Thursday, April 3. 2008

Q&A | Talking Points Against spam

Posted by Matt Vernhout in FAQ

Q:
Dear Cauce,

I need your help. I work for an organization that sends an email newsletter once a week. Someone in my office came up with the bright idea that we should auto-subscribe every person in our offline database and let them "opt-out" if they don't want to get it. While this email is not necessarily of a commercial nature, I personally still consider this unsolicited email to be spam. Can you provide me with a white paper or talking points on why this is a terrible idea so that I can make this case to my bosses?



A:

A good place to start is the Senders BCP (Best Current Practices) published by the Messaging Anti-Abuse Working Group. If anyone asks why they should do what MAAWG says, it's because its members include every large Internet provider in the country and several of the largest anti-spam organizations in the world. This document gives easy-to-follow advice that will help your organization stay off blacklists and out of the ISP filters. We also recommend a review of the document "Stopping Spam: Creating a Stronger, Safer Internet", written by a joint government-industry task force in Canada [pdf].

Another good place to look is these email-related blogs that discuss Best Practices and the latest happenings in the industry:

Wednesday, April 2. 2008

Letter to the Editor: In Support of The Spamhaus Project

Posted by Neil Schwartzman in United States

A letter to the editor sent to Ken Magill of Direct News / Magilla Marketing
* Reposted with Permission from Neil's Personal Blog.

Ken,

Thank-you for your April 1 column 'Anonymous Group Takes Aim at Spamhaus', it is no joke.

Consider for a moment what the circumstance for the email world would be, were the people behind Online Marketing Advocacy Group to be successful in putting The Spamhaus Project out of business.

Literally hundreds of millions of user inboxes would be left unprotected. Spam would flow, unabated, into them. How then, would users react? I imagine a goodly portion of them would simply give up on the medium. We have already seen evidence of users either migrating to social networking closed gardens or dumping email altogether, how much more tempting will these alternates be in such a world?

ISPs would scramble to put other measures into place, using DNSBLs far more draconian than those of Spamhaus.

Legitimate marketers will be severely affected, with a far, far lessened ability to get their messages delivered, or actually seen, amidst the blizzard of spam.

Is a listing on Spamhaus onerous enough to sue the company out of existence? I imagine it must be for some of the highest degree of frustration to be listed at Spamhaus. However, in both my personal and professional life I have never experienced anything but professionalism and ease of use with their products. The clients I have encountered with Spamhaus listings who made the appropriate changes were quickly delisted, plain and simple as that.

I expect of the tens of thousands of legitimate marketers who are not listed at present, some may have had some unfortunate intersection with Spamhaus, and had to change their practices. At present, they are humming along happily. To them I ask - do you like getting your mail to the inbox of your subscribers? Then do not sit on your hands, and allow this pernicious, short-sighted initiative to move forward an inch without a challenge:

Contribute to Spamhaus in any way possible; they surely have a legal defense fund to fight against this spurious attack, pony up some money!

Strictly follow industry guidelines - the Messaging Anti-abuse Working Group has several available through their website (including a terrific new paper on email authentication, check it out) - all these documents have been developed with the full participation of senders, receivers, CAUCE and Spamhaus associates.

Agitate in industry associations like the DMA and ESPC to very publicly voice and undertake initiatives against the actions of the cowardly Online Marketing Advocacy Group and indeed for The Spamhaus Project. This may cause some internal pain to these groups. It is my understanding that some of their members, in fact, very vocal members are the main supporters of this attack-dog group. Take a stance, divest yourselves of these sectors of the industry that do nobody any good, far least, the ever-loving recipient of email.

Be forewarned, if you don't take an active stance now, today, and these vile back-room people are successful, you will doubtlessly wish you had done so. It will hurt your business, and in these business climes, I'd say that in and of itself is a very brave stance indeed. Good luck with that.

--
Neil Schwartzman
Executive Director
CAUCE: The Coalition Against Unsolicited Commercial Email

Tuesday, April 1. 2008

Trust in Email Begins with Authentication

Posted by J.D. Falk in World

As most CAUCE supporters already know, forging From: or other commonly seen email headers is trivially easy. It's one of the most frustrating oversights in the creation of Internet email technology -- though of course that's only obvious in hindsight; it was just fine for the pre-Internet networks of the late 1970s and early-mid 1980s.

Since then, things have changed -- and the most interesting recent technological advancements in email have been in the realm of sender authentication, which encompasses ways to verify that the apparent sender of a message actually is the entity which sent it. Before you can answer the question "can I trust this message," you have to ask "who sent it?" -- but before authentication, there was often no way to know for sure.

The first authentication technology to catch the interest of the industry was Meng Wong's SPF, which also formed the basis for Microsoft's SenderID. In parallel, Yahoo! developed DomainKeys, which has now evolved into DKIM. All of these are free to use, though some have licensing requirements or patents which may prevent derivative works.

Having what looks like four entirely different technologies may seem confusing, and marketing tactics from some of the organizations involved certainly haven't helped. Luckily, our friends at the Messaging Anti-Abuse Working Group have published a new white paper, Trust in Email Begins with Authentication, which should help to clarify things. It provides a much-needed substantive overview of the authentication methods and practices currently in use, without inappropriate bias or attempts at coercion.

CAUCE hopes that this effort will raise the level of debate within the email industry, and lead to faster adoption of authentication technologies. Sender authentication will not, obviously, solve spam -- it has very little to do with spam, in fact -- but curtailing the bad guys' ability to send messages that look like they're from your bank or other trusted institution will certainly help.


[Some CAUCE Board members -- including the author of this article -- contributed to the MAAWG document, and are regular attendees of MAAWG events.]

Monday, March 17. 2008

CAUCE in the News

Posted by Matt Vernhout in United States

John Levine is quoted in this recent article in the Seattle Post-Intelligencer, discussing recent spikes in fake drug spam being sent from hijacked computers.  
Read the full story here: Two major spam cases end up in Seattle.

Sunday, March 16. 2008

Megaspammer Robert Soloway pleads guilty

Posted by John Levine in United States

Large scale spammer Robert Soloway, whose criminal trial was scheduled to start next week, pled guilty to most of the criminal charges against him.

CAUCE board member John Levine comments on the case in his blog.