spf-discuss

RE: FTC: we need sender authentication before "Do Not Spam" can work

2004-06-17 07:59:57
From: John Glube
Sent: Wednesday, June 16, 2004 8:16 PM


Thanks for your thoughtful reply.  While we disagree on a number of issues,
you raise some good points and I would like to respond to them below.



From: Seth Goodman
Sent: June 16, 2004 6:22 PM
Subject: FTC: we need sender authentication before "Do Not Spam"
can work

A couple of comments:

* Mailing standards for solicited bulk mailers:

My concern with moving to a higher standard is
for those e-publishers who have been running
confirmed opt-in mailing lists for a number of
years.

I stand to be corrected on this point, but my
understanding was the implementation of verified
opt-in was to deal with the problem of "joe jobs."

Since SPF responds to this problem, is there a
need to move to a higher standard?

That's a valid question, but I'm afraid the answer is still that we need
higher standards.  SPF can validate an originating domain only under two
conditions:

a) you receive the email directly from the domain that sent it

b) one of your trusted forwarders received the email directly from the
domain that sent it

Once an email has been forwarded more than once, it is nearly impossible to
unravel the implicit web-of-trust that is created when forwarders whitelist
each other.  Even with the above observation in mind, there is a more
important issue.  SPF only works to validate the originating domain if it is
implemented and configured correctly and if you use it.  Unfortunately, the
people who have been poisoning the direct marketing well for years are not
honest individuals.  They are, in fact, criminals.  Legitimate bulk mailers
will probably tell the truth about their validation procedures and would
likely submit to audits.  Illegitimate bulk mailers will lie and obfuscate.
The problem is that, after the fact, it is likely impossible to tell if a
site had a correct SPF implementation properly configured and operating at
the time a given purported opt-in request was made.  Since we are unable to
distinguish the legitimate operators from the criminals, we can't just take
their word for it and some independent means is needed to validate an
end-user opt-in request.

An unfortunate side effect of any new requirements for anything is that
implementing them tends to penalize honest people more than dishonest ones.
This is one factor that makes the libertarian view of society appealing to
some.  However, "good" requirements allow us to identify the dishonest
people and compel them to stop their anti-social behavior, either through
civil or criminal means.  As a group, we are better off with the
requirements than without them.


*** why bulk email requires special considerations ***

Though IANAL, it has been long established that when someone sends you a
notice that, unless you take some action, they will provide you with a
product or service and bill you for it, you are under no obligation to
answer, you have no obligation to pay any bills they send, and I suspect
that you are allowed to keep any unsolicited goods they send you.  Bulk
email is a unique communications medium because it arrives "postage due".
Once you receive it, you have already paid for it whether or not you
requested it.

The analogy to the unsolicited goods and services scenario is if someone sent
you a notice that, unless you took some action, they will begin to withdraw
money from your bank account.  If they proceeded to do so, that would be
obviously illegal, yet that is exactly what many bulk emailers do.  This is
the primary reason that higher standards are required for bulk email senders
than for other means of marketing communication.

Another factor to consider is that bulk email, just like bulk postal mail,
is considered by nearly everyone (except the sender) as a lower delivery
class of mail.  In terms of postal mail, private communications and bills
are sent as first class mail with guaranteed delivery, guaranteed
notification of non-delivery and at a premium price.  Unsolicited bulk
postal mail is sent at a lower rate with the explicit understanding that
delivery is not as reliable and neither is notification of non-delivery.
Senders can also get a discount by pre-sorting the mail, which saves the
Postal Service considerable effort.  The Postal Service designates this as
pre-sorted second class mail.  While putting multiple recipients on a bulk
message for a domain does lower the cost of delivery, the recipient still
pays the cost.  Bulk emailers appear to want the performance of first class
mail service and still expect the recipient to pay the cost.  This is an
outlandish and completely unrealistic expectation.  Though I cannot blame
them for trying, we don't have to, nor should we, accept their proposition.


As a side note, whether the standard is
unconfirmed opt-in, confirmed opt-in or verified
opt-in this has not and will not stop abusive
behaviour.

The best I can gather, all verified opt-in does,
given the existing state of email delivery, is
make it easier to sort through whether the spam
complaint is legitimate or not.

We agree on this point.  Where we may not agree is on the value of it.
Making it easier to validate complaints is key to an efficient and fair
blacklisting effort.  The more efficient and faster it is possible to
blacklist an abusive party, the less network abuse they can perpetrate.  If
abusive behavior can be sufficiently reduced, people may once again start to
pay more attention to solicited bulk email than they currently do.  This
will make email a more valuable communications medium, both for private
communications and mass marketing.  The key to this is drastically reducing
abusive behavior, and in the foreseeable future, this means making the
blacklist system faster and more accurate.


* Interference by outside groups

I have no love lost for marketing or business
associations which continue to support the
sending of UCE in bulk, which is simply a subset
of UBE.

The objective is to have wide spread and rapid
adoption and implementation of SPF. This in turn
makes it easier to identify and block spam
sources.

But when I read a call in the DMNews for SpamHaus
to step aside and allow the FTC to take over the
Dot Mail proposal, I become concerned as to
intentions.

(Know the opposition is a cardinal rule of
business.)

This can be interpreted in more than one way.  I know what side of the issue
publications like DMNews are on.  The fact that they are calling for
SpamHaus to step aside suggests to me that SpamHaus is probably doing
something that has the side effect of making legitimate mass emailers' lives
more difficult.  The FTC is a political institution that is heavily
influenced by the direct marketing industry, so it is no surprise that such
a request was made.  I am fairly confident that SpamHaus represents my point
of view, and the point of view of millions of end users, far better than the
FTC, who will bend over backwards to avoid inconveniencing industry in any
way.


Yes, I appreciate we are merely having a
discussion on a mailing list about spam and how
to deal with it. And heh, the latter is always a
topic which can generate lots of debate.

* Actions by black lists

The concern is not with "spammers rights." Rather
it has to do with solicited emailers ending up as
collateral damage.

"People use them [black lists] because they block
spam and very little, if any, legitimate mail."

Unfortunately, this is not correct:

"SpamCop runs a "blacklist" that is highly
controversial and has proven to be very
unreliable. There are frequent reports of
SpamCop's blacklist erroneously listing confirmed
opt-in email as spam! For these reasons, CAUCE
does not recommend use of the SpamCop blacklist."

http://www.cauce.org/about/resources.shtml

It is unfortunate that CAUCE has taken that position, and it seems to fly in
the face of the facts.  Millions of users and thousands of systems operators
disagree with them, however.  I personally used the SpamCop blacklist for a
number of years and though there were several documented incidents of
inappropriate listings, I never experienced a non-delivery because of that
list.  Interland, one of the major hosting companies on the Internet, uses
the SpamCop list for _blocking_ mail.  Their users, who number in the
hundreds of thousands, don't seem to have a problem with that.  In fact, it
has proven wildly popular.

This is also why there are a variety of blacklists to suit the needs of
different system operators.  Some blacklists will produce false positives
for a particular user base, while another will not.  Another user base might
find the opposite true.  Systems operators are free to pick the blacklists
that best help them control spam.  They are also free to not use any at all.
The widespread and increasing use of blacklists today belies your contention
that they are somehow inaccurate or ineffective.  Since no one compels
system operators to use these lists, and their job is to keep their users as
happy as possible at minimum cost, if your contention were true, blacklists
would not be the widely used tools they are today.  Their unpopularity is
primarily among bulk mailers, who would prefer unfettered access to the
inboxes of countless end-users.  Blacklisting is simply a defensive measure
taken by the systems operator community in response to the complete failure
of the direct marketing industry to either police itself or support
legislation that would accomplish that.  If they didn't work well, people
wouldn't use them, and CAUCE's recommendation hasn't seemed to slow the
increasing popularity of the blacklists.


Solicited emailers are seeing ever increasing
problems with delivery, while spam levels
continue to soar.

Just as much as the ultimate objective is to
reduce levels of abusive behaviour at the same
time, presumably people want to stop the shooting
of innocents, so we can all "enjoy the common
green again" without being mugged, pillaged and
plundered.

I don't regard bulk emailers as innocent bystanders in all this.  Since the
recipient pays the cost of delivery, it is perfectly reasonable to expect
them to take some additional measures to make sure that _no one_ who didn't
request their material receives it.  That is just common sense.  If bulk
mailers find that unnecessarily burdensome, I have no sympathy for them.  If
they want to be sure their bulk mail is delivered, they have to take all
reasonable measures to avoid sending unsolicited mail.  That may mean
keeping automated audit trails so that they can easily prove to a blacklist
that their mail was solicited and that there is an obvious and effective way
to stop receiving the mail.  That will cost them some money, but since the
recipient pays the postage, and not them, they really have nothing to
complain about.  Compared to the unfettered freedom we had to send UBE in
the past, this is a significant extra cost.  However, that system was not
workable and any expectation that things will continue in that manner is
unrealistic.


* Classification and Accreditation Services

"Why should we even consider handing the keys to
the castle over to a group of corporations whose
combination of actions and inaction created the
problem in the first place?"

Why then did CAUCE come out in support of TEOS?

IMHO, this was a very large mistake.  I can only guess at what their
political motives were.


Don't take my question in response the wrong way.

I fully respect the sentiment of your question as
put to me.

My concern is this. To many people, the Internet
is a low cost way of getting into business. I am
talking about running simple honest businesses.
These people are not associated with the DMA or
any other large marketing organization.

Just ordinary folks, who want to make a better
life for themselves and in doing so are prepared
to follow some basic rules. No sending of UBE. No
marketing of illegitimate or illegal businesses.
Run a clean business. Give good service for good
value.

Presumably it is not the intention of seeing
these folks shut out of the market place as we
move from an open e-mail system to a closed
e-mail system, or am I mistaken?

While this is an interesting emotional argument, it cuts both ways.  A
good argument could also be made that were it not for the preponderance of
UBE in the current email system, Internet connection charges would be
considerably lower than they are today.  How many poor families are being
prevented from having the advantage of Internet connectivity due to the
present monthly costs?  Adequate used computers can be had for next to
nothing, and in many cases for free, but the monthly charges are significant
to people who are at the bottom of the wage scale.  The glut in
telecommunications bandwidth has been well-publicized for a number of years.
Unfortunately, spam has become such a problem that ISPs have to invest
large sums to keep up with the volume and to create, test and tune heuristic
schemes to keep as much spam out as possible.  They also have to answer
countless user complaints about the problem and deal with complaints about
spam that did not originate from their network.  This raises their costs
tremendously and gets directly passed on to the consumer.

There is no need for the cost of doing the best kind of opt-in user
validation that technology permits to be high.  Here is a proposal that I
challenge the DMA and their friends to implement, if they are really
concerned with stopping abusive mass mailers, which appears highly doubtful.
It would take a relatively small amount of money, compared to their recent
lobbying efforts, to pay a group of programmers to create a system that
would provide the strong opt-in validation and automatic audit trails that
have been proposed by SpamHaus and others.  This would, in turn, permit
blacklists to start distinguishing between well-run operations with a few
clueless users who complain inappropriately from irresponsible providers who
routinely purchase other lists and add the addresses without end-user
permission.  The code for this and the binary distributions would be put in
the public domain and made freely available to anyone from the Mom-and-Pop
startups to Fortune 500 megaliths.  This would remove the excuse that it is
too expensive to do strong end-user validation and allow any responsible
marketer who so desires to run a strongly validated bulk mailing list at no
extra cost.

This would cost a fraction of what they spent lobbying for the present
ineffective legislation and it would be quite useful to many of their
members.  Every responsible marketer wants a mailing list that will generate
a minimum of complaints, and when they do occur, such a tool would quickly
allow them to prove that it was end-user error rather than fraud on their
part.  That is but one example of what they could do if they were serious
about curbing the present problem, but as I said before, money talks and
their money is not going in that direction.

--

Seth Goodman
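As an added illustration of the two conditions Seth describes above (this is example code, not part of the list post and not any project's implementation): a toy SPF-style evaluator that passes a message only when it came straight from a host the domain lists, or through a forwarder we whitelist that itself received it from such a host, and reports the origin as undecidable once the mail has passed through more than one forwarder. All records, IPs and forwarder names are constructed samples.

```python
# Constructed stand-in for the domains' published SPF records.
SPF_RECORDS = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
}

# Constructed: relay IPs of forwarders this receiving site whitelists.
TRUSTED_FORWARDERS = {"198.51.100.5"}


def spf_check(domain, client_ip):
    """Plain SPF check: is client_ip listed for domain? (pass/fail/none)"""
    allowed = SPF_RECORDS.get(domain)
    if allowed is None:
        return "none"  # domain publishes no record at all
    return "pass" if client_ip in allowed else "fail"


def validate_origin(domain, hops):
    """Decide whether the origin domain can be validated for a message.

    hops lists the connecting IP of each hop, newest first: hops[0] is
    the host that delivered to us, hops[1] the host that delivered to it,
    and so on. Returns (result, reason).
    """
    if not hops:
        return "none", "no delivery hops recorded"
    if domain not in SPF_RECORDS:
        return "none", "domain publishes no SPF record"
    # Condition (a): we received the mail straight from a listed host.
    if spf_check(domain, hops[0]) == "pass":
        return "pass", "direct delivery from a listed host"
    # A first hop that is neither listed nor a forwarder we trust is a
    # plain SPF failure: a forger, or a forwarder we know nothing about.
    if hops[0] not in TRUSTED_FORWARDERS:
        return "fail", "first hop neither listed in SPF nor a trusted forwarder"
    if len(hops) < 2:
        return "fail", "trusted forwarder with no recorded upstream hop"
    # Condition (b): the trusted forwarder got it directly from a listed host.
    if spf_check(domain, hops[1]) == "pass":
        return "pass", "trusted forwarder received it directly from a listed host"
    # The forwarder got it from someone else (another forwarder, or a forger
    # relying on the forwarder's whitelist). Only that forwarder's own trust
    # decisions could settle it, so from here the origin is undecidable.
    return "unknown", "forwarded more than once; origin cannot be unravelled"
```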

