Tag Archive for 'Standards'

How to be a spammer

JD had a comment on my Valentines day semi-fluff post, that really summed up the reality for senders. He said

Make sure your mail doesn’t look anything like spam — not just in the text and formatting, but in all of your mailing practices.

Good advice: your mail will not be blocked if it does not look like spam. What kinds of things do I mean? Here are things that spammers do, and that non-spammers often do as well.

Ignore bounces. One of the absolute quickest ways to get blocked is to keep sending mail to non-existent addresses. Purge your lists and make sure you are removing the addresses that will never deliver.

Hide contact information. Do not use a domain privacy service; put your real business address in your whois records.

Fake contact information. Do not use blatantly fake information in your domain registration. Register your actual business address. Do not use 555-xxxx phone numbers.

Use free or very low cost vendors. Do not use free or advertising-supported vendors for your web hosting, mail hosting, or DNS. Geocities-hosted web pages, mydyndns.org-hosted name servers, and freemail addresses (aim, gmail, hotmail, yahoo addresses) are ways spammers get around blocks.

Shift IP addresses. If you get an IP address blocked, for any reason, do not just start mailing from another IP. Figure out what the problem is and fix it. Skipping around blocks is what spammers do.

Mail from many different places. Do not send emails from a diverse set of IP addresses located all over the world. Spammers spread their sending out in order to dilute their spam metrics and avoid threshold-based blocks. They have done this so often there is even a term for it: snowshoeing.

Use bad HELO values. Many botnets and spam-infected Windows machines use badly formatted or incorrect HELO values. Use a fully qualified domain name, in your own domain, as your HELO value.

Use generic rDNS. Set a reverse DNS value for your IPs that does not contain the IP address or otherwise look programmatically assigned.

Use incorrect HTML. Spammers hide text and use fake HTML tags in order to avoid content filters. Consequently, filters check HTML against the HTML specification.

Send different HTML and text in multipart/alternative email. In addition to using badly formatted and fake HTML, spammers put drastically different text in the text part of HTML emails. Filters check for this, and too many differences between the parts make mail look like spam.

Send no text part in HTML email. Spammers do this to avoid the above two filters. Do this and you look no different than they do.

Use multiple corporate identities. If you have separate divisions or brands, that is one thing, but spammers often set up completely separate companies and conceal the relationship between them.
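The HELO, rDNS and multipart/alternative points above are easy to check against your own outbound mail before a receiver's filter does. Here is an added example of such a sender-side lint in Python; it is not code from the original post, and the sample message and host names in it are constructed.

```python
import difflib
import re
from email import message_from_string

def part_similarity(raw_message):
    # 0..1 similarity of the text/plain and text/html parts; None if one is missing.
    plain = html = None
    for part in message_from_string(raw_message).walk():
        body = part.get_payload(decode=True)  # None for the multipart container
        if body is None:
            continue
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/plain":
            plain = " ".join(text.split())
        elif part.get_content_type() == "text/html":
            html = " ".join(re.sub(r"<[^>]+>", " ", text).split())  # drop tags
    if plain is None or html is None:
        return None
    return difflib.SequenceMatcher(None, plain.lower(), html.lower()).ratio()

# A HELO should be a fully qualified host name, not a bare label like "WIN-PC".
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def helo_is_fqdn(helo):
    return bool(FQDN_RE.match(helo))

def rdns_is_generic(ip, ptr):
    # True if the PTR embeds the IP's octets (dotted, dashed, reversed or hex-packed).
    octets = ip.split(".")
    name = ptr.lower().rstrip(".")
    forms = [sep.join(o) for sep in ("-", ".") for o in (octets, octets[::-1])]
    forms.append("".join(f"{int(o):02x}" for o in octets))
    return any(form in name for form in forms)

# Constructed sample: text and HTML parts carry the same content.
SAMPLE = """MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your weekly update: new products are now in stock.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Your weekly update: <b>new products</b> are now in stock.</p></body></html>
--b1--
"""
```

Replace the text part of SAMPLE with unrelated wording and the similarity drops sharply, which is exactly the signal the filters described above key on.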

All of these things are spammer tactics meant to confuse, fool, deflect and avoid filtering mechanisms.

How many of them does your company do?


Yahoo and Spamhaus

Yahoo has updated and modified their postmaster pages. They have also put a lot of work into clarifying their response codes. The changes should help senders identify and troubleshoot problems without relying on individual help from Yahoo.

There is one major change that deserves its own discussion. Yahoo is now using the SBL, XBL and PBL to block connections from listed IP addresses. These are public blocklists run by Spamhaus. Each of them targets a different type of spam source.

The SBL is the blocklist that addresses fixed spam sources. A sender gets listed on the SBL for sending email to people who have never requested it. Typically, this involves email sent to an address that has not opted in to the email. Such addresses, known as spamtraps, are used as sentinel addresses: any mail sent to them is, by definition, not opt-in, because they are never signed up to any mailing list by the person who owns the address. Spamtraps can get onto a mailing list in a number of different ways, but none of them involve the owner of the address giving the sender permission to email them.

Additionally, the SBL will list spam gangs and spam supporters. Spam supporters include networks that provide services to spammers and do not take prompt action to remove the spammers from their services.

The XBL is a list of IP addresses which appear to be infected with trojans or spamware, or which can be used by hackers to send spam (open proxies or open relays). This list includes both the CBL and the NJABL open proxy list. The CBL lists machines which appear to be infected with spamware or trojans. The CBL works passively, looking only at those machines which actively make connections to CBL detectors. NJABL lists machines that are open proxies and open relays.

The Policy Block List (PBL) is Spamhaus’ newest list. Spamhaus describes this list as

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

PBL IP address ranges are added and maintained by each network participating in the PBL project, working in conjunction with the Spamhaus PBL team, to help apply their outbound email policies.

Additional IP address ranges are added and maintained by the Spamhaus PBL Team, particularly for networks which are not participating themselves (either because the ISP/block owner does not know about, is proving difficult to contact, or because of language difficulties), and where spam received from those ranges, rDNS and server patterns are consistent with end-user IP space…

Generally, email service providers and bulk senders only need to be concerned about the SBL. Being listed on the SBL is a sign that your subscription processes allow addresses to be subscribed by people who do not own those addresses. Removal from the SBL involves fixing subscription processes and verifying that all recipients do actually want to receive your email.

Generally, ESPs and bulk senders should not be listed on either the XBL or the PBL. I am aware of a couple of cases where senders were listed on the XBL, but in all of these cases there was a Windows machine inside the company, infected with a trojan, sending spam. Once the machine was cleaned, the listing was removed promptly. Senders listed on the PBL should talk to their ISP for resolution.
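An added example, not from the original post, of how a sender can check its own IPs against these lists the same way a receiver like Yahoo does: reverse the octets, query the Spamhaus zone, and map the 127.0.0.x answers back to SBL, XBL or PBL together with the advice given above. It assumes Spamhaus's combined zen.spamhaus.org zone and its published return codes, and the constructed FAKE_TABLE stands in for live DNS so the example runs offline.

```python
import ipaddress
import socket

# Return codes for Spamhaus's combined "zen" zone, which answers for the SBL, XBL
# and PBL at once (assumed from Spamhaus's published documentation; verify before use).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# What the post advises for each list.
ADVICE = {
    "SBL": "fix subscription processes; confirm every recipient asked for the mail",
    "XBL": "find and clean the infected or open-proxy machine behind this IP",
    "PBL": "dynamic/non-MTA space: talk to your ISP, or send through its outbound relay",
}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    # DNSBLs are queried by reversing the octets and appending the zone.
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def live_resolver(name):
    # Real lookup: the A records returned, or [] when the name does not exist.
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def spamhaus_listings(ip, resolver=live_resolver):
    # Set of Spamhaus lists the IP is on, e.g. {"XBL"}; empty if it is not listed.
    answers = resolver(dnsbl_name(ip))
    if any(a.startswith("127.255.255.") for a in answers):
        raise RuntimeError("query refused or rate-limited: %s" % answers)  # assumed error range
    return {ZEN_CODES.get(a, "UNKNOWN:" + a) for a in answers}

def remediation(ip, resolver=live_resolver):
    # Pairs each listing with the post's advice for it.
    return {lst: ADVICE.get(lst, "unrecognised return code") for lst in spamhaus_listings(ip, resolver)}

# Constructed answers standing in for DNS so the example runs offline.
FAKE_TABLE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],                 # an infected host
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.11"],   # SBL and PBL together
}

def fake_resolver(name):
    return FAKE_TABLE.get(name, [])
```

Call `remediation("203.0.113.5")` without the fake resolver to query the live zone for one of your own IPs.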


Changes at Comcast

I can usually tell when one of the ISPs makes some change to their incoming spam filtering just by my call volume. The past few weeks the ISP in most of my calls has been Comcast. And, what do you know, they have made changes to how they are filtering email.

According to their bounce message, Comcast is using ReturnPath’s proprietary SenderScore product to filter mail. Reports on thresholds vary, but IPs with SenderScores of 70 and below have been blocked with messages similar to:

Remote host said: 554 IMTA06.emeryville.ca.mail.comcast.net comcast
10.01.01.01 Comcast BL009 Blocked for spam. Please see
http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy19053

In addition to blocking based on SenderScore, Comcast also appears to be blocking based on complaints from their users. Comcast is testing a feedback loop. I have heard from one FBL user that there are some kinks to work out, but that the FBL provider is working with them to resolve the problems.

This new process is a complete change from the previous way Comcast handled email blocking. Previously they were primarily using Brightmail to filter spam from their mail stream; now they are using complaints to identify bad mail. During the transition mailers are seeing an increase in blocked email.

There are solutions. Use the forms Comcast directs you to use when they reject your mail. If there are extensive problems, talk to your delivery monitoring company or your delivery consultant. Most of us have the ability to escalate issues and talk to people inside the ISPs in order to determine whether there is some specific problem and what you can do about it. But don’t panic: Comcast doesn’t hate you, and in fact I expect these changes are going to be better for everyone in the long run.


Blocklists and standards

I received a comment this morning on my post about e360 v. Spamhaus, which I think brings up a point that deserves a post of its own. Skinny says:

If Spamhaus can create their own list of what spam is or isn’t, then what is to stop us applying this rule in the real world? A joy rider can carry a mission statement declaring that in his terms car theft is OK (an over-the-top compression, but it does give the idea).

First off, I do not agree that what happens online is somehow not real. Sure, on the Internet no one knows you’re a dog, but the Internet is real. It is a place where people meet, form communities, interact, make purchases, play, work, research and hundreds of other things. I’ve personally made connections over the Internet that have resulted in a lot of real world things, including friendships, jobs and job offers, this company and even my marriage.

Secondly, I think his analogy is flawed. In my opinion, Spamhaus is not in the position of the joy rider. Rather, they are more like the private security company hired by a group of people to patrol an area and interrupt joy riders as they are stealing cars. The security company has no authority to create laws and cannot arrest or detain someone who might be a criminal. Their job is as a presence and deterrence. They enforce the standards of the communities using their services.

Of course, my analogy is not completely accurate, either. Spamhaus does set standards for what IP addresses they list. Companies that use Spamhaus, and other blocklists, endorse those standards when they use the blocklist. Spamhaus’ users trust Spamhaus’ judgment on what IP addresses are sending spam. If Spamhaus or other blocklists do not exhibit good judgment and are too aggressive in their listings, then receiver sites will not use them.

Spamhaus has set their standard for listing as “unsolicited bulk email.” Their userbase clearly supports this standard: if the SBL started blocking email that users wanted, then people would stop using the SBL. If people stop using the SBL, then it loses the ability to create standards.
