPF and Hotmail which does publish SPF. Both records are coming back in less than 100 msec. If tens of milliseconds are the difference between getting the contract and not, you have bigger problems than the presence or absence of a SPF record.

So, yes, the cult of SPF still lives, and still makes no sense. SPF still doesn’t do anything to authenticate email. It doesn’t do anything to make any of us safer. Most of the major players in the SPF movement have moved on to other projects. Even Hotmail, that evangelized SenderID (spf v.2), has mostly abandoned it. But, still, the true-believers come out of the woodwork with anecdata about how SPF is vital and important.

Except it’s not actually vital nor important. And it’s long past time for the cult of SPF to die.

They are admitting they can’t persuade, cajole, influence or pressure their companies to actually follow best practices. Some of the comments public and private comments I’ve heard from various industry leaders:

• “But my boss tells me we can’t stop what we’re doing, even though we’re getting less than 80% inbox delivery.”
• “In my heart, I believe that most email marketers have good intentions. They are not out to spam you. They don’t want to send you email that you don’t want, that you’ll delete, or that your (gasp) mark as spam. They want to do the right thing. The challenge is that their [sic] is constant pressure to squeeze more juice out of email marketing. “
• “My company can’t stop customers from sending to purchased lists, but want a list of really bad vendors so we can ban lists purchased from them. What sellers should we ban?
• “as an individual who has been doing email marketing for over 10 years now, I can tell you that there are internal pressures, IT resource constraints and just about anything you can imagine that can hinder a email marketer from doing what is right for the subscriber. Understand that as a professional, I strive everyday to become a better email marketer, but I sometimes fail. That in no way makes me stupid…it makes me human.”

I know that people want to squeeze every possible bit of revenue possible out of email. The problem is that, as the above people have admitted, squeezing every possible cent out of email means adopting practices that are disrespectful of the recipient. They are practices that cause most recipients to label mail as spam. That mail is indistinguishable from spam. Delivery is poor and contributes to the general noise in all our mailboxes.

Email marketers need to stand up and stop adopting practices used by spammers. Your recipients don’t care that it might be hard or expensive to not send them mail they didn’t ask for and don’t expect. Your recipients don’t care that you have pressure from your boss to meet quotas this month. Your recipients really only care about themselves and their mailboxes. Respect your recipients ahead of your bottom line.

Other highlights from the report include:

• Spam accounts for over 92% of all email.
• 95% of spam was sent from botnets at the end of July 2010.
• One in 327 emails contains malware and one in 363 emails is a phish.
• The number of rustock infected machines is falling, but the amount of mail each one is sending is increasing.
• More than 107 billion emails are being sent through botnets every day.

The end of the report things that, to my mind, should be of significant concern to legitimate marketers. Spammers are adopting tactics from marketers in order to hook users and probably evade detection by ISPs. These include personalizing email (examples) and using image only spam (examples).

One of the recommendations that I’ve repeatedly made here is that legitimate senders should not do things that make their mail look like spam. Sending image only emails is one way for marketers to look like spammers.

The other thing that stands out to me from this report is how small the percentage of legitimate marketing email is. 92% of email is spam. Let’s assume that no one reading this blog is part of that 92%, that means only 8% of mail is not-spam. How much of that is marketing is probably up for debate, but I don’t think that more than 50% of legitimate email is marketing (the other 50% is mail from friends and family, social networking notices and discussion groups).

With those numbers, I can understand why ISPs don’t focus as much as some marketers might like on false positives with spam filtering. In percentage terms it is a tiny fraction of mail and most consumer ISPs provide end users with the ability to override bulk foldering if the recipients really want that mail.

ISPs are the front line against criminals on the Internet. Blocking email is one of the primary ways they protect people. Given the extent of spam and malevolence of spammers they are to be commended for creating systems that have such a low percentage of false positives.

“Project Conduit (or the ‘Company’) is a leading email certification provider guaranteeing delivery of email for senders (brands) and their distribution or marketing agents,” the pitch letter said. “The Company’s core solution is certified email – an email delivery technology designed to ensure that the email bypasses spam filters and reliably reaches the recipients with links and images intact.”

Ken talked to Goodmail, Return Path and ISIPP. Both Return Path and ISIPP denied being the company referenced. Goodmail, on the other hand, responded to Ken’s inquiry with a short statement.

Several months ago, Goodmail began a large scale industry initiative to leverage on its successful email certification business and its unique enhanced email technology which enables video and interactivity.

While we courted participation in this initiative, we caught the attention of several very large companies. These companies expressed interest that went beyond participation. In response, to help us evaluate this interest and determine whether a transaction is in the best interest of our shareholders, we retained the services of an investment bank.

Ken’s article also discusses the implications of Goodmail no longer in use by Yahoo. Go read the whole article (and sign up).

“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.

My own opinion is that Google doesn’t do enough to police their network and their users, and that a SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.

Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.

Spamhaus says

Some Google-owned server IPs hosting severe malicious spam problems – specifically Google’s “Google Docs” service – do get rightly listed in the Spamhaus SBL when Google does not take action fast enough to stop the serving of malicious sites via Google Docs. Such listings act as pointers to the abused resource but do not in any way affect Google’s Gmail service or any Google outbound mail service.

Spamhaus goes on to talk about the responsibility providers have to police their userbase and the fact that large providers who are not policing their users are cost shifting to the rest of us.

We at Spamhaus surely understand the challenges that the cloud service providers face. These problems are not easy to solve and the scale and complexity of the systems involved certainly does not make things easier. What we are puzzled by is how the rest of the internet has to keep carrying the burden of this abuse. The companies that host these services all without exception make hundreds of millions of dollars each year. They employ some of the best and brightest engineers. Surely they can spend a little of their immense resources on making the internet they rely on for their business, a better and safer place.

Unfortunately, Google doesn’t seem to see any value in policing their customers and users. If they can’t make a buck at it, then it doesn’t get done. And if Google’s costs of doing business are shifted to other companies, so much the better. Good for Spamhaus for standing up and pointedly telling Google they can’t keep supporting spam and spammers.

In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.

This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.

ESPs should take action to prevent employees from stealing customer data.