If there’s one thing I wish somebody would have warned me about a few months ago, it’s this: Get proactive with Sender ID, and do it NOW!

Sender ID suddenly just became a big deal at Hotmail. If you don’t have a Sender ID record, or you don’t have it exactly right, get a move on! If you don’t, you’re going to eventually run into issues trying to get mail into the Hotmail inbox.

Here’s what you need to do, in three easy steps:

  1. Create an SPF record. Go here. Put in every IP or netblock allowed to send mail on your behalf. Include a reference to your ESP or outsource providers. Take the record you create and drop it in as a DNS text record for your domain. Need examples? Look up the SPF record for other people’s domains to get an idea of how they do it.
  2. Make sure it covers your PRA (visible from domain), too. This is the important bit. An email sent to Gmail will pass an SPF check just fine with the record covering your MFROM (return path domain or bounce domain). That doesn’t mean it covers your visible from domain (PRA). If your visible from domain isn’t covered by an SPF or Sender ID record, Hotmail problems will follow.
  3. Test it. For work, I built an SPF/Sender ID/DomainKeys tester that we use for this. But, for the rest of y’all, I recommend using this tool from Return Path. It’ll break down PRA and MFROM results. Make sure they both pass. If the PRA test fails, your mail is likely to fail at Hotmail, too.
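The MFROM-versus-PRA gap from step 2, as an added example (not the author's tester or the Return Path tool): a small offline evaluator that checks one sending IP against the SPF record of both the bounce domain and the visible From domain. The domains, IPs and TXT records are constructed, and only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled.

```python
import ipaddress

# Constructed DNS TXT data; every domain and address here is a placeholder.
TXT = {
    "bounce.esp.example": "v=spf1 ip4:192.0.2.0/24 -all",            # ESP's bounce domain
    "news.example.com": "v=spf1 include:bounce.esp.example -all",    # From domain, covered
    "example.org": "v=spf1 ip4:198.51.100.7 -all",                   # From domain, ESP missing
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for one domain."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, arg, txt, depth + 1)
            if inner == "none":
                return "permerror"  # include target has no SPF record
            if inner in ("permerror", "temperror"):
                return inner
            matched = inner == "pass"
        else:
            continue  # simplification: a, mx, redirect= etc. are not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def check_both(ip, mfrom_domain, pra_domain, txt=TXT):
    """Check the same sending IP against both identities.

    A v=spf1 record is also what a Sender ID receiver falls back to for the
    PRA check, which is why one correct record on each domain covers both.
    """
    return {"mfrom": check_spf(ip, mfrom_domain, txt),
            "pra": check_spf(ip, pra_domain, txt)}


if __name__ == "__main__":
    esp_ip = "192.0.2.25"  # constructed ESP sending address
    for from_domain in ("news.example.com", "example.org", "nospf.example"):
        print(from_domain, check_both(esp_ip, "bounce.esp.example", from_domain))
```

The second and third cases are the ones that hurt at Hotmail: the bounce domain passes, so the mail looks fine elsewhere, while the visible From domain fails or has no record at all.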

Not everybody failing Sender ID (or choosing not to sign) is having delivery issues to Hotmail. But, it is proving to be a reputational black mark. For some folks, that’s enough to start causing problems. For others, less so, today anyway. Tomorrow will likely be a different story.

Remember: authentication matters. Read more on the topic, including overviews of SPF and DomainKeys, over on my other blog post.

(I’m muddling Sender ID and SPF a little bit here, in the interest of making this a short article. SPF and Sender ID are very similar; Sender ID is essentially the newer version of SPF. I’ve focused on putting in SPF records in place, because Sender ID is backwards compatible, and I’ve found it easier and quicker to do SPF alone, which covers me for both Sender ID and SPF, when done correctly.)
Read More… (From Al Iverson’s Spam Resource)

Lots of people think that Canter and Siegel are the first internet spammers. Not exactly true. Long before their first excursions into bad taste in 1994, came another: Gary Thuerk of Digital Equipment Corporation. It all started in 1978, with his mass email to all the email addresses in the world (or at least as many of them as he could find and type in to his terminal by hand), advertising the latest and greatest in DEC Systems.

Read the whole story here.

I would love to say I was actively aware of this when it happened, but I can’t. In 1978, I was beginning my computing career by writing BASIC programs on an HP mainframe computer to which I was connected over a 110 baud acoustic coupled modem link from a brown-paper teletype. An ASR-33, if I recall correctly. Keep in mind, that was a hundred years ago, and I was very young.

As far as the first spams I recall personally receiving, or being involved in tracking down and blocking, that’s a tough one. Frank Virga and Zvika Lichter were two well known (at the time) bad actors in the email space that I, in collaboration with many other folks, worked hard to push off the ‘net. For a long time in the 90s, I had some weird/gross spam from Lichter printed out and taped to my wall at work, as an example of what spam was all about. Back then, not everybody knew what spam was, or why it was bad. I found that showing them one of Lichter’s disgusting spam messages was an excellent educational tool. (I won’t even describe what the spam was offering, lest it haunt your next meal.)
Read More… (From Al Iverson’s Spam Resource)

Here are links to the most relevant takes on the recent webmail changes at AOL, in my own humble opinion.

Read More… (From Al Iverson’s Spam Resource)

01  Jul
Know when to quit!

I sign up for hundreds upon hundreds of lists. I maintain multiple “hamtraps,” collections of received mail that I actually asked for. So it’s not spam, but sometimes the line gets a little blurred.

Take, for example, a random veterans affairs site. In April I signed up on their site, but never completed registration.

In the past thirty days, they’ve sent me five requests to complete my registration. They may have sent me more requests to complete; I don’t know, because Gmail claims to empty out my spam folder every thirty days.

Yup, they’re going to the spam folder at Gmail.

I have some idea why. It’s for something they did. Or rather, something they won’t do: They won’t let go.

If you keep sending mail to unconfirmed signups every week, you’re driving people nuts. People who don’t want your mail, so they’re reporting it as spam every single time. People who didn’t complete because they don’t want to complete. Maybe sending them a second nudge to complete was OK, but five is far beyond what I’d call an acceptable best practice.

Is it legal? Absolutely. Is it blockable? Absolutely. It wouldn’t surprise me to find that they were having delivery issues at other ISPs, not just Gmail. ISPs, especially the big dogs (AOL, Yahoo, Hotmail), do not take kindly to senders who generate complaints, and it seems very likely that this practice does exactly that.

If you want to be a good sender, confirming your list is great. Asking people to complete their registration is fine. But stop and think: What is reasonable? Five requests (so far, I might add) is overkill. The whole point of confirming is to validate them as a user, counting them as engaged, knowing they want your mail. It’s silly, and damaging, to keep nudging people over and over and over, if they’re clearly choosing not to join this group.

As a sender, you greatly improve your deliverability by jettisoning non-responders. If you keep pinging them repeatedly, you’re denying yourself the benefit of this process, and ensuring that ISPs are going to block your mail.

Not smart.
Read More… (From Al Iverson’s Spam Resource)

Greetings from the San Jose airport, where I am waiting to fly home after attending the INBOX Event. I was there to participate in a panel on deliverability and authentication, along with my good friend Morgan Witt from BlueHornet.

The highlight for me was Patrick Peterson from Ironport. He spent an hour detailing the nefarious things spam gangs are up to. He laid out the details of their investigation into a single spammer’s operation over a two week period, covering about twenty billion pharma spams (wow), where they lead, and how they trace back to the same sender. Lots of what happens with credit cards, merchant accounts, do the spammers actually ship the promised pills, etc. Very insightful.
Read More… (From Al Iverson’s Spam Resource)

Here’s an update on the Amicus Brief filed in support of Spamhaus:

Matt Blumberg of ReturnPath published an article on March 13th about why his company decided to sign the amicus brief. Derek Harding, CTO of Innovyx, has done the same, writing an article published in ClickZ on March 22nd answering the question, “What’s in it for us?”

In related news, E360 is suing some anti-spammers who participate in the newsgroup NANAE, aka news.admin.net-abuse.email. Mickey Chandler pointed out with his launch of SpamSuite.com,

Ken Magill reported on it for Direct Mag here. It’s a bit light on what NANAE actually is or how it works, but accurate overall.

Compare that to Dianna Dilworth writing for DMNews. I found her article to be very embarrassingly incorrect in a couple of places. NANAE is referred to as a web forum and that it did not immediately return e-mails for comment. Um, it’s not a person. It’s not even an official association of any sort, so there is no Mr. NANAE to write to when looking for An Official Statement. She also implies that www.nanae.org is some sort of official website for the usenet group, which it is not.

Usenet is a collection of ISP and private servers that choose to participate in a message-based internet discussion system that predates the world wide web by at least twelve years, and probably longer. So it’s not a web anything, though nowadays, many people read usenet newsgroups via Google Groups, which incorporates access to these newsgroups. Wikipedia has an excellent overview of usenet if you’d like to learn more.

News.admin.net-abuse.email (NANAE) is just one of the many thousands of discussion forums carried via usenet. Like many groups, it’s unmoderated, meaning that there is nobody in charge. It’s a bit like the Wild West, and it can be painful to navigate through and participate in without some pretty heavy filtering. Name calling is rampant. A lot of talented anti-spam folks participate in NANAE to varying degrees, myself included, but a lot of other participants are not quite so knowledgeable, or don’t care to act in a professional manner.

As I mentioned before, it looks like both the lead guys behind E360 (Dave Linhardt) and Spamhaus (Steve Linford) have been caught taking pot shots at each other on NANAE.

Read More… (From Al Iverson’s Spam Resource)

It’s time to go back to the drawing board for a new opinion on Spamcop’s SCBL blacklist. In the past, I had consistently observed significant false positive issues, which now seem to be resolved.

For more on the topic, including metrics showing how well Spamcop is working in my test environment, click here.
Read More… (From Al Iverson’s Spam Resource)

Averaging out the last 149,623 spams I’ve received, the average size of each message is 7.8kbytes.

Over the past twenty-one days or so, I’ve received an average of 6,959 spams a day, or 4.8 spam emails every minute of every hour, twenty four hours a day.

I’ll share information like this periodically, to help others who are looking for data. Feel free to share info like this with others.
Read More… (From Al Iverson’s Spam Resource)

Down in the trenches, as it were, I see a lot of miscommunication and misdirection on the subject of confirmed opt-in/double opt-in. Here’s some quick notes, thoughts spurred by recent discussion on various forums I participate in.

Confirmed opt-in and double opt-in both mean the following and only the following: A potential recipient submits an email address at a web page. This triggers a confirmation request email. No further emails are sent to the end recipient until and unless they take positive action to confirm the subscription in response to this confirmation request email. That means the person who received the confirmation message has to click on a link (or respond to a token, but I prefer the link method) to confirm the subscription. If they didn’t do that, then you don’t consider them opt-in, and you don’t email them further.

Sometimes you have people doing the right thing, but in the worst possible way. Don’t be like Goofus and pound on unconfirmed recipients over and over and over, unless you like poor deliverability. A second confirmation request might be reasonable, but anything more and you’re guaranteeing spam complaints against you. It defeats the whole purpose (improved deliverability) of doing the right thing.

If somebody uses the term confirmed opt-in to mean filling out a web form and receiving an email saying “Your subscription is confirmed. If this is incorrect, click here,” then they are mistaken. This isn’t confirmed opt-in or double opt-in. It’s a signup form with a welcome message. The welcome message lets the recipient opt-out if necessary, and that’s great, but it’s not confirming anything as far as the opt-in police (ISPs, blacklists, etc.) are concerned. I see a lot of confusion surrounding this and it’s important to remember the following: It’s not confirmed opt-in or double opt-in unless the recipient has to take that active step of clicking on a YES link or taking some other YES-affirming action.

Confirmed opt-in doesn’t make it okay to buy/sell lists. If somebody offers to sell you a guaranteed double opt-in list that they’ve been compiling for years and it’s super awesome and you’ll get great response!!!, run for the hills. There’s no way that people on this list know about you or expect to get your email. It might be totally legal, but it’ll put you on the fast track to getting blocked by all the large ISPs. (And the list seller is probably lying about it being double opt-in, anyway.) (Looking for legit ways to build your list? Here’s a previous article on the topic.) And if you’re taking your confirmed opt-in list and selling it, everybody buying it is a sucker. All of those people are going to start sending to that list, diluting its value, driving high spam complaints, and regardless of how clear the opt-in was, people who send to it are going to get blocked.

I spend lots of time working with clients undoing damage from co-reg lists, append lists, etc., because somebody told the client (before I was involved) that this list is guaranteed opt-in and it’ll have a great match rate, everybody wants to hear from you, and it’ll drive great response. So the client signs on the dotted line, some append list does a poor opt-out introduction email, then passes over any addresses that don’t opt-out, and you never hear from them again. And then the client struggles with deliverability starting about a week later, and lasting for months. They end up pulling me into the loop (because, of course, I’m awesome!) to figure out what went wrong, and fixing the problem inevitably boils down to jettisoning these not direct opt-in list segments. Save your money and avoid this in the first place.

There are best practices you can and should apply to confirmation emails just like you would for any other email you send.

  • HTML tends to work better (drive a higher confirmation completion rate) than text. My tests have always confirmed this. Maybe it won’t work for you so test it if you’re concerned that this won’t be the case.

  • Branding is important. Make sure people know that the message is from you. From line, subject line, and header in the email should all refer to the sender. A logo is an excellent idea, but also make sure the email degrades gracefully if images are blocked by the recipient.

  • The opt-in process should be nothing more than a simple, easy-to-click hyperlink. Nothing fancy, no captchas, no enter a code, etc. (But make sure that link can’t be spoofed to opt-in a different recipient.)

  • Include clear wording that says what the person is signing up for, how often you’re going to send them emails, and how they can unsubscribe from the list if/when they change their mind.

  • Include information about the source of the opt-in request. The IP address from where the web form submit occurred, and the date/time (with time zone) are necessary bits of data to include. (You’re tracking this already, right? If not, uh oh.) What this does is it allows people who get forged subscription requests to hunt down the source ISP on their own and leave you alone. Anti-spam groups really like this step.

  • Short and sweet is the key. If it takes a three page email to explain why people want to opt-in or how to confirm, then you’re doing something wrong. Recipients’ eyes will glaze over and your confirmation rate will suffer. You should be able to fit the key messages of why to opt-in, how to opt-in, and anything else you want to convey, in just a few inches of email.
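One way to build a confirmation link that can't be spoofed to opt in a different recipient, and to keep the source IP and timestamp the list above asks for (an added example, not the author's code): the address is bound into an HMAC-signed token, so changing it invalidates the link. The key, the seven-day expiry and the list name are assumptions, and the list name is assumed to contain no dots.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # hypothetical; load from a secret store in practice
MAX_AGE = 7 * 24 * 3600            # assumed policy: links expire after 7 days


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def make_token(email, list_id, source_ip, now=None):
    """Return (token, audit_record) for one signup request."""
    issued = int(now if now is not None else time.time())
    addr = email.strip().lower()
    payload = f"{_b64(addr.encode())}.{list_id}.{issued}"
    # Audit record: who asked, from where, and when (with time zone),
    # for quoting in the confirmation email and keeping on file.
    audit = {
        "email": addr,
        "list": list_id,
        "ip": source_ip,
        "utc": time.strftime("%Y-%m-%d %H:%M:%S +0000", time.gmtime(issued)),
    }
    return f"{payload}.{_sign(payload)}", audit


def confirm(token, now=None):
    """Return (email, list_id) if the token is authentic and fresh, else None."""
    try:
        addr_b64, list_id, issued, sig = token.split(".")
        payload = f"{addr_b64}.{list_id}.{issued}"
        # Constant-time comparison; any edit to address, list or time fails here.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        age = int(now if now is not None else time.time()) - int(issued)
        if not 0 <= age <= MAX_AGE:
            return None
        pad = "=" * (-len(addr_b64) % 4)
        return base64.urlsafe_b64decode(addr_b64 + pad).decode(), list_id
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token


if __name__ == "__main__":
    token, audit = make_token("Alice@Example.com", "news", "203.0.113.9")
    print("link token:", token)
    print("audit:", audit)
    print("confirmed:", confirm(token))
```

Because the link carries everything needed to verify it, the subscriber is added to the list only when `confirm` returns an address, which is the positive action confirmed opt-in requires.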

You will find that none of this is a 100% guarantee against blacklisting. Sadly, you’ll find people who will attack you for doing COI/DOI just because they don’t like you, or they don’t like that somebody forged their address, or that your email contains HTML. Ignore them and do the right thing regardless. Why? Because the smart anti-spam folks who control the keys to the inbox at the large ISPs have significantly fewer issues with folks who run confirmed opt-in/double opt-in. If you do it and stick to it, you’ll get blocked much less often and have a strong message to convey to any anti-spam group or ISP who takes issue with you.

And finally, DON’T LIE! If I had a nickel for every time somebody lied to me about a list being confirmed opt-in, I’d be a rich man. How stupid do you think ISPs are? They can instantly tell when you’re hitting spamtraps, when too much of your mail attempts bounce, and when your mail generates too many complaints. Just because some ISPs provide data on this back to you doesn’t mean it’ll help you evade their filters and processes. Trust me, I’ve met most of these ISP guys, and they’re smarter than both me and you.

Read More… (From Al Iverson’s Spam Resource)

I spoke at both INBOX and Internet Retailer recently, and at both events heard smart marketers ask, “Why do readers unsubscribe, ignore or complain about my emails? They opted-in!”

Stephanie Miller from Return Path. Worth reading.

I’d like to extend Stephanie’s argument from senders to receivers and question whether permission is as relevant as it once was in terms of how ISPs, filters, and blacklists determine whether or not to block mail.

Matt Blumberg from Return Path keeps the discussion going.

My two cents to add here is simply this (very brief, as I’m on an awful keyboard): Permission still matters. Opt-in still matters. ISPs define spam as mail their users don’t want, and if you don’t have permission, you’re clearly sending mail users don’t want. Spam complaint data shows a clear correlation: Mail that isn’t opt-in gets you much higher spam complaints than mail that is opt-in.

The RP folks raise great, valid points though, in that opt-in isn’t good enough. You can be all 100% opt-in, and still have very poor delivery, spam foldering, and blocking, because you’re still not sending users mail they want. That’s why even with opt-in permission, or even 100% confirmed opt-in/double opt-in, you don’t get a “get out of jail free” card directing your mail straight to the inbox.

That’s why relevancy matters, too.
Read More… (From Al Iverson’s Spam Resource)

Continuing on the “clutter” theme, I have been working on uncluttering my inbox. via Genuine Curiosity
Read More… (From Email Spam News)

Here is the good news: the amount of image spam in your mailbox may begin dropping off. via It’s Just this Little Chromium Switch…
Read More… (From Email Spam News)

The US Department of Justice has issued a warning to the public urging them not to respond to a bogus email that purports to be from the DoJ. via The Register
Read More… (From Email Spam News)

These companies were noted in the Qwoter Stock Spam Report Overview for June 28, 2007: Reported Stock Spam From Qwoter: 1. Score One Inc =42 2. … via M2.com
Read More… (From Email Spam News)

The DNSBL TQMCUBE was created by David Cary Hart sometime in 2004 or 2005. The front page of the website www.tqmcube.com was modified to specifically become the homepage of the TQM blacklist in January of 2006.

Various sources and my own investigation show that the website seems to be running on autopilot with nobody at the helm.

A postmaster at a large ISP contacted me and indicated that he had received no response to DNSBL remove requests submitted to TQM. Those requests were submitted on March 27th, and it is now June 30th that I write this article.

Other data points showing that the list appears to be unmanned and likely abandoned:

  • The list’s website has a “last update” date of March 11, 2007.

  • The last known response received in reply to a blacklist remove request seems to have been in February, 2007.

  • I contacted David Cary Hart via email to the address on his domain registration on June 20th, 2007, and have not received a reply.

  • I contacted the abuse desk of his ISP (Fortress ITX) and asked them to confirm that he was alive. This was on June 24th. I received a ticket number but no other response.

  • The DNSBL’s experimental world zone has not been operational since December, 2006.

  • The last known sighting of Mr. Hart online appears to be here, from April 2007.

  • This newsgroup posting from Colin Leroy on June 14, 2007 indicates that Colin had last seen email from Mr. Hart back in December, 2006. The email was a message posted to a mailing list that they both participate in.

  • Others have indicated to me that they have called the telephone number in the TQMCUBE domain registration, and that the voice mail box associated with this phone number is full, no longer accepting new messages.

This thread in the news.admin.net-abuse.email newsgroup wondering why the list’s administrators are non-responsive is typical of the communication I’ve come across during my investigation. I am receiving numerous reports of issues with listings going unresolved. Additionally, when checked against my personal spamtrap data (8000+ spams/day) I am seeing the effectiveness of this blacklist trending downward over the past few weeks.

Keeping all of this in mind, I do not think it is wise to use the TQMCUBE blacklist.

I will update this page as more information becomes available.

Read More… (From Al Iverson’s DNSBL Resource)
