The Messaging Anti-Abuse Working Group sent a letter to congress yesterday (PDF link), outlining the issues with SOPA and PIPA. I found it explained the bills and the flaws much better than many other summaries.

One of the best things about the document is the discussion of how spammers attempt to hide their identity. All too often I’ve been called in by ESPs to help them identify how a spammer got on their network and where their process failed. As filtering gets better at blocking spam, spammers are spending more and more time trying to steal good reputations to get their unwanted mail through.

Providers who follow these rules may still find themselves with spammers as customers, but the spammers will have to work harder to get on clean networks.

They’re a bit late to the party, though. Most of the major commercial ISPs have been implementing significant botnet controls for many years now. Control involves a number of different techniques, but notification has been designed into the system from day 1.

“There is no need for mandated action in this area since the market is already moving forward. Many ISPs are already doing a great deal to combat the menace of bots and malware. All over the U.S., ISPs currently have notification systems in place to tell their users they are infected and — whether they deliver these warnings via email, phone, walled gardens, or inline warnings — the warnings are being delivered,” says Michael O’Reirdan, chairman of the MAAWG. “Other ISPs currently have pilot programs or technology development efforts in place, and there will be more deployments in the near future.”

O’Reirdan says ISPs handled the spam battle on their own, and can also do so for battling bots. It has become a business issue for them, he says. “No one had to mandate anti-spam platforms: ISPs put them in place to deal with the menace of spam because, if they had not, they would have lost customers if customers’ mailboxes were overrun with spam. The same is happening with anti-bot platforms. It is becoming a ‘table stakes’ issue for ISPs, and legislating in this arena will merely lock the response of ISPs in stone to conform with the legislation rather than allow innovation and development to meet the rapidly varying nature of the bot challenge posed by the bad guys,” he says. Kelly Jackson Higgins

The ISPs have taken a leadership position in the area of protecting consumers from botnets. This has been a major discussion point at MAAWG for years. Many ISPs have worked closely with vendors to create detection and notification systems to mitigate and clean botnet infections.

The only surprise in the Messaging Anti-Abuse Working Group’s statement last week condemning email appending was that it didn’t publish one sooner.

However, MAAWG’s implication that email appending can’t be accomplished without spamming is nonsense.

Ken does have a point. I can come up with a number of scenarios where recipients give permission to have their data appended. It’s not totally impossible to append with permission. I don’t think MAAWG would argue that appending with permission is a violation of MAAWG core values.

But that’s all in theory. The fact that someone could do email appending with permission doesn’t mean they are. In fact, no one is. It’s expensive to do appending with permission and the return is low. There is a very practical reason no one is doing appending with permission: it’s not cost effective.

Let me put it another way. You can’t actually get enough people to opt-in to an appending process to pay for the cost of appending.

And that is why I am OK with MAAWG publishing a strong statement against appending without any nuance. Appending with permission is not a valid business model, so no appending service is going to offer it. I’m also convinced if someone did, somehow, come up with some magic business model that makes appending with permission cost effective that MAAWG would amend their statement.

But spending months (or years given the actual conversation) coming up with the right carve out language to accommodate non-existent business models seems a waste of time.

It is the position of MAAWG that email appending is an abusive practice. Sending email to someone who did not explicitly give informed consent for his or her email address to be used in this way is never acceptable. It will result in complaints, which only further illustrates how much end users find this practice abusive. It will result in delivery issues, largely as a result of those complaints. Legitimate marketers do not engage in email appending.

(bold in the original)

MAAWG isn’t mincing words here. They do not support sending mail without permission. They do not believe that matching an email address with a customer record constitutes permission to mail to that customer.

They are continuing to claim that Microsoft is scanning email before the email gets to Microsoft (or Yahoo) owned hardware.

Holomaxx has sufficiently alleged that Microsoft intercepted and scanned the contents of Holomaxx!s emails ” in transit without consent by using Bayesian techniques and a collaborative filtration system before the emails reached Microsoft’s servers [...]

Best I can figure Holomaxx seems to have convinced their lawyers that “Bayesian techniques” are some sort of magic, psychic filters that can look at packets on a wire and see what’s in them. This is so far from the truth as to be ludicrous.

Bayesian classifiers work by correlating the use of tokens (typically words, or sometimes other things), with spam and non spam e-mails and then using Bayesian inference to calculate a probability that an email is or is not spam.

A Bayesian filter is software. It has to run on hardware somewhere. Someone owns that hardware. In this case, it’s Micosoft and Yahoo.

I can see that Holomaxx is trying to get across that the filtering happens before the ISPs accept the emails. But this doesn’t mean the filters aren’t running on hardware owned by Yahoo or Microsoft. It is possible to content filter email during the SMTP transaction, often referred to as “on the wire.” But, in reality, the filters are still running on hardware owned by the recipient’s ISP. The receiver is just looking at the mail before it makes a decision whether or not to accept responsibility for delivering the email to the final recipient.

A new argument in this motion is that the emails were all confidential and that Holomaxx had a reasonable expectation that the mails would not be overheard or recorded. I’m not sure the advertisements Holomaxx has used as examples (Free HBO from Dish Network!) are actually confidential.  As a layperson I find it hard to see how this argument will work.

Holomaxx also doubles down on their argument that the MAAWG abuse desk best practices document is an objective industry standard.

Yahoo makes much about the fact that the MAAWG Abuse Desk Common Practices paper was from an October 2006 meeting. This is a mischaracterization of the document. The document specifically states that it was assembled with feedback received in sessions from three MAAWG meetings beginning in October 2006. (See Request for Judicial Notice submitted by Yahoo in support of MTD, Ex. 1.) The document was published in October 2007. (Id.) Regardless if it is 3 1⁄2 years old, no other set of practices have been promulgated by MAAWG or any other group concerning the topic of filtered emails. Until that happens, the MAAWG Abuse Desk Common Practices paper serves as the only industry guidelines or standard on that topic.

Once again, the document in question is not a standards document. Holomaxx conveniently ignores what the actual document is about: Abuse desk common practices. In many ISPs, abuse desks do not deal with blocking issues at all. The committee chose to comment on this because some abuse desks handle both inbound and outbound abuse. We’ll see what the judge says, though. I think that Holomaxx is taking the document totally out of context in order to demand, somehow, that their mail shouldn’t be blocked.

There is a hearing on both cases July 15th. I’m considering going down to the courthouse to listen in on the arguments.

Previous blog posts on the Holomaxx case:

• Futher amendment would be futile
• Holomaxx Status
• Amendment is futile, part 2
• Holomaxx v. MSFT and Yahoo
• Amendment is futile
• Email and law in the news
• Holomaxx dismisses part of lawsuit
• Comments on Holomaxx post
• The myth of the low complaint rate

The folks at MAAWG work hard and play even harder.

I came away from the conference feeling more optimistic about email than I have in quite a while. Not just that email is vital and vibrant but also that the bad guys may not be winning. Multiple sessions focused on botnet and crime mitigation. I was extremely impressed with some of the presenters and with the cooperation they’re getting from various private and public entities.

Overall, this conference helped me to believe that we can at least fight “the bad guys” to a draw.

I’m also impressed with the work the Sender SIG is doing to educate and inform the groups who send bulk commercial messages. With luck, the stack of documents currently being worked on will be published not long after the next MAAWG conference and I can point out all the good parts.

There are a couple specifics I can mention. One is the new list format being published by Spamhaus and SURBL to block phishing domains at the recursive resolver. I blogged about that last Thursday. The other bit is sharing a set of security resources Steve mentioned during his session.

If your organization is fighting with any messaging type abuse (email, social, etc), this is a great place to talk with people who are fighting the same sorts of behaviour. I do encourage everyone to consider joining MAAWG. Not only do you have access to some of the best minds in email, but you have the opportunit to participate in an organization actively making email, and other types of messaging, better for everyone.

(If you can’t sell the idea of a MAAWG membership to your management or you’re not sure if it’s right for you, the MAAWG directors are sometimes open to allowing people whose companies are considering joining MAAWG to attend a conference as a guest. You can contact them through the MAAWG website, or drop me a note and I’ll make sure you talk with the right folks.)

Plus, if you join before October, you can meet up with us in Paris.

If you’re going to MAAWG be sure to stop by and say hi!

So what’s the status of both cases?

The Yahoo case is going to arbitration sometime in July. Yahoo also has until May 20 to respond to the 1st amended complaint.

The Microsoft case is not going to arbitration, but they also have a response deadline of May 20.

I’m not a legal expert, but I don’t think that what Holomaxx has written fixes the deficits that the judge pointed out in his dismissal. We’ll see what the Y! and MSFT responses say a month from today.