October 2, 2009
The Impact of the new Spamhaus CSS "snowshoer" List
Evan Burke, who works for an email service provider (ESP) in Minneapolis doing deliverability compliance, asked an interesting question via Twitter: he said that he was trying to figure out what the new Spamhaus CSS list will mean to his company as an ESP. The new list will likely result in a lot of spam being blocked, which is a good thing - so-called snowshoe spam (definition here) has been an increasingly large component of the spam we see here and in the trap feeds we monitor. In one sense, it's a return to old-school statically-hosted spamming, the sort that Spamhaus SBL was created to solve - but representing an evolution in tactics and new levels of obfuscation.
Having no small amount of experience with these snowshoe spammers, I replied that I expected it to mean the more legitimate clients of the sneakier grey- and black-hat spammers would migrate to more legitimate ESPs - suggesting that it was, in the long run, a good thing, because ESPs with transparency and a reputation to protect will educate their new clients. His reply was essentially that this would be a problem for them in the short run, because it would swamp their new customer vetting processes and so on. It's a glass half full/half empty sort of question, though, I think.
You can pretty well divide the world of email into a few categories:
- legitimate email (personal, corporate, etc.)
- unsolicited mail sent by corporations directly
- unsolicited mail sent by corporations via legitimate ESPs
- unsolicited mail sent by corporations via snowshoe spam operations
- unsolicited mail sent via "spambots" and botnets
- unsolicited mail sent via chickenboners and other individuals using spam software
The differences between each category are a matter of transparency, competence, and sophistication. Botnet operators are not at all transparent, but competent (mostly) and sophisticated (mostly). Chickenboners are sometimes transparent (mostly not) but their lack of competence and sophistication is enough to make their messages easily identifiable as spam. ESPs occupy a spectrum from transparent, competent, and sophisticated to cloaked, competent and sophisticated to cloaked, incompetent and unsophisticated - but it is important to make the point that this doesn't imply that their respective clients match the profile of the ESP that they happen to choose for their business.
When a salesman at a company tries to promote a product or service by way of hiring what they believe to be an ESP, they may not have the sophistication to know the importance of transparency - they may be more focused on claims of success rates, or the sophistication of the ESP's tools for tracking, and other factors. Some of the more sophisticated snowshoe spam we've seen has been for recognizable brand name products and companies, like Sears and Brinks and LG and Kraft and Gerber and Dish Network and the AARP and so forth; some has been for the usual diploma mills, cheap insurance, work-from-home schemes, Acai berry nostrums and the like; some has been for the usual bottom feeder crap like ink cartridges and business cards. Very little of what we see has been what shows up via botnets, such as pharmaceuticals, fake watches, "OEM software", and body part enlargement snake oil.
This suggests that the various tiers of legitimacy of the vendors so represented do not align with the various tiers of legitimacy of the ESPs they hire. In my view, as those who were attracted to ESPs (or "email marketing agencies") who advertised excellent returns and low rates see those returns fall, they will move to ESPs whose reputations are based on transparency and responsible practices. What Evan is afraid of is that because of the same misalignment between sophistication of client and service provider, the legitimate ESPs will be swamped by the middle tier and lower, and this represents a threat to their ability to vet and police their clients. So be it.
I've taken the (unpopular on lists like SPAM-L) position for several years that ESPs represent an opportunity for those who wish to curtail spam, not a threat per se, akin to an Internet-wide hygiene and education campaign. Of course, the difference between a "good" ESP and a "bad" one boils down to reputation, transparency, and responsiveness to complaints about abuse (which you can't even measure without the first two, because if I don't know who to complain to, or know enough about you to bother, the third is a non-starter). Looks like here's an opportunity for ESPs wanting to maintain their legitimacy and good reputations, or for those who want to improve them. I'm looking forward to it.
May 5, 2005
Florida Hurricane Alerts Treated as Spam by AOL
As with most sensational stories, I have to wonder what the real cause was. It's easier to just cry "false positive" and more fun to make a big deal out of the fact that the Floridians are using email for emergency notifications, especially insofar as hurricanes are often accompanied by complete power and phone service outages. One imagines the station, running on emergency power, sending email to the effect that 99% of the county had lost power and phone service, and it's not hard to come up with more humorous examples, making fun of the poor hurricane-battered Floridians.
And the bottom line for any mail administrator worth the name is that email is not, and has never been, a 100% reliable protocol (though perhaps in the more technical sense of "reliable", not the common sense of dependable). It's not the telephone, where circuits are established and kept open for the duration of the composition and transmission and reply to the message, but more like the post office, in that delays can occur, often lasting hours or days, and so forth. Hence electronic mail, not phone.
But I wonder, knowing something about the tactics AOL usually relies on to detect spam, whether the messages were simply sent from poorly configured servers, used language or formatting that is commonly found in spam, and so forth. As the article doesn't make that clear, unsurprisingly, any resultant furor or mockery is baseless. We're not talking about prejudice or judgement in human terms, we're talking about software algorithms. Now, granted, those algorithms are ultimately the result, the expression, of human prejudices and judgements, but they're more likely the application of statistics and the analysis of millions of messages identified as spam by AOL's own users and by trained admins and programmers.
We all have to set our own policies when it comes to what to accept, how often, and from whom. AOL, first and foremost, has a responsibility to protect its members from abuse and fraud, and its responsibility doesn't include making sure that anyone sending to them is competent (or has a competent administrator), cognizant of how to construct their messages so they aren't easily mistaken for spam, and so on. And people, too, make mistakes when deciding whether to open a message at all, so even if AOL delivered the message, there's no guarantee the recipient would understand that it was something they asked for, or that it was more important than the headlines from CNN or the note from their sister in Dubuque. There are mechanisms for "grading" email that way, but they're rarely used except by those whose mail clients support them in an obvious manner. In the end, it's up to the users to learn how to use email effectively.
The largest mailing list I run, webdesign-L, had some trouble sending to AOL at one point, due to one of the list members using a URL in his .signature separated from another URL by an asterisk - simply a matter of styling, for him, but for AOL it resembled something they'd seen far more recently in phishing scams abusing poorly written HTTP redirectors. I reported the bug, they tuned their detectors, and the world was a better place. I could have screamed and complained and badgered, or simply told the list member to change his .signature (this latter I did also, just in case) but it made more sense to find out why the error occurred and fix the problem.
It's much easier to cry "false positive", though, than to learn something about defensive email composition or mail server administration, so I suspect that's probably what happened here. I'd love to hear more, from anyone with details.
Posted by schampeo at 12:48 PM
April 20, 2005
AOL Goes After Phishers
Posted by schampeo at 7:05 PM