Imagine if your reputation was linked to your domain name, rather than your IP addresses.
It would eliminate the need to "warm up" servers - a situation that exists now because ISPs are wary of new IP addresses with no sending history. Domain reputation would essentially make reputation portable - you could add new IPs, you could move IPs, you could send mail from different systems, even different ESPs - and you'd still enjoy the benefits of your good reputation.

The domain name is part of your brand identity, part of the "you" that you're trying to portray to your customers. An IP address is just a string of numbers.

Of course, the flip side is a bad reputation will also be portable. To some extent, this has always been true. ISPs have used the reputation of domains to block content for a long time now. This is why some companies that used bad third-party marketers found that their "regular" email took a hit when the links in both types of email got tarnished and caused blocking.

So why aren't ISPs using domains for good reputation, too? Unfortunately, the IP address has for decades been the only thing - the only "identifier" - associated with a message which cannot be forged. Enter authentication, which we talk about all the time on this blog. When a message is authenticated with a domain, the receiving site knows that the message really did come from that domain - which makes domain reputation possible.

Ken Magill has joined the conversation by writing a story on domain reputation, causing renewed buzz in the industry.

According to Magill's story AOL will implement a domain reputation system sometime between October of this year and March of 2010, a little later than they told us last year. Yahoo! says they will implement something similar "soon," likely building from their unique domain-based feedback loop.
But meanwhile, Gmail has already implemented an authenticated domain reputation system using both DKIM and SPF together. And, one of the interesting features of the Gmail implementation is the addition of a "trusted unsubscribe" for good senders.

Some of the metrics that Gmail looks at, and that Yahoo!, AOL, or anyone else creating a domain reputation system are also likely to employ, include:
How many times mail from this domain went into the spam folder automatically, due to IP reputation or content filters.

How many times mail from this domain went into the inbox automatically.
How many times a user marked a message from this domain as spam.
How many times a user marked a message from this domain as "not spam."
What should senders do now take advantage of domain reputation when it becomes more widely adopted? We recommend the following steps:

AOL is making a change which will affect the behavior of ALL bounce messages for both inbound and outbound mail.

Currently all bounce messages have the sender name of MAILER-DAEMON@aol.com.

With the changes for outbound mail, ALL bounce messages will have the sender name of MAILER-DAEMON@sender-domain. For example, an AIM account sending invalid recipients to the internet, will receive a bounce from MAILER-DAEMON@aim.com, and a switched.com member from MAILER-DAEMON@switched.com, UK member from MAILER-DAEMON@aol.co.uk.

With the changes for inbound mail, ALL bounce messages (mostly due to user-defined spam settings) will have the sender name of MAILER-DAEMON@recipient –domain. For example, a member of yahoo sending to an AIM account with a user-defined block, would receive a bounce message from MAILER-DAEMON@aim.com.

This may result in multiple bounce messages generated for a single piece of email being returned to the same sender. One bounce message is generated for each unique recipient domain.

For example, a member of yahoo sending a message with four recipients, two AIM accounts and two switched.com accounts (all with user-defined blocks), would receive ONE bounce message from MAILER-DAEMON@aim.com and ONE from MAILER-DAEMON@switched.com.

These changes will be installed into production over the next couple of weeks.

When an email references external images, Gmail usually doesn't display them automatically. Instead we show placeholders and present you with the option to "Display images below" or "Always display images from" that sender.

We do this to help protect your privacy from spammers, who can use images and links to verify that your email address is real.

But often the messages you get with images are from friends or family and there's no reason to worry about your privacy — you just want to see the photo of your newborn niece or the invitation design they're sending you. So, in these cases, we've decided to start displaying images by default. Now, whenever someone you've emailed at least twice sends you a message containing images, you'll see them right away. Note that we picked this threshold of two messages to start with, but we may tweak it if it doesn't seem right going forward. And we only display images by default for authenticated messages (using SPF or DKIM). Gmail and other big mail providers usually authenticate their mail, but other services might not, so it's possible you'll get an email from one of your contacts where images aren't displayed by default.

I was speaking at a webinar this week and the moderator said, "Stephanie, we have 30 seconds. How can marketers avoid being filtered as spam?!"

No pressure, right? Luckily, I talk fast!

I responded with something like this:

"Reaching the inbox is the only way you can earn a response. So it's pretty important to focus on this.
"Avoiding the spam filters is simple in concept: You must be welcome in the inbox - and you must maintain an ongoing reputation for being welcome in the inbox. The minute you bore me, or abuse my trust or send something irrelevant, you are spamming me.

"It's simple in concept, complex in practice. Being relevant and earning a high sender reputation is not a box you can just check off. It's an attitude. It's got to infuse every aspect of your email marketing approach - your content strategy, your frequency caps, your permission practices, your metrics and tracking, how you source your data, process your bounces, and in the approach of every person you hire and train and reward around email marketing success.

"Every time you send an additional mailing this week to pump up revenue, or you mail to a list with a dubious source or you send the same promotion to every person on your file; you are putting your sender reputation at risk. And you are also leaving money on the table.
"There is no good reason NOT to track your inbox placement and work a bit harder to be welcome in the inbox. It's too easy for subscribers to ignore us. And that isn't just for today's mailing, a poor sender reputation will harm you for all your mailings.

We're always looking for new ways to protect Gmail inboxes from spam and phishing. Last year, we started taking extra steps to protect you from fake eBay and PayPal emails, requiring that any email claiming to come from one of eBay's or PayPal's domains actually comes from them. We do that by looking at the "From" header, and when it says "ebay.com" for example, it means it really did come from ebay.com. Anything else is rejected; it won't even appear in your spam folder because Gmail won't accept it.

Now, unless you are a regular reader of this blog with a photographic memory, you may not be aware of this extra protection. So, we thought we'd add a little something to remind you. Turn on "Authentication icon for verified senders" from the Labs tab under Settings, and you'll see a key icon next to verified emails that are super-trustworthy.

"Super-trustworthy" is a technical term I just invented that means: (1) the sender, usually a financial institution, is a target of phishers, (2) all of the sender's email is authenticated with DKIM, and (3) Gmail rejects any fake messages that claim to come from this sender, but actually don't.

It's a bit of work for senders to make their email super-trustworthy, which is why this feature is limited to just eBay and PayPal right now. We hope to add more senders in the future, and when we do, you'll know because you'll see the super-trustworthy key icon magically appear by those senders too. Give it a whirl and let us know what you think.

URL: http://www.btobonline.com/apps/pbcs.dll/article?AID=/20090702/FREE/907029981/1085/FREE

The Canadian House of Commons in April introduced a bill to create the Electronic Commerce Protection Act (ECPA) (ECPA)—Canada’s version of the U.S. CAN-SPAM legislation, with some significant differences. The bill seeks not only to cut down on spam but also addresses phishing, spyware and unsolicited text messages. It also lays out penalties for spamming, allowing businesses and consumers to take civil action of up to $1 million (Canadian) against individuals and $10 million against companies or groups that violate ECPA.

But what exactly does this mean for marketers that send e-mail to Canada? Matthew Vernhout, director of delivery and ISP relations at e-mail marketing company ThinData Inc., explained the most significant highlights of the bill.

1) In or out. One of the main differences between CAN-SPAM and the Canadian bill is consent. CAN-SPAM focuses on opting out; marketers can send e-mail to anyone as long as they have not opted out and their e-mail address was not harvested. The Canadian legislation will require marketers to have explicit or implied consent, said Vernhout, who recently discussed the bill before the Canadian government’s Standing Committee. “In Canada for 10 years we’ve had our privacy law that advocates consent-based communications,” he said. Companies can e-mail people when there is a business relationship or nonbusiness relationship. So, for example, marketers will be able to e-mail a customer who purchased something from them even if they didn’t officially opt in, but only for a period of 18 months. This is why he suggested companies start adding fields to their databases today that will log when names are added to a list—the specific date—as well as what kind of relationship a marketer actually has with those contacts.

2) Update in time. Today, CAN-SPAM requires companies to remove someone who has opted out within 10 business days. The Canadian regulation will require opt-outs to be handled within 10 calendar days. “This might be an issue for companies that use ‘multiple affiliates,’ ” Vernhout said. Making sure all opt-outs happen in what could be as little as a single business week may take some getting used to.

3) Show your face. CAN-SPAM requires U.S. marketers to provide a “from” address, a postal address and a Web-based opt-out. Under the Canadian rules, marketers will need to disclose the identity of the person sending the e-mail—and if it’s being sent on behalf of a company, both companies involved must disclose their information, including company name and contact information, including a physical address. An opt-out link is not required, although unsubscribe procedures must be listed in messaging.

4) Share and share alike. The Canadian government is promising to “share information and evidence with their counterparts in other countries who enforce similar laws internationally,” according to a press release. This means the Canadian Radio-Television and Telecommunications Commission (CRTC), the Competition Bureau and the Office of the Privacy Commissioner would be able to share evidence with, for example, the U.S. Federal Communications Commission to ensure people in Canada who are spamming those in the U.S. could still be prosecuted.

Press Release
Federal Trade Commission
July 2, 2009

URL: http://www.ftc.gov/opa/2009/07/spear.shtm

A U.S. district court has ordered key players in an international spam ring to give up $3.7 million that they made by sending out illegal e-mail messages pitching bogus hoodia weight-loss products and a “human growth hormone” pill they claimed reversed the aging process.

In a Federal Trade Commission law enforcement action, the court found that the five defendants, located in Canada and St. Kitts, violated the FTC Act and the CAN-SPAM Act by participating in the spam operation. The court order bars the defendants from violating the CAN-SPAM Act and from making false or unsubstantiated claims about the health benefits of any food, drug, or dietary supplement.

The FTC charged that the operation used spammers to drive traffic to Web sites selling an extract of the hoodia gordonii plant it claimed would cause significant weight loss, and a “natural human growth hormone enhancer” it claimed would reverse the aging process. The FTC alleged that these claims were false or unsubstantiated, and charged the defendants with deceptive advertising in violation of federal law. It also alleged that the spammers sent e-mail that contained false “from” addresses and deceptive subject lines, and that they failed to provide a required opt-out link or physical postal address.

The case, filed by the FTC in October 2007, marked the first time the Commission invoked the US SAFE WEB Act, a federal law designed to protect consumers from cross-border fraud and deception. The Act enhances the agency’s ability to exchange information with foreign counterparts and helps protect consumers from cross-border spam and spyware distribution, as well as Internet fraud and deception. The FTC’s complaint charged eight defendants – Spear Systems, Inc., three other corporate defendants, and four individuals.

The Commission settled with three defendants in the case – Spear Systems, Inc. (a U.S. company) and two individuals, one in the United States and one in Australia – in May 2008. The agency was unable to reach settlements with the remaining five defendants, who are the subject of the court order announced today: Xavier Ratelle and Abaragidan Gnanendran, of Quebec, Canada; and corporate defendants 9151-1154 Quebec, Inc., 9064-9252 Quebec, Inc., and HBE, Inc. The final orders were entered by the United States District Court for the Northern District of Illinois, Eastern Division.

URL: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=109242

In a ruling that could fuel debate about online privacy, a federal judge in Seattle has held that IP addresses are not personal information.

"In order for 'personally identifiable information' to be personally identifiable, it must identify a person. But an IP address identifies a computer," U.S. District Court Judge Richard Jones said in a written decision.
Jones issued the ruling in the context of a class-action lawsuit brought by consumers against Microsoft stemming from an update that automatically installed new anti-piracy software. In that case, which dates back to 2006, consumers alleged that Microsoft violated its user agreement by collecting IP addresses in the course of the updates. The consumers argued that Microsoft's user agreement only allowed the company to collect information that does not personally identify users. Microsoft argued that IP addresses do not identify users because the addresses don't include people's names or addresses. The company also said that it did not combine IP addresses with other information that could link them to individuals.
Last month, Jones sided with Microsoft and dismissed the case before trial.

But some say that Jones's decision about IP addresses is inconsistent with other recent opinions about the issue. Eric Goldman, director of the High Tech Law Institute at Santa Clara University, points out that the European Union considers IP addresses to be personal information. Last year, the EU said that search engines should expunge users' IP addresses as soon as possible.

Additionally, a court in New Jersey ruled last year that Internet service providers can't disclose users' IP addresses without a subpoena, on the theory that people expect their IP addresses will be kept private.
Marc Rotenberg, executive director of the Electronic Privacy Information Center, criticizes the Microsoft ruling as "a silly decision." "The judge didn't understand the significance of the IP address or the reason that it was collected," he says.

Rotenberg adds that the judge prematurely dismissed the case, arguing that more facts were needed to determine whether IP addresses were personally identifiable.

Today, industry observers say that IP addresses can be combined with other information to determine people's identity. In addition, even when IP addresses have been anonymized, it's possible to associate the account with a specific individual, given enough other information. The most famous example occurred in 2006, when AOL released search logs showing queries made by more than 650,000 members. The members' IP addresses had been changed, but the queries themselves contained enough clues to people's identities that The New York Times was able to find and profile one "anonymized" user, Thelma Arnold, within days. At the time of that incident, many companies took the position that IP addresses were not personally identifiable information.

Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum, adds that many sites with older privacy policies maintain that they don't collect personally identifiable information, but log IP addresses. "For many years, people just threw around the term 'personal information,'" he says. "They didn't pay attention to account IDs in the hands of third parties, IP addresses -- other types of information that, with some effort, could become identifiable."