spf-discuss

RE: Good Domain List one step closer to reality (actually two steps)

2004-08-18 13:34:56
From: John Glube
Sent: Wednesday, August 18, 2004 10:30 AM


Seth -

The issue is whether we intend to allow reputation services
that are paid for by senders to become a virtual necessity
to get mail reliably delivered.

At present, for anyone running a verified opt-in mailing
list, from all my inquiries to have any reasonable delivery
rates compared to what the situation was a year ago before
passage of the CAN SPAM Act this is the present reality.

It happens in two ways in the market. You either join an
accreditation service, or you use an accredited 3rd party
email service provider to do your mailings for you.

At present the only accreditation services available in the
market are paid.

Now, you can still get mail delivered, but due to the
volume levels and gateway filtering, delivery rates have
plummeted.

Messages are not delivered. In many cases the sender has no
real idea as to why. A lot of filtering and bouncing tells
the sender, address unknown, when this is not in fact the
case.

This describes the situation for bulk senders, and I don't care if they
have to pay to achieve delivery or if their delivery rates are poor.
What I am concerned about is the situation for non-bulk senders, who are
footing all the delivery bills.  While there may be an issue of fairness
among small bulk senders vs. large bulk senders, I'd be happy to let
them fight it out between themselves as long as the result doesn't
affect non-bulk senders.  Since email delivery costs are largely paid
for by recipients, I think it is difficult to argue for any inherent
right of anyone to send UBE.  Your arguing for clear and consistent
standards for senders that recipients would approve is clearly to
facilitate bulk sending of email.  I repeat, this is not necessarily
anyone's right.  If it can be done in a way that does not continue to
steal services from non-bulk senders and does not impose any additional
cost on non-bulk senders, then and only then is that a reasonable
expectation.


You go on to write:

That would be an extremely bad thing to happen to email,
unless you are a bulk mailer with deep pockets.  This is
something that we should fight strenuously.

Let's step back and ask why are we here?

We are here in part due to:

* The need for email filtering;

* The Agreement reached in May, 2003 by CAUCE to support
TEOS;

* The decision in September, 2003 by ESPC to support LUMOS
and so Bonded Sender;

The Email service provider coalition withdrew its total
support for Bonded Sender this spring over disagreements
concerning how the financial penalties are imposed and the
lack of transparency in dealing with complaints.

* The decision in October, 2003 by the big mail providers
to support sender paid schemes to allow the providers to
sort 'good' email from 'bad' email.

* How the American law was drafted in consultation with
industry and the regulatory agencies; and,

(There is a provision in the Act calling for an IETF
approved seal in section 11 (2))

* The decision not to implement a National Do Not Email
List.

(Which made sense without the widespread implementation of
sender authentication.)

This may well be an accurate description of why you are here, but it
doesn't have much in common with why I am here.   I doubt I am unusual
in this respect.  Why would I or anyone else working on behalf of
recipients spend all this time and effort to create a system that makes
it possible for bulk senders to operate profitably while raising my own
costs for reliable mail delivery?  That doesn't make any sense.  I find
it completely unimportant that bulk mailers can get reliable delivery.
It does not affect me personally, my business or any of my clients'
businesses.  Bulk mailers do not have any inherent right to deliver mail
to me postage due, which is how the current system operates.  My
presumption in the current climate of non-enforcement is that bulk mail
is guilty until proven innocent.  If the mechanisms to prove legitimate
bulk senders innocent results in non-bulk senders having to pay extra
for reliable mail delivery, that is not a solution and I will fight
against it.  I am sure many other people who are concerned more about
non-bulk email traffic than bulk will fight it as well.

Try and think of it this way: since the recipient pays for delivery,
sending bulk mail is a privilege, not a right.  The burden is on the
sender to prove to recipients, to _their_ satisfaction, that the bulk
email is worth paying to receive.  Unfortunately, this puts bulk senders
in a terrible bind since any service they financially support has a
built-in conflict of interest.  Since recipients will not likely
volunteer their time to facilitate the delivery of bulk mail, the bulk
senders are between a rock and a hard place.  Since they have enjoyed
nearly unfettered access to recipients' inboxes at virtually no cost to
them until very recently, they really have no basis for complaint.  They
made their bed, now they can lay in it.



Do the decisions made in May, September and October of 2003
apply to domain owners who use a domain for identity
purposes, who don't run a mailing list and send personal
and business mail on a day to day basis? In my view the
logical consequence is clear.

The thinking?

* In the absence of being able to establish a good
reputation, those caught in the grey area can either have
their mail filtered or sign up with an accreditation
service.

* Once you establish a good reputation through the use of
an accreditation service, you can withdraw and continue on
with the reputation you have established.

The reality?

Don't know. I know that I saw this coming in October, 2003
and others saw it a year prior.

With sender authentication, this only takes us part of the
way. The other part of the loop is reputation, or sorting
'good' from 'bad.'

Since there can be no agreement on what is 'good,' as
ultimately this is subjective based on content, as well as
objective based on is the sender verified opt-in, confirmed
opt-in, unconfirmed opt-in or opt-out, apart from the use
of reputation services, there will be an ongoing need for
filtering.

Well, there is room for discussion here.  I personally hold to the
school of thought that spam is more about behavior than content.  While
there is a very wide range of what different people would classify as
spam based on content, the standards for behavior can at least be
objective.  This means confirmed opt-in vs. unconfirmed opt-in or worse
yet, opt-out.  This is just my personal opinion, but I prefer standards
that have a chance of being objective.  BTW, I could use some
clarification as to the difference between verified opt-in and confirmed
opt-in, if any.


Some argue, if the list is verified opt-in the issue of content
is between the sender and the ultimate recipient.

I happen to agree with this position. As an end user, if I have
verified my consent to receive an online newsletter,
transactional messages or commercial messages, what is the basis
of my internet access provider filtering this email?

If by verified opt-in you mean that you sent a subscription request or
hit a subscribe link on a web page, then you received a message that
said you needed to reply to that message within X hours or you would not
be subscribed, and you then replied to confirm your subscription
request, I agree with you.  The communication is requested and you
should be able to whitelist it, if necessary.  As ISP's get sick of
dealing with customer complaints relating to this, I'm sure they'll
implement a whitelisting system.  After all, they're in business to make
money, too, and the combination of wasted help desk time plus unhappy
customers does not lead to more profits.


If I want to sign up for an online porn newsletter or an online
newsletter about fine art and I have given my verified consent to
the publisher, what is the basis for the internet access provider
to check the content?

Absolutely none, IMHO.  There are perhaps some laws on the books that
have to do with content, such as depictions of children in sexual acts
or abuse of animals that may put some onus on the ISP, but I wouldn't
know about that.  With that possible narrow exception, you should be
able to receive any bulk communication you gave the sender permission to
send you.  This is no different from non-bulk communications, where as
long as you gave the party your email address, we can presume an implied
consent to send you email.


The decision whether to proceed in this direction is between the
receiving community and end users.

If the receiving community were to say, in the case of verified
opt-in, we will not run gateway filtering checks and instead
leave content filtering to the end user, this would make it a lot
easier to sort out some of the underlying issues.

Since verified opt-in operations, if we are using the term the same way,
that run their operations responsibly (don't forge headers, have
prominent unsubscribe directions, honor unsubscribe requests promptly,
don't sell unsubscribed addresses to spammers) they are very unlikely to
wind up on any blacklists.  I am on a large number of forums and
commercial product mailing lists for electronic design software that I
use every day.  For as long as I can remember, none of these
organizations have had any problems with mail delivery to my site.
Reading their user forums and attending user group meetings, I do not
hear complaints from other users about failure to get technical
newsletters in a timely manner.

In contrast, I have had a number of very unpleasant interactions with
business operators who feel that they have the right to send unsolicited
email to anyone who is in their target industry.  They often claimed
that's the only way they could stay in business.  If the only way
someone can stay in business is by committing theft, they should not be
in business.  I no longer waste my time trying to educate these
belligerent, anti-social jerks, I report them to blacklists.

My point is that delivery rates for responsible bulk senders seem pretty
good from my perspective, as long as you run a clean operation.  More
than likely, the folks making the most noise are their own worst
enemies.  If they used best commercial practices, they would probably be
fine.  The problem is that they want to get off on the cheap, and I have
no sympathy for them.

Postal mail is a whole different story.  Everyone gets plenty of junk mail
but few people care and even fewer complain.  Why?  Because the sender
pays the postage and that keeps the volume in check.  If they could send
postal mail postage due and somehow compel recipients to pay for any of
it where the senders met certain standards, whether or not the recipient
requested it, you would hear similarly loud cries of protest from
recipients.


I am not holding my breath:-)

Good choice.


In dealing with accreditation services, you say from the
perspective of the receiving community follow the money.

Absolutely.  People don't give money away easily and they often expect
something in return in order to give.  That is why it is such a reliable
indicator of who has a relationship with whom.


You argue any accreditation service which takes money from
the sending community is therefore beholden to this
community and you seem to be saying except in the case of
bulk mailers with deep pockets, we should reject the use of
accreditation services.

Actually, I was suggesting that we reject sender-financed accreditation
services entirely, as it will force non-bulk senders to buy these
services to get reliable mail delivery.  It also disadvantages small
bulk senders, which is a lesser issue but still a real one.


The problem is this leads to special treatment for those
with deep pockets, unless receivers decide the use of an
accreditation service by a sender gives rise to a
presumption the sender is a spammer.

There is a presumption that the sender must be having some difficulty
getting their mail delivered or they wouldn't need to pay for an
accreditation service to overcome whatever is causing them delivery
problems.  As I mentioned previously, most of these problems are
avoidable and of their own making.  If you treat your customers
respectfully, as you would like to be treated, you will have few
complaints.


But this is not the case. Many large corporate senders do
run verified opt-in mailing lists. Why should they be
penalized?

They are not penalized, unless they have a history of complaints and/or
blacklisting.


Receivers are going to check email through the use of
sender authentication, along with checking to see whether
the sender has a "good reputation" and depending on the
results and the receivers local policy the use of header
and content filtering.

Many senders will not be able to establish any reputation
due to lack of volume.

Receivers to protect their networks will continue to
subject these messages to header and content filtering.

More reasonably, they will simply reject messages from blacklisted IP's
and be done with it.  Header and content filtering is expensive for the
recipient and not completely reliable.  Why should recipients pay extra
for this?  Bulk mailers' delivery problems are exactly that.  It is of
little concern to recipients.  If you find yourself blacklisted, clean
up your act and keep it clean.  You will not have delivery problems.  If
ISP's receive many complaints about desired mail being blocked, they
will set up a whitelist system.  But please don't suggest that we go
back to the bad old days where we accepted everything and ran it through
content filters.  I never want to go back to that system and I would
change providers immediately if they stopped blocking as they currently
do.


For some senders this is fine. However, some senders may
decide, since I follow best practices (verified opt-in) and
email delivery is critical, I am prepared to pay for
accreditation to reduce the risk of my messages being
rejected due to false positives and the like.

Why would recipients believe an organization that was financed by
senders?  Admittedly, some large providers do have "pay for play"
arrangements, but this is no better than the "pink contracts" spammers
have with disreputable ISP's.


Is this appropriate? Why should accreditation services be
staffed by volunteers? Why should receivers have to pay for
this information?

If you want people to believe an accreditation rating, there can't be
any financial relationship between the people doing the ratings and the
people being rated.  This has been shown to be true, time and time
again, across a wide range of industries.  The most recent example is
the accounting scandals where the same firm that performs financial
audits also promotes IPO's.  This put auditors in an untenable position
and what happened was both predictable and inevitable.  It was not a
question of whether, but only where and how much.

Because everyone understands this basic way that capitalism works, and
it's the same thing that makes it so efficient, they are naturally wary
of even the _appearance_ of a financial link between a reputation
"auditor" and the organization being "audited".  That may mean that, in
fact, the only way people will believe the ratings is if the services
are run by people with no financial connection with the organizations
being rated.  That means they can't be paid by them.  While recipients
should not have to pay for the use of such services, traditionally,
recipient organizations have been willing to donate enough to keep them
solvent.  That is no conflict of interest.  They are accepting money
from recipients to create reputation audits for the use of recipients.
But no money is required.

This obviously does not fit your normal conception of a business.
Neither does open source software.  Both run on the goodwill of
volunteers who believe that they are collectively better off by
cooperating with others who have similar needs to them.  However, they
in general do not cooperate with groups that are adversarial to their
needs.  Since they are not paid, you can't force them to do anything.
What a concept.  This sounds like a corporate nightmare.  Thousands of
highly skilled people working for free doing what _they_ consider
important who don't care what you want and won't take your money.  It's
not perfect, but it sure beats the alternative.


In looking at the value of an accreditation service, money
is not the issue, it is the standards set by the service
and how these are enforced.

In our society, money is _the_ issue.  Everything else follows from
that.  I don't make the rules, I just try to understand them so I can
survive.


What should be the result? At present we have:

* Senders who use services which accredit volume bulk
mailers who do not use verified opt-in, but simply
unconfirmed opt-in, along with implied consent based on a
pre-existing business relationship, subjecting violators to
fines and depending on violation levels loss of
accreditation.

* Senders who use services which only accredit bulk mailers
who use verified opt-in and black list violators.

* Senders who use accreditation services which allow
receivers to access sender characteristics based on a list
of criteria.

How receivers use this information is up to receivers.

The biggest problem I have with your argument is the
postulation because the sender is paying for accreditation,
this means the accreditation service will be less than
truthful about sender characteristics. You then use this
postulation to conclude all accreditation services are
therefore tainted.

Perhaps that is so.  As long as they are tainted in my direction, I am
happy.  It is my computer, my MTA and my inbox.  I make the rules, not
the senders.  If I were losing any legitimate mail, I might be
concerned, but that is not happening.  On the rare occasion when it
does, I get a phone call and we continue to do business.  The best thing
about outright rejection of messages is that all rejected messages
should generate DSN's.  Any that are legitimate will know immediately
and call me to deal with it.

With the old paradigm of accepting nearly everything and filtering
later, there is a huge spam folder in which a couple of legitimate
messages are hidden.  Manually inspecting the spam folder is not
reliable and I have missed important messages that way.  The sender has
no way of knowing what happened and assumes that you ignored his
message.  The worst possible outcome for the recipient.  I have operated
under both systems and I can assure you there is absolutely no
comparison.  You couldn't pay me to go back to the "promiscuous
reception" mode where important customer emails were lost in a
gargantuan spam folder.


The presumption that because the sender pays means the
accreditation service will not provide accurate information
belies the reality. If this position was correct, receivers
would not even consider using these services.

I think that only the big providers that have a financial stake in the
accreditation service pay much attention to them.


It is this negative presumption which defeats the value of
the argument "follow the money."

If you believe that capitalism works as an economic system, then you
have to believe in "follow the money".  The whole system is predicated
on people acting in their own financial best interest.  They do this
fairly reliably, and that's how the system works.  The results aren't
always pretty, but they are predictable.  The most ardent capitalists
argue that anyone who does not aggressively pursue their own financial
self-interest is a fool.  The system strongly incentivizes people to
behave this way and they largely do.  It's fairly nonsensical to argue
that people will pay money for a service that rates their behavior badly
and causes them problems as a result.  The only situation where
corporations do this is in the case of legal requirements, such as
paying unemployment insurance, worker's compensation, social security or
paying fees for OSHA inspections that result in fines.  Most would not
do any of this if it were not legally required.  That is why they had to
make laws to get companies to contribute.

If "follow the money" was not the way that everything works in this
society, why would we need improved regulation of financial auditors and
investment bankers to avoid more Enron situations?  Why can't these
people, all skilled professionals, just do their jobs and not be
influenced by the source of their paychecks?  The answer is simple:
they're human.


Further, the position only volume bulk mailers with deep
pockets should pay gives special treatment to this class of
senders.

I didn't suggest that.  I said that only large bulk mailers with deep
pockets would be able to afford these services.


This is the very fear of many, given the lack of legal
prohibition against sending unsolicited bulk email and the
present lack of clarity as to what is required to show
affirmative consent.

The DMA wrote this law, paid for it dearly and they will be judged by
its failure.


On this last point I note more and more people are coming
to the conclusion, verified opt-in is required to prove
affirmative consent.

Very reasonable.  If there were an easier way, I would love to hear
about it.

There _are_ S/MIME certs, which are better authentication than
domain-keys and are fully supported today.  Subscribing with a cert
could substitute for confirmation, as long as the cert was not revoked.
Thawte does offer free certs for individual users.  The sign-up process
requires confirmation to prove that you own a given email address.  It
doesn't prove your identity, which is why they can give it away for
free, but it does prove that the certificate was requested by that email
address.  Since this is identical to the confirmed opt-in process,
subscribing by sending an email signed with your private cert key proves
that the owner of that email address subscribed.  No one can forge that
request unless they steal the key from your computer.  If your private
key gets hijacked or stolen, you can simply revoke the cert and get a
new one.  As long as the sender checks for certificate revocation
whenever they send, they have proof of a subscription request that
cannot be forged.

If you really want to get fancy, once the user has a cert, the sender
can encrypt the message with the user's public key so only that
subscriber can even read the message.  Under that scenario, it would be
useless for a sender to send messages to anyone but bona fide
subscribers, since they couldn't read the messages even if they were
delivered.  At the same time, the sender can sign the document with his
cert (can be free or nearly so), so the recipient at least knows the
sender's email address is accurate.  Most email clients I know about
will refuse to sign a message if the From: address is different than the
address in the cert.

The advantage of S/MIME or PGP certs over domain-keys is that they are
zero or low-cost, there is no requirement to change your DNS and
virtually all MUA's today support them (more so for S/MIME).  They also
authenticate to the user level, not just the domain.  It still doesn't
tell you if the message is spam, but at least the sender can prove it is
solicited.  This would give an advantage to honest bulk mailers who
don't forge subscription requests, since with a public key cert, it is
impossible to forge a signature unless you steal the key off the user's
computer.  A sophisticated virus could probably do that, but then the
user can revoke the cert, so it isn't very useful.  A system like this
would be pretty enforceable, should anyone have the will to do that.


What heightens the problem is that some internet access
services are willing to cater to bulk mailers who according
to some standards are sending solicited mail, but according
to other standards are sending spam.

That's the benefit of a standard of conduct like confirmed opt-in.
Either you can produce the confirmation message or you can't, and it
doesn't depend on any judgment of content.


If we set up a system which only requires accreditation for
bulk mailers with deep pockets, how do you distinguish good
from bad for the rest.

You can't.  That's not a good idea.


Rely upon reputation services created by volunteers and
real time block list operators operated by volunteers for
the benefit of receivers?

Why does the receiving community expect that these
individuals should be altruistic?

Only because of past experience with them, but isn't that what all
reputations are based on?  If they stop acting in the interest of
recipients, people will stop trusting them.  It's pretty easy to tell if
that happens.  You will get more spam.


Since internet access service providers are charging users
money for access, why should these providers get access to
a real time feed for free?

Because the operators of the blacklists want it that way.  If they did
anything else, it would compromise _their_ reputation, which would
defeat the whole purpose of their effort.

Some blacklists have transitioned to a recipient-pays model.  It's a
hard transition because you have to have very high quality data to
convince someone they want to pay for it.  The Reynolds T1 list from
Australia is one of the better examples of a list that has gone
commercial and done it in a very gracious manner.  I don't use them
anymore, because my providers do all the blocking for me, but when I did
use them, their fee schedule was very friendly to small businesses.
Basically, you got a certain number of free queries per month.  If you
regularly used more than that, they would request that you start to pay
on a sliding scale.  The free quota was sufficient for most businesses
of around five people, so it was a really nice service.  It also
happened to be one of the best blacklists around.  Because their hit
rate for spam was so high and their false negatives were so low, some
recipients were happy to pay for the service.  I doubt anyone there was
getting rich, but it kept the doors open.


Even with reliance upon reputation services, which include
real time feeds from block list operations, the position is
receivers still need to use filters.

With good blacklists, you need very little filtering.  I post to
numerous public lists with my real address and have my address listed in
several industry directories on the web.  Yet, I only receive an average
of three or four spam pieces per day.  My Bayesian filter is well
trained and takes care of these easily.  This is down from a couple
hundred in my personal inbox before I started blocking.  That was a very
bad situation.  Similar results for other mailboxes at my company.  Good
blocking really works, but it's not a job for the fat-fingered among us.
My present providers do a far better job at it than I ever did.  I was
able to persuade my local ISP to try it and they were delighted with the
results, as was I.  I was able to dump a pretty large set of local rules
with no increase in spam.


This of course takes us full circle and reminds me of the
song "There is a whole in the buck, dear Lisa" :-)

Send me a link, I don't know that one!

--

Seth Goodman
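
The confirmed opt-in exchange described in the message above (subscribe request, confirmation message, reply within X hours, and later being able to produce the confirmation), sketched as an added example that is not part of the original post or of any real list software. The class name, the demo key, the 48-hour window and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import json


class ConfirmedOptInList:
    """Hypothetical list manager, not taken from any real list software."""

    def __init__(self, list_id, secret, window_hours):
        self.list_id = list_id
        self.secret = secret                  # server-side key, never mailed out
        self.window = window_hours * 3600     # the "X hours" reply deadline
        self.subscribers = {}                 # address -> consent record (evidence)

    def _tag(self, address, issued_at):
        # JSON gives an unambiguous encoding of (list, address, time).
        msg = json.dumps([self.list_id, address, issued_at]).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request(self, address, now):
        """Subscribe request from a web form or mail: nobody is subscribed yet.

        Returns the token to embed in the confirmation message, which is
        sent only to `address`, so only that mailbox's owner can echo it back.
        """
        address = address.strip().lower()
        issued_at = int(now)
        return f"{issued_at}.{self._tag(address, issued_at)}"

    def confirm(self, address, token, now):
        """Process the reply to the confirmation message."""
        address = address.strip().lower()
        issued_str, _, tag = token.partition(".")
        try:
            issued_at = int(issued_str)
        except ValueError:
            return False
        expected = self._tag(address, issued_at)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False                      # forged, altered, or for another address
        if not 0 <= now - issued_at <= self.window:
            return False                      # reply arrived after the deadline
        # Keep what is needed to "produce the confirmation" later.
        self.subscribers.setdefault(address, {
            "list": self.list_id,
            "requested_at": issued_at,
            "confirmed_at": int(now),
            "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        })
        return True

    def may_send(self, address):
        return address.strip().lower() in self.subscribers


def demo():
    """Constructed addresses and timestamps (seconds), for illustration only."""
    lst = ConfirmedOptInList("newsletter", b"constructed-demo-key", window_hours=48)
    t0 = 1_000_000
    alice = lst.request("Alice@Example.org", now=t0)
    bob = lst.request("bob@example.org", now=t0)
    return {
        "before_reply": lst.may_send("alice@example.org"),
        "alice_confirms": lst.confirm("alice@example.org", alice, now=t0 + 3600),
        "late_reply": lst.confirm("bob@example.org", bob, now=t0 + 49 * 3600),
        "token_reused_for_other_address":
            lst.confirm("mallory@example.net", alice, now=t0 + 3600),
        "after_reply": lst.may_send("alice@example.org"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token is a keyed MAC over the list, the address and the issue time, a subscription request submitted by a third party for someone else's address never becomes a subscription unless the mailbox owner replies.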

