Word to the Wise

Ken has a followup to his article last week about the EEC spamming.

Multiple e-mails obtained by this newsletter clearly show VIV was prospecting the EEC member list from its servers in violation of the EEC’s own privacy policy. […] Moreover, one reader sent this newsletter two separate free issues of two different editions of VIV that were spammed into his inbox on two different days. So Mullen’s claim that the effort only involved one issue of the magazine is nonsense.

So let’s recap: That’s at least two issues of the magazine—one of which was sent three times—and at least one standalone prospecting e-mail spammed into the inboxes of the members of an organization ostensibly dedicated to setting standards in the e-mail marketing industry.

I have to admit, I am not hugely surprised that the EEC is behaving this way. The DMA has long been the organization pushing for no limits on spamming. In 2003 I was sitting on a panel with Bob Wientzen at the FTC spam summit where he stated that direct marketers did not want to spam people, they just wanted the opportunity to take a single bite out of the apple. With millions of small businesses in the US, it does not take long before that apple is gone. In my experience the DMA has never been on the side of restraint or control in marketing. They seem to be all about sending more and more advertising at consumers, with the consumers unable to control  either their own personal information or the amount of junk they have to get rid of.

If this seems contrary to my post on the EEC mailing from last week, it is. I was giving the EEC the benefit of the doubt. Taking their statements at face value and giving them the opportunity to use their experience as an example of how not to do things. This week there is even more evidence contradicting their statements and explanations.

I was not the only person to give the EEC the benefit of the doubt. Ken takes a little bit of issue with that.

Does everybody get this now? Because judging by various blog entries last week, it seemed some people were simply chalking up to a learning experience the fact that the EEC handed over its members’ e-mail addresses to a private company—for whom the EEC’s co-chair, Mullen, just happens to be the vice president of marketing—to spam them multiple times with an irrelevant and inappropriate acquisition campaign.
Folks, this is not a teachable moment. Everybody in this industry knows not to pull the nonsense Zinio pulled in cahoots with the EEC—everyone, that is, except apparently the one organization claiming to be dedicated to pointing out sh*t everyone else should and shouldn’t do.

He is right. The EEC is supposed to be a leader in the industry and they should not be pulling these boneheaded moves. They should know the pitfalls and be held to higher standards than the rest of the industry.

No Comments »

Chris Marriott over at iMediaConnection talks about all the reasons email is a non-starter as a replacement for direct mail. This is something I have been telling clients for a while now. Chris mentions a number of reasons for why email is not an acquisition tool.

Today, banks can flood your mailbox with all the credit card offers they want, but they can’t flood your email box with the same offers. First, it’s not as easy to get your email address as it is your postal address. Second, even if a business has your email address, you can opt-out of that first prospecting email and be free forever from further offers. For these very important reasons, there is no direct linear progression from mail to email in the marketing world. Email is the most cost-effective retention, cross-sell and loyalty tactic in the universe, but it is not a viable acquisition tool in the way that direct mail is (though some would argue both are equally bad due to the sheer amount of wasted impressions).

The big reason he missed is complaints. It is difficult, if not impossible, to complain about direct mail. Even the opt-outs listed on the circulars do not work. For email, though, complaints are trivial. The ISPs have set up and manage a way for recipients to tell a sender they do not want any mail from that sender. Those complaints feed a scoring engine that allows the ISP to block mail that the recipients mark as spam. This feedback process makes it extremely difficult to use purchased email lists to acquire new customers.

Hat tip: BeRelevant

No Comments »

Ben over at MailChimp has an article talking about a recent experience with Postini and an actual bug that causes Postini to interact badly with another spamfilter and block non-spam.

No Comments »

Al wrote a post commenting on my post from last Thursday on spamfilters talking to senders who are being filtered. I think his take on it is close to mine. I would point out that Google has a pretty opaque system and no feedback to senders, but a lot of people seem to think their filters are accurate and do a good job.

Overall, I think there is room for discussion and feedback between senders and recipients, but on both sides the goal needs to be improving the enduser experience.

No Comments »

JD posed a question in my post about Postini and trying to sort out a customer getting marked as spam by their filtering mechanism and I think it bears more discussion than can be done in comments.

And sure, it’s a best practice for filtering companies to respond politely to requests from filterees. But is it a requirement? Do senders have a right to demand explanations?

There is not really an easy answer for that. My first response is “of course not!” but then I think about some of my clients who really have been trying to do the right thing and how we work through issue after issue and finally fix everything I can think of, but they still have delivery problems. These are not spammers, they are sending mail to people who have asked for it and by all measures do actually want it, but some mail is being blocked for reasons neither my client or I can figure out. In those cases it would be really nice if someone from the group doing the blocking would take 10 minutes to point me in the right direction and show me what I missed.

I have been doing this long enough to know that spamfilters are not 100% accurate. I know there are times when a specific block is outside the scope of what email the filter designer, or user, expected to block. Look at what happened when Yahoo started using the PBL a few months back. There was a bug in the implementation that neither Yahoo nor Spamhaus expected and that caused mail from IPs not listed on the PBL to be blocked because of the PBL. With a valid report of the problem, I could contact both Spamhaus volunteers and someone at Yahoo to point out there was a problem with the implementation. Yahoo and Spamhaus figured out the issue and fixed the problem and Yahoo is no longer blocking IPs not on the PBL for being on the PBL.

I do believe that there are times when feedback from senders and blockees is beneficial and can help improve the overall filters. I have clear evidence this is the case.

On the flip side, I also have been in the email business long enough to know that more than 99% of senders just want their mail delivered and do not care about anything other than getting into the inbox. They believe every block is a mistake and the ISP / spamfilter is wrong or broken. They are not interested in actually making sure the implementation of the filter meets the design goals, usually they do not care what the goals of that filter are. They are just interested in delivery of their mail. This creates a signal / noise ratio into the filters or ISPs that is so weighted to the noise side, there is almost no value to the filter or ISP in even having a channel for the small amount of signal.

The reality is that most senders do not spend a lot of time looking into a block before contacting the ISP. They use the ISP points of contact as a way to avoid doing hard work internally. This transfers lot more work onto the ISPs and makes them less conducive to working with any senders at all.

I also think there are slightly different obligations on commercial spamfiltering companies and ISPs in regards to listening to senders. Commercial spamfiltering companies are further removed from the end user than the ISPs are. In many cases the end user has no idea that the spamfiltering at their ISP has been outsourced to a commercial company and they have no internal resolution path. They can contact their ISP, but that is only useful if the ISP has an escalation path back to the filtering company. I think that this distance, and the fact that the spamfiltering companies are profiting directly from blocking mail, means that spamfiltering companies have more of a responsibility to be accessible to the people they are blocking. The irony is that the spamfiltering companies are generally less accessible to senders than ISPs are.

Overall I do not think that good spamfiltering happens in a vacuum, and that reliable reports from senders about inaccurate filtering help improve blocking schemes. Senders are not in a position to be making any demands of ISPs and filtering companies, however, I do believe that the end user experience would be better if there were more communication between senders and recipients. The problem is that the history of communication between the two groups has been contentious at best and there are only so many times the receivers are going to spend time listening to the senders, again.

I guess it boils down to no, senders do not have a right to demand explanations, but things might be better if more ISPs and spamfiltering companies engaged with non-spamming but blocked senders more often. Sorting out those non-spamming but blocked senders from legitimately blocked senders is the real trick and I expect if receivers could do that reliably, there would be no false positives.

2 Comments »

Mail from one of my clients is being filtered at Postini and they asked me to look into this. Not that there is anything that can be done, of course. Even before they were bought out by Google, they were the poster child for a spam filtering company that believed they could do no wrong. It was difficult, if not impossible to get a straight answer from Postini about filtering, and the only statement they would ever make in regards to blocking problems was ‘have the recipient whitelist your mail.’

It is not just that Postini will not talk with people who are blocked, they will not talk to their own customers, either. Many years ago, I was dealing with another Postini issue for a customer. This customer was a Postini customer and was sending mail to themselves to test their new ESP. Postini was blocking the mail and the customer wanted me to find out why. After a couple days of digging I did actually find a really-o truly-o human at Postini. [1] He explained to me that a single line of text, followed by an unsubscribe link was spam, always spam and nothing but spam. He also explained that the only way for that mail to be let through, was for my customer to turn off his Postini filters.

Fast forward 4 years and I once again have a customer blocked by Postini.  Usually, I tell customers there is nothing to be done for Postini blocks and that no one can find any information about them, but this customer is insistent. This particular customer has extremely clean mailing practices, sends highly relevant and wanted mail and consistently gets 95+% inbox delivery. They are not spammers, not even a little bit. Because I know this customer is so clean, I poked around a little to find some information about them. They do use the ReturnPath Mailbox Monitor so I have a copy of the headers Postini is adding. I also discovered that Postini is now providing a decoder service for their headers at https://www.postini.com/support/header_analyzer.php

The response you get back from pasting in a header is not that useful if you have found any of the numerous explanations of Postini headers, but it does show some willing. Note, there is no way to ask a question or provide feedback to Postini on the listing.

There is not much that can be done to deal with Postini filtering your email. The best you can do is have your recipients whitelist you.

[1] I believe I am the only person on the delivery end that has ever been able to actually talk to a live human at Postini, and I think that is only because I called them from the same area code they are in and some engineer decided to return the message I left on their corporate voicemail.

13 Comments »

Recently there has been a massive uptick in forgeries. I have been seeing hundreds of bounce back messages, peaking at more than 1000 in an hour. I have been talking about this with people who monitor large spamtrap feeds, large MTAs and spamfilters and it seems this is not an isolated experience. The consensus seems to be that there is new spamware out there which is using email addresses on the spam list as a From: address

The volume itself is annoying. Thousands of messages a day from “mailer-daemon” telling me that the mail I sent with the subject line “Get a longer tool” cannot be delivered to some random address some where. These are coming to at least 3 separate email addresses. One of them was given to Intuit back in 2001/2002 when I registered a copy of Quicken, and ended up leaked to loan spammers and is all over spam lists. The other two are addresses scraped from websites. Same spammer has them, same spammer is using them as part of his spam run.

Even more annoying than the volume, though, is the challenge/response emails. “Your email to jobobjimbo@example.com cannot be delivered until you click this link.” I have been adding every domain I can find that is using c/r to my filters, and just discarding the c/r emails so I do not have to deal with them. That is not my ideal solution, it does mean that if someone using c/r ever tries to contact me I will not see the challenge and our communications cannot happen.

Some people have recommended that the right way to deal with challenges from forged spam are actually to answer the challenges. As the reasoning goes, if someone using c/r is going to outsource their spam filtering to a victim of spam forgery, then they should expect that the “spam filter” may have a different opinion than they do. While I always sympathized with this viewpoint, I was not sure I would ever confirm spam forgeries. The sheer volume of c/r stuff I have received in the last few weeks has almost convinced me that people who use c/r deserve every bit of spam they get. If a c/r filter lets in spam, then perhaps they will reconsider their choice to spew challenges out to forged email addresses.

The amount of c/r spam I am getting as part of the forgery runs is decreasing, I think I have finally managed to block the primary sources. It does mean I will not be able to communicate with people who use c/r in the future, but I find this a small price to pay for not having to be an outsourced spam filter. I get enough of my own spam, I really do not want to have to deal with yours.

No Comments »

Here is some advice on dealing with ISPs over a blocking issue.

1. Do know what IP is blocked if it is an IP based block.
2. Do know what domain is blocked if it is domain based block.
3. Do know what the rejection message is and have it handy.
4. Do be polite.  Most of the ISPs get hundreds of contacts a day, many of which are decidedly impolite. If you are the polite one you’re much more likely to float to the top than if you are one of the thousand screamers.
5. Do not make threats. There is nothing you can threaten that they have not been threatened with before.
6. Do not lecture them about the law. It is unlikely you understand the legal issues better than they, and their lawyers, do
7. Do respect everyone’s time. Arguing is not productive. Asking for information and clarification is productive.
8. Do remeber that they’re extremely busy. The ISP does not need to hear about your business model - brevity is a virtue.
9. Do not mention CAN SPAM. That’s like saying “I do the bare minimum the law requires and expect you to accept my mail anyway.”
10. Do not ask them to remove the block. Ask them what you did to get blocked and how to avoid being blocked in the future.
11. Do remember this is probably the same person you will need to deal with in the future and that this is not a one time conversation. Leave them remembering you, if not fondly, at least productively.

The above all go for talking to the major blacklists, too.

Edited to add: 12. Do use the proper channels to contact them. 

6 Comments »

Many of my clients come to me when they end up with delivery problems due to the actions of affiliates. These can either be listings in some of the URL blocklists (either public or private) or escalations of IP based listings. In many of the cases I have dealt with affiliates, the affiliates have sloppy mailing practices or are out and out spammers.

Recently the FTC settled with Cyberheat over their liability for the behaviour of their affiliates. In this settlement Cyberheat is required to monitor their affiliates as follows:

• Contractually requiring the affiliate to identify any subaffiliates it intends to us
• Providing each affiliate a copy of the Order
• Obtaining from each affiliate an express agreement to comply with the Order and the CAN SPAM Act
• Contractually requiring each affiliate that intends to use email marketing to provide Cyberheat, at least 7 days before the campaign, the email address from which the email will be sent, the subject line, the proposed dates the email will be sent, the email addresses to which the email will be sent, and a certification regarding how the addresses were obtained
• At least 3 days prior to an email campaign being conducted, Cyberheat must review the campaign for compliance with the CAN SPAN Act and provide written acknowledge that it has reviewed the campaign and that it complies with the CAN SPAM Act, and
• Requiring each consumers that signs up for Cyberheat service to identify the manner through which they heard of the service. If they heard of the service via email, Cyberheat must monitor the affiliate that sent the email for continued compliance with the CAN SPAM Act.

These conditions are very similar to the conditions I helped some clients establish when they ended up on the SBL due to the behaviour of their affiliates. We did set contractual limits on what the affiliates could do, and require they comply with an AUP. We also set out a vetting process to verify that the affiliate would not send spam. Questions all affiliates had to answer included:

1. Company name, address, domain, opt-in policies
2. Main website
3. Outgoing mail IP(s)
4. Domains used in email
5. Where do they get their email addresses?

Each candidate must pass the at a minimum checks:

• Check the opt-in policies as listed on the website.
• Check mail IPs on spamhaus and other blacklists
• Check rDNS on IPs
  • Is their reverse DNS set up
  • Is it reasonable
  • what is rDNS of nearby space
• Check whois record
  • How new is the record
  • Is there valid contact information in the record?

Additionally, a unique address will be signed up at every affiliate.

One of the difficulties my client and I discovered while vetting affiliates is that many affiliate programs hide their mailing IPs and will refuse to reveal any information about where the mail comes from. This makes it difficult, if not impossible, to determine if they are associated with any reports of spam.

I have yet to find the silver bullet for determining the cleanliness of an affiliate program. I think it is clear, though, that the FTC expects companies to know who their affiliate mailers are and to not patronize affiliates who are sending spam.

Hat tip: Venkat

1 Comment »

Yahoo is aware of the recent problems and have been working feverishly to fix them. A Yahoo employee posted to a mailing list earlier today, explaining some of the recent issues. The summary is:

1) The Yahoo delays are a result of a tighter spam filtering policy. The delays are the result of the system erroneously recognizing email as spam and deferring delivery. They do believe that retrying long enough will result in all mail being delivered to Yahoo recipients.

2) They have been continually making fixes to the system over the last few days and senders should see queues start to empty over the next few hours.

3) They believe the adjustments made will resolve the deferral problems. If you continue to see problems, you can contact them through the form at http://postmaster.yahoo.com/.

4) They are working to provide more self-serve information at http://postmaster.yahoo.com/ as well as timely service updates.

Loose ends from my previous Yahoo posts:

1. The rumors of an attack were just that, rumors.
2. The Yahoo blog post about outbound servers is unrelated to the problems seen by senders recently. Outbound SMTP servers are not the same as the MX machines.

Good news all around. Thanks to the people at Yahoo for working so diligently to fix the problems.

5 Comments »