Peter Bowyer's Spamblog

Challenge/Response = BAD BAD BAD!

2006-11-18T08:24:00.000Z

Finally an issue that has brought the Spamblog out of semi-retirement. Richi Jennings has responded to a piece by Steve Bass of PCWorld. Steve lists some anti-spam tools, including several which fall in the Challenge/Response camp.

Now at first sight to the naieve user, C/R solves the spam problem at a stroke - all those spam messages I used to get - my system sends an email back to the sender to get them to prove they're a human - when they do, the message comes straight through, otherwise it gets tossed away. Sounds great.... but the huge drawback is that almost all spam arrives with forged addresses in the headers; usually the forged addresses are real users or at least from real domains. All those challenge emails will go to real people, or clog up real domains' systems - creating extra unwanted email for innocent bystanders.

Is the solution to spam really to create more spam? I don't think so.

And another problem just pointed out by John Levine on SPAM-L (login required - are there public archives of SPAM-L somewhere?) who reminds us...

"... if someone asks a question on a list or usenet group, I send an answer, and I get back a challenge, I usually conclude that he didn't really want to know the answer. On the other hand, if I get C/R blowback from spam, I approve it since that's the quickest way to make a C/R system stop sending challenges"

I must admit that I do the same when I get challenge/response blowback from forged spam - a few clicks makes the challenge emails go away - the side-effect is that the orginal recipient now gets the spam, and any more that's forged with my address without bothering me again - result! (not..)

Guy Kewney on Goodmail

2006-03-24T07:59:00.000Z

It's Goodmail time again.

Guy Kewney, a man whose writing I've followed for 30 years, blogs on Digital Lifestyles about Esther Dyson and Richi Jennings comments on the paid-for-email topic.

Guy writes:

The Goodmail idea is simple enough; you create a world in which only mail from known sources gets through. You and I, as mail users, tell our email system that if we don't have someone's name in the address book, then it's spam. And our email system then says: "I've been given money to let this person through" and we say: "Well, I trust my email system

This is right up to a point. But it omits an important part of the Goodmail CertifiedEmail service (and the other similar offerings) - the element of reputation. Only those senders who meet Goodmail's accreditation criteria will be allowed into the program, and if they don't maintain a good spam complaint threshold with the ISPs involved, they'll not stay in the program for long. Thus the reputation loop is preserved - if enough users press the 'this is spam' button, a sender loses their accreditiation.

This is a really key point which many commentators have missed - the pharmacy, performance enhancement, stock picks etc spammers won't get anywhere close to joining the program because their mail will always be unsolicited and unwanted - however much money they stump up, they won't get in the club.

Goodmail and the EFF - more debate

2006-03-08T15:10:00.000Z

A good thread running on CircleID about Goodmail and the rights of an email sender to have their messages delivered.

I won't repeat my arguments here - head over to CircleID to read them.

An introduction to spoetry

2006-03-07T09:57:00.000Z

Jolly amusing, and typically Guardian - Eva Wiseman writes about spoetry - a study of the random collection of words that spammers sometimes use to stuff an message in order to try to fool spam filters.

Clickz on how to get your email delivered to AOL

2006-03-06T18:41:00.000Z

In the wake of the introduction of CertifiedEmail at AOL, the folks at Clikz have written an interesting guide for non-technical email senders to help them decide if getting certified by Goodmail is worth the money, and a reminder of how to maximise your chances of getting your email delivered to AOL members if you choose not to get certified.

The authors suggest that emailers experience an average 43% loss when emailing AOL members. This is due to a combination of the spam filters dropping the messages altogether, and the disabling of images and links in the content, making it more difficult for the recipient to click through from the message.

Some fairly simple maths in the original article demonstrate the potential cost-effectiveness of CertifiedEmail for a bulk mailing organisation.

Tag: goodmail

Another type of Spam

2006-02-15T12:14:00.000Z

Time to leave Goodmail and email spam for a while. There are many other spam vectors, and one of interest is 'comment spam' - leaving comments on blogs and visitors' books, either directly soliciting clicks or in an effort to increase the spamvertised website's ranking on Google.

In a post to the SecuriTeam blog, Gadi Evron has outlined the early stages of some analysis they have been doing on the sources of comment spam - seems there are big connections between comment spam and zombies. I'll definitely be following Gadi's research.

Tag: blogspam

An interesting challenge for spam filters

2006-02-17T05:46:00.000Z

A couple of years ago I wrote an eBook (free registration required) for Windows IT Pro magazine, which was sponsored by Postini, the spam prevention / email security outsourcers.

A couple of the main points I made there were:

To do spam filtering properly you need a mix of content-based and connection-based algorithms
One man's spam is another man's business email - one size doesn't fit all, and you can't use one company's content filtering rules (whether pre-defined or learned by Bayesian techniques) for another company's email

A recent article in Government Computer News illustrates a good example of these principles - it's a case study about the US Food & Drug Administration and their unique problems with spam.

The vast majority of us would happily allow our spam filters to discard any emails about Viagra, Cialis and hundreds of other drug names which regularly show up in spam ads. But the FDA can't - some parts of the Agency deal with those drugs every day and can't afford a single false positive. So their antispam solution had to use mostly connection-based algorithms and apply reputation scoring on senders.

They chose an appliance from IronPort, which uses data from IronPort's SenderBase email reputation system to judge the 'spaminess' of the sender of a suspicious message, and a SURBL-like URL checker for spotting likely suspicious URLs inside the message.

This way, the FDA can receive the Viagra emails it's interested in and reject those it's not based on the reputation of the sender of the message, not the content.

It's a bit like playing Quake - sometimes you need a rocket launcher, sometimes only a rail gun will do. But you need them both in your armoury to win the game.

Tag: antispam

Goodmail and AOL, round 2

2006-02-25T19:20:00.000Z

In another round of knee-jerk reactions, Email Battles is battling on (or should that be 'rattling on') about AOL and DomainKeys. I've almost lost count of the number of factual errors and confusions in this article (eg - it says DomainKeys and DKIM are the same thing; it says that Microsoft gave SPF a 'shot in the arm' when in fact the SPF supporters regard Microsoft as their biggest enemy; and says that 'AOL flirted with dumping SPF' when actually AOL have never implemented SPF for anything other than managing their whitelists.

So how much weight should go behind Email Battles' claim that AOL has 'lost' DomainKeys? AOL runs the biggest email system on the planet, and as such is entitled to watch how a new technology is adopted in the rest of the world before jumping one way or another. You can be sure that the company is experimenting with DomainKeys and following the DKIM developments closely, and if it sees sufficient benefit, will implement something which makes sense for them. But don't expect them to do this overnight - they've the biggest legacy in the world of the internet to deal with first, and they're not doing too badly at managing it so far.

Tag: goodmail

It's not about free speech

2006-03-01T21:35:00.000Z

Much excitement concerning the EFF's campaign against the AOL/Goodmail CertifiedEmail arrangement.

The EFF suggests it's all about free speech - I guess if all you have is a hammer then you see a lot of nails. Whilst the EFF have done good work in the past campaigining against attempts to regulate the internet, I think they're wide of the mark when they make this a free speech issue. AOL has the right to sell its members a service which consists of their brand of junk mail filters, and their brand of CertifiedEmail. Their members will either like it, or leave. Or perhaps sign up for a gmail, hotmail, yahoo etc free webmail account go with their AOL email if they wish to participate in an alternative arrangement. Whichever, it's a commercial thing, and the free market will decide whether it's good or not.

Those groups who consider themselves disenfranchised by this will have to find some other way of getting their message across - if indeed they do find their message less deliverable.

Paul Hoffman expands on this point on CircleID. Richi makes good points, too.

Tag: goodmail

The Email Wars: What The Generals Are Saying about...

2006-03-02T15:28:00.000Z

In his posting to the Email Wars blog (which is generally written from the EMail Marketing side of the fence, and addresses deliverability issues amongst other things), dylan has quoted a number of well-known experts from the world of spam fighting, all writing about the EFF 'DearAOL' petition.

The quotes he has gathered are all pretty much aligned with my view that the EFF (and moveon.org in particular) are wide of the mark in this issue. Hopefully they'll soon take the hint.

Tag: goodmail

AOL in crowd-pleaser shock

2006-03-05T05:52:00.000Z

In order to quell some of the chattering around the EFF's Anti-AOL campaign, the company has announced 2 important clarifications (or should that read 'concessions') to help non-profit organisations continue to get their (solicited) message across to AOL members.

Firstly, they've re-iterated that the Enhanced Whitelist is still around, and many NFPs will qualify. And the EWL gives the same unfettered access to AOL inboxes as it always has - provided the sender stays within AOL's rules (ie doesn't generate too many 'This is spam' reports).

Secondly, and more significantly, AOL has said it will pay the sign-up costs for an NFP which wants to use 'one of several third-party email accreditation services providers to authenticate their email'. They don't say (yet) which providers that covers - presumably it will include Goodmail, about whose CertifiedEmail system all the fuss has been, but significantly they're also including alternative providers - thus addressing the 'eggs in one basket' objection to AOL's choice of Goodmail as its only partner.

Smart move.

The orignal AOL press release can be found here, and David Daniels' usual excellent commentary here.

Tag: goodmail

Yahoo and Goodmail

2006-02-15T06:40:00.000Z

In an article on DMNews.com, Christine Blank discusses a difference between the approach taken by AOL and Yahoo - while they both intend to adopt CertifiedEmail to allow qualified senders enhanced access to their users' inboxes, Christine quotes a Yahoo source

Yahoo is also planning to implement Goodmail, but only for transactional mail," J.D. Falk, a product manager at Yahoo Mail, wrote in an e-mail to ESPs that was obtained by DM News

... while AOL hasn't made the distinction about transactional mail, which suggests that they expect take-up of the Goodmail route for promotional mail as well.

It will be interesting to see how the results of these two approaches pan out. Will a 'CertifiedEmail' indication in Yahoo mail mean more or less than the same indication in AOL?

Tag: goodmail

EFF on Goodmail: Further Confusing an Already Conf...

2006-02-13T21:56:00.000Z

Suresh started an interesting thread on CircleID to which I've commented thusly:

Most people would agree that from a non-technical user�??s perspective, the ability to have an indication next to an email from the bank which assures them that the email in question has, according to some pre-defined publically-available mechanism, been verified to have indeed originated at the bank or at an agent of the bank, is definitely a Good Thing.

AOL�??s agreement with Goodmail says nothing about spam, but plenty about the fact that the mass market is ready for an authentication and reputation system, and that major players consider that there are folks out there willing to pay for it (presumably some market research took place).

Proponents of Domainkeys/DKIM should be very pleased at this, since it adds real-world credibility to the solution model.

As Daniel has already stated in an earlier comment, Goodmail is a player in the Domainkeys world and supports the development of the technology. One might hope that Goodmail will consider moving to DKIM from its current proprietory technology, leaving the reputational service as its USP.

So, what�??s bad about ISPs representing �??50% of the mail reaching the inboxes of U.S. consumers�?? (from Goodmail�??s website) offering a service based on CertifiedEmail?

I think we�??re left with the issue of risk involving a single source of reputation - and one which only considers senders headquartered in the US (contrary to some opinions, not all email originating outside the US is automatically suspect). That�??s what Goodmail needs to work on, and that�??s also what widespread adoption of DKIM will fix.

Spamhaus hits out at paid-for email delivery plan ...

2006-02-07T11:33:00.000Z

Spamhaus hits out at paid-for email delivery plan - silicon.com

A bit short-sighted, this. It's true that AOL are already good at handling spam, but the effect of even a small number of false-positives attacks the perceived value and reliability of email.

When you don't get travel confirmations, emails from your bank, etc due to over-agressive spam filtering, you stop regarding email as a useful communication tool. Which has to be a Bad Thing.

The concept of a 'certified sender' who pays to get their requested email through to large user bases is a useful one - part of the cost of doing business online for reputable senders.

Tag: goodmail

Technology Watch Blog Archive Yahoo! and AOLs em...

2006-02-07T18:30:00.000Z

Technology Watch Blog Archive Yahoo! and AOLs email charging plan

More scare-mongering about the AOL/Yahoo/Goodmail plans. Knee-jerk reactions are just not helpful!

Tag: goodmail

Richi Jennings on Goodmail

2006-02-07T22:39:00.000Z

Richi Jennings bloggs about the Goodmail / AOL / Yahoo tie-up - but misses the point a little. If mom gets used to recognising the 'this mail's ok, it's from your bank' icon on her AOL client, then she gets used to not opening the mail if the icon's not there. This has to encourage good behaviour amongst all the moms out there.

Tag: goodmail

Goodmail again

2006-02-08T08:45:00.000Z

Having slept on this a bit, I think I see it a little more clearly.

The people who are likely to cough up 1c per recipient to send email to AOL and Yahoo users are not the same people who spam through trojanned Windows PCs - those people are unlikely to be able to contract with Goodmail, and wouldn't spend the money.

The likely customers are either those engaged in transactions with the intended recipients (e-commerce outfits, banks etc), who can afford the 1c per email as part of their cost of sale (it's cheaper than a stamp) and need reliable email delivery o support their service, and those spending their online marketing budgets in a responsible opt-in way.

Tag: goodmail

A view from the other side

2006-02-08T09:07:00.000Z

I've just been discussing the Goodmail issue with the Head of Ecommerce from a UK travel company, who plan on sending 24m opt-in marketing emails in 2006. They also increasingly use email for transactional purposes - booking confirmations, payment reminders etc.

The marketing emails go out through a service house, and deliverability is a big issue. The service house deals with relationships with big ISPs, and they've already decided that the Goodmail levy is worth paying - it's a simple equation, since they know what their click rate and subsequent value chain is from someone who opens their emails, it's easy to work out whether it's worth spending 1c up-front to guarantee that the email gets into the inbox.

The transactional emails are less of an issue for this company - they go out through an entirely different route, have much less marketing content, they are much fewer in number, and they don't know of any deliverability issues. They wouldn't be happy if they had to pay to ensure that these non-marketing emails are delivered.

Looks like Goodmail, AOL and Yahoo will have some serious customers.

Tag: goodmail

SPF project appeal to IAB

2006-02-09T11:32:00.000Z

The SPF project has finally submitted an appeal to the IAB (Internet Architecture Board) over a conflict between the SPF Internet draft and the SenderID draft.

While the details are somewhat complex, the argument comes down to the SPF people objecting to their standard being bent by the SenderID proposals, such that domains publishing SPF records are at risk of having those records interpreted out of context by domains checking for SenderID.

A lot of politics going on here, and not very much real solution, which is a shame.

Tag: spf

Finally something attributable from AOL

2006-02-09T23:24:00.000Z

In a posting to the SPAM-L mailing list (archives here, subscription required), Christine M. Borgia, Technical Manager - Anti-Spam Operations with AOL, made a definitive statement on what AOL plans to do with its whitelists in conjunction with the Goodmail CertifiedEMail program.

The existing 2-tier whitelist system stays. The regular whitelist stays unchanged; the Enhanced whitelist is already changing incrementally, and will continue to do so in order to deliver what it was intended to do. This incremental change has nothing to do with the CertifiedEmail progam, which is a separate initiative.

There, now will everyone who has blogged about AOL charging money to be on its whitelist sit up and take note?

Tag: goodmail

Vanquish on CertifiedMail

2006-02-10T14:45:00.000Z

In CertifiedMail = Certified Disaster, Philip Raymond, CEO of Vanquish posts a thinly-disguised trashing of Goodmail's CertifiedMail, the rough summary of which is:

It's not made by Vanquish.

Tag: goodmail

Ted Leonsis - the final word

2006-02-11T08:08:00.000Z

AOL's Vice Chairman Ted Leonsis has made a pretty definitive summary of AOL's position with respect to CertifiedMail in his blog.

Interestingly, he attributes much of the recent storm about this to Goodmail's competitors - and Matt Blumberg of Return Path has acknowledged this in a comment to Ted's blog.

Tag: goodmail

David Daniels - A Week in The Life of Certified Em...

2006-02-12T23:07:00.000Z

In A Week in The Life of Certified Email, David Daniels of Jupiter Research provides a good summary of recent events, and makes some good recommendations to those emailers who might get value from spending a cent or so to get their message through.

Tag: goodmail

It really makes me mad....

2006-02-08T09:22:00.000Z

As a freelance consultant, I have my CV registered with a number of online job boards, some of which are read by people who offer me work.

Mostly, though, I get mailshots from companies offering to re-write my CV so I can get more mailshots....

There's an increasing trend, however, of low-tier recruitment agencies sending bulk emails to poorly-targetted lists of candidates, in a scatter-gun model, hoping they'll hit someone who is the least bit interested in the job they're offering.

However much I explain to these people that I don't want to do their side of the work for them, that they're being paid by their clients to find the right person for the job, and should do some legwork before they contact a potential candidate, they persist.

Today's example - a solicitation for a Project Manager (I'm not one of those), must speak Italian (I don't), specialising in EMC SANs (about which I know nothing). And to top it all, they attached a 500k Powerpoint presentation full of marketing speak about the agency (but nothing about the client).

Doh!!!!!

Network Associates awarded antispam patent

2004-06-02T22:39:00.000+01:00

Hot on the heels of Postini, who were awarded a patent on email-scanning service recently (see Industry Standard story here, now NAI have landed a very wide patent on spam filters. News.com article here.

Need to find some more detail on this.