What's your (telephone) reputation?

Well, I knew this was going to happen eventually: Google now has global spam filtering for Google Voice. It works in a way very similar to how ISPs track the sending reputation of email senders based on feedback from their users (i.e. spam reports). Now, if you opt-in to Google Voice's new "Global Spam Filtering," calls and text messages from phone numbers determined to be "spammy" won't make your phone ring. They'll land in your Google Voice "spam" folder, out of sight and out of mind, until and unless you go specifically looking for them.

I think this is a great idea -- collaborative reputation systems are cool. What do you think?

Is DKIM evil?

The email authentication protocol DomainKeys Identified Mail, aka DKIM, is winding its way through the standards track, and seems to be the future of email authentication. Recently, a lone voice, a security researcher with Trend Micro, seemingly upset at being sidelined during various industry association and standards track discussions, has taken a specific concern public. He's gone so far as to label DKIM an "evil protocol," because of a possible exploit he has identified.

The problem is that this hack supposedly exploits a "potential hole" that, by most measures, is not even open. It involves taking a legitimate message and adding a second From address to it, fooling recipients into perhaps looking at, and believing, the wrong From header. But an email message with multiple From addresses is already prohibited under the current SMTP specification (which is currently RFC5322, a descendant of RFC822). Messages composed in this manner are already heavily filtered and not trusted. It really has little to do with DKIM or email authentication.
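The receiver-side check that makes this a non-issue is easy to state: count the From headers (and the other singleton fields RFC 5322 section 3.6 limits to one occurrence) and refuse the message before any DKIM result is consulted. The following is an added example written for this post, not code from the post, from Trend Micro, or from any DKIM library; the occurrence limits are RFC 5322's, and the three sample messages and their addresses are constructed. It goes slightly beyond the post by checking every singleton field, not only From.

```python
"""Singleton-header check to run before any DKIM verification.

Added example, not code from the post or from any DKIM implementation. The
occurrence limits come from RFC 5322 section 3.6; the three messages are
constructed samples."""
import email
from email.message import Message

# RFC 5322 section 3.6: maximum occurrences per message for the singleton
# fields. Fields not listed (Comments, Keywords, trace and optional fields)
# may repeat and are not checked here.
SINGLETON_MAX = {
    "from": 1, "date": 1, "sender": 1, "reply-to": 1, "to": 1, "cc": 1,
    "bcc": 1, "message-id": 1, "in-reply-to": 1, "references": 1, "subject": 1,
}
REQUIRED = ("from", "date")  # RFC 5322 also requires these to be present


def header_violations(msg: Message) -> list[str]:
    """List every singleton field that appears more often than allowed,
    plus any required field that is missing."""
    problems = []
    for name, limit in SINGLETON_MAX.items():
        count = len(msg.get_all(name) or [])  # get_all keeps duplicates
        if count > limit:
            problems.append(f"{name}: {count} occurrences, max {limit}")
    for name in REQUIRED:
        if msg.get(name) is None:
            problems.append(f"{name}: missing")
    return problems


def accept_before_dkim(raw: bytes) -> tuple[bool, list[str]]:
    """Gate a raw message: a malformed header block is rejected outright,
    so a DKIM pass on such a message is never even consulted."""
    problems = header_violations(email.message_from_bytes(raw))
    return (not problems, problems)


# Constructed samples using the reserved example.com / example.net / .example names.
GOOD_MSG = (b"From: Alice <alice@example.com>\r\n"
            b"To: bob@example.net\r\n"
            b"Date: Sat, 14 May 2011 10:00:00 +0000\r\n"
            b"Subject: quarterly report\r\n\r\n"
            b"Hi Bob,\r\n")
# The trick the post describes: a second From header prepended to an otherwise
# legitimate (and possibly DKIM-signed) message.
DOUBLE_FROM_MSG = b"From: ceo@trusted.example\r\n" + GOOD_MSG
# A message with no From at all is equally malformed.
NO_FROM_MSG = GOOD_MSG.replace(b"From: Alice <alice@example.com>\r\n", b"")

if __name__ == "__main__":
    for label, m in [("good", GOOD_MSG), ("double-from", DOUBLE_FROM_MSG),
                     ("no-from", NO_FROM_MSG)]:
        print(label, accept_before_dkim(m))
```

The check runs on the parsed header block only, so it costs nothing compared with the cryptographic DKIM verification it precedes; a message that fails it is simply treated as untrusted, which is the filtering behaviour the post says already exists.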

Not only is this much ado about nothing, but I believe that Trend Micro's unwarranted hyperbole on the topic is harmful. And I'm not the only one who thinks so. Software engineer Barry Leiba calls Trend Micro's warning "severely flawed," "laughable," and "ridiculous."

Dave Crocker, the author of RFC822, many other RFCs, and longtime participant in multiple anti-abuse and standards track forums and organizations, agrees. He says that "the blog's description of the facts, its premise about the requirements, and its apparent understanding of DKIM's functionality all suffer from basic flaws."

In short: Nothing to see here -- move along.

DNSBL Safety Report 5/14/2011

SpamTips.org, a website devoted to SpamAssassin Tips (SpamAssassin being the wildly popular open-source spam filter) recently posted a wonderful DNSBL Safety Report, showing hit rates against both spam and non-spam (false positives) for various blacklists commonly used in SpamAssassin.

Interestingly, they specifically warn AGAINST using UCEProtect and the Lashback UBL.

For Lashback's UBL, I'm not so surprised about the results. I don't mean that Lashback's list is broken -- it's just very specifically "IPs of somebody who mailed someone after they unsubscribed and should not have been mailed." There are probably a lot of ISP outbound mail servers that have had individual email messages or intermittent issues with spam emission that meet those criteria. It is probably more appropriate to use it for scoring/vetting reputation in certain scenarios only, more so than using it to block mail outright.

With UCEProtect, it's disappointing to hear that they have a 1.7% false positive rate as measured against this specific email stream.

I've written about blacklists (and even similarly tracked their effectiveness) over on DNSBL Resource for many years -- so it's very nice to see somebody else doing something similar. The more data, the better, as far as I'm concerned.

(H/T: Box of Meat)
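Two things from this post are worth seeing in code: treating a list like the Lashback UBL as a weighted score rather than a block-on-hit list, and the spam-hit-rate versus false-positive-rate measurement a report like SpamTips.org's is built on. The following is an added example written for this post; it is not code from SpamTips.org, SpamAssassin or any DNSBL operator. The zone names, weights, the stand-in "DNS" answers and the labelled corpus are all constructed placeholders, so it runs offline.

```python
"""DNSBL lookups as weighted scores rather than a hard block, plus the
spam-hit-rate / false-positive measurement behind a DNSBL safety report.

Added example, not code from SpamTips.org, SpamAssassin or any DNSBL operator.
Zone names, weights, the "DNS" answers and the labelled corpus are constructed."""
import ipaddress

THRESHOLD = 5.0  # score at which a message is rejected (constructed)
WEIGHTS = {  # placeholder zones; weights are constructed
    "hardblock.dnsbl.example": 5.0,  # a list trusted enough to block on alone
    "unsub.dnsbl.example": 1.5,      # a Lashback-UBL-style list: scoring only
    "broad.dnsbl.example": 3.5,      # a list with a known false-positive rate
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, the standard DNSBL query form."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def score_ip(ip: str, lookup) -> tuple[float, list[str]]:
    """lookup(name) -> bool says whether the name resolves (the IP is listed).
    Returns the combined score and the zones that hit."""
    hits = [zone for zone in WEIGHTS if lookup(dnsbl_query_name(ip, zone))]
    return sum(WEIGHTS[z] for z in hits), hits


def verdict(score: float) -> str:
    return "reject" if score >= THRESHOLD else "accept"


def list_rates(corpus, lookup) -> dict[str, tuple[float, float]]:
    """corpus: iterable of (ip, is_spam). For each zone return
    (share of spam IPs listed, share of non-spam IPs listed); the second
    number is the false-positive rate the report is about."""
    rates = {}
    spam = [ip for ip, s in corpus if s]
    ham = [ip for ip, s in corpus if not s]
    for zone in WEIGHTS:
        spam_hits = sum(lookup(dnsbl_query_name(ip, zone)) for ip in spam)
        ham_hits = sum(lookup(dnsbl_query_name(ip, zone)) for ip in ham)
        rates[zone] = (spam_hits / len(spam) if spam else 0.0,
                       ham_hits / len(ham) if ham else 0.0)
    return rates


# Constructed stand-in for DNS: the set of query names that would resolve.
LISTED = {
    dnsbl_query_name("192.0.2.10", "hardblock.dnsbl.example"),
    dnsbl_query_name("198.51.100.7", "unsub.dnsbl.example"),
    dnsbl_query_name("198.51.100.7", "broad.dnsbl.example"),
    dnsbl_query_name("203.0.113.5", "unsub.dnsbl.example"),  # an ISP outbound host
}


def fake_lookup(name: str) -> bool:
    return name in LISTED


# Constructed labelled corpus: (sending IP, was the mail spam?)
CORPUS = [("192.0.2.10", True), ("198.51.100.7", True),
          ("203.0.113.5", False), ("203.0.113.9", False)]

if __name__ == "__main__":
    for ip, _ in CORPUS:
        score, hits = score_ip(ip, fake_lookup)
        print(ip, score, verdict(score), hits)
    print(list_rates(CORPUS, fake_lookup))
```

The constructed ISP host 203.0.113.5 is listed only on the unsubscribe-style zone, so it scores 1.5 and is accepted; a host on that zone and a second list reaches the threshold. The rate table shows the same zone hitting half the spam and half the non-spam in this corpus, which is the kind of number that argues for scoring over blocking.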

AOL blocked? Don't try this at home.

Gee, ya think THIS will scale?

Over on the AOL Postmaster blog, a commenter tells a tale of his alternate method of finding a human at AOL to assist with his spam blocking issue:

"Since I felt that this was beginning to rise to the level of something that AOL execs should really be concerned about, I did the only remaining thing I could think of - I bought a share of AOL stock, and contacted AOL Investor Relations with an explanation of how, as a shareholder, I was very concerned with AOL's complete lack of inbound email delivery support and how I felt this would likely adversely impact shareholder value.

Yesterday, I got a response from a nice guy named Lothar in their IR department with an offer to provide assistance in resolving our issue. I've forwarded our mail server/IP address info to Lothar, and am awaiting response. As a share of AOL stock is on par with the cost of a month of AOL service at this point, it might represent a cheaper way to get access to some attention/help. I'll post here again when I know how this approach works out."

Uhhhh....really? I have to admit, this gave me a good laugh. But is it likely a winning strategy? I'm doubtful.

What would you present?

In a couple of weeks I'll be presenting to a class of paralegals-in-training, talking about the legal aspects of compliance in marketing online (CAN-SPAM, DMCA, CDA, etc.). I'm pulling together information about various cases that might be most interesting to share with the class and generate topics of discussion. Could I impose upon you, dear reader, to share with me what your thoughts are here? Got any links or info you'd like to share with me? What cases do you think merit looking at? Gordon v Virtumundo, for starters. What else? Thanks in advance for your thoughts!

Spamcop Blacklisting: Should you care?

I was asked today if Spamcop should be "trusted." After all, even the Spamcop Wikipedia page says that their blocking list is "controversial." Though, is it truly more controversial than any other blacklist out there? Let me tell you what I know.

The last time I looked at Spamcop from a receiver's perspective was back in 2007. Back then, I found it to be pretty accurate. A Spamcop listing truly seemed to be indicative of a sending IP address sending unwanted mail. That data is from a long time ago, but I haven't seen anything since then that would make me think they've changed for the worse by any significant measure.

Long, long ago, when Spamcop was a one-man show (created and run by a guy named Julian Haight), I did find the blocking list to be controversial. I regularly saw listings of IP addresses sending very clearly only opt-in email, with nothing funny or weird going on. Even confirmed opt-in email. But since that time, Spamcop has been sold to Ironport, which has since been sold to Cisco. So nowadays, Spamcop is a tiny little part of Cisco. With that transition to corporate ownership came new hands and new policies, which (in my opinion) seemed to significantly improve the reliability of Spamcop.

From a sender's perspective, I regularly help clients monitor for and address Spamcop listings. Because my prior testing of Spamcop led me to trust that it was typically correct, I typically think that a Spamcop blacklisting of a client's sending IP address is probably "correct" -- I suspect it is properly indicative that there is a problem that needs to be addressed. I think if a sender is regularly finding themselves listed on Spamcop's blacklist, then their list is probably outdated, poorly permissioned, or otherwise flawed. In these cases, I do think it's appropriate to run a permission pass to clean up the list and resolve any list hygiene issues. At the same time, discard any list segments that contain anything other than opt-in subscribers. Bought list? It's time to throw it out.

That's my opinion, provided with my alternating "sender" and "receiver" hats. What's your opinion?

Is this permission?

I received an email the other day that went something like this: "Hello, A media site you recently visited would like you to participate in their user-survey. Your input will be combined with other users' across the country to improve their site. To encourage your participation, we are offering a chance to win one of two Apple iPads. Two participants will receive an Apple iPad 2 (valued at $499). To access the survey, simply click on the hyperlink below. We estimate that it will take approximately 15 minutes to complete."

Well, I know which media site it was, because I gave them a tagged (unique) address. When you send me an email to COMPANYNAME@example.com, it's not exactly a secret. Regardless, I'm peeved -- why is this media site giving my email address to a third party? Why is this third party emailing me? Where is the permission? Where is the informed consent?

Keep in mind, when emailing a subscriber, it is EXTREMELY bad form to try to be coy about where you got the recipient's email address from. Seriously -- only spammers do this. And this email is in fact spam. I didn't give permission to this survey company to email me. The mail was not transactional; this notification was not a necessary part of my subscription to the online media site. It was probably quite legal, due to some clause or other in the media site's privacy policy. But that doesn't make it right, and it doesn't change the fact that this is a very poor practice.

I would have mentioned this all to the survey company themselves, but the email address they emailed me from doesn't seem to work.

Survey companies, I challenge you to get with the modern age. I understand the desire to do surveying a certain way, but whatever this model is, it conflicts with email best practices and permission. It's time to modify the model.

Why are you in my inbox?

Who are you? Wait -- now I remember you. Long ago, I was visiting some far away city, biding my time in some mall or airport or something, some place where the only option for wi-fi was via your company, so I paid you for a day's worth of Internet access or whatever. Now, two years later, you're sending me an email telling me that you've updated your privacy policies and terms and conditions. And you say you're under some sort of legal obligation to send me this information. I can click on the unsubscribe link, you tell me, but you warn me that you'll continue to send me this kind of thing regardless of my stated preferences.

Sorry, what? Okay, that's your point of view. Let me give you my point of view.

I'm not a current customer. I don't have an ongoing relationship with you. Our transaction is long done. And I don't agree that this email was legally required. I'm not seeing how you have any legal mandate to send past customers new policy information that might impact future transactions. If it's necessary for a return customer to be apprised of a new policy before entering into a new transaction, why not inform them at the point of sale instead, during the signup or checkout process?

Instead, what you did was email a legal notice to your entire database of email addresses, even subscribers who have previously unsubscribed. Like many, I feel that my inbox is my personal space. You get in only when invited, and no matter what you think, you're not allowed to force your way into it.

You may have an opinion about what you think you have to send, what you have a right to send, but I have a spam filter, and ISPs have engagement and reputation metrics.

If you fill inboxes with something of low value (a legal notice that few care about), and you fill the inboxes of a bunch of people who don't want it (who didn't opt in to receive followup emails from you), you've got a recipe for lower than average engagement and higher than average spam complaints. And on top of it, you insult me by implying that I am not allowed to make these emails stop.

It may not be spam, if only just barely, but this kind of thing is exactly why some classes of "non-spam, completely legal" senders end up in the spam or bulk folder.

Which is exactly where I put this email.

Neil Schwartzman: CASL Compliance

It started innocently enough. I asked ex-Return Path'er Neil Schwartzman to tell me about his new gig, focusing on Canadian anti-spam law compliance. He offered up his reply in a mock interview format, which I offered to post here and share with the world. So, here it is, as he himself puts it, Neil Schwartzman interviewed by an invisible person who is far more enthusiastic than they should be about the topic at hand:

NS: Hi.

IP: HI!!! So what are you doing now that you are out from under the oppressive Return Path régime? It must have been hell! (ed: joking, obv.)

NS: You've been watching too much CNN, hombré. Return Path was great. Always will be. They have a strict no goatee policy, and I wanted to grow a beard, so we had to part ways. I worked for them for five years on policy issues, and it was time to help apply those policies with the force of law.

IP: Return Path makes law now? Wowee!

NS: Not exactly. Canada's Anti-spam Law, CASL, was passed into law in December. I helped get the law passed in a variety of ways, including encouraging enlightened companies like Return Path to support the law, which they did, by writing a letter to the Prime Minister.

Now that the law is about to come into force, I wanted to start a new project helping companies to become compliant with the strict new rules in play in North America.

IP: That sounds amazing! But, Canada isn't all the countries in North America, I think the U.S. is considered part of it too. Surely you can't mean the law applies in the States, too?

NS: Don't call me Surely. And yes, that is what I mean. Here's the skinny:

CASL has strict opt-in standards for all types of electronic messaging: SMS, Social Network stuff, and email. It applies to any message that crosses Canadian wires, or is sent to a Canadian. That covers a lot of ground, and a lot of companies, whether they know it or not. Canada and the U.S. do about $1.5 billion dollars of business …

IP: Per year? Wow!

NS: Don't interrupt! $1.5 billion per day, dummy. That is a lot of Simoleans. My point is, case law is well established to have laws applied in one another's countries. For example, Facebook spammer Adam Guerbuez was sued under CANSPAM in California, and Facebook had the law applied, to get their $1 billion dollar judgment, in a Québec court. It works the other way too.

The new law has specified damages, and can be applied by Canadian law enforcement, Canadian individuals, or Canadians as a class-action lawsuit. Damages can be as high as $10,000,000 per email, per day. It adds up fast.

IP: Um, I bought a list once. Actually, I 'rented' it, if you know what I mean. Can you help me?

NS: Well, maybe. You probably should stop buying email addresses, and get rid of that list. Or reconfirm every address on that list really wants to receive your mail. And by reconfirm, I mean Confirmed Opt-in. Anything less leaves you with your butt hanging out, and an angry Canadian will very politely sue you.

IP: Gulp. So what are you doing to help legitimate senders like me?

NS: Well, I have partnered with an Ottawa-area law firm who specialize in this type of law. Kris Klein is one of my partners, and he helped write and apply PIPEDA (Canada's privacy legislation) for the Office of the Privacy Commissioner and the Justice Department.

IP: You guys have a Justice Department too? No way!

NS: Way. You don't get out much, do you? If you are done, I'll continue … Shaun Brown, one of my other partners, contributed to developing CASL when he worked at Industry Canada. I was on the Canadian Federal Task Force on Spam, so we figured among us, we have a solid understanding of law, email sending practices, and company policy.

IP: About that list I bought …

NS: I'm getting there. Our other partner, Adam, is the former CTO of IATA, the airline people. Together we have the knowledgebase to not only tell a company where their shortfalls are, why they will cost them huge sums of money, but also how to fix their business problems, and how to implement solutions, probably the trickiest part of all of this.

We call it an end-to-end practices and legal audit. Think of us as your CPA, but for email and electronic messaging. For example, when someone 'Likes' your company Facebook page, does that really give you the affirmative opt-in you need to send messages to them?

At the end of the day, if you follow our advice, we can even give you a clean bill of health, in the form of a legal opinion, saying you have taken serious steps to fix yourself up to be compliant with the law. That's important, because there are CASL clauses that talk about good faith efforts, which can buy you some time, and get you off the hook if you happen to mess up.

IP: Well that's fine. I'll just get an ESP to start mailing that list I bought, and they'll be on the hook, not me.

NS: Sleazy, but almost right. Anyone who has a hand in sending the email could potentially be liable under the la