Word to the Wise

Recently there has been a massive uptick in forgeries. I have been seeing hundreds of bounce back messages, peaking at more than 1000 in an hour. I have been talking about this with people who monitor large spamtrap feeds, large MTAs and spamfilters and it seems this is not an isolated experience. The consensus seems to be that there is new spamware out there which is using email addresses on the spam list as a From: address

The volume itself is annoying. Thousands of messages a day from “mailer-daemon” telling me that the mail I sent with the subject line “Get a longer tool” cannot be delivered to some random address some where. These are coming to at least 3 separate email addresses. One of them was given to Intuit back in 2001/2002 when I registered a copy of Quicken, and ended up leaked to loan spammers and is all over spam lists. The other two are addresses scraped from websites. Same spammer has them, same spammer is using them as part of his spam run.

Even more annoying than the volume, though, is the challenge/response emails. “Your email to jobobjimbo@example.com cannot be delivered until you click this link.” I have been adding every domain I can find that is using c/r to my filters, and just discarding the c/r emails so I do not have to deal with them. That is not my ideal solution, it does mean that if someone using c/r ever tries to contact me I will not see the challenge and our communications cannot happen.

Some people have recommended that the right way to deal with challenges from forged spam are actually to answer the challenges. As the reasoning goes, if someone using c/r is going to outsource their spam filtering to a victim of spam forgery, then they should expect that the “spam filter” may have a different opinion than they do. While I always sympathized with this viewpoint, I was not sure I would ever confirm spam forgeries. The sheer volume of c/r stuff I have received in the last few weeks has almost convinced me that people who use c/r deserve every bit of spam they get. If a c/r filter lets in spam, then perhaps they will reconsider their choice to spew challenges out to forged email addresses.

The amount of c/r spam I am getting as part of the forgery runs is decreasing, I think I have finally managed to block the primary sources. It does mean I will not be able to communicate with people who use c/r in the future, but I find this a small price to pay for not having to be an outsourced spam filter. I get enough of my own spam, I really do not want to have to deal with yours.

No Comments »

Ken Magill reported today that Responsys has unveiled a tool to measure the relevancy of email marketing programs. This tool is intended to help marketers implement the advice “be more relevant.”

No Comments »

I’ve been hearing stories from other deliverability consultants and some ISP reps about what people are telling them. Some of them are jaw dropping examples of senders who are indistinguishable from spammers. Some of them are just examples of sender ignorance.

“We’re blocked at ISP-A, so we’re just going to stop mailing all our recipients at ISP-A.” Pure spammer speak. The speaker sees no value in any individual recipient, so instead of actually figuring out what about their mail is causing problems, they are going to drop 30% of their list. We talk a lot on this blog about relevancy and user experience. If a sender does not care about their email enough to invest a small amount of time into fixing a problem, then why should recipients care about the mail they are sending?

A better solution then just throwing away 30% of a list is to determine the underlying reasons for  delivery issues, and actually make adjustments to  address collection processes and  user experience. Build a sustainable, long term email marketing program that builds a loyal customer base.

“We have a new system to unsubscribe people immediately, but are concerned about implementing it due to database shrink.” First off, the law says that senders must stop mailing people that ask. Secondly, if people do not want email, they are not going to be an overall asset. They are likely to never purchase from the email, and they are very likely to hit the ‘this is spam’ button and lower the overall delivery rate of a list.

Let people unsubscribe. Users who do not want email from a sender are cruft. They lower the ROI for a list, they lower aggregate performance. Senders should not want unwilling or unhappy recipients on their list.

“We found out a lot of our addresses are at non-existent domains, so we want to correct the typos.” “Correcting” email addresses is an exercise in trying to read recipients minds. I seems intuitive that someone who typed yahooooo.com meant yahoo.com, or that hotmial.com meant hotmail.com, but there is no way to know for sure. There is also the possibility that the user is deliberately mistyping addresses to avoid getting mail from the sender. It could be that the user who mistyped their domain also mistyped their username. In any case, “fixing” the domain could result in a sender sending spam.

Data hygiene is critical, and any sender should be monitoring and checking the information input into their subscription forms. There are even services which offer real time monitoring of the data that is being entered into webforms. Once the data is in the database, though, senders should not arbitrarily change it.

No Comments »

The Comcast FBL has been moved out of beta testing an into production. ISPs and senders can sign up for the FBL at http://feedback.comcast.net/

All of the applications are currently reviewed by hand, so there may be some delay as they deal with the launch rush. Please be patient. If you currently have a FBL through the beta program, you do not need to do anything, the FBL will continue.

3 Comments »

I have recently become aware of 2 new blog communities based around email marketing.

One is a feedburner community Email Marketing Expert

The other is Box of Meat

Enjoy.

No Comments »

One thing I frequently mention, both here on the blog and with my clients, is the importance of setting recipient expectations during the signup process. Mark Brownlow posted yesterday about signup forms, and linked to a number of resources and blog posts discussing how to create user friendly and usable signup forms.

As a consumer, a signup process for an online-only experience that requires a postal address annoys and frustrates me to no end. Just recently I purchased a Nike + iPod sport kit. Part of the benefit to this, is free access to the Nike website, where I can see pretty graphs showing my pace, distance and time. When I went to go register, however, Nike asked me to give them a postal address. I know there are a lot of reasons they might want to do this, but, to my mind, they have no need to know my address and I am reluctant go give that info out. An attempt to register leaving those blanks empty was rejected. A blatantly fake street address (nowhere, nowhere, valid zipcode) did not inhibit my ability to sign up at the site.

Still, I find more and more sites are asking for more and more information about their site users. From a marketing perspective it is a no-brainer to ask for the information, at least in the short term. Over the longer term, asking for more and more information may result in more and more users avoiding websites or providing false data.

In the context of email addresses, many users already fill in random addresses into forms when they are required to give up addresses. This results in higher complaint rates, spamtrap hits and high bounce rates for the sender. Eventually, the sender ends up blocked or blacklisted, and they cannot figure out why because all of their addresses belong to their users. They have done everything right, so they think.

What they have not done is compensate for their users. Information collection is a critical part of the senders process, but some senders seem give little thought to data integrity or user reluctance to share data. This lack of thought can, and often does, result in poor email delivery.

1 Comment »

Yesterday we talked about social networks that harvest the address books of registered  users and send mail to all those addresses on behalf of their registered user. In the specific case, the registered user did not know that the network was going to send that mail and subsequently apologized to everyone.

That is not the only way social networks collect addresses. After I posted that, Steve mentioned to me that he had been receiving invitations from a different social network. In that case, the sender was unknown to Steve. It was random mail from a random person claiming that they knew each other and should network on this new website site.  After some investigation, Steve discovered that the person making the invitation was the founder of the website in question and there was no previous connection between them.

The founder of the social networking site was harvesting email addresses and sending out spam inviting people he did not know to join his site.

Social networking is making huge use of email. Many of my new clients are social networking sites having problems delivering mail. Like with most things, there are some good guys who really do respect their users and their privacy and personal information. There are also bad guys who will do anything they can to grow a site, including appropriating their users information and the information of all their users correspondents.

It is relatively early in the social networking product cycle. It remains to be seen how much of an impact the spammers and sloppier end will have. If too much spam gets through, the spam filters and ISPs will adapt and social networks will have to focus more on respecting users and potential users in order for their mail to get delivered.

1 Comment »

The next killer ap on the Internet seems to be social networking. Everyone has a great idea for the next facebook or or myspace. All of these sites, though, have to find users. The site will fail if there are no users. One way to get new users is to ask all your current users to invite all their friends to join. This tends to lead to the marketing / product decision to insert functionality into the social networking site which allows current users to upload their address book and the site itself will send out invitations to all your friends and contacts.

This is not actually as great as an idea as it sounds, however. First, you end up with situations like what happened to me this past week.  On Wednesday I received the following email:

Hi,

I looked for you on Reunion.com, the largest people search service — but you weren’t there.

See who else has been searching for you! Click here.

—Bob

Reunion.com - Life Changes. Keep in Touch.™
You have received this email because a Reunion.com Member sent an invitation to
this email address. For assistance, please refer to our FAQ or Contact Us.
Our Address: 2118 Wilshire Blvd., Box 1008, Santa Monica, CA 90403-5784

Bob is actually a current client and I recognized his full name in the from address. Bob has my current information and we have had contact within the last few weeks so I know he is not actually using reunion.com to try and find me. I spend a few minutes poking at reunion.com trying to figure out how to make the mail stop and make sure they never bother me again, discover they do not want to make that easy and give up. I can always block them if their email becomes annoying.

The next day, I receive an email from Bob, it says:

All,

If you received an email from reunion.com on my behalf, please IGNORE it as that email was sent without my knowledge and I have not sent it willingly. This email was sent to all my contacts in my email address book.

I have already cancelled my account on that site and it is really weird that the site would do this without my permission.

The site is “force inviting” people from your contacts if you register on the site, which is very annoying.

Thanks,

–
Bob

Because of this behaviour, reunion.com has now lost one registered user, and he has told all his contacts to avoid the site in the future.

Reunion.com is not alone in their rush to grab any address they can get a hold of. Most sites will let you upload address books, or your account information so they can mail all your contacts introducing their new product. It is an attempt to appear to be organic viral marketing, but it is not. In point of fact it is no different than randomly harvesting addresses off websites and mailing them.

Social networks need to be very careful about appropriating addresses and assuming permission. This week, reunion.com appropriated both Bob’s address and my own and assumed they had permission to email me on Bob’s behalf. In fact, they did not have Bob’s permission to appropriate his address and they certainly did not have my permission to contact me.

Many newborn social networks are using similar types of spam to spread their presence. It remains to be seen if this is a working strategy or if they are forced to actually start actually caring about permission.

1 Comment »

Yesterday Judge Zagel ruled on Comcast’s motion for judgment on the pleadings. I think the tone of the ruling was clear in the first 3 sentences.

Plaintiff e360Insight, LLC is a marketer. It refers to itself as an Internet marketing company. Some, perhaps even a majority of people in this country, would call it a spammer

In the end, the judge ruled that Comcast has immunity for their actions under 230(c) and ruled in their favor.

I grant judgment on the pleadings with respect to the complaint as a whole on the grounds that § 230(c) precludes proceeding on any of the claims. Alternatively, I dismiss the remainder of the claims for the reasons stated above.

The judge has one of the better summaries of 230(c) in regards to email.

The initial question is whether the kind of unsolicited and bulk e-mails (whether you call them spam or mass marketing mailings) are the sort of communications an entity like Comcast could deem to be objectionable. A few courts have addressed the issue and answered “yes.” See Optinrealbig.com, LLC v. Ironport Systems, Inc., 323 F.Supp.2d 1037 (N.D. Cal. 2004) (company that forwarded spam complaints to ISPs entitled to immunity). Indeed, section 230 imposes a subjective element into the determination of whether a provider or user is immune from liability. Zango, Inc. v Kaspersky Lab, Inc., No. 07-0807, slip. op. at 6-7 (W.D. Wash. Aug. 28, 2007) (noting that section 203(c)(2) only requires that the provider subjectively deems the blocked material objectionable); Pallorium v. Jared, 2007 WL 80955, at *7 (Cal. Ct. App. Jan. 1, 2007) (same). This standard furthers one of section 230’s goals “to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services.” § 230(b)(3). Here, there is no question that Comcast, through the use of its numerous programs, software, and technologies, considers the material sent by e360 via e-mail objectionable.

He goes on to evaluate the protections of 230(c) against the text of CAN SPAM

But compliance with CAN-SPAM, Congress decreed, does not evict the right of the provider to make its own good faith judgment to block mailings.  Section 7707 of the Act says that nothing in the Act shall “have any effect on the lawfulness . . . under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle or store certain types of electronic mail messages.”  See White Buffalo Ventures, LLC v. University of Texas, 420 F.3d 366, 371 (5th Cir. 2005); § 7707(c).

Under the law, a mistaken choice to block, if made in good faith, cannot be the basis for
liability under federal or state law.  To force a provider like Comcast to litigate the question of
whether what it blocked was or was not spam would render § 230(c)(2) nearly meaningless.

As the judge has now determined that the protections of 230(c) do apply, and goes on to answer the question “was Comcast acting in good faith” with the answer “e360 did not adequately plead Comcast wasn’t acting in good faith.”

Two other things of note in the ruling. One was the Judge’s comment on the alleged denial of service attack. It was a footnote in the ruling, but worth mentioning.

e360 says, in its brief, that Comcast has also engaged in “denial of service” attacks on their system which acts overwhelm e360’s system and prevent it from sending or receiving e-mails.  e360 also claims that Comcast sends incorrect bounce information to their system with respect to e-mail addresses of those on e360’s opt-in list.  I do not understand what is being alleged.  If e360 means that Comcast is refusing to transmit the e-mails and communicates this fact to e360 by bouncing them back, then it is e360’s choice to submit very large numbers of e-mails for transmission which, after the first Comcast block, it should have known of this possibility and been prepared for it (perhaps by altering its protocols to allow for a connection to be disconnected).  It is hard to see that sending e-mails back, in this context, is a denial of service
“attack” when it is designed to prevent legitimate users of a service from using the service.  It is not an “attack” to prevent users not believed to be legitimate from using a service.  It is also impossible to see the allegations here as stating that Comcast intentionally accesses a computer without authorization.  Unless these computers operate in non-standard ways, the initiation of access is laid at e360’s door, not at Comcast’s.

The other was the judge’s agreement with Comcast that even if 230 did not apply, that e360 failed to state claims on all counts. Another footnote:

Comcast argues that, absent its statutory protection, e360 has failed to state claims on all of its Counts.
(A)  I agree that the Tortious Interference with Prospective Economic Advantage Count is difficult to understand.  I have found no cases in which refusal to allow a plaintiff to run an advertisement in a medium with wide circulation (and thus reducing sales) of plaintiff’s products  or those from whom he is selling constitutes such tortious interference.  Usually the prospective economic advantage is far more concrete than selling to public which consists of people on a very, very long opt-in list.  It is illegal to interfere with a fair number of prospects, but usually they are a class of easily identified individuals and usually the interference is that of the defendant interacting directly with the prospective buyers.
(B)  The claim under CFAA under the “ denial of service” theory fails for the reasons
stated above.
(C)  Comcast is a private enterprise and has no obligation to honor the free speech rights of e360.  C.B.S. v. Democratic Nat’l Comm., 412 U.S. 94 (1973).  Comcast provides services traditionally performed by private enterprises, not the government.  The government does not,  with very few exceptions, connect people with one another through the Internet.  Jackson v. Metropolitan Edison, 419 U.S. 345 (1974) (publicly regulated utility).  The fact that an enterprise is regulated, licensed, or funded by the government does not make the enterprise part of the state.  Wilcher v. City of Akron, 498 F.3d 516 (6th Cir. 2007).

There we go. Comcast prevails, e360 loses. There is no word yet on whether Comcast will continue with the countersuit.

Not being a lawyer, I do not have the credentials or training to fully comment on the ruling. However, in my non-legal opinion, I think the judge demonstrated a firm grasp of the policy and technology involved in blocking spam and applied the law in a way that makes it very, very clear that blocking mail is legal and that a marketing company cannot use the law to attempt to get mail delivered.

Full text of the ruling is up at SpamSuite. I hear he’s currently /.ed so his site might load a little slowly.

No Comments »

Here is some advice on dealing with ISPs over a blocking issue.

1. Do know what IP is blocked if it is an IP based block.
2. Do know what domain is blocked if it is domain based block.
3. Do know what the rejection message is and have it handy.
4. Do be polite.  Most of the ISPs get hundreds of contacts a day, many of which are decidedly impolite. If you are the polite one you’re much more likely to float to the top than if you are one of the thousand screamers.
5. Do not make threats. There is nothing you can threaten that they have not been threatened with before.
6. Do not lecture them about the law. It is unlikely you understand the legal issues better than they, and their lawyers, do
7. Do respect everyone’s time. Arguing is not productive. Asking for information and clarification is productive.
8. Do remeber that they’re extremely busy. The ISP does not need to hear about your business model - brevity is a virtue.
9. Do not mention CAN SPAM. That’s like saying “I do the bare minimum the law requires and expect you to accept my mail anyway.”
10. Do not ask them to remove the block. Ask them what you did to get blocked and how to avoid being blocked in the future.
11. Do remember this is probably the same person you will need to deal with in the future and that this is not a one time conversation. Leave them remembering you, if not fondly, at least productively.

The above all go for talking to the major blacklists, too.

Edited to add: 12. Do use the proper channels to contact them. 

6 Comments »