Every e-mail marketer knows about the existence of the dreaded blocklist or blacklist. via Target Marketing Magazine
Read More… (From Email Spam News)

The purpose of the spam is a throwback to the early days of e-mail abuse July 31, 2007 — Spammers are jumping on the success of The Simpsons Movie to trick e-mail users into validating their addresses, so they … via ComputerWorld
Read More… (From Email Spam News)

In 2004, Bill Gates of Microsoft promised that the spam problem would be ’solved’ in two years time. Three years later, Microsoft’s Hotmail service receives four billion messages a day, more than 90% of which are spam.
Read More… (From Spam News)

The purpose of the spam is a throwback to the early days of e-mail abuse July 31, 2007 — Spammers are jumping on the success of The Simpsons Movie to trick e-mail users into validating their addresses, so they … via ComputerWorld
Read More… (From Email Spam News)

If you are looking for a good free anti spam spamfighter - a free spam blocker or free spam filter - to help you deal with spam email, here are a couple of free spam filters and free spam blockers - including free anti spam software - that you may not have heard about! Now you can deal with your spam mail with your choice of a free Internet spam filter or free anti spam software! There is even free anti spam software for World of Warcraft users (SpamMeNot and one version of SpamSentry).
Read More… (From The Internet Patrol)

The other hazard I’d like to look at with regards to SPF and SenderID is the issue of newsletters, or more specifically, bulk emailers. Bulk emailers have a long and checkered history of using questionable email practises. They put in lots of advertising in their messages that spammers often mimic (refinance your mortgage, reduced price software, free <insert word here>), they have opt-out requests unselected in sign-up pages (often in grey text with font size = 1), they sell your email address to other bulk emailers (jerks) and usually insert a lot of HTML in their message, a lot like how spammers used to do it a couple of years ago. Still, even though there are a lot of grey-hat mailers, there are some legitimate ones as well. Bulk email really is a necessity to business. Businesses have to keep in contact with their customers and those that have signed up to receive email from the business want to hear from them. If a customer wants to hear about the latest sale at Home Depot, or United Airlines wants to tell its preferred customers about its latest vacation travel package, or Starwood Hotels keeps bugging me about its latest savings plan even though I only stayed with them one time and regret turning over my email address, the reality is that email marketing is something that business must do. I think a good bulk emailer does the following things:

1. It honours opt-out requests by providing a link to click on, rather than replying with REMOVE in the subject line.
2. It doesn’t sell your email address to anyone.
3. It makes you opt-in by default - that means that the checkbox is unclicked when you go to the page to sign up for something. This is more the responsibility of the merchant, but still…
4. It doesn’t ask you to whitelist them when you receive their messages.
5. It publishes SPF and SenderID records.

Aside from that, bulk mail has the issue of how it identifies itself. Suppose that website goodmailers.com has SPF record v=spf1 ip4:1.2.3.4. It then does a mailing campaign for Northwest Airlines. What does it put in the message headers? Let’s deal with SPF first. In the message From: address, it could put promtions @ nwa.com. It could put a different Reply-To to get replies, but what does it put in the Envelope Sender? Suppose the SPF record for nwa.com is v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx ~all. That means that goodmailers.com, if they don’t want to get mail rejected by email servers that use SPF, must put mail @ goodmailers.com as the envelope sender. Wouldn’t that look a little odd? It is supposedly coming from nwa.com but the Return-Path says goodmailers.com? I don’t know that much about marketing and branding, but I bet somebody at nwa.com does and wouldn’t like a bulk sender putting their stamp on their customer marketing messages. But, if goodmailers puts promotions @ nwa.com as the envelope sender, then from the above we can see that if the mail is coming from 1.2.3.4 (the IP authorized to send mail from goodmailers.com), this will fail the SPF check from nwa.com’s SPF record. So, on the one hand we have a marketing problem and the other we have a security problem. In reality, nwa.com gets around this by having a different SPF record than what I put above. It’s actually the following: v=spf1 ip4:139.72.159.240 ip4:139.72.159.241 mx include:elabs3.com ~all Northwest Airlines actually outsources their bulk mail to EmailLabs and specifically authorizes them to send email for them. This means that elabs3.com can send bulk mail for Northwest Airlines and put nwa.com as the envelope sender. A SenderID implementation will take a look at this SPF record, and because elabs3.com is authorized to send mail, it will (probably) extract the PRA, most likely the From: or Sender: address, and this, too, will pass an SPF check. This raises the question of whether or not Northwest Airlines really wants to add elabs3.com to their SPF records. They don’t own EmailLabs so that means there needs to be a lot of trust between them and NWA. This may not be so bad for an airline, but what about a financial institution? In a discussion last week, one of my colleagues said that financial instutitions should never outsource their bulk email service. It’s too much of a risk. If the bulk mailer was ever compromised (or ever turned gray or black) they could do an incredible amount of damage to their customers in a short amount of time. The emails would get through SPF and SenderID checks and customers might be tempted to enter in their information. On the other hand, there would be an incredible lawsuit in that case and the email provider would be out of business in short order - both from the lawsuit and from the loss of business. It’s still debateable whether or not financial institutions and even other businesses want to add bulk mailers to their SPF record. If you don’t control the domain in your SPF record, you may want to think twice before adding it. On the other hand, as a business you probably want to outsource your mass emailing. I guess the CFO and chief security officer need to evaluate the risk/reward ratio.
Read More… (From Terry Zink’s Anti-spam Blog)

Both SenderID and SPF have their critics. I’d like to touch on two potential problems with them: the first is the issue of email forwarding. There’s no official standard on how email is to be forwarded (in terms of rewriting the headers). Suppose that Mail Server A sends the message and everything complies with SenderID or SPF - the envelope sender is correct, the domain has its SPF or SenderID records set up correctly, and so forth. The message goes through some internal routing, but then is subsequently forwarded by another outside mail server (perhaps an open relay) with no change to the email headers. Or, consider the case of receiving mail at one mail host on your network which then relays it to a central mail server. What happens? Well, since the last hop of the message router is the transmitting IP that the receiving email server receives the message from, it only makes logical sense that to use the envelope sender / PRA and that IP in doing an SPF or SenderID check. Since nothing was rewritten in the message headers, this will fail a sender authentication. The creators of SPF actually admit that this is a problem and suggest whitelisting the IP as a possible workaround:

Checking SPF On Forwarded Mail Mail forwarding is set up by the receiver and so for forwarded mail, the border mail server should be checked rather than the the forwarder’s mail server [sic]… Authorized forwarders should be whitelisted against SPF checks to avoid this problem.

Note: OpenSPF needs to clean up their grammar. I’m not a big fan of this workaround. Whether it’s your own internal mail servers routing the mail (SPF is designed to be used at the border of your network) or some other forwarder somewhere, my experience with whitelisting is that you’ll be forever whitelisting IPs. Just when you think you’ve found one forwarder, another one pops up. I can’t tell you how times I’ve fixed a false positive caused by spam regex rules thinking I’ve fixed all of our broken rules only to see another broken rule pop up. The fact of the matter is that there are lots of mail forwarders out there and chances are you’ll never find them all. While SenderID has the theoretical advantage of checking the Sender headers or Resent-(From|Sender) headers and could (in theory) look through the other email headers trying to extract the original sending IP and matching the PRA, I think this is a lot of trouble as well because it would have to figure out which IP in the headers was the original one and also detect which headers are fake and which are not. So, how can mail servers get around this problem? As a spam analyst who has processed over one hundred thousand false positives, I’ve long since learned that even though an anti-spam technique is supposed to be 100% designed to hit spam, it almost always hits legitimate messages that the designer of the technique hadn’t considered. The technique is good at stopping spam but inevitably proves to be overly sensitive. In the case of SPF and SenderID, this email forwarding is a legitimate problem. My own preferred technique is to tweak the recommended implementation. Whereas SPF and SenderID say you should reject mail that fails an authentication test, I prefer to score it aggressively. For example, if we have a spamminess scale based upon probability that runs from 1 to 10, with 1 being non-spam and 10 being spam, assume that if a message scores higher than 5.0, it is considered spam. The recommendations for SPF and SenderID say to reject mail based upon a test failure, so their probability grades would be 10.0. Thus, combined with other elements in the mail that knock down its spamminess, it’s unlikely to get it under the spam threshold. My way of doing it would be to score an authentication failure at 6.0, enough to get the message over the spam threshold, but not so far above it that non-spammy elements couldn’t bring it back down. In my experience, most spam contains elements that mark it somewhat spammy anyways, while non-spam contains elements that make it non-spammy. A message with an authentication failure will often times have other elements that will keep it over the spam threshold, while a non-spam message with a failure will usually (75% of the time) be able to be pulled under the threshold. Of course, there are times when spam will get pulled under (false negatives) and non-spam gets pushed over (false positives), but in my experience, it is generally better to error on the side of reduced false positives.
Read More… (From Terry Zink’s Anti-spam Blog)

That’s one of the problems we usually confronted to. To resolve this matter very easily, do not publicly publish or announce your email addresses in websites you visit. via NowPublic
Read More… (From Email Spam News)

Last year I was exchanging e-mail with an aquaintance in Africa aboutsetting up web sites, who said:

I would be interesting to know what mistakes made in North America and how they were addressed.

The major mistake was to assume that the most important use of the net wasto distribute content from a relatively small set of sources out to themasses, and that the masses would pay for the privilege. In fact, peopleput a much higher value on one-to-one or one-to-few communication, and thenumber of content providers that successfully sell information can becounted on your fingers.See more …
Read More… (From E-mail, tech policy and more )

“We’re not likely to send out unsolicited e-mails.”

The federal agency charged with protecting consumers from Internet scams now finds itself wrapped up in one.Identity thieves have sent thousands of bogus e-mails purporting to be from the Federal Trade Commission _ as well as the Internal Revenue Service and Justice Department _ in an attempt to trick consumers into divulging personal financial information.The agencies are the latest institutions to be exploited in ‘phishing’ scams, long the bane of large banks and credit card issuers. Read more
Read More… (From Email Spam News)

“To a large respect the whole industry has harped around a performance metric of getting more of the nasty messages out of people’s inboxes”

Users of challenge-response technology reported the most satisfaction making it the most effective method to fight annoying spam, according to an independent study. via TechTarget
Read More… (From Email Spam News)

But I looked through my email over the last week, and I have two social email. The other 5,000 or so are business , or mail lists about things I’m interested in, Google Alerts, or spam. via Megite Technology News
Read More… (From Email Spam News)

“I’m sorry, your message has > been trapped by my spam filter. If this > is a legitimate email message, please > put the word PASSWORD in the subject. > Thank you.”

About: Apache SpamAssassin is an extensible email filter that is used to identify spam. via Freshmeat
Read More… (From Email Spam News)

Mitch Joel offers a thought-provoking post about his recent experience transferring his subscription-based email traffic over to a GMail account, to keep his workflow in order.* This serves as a stunning … via Traffick.com
Read More… (From Email Spam News)

“Studies show that people on IM at work don’t waste too much time chatting with friends, and their productivity gain would outweigh any socialising.”

If your inbox has spiralled out out of control, you’re not alone. Jimmy Lee Shreeve reports on the new ways to stay in touch It was the 250 e-mails a day that finally sent Darren Lennard, managing director of … via The Belfast Telegraph
Read More… (From Email Spam News)

“We’ve seen that ISPs are constantly putting new policies in place, and those policies relate to reputation best practices.”

If you’ve been sending e-mail marketing messages, you’ve probably noticed a significant development over the past six months to a year: Deliverability now has more to do with reputation than it does with … via BtoB Magazine
Read More… (From Email Spam News)

“We’ve seen that ISPs are constantly putting new policies in place, and those policies relate to reputation best practices.”

If you’ve been sending e-mail marketing messages, you’ve probably noticed a significant development over the past six months to a year: Deliverability now has more to do with reputation than it does with … via BtoB Magazine
Read More… (From Email Spam News)