Reply-All: The Short-Week-Following-the-Long-Weekend-Edition Edition

A blogger for computer and Internet security giant Sophos sounded the red alert Tuesday, announcing that a “primary WHOIS registry” (huh?) had been hacked, and records of  sites belonging to Microsoft and Google had been vandalized.  Indeed, a WHOIS search on a UNIX box returned some uninteresting DNS performance art. The author of the blog post didn’t realize he was using, essentially, a modified substring search, so he was seeing a variety of  inexact matches containing records from a mess of DNS servers – all unrelated to the companies in question. The original post was replaced with an apology and redaction within a few hours, but not before a standard complement of rotten tomatoes had been tossed in their general direction.

Marketing industry reporter extrordinaire Ken Magill serves up another scoop: after fewer than five days in the saddle, the new CEO of Lyris is reportedly ready to lay off about 15% of it’s work force (somewhere between 40 and 45 jobs). The downsizing is apparently part of a shift in corporate strategy away from small business senders in favor of larger companies that send in higher volumes. Some within the company are reportedly wondering (out loud, to Magill) whether the job slashing is part of a move to make the company appear more attractive to a prospective buyer.

Microsoft cut the legs out from under the Waledac spam ‘botnet by seizing 276 domains used for command and control. Microsoft filed a suit against Waledac operators, in which it sought an award of the c&c domains. The botnet operators have 14 days to appeal the default judgment (thereby revealing their identities), which no one really expects they’ll do.  Unlike previous attempts at take-downs, it looks like this one is sticking.

“Houston, we have a problem … it’s called ‘spam’,” tweeted NASA’s Lunar Science Institute, as the “here you have”/VBMania e-mail trojan spread like wildfire across the Intarwebs Thursday, choking and overwhelming e-mail servers and stealing user passwords as it went. Various media outlets reported that the worm has hit NASA, Google, Coca Cola, Comcast, and ABC/Disney, and the Department of Homeland Security.

And to kick your weekend off with a smile, here’s a chuckle from cartoonist Brad Colbow about opting out of retail e-mail campaigns. Remind you of any clients you know?

Spamhaus lists Google

I’m sitting at my desk sipping first coffee of the day when a colleague floats a message over the transom of an e-mail related listserv with the subject line “Spamhaus now listing Google Outbounds”. Colleague owes me a new keyboard.

It does appear that Spamhaus is listing fifteen different Google hosts. However, Gmail users shouldn’t be reaching for their torches and pitchforks just yet. It does not appear that any machines that actually handle mail for Gmail are listed.

Instead, Spamhaus is listing a basketful Google Docs machines for their long history of hosting images and redirectors for the associated Canadian Pharmacy ROKSO listing.

Will Google notice? That really depends on whether any Google customers notice. Stay tuned.

Block Lists and the Death of a Thousand Cuts

Author’s Note: Since this writing, block lists operated by SORBS have had a pair of spectacular, catastrophic failures resulting in the inadvertent and wholly spurious characterization of enormous chunks of the Internet as sources of spam, or dynamic IP space, or both. Poor infrastructure planning and operational security precluded a graceful recovery; in fact, it was nearly a week before operations returned to normal. As such, use of GFI/SORBS as a reliable source of data on production mail servers is deprecated. My colleague Steve Atkins at Word to the Wise provides an exhaustive review of the problems leading up to and exacerbating the failures, and summarizes them neatly.

If you’re sending high volumes of e-mail, sooner or later you’ll find yourself on a block list. It doesn’t matter that all of your list segments are quadruple opt-in; like death and taxes, it’s inevitable. The secret to surviving (and correcting) a listing is to be ready before it happens. Here’s what you need to know now, before you find yourself listed.

Stay Cool. No one ever got a listing removed by screaming down a phone line or threatening legal action. Don’t expect (or demand) a good customer service experience from a block list – you are not their customer.

Block Lists Don’t Block Mail. In the initial panic following the discovery of your listing, it’s easy to forget that block lists don’t actually block any mail; it’s your recipients’ mail servers that do all the blocking. The filters used by many ISPs and companies reference data from block lists, reputation scoring firms, and especially feedback from their customers to inform their filtering decisions. If significant numbers of your recipients are reporting your mail as spam, stop worrying about the listing. It’s time to take a hard look at your list hygiene, acquisition and sending practices.

Some Block Lists Matter More Than Others. The vast majority of public block lists don’t matter at all. There are plenty of web sites that offer to look up your sending IP on hundreds of lists all at once, but unless you’re listed on one of only about a half-dozen, you probably have nothing to worry about.

So which are the ones worth worrying about? Any of the lists operated by, the CBL, URIBL, CloudMark CSI, SpamCop, Barracuda Central, and sometimes SURBL and SORBS. The cast of characters changes a little from time to time, but these are usually the heavy lifters.

Different Lists Do Different Things. A listing on the Spamhaus SBL means something very different from a listing on URIBL, which is entirely different again from a listing on Spamhaus PBL. Only one of these (SBL) is a list of suspected spam sources. The URIBL lists domains that appear in spam. The PBL is a list of IP space from which unauthenticated e-mail is not supposed to be sent. Don’t assume you’ve been listed because someone thinks you’re sending spam; make sure you understand the reason for your listing before you waste time fixing a problem you don’t have.

Many Block Lists are Automated. Some block lists operate with as little human input as possible. The URIBL is a good example. It automatically adds the domains it sees in the links contained in spam, so that users of the list can block mail based on presence of those domains. The good news is that delisting is pretty straightforward – just submit a short request on their web site. But expect the listing to be reinstated automatically if it sees more spam that contains links to the offending domain.

Avoid the Death of A Thousand Cuts. The most dangerous block lists are the private, home-grown lists created and maintained by IT professionals at the companies you’re sending to.  These lists are unpublished, unqueriable, and are controlled by harried mail administrators who don’t have time to check every few weeks to see if it’s okay to delist you.

Once you land in one of these lists, the effect is very localized, but extremely difficult to reverse. Land in enough of these lists, and you’ll notice significant deliverability problems with your target niche – the death of a thousand cuts. Ironically, one of the benefits of the large, centralized block lists for senders is that it takes just one delisting to get mail unblocked across great swathes of the Internet. It’s a lot easier than contacting every domain you send to, one by one.

Block lists seem a lot less scary once you understand how they’re assembled and used. If you find yourself listed, keep calm, find out why, and gather the data together you need to fix it.

Relevance Is The New Permission?

I’ve been meaning to blog more about this article for a while, in which Sherry Chiger examines the pros and cons of single and double opt-in permission for e-mail. Her opening line is a real attention-grabber – I nearly fell out of my chair when I first read it: “Once upon a time—say, 10 years ago or so—double opt-in was the gold standard of permission-based e-mail.”
Maybe what Ms. Chiger is trying to say is that double opt-in is not the only acceptable standard of permission – which is absolutely true. But it sure has a lot going for it: it’s simple to implement; easy to automate; easy for senders to measure; and happens in-band. For these reasons among others, it’s the best kind of permission to have, and that’s why it’s (still!) the gold standard.
But obtaining permission – even the gold standard – has never been a panacea for delivery issues. The problem with any flavor of permission is that, within the e-mail protocol, there is no way for senders to reliably assert what kind of permission they’ve been given. That means ISPs can’t measure permission per se; instead, they must measure spam complaints and other metrics as a proxy for permission. In other words, if a sender’s message is relevant to the recipients, the performance of a message sent without permission is often indistinguishable from permission-based messages.
Some in the sending community take this as proof that relevance is more important than permission – and this may be the point that Ms. Chiger is trying to make. I disagree. I think the real conclusion to be drawn is that there is no better indicator of relevance than permission – and that’s why permission is so valuable.
I talk to a lot of frustrated senders who’ve segmented their lists dozens of different ways to try and infer what messages are relevant to which recipients. They burn a lot of time, energy and reputation trying to force relevance. I’ve never understood why this is preferable to just asking the recipient for permission.